DependencyCheck
RetireJS vulnerability flagged on `springfox-swagger-ui-3.0.0.jar`?
The OWASP Dependency Check flagged the following vulnerability in one of our projects:
springfox-swagger-ui-3.0.0.jar: swagger-ui-bundle.js (pkg:javascript/[email protected]) : Fix a possible XSS in Chrome that is hidden behind #enable-experimental-web-platform-features, Fixed a new MathML-based bypass submitted by PewGrand. Fixed a new SVG-related bypass submitted by SecurityMB, Fixed an mXSS bypass dropped on us publicly via, Fixed an mXSS issue reported, Fixed an mXSS-based bypass caused by nested forms inside MathML, Fixed another bypass causing mXSS by using MathML, Fixed several possible mXSS patterns, thanks @hackvertor
This is the first time I'm encountering a flagged vulnerability that has neither a CPE pattern nor a CVE number associated with it. Apparently, this is a RetireJS vulnerability?
Currently, no newer version of springfox-swagger-ui has been released. Also, it apparently has no transitive dependencies that could be overridden to newer available versions.
I opened a ticket at the Springfox project to inquire whether a version with a mitigation could be released, or whether it could possibly be a false positive, but in the meantime, I'm asking this here as well. Is this a legit vulnerability, or could it somehow immediately be identified as a false positive on the part of the Dependency Check plugin?
The text behind the flagged package(s) looks like a changelog for a newer version, implying that some kind of XSS vulnerability was fixed. A bit confusing to display it like this, to be honest.
Hi @jeremylong
Can you take a look at this and see if this is problem in the DependencyCheck?
We are also seeing this occurring in our project now out of the blue (it was not tagged with this CVE at least until 12 hrs ago, prior to the first occurrence). We started seeing this around 11 am UTC today (14th September 2022).
Webjars contain JavaScript. In this case it looks like DOMPurify might be included in the JAR and was detected by the RetireJS analyzer.
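One way to confirm what the analyzer matched on, as an added example that is not part of this thread or of Dependency Check itself: open the webjar, scan its JavaScript entries for the DOMPurify version marker, and compare the bundled version with the version an advisory names. The JAR content, entry paths and version number below are constructed for the demonstration, and the marker regex is a heuristic of my own, not RetireJS's rule set.

```python
import io
import re
import zipfile

# Heuristic marker for a bundled DOMPurify build (assumption, not RetireJS's
# own rule set): both the readable and the minified distribution assign
# `<obj>.version = "<semver>"` immediately followed by `<obj>.removed = []`.
DOMPURIFY_MARKER = re.compile(
    r'\.version\s*=\s*["\'](\d+\.\d+\.\d+)["\'][;,]?\s*\w+\.removed\s*=\s*\[\s*\]'
)


def find_bundled_dompurify(jar_bytes):
    """Return {js_entry_path: dompurify_version} for every JavaScript file
    inside the JAR (webjar) that carries the DOMPurify marker."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".js"):
                continue
            text = jar.read(entry).decode("utf-8", errors="replace")
            match = DOMPURIFY_MARKER.search(text)
            if match:
                found[entry] = match.group(1)
    return found


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def is_older_than(version, fixed_version):
    """True when the bundled version predates the version an advisory names."""
    return version_tuple(version) < version_tuple(fixed_version)


def build_sample_jar():
    """Constructed stand-in for a swagger-ui webjar: the JS content, the
    entry paths and the version number are made up for this example."""
    bundle_js = (
        '!function(e,t){e.DOMPurify=t()}(this,function(){'
        'var e={};e.version="2.0.0",e.removed=[];return e});'
        '/* the rest of swagger-ui-bundle.js would follow here */'
    )
    other_js = "window.SwaggerUIStandalonePreset = {};"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/resources/webjars/example-ui/swagger-ui-bundle.js", bundle_js)
        jar.writestr("META-INF/resources/webjars/example-ui/standalone-preset.js", other_js)
    return buf.getvalue()


if __name__ == "__main__":
    for path, version in find_bundled_dompurify(build_sample_jar()).items():
        print(f"{path}: bundled DOMPurify {version}")
```

Run it against the real JAR by passing its bytes to `find_bundled_dompurify`; a hit tells you which entry RetireJS keyed on and which version to compare with the advisory.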