CVE-2012-6708 (Medium) detected in jquery-1.7.1.min.js

[mend-for-github-com]

CVE-2012-6708 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.7.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js

Path to dependency file: /tmp/ws-scm/openfin-react-hooks/demo/node_modules/vm-browserify/example/run/index.html

Path to vulnerable library: /openfin-react-hooks/demo/node_modules/vm-browserify/example/run/index.html,/openfin-react-hooks/demo/node_modules/sockjs/examples/hapi/html/index.html,/openfin-react-hooks/demo/node_modules/sockjs/examples/echo/index.html,/openfin-react-hooks/demo/node_modules/sockjs/examples/express/index.html,/openfin-react-hooks/demo/node_modules/sockjs/examples/multiplex/index.html,/openfin-react-hooks/demo/node_modules/sockjs/examples/express-3.x/index.html

Dependency Hierarchy:

• ❌ jquery-1.7.1.min.js (Vulnerable Library)

Found in HEAD commit: c9c569435dd51553be4bbe2b857087c7fe7761be

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

[ColinEberhardt]

@maoo all of the issues raised are very similar in nature, relating to jQuery vulnerabilities. Here's a brief analysis of just one of them ...

Regarding:

/openfin-react-hooks/demo/node_modules/vm-browserify/example/run/index.html

This relates to an example file in the vm-browserify package. This was recently resolved with the following PR that removes the dependency browserify/vm-browserify#27

We depend on this package transitively as follows:

demo@0.1.0 /Users/colineberhardt/Projects/openfin-react-hooks/demo
└─┬ react-scripts@3.0.1
  └─┬ webpack@4.29.6
    └─┬ node-libs-browser@2.2.0
      └── vm-browserify@0.0.4 

However the node-libs-browser package is now deprecated:

NOTE: This library is deprecated and won't accept Pull Requests that include Breaking Changes or new Features. Only bugfixes are accepted.

This makes it very hard to bump the vm-browserify version in our dependency chain.

Also, the 'root' of our dependency is react-scripts, which is a dev-dependency. This significantly minimises the risks associated this this CVE to the point of being negligible.

@maoo @mcleo-d what is a suitable path to resolution? I don't believe any of the issues raised by the WhiteSource bot are significant.

[maoo]

Thanks for this @ColinEberhardt . My suggestion would be to define the following exclusions:

• **/openfin-react-hooks/demo/**
• **/vm-browserify/example/**
• **/sockjs/examples/**
• **/nlf/reports/**

As such, I'd suggest to the define WhiteSource excludes as follows:

excludes=**/openfin-react-hooks/demo/** **/vm-browserify/example/** **/sockjs/examples/** **/nlf/reports/**

PR sent on #37

[mcleo-d]

@maoo and @ColinEberhardt - I have reported the sockjs upgrade recommendation to the sockjs team via their responsible disclosure policy. You are cc'd in the initial report.

[mcleo-d]

This issue has been previously reported to sockjs and has been closed as below ...
sockjs/sockjs-node#257

Thanks for highlighting @ColinEberhardt 👍