
RetireJS vulnerability flagged on springfox-swagger-ui-3.0.0.jar? #4734

Closed
volkert-fastned opened this issue Aug 8, 2022 · 2 comments
Comments

@volkert-fastned
Contributor

The OWASP Dependency Check flagged the following vulnerability in one of our projects:

springfox-swagger-ui-3.0.0.jar: swagger-ui-bundle.js (pkg:javascript/DOMPurify@2.0.7) : Fix a possible XSS in Chrome that is hidden behind #enable-experimental-web-platform-features, Fixed a new MathML-based bypass submitted by PewGrand. Fixed a new SVG-related bypass submitted by SecurityMB, Fixed an mXSS bypass dropped on us publicly via, Fixed an mXSS issue reported, Fixed an mXSS-based bypass caused by nested forms inside MathML, Fixed another bypass causing mXSS by using MathML, Fixed several possible mXSS patterns, thanks @hackvertor

This is the first time I'm encountering a flagged vulnerability that has neither a CPE pattern nor a CVE number associated with it. Apparently, this is a RetireJS vulnerability?

Currently, no newer version of springfox-swagger-ui has been released. Also, it apparently has no transitive dependencies that could be overridden to newer available versions.

I opened a ticket at the Springfox project to inquire whether a version with a mitigation could be released, or whether it could possibly be a false positive, but in the meantime, I'm asking this here as well. Is this a legit vulnerability, or could it somehow immediately be identified as a false positive on the part of the Dependency Check plugin?

The text behind the flagged package(s) looks like a changelog for a newer version, implying that some kind of XSS vulnerability was fixed. A bit confusing to display it like this, to be honest.

@vijeyanidhi

Hi @jeremylong

Can you take a look at this and see if this is a problem in DependencyCheck?

We are also seeing this occurring in our project now out of the blue (it was not tagged with this CVE at least until 12 hrs ago, prior to the first occurrence).
We started seeing this around 11 am UTC time today (14th September 2022).

@jeremylong
Owner

Webjars contain JavaScript. In this case it looks like DOMPurify might be included in the JAR and was detected by the RetireJS analyzer.
