ServiceStack / Issues

Issue Tracker for the commercial versions of ServiceStack

Vulnerable JS libraries in ServiceStack's OpenAPI NuGet package #793

Closed ashimupd closed 1 year ago

ashimupd commented 1 year ago

The latest and also some previous versions of ServiceStack's OpenAPI NuGet package (ServiceStack.Api.OpenApi, Version 6.8.0), which includes the Swagger UI, bundle specific versions of jQuery and Handlebars (handlebars v4.0.5, jQuery v1.8.0). These libraries have known vulnerabilities.

Here's some description of the vulnerabilities:

Handlebars
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8861
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20920
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20922
- https://security.snyk.io/vuln/SNYK-JS-HANDLEBARS-173692

jQuery
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6708
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251
- https://www.cvedetails.com/cve/CVE-2019-11358/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
- http://research.insecurelabs.org/jquery/test/
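An added check (example code, not from this issue or from ServiceStack) that reads the version banner at the top of a bundled jQuery or Handlebars build, as found in the Swagger UI assets, and lists which of the CVEs cited above still apply to that version. The banner formats and the fixed-in versions are assumptions taken from the CVE records, not from this thread.

```python
import re

# Version banners at the top of the distributed builds (assumed formats).
BANNERS = {
    "jquery": re.compile(r"jQuery\s+v?(\d+\.\d+\.\d+)", re.I),
    "handlebars": re.compile(r"handlebars\s+v?(\d+\.\d+\.\d+)", re.I),
}

# CVE -> first version carrying the fix (assumed from the CVE records;
# the Handlebars entries describe the 4.x line shipped by the package).
FIXED_IN = {
    "jquery": {
        "CVE-2012-6708": "1.9.0",
        "CVE-2015-9251": "3.0.0",
        "CVE-2019-11358": "3.4.0",
        "CVE-2020-11022": "3.5.0",
        "CVE-2020-11023": "3.5.0",
    },
    "handlebars": {
        "CVE-2015-8861": "4.0.0",
        "CVE-2019-19919": "4.3.0",
        "CVE-2019-20922": "4.4.5",
        "CVE-2019-20920": "4.5.3",
    },
}

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def detect(js_source):
    """Return (library, version) for the first known banner found, else None."""
    for lib, pattern in BANNERS.items():
        m = pattern.search(js_source)
        if m:
            return lib, m.group(1)
    return None

def open_cves(lib, version):
    """CVEs whose fix landed after the shipped version, i.e. still applicable."""
    v = parse_version(version)
    return sorted(c for c, fixed in FIXED_IN[lib].items() if v < parse_version(fixed))

def audit(js_source):
    found = detect(js_source)
    if found is None:
        return None
    lib, version = found
    return {"library": lib, "version": version, "open_cves": open_cves(lib, version)}

# Constructed sample banners mimicking the builds named in the issue.
JQUERY_SAMPLE = "/*! jQuery v1.8.0 jquery.com | jquery.org/license */\n(function(a,b){})"
HANDLEBARS_SAMPLE = "/*!\n\n handlebars v4.0.5\n\nCopyright (C) 2011-2015 by Yehuda Katz\n*/"

if __name__ == "__main__":
    for sample in (JQUERY_SAMPLE, HANDLEBARS_SAMPLE):
        print(audit(sample))
```

Run it against the actual `.js` files extracted from the `.nupkg` (it is a zip archive) or served under the Swagger UI path to confirm what a given package version ships.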

mythz commented 1 year ago

The OpenApiFeature was upgraded to latest jQuery 1.x and Handlebars versions in this commit.

This change is available from v6.8.1+ that's now available on MyGet.

FYI the next ServiceStack release, v6.9, should include this fix if you'd rather wait for the next NuGet release.

thx for reporting 👍