SONAR VULNERABILITIES : SONATYPE-2019-0115 org.testng : testng : 7.0.0 for jquery version


Gaurav Deshmukh

Sep 12, 2019, 10:26:17 AM
to testng-dev
Explanation

The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype. An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code.

NOTE: This vulnerability has been assigned CVE-2019-11358.

Advisory Deviation Notice: The Sonatype security research team discovered that the CVSS score of the vulnerability is 9.8, not 6.1 as the advisory states.

Detection

The application is vulnerable by using this component.

Recommendation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Root Cause
testng-7.0.0.jar <= org/testng/jquery-1.7.1.min.js : ( , 3.4.0)
Advisories
Project: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
CVSS Details
Sonatype CVSS 3.0: 9.8 
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
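As an added illustration (not from the original post, nor code from the jQuery or TestNG projects), a minimal deep merge in the style of jQuery.extend(true, target, source): with hardened = false it reproduces the pre-3.4.0 behaviour described above, and with hardened = true it applies the guard jQuery 3.4.0 introduced, which skips a source key named __proto__. The deepExtend and isPolluted names and the JSON input are constructed for this example.

```javascript
// Minimal deep merge modelled on the jQuery.extend(true, ...) loop.
// hardened === false: pre-3.4.0 behaviour (no key filtering).
// hardened === true:  3.4.0 guard, skipping "__proto__" and self-references.
function deepExtend(target, source, hardened) {
  for (const name in source) {
    const copy = source[name];
    // The jQuery 3.4.0 fix: never descend into __proto__, never loop on self.
    if (hardened && (name === '__proto__' || target === copy)) {
      continue;
    }
    const src = target[name]; // for "__proto__" this reads Object.prototype
    if (copy && typeof copy === 'object' && !Array.isArray(copy)) {
      const clone = src && typeof src === 'object' ? src : {};
      target[name] = deepExtend(clone, copy, hardened);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Returns true if merging an untrusted object leaked a property onto
// Object.prototype, then restores the runtime so the check is repeatable.
function isPolluted(hardened) {
  // Constructed sample input: JSON.parse creates an own "__proto__" key.
  const untrusted = JSON.parse('{"__proto__": {"polluted": true}}');
  deepExtend({}, untrusted, hardened);
  const leaked = ({}).polluted === true; // unrelated objects now see it
  delete Object.prototype.polluted;      // clean up
  return leaked;
}

console.log('pre-3.4.0 merge pollutes:', isPolluted(false)); // true
console.log('3.4.0 guarded merge pollutes:', isPolluted(true)); // false
```

The same property lookup shows why a bundled jquery-1.7.1.min.js matters even in a test library: any code path that deep-merges attacker-controlled JSON through the old extend can alter every object in the page.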