Alex Rudyy created QPID-8511:
--------------------------------
Summary: [Broker-J] Upgrade dojotoolkit to version 1.16.3
Key: QPID-8511
URL: https://issues.apache.org/jira/browse/QPID-8511
Project: Qpid
Issue Type: Task
Components: Broker-J
Reporter: Alex Rudyy
Fix For: qpid-java-broker-8.0.5
A security vulnerability
[CVE-2020-5258|https://nvd.nist.gov/vuln/detail/CVE-2020-5258] is reported
against dojo-toolkit version 1.16.0.
{quote}
A deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution
refers to the ability to inject properties into existing JavaScript language
construct prototypes, such as objects. An attacker manipulates these attributes
to overwrite, or pollute, a JavaScript application object prototype of the base
object by injecting other values.
{quote}
Even when an attack on the vulnerability is successful and the UI is affected by the injected
code, it is not expected to have any bearing on the Qpid REST API and
messaging functionality.
In order to prevent various scanning tools from flagging the issue, we need to
upgrade dojotoolkit to version 1.16.3.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
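The quoted NVD text describes the bug class but not what a vulnerable deep copy looks like. The following is an added example, written for this page and not taken from dojo-toolkit or Broker-J: a generic recursive copy/merge of the kind the CVE describes, in a vulnerable and a hardened form. The function names, the `UNSAFE_KEYS` list and the JSON payload (with an arbitrary `name` key) are constructed for illustration and are not dojo's `deepCopy` API.

```javascript
// Added example (not dojo-toolkit's deepCopy and not Qpid code): a generic
// recursive deep copy/merge, first in a form open to prototype pollution,
// then hardened. Names and payload are constructed for illustration.

// Vulnerable: iterates every enumerable key of `source`, including an own
// "__proto__" key that JSON.parse happily creates. For a plain-object target,
// target["__proto__"] is Object.prototype, so the recursion writes attacker
// properties into the prototype shared by every object in the realm.
function deepCopyVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      deepCopyVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: (1) skip the keys that reach the prototype chain, (2) only walk
// own keys of the source, and (3) never recurse into an inherited object on
// the target; allocate a fresh own container instead.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function deepCopySafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue; // drop the dangerous keys outright
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const ownObject =
        Object.prototype.hasOwnProperty.call(target, key) &&
        typeof target[key] === 'object' &&
        target[key] !== null;
      if (!ownObject) {
        target[key] = {};
      }
      deepCopySafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input: a legitimate-looking field plus a "__proto__"
// key. JSON.parse turns the latter into an ordinary own property.
const PAYLOAD = '{"name": "queue1", "__proto__": {"polluted": true}}';

// Runs the vulnerable copy, observes whether an unrelated fresh object now
// inherits "polluted", then cleans Object.prototype so later code is unaffected.
function demoVulnerable() {
  const result = deepCopyVulnerable({}, JSON.parse(PAYLOAD));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { name: result.name, leaked };
}

// Runs the hardened copy: the legitimate field survives, nothing leaks into
// Object.prototype, and no "__proto__" key is materialised on the result.
function demoSafe() {
  const result = deepCopySafe({}, JSON.parse(PAYLOAD));
  return {
    name: result.name,
    leaked: ({}).polluted === true,
    hasProtoKey: Object.prototype.hasOwnProperty.call(result, '__proto__'),
  };
}

console.log('vulnerable:', JSON.stringify(demoVulnerable()));
console.log('hardened:  ', JSON.stringify(demoSafe()));
```

The key-denylist alone is the common fix; the own-property checks matter because a merge that recurses into an inherited object on the target (for example via a `constructor.prototype` path on a non-plain target) reaches the same prototype by another route.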