Denial of Service in jquery
Published: January 18, 2018
SECURITY IDENTIFIERS
- CVE: CVE-2016-10707 (NVD)
- GHSA: GHSA-mhpp-875w-9cpv
UNAFFECTED VERSIONS
< 3.0.0-rc.1
PATCHED VERSIONS
>= 3.0.0
DESCRIPTION
Affected versions of jquery apply lowercasing logic to attribute
names. When given a boolean attribute whose name contains
uppercase characters, jquery enters infinite recursion,
exceeding the call stack limit and resulting in a denial of
service condition.
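A simplified model of the hook re-entrancy pattern this advisory describes, added here as an illustration and not jQuery's own code: makeRegistry, registerBool, nativeGet, MAX_DEPTH and the `elem.attrs` element stand-in are invented names for this example. The flawed variant unregisters the hook under the name it was called with while the getter looks hooks up under the lowercased name, so an uppercase boolean attribute name recurses; the corrected variant uses the lowercased key, and a depth guard turns runaway recursion into a clear error instead of a stack overflow.

```javascript
// Simplified model of the attribute-hook re-entrancy pattern behind this
// advisory. This is an added illustration, not jQuery's code: makeRegistry,
// registerBool, nativeGet and MAX_DEPTH are invented names for this example.
const MAX_DEPTH = 50; // re-entrancy budget; a real stack overflow is far deeper

// removeByLowercase=false reproduces the flawed bookkeeping: the hook
// unregisters itself under the name it was called with, but the getter looks
// hooks up under the lowercased name, so for an uppercase name the hook is
// never actually removed and the two functions call each other without end.
function makeRegistry(removeByLowercase) {
  const hooks = {};
  let depth = 0;

  // Fallback getter: dispatches to a registered hook (by lowercased name),
  // otherwise reads the element's attribute table directly.
  function nativeGet(elem, name) {
    const hook = hooks[name.toLowerCase()];
    if (hook) return hook(elem, name);
    const v = elem.attrs[name.toLowerCase()];
    return v === undefined ? null : v;
  }

  // Register a boolean-attribute hook: returns the lowercased attribute name
  // when the attribute is present, null otherwise.
  function registerBool(attrName) {
    hooks[attrName] = function (elem, givenName) {
      // Defensive guard: fail fast with a clear error instead of exhausting
      // the call stack if the hook ever re-enters itself.
      if (depth >= MAX_DEPTH) {
        throw new RangeError("attribute hook re-entered " + depth + " times");
      }
      depth++;
      const lower = givenName.toLowerCase();
      const key = removeByLowercase ? lower : givenName;
      const saved = hooks[key];
      hooks[key] = undefined; // step aside so nativeGet reads the attribute table
      try {
        return nativeGet(elem, givenName) != null ? lower : null;
      } finally {
        hooks[key] = saved; // always restore, even when the guard throws
        depth--;
      }
    };
  }

  return { registerBool, get: nativeGet };
}
```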
RECOMMENDATION
Update to version 3.0.0 or later.
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2016-10707
- https://github.com/advisories/GHSA-mhpp-875w-9cpv
- https://github.com/jquery/jquery/issues/3133
- https://github.com/jquery/jquery/issues/3133#issuecomment-358978489
- https://www.npmjs.com/advisories/330
- https://github.com/jquery/jquery/pull/3134
- https://snyk.io/vuln/npm:jquery:20160529
