Openui5: Security issue in dependencies.

Created on 9 Oct 2019 · 6 comments · Source: SAP/openui5

OpenUI5 v. 1.60: a simple dependency check shows an issue in the following libraries:

In particular, this is a high vulnerability:

https://github.com/wycats/handlebars.js/commit/7372d4e9dffc9d70c09671aa28b9392a1577fd86

Best regards

in progress

All 6 comments

This is for version 1.70

The vulnerability in this library (handlebars.js) has been fixed in versions 4.0.13 and 4.1.0. I think that simply replacing the library in

core-ext-light.js
core-ext-light-3.js
handlebars.js
core-ext.js

will fix the issue

Forwarded #1970505257

Reg. handlebars: Only thirdparty/handlebars.js needs to be replaced; the others are just bundles packaging it during the build.

Reg. jQuery: most of the jQuery "matches" are false positives or repackaged versions of thirdparty/jquery.js. Not sure how you created those lists, but CVE numbers would be helpful. jQuery 2.2.3, for example, is a patched version where we fixed issues regarding JavaScript execution of AJAX responses as well as the prototype pollution reported for jQuery.extend.
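The comment above makes a point worth checking mechanically: thirdparty/handlebars.js is the single source, and the core-ext bundles only repackage it at build time, so a fix is complete only when every bundle has been rebuilt from the replaced copy. The script below is an added example, not OpenUI5 or SAP code, of a post-upgrade check that scans built files for embedded Handlebars version markers and reports (a) any copy older than the fixed version and (b) any bundle whose embedded copy disagrees with the source file. The file contents are constructed samples, and the assumed marker form (`VERSION = '4.4.3'`, as found in Handlebars distribution files) is an assumption to adjust for the bundles you actually ship.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inputs standing in for files in a build output.
# The stale copy in core-ext-light.js models a bundle that was not rebuilt
# after thirdparty/handlebars.js was replaced.
SAMPLE_FILES: Dict[str, str] = {
    "thirdparty/handlebars.js": "/*! handlebars */ var VERSION = '4.4.3';\n",
    "core-ext-light.js": "(function(){ var VERSION = '4.0.12'; /* stale embedded copy */ })();\n",
    "core-ext-light-3.js": "(function(){ var VERSION = '4.4.3'; })();\n",
    "core-ext.js": "var a=1; Handlebars.VERSION = \"4.4.3\"; var b=2;\n",
    "thirdparty/jquery.js": "/*! jQuery v2.2.3 */ (function(){})();\n",
}

# Assumption: Handlebars distribution files carry their version as
#   var VERSION = '4.4.3';   or   Handlebars.VERSION = "4.4.3"
VERSION_RE = re.compile(r"""\bVERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]""")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.0.13' into (4, 0, 13) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def find_handlebars_versions(text: str) -> List[str]:
    """All Handlebars version markers in one file, in order of appearance."""
    return VERSION_RE.findall(text)


def stale_files(files: Dict[str, str], minimum: str) -> List[str]:
    """Files that embed a Handlebars copy older than `minimum` (sorted)."""
    floor = parse_version(minimum)
    return sorted(
        name
        for name, text in files.items()
        if any(parse_version(v) < floor for v in find_handlebars_versions(text))
    )


def out_of_sync_with_source(
    files: Dict[str, str], source: str = "thirdparty/handlebars.js"
) -> List[str]:
    """Bundles whose embedded Handlebars version differs from the source file.

    Files without any marker (for example jQuery) are ignored: they do not
    package Handlebars at all.
    """
    source_versions = set(find_handlebars_versions(files[source]))
    return sorted(
        name
        for name, text in files.items()
        if name != source
        and find_handlebars_versions(text)
        and set(find_handlebars_versions(text)) != source_versions
    )


if __name__ == "__main__":
    # Fixed versions named in the thread: 4.0.13 / 4.1.0; upgrade went to 4.4.3.
    print("older than 4.0.13:", stale_files(SAMPLE_FILES, "4.0.13"))
    print("bundles not rebuilt:", out_of_sync_with_source(SAMPLE_FILES))
```

On a real build you would read the files from the deployed resources directory and run both checks after every release build; an empty result from both means the single-source replacement actually reached every bundle, which is the condition under which "only thirdparty/handlebars.js needs to be replaced" holds.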

I've just run the dependency check tool from OWASP. I agree about your jQuery comment.

Updated to handlebars 4.4.3 via: https://github.com/SAP/openui5/commit/fd1d965b8dbcac04a9df1106d6a173dd871a5346 (unfortunately missed adding the fixes) - downports to older releases are prepared and will be submitted soon.
