
[Broker-J] Upgrade dojotoolkit to version 1.16.3


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: qpid-java-broker-8.0.5
    • Component/s: Broker-J
    • Labels: None

Description

    The security vulnerability CVE-2020-5258 is reported against dojo-toolkit version 1.16.0.

    A deepCopy method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into the prototypes of existing JavaScript language constructs, such as objects. An attacker manipulates these properties to overwrite, or pollute, the prototype of the application's base object by injecting other values.

    Even if such an attack succeeds and the web management UI is affected by the injected values, it is not expected to have any bearing on the Qpid REST API or on messaging functionality.

    In order to prevent various scanning tools from flagging the issue, we need to upgrade dojotoolkit to version 1.16.3.
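As an added illustration (not code from this issue, from Qpid or from dojo), the following shows a deep copy routine of the kind the advisory describes, where a `__proto__` key in untrusted JSON makes the recursion write into `Object.prototype`, beside a hardened variant that skips prototype-reaching keys. The payload and function names are constructed for this example.

```javascript
// Added example (not Qpid's or dojo's code): a naive recursive deep copy that
// enables prototype pollution, beside a hardened variant. Payload is constructed.

// Vulnerable: every own key of `source` is copied into `target`, recursing into
// nested objects. For the key "__proto__", `target[key]` resolves to
// Object.prototype, so the recursion writes into the prototype of every plain object.
function naiveDeepCopy(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      naiveDeepCopy(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: keys that reach a prototype are skipped, and nested copies only
// descend into objects that `target` owns itself, never into inherited ones.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeDeepCopy(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      safeDeepCopy(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Feeds a constructed payload through a copy function and reports whether an
// unrelated object created beforehand picked up the injected property.
function demo(copyFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}, "name": "ok"}');
  const probe = {};
  const result = copyFn({}, payload);
  const leaked = probe.polluted === "yes";
  delete Object.prototype.polluted; // undo so later runs start clean
  return { leaked, name: result.name };
}
```

`demo(naiveDeepCopy).leaked` is true while `demo(safeDeepCopy).leaked` is false, and the hardened copy still carries ordinary keys such as `name` across.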

People

    Assignee: Unassigned
    Reporter: orudyy (Alex Rudyy)