Open spring-projects-issues opened 5 years ago
honnel opened DATAREST-1370 and commented
The Spring Data Rest HAL Browser uses hal-browser, which bundles a very old version of jQuery that has a CVE:
hal-browser (JavaScript) is used by the Spring Data Rest HAL Browser as a webjar:
https://github.com/spring-projects/spring-data-rest/blob/master/spring-data-rest-hal-browser/pom.xml#L16
The webjar uses the following version of hal-browser, with jQuery in version 1.10.2:
https://github.com/mikekelly/hal-browser/blob/ad9b865f6439652a8a7c683731a45d4fb997477f/vendor/js/jquery-1.10.2.min.js
The CVE for this jquery version is: https://nvd.nist.gov/vuln/detail/CVE-2019-11358
Affects: 3.1.6 (Lovelace SR6)
Reference URL: https://github.com/mikekelly/hal-browser/blob/ad9b865f6439652a8a7c683731a45d4fb997477f/vendor/js/jquery-1.10.2.min.js
Oliver Drotbohm commented
I've filed a ticket in the HAL browser project's issue tracker.