Vulnerable JS libraries in ServiceStack's OpenAPI NuGet package
ashimupd opened this issue · 1 comment
The latest and also some previous versions of ServiceStack's OpenAPI NuGet package (ServiceStack.Api.OpenApi, version 6.8.0), which includes the Swagger UI, bundle specific versions of jQuery and Handlebars (Handlebars v4.0.5, jQuery v1.8.0). These libraries have known vulnerabilities.

Here are some descriptions of the vulnerabilities:
Handlebars
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8861
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20920
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20922
https://security.snyk.io/vuln/SNYK-JS-HANDLEBARS-173692
jQuery
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6708
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251
https://www.cvedetails.com/cve/CVE-2019-11358/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
http://research.insecurelabs.org/jquery/test/
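The report above identifies the problem by the version banners the two libraries ship in their bundled `.js` files. The following scanner, added here as an illustration and not part of the issue or of ServiceStack, reads those banners (`jQuery vX.Y.Z` and `handlebars vX.Y.Z`) out of JavaScript files and flags anything below a minimum version. The minimum versions are assumed floors chosen for this example (jQuery 3.5.0 for the 2020 advisories, Handlebars 4.6.0 as a conservative cut-off for the listed ones); confirm them against the advisories linked above before relying on them. The sample banners are constructed for the example.

```python
import re
from pathlib import Path

# Assumed minimum safe versions for this example; verify against the advisories.
MIN_VERSIONS = {
    "jquery": (3, 5, 0),
    "handlebars": (4, 6, 0),
}

# Banner comments as shipped in the library headers, e.g.
#   /*! jQuery v1.8.0 jquery.com | jquery.org/license */
#   /*! handlebars v4.0.5 ... */
BANNER_PATTERNS = {
    "jquery": re.compile(r"jQuery (?:JavaScript Library )?v?(\d+\.\d+\.\d+)", re.IGNORECASE),
    "handlebars": re.compile(r"handlebars v?(\d+\.\d+\.\d+)", re.IGNORECASE),
}

# Constructed sample banners (not copied from any real file).
SAMPLE_OLD_JQUERY = "/*! jQuery v1.8.0 jquery.com | jquery.org/license */"
SAMPLE_OLD_HANDLEBARS = "/*!\n\n handlebars v4.0.5\n\n*/"
SAMPLE_CURRENT_JQUERY = "/*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors */"


def parse_version(text):
    """Turn '1.8.0' into (1, 8, 0) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def fmt_version(version):
    return ".".join(str(part) for part in version)


def find_bundled_versions(js_text):
    """Return {library: version_tuple} for every known banner found in js_text."""
    found = {}
    for lib, pattern in BANNER_PATTERNS.items():
        match = pattern.search(js_text)
        if match:
            found[lib] = parse_version(match.group(1))
    return found


def audit_text(js_text):
    """Return a list of (library, bundled_version, minimum_version) for outdated banners."""
    findings = []
    for lib, version in find_bundled_versions(js_text).items():
        floor = MIN_VERSIONS[lib]
        if version < floor:
            findings.append((lib, fmt_version(version), fmt_version(floor)))
    return findings


def audit_directory(root):
    """Walk a directory (e.g. an unpacked NuGet package) and audit every .js file."""
    results = {}
    for path in Path(root).rglob("*.js"):
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        findings = audit_text(text)
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    # Run over the constructed samples; pass a directory to audit_directory() for real use.
    for label, sample in [("old jQuery", SAMPLE_OLD_JQUERY),
                          ("old Handlebars", SAMPLE_OLD_HANDLEBARS),
                          ("current jQuery", SAMPLE_CURRENT_JQUERY)]:
        print(label, "->", audit_text(sample) or "ok")
```

`audit_directory` is the entry point for checking an unpacked package or a deployed site's static files; a non-empty result means a bundled copy is below the chosen floor and should be updated or replaced by a current release.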
The OpenApiFeature was upgraded to latest jQuery 1.x and Handlebars versions in this commit.
This change is available from v6.8.1+ that's now available on MyGet.
FYI, the next ServiceStack release, v6.9, should include this fix if you want to wait for the next NuGet release.
thx for reporting 👍