[ https://issues.apache.org/jira/browse/QPID-8511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alex Rudyy resolved QPID-8511.
------------------------------
    Resolution: Fixed

> [Broker-J] Upgrade dojotoolkit to version 1.16.3
> ------------------------------------------------
>
>                 Key: QPID-8511
>                 URL: https://issues.apache.org/jira/browse/QPID-8511
>             Project: Qpid
>          Issue Type: Task
>          Components: Broker-J
>            Reporter: Alex Rudyy
>            Priority: Major
>             Fix For: qpid-java-broker-8.0.5
>
>
> A security vulnerability
> [CVE-2020-5258|https://nvd.nist.gov/vuln/detail/CVE-2020-5258] is reported
> against dojo-toolkit version 1.16.0.
> {quote}
> A deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution
> refers to the ability to inject properties into existing JavaScript language
> construct prototypes, such as objects. An attacker manipulates these
> attributes to overwrite, or pollute, a JavaScript application object
> prototype of the base object by injecting other values.
> {quote}
> Even when a vulnerability attack is successful and the UI is affected by the
> injected code, it is not expected that it would have any bearing on the Qpid
> REST API and messaging functionality.
> In order to prevent various scanning tools from flagging the issue, we need
> to upgrade dojotoolkit to version 1.16.3

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
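The quoted description explains the bug class (a deep copy/merge that walks into `__proto__` and writes to `Object.prototype`) without showing what a vulnerable routine looks like or how to test a fix. The following is an added illustration, not dojo's `deepCopy` nor any Qpid code: a constructed naive recursive merge beside a hardened variant, plus a small regression check a project could run against its own copy helper. The function names `naiveDeepMerge`, `safeDeepMerge` and `checkMerge`, the blocked key list and the sample JSON document are all assumptions made for this example.

```javascript
// Added example (not dojo's deepCopy): a naive deep merge that is open to
// prototype pollution, the hardened form, and a regression check for both.

// Keys that must never be traversed or assigned when copying untrusted data.
// (Assumed list for this example; __proto__ is the one that reaches
// Object.prototype in the naive routine below.)
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: iterates every own key of `source`, including an own
// "__proto__" key that JSON.parse happily creates. Reading target["__proto__"]
// returns Object.prototype, and the recursion then writes into it.
function naiveDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the dangerous keys outright, and only recurse into
// properties that `target` actually owns, so an inherited value (such as
// Object.prototype) is never used as the recursion target.
function safeDeepMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeDeepMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted document, e.g. a JSON body merged into defaults.
// The nested object under "__proto__" is what a naive merge copies into
// Object.prototype, so every object in the process would then see isAdmin.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Regression check: run a merge routine on the constructed document and
// report whether a fresh, unrelated object ended up with the injected key.
// Any global side effect is removed afterwards so later code is unaffected.
function checkMerge(mergeFn) {
  const marker = 'isAdmin';
  const defaults = { theme: 'light' };
  mergeFn(defaults, JSON.parse(UNTRUSTED_JSON));
  const polluted = ({})[marker] === true; // a fresh object should never see it
  delete Object.prototype[marker];        // undo the demonstration's side effect
  return { theme: defaults.theme, polluted };
}

// Stand-alone run: the naive routine reports polluted: true, the hardened
// one polluted: false while still merging the legitimate "theme" key.
console.log('naive :', checkMerge(naiveDeepMerge));
console.log('safe  :', checkMerge(safeDeepMerge));
```

The check is the useful part for a project that vendors a copy utility: keep it as a unit test so a future upgrade or refactor that reintroduces traversal of `__proto__` fails CI instead of being caught later by a scanner, as happened here.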