Vulnerable version of jquery packaged in cucumber-core #1971

aikebah · 2020-05-11T10:22:42Z

Describe the bug
An OWASP depenendency-check plugin run against an internal test library surfaced a vulnerable version of jquery is packaged within the cucumber-core library.

To Reproduce

Run OWASP dependency-check against any version of cucumber-core.
See it indicating a vulnerable version (3.4.1) of jquery in the analysis results.

Expected behavior
Cucumber-core has no vulnerable libraries included.

Context & Motivation

While I suspect that the given vulnerability (XSS vulnerability in html.preFilter) is not directly applicable to the library I would expect vulnerable javascript libraries to be fixed in a subsequent cucumber release.

Your Environment

Version used: 5.7.0; validated in github that the current master still uses jquery-3.4.1.min.js

Additional context
See JQuery's release-notes for version 3.5.0 for details on the vulnerability as well as notes on potentially breaking code that depended on the old behaviour:
https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

aikebah added the 🐛 bug Defect / Bug label May 11, 2020

timtebeek self-assigned this May 12, 2020

timtebeek mentioned this issue May 12, 2020

Upgrade JQuery to 3.5.1 through webjars, for easier Maven version bumps #1972

Closed

6 tasks

mpkorstanje closed this as completed in 18ca31a May 14, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Vulnerable version of jquery packaged in cucumber-core #1971

Vulnerable version of jquery packaged in cucumber-core #1971

aikebah commented May 11, 2020

Vulnerable version of jquery packaged in cucumber-core #1971

Vulnerable version of jquery packaged in cucumber-core #1971

Comments

aikebah commented May 11, 2020