
Security issues found with jquery and yui-utilities dependencies

Open charlesgreen opened this issue 7 years ago • 4 comments

I came across scriptjs in a template that I am using and found that it has the following two dependencies with known security vulnerabilities. This was for version 2.5.7.

Package link (I also submitted the issue there): https://github.com/istarkov/google-map-react/issues/442#issuecomment-329552961

/myapp/node_modules/scriptjs/vendor/jquery.js
  ↳ jquery 1.5.2 has known vulnerabilities:
    severity: medium; CVE: CVE-2011-4969; http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4969 http://research.insecurelabs.org/jquery/test/
    severity: medium; bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 http://research.insecurelabs.org/jquery/test/
    severity: medium; issue: 2432, summary: 3rd party CORS request may execute; jquery/jquery#2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/

/myapp/node_modules/scriptjs/vendor/yui-utilities.js
  ↳ YUI 2.8.2r1 has known vulnerabilities:
    severity: high; CVE: CVE-2012-5882; http://www.cvedetails.com/cve/CVE-2012-5882/
    severity: high; CVE: CVE-2012-5881; http://www.cvedetails.com/cve/CVE-2012-5881/
    severity: medium; CVE: CVE-2010-4710; http://www.cvedetails.com/cve/CVE-2010-4710/
    severity: high; CVE: CVE-2010-4208; http://www.cvedetails.com/cve/CVE-2010-4208/
    severity: high; CVE: CVE-2010-4207; http://www.cvedetails.com/cve/CVE-2010-4207/

charlesgreen, Sep 15 '17 11:09

Even though there is a vendor directory in the repo, I do not see any of these packages listed in the package.json as dependencies (or used by the package itself), so I think this is fine.

lfender6445, Apr 09 '18 20:04

Just FYI, I used an open source tool called retire.js to scan the source and build a dependency tree using the package.json for each module and their dependencies.

Whether the app uses the code directly or not, by including references (even indirectly via a dependency) the vulnerable code is installed.

https://retirejs.github.io/retire.js/

As a side note, I decided not to use the template because of the vulnerability references here and others found in the template.

charlesgreen, Apr 10 '18 00:04

Bump -- am also hitting this issue when running retire. The libraries only seem to be used for tests and benchmarks, which means they're not actually included in the code that is sent to the client, but it's still an annoyance to have vulnerable code installed along with script.js.

Deevian, Jun 24 '19 11:06

And why don't we just remove the vendor files from the build and deployed package?

devpie, Jul 22 '19 10:07

Inactive - closing ticket.

charlesgreen, Jan 17 '23 22:01

I am facing the same issue too! In the future, are they considering upgrading the jQuery package? At least >1.9.0 would help.

sadashiv-sumasoft, Jan 22 '24 12:01