
We're using jQuery and I've come across the following jQuery vulnerability in the National Vulnerability Database:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2379

Has this been fixed in more recent versions of jQuery? The original release date on the vulnerability is 4/30/2007.

I'm trying to ensure that the little jQuery we do use doesn't expose this vulnerability, does anyone have examples of it?

asked Feb 23, 2010 at 22:31 by Dustin Kendall; edited Oct 1, 2011 at 21:53 by Book Of Zeus
  • Starting from 1.4 version jQuery uses JSON parser built into browser (if it's available). – Ivan Nevostruev Commented Feb 23, 2010 at 22:35
  • What is the resolution to this? It's still coming up in Anchore security scans – Adam Hughes Commented Apr 1, 2024 at 18:38

2 Answers

Have a look at jQuery.getJSON():

If the specified URL is on a remote server, the request is treated as JSONP instead.

Read about JSONP here.

As long as you're using JSONP, this vulnerability doesn't exist.

Also, this 'vulnerability' is stupid. Anyone can exchange data using JSON, it's not just jQuery that uses it.

Isn't the problem only there when you use JSONP? It's all safe as long as all the sources are trusted.

As something inherent to JS, there's no way to fix it. Possibly, the XMLHttpRequest/CORS Cross-Origin Resource Sharing spec which is supported by many of the modern browsers (but requires the providing server to be configured to send out the CORS header) could be used instead of JSONP, together with Douglas Crockford's JSON2 library (which also falls back on native browser JSON support if available).
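Both answers come down to the same point: the CVE is about JSON being fetched as executable script and parsed with eval, so the defence is to fetch it through XHR/CORS and parse it with a real JSON parser, and to make the server's response unparseable as a script. The following is an added illustration, not code from either answer or from jQuery. It contrasts a legacy eval-style parser with JSON.parse, and uses an anti-hijacking prefix (the `)]}',` line that the AngularJS framework later standardised on; treating it as the server's convention is an assumption here). The "tricky" response body is constructed for the example and only sets a flag so the difference is observable.

```javascript
// Added example (not from the Stack Overflow post or from jQuery).
// Contrasts eval-based parsing, which is what CVE-2007-2379-style
// "JavaScript hijacking" relied on, with JSON.parse plus an anti-hijacking prefix.

// Assumed server-side convention: prepend a line that is a syntax error as
// JavaScript, so a <script src=...> include on another origin cannot execute
// the body, while an XHR/CORS client simply strips it before parsing.
const HIJACK_PREFIX = ")]}',\n";

// Legacy behaviour (pre-1.4 jQuery style): the body is treated as JS source.
// Indirect eval runs in global scope, so any expression in the body executes.
function legacyEvalParse(body) {
  return (0, eval)("(" + body + ")");
}

// Defensive parser: optionally insist on a JSON content type, strip the
// protective prefix if present, and hand the rest to JSON.parse, which
// accepts data only and never executes anything.
function safeJsonParse(body, contentType) {
  if (typeof contentType === "string" && !/^application\/json\b/i.test(contentType)) {
    throw new Error("refusing to parse non-JSON content type: " + contentType);
  }
  const text = body.startsWith(HIJACK_PREFIX) ? body.slice(HIJACK_PREFIX.length) : body;
  return JSON.parse(text);
}

// Server-side self-check: would this body parse as a JavaScript program?
// new Function only compiles; it does not run the body.
function wouldRunAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return e instanceof SyntaxError ? false : true;
  }
}

// Constructed response body: a valid JS array literal that is NOT valid JSON.
// Under eval it executes (sets a flag); under JSON.parse it is rejected.
const TRICKY_BODY = '[(globalThis.hijackFlag = "executed"), 42]';

function demo() {
  delete globalThis.hijackFlag;
  const viaEval = legacyEvalParse(TRICKY_BODY);          // runs the assignment
  let viaJson = null;
  try {
    viaJson = safeJsonParse(TRICKY_BODY);                 // throws SyntaxError
  } catch (e) {
    viaJson = "rejected: " + e.name;
  }
  return {
    evalResult: viaEval,
    evalSideEffect: globalThis.hijackFlag,                // "executed"
    jsonResult: viaJson,                                  // "rejected: SyntaxError"
    plainArrayIsScript: wouldRunAsScript("[1,2,3]"),      // true: hijackable
    prefixedArrayIsScript: wouldRunAsScript(HIJACK_PREFIX + "[1,2,3]"), // false
    prefixedStillParses: safeJsonParse(HIJACK_PREFIX + '{"secret":"x"}', "application/json"),
  };
}

module.exports = { HIJACK_PREFIX, legacyEvalParse, safeJsonParse, wouldRunAsScript, demo };
```

Two details worth noticing when you run it: a top-level array literal compiles as a script (which is why the CVE description talks about data retrieved through a SCRIPT element), whereas a bare object literal `{"a":1}` does not compile as a statement at all; and the prefix costs nothing on the legitimate client path because `safeJsonParse` strips it before calling JSON.parse.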

Tags: javascript, jQuery vulnerability (NVD CVE-2007-2379), Stack Overflow