[
https://issues.apache.org/jira/browse/ARTEMIS-3971?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robbie Gemmell reassigned ARTEMIS-3971:
---------------------------------------
Fix Version/s: 2.26.0
Affects Version/s: 2.25.0
2.23.1
2.23.0
2.22.0
2.21.0
2.20.0
Assignee: Robbie Gemmell
Description:
Following https://openjdk.org/jeps/225), the javadoc output on JDK9+ has
included a search box. To enable this various javascript files and a zipped
index are included in the javadoc output. This means they were introduced to
the once the project required Java 11, i.e from 2.20.0, as previously Java 8
was used to run the release builds. These files are of whatever version the JDK
used to run the build has included, and can tend to get stale.
Setting the -noindex option when building the javadoc removes the search, so we
can add this option and remove the need to deal with these files doing stale in
future.
==== Original report =====
Please upgrade the listed libraries, as there are reported vulnerabilities for
them, see the list below. This is a blocker for production deployments.
[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11358]
{quote}jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other
products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
pollution. If an unsanitized source object contained an enumerable
_{_}proto{_}_ property, it could extend the native Object.prototype.
{quote}
[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11022]
{quote}In jQuery versions greater than or equal to 1.2 and before 3.5.0,
passing HTML from untrusted sources - even after sanitizing it - to one of
jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may
execute untrusted code. This problem is patched in jQuery 3.5.0.
{quote}
[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11023]
{quote}In jQuery versions greater than or equal to 1.0.3 and before 3.5.0,
passing HTML containing <option> elements from untrusted sources - even after
sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(),
.append(), and others) may execute untrusted code. This problem is patched in
jQuery 3.5.0.
{quote}
[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31160]
{quote}jQuery UI is a curated set of user interface interactions, effects,
widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are
potentially vulnerable to cross-site scripting. Initializing a checkboxradio
widget on an input enclosed within a label makes that parent label contents
considered as the input label. Calling `.checkboxradio( "refresh" )` on such a
widget and the initial HTML contained encoded HTML entities will make them
erroneously get decoded. This can lead to potentially executing JavaScript
code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue,
someone who can change the initial HTML can wrap all the non-input contents of
the `label` in a `span`.
{quote}
[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23413]
{quote}This affects the package jszip before 3.7.0. Crafting a new zip file
with filenames set to Object prototype values (e.g _{_}proto{_}_, toString,
etc) results in a returned object with a modified prototype instance.
{quote}
was:
Please upgrade the listed libraries, as there are reported vulnerabilities for
them, see the list below. This is a blocker for production deployments.
[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11358]
{quote}jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other
products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
pollution. If an unsanitized source object contained an enumerable
_{_}proto{_}_ property, it could extend the native Object.prototype.
{quote}
[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11022]
{quote}In jQuery versions greater than or equal to 1.2 and before 3.5.0,
passing HTML from untrusted sources - even after sanitizing it - to one of
jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may
execute untrusted code. This problem is patched in jQuery 3.5.0.
{quote}
[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11023]
{quote}In jQuery versions greater than or equal to 1.0.3 and before 3.5.0,
passing HTML containing <option> elements from untrusted sources - even after
sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(),
.append(), and others) may execute untrusted code. This problem is patched in
jQuery 3.5.0.
{quote}
[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31160]
{quote}jQuery UI is a curated set of user interface interactions, effects,
widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are
potentially vulnerable to cross-site scripting. Initializing a checkboxradio
widget on an input enclosed within a label makes that parent label contents
considered as the input label. Calling `.checkboxradio( "refresh" )` on such a
widget and the initial HTML contained encoded HTML entities will make them
erroneously get decoded. This can lead to potentially executing JavaScript
code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue,
someone who can change the initial HTML can wrap all the non-input contents of
the `label` in a `span`.
{quote}
[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23413]
{quote}This affects the package jszip before 3.7.0. Crafting a new zip file
with filenames set to Object prototype values (e.g _{_}proto{_}_, toString,
etc) results in a returned object with a modified prototype instance.
{quote}
Priority: Major (was: Critical)
> remove vulnerable .js deps from javadoc output - jQuery, jQuery UI, jszip
> -------------------------------------------------------------------------
>
> Key: ARTEMIS-3971
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3971
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Components: API
> Affects Versions: 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.23.1, 2.24.0, 2.25.0
> Reporter: Jakub Moravec
> Assignee: Robbie Gemmell
> Priority: Major
> Fix For: 2.26.0
>
>
> Following https://openjdk.org/jeps/225), the javadoc output on JDK9+ has
> included a search box. To enable this various javascript files and a zipped
> index are included in the javadoc output. This means they were introduced to
> the once the project required Java 11, i.e from 2.20.0, as previously Java 8
> was used to run the release builds. These files are of whatever version the
> JDK used to run the build has included, and can tend to get stale.
> Setting the -noindex option when building the javadoc removes the search, so
> we can add this option and remove the need to deal with these files doing
> stale in future.
> ==== Original report =====
> Please upgrade the listed libraries, as there are reported vulnerabilities
> for them, see the list below. This is a blocker for production deployments.
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11358]
> {quote}jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other
> products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype
> pollution. If an unsanitized source object contained an enumerable
> _{_}proto{_}_ property, it could extend the native Object.prototype.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11022]
> {quote}In jQuery versions greater than or equal to 1.2 and before 3.5.0,
> passing HTML from untrusted sources - even after sanitizing it - to one of
> jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may
> execute untrusted code. This problem is patched in jQuery 3.5.0.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11023]
> {quote}In jQuery versions greater than or equal to 1.0.3 and before 3.5.0,
> passing HTML containing <option> elements from untrusted sources - even after
> sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(),
> .append(), and others) may execute untrusted code. This problem is patched in
> jQuery 3.5.0.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31160]
> {quote}jQuery UI is a curated set of user interface interactions, effects,
> widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are
> potentially vulnerable to cross-site scripting. Initializing a checkboxradio
> widget on an input enclosed within a label makes that parent label contents
> considered as the input label. Calling `.checkboxradio( "refresh" )` on such
> a widget and the initial HTML contained encoded HTML entities will make them
> erroneously get decoded. This can lead to potentially executing JavaScript
> code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue,
> someone who can change the initial HTML can wrap all the non-input contents
> of the `label` in a `span`.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23413]
> {quote}This affects the package jszip before 3.7.0. Crafting a new zip file
> with filenames set to Object prototype values (e.g _{_}proto{_}_, toString,
> etc) results in a returned object with a modified prototype instance.
> {quote}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
