This repository has been archived by the owner on Oct 9, 2023. It is now read-only.

CVE-2012-6708 (Medium) detected in jquery-1.7.1.min.js #32

Open
mend-for-github-com bot opened this issue Dec 9, 2019 · 4 comments
Labels
security vulnerability Security vulnerability detected by WhiteSource

Comments

@mend-for-github-com

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/openfin-react-hooks/demo/node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /openfin-react-hooks/demo/node_modules/vm-browserify/example/run/index.html,/openfin-react-hooks/demo/node_modules/sockjs/examples/hapi/html/index.html,/openfin-react-hooks/demo/node_modules/sockjs/examples/echo/index.html,/openfin-react-hooks/demo/node_modules/sockjs/examples/express/index.html,/openfin-react-hooks/demo/node_modules/sockjs/examples/multiplex/index.html,/openfin-react-hooks/demo/node_modules/sockjs/examples/express-3.x/index.html

Dependency Hierarchy:

  • jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: c9c569435dd51553be4bbe2b857087c7fe7761be

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

@mend-for-github-com mend-for-github-com bot added the security vulnerability Security vulnerability detected by WhiteSource label Dec 9, 2019
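As an added example (not jQuery's code and not from this issue), here is a small JavaScript model of the two detection rules the advisory text above describes: the pre-1.9.0 rule that treats a string as HTML if '<' appears anywhere, and the 1.9.0+ rule that requires a leading '<'. The function names `looksLikeHtmlPre19`, `looksLikeHtmlFixed`, `classify`, `divergentInputs` and `safeLookup` are chosen here, the sample strings are constructed, and the escaping in `safeLookup` is a simplified stand-in for `CSS.escape` / `jQuery.escapeSelector`.

```javascript
// Added example: a simplified model of the two HTML-vs-selector rules the
// advisory describes. Not jQuery's implementation.

// Rule before jQuery 1.9.0, as described: any '<' anywhere means "HTML".
function looksLikeHtmlPre19(input) {
  return input.indexOf("<") !== -1;
}

// Rule from jQuery 1.9.0 on, as described: only a string that starts with
// '<' is treated as HTML; everything else is parsed as a selector.
function looksLikeHtmlFixed(input) {
  return input.charAt(0) === "<";
}

// Classify one string under both rules so the difference is visible.
function classify(input) {
  return {
    input,
    pre19: looksLikeHtmlPre19(input) ? "html" : "selector",
    fixed: looksLikeHtmlFixed(input) ? "html" : "selector",
  };
}

// Constructed sample inputs. The interesting case is a selector prefix with
// untrusted text appended, the pattern the advisory says the fix narrows.
const SAMPLES = [
  "#results",                   // plain selector: both rules agree
  "<div>server-rendered</div>", // markup: both rules agree
  "#results <b>untrusted</b>",  // selector prefix, untrusted suffix: rules differ
];

// Triage helper: return only the inputs whose interpretation changes between
// versions. These are the call sites whose behaviour the upgrade alters.
function divergentInputs(samples) {
  return samples.map(classify).filter((r) => r.pre19 !== r.fixed);
}

// Defensive construction: keep the intent explicit by escaping untrusted text
// so the combined string can only ever be a selector. Hypothetical helper;
// production code should use CSS.escape or jQuery.escapeSelector instead.
function safeLookup(selectorPrefix, untrustedSuffix) {
  const escaped = untrustedSuffix.replace(/[^\w-]/g, (c) => "\\" + c);
  return selectorPrefix + escaped;
}

module.exports = { looksLikeHtmlPre19, looksLikeHtmlFixed, classify, divergentInputs, safeLookup };
```

Running `divergentInputs` over the strings an application actually passes to `jQuery(...)` shows which call sites the version bump affects. The `safeLookup` case also illustrates the caveat a reviewer would raise: because the pre-1.9 rule keys on any '<', even an escaped selector still trips it, so escaping alone does not substitute for upgrading to 1.9.0 or later.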
@ColinEberhardt
Contributor

@maoo all of the issues raised are very similar in nature, relating to jQuery vulnerabilities. Here's a brief analysis of just one of them ...

Regarding:

/openfin-react-hooks/demo/node_modules/vm-browserify/example/run/index.html

This relates to an example file in the vm-browserify package. This was recently resolved with the following PR that removes the dependency browserify/vm-browserify#27

We depend on this package transitively as follows:

demo@0.1.0 /Users/colineberhardt/Projects/openfin-react-hooks/demo
└─┬ react-scripts@3.0.1
  └─┬ webpack@4.29.6
    └─┬ node-libs-browser@2.2.0
      └── vm-browserify@0.0.4 

However the node-libs-browser package is now deprecated:

NOTE: This library is deprecated and won't accept Pull Requests that include Breaking Changes or new Features. Only bugfixes are accepted.

This makes it very hard to bump the vm-browserify version in our dependency chain.

Also, the 'root' of our dependency is react-scripts, which is a dev-dependency. This significantly minimises the risks associated with this CVE to the point of being negligible.

@maoo @mcleo-d what is a suitable path to resolution? I don't believe any of the issues raised by the WhiteSource bot are significant.

maoo added a commit to maoo/openfin-react-hooks that referenced this issue Dec 11, 2019
See conversation on finos#32
@maoo
Member

maoo commented Dec 11, 2019

Thanks for this @ColinEberhardt . My suggestion would be to define the following exclusions:

  • **/openfin-react-hooks/demo/**
  • **/vm-browserify/example/**
  • **/sockjs/examples/**
  • **/nlf/reports/**

As such, I'd suggest defining the WhiteSource excludes as follows:

excludes=**/openfin-react-hooks/demo/** **/vm-browserify/example/** **/sockjs/examples/** **/nlf/reports/**

PR sent on #37

@mcleo-d
Member

mcleo-d commented Dec 11, 2019

@maoo and @ColinEberhardt - I have reported the sockjs upgrade recommendation to the sockjs team via their responsible disclosure policy. You are cc'd in the initial report.

@mcleo-d
Member

mcleo-d commented Dec 11, 2019

This issue has been previously reported to sockjs and has been closed as below ...
sockjs/sockjs-node#257

Thanks for highlighting @ColinEberhardt 👍

oriondean added a commit that referenced this issue Jan 23, 2020
* Setting up WS excludes

See conversation on #32

* chore: added further documentation

Co-authored-by: Colin Eberhardt <colin.eberhardt@gmail.com>
Co-authored-by: Dean Kerr <oriondean@users.noreply.github.com>