Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to disable the jquery easing reference from Jquery "src" file #56

Open
gopi1989 opened this issue Jun 18, 2024 · 1 comment
Open

How to disable the jquery easing reference from Jquery "src" file #56

gopi1989 opened this issue Jun 18, 2024 · 1 comment

Comments

@gopi1989
Copy link

gopi1989 commented Jun 18, 2024
edited
Loading

Hi @everyone , I am using jQuery , jQuery UI and jQuery easing for my project and used via NPM (package.json).

While doing vulnerability scan jQuery UI / jQuery easing considered as vulnerability and security team recommended to remove the jQuery UI & jQuery Easing / Write wrapper for jQuery UI & jQuery.easing

I need a workaround to remove the reference of jQuery easing from Jquery lib source code either wrapper for jQuery easing.

Vulnerability description given by our Appsec Team

Recommended Version(s): No recommended versions are available for the current component.

Explanation: The jquery package is vulnerable to Denial of Service (DoS). The jQuery.each( jQuery.expr.match.bool.source.match( /\w+/g ) function in the attr.js file lacks the logic to convert the attribute name into lowercase. Any attribute getter using a mixed-cased name for the boolean attributes goes into infinite recursion, exceeding the stack call limit. This causes Denial of Service (DoS).

Note: This vulnerability has been assigned CVE-2016-10707.

Advisory Deviation Notice:
The Sonatype Security Research team discovered that this vulnerability was introduced in version 1.11.0-beta3 and not 3.0.0-rc1 as stated in the advisory. This finding coincides with issues reported against versions 2.2.4 and 1.12.14 and confirmed by jQuery maintainers several months after this vulnerability's initial publication.
Detection: The application is vulnerable by using this component.
Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
Threat Vectors: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Thanks in Advance ! Expecting helping hands

Regards,
Gopi
@gopi1989
Copy link
Author

gopi1989 commented Jul 1, 2024

@brettz9 , @Krinkle , @dmethvin , @graingert Guys need a help on my issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@gopi1989