spring-projects / spring-data-rest

Simplifies building hypermedia-driven REST web services on top of Spring Data repositories
https://spring.io/projects/spring-data-rest
Apache License 2.0

HAL Browser bundles old jquery version with CVE [DATAREST-1370] #1730

Open spring-projects-issues opened 5 years ago

spring-projects-issues commented 5 years ago

honnel opened DATAREST-1370 and commented

The Spring Data Rest HAL Browser uses hal-browser, which bundles jQuery in a very old version with a CVE:

hal-browser (javascript) is used by Spring Data Rest HAL Browser as webjar:

https://github.com/spring-projects/spring-data-rest/blob/master/spring-data-rest-hal-browser/pom.xml#L16

The webjar uses the following version of hal-browser, with jQuery in version 1.10.2:

https://github.com/mikekelly/hal-browser/blob/ad9b865f6439652a8a7c683731a45d4fb997477f/vendor/js/jquery-1.10.2.min.js

The CVE for this jquery version is: https://nvd.nist.gov/vuln/detail/CVE-2019-11358

Affects: 3.1.6 (Lovelace SR6)

Reference URL: https://github.com/mikekelly/hal-browser/blob/ad9b865f6439652a8a7c683731a45d4fb997477f/vendor/js/jquery-1.10.2.min.js
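As an added example (not part of this issue or of the Spring Data REST project's code), the following script shows how a defender can inspect a webjar on the classpath for bundled jQuery builds older than 3.4.0, the jQuery release that fixed CVE-2019-11358. It opens the jar as a zip archive, parses the version out of file names such as `jquery-1.10.2.min.js`, and reports which copies are affected. The jar built inside the script is constructed for the example: the version directory name and file contents are placeholders, only the paths matter for the check.

```python
import io
import re
import zipfile
from typing import List, Optional, Tuple

# CVE-2019-11358 (prototype pollution in jQuery's $.extend) was fixed in jQuery 3.4.0,
# so any bundled copy with a lower version is affected.
FIXED_VERSION: Tuple[int, int, int] = (3, 4, 0)

# Matches bundled jQuery files such as "jquery-1.10.2.min.js" or "jquery-3.5.1.js".
# Deliberately does not match plugins like "jquery-ui.js", which have their own versioning.
JQUERY_FILE = re.compile(r"(?:^|/)jquery-(\d+)\.(\d+)\.(\d+)(?:\.min)?\.js$")


def parse_version(path: str) -> Optional[Tuple[int, int, int]]:
    """Return the (major, minor, patch) version embedded in a jQuery file name, or None."""
    match = JQUERY_FILE.search(path)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def scan_webjar(jar_bytes: bytes) -> List[Tuple[str, Tuple[int, int, int], bool]]:
    """Scan a jar (zip) and return (path, version, vulnerable) for every bundled jQuery."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            version = parse_version(entry)
            if version is not None:
                findings.append((entry, version, version < FIXED_VERSION))
    return findings


def vulnerable_paths(jar_bytes: bytes) -> List[str]:
    """Convenience wrapper: just the paths of affected jQuery copies."""
    return [path for path, _, vulnerable in scan_webjar(jar_bytes) if vulnerable]


def build_sample_webjar() -> bytes:
    """Constructed sample webjar mirroring the layout described in the issue.

    "VERSION-PLACEHOLDER" stands in for the webjar's version directory; the JavaScript
    bodies are placeholders since only the file paths are inspected.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        base = "META-INF/resources/webjars/hal-browser/VERSION-PLACEHOLDER/"
        jar.writestr(base + "browser.html", "<html></html>")
        jar.writestr(base + "vendor/js/jquery-1.10.2.min.js", "/* placeholder */")
        # A second, hypothetical webjar carrying a patched jQuery, to show the check passing.
        jar.writestr("META-INF/resources/webjars/other-lib/1.0.0/js/jquery-3.5.1.min.js",
                     "/* placeholder */")
    return buf.getvalue()


if __name__ == "__main__":
    for path, version, vulnerable in scan_webjar(build_sample_webjar()):
        status = "AFFECTED by CVE-2019-11358" if vulnerable else "ok"
        print(f"{path}: jQuery {'.'.join(map(str, version))} -> {status}")
```

In a real deployment, point `scan_webjar` at the bytes of each jar on the application classpath (for example by walking the `BOOT-INF/lib` entries of a Spring Boot fat jar). Note that the check is based on file names only; a copy of jQuery renamed to `jquery.min.js` would need a content-based check (the version string near the top of the file) instead.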

spring-projects-issues commented 5 years ago

Oliver Drotbohm commented

I've filed a ticket in the HAL browser project's issue tracker