QPID-8511: [Broker-J] Upgrade dojotoolkit to version 1.16.3


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: qpid-java-broker-8.0.5
    • Component/s: Broker-J
    • Labels: None

      Description

      A security vulnerability CVE-2020-5258 is reported against dojo-toolkit version 1.16.0.

      A deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values.

      Even if an attack exploiting the vulnerability succeeds and the UI is affected by the injected code, it is not expected to have any bearing on the Qpid REST API or messaging functionality.

      In order to prevent various scanning tools from flagging the issue, we need to upgrade dojotoolkit to version 1.16.3.
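The following is an added illustration of the deep-copy weakness class the description refers to; it is constructed for this page and is not dojo's own `deepCopy` code. It assumes a naive recursive copy/merge of the shape shown, a constructed untrusted JSON document, and the hypothetical helper names `naiveDeepCopy`, `safeDeepCopy` and `runCopy`. It shows why a recursive copy that walks into an own `__proto__` key ends up writing to `Object.prototype`, and what the hardened form checks.

```javascript
// Added example (not dojo's code): a naive recursive deep copy of the kind
// affected by prototype pollution, next to a hardened version.

// Keys that must never be walked into or assigned from untrusted input:
// assigning through them rewrites the prototype chain rather than setting a
// plain own property on the target.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable pattern: for..in visits an own "__proto__" key produced by
// JSON.parse, and target["__proto__"] resolves to Object.prototype, so the
// recursion copies the nested properties onto every object's prototype.
function naiveDeepCopy(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveDeepCopy(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: iterate own keys only, refuse the prototype-related keys,
// and only descend into containers that are the target's own properties.
function safeDeepCopy(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeDeepCopy(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input, as a JSON body received from a client might be.
const UNTRUSTED_JSON = '{"name": "demo", "__proto__": {"isAdmin": true}}';

// Runs one copy function over the untrusted input and reports whether an
// unrelated, freshly created object picked up the injected property.
function runCopy(copyFn) {
  const source = JSON.parse(UNTRUSTED_JSON);
  const result = copyFn({}, source);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo any pollution so later code is unaffected
  return { name: result.name, leaked };
}

console.log('naive:', runCopy(naiveDeepCopy)); // leaked: true
console.log('safe: ', runCopy(safeDeepCopy));  // leaked: false
```

The `leaked` flag in `runCopy` is the check a test suite can keep around after upgrading a library: create an empty object after copying untrusted input and confirm it has not gained properties. As defence in depth, an application that never legitimately extends built-in prototypes can also call `Object.freeze(Object.prototype)` at startup, which turns such writes into no-ops (or throws in strict mode).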

            People

            • Assignee: Unassigned
            • Reporter: orudyy Alex Rudyy
            • Votes: 0
            • Watchers: 2