[ 
https://issues.apache.org/jira/browse/QPID-8511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alex Rudyy resolved QPID-8511.
------------------------------
    Resolution: Fixed

> [Broker-J] Upgrade dojotoolkit to version 1.16.3
> ------------------------------------------------
>
>                 Key: QPID-8511
>                 URL: https://issues.apache.org/jira/browse/QPID-8511
>             Project: Qpid
>          Issue Type: Task
>          Components: Broker-J
>            Reporter: Alex Rudyy
>            Priority: Major
>             Fix For: qpid-java-broker-8.0.5
>
>
> A security vulnerability 
> [CVE-2020-5258|https://nvd.nist.gov/vuln/detail/CVE-2020-5258] is reported 
> against dojo-toolkit version 1.16.0. 
> {quote}
> A deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution 
> refers to the ability to inject properties into existing JavaScript language 
> construct prototypes, such as objects. An attacker manipulates these 
> attributes to overwrite, or pollute, a JavaScript application object 
> prototype of the base object by injecting other values.
> {quote}
> Even when a vulnerability attack is successful and the UI is affected by the 
> injected code, it is not expected that it would have any bearing on the Qpid REST 
> API and messaging functionality.
> In order to prevent various scanning tools from flagging the issue, we need 
> to upgrade dojotoolkit to version 1.16.3 
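Added example, not dojo's code and not part of the issue: a naive recursive deep copy of the kind the quoted description refers to, beside a hardened form, plus a probe that reports whether a copy routine leaks an injected property into the shared Object.prototype. The function names and the `__proto__` payload are constructed for this illustration.

```javascript
// Added illustration of the deepCopy prototype-pollution class (not dojo's code).

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Naive: copies every own key of `source` onto `target`, recursing into objects.
// A key named "__proto__" makes target["__proto__"] resolve to Object.prototype
// via the inherited accessor, so the recursion writes into the shared prototype.
function naiveDeepCopy(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepCopy(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse keys that reach the prototype chain, and only recurse into
// an *own* plain-object property of the target (never an inherited one).
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeDeepCopy(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeDeepCopy(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Probe for any copy/merge routine: copy a constructed "__proto__" payload into
// an empty object and check whether a fresh, unrelated object now carries the
// injected property. The prototype is restored afterwards in every case.
function leaksIntoPrototype(copyFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}'); // constructed sample input
  try {
    copyFn({}, payload);
    return ({}).polluted === "yes";
  } finally {
    delete Object.prototype.polluted;
  }
}
```

The probe is the regression check to keep next to whatever deep-copy or merge helper a UI bundles; upgrading the library removes the known instance, the probe catches the pattern.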



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
