GitHub Advisory DatabaseGHSA-MHPP-875W-9CPVDenial of Service in jquery
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.002 Low
EPSS
Percentile
61.5%
Affected versions of jquery use a lowercasing logic on attribute names. When given a boolean attribute with a name that contains uppercase characters, jquery enters into an infinite recursion loop, exceeding the call stack limit, and resulting in a denial of service condition.
Recommendation
Update to version 3.0.0 or later.
| CPE | Name | Operator | Version |
|---|---|---|---|
| jquery-rails | eq | 3.0.0-rc.1 | |
| org.webjars.npm:jquery | eq | 3.0.0-rc.1 | |
| jquery | eq | 3.0.0-rc.1 | |
| jquery | eq | 3.0.0-rc.1 |
References
github.com/advisories/GHSA-mhpp-875w-9cpv
github.com/jquery/jquery/issues/3133
github.com/jquery/jquery/issues/3133#issuecomment-358978489
github.com/jquery/jquery/pull/3134
github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2016-10707.yml
nvd.nist.gov/vuln/detail/CVE-2016-10707
snyk.io/vuln/npm:jquery:20160529
www.npmjs.com/advisories/330
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.002 Low
EPSS
Percentile
61.5%