TestNG using vulnerable jQuery-UI version in Maven dependency (CVE-2022-31160)

[cristinac42]

TestNG utilizes jQuery version 3.6.1 as a Maven dependency. However, this version of jQuery, in turn, depends on an earlier version of jQuery-UI (prior to 1.13.2) that contains a security vulnerability known as CVE-2022-31160.

CVE Description:
jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label treats the parent label contents as the input label. Calling .checkboxradio( "refresh" ) on such a widget, along with initial HTML containing encoded HTML entities, may erroneously decode them. This can lead to the potential execution of malicious JavaScript code. The issue has been addressed in the patched version, jQuery UI 1.13.2. As a mitigation measure, modifying the initial HTML by wrapping all non-input contents of the label in a span is recommended.

Affected Component:
TestNG's Maven dependency on jQuery 3.6.1, which includes a vulnerable version of jQuery-UI prior to 1.13.2.

Impact:
The utilization of the vulnerable jQuery-UI version within the TestNG project may expose the application to cross-site scripting attacks. An attacker could potentially exploit this vulnerability to inject and execute arbitrary JavaScript code within the application context, compromising its integrity and potentially compromising user data.

Solution Proposal:
Since the vulnerable jQuery-UI version is imposed by the dependency on jQuery 3.6.1, it is suggested to update the jQuery dependency to a version that includes jQuery-UI 1.13.2 or above. By utilizing a patched version, the application can mitigate the risk associated with this vulnerability.

[krmahadevan]

@cristinac42 - I am not sure I understood this issue. The web-jars provided jquery bundle that we use has no other maven dependencies

https://mvnrepository.com/artifact/org.webjars/jquery/3.6.1

I also looked at the package.json of jquery for 3.6.1 and there also I couldn't find jquery-ui as a dependency https://github.com/jquery/jquery/blob/3.6.1/package.json

While I dont have any issues with TestNG upgrading the versions, but out of curiosity I was trying to understand the relevance of this issue with TestNG. Can you please let me know ?

[melloware]

I am getting this in IntelliJ for TestNG 2.8.0

Provides transitive vulnerable dependency maven:org.webjars:jquery:3.6.1 CVE-2014-6071 6.1 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability Results powered by Checkmarx(c)

[krmahadevan]

@melloware - If you are using TestNG as a maven dependency, you should be able to add an exclusion to this version and explicitly upgrade to the next version to get past this problem. This will be addressed in the next release of TestNG (dates are not yet decided. Am working on wrapping up a few more issues to be included in the next release)

I am getting this in IntelliJ for TestNG 2.8.0

You mean 7.8.0 right ?

[melloware]

Yes 7.8.0 sorry