Hi @everyone, I am using jQuery, jQuery UI and jQuery easing for my project, installed via NPM (package.json).
While doing a vulnerability scan, jQuery UI / jQuery easing were flagged as a vulnerability, and the security team recommended removing jQuery UI & jQuery Easing, or writing a wrapper for jQuery UI & jQuery.easing.
I need a workaround to remove the reference to jQuery easing from the jQuery lib source code, or a wrapper for jQuery easing.
Vulnerability description given by our Appsec Team:
Recommended Version(s): No recommended versions are available for the current component.
Explanation: The jquery package is vulnerable to Denial of Service (DoS). The jQuery.each( jQuery.expr.match.bool.source.match( /\w+/g ) function in the attr.js file lacks the logic to convert the attribute name into lowercase. Any attribute getter using a mixed-cased name for the boolean attributes goes into infinite recursion, exceeding the stack call limit. This causes Denial of Service (DoS).
Note: This vulnerability has been assigned CVE-2016-10707.
Advisory Deviation Notice:
The Sonatype Security Research team discovered that this vulnerability was introduced in version 1.11.0-beta3 and not 3.0.0-rc1 as stated in the advisory. This finding coincides with issues reported against versions 2.2.4 and 1.12.14 and confirmed by jQuery maintainers several months after this vulnerability's initial publication.
Detection: The application is vulnerable by using this component.
Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
Threat Vectors: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Thanks in advance! Expecting helping hands.
Regards,
Gopi
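The advisory quoted above says the attr.js getter never lowercases the name of a boolean attribute, so a mixed-case name such as "CHECKED" recurses until the stack limit. The advisory's own recommendation is to upgrade; where a team nevertheless wants the "wrapper" mitigating control the poster asks about, the added example below (not jQuery's code and not the poster's) shows one way to do it: it derives the boolean attribute list from jQuery.expr.match.bool the same way the quoted snippet does, then patches jQuery.fn.attr so those names are lowercased before reaching the original getter or setter. HTML attribute names are case-insensitive, so this changes no result for a well-formed page. The jQuery object used to run it offline is a constructed stub whose boolean-attribute regex is a made-up subset, not a claim about any real jQuery version; installing the guard on a real jQuery assumes the usual attr(name), attr(name, value) and attr(object) call forms.

```javascript
// Added example (not jQuery's or the poster's code): a wrapper that
// normalizes boolean attribute names to lowercase before they reach
// jQuery's attr(). Mixed-case names therefore never hit the case-sensitive
// path the advisory describes, and results are unchanged because HTML
// attribute names are case-insensitive anyway.

// Derive the boolean attribute list the same way the quoted snippet does:
// from the regex source of jQuery.expr.match.bool. Returns a Set of names.
function boolAttrNames(jq) {
  const source = jq.expr.match.bool.source;
  return new Set(source.match(/\w+/g).map((n) => n.toLowerCase()));
}

// Lowercase a name only when it is one of the boolean attributes. Other
// names pass through untouched, so data-* names and camelCase SVG
// attributes such as viewBox keep whatever case the caller used.
function normalizeAttrName(name, boolNames) {
  if (typeof name !== "string") return name;
  const lower = name.toLowerCase();
  return boolNames.has(lower) ? lower : name;
}

// Patch jq.fn.attr so every call goes through normalizeAttrName first.
// Covers the getter form attr(name), the setter form attr(name, value)
// and the object form attr({ Name: value, ... }). Returns the original
// function so the guard can be removed again.
function installAttrGuard(jq) {
  const boolNames = boolAttrNames(jq);
  const originalAttr = jq.fn.attr;
  jq.fn.attr = function (name, ...rest) {
    if (name && typeof name === "object") {
      const normalized = {};
      for (const key of Object.keys(name)) {
        normalized[normalizeAttrName(key, boolNames)] = name[key];
      }
      return originalAttr.call(this, normalized, ...rest);
    }
    return originalAttr.call(this, normalizeAttrName(name, boolNames), ...rest);
  };
  return originalAttr;
}

// Constructed stand-in for jQuery so this file runs without a browser.
// It records the attribute names that reach the underlying attr() so the
// guard's effect can be checked. The regex only mirrors the *shape* of
// jQuery.expr.match.bool; the four names in it are a constructed subset.
function makeStubJQuery() {
  const seen = [];
  return {
    expr: { match: { bool: /^(?:checked|selected|disabled|readonly)$/i } },
    fn: {
      attr(name, value) {
        seen.push(typeof name === "object" ? Object.keys(name) : name);
        return value === undefined ? `value-of-${name}` : this;
      },
    },
    seen,
  };
}

// Exercise the guard and return the names the stub actually received.
function demo() {
  const jq = makeStubJQuery();
  installAttrGuard(jq);
  const el = Object.create(jq.fn);          // stands in for a jQuery collection
  el.attr("CHECKED");                       // getter: arrives as "checked"
  el.attr("Disabled", true);                // setter: arrives as "disabled"
  el.attr({ ReadOnly: true, "data-Id": 7 }); // object form: data-Id untouched
  el.attr("viewBox");                       // not boolean: passed through as-is
  return jq.seen;                           // ["checked","disabled",["readonly","data-Id"],"viewBox"]
}
```

In a real page the guard is installed once, right after jQuery loads and before jQuery UI or any other plugin that calls attr() with caller-supplied names; it is a stop-gap for a dependency with no upgrade path, not a substitute for the upgrade the advisory recommends.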