The OWASP Dependency Check flagged the following vulnerability in one of our projects:
springfox-swagger-ui-3.0.0.jar: swagger-ui-bundle.js (pkg:javascript/DOMPurify@2.0.7) : Fix a possible XSS in Chrome that is hidden behind #enable-experimental-web-platform-features, Fixed a new MathML-based bypass submitted by PewGrand. Fixed a new SVG-related bypass submitted by SecurityMB, Fixed an mXSS bypass dropped on us publicly via, Fixed an mXSS issue reported, Fixed an mXSS-based bypass caused by nested forms inside MathML, Fixed another bypass causing mXSS by using MathML, Fixed several possible mXSS patterns, thanks @hackvertor
This is the first time I'm encountering a flagged vulnerability that has neither a CPE pattern nor a CVE number associated with it. Apparently, this is a RetireJS vulnerability?
Currently, no newer version of springfox-swagger-ui has been released. Also, it apparently has no transitive dependencies that could be overridden to newer available versions.
I opened a ticket at the Springfox project to inquire whether a version with a mitigation could be released, or whether it could possibly be a false positive, but in the meantime, I'm asking this here as well. Is this a legit vulnerability, or could it somehow immediately be identified as a false positive on the part of the Dependency Check plugin?
The text behind the flagged package(s) looks like a changelog for a newer version, implying that some kind of XSS vulnerability was fixed. A bit confusing to display it like this, to be honest.
Can you take a look at this and see if this is a problem in the DependencyCheck?
We are also seeing this occurring in our project now out of the blue (it was not tagged with this CVE at least until 12 hrs ago, prior to the first occurrence).
We started seeing this around 11 am UTC time today (14th September 2022).