Sonatype High Vulnerability Finding due to vis-timeline #2289
Comments
I did not find any reference to vis-timeline in the repo. Would you have more info please?
Thanks @aslakhellesoy
The issue was originally filed in the (The hint that this is related to cucumber-jvm is in the summary:
Yes we do: Line 10 in 18db2f2
The files are here: https://github.com/cucumber/cucumber-jvm/tree/main/core/src/main/resources/io/cucumber/core/plugin/timeline
Related: It was proposed to deprecate the timeline formatter, but as @mpkorstanje pointed out we should have an alternative available before doing that. So I suggest:
Summary
Sonatype registers a High Vulnerability issue with io.cucumber : cucumber-core : 6.10.3
Expected Behavior
Threat Level 6, Problem Code CVE-2020-28487
Related to using vis-timeline before 7.4.4 library
See below for Sonatype's description of the error
Possible Solution
Upgrade vis-timeline to the latest and most secure version.
Sonatype Documentation
DESCRIPTION FROM CVE
This affects the package vis-timeline before 7.4.4. An attacker with the ability to control the items of a Timeline element can inject additional script code into the generated application.
EXPLANATION
The vis-timeline package is vulnerable to Cross-Site Scripting (XSS) attacks. The functions in the files listed below fail to sanitize certain user-supplied parameters before rendering their values in HTML. A remote attacker who can influence Timeline elements can exploit this vulnerability by crafting a request containing malicious JavaScript in any affected parameter. The attacker can then entice a victim into submitting the request or interacting with the injection if it is stored. This will result in script execution when the resulting response is rendered by the victim's browser.
Vulnerable File(s) and Function(s):
package/lib/shared/Configurator.js
_makeHeader()
_makeLabel()
_setupPopup()
package/lib/shared/Popup.js
setText()
package/lib/timeline/Timeline.js
constructor()
package/lib/timeline/component/CustomTime.js
setCustomMarker()
package/lib/timeline/component/DataAxis.js
_redrawLabel()
_redrawTitle()
package/lib/timeline/component/Group.js
setData()
package/lib/timeline/component/Legend.js
function()
package/lib/timeline/component/TimeAxis.js
_repaintMinorText()
_repaintMajorText()
package/lib/timeline/component/item/Item.js
_repaintOnItemUpdateTimeTooltip()
_updateContents()
package/dist/vis-timeline-graph2d.esm.js
package/esnext/esm/vis-timeline-graph2d.js
package/esnext/umd/vis-timeline-graph2d.js
package/peer/esm/vis-timeline-graph2d.js
package/peer/umd/vis-timeline-graph2d.js
package/standalone/esm/vis-timeline-graph2d.js
package/standalone/umd/vis-timeline-graph2d.js
package/dist/vis-timeline-graph2d.min.js
package/esnext/esm/vis-timeline-graph2d.min.js
package/esnext/umd/vis-timeline-graph2d.min.js
package/peer/esm/vis-timeline-graph2d.min.js
package/peer/umd/vis-timeline-graph2d.min.js
package/standalone/esm/vis-timeline-graph2d.min.js
package/standalone/umd/vis-timeline-graph2d.min.js
DETECTION
The application is vulnerable by using this component.
RECOMMENDATION
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
ROOT CAUSE
cucumber-core-6.10.3.jar : io/cucumber/core/plugin/timeline/vis.min.js [0.3.0, 5.0.0)
ADVISORIES
Project: https://github.com/visjs/vis-timeline/issues/838
Project: https://github.com/visjs/vis-timeline/pull/840
CVSS DETAILS
CVE CVSS 3: 6.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
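The rendering defect described in the CVE explanation above, shown as an added example (not code from vis-timeline or cucumber-jvm): item content interpolated straight into HTML beside the same rendering with an escaping step, plus a report-side sanitiser for timeline items whose `content` comes from untrusted input such as scenario names. The item object and the `evil()` string are constructed sample data.

```javascript
// Constructed sample: a timeline item whose `content` field is untrusted
// (e.g. a scenario name that ends up in a generated timeline report).
const untrustedItem = {
  id: 1,
  start: "2021-04-01T10:00:00Z",
  content: "Login <script>evil()</script>",
};

// Vulnerable pattern (the class of bug in CVE-2020-28487): item content is
// concatenated into markup, so any tags in `content` become live HTML.
function renderItemUnsafe(item) {
  return `<div class="vis-item" data-id="${item.id}">${item.content}</div>`;
}

// Minimal HTML escaper, safe for text nodes and double-quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened pattern: every interpolated value is escaped first, so the
// `<script>` text is displayed literally instead of being executed.
function renderItemSafe(item) {
  return `<div class="vis-item" data-id="${escapeHtml(item.id)}">` +
    `${escapeHtml(item.content)}</div>`;
}

// Report-side mitigation when the bundled renderer cannot be upgraded yet:
// escape item fields before they are handed to the timeline library. Apply
// exactly one layer; a renderer that already escapes would double-encode.
function sanitizeItems(items) {
  return items.map((item) => ({ ...item, content: escapeHtml(item.content) }));
}

// Simple check a test suite can run over generated report markup.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```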