Bug 66144 - The manual/api uses out of date jquery 3.3.1 which has security issues
Status: NEW
Alias: None
Product: Ant
Classification: Unclassified
Component: Documentation
Version: 1.10.12
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assignee: Ant Notifications List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-06-24 15:03 UTC by Alan Heath
Modified: 2022-06-25 15:46 UTC

Description Alan Heath 2022-06-24 15:03:00 UTC
Identified issue in the jquery is CVE-2020-11023

Does the manual need to use jquery? If it does it should get updated.
Comment 1 Stefan Bodewig 2022-06-25 15:46:24 UTC
I don't believe it is Ant itself that puts jquery into the api docs but the javadoc tool of the JDK does. "Fixing" the manual probably means re-creating it with a more recent JDK - if and only if the more recent JDK has actually upgraded its jquery dependency, that is.

Looking at CVE-2020-11023 and grepping through the code a bit I don't believe the code generated by the javadoc tool ever uses input from an untrusted source at all, so it may just be that the apidocs generated simply are not affected by the vulnerability and thus no update is required. You may want to check that yourself.
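
One way to run the check suggested in the comment above, as an added example that is not part of the original bug thread or of Ant's or the JDK's code: it walks a generated docs tree, reports bundled jQuery copies older than 3.5.0 (the release that fixed CVE-2020-11023), and lists calls to jQuery DOM-manipulation methods in the remaining scripts so each one can be reviewed for untrusted input. The file names, the sample tree and the list of methods are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

FIXED = (3, 5, 0)  # jQuery release that fixed CVE-2020-11023
# Banner at the top of jQuery builds: "jQuery v3.3.1" or "jQuery JavaScript Library v3.3.1"
BANNER = re.compile(r"jQuery (?:JavaScript Library )?v(\d+)\.(\d+)\.(\d+)")
# Representative jQuery DOM-manipulation calls (assumed list, not exhaustive)
SINKS = re.compile(r"\.(?:html|append|prepend|before|after|replaceWith)\s*\(")

def jquery_version(text):
    """Return the (major, minor, patch) from a jQuery banner, or None."""
    m = BANNER.search(text[:2000])
    return tuple(map(int, m.groups())) if m else None

def audit(root):
    """Return (outdated jQuery copies, call sites to review) for a docs tree."""
    root = Path(root)
    outdated, call_sites = [], []
    for path in sorted(root.rglob("*.js")):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        version = jquery_version(text)
        if version is not None:
            if version < FIXED:
                outdated.append((rel, version))
            continue  # skip the library's own internals
        for lineno, line in enumerate(text.splitlines(), 1):
            if SINKS.search(line):
                call_sites.append((rel, lineno, line.strip()))
    return outdated, call_sites

def build_sample(root):
    """Write a constructed two-file tree; not real javadoc output."""
    root = Path(root)
    (root / "jquery").mkdir()
    (root / "jquery" / "jquery-3.3.1.js").write_text(
        "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors */\n")
    (root / "search.js").write_text(
        'var label = "Packages";\n$("#results").append(label);\n')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        outdated, call_sites = audit(tmp)
        for rel, version in outdated:
            print("outdated jQuery:", rel, ".".join(map(str, version)))
        for rel, lineno, line in call_sites:
            print(f"review {rel}:{lineno}: {line}")
```

A listed call site is only a place to look: whether it matters depends on whether the argument can carry HTML from outside the generated documentation.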