RubySec

Providing security resources for the Ruby community

CVE-2016-10707 (jquery-rails): Denial of Service in jquery

ADVISORIES

GEM

jquery-rails

SEVERITY

CVSS v3.x: 7.5 (High)

CVSS v2.0: 5.0 (Medium)

UNAFFECTED VERSIONS

  • < 3.0.0-rc.1

PATCHED VERSIONS

  • >= 3.0.0

DESCRIPTION

Affected versions of jQuery (the library bundled by the jquery-rails gem) apply lowercasing logic to attribute names. When given a boolean attribute whose name contains uppercase characters, jQuery enters an infinite recursion loop, exceeds the call-stack limit, and causes a denial of service condition.

RECOMMENDATION

Update to version 3.0.0 or later.
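The affected range above has a subtlety worth checking mechanically: releases below 3.0.0-rc.1 are unaffected and 3.0.0 is patched, so only the 3.0.0 prereleases fall inside it. The following Ruby script is an added example, not part of the RubySec advisory or the jquery-rails project. It reads a Gemfile.lock, resolves the locked jquery-rails version, and reports whether it lies in the affected range using Gem::Requirement, which orders prereleases such as 3.0.0.rc1 below 3.0.0. The sample lockfiles are constructed for the example and do not come from any real project.

```ruby
require "rubygems"

# Affected range taken from the advisory: unaffected below 3.0.0-rc.1,
# patched at 3.0.0. Gem::Version treats "3.0.0-rc.1" as a prerelease of
# 3.0.0, so 3.0.0.rc1 satisfies the requirement while 3.0.0 does not.
AFFECTED = Gem::Requirement.new(">= 3.0.0-rc.1", "< 3.0.0")

# Collect every resolved "name (version)" pair from a Gemfile.lock.
# Resolved specs are indented by exactly four spaces; their dependency
# lines are indented deeper and are skipped.
def locked_gems(lockfile_text)
  lockfile_text.each_line.each_with_object({}) do |line, gems|
    next unless (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
    gems[m[1]] = Gem::Version.new(m[2])
  end
end

# Returns :affected, :safe or :absent for jquery-rails in the lockfile.
def jquery_rails_status(lockfile_text)
  version = locked_gems(lockfile_text)["jquery-rails"]
  return :absent unless version
  AFFECTED.satisfied_by?(version) ? :affected : :safe
end

# Constructed sample lockfiles (not from any real application).
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jquery-rails (3.0.0.rc1)
        railties (>= 3.0, < 5.0)
        thor (>= 0.14, < 2.0)
LOCK

PATCHED_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jquery-rails (3.0.0)
        railties (>= 3.0, < 5.0)
LOCK

OLD_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jquery-rails (2.3.0)
        railties (>= 3.0, < 5.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  # Check a real lockfile when a path is given, otherwise the samples.
  if ARGV[0]
    puts "#{ARGV[0]}: #{jquery_rails_status(File.read(ARGV[0]))}"
  else
    { "3.0.0.rc1" => VULNERABLE_LOCK, "3.0.0" => PATCHED_LOCK,
      "2.3.0" => OLD_LOCK }.each do |v, lock|
      puts "jquery-rails #{v}: #{jquery_rails_status(lock)}"
    end
  end
end
```

Run it against a project with `ruby check_jquery_rails.rb Gemfile.lock`; a result of :affected means the locked version is a 3.0.0 prerelease and should be bumped to 3.0.0 or later as the advisory recommends.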
