jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
If you unpack the JRuby jar, jquery.js can be found here
META-INF/jruby.home/lib/ruby/stdlib/rdoc/generator/template/darkfish/js/jquery.js
In that file we see "jQuery v1.6.4".
CRuby recently fixed this by not shipping the jquery.js file anymore. ruby/ruby@e82719c
The text was updated successfully, but these errors were encountered:
As pointed out, CRuby fixed this by removing the offending files.
This only affects generated rdoc. Because we do not generate rdoc by default for gem installs, I think it would be fine for us to just mimic the CRuby change for JRuby 9.2.9.
I was asked by the security team to open a public issue for this, it's not an urgent security issue.
This CVE ID
https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Describes the following jQuery vulnerability
If you unpack the JRuby jar, jquery.js can be found here
META-INF/jruby.home/lib/ruby/stdlib/rdoc/generator/template/darkfish/js/jquery.js
In that file we see "jQuery v1.6.4".
CRuby recently fixed this by not shipping the jquery.js file anymore.
ruby/ruby@e82719c
The text was updated successfully, but these errors were encountered: