-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
TestNG using vulnerable jQuery-UI version in Maven dependency (CVE-2022-31160) #2972
Comments
@cristinac42 - I am not sure I understood this issue. The web-jars provided jquery bundle that we use has no other maven dependencies https://mvnrepository.com/artifact/org.webjars/jquery/3.6.1 I also looked at the While I dont have any issues with TestNG upgrading the versions, but out of curiosity I was trying to understand the relevance of this issue with TestNG. Can you please let me know ? |
I am getting this in IntelliJ for TestNG 2.8.0 Provides transitive vulnerable dependency maven:org.webjars:jquery:3.6.1 CVE-2014-6071 6.1 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability Results powered by Checkmarx(c) |
@melloware - If you are using TestNG as a maven dependency, you should be able to add an exclusion to this version and explicitly upgrade to the next version to get past this problem. This will be addressed in the next release of TestNG (dates are not yet decided. Am working on wrapping up a few more issues to be included in the next release)
You mean |
Yes 7.8.0 sorry |
TestNG utilizes jQuery version 3.6.1 as a Maven dependency. However, this version of jQuery, in turn, depends on an earlier version of jQuery-UI (prior to 1.13.2) that contains a security vulnerability known as CVE-2022-31160.
CVE Description:
jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label treats the parent label contents as the input label. Calling .checkboxradio( "refresh" ) on such a widget, along with initial HTML containing encoded HTML entities, may erroneously decode them. This can lead to the potential execution of malicious JavaScript code. The issue has been addressed in the patched version, jQuery UI 1.13.2. As a mitigation measure, modifying the initial HTML by wrapping all non-input contents of the label in a span is recommended.
Affected Component:
TestNG's Maven dependency on jQuery 3.6.1, which includes a vulnerable version of jQuery-UI prior to 1.13.2.
Impact:
The utilization of the vulnerable jQuery-UI version within the TestNG project may expose the application to cross-site scripting attacks. An attacker could potentially exploit this vulnerability to inject and execute arbitrary JavaScript code within the application context, compromising its integrity and potentially compromising user data.
Solution Proposal:
Since the vulnerable jQuery-UI version is imposed by the dependency on jQuery 3.6.1, it is suggested to update the jQuery dependency to a version that includes jQuery-UI 1.13.2 or above. By utilizing a patched version, the application can mitigate the risk associated with this vulnerability.
The text was updated successfully, but these errors were encountered: