admin管理员组

文章数量:1324452

We're using jQuery and I've e across the following jQuery vulnerability in the National Vulnerability Database:

Has this been fixed in more recent versions of jQuery? The original release date on the vulnerability is 4/30/2007.

I'm trying to ensure that the little jQuery we do use doesn't expose this vulnerability, does anyone have examples of it?

We're using jQuery and I've e across the following jQuery vulnerability in the National Vulnerability Database:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2379

Has this been fixed in more recent versions of jQuery? The original release date on the vulnerability is 4/30/2007.

I'm trying to ensure that the little jQuery we do use doesn't expose this vulnerability, does anyone have examples of it?

  • javascript
  • jquery
  • security
Share Improve this question edited Oct 1, 2011 at 21:53 Book Of Zeus 49.9k18 gold badges175 silver badges171 bronze badges asked Feb 23, 2010 at 22:31 Dustin KendallDustin Kendall 5208 silver badges18 bronze badges 2
  • Starting from 1.4 version jQuery uses JSON parser build into browser (if it's available). – Ivan Nevostruev Commented Feb 23, 2010 at 22:35
  • What is the resolution to this? It's still ing up in Anchore security scans – Adam Hughes Commented Apr 1, 2024 at 18:38
Add a ment  | 

2 Answers 2

Reset to default 6

Have a look at jQuery.getJSON():

If the specified URL is on a remote server, the request is treated as JSONP instead.

Read about JSONP here.

As long as you're using JSONP, this vulnerability doesn't exist.

Also, this 'vulnerability' is stupid. Anyone can exchange data using JSON, it's not just jQuery that uses it.

Isn't the problem only there when you use JSONP? It's all safe as long as all the sources are trusted.

As something inherent to JS, there's no way to fix it. Possibly, the XMLHttpRequest/CORS Cross-Origin Resource Sharing spec which is supported by many of the modern browsers (but requires the providing server to be configured to send out the CORS header) could be used instead of JSONP and using Douglas Crockford's JSON2 library (which also falls back on native browser JSON support if available).

本文标签: javascriptjQuery vulnerability (NVD CVE20072379)Stack Overflow

版权声明:本文标题:javascript - jQuery vulnerability (NVD CVE-2007-2379) - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1742122744a2421798.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。