You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@activemq.apache.org by "Robbie Gemmell (Jira)" <ji...@apache.org> on 2022/09/06 13:55:00 UTC

[jira] [Comment Edited] (ARTEMIS-3971) Upgrade vulnerable javascript dependencies - jQuery, jQuery UI, jszip

    [ https://issues.apache.org/jira/browse/ARTEMIS-3971?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17600776#comment-17600776 ] 

Robbie Gemmell edited comment on ARTEMIS-3971 at 9/6/22 1:54 PM:
-----------------------------------------------------------------

Not the whole web folder unless you want to remove the entire console etc since there are war files in the root. Though you can actually do that too by modifying the etc/bootstrap.xml file I believe. 

The web dir splits most of the individual bits served from it into subdirs though, should be fairly easy to align with the content by looking at it and perhaps the URLs...e.g manual, api (javadoc), examples as you mentioned.

EDIT: ninja'd...what Justin said, lol.
I havent tried it but as justin said the broker itself doesnt really depend on those bits being there, so you should be able to remove as much or little as you like, with it just 404ing if someone tries to use a bit you remove (you could update the index accordingly to avoid that also).


was (Author: gemmellr):
Not the whole web folder unless you want to remove the entire console etc since there are war files in the root. Though you can actually do that too by modifying the etc/bootstrap.xml file I believe. 

The web dir splits most of the individual bits served from it into subdirs though, should be fairly easy to align with the content by looking at it and perhaps the URLs...e.g manual, api (javadoc), examples as you mentioned.

I havent tried it but as justin said the broker itself doesnt really depend on those bits being there, so you should be able to remove as much or little as you like, with it just 404ing if someone tries to use a bit you remove (you could update the index accordingly to avoid that also).

> Upgrade vulnerable javascript dependencies - jQuery, jQuery UI, jszip
> ---------------------------------------------------------------------
>
>                 Key: ARTEMIS-3971
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3971
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: API
>    Affects Versions: 2.24.0
>            Reporter: Jakub Moravec
>            Priority: Critical
>
> Please upgrade the listed libraries, as there are reported vulnerabilities for them, see the list below. This is a blocker for production deployments.
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11358]
> {quote}jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable _{_}proto{_}_ property, it could extend the native Object.prototype.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11022]
> {quote}In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11023]
> {quote}In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31160]
> {quote}jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.
> {quote}
> [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-23413]
> {quote}This affects the package jszip before 3.7.0. Crafting a new zip file with filenames set to Object prototype values (e.g _{_}proto{_}_, toString, etc) results in a returned object with a modified prototype instance.
> {quote}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)