Security vulnerabilities found in dependency YUI #434

davidkhala · 2020-05-29T11:19:10Z

YUI 2.9.0 has known vulnerabilities:
severity: high; CVE: CVE-2012-5883; http://www.cvedetails.com/cve/CVE-2012-5883/
severity: high; CVE: CVE-2012-5882; http://www.cvedetails.com/cve/CVE-2012-5882/
severity: high; CVE: CVE-2012-5881; http://www.cvedetails.com/cve/CVE-2012-5881/

kjur · 2020-05-30T06:13:08Z

jsrsasign uses very small part of YUI. Just object inheritance class definition. So those vulnerability are not affect to jsrsasign. Part of YUI code is planed to remove from jsrsasign in the future. Thank you.

davidkhala · 2020-05-31T06:44:33Z

Good to hear that.
The issue is created due to some static code scanner report.

RasmusOlesen · 2021-03-15T12:22:57Z

Hi @kjur

The problem isn't only which part of YUI that is being used by jsrasign.
People who are using jsrasign are forced to host a vulnerable version of YUI on their webserver.
Which might open up on or more attack-vectors using one or more of the known vulnerabilities in the library.

So please reconsider removing or updating this dependency as quickly as possible.

kjur closed this as completed May 30, 2020

elliotsegler mentioned this issue Feb 13, 2024

Find a replacement for oidc-client-js DependencyTrack/frontend#215

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security vulnerabilities found in dependency YUI #434

Security vulnerabilities found in dependency YUI #434

davidkhala commented May 29, 2020

kjur commented May 30, 2020

davidkhala commented May 31, 2020

RasmusOlesen commented Mar 15, 2021 •

edited

Loading

Security vulnerabilities found in dependency YUI #434

Security vulnerabilities found in dependency YUI #434

Comments

davidkhala commented May 29, 2020

kjur commented May 30, 2020

davidkhala commented May 31, 2020

RasmusOlesen commented Mar 15, 2021 • edited Loading

RasmusOlesen commented Mar 15, 2021 •

edited

Loading