Infinite loop in jQuery



Published: 2016-06-02
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2016-10707
CWE-ID CWE-20
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
jQuery
Web applications / JS libraries

Vendor The jQuery Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Denial of service

EUVDB-ID: #VU7281

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2016-10707

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to an infinite loop when processing attributes. A remote attacker can trick the victim into following a specially crafted link and trigger the infinite loop within jQuery code.

Mitigation

Update to version 3.0.0.

Vulnerable software versions

jQuery: 3.0.0 rc1


CPE2.3

External links

http://github.com/jquery/jquery/issues/3133

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?
