search

gdsmith / jquery.easing

jQuery Easing Plugin
http://gsgd.co.uk/sandbox/jquery/easing
Other
922 stars 423 forks source link

How to disable the jquery easing reference from Jquery "src" file #56

Open gopi1989 opened 1 month ago

gopi1989 commented 1 month ago

Hi @Everyone , I am using jQuery , jQuery UI and jQuery easing for my project and used via NPM (package.json).

While doing vulnerability scan jQuery UI / jQuery easing considered as vulnerability and security team recommended to remove the jQuery UI & jQuery Easing / Write wrapper for jQuery UI & jQuery.easing

I need a workaround to remove the reference of jQuery easing from Jquery lib source code either wrapper for jQuery easing.

Vulnerability description given by our Appsec Team

Recommended Version(s): No recommended versions are available for the current component.

Explanation: The jquery package is vulnerable to Denial of Service (DoS). The jQuery.each( jQuery.expr.match.bool.source.match( /\w+/g ) function in the attr.js file lacks the logic to convert the attribute name into lowercase. Any attribute getter using a mixed-cased name for the boolean attributes goes into infinite recursion, exceeding the stack call limit. This causes Denial of Service (DoS).

Note: This vulnerability has been assigned CVE-2016-10707.

Advisory Deviation Notice: The Sonatype Security Research team discovered that this vulnerability was introduced in version 1.11.0-beta3 and not 3.0.0-rc1 as stated in the advisory. This finding coincides with issues reported against versions 2.2.4 and 1.12.14 and confirmed by jQuery maintainers several months after this vulnerability's initial publication. Detection: The application is vulnerable by using this component. Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control. Threat Vectors: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Thanks in Advance ! Expecting helping hands

Regards, Gopi

gopi1989 commented 1 month ago

@brettz9 , @Krinkle , @dmethvin , @graingert Guys need a help on my issue.