
Update dependency jquery-rails to '~> 4.4.0' [SECURITY] #3378

Closed


renovate[bot] (Contributor) commented Apr 28, 2024

Mend Renovate

This PR contains the following updates:

Package: jquery-rails
Change: '~> 4.2.1' -> '~> 4.4.0'

GitHub Vulnerability Alerts

CVE-2020-11023

Impact

Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To work around this issue without upgrading, use DOMPurify with its SAFE_FOR_JQUERY option to sanitize the HTML string before passing it to a jQuery method.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.

CVE-2019-11358

jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

CVE-2020-23064

Cross Site Scripting vulnerability in jQuery v.2.2.0 until v.3.5.0 allows a remote attacker to execute arbitrary code via the <options> element.

CVE-2020-11022

Impact

Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.

Patches

This problem is patched in jQuery 3.5.0.

Workarounds

To work around the issue without upgrading, add the following to your code:

// Replace the built-in prefilter with an identity function so the HTML string
// reaches the parser unchanged (this is also the default behaviour from 3.5.0).
jQuery.htmlPrefilter = function( html ) {
	return html;
};

You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.

References

https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
https://jquery.com/upgrade-guide/3.5/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery repo. If you don't find an answer, open a new issue.


XSS in jQuery as used in Drupal, Backdrop CMS, and other products

CVE-2019-11358 / GHSA-6c3j-c64m-qhgq / SNYK-JS-JQUERY-174006

Details: as given under CVE-2019-11358 above.

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


jQuery Cross Site Scripting vulnerability

CVE-2020-23064 / GHSA-257q-pv89-v3xv / SNYK-JS-JQUERY-565129

Details: as given under CVE-2020-23064 above.

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N



Potential XSS vulnerability in jQuery

BIT-drupal-2020-11023 / CVE-2020-11023 / GHSA-jpcq-cgw6-v4j6

Details: as given under CVE-2020-11023 above.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N



Potential XSS vulnerability in jQuery

BIT-drupal-2020-11022 / CVE-2020-11022 / GHSA-gxr4-xjj5-5px2

Details: as given under CVE-2020-11022 above.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N



Release Notes

rails/jquery-rails (jquery-rails)

v4.4.0

v4.3.5

  • update jquery to 3.4.1

v4.3.4

  • update jquery to 3.4.0

v4.3.3

  • update jquery to 3.3.1

v4.3.2

  • update jquery to 3.3.0
  • Add possibility to test HTML: all, attribute prefix, attribute contains,
    attribute ends with, child, and class selectors
  • Fix matching multiple calls for the same selector/function exception

v4.3.1

  • update jquery to 3.2.1

v4.3.0

  • update jquery to 3.2.0
  • Add possibility to test HTML attribute selectors

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
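The CVE-2020-11022 advisory in the PR body says that sanitized HTML can still execute when handed to jQuery's DOM methods, and that the workaround is to make jQuery.htmlPrefilter return its input unchanged. The following is an added example (not jQuery's code and not part of this PR) that shows the mechanism in plain Node.js: a self-closing-tag expansion modelled on the jQuery 3.4.x htmlPrefilter, a minimal model of the HTML raw-text rule for <style> and <script>, and a constructed input that a DOM-based sanitizer sees as one inert <style> element but that the legacy prefilter turns into a live <img> tag. The regex and the scanner are assumptions made for illustration; the scanner is not a full HTML parser.

```javascript
// Added example, not jQuery's code. Node.js, no dependencies.
// Shows why jQuery < 3.5 could turn sanitized HTML into live markup:
// htmlPrefilter expanded "<tag/>" into "<tag></tag>", which can close a
// raw-text element (<style>, <script>) earlier than the sanitizer saw it.

// Self-closing-tag expansion modelled on the jQuery 3.4.x htmlPrefilter
// (the exclusion list is the void elements jQuery left alone).
const rxhtmlTag =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// What jQuery 3.5.0 does, and what the advisory's workaround installs:
// hand the string to the parser untouched.
function patchedHtmlPrefilter(html) {
  return html;
}

// Simplified model of an HTML tokenizer's raw-text rule: once <style> or
// <script> is open, nothing is a tag until the matching end tag.
// Returns the element names the parser would actually create.
// Assumption: this scanner is only as faithful as needed to show the escape;
// it is not a full HTML parser.
const RAW_TEXT_ELEMENTS = new Set(["style", "script"]);

function parsedElements(html) {
  const tagRe = /<(\/?)([a-z][a-z0-9]*)[^>]*>/gi;
  const created = [];
  let rawTextOpen = null;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const isEndTag = m[1] === "/";
    const name = m[2].toLowerCase();
    if (rawTextOpen !== null) {
      if (isEndTag && name === rawTextOpen) rawTextOpen = null;
      continue; // still raw text: the sanitizer and the browser ignore it
    }
    if (isEndTag) continue;
    created.push(name);
    if (RAW_TEXT_ELEMENTS.has(name)) rawTextOpen = name;
  }
  return created;
}

// Constructed payload. A DOM-based sanitizer parses it as a single <style>
// element whose content is inert text, so it passes unchanged.
const SANITIZED_INPUT = "<style><style/><img src=x onerror=alert(1)>";

// Elements the page really receives once a given prefilter has run.
function elementsCreatedBy(prefilter, html) {
  return parsedElements(prefilter(html));
}

function main() {
  console.log("sanitizer saw:", parsedElements(SANITIZED_INPUT));
  console.log("jQuery 3.5 / workaround:", elementsCreatedBy(patchedHtmlPrefilter, SANITIZED_INPUT));
  console.log("jQuery < 3.5:", elementsCreatedBy(legacyHtmlPrefilter, SANITIZED_INPUT));
}

main();
```

Run it with `node` and compare the three lines: the sanitizer and the patched prefilter both yield only `style`, while the legacy rewrite produces `<style><style></style><img ...>`, whose synthesized `</style>` ends the raw-text region and lets the `<img>` element (with its event handler) reach the document. This is why the advisory says sanitizing before the jQuery call is not enough on its own: the prefilter changes the string after the sanitizer has judged it.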

@knu knu changed the title chore(deps): update dependency jquery-rails to '~> 4.4.0' [security] rebase! chore(deps): update dependency jquery-rails to '~> 4.4.0' [security] Apr 28, 2024
@renovate renovate bot force-pushed the renovate/rubygems-jquery-rails-vulnerability branch from 221d83f to ad819fb Compare April 28, 2024 12:42
@renovate renovate bot changed the title rebase! chore(deps): update dependency jquery-rails to '~> 4.4.0' [security] chore(deps): update dependency jquery-rails to '~> 4.4.0' [security] Apr 28, 2024
@renovate renovate bot force-pushed the renovate/rubygems-jquery-rails-vulnerability branch from ad819fb to 179f1e4 Compare April 28, 2024 12:43
@renovate renovate bot force-pushed the renovate/rubygems-jquery-rails-vulnerability branch 2 times, most recently from 2ac8a33 to 6d47400 Compare April 28, 2024 13:03
@renovate renovate bot changed the title chore(deps): update dependency jquery-rails to '~> 4.4.0' [security] Update dependency jquery-rails to '~> 4.4.0' [SECURITY] Apr 28, 2024
@renovate renovate bot force-pushed the renovate/rubygems-jquery-rails-vulnerability branch from 6d47400 to 0a6d972 Compare April 28, 2024 13:08
@renovate renovate bot force-pushed the renovate/rubygems-jquery-rails-vulnerability branch from 0a6d972 to ca8b851 Compare April 28, 2024 13:10
knu (Member) commented Apr 28, 2024

Updated in 0703046.

@knu knu closed this Apr 28, 2024
@knu knu deleted the renovate/rubygems-jquery-rails-vulnerability branch April 28, 2024 13:37
@trafico-bot trafico-bot bot added the 🔍 Ready for Review Pull Request is not reviewed yet label Apr 28, 2024
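The CVE-2019-11358 entry in the PR body describes prototype pollution through jQuery.extend(true, {}, ...) when a source object carries an enumerable __proto__ property. The following is an added example (not jQuery's code and not part of this PR) that reproduces the mechanism with a deep merge written in the shape of jQuery.extend: the vulnerable form, then the same merge with the "__proto__" skip that jQuery 3.4.0 introduced. The merge functions, isPlainObject and UNTRUSTED_JSON are constructed for illustration and are not jQuery's implementation.

```javascript
// Added example, not jQuery's code. Node.js, no dependencies.
// A deep merge in the shape of jQuery.extend(true, target, source), first as
// jQuery < 3.4.0 behaved, then with the "__proto__" check 3.4.0 added.

// Plain-object test in the spirit of jQuery.isPlainObject: object literals,
// JSON.parse results and Object.create(null) qualify. Note that
// Object.prototype itself qualifies too (its prototype is null), which is
// exactly what the vulnerable merge relies on.
function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

// Vulnerable: for-in copies every enumerable key, "__proto__" included.
// JSON.parse creates "__proto__" as an ordinary own property, but reading
// target["__proto__"] goes through the Object.prototype accessor and returns
// the target's prototype. The recursion then merges into Object.prototype.
function deepExtendVulnerable(target, source) {
  for (const key in source) {
    const copy = source[key];
    if (isPlainObject(copy)) {
      const existing = target[key];
      target[key] = deepExtendVulnerable(isPlainObject(existing) ? existing : {}, copy);
    } else if (copy !== undefined) {
      target[key] = copy;
    }
  }
  return target;
}

// Fixed: skip "__proto__" (the check jQuery 3.4.0 added) and only read
// own properties of the target when deciding what to merge into.
function deepExtendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (key === "__proto__") continue;
    const copy = source[key];
    if (isPlainObject(copy)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = deepExtendSafe(isPlainObject(existing) ? existing : {}, copy);
    } else if (copy !== undefined) {
      target[key] = copy;
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON settings body that a page merges
// into its defaults.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Merge the untrusted document into fresh defaults with the given merge
// function and report whether an unrelated object created afterwards now
// answers true to isAdmin. Any pollution is removed before returning so the
// rest of the process is unaffected.
function mergeAndCheck(extendFn) {
  const settings = { theme: "light" };
  extendFn(settings, JSON.parse(UNTRUSTED_JSON));
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { theme: settings.theme, polluted };
}

console.log("vulnerable:", mergeAndCheck(deepExtendVulnerable)); // { theme: 'dark', polluted: true }
console.log("fixed:     ", mergeAndCheck(deepExtendSafe));       // { theme: 'dark', polluted: false }
```

Both merges copy the legitimate `theme` key; only the vulnerable one also writes `isAdmin` onto Object.prototype, so a completely unrelated object created later inherits it. The fix is deliberately a key-name check rather than a sanitizer on the input, because the dangerous property arrives as a perfectly ordinary own key from JSON.parse.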