[#913] CVE-2024-38999 requirejs v2.3.6 was discovered to contain a prototype pollution (#915)

maximthomas · web-flow · commit 8b4abfb1d534 · 2025-09-01T12:59:16.000+03:00
diff --git a/legal/THIRDPARTYREADME.txt b/legal/THIRDPARTYREADME.txt
@@ -888,7 +888,7 @@ Copyright: Copyright (c) 2009 Kazuhiko Arase
 Version: qunit-1.15.0.js
 Copyright: Copyright 2012-2014 The Dojo Foundation
 
-Version: requirejs-2.1.14-min.js
+Version: requirejs-2.3.7-min.js
 Copyright: Copyright (c) 2010-2014, The Dojo Foundation
 
 Version: spin-2.0.1-min.js
diff --git a/openam-oauth2/src/main/resources/templates/CodeThanks.ftl b/openam-oauth2/src/main/resources/templates/CodeThanks.ftl
@@ -34,6 +34,6 @@
       done: true
   };
 </script>
-<script data-main="${baseUrl?html}/XUI/main-device" src="${baseUrl?html}/XUI/libs/requirejs-2.1.14-min.js"></script>
+<script data-main="${baseUrl?html}/XUI/main-device" src="${baseUrl?html}/XUI/libs/requirejs-2.3.7-min.js"></script>
 </body>
 </html>
diff --git a/openam-oauth2/src/main/resources/templates/CodeVerificationForm.ftl b/openam-oauth2/src/main/resources/templates/CodeVerificationForm.ftl
@@ -34,6 +34,6 @@
       baseUrl : "${baseUrl?js_string}/XUI"
   };
 </script>
-<script data-main="${baseUrl?html}/XUI/main-device" src="${baseUrl?html}/XUI/libs/requirejs-2.1.14-min.js"></script>
+<script data-main="${baseUrl?html}/XUI/main-device" src="${baseUrl?html}/XUI/libs/requirejs-2.3.7-min.js"></script>
 </body>
 </html>
diff --git a/openam-oauth2/src/main/resources/templates/page/authorize.ftl b/openam-oauth2/src/main/resources/templates/page/authorize.ftl
@@ -62,6 +62,6 @@
                 }
             };
         </script>
-        <script data-main="${baseUrl?html}/XUI/main-authorize" src="${baseUrl?html}/XUI/libs/requirejs-2.1.14-min.js"></script>
+        <script data-main="${baseUrl?html}/XUI/main-authorize" src="${baseUrl?html}/XUI/libs/requirejs-2.3.7-min.js"></script>
     </body>
 </html>
diff --git a/openam-oauth2/src/main/resources/templates/page/error.ftl b/openam-oauth2/src/main/resources/templates/page/error.ftl
@@ -53,6 +53,6 @@
             }
         </#if>
     </script>
-    <script data-main="${baseUrl?html}/XUI/main-authorize" src="${baseUrl?html}/XUI/libs/requirejs-2.1.14-min.js"></script>
+    <script data-main="${baseUrl?html}/XUI/main-authorize" src="${baseUrl?html}/XUI/libs/requirejs-2.3.7-min.js"></script>
 </body>
 </html>
diff --git a/openam-oauth2/src/main/resources/templates/popup/authorize.ftl b/openam-oauth2/src/main/resources/templates/popup/authorize.ftl
@@ -61,6 +61,6 @@
                 }
             };
         </script>
-        <script data-main="${baseUrl?html}/XUI/main-authorize" src="${baseUrl?html}/XUI/libs/requirejs-2.1.14-min.js"></script>
+        <script data-main="${baseUrl?html}/XUI/main-authorize" src="${baseUrl?html}/XUI/libs/requirejs-2.3.7-min.js"></script>
     </body>
 </html>
diff --git a/openam-oauth2/src/main/resources/templates/touch/authorize.ftl b/openam-oauth2/src/main/resources/templates/touch/authorize.ftl
@@ -61,6 +61,6 @@
                 }
             };
         </script>
-        <script data-main="${baseUrl?html}/XUI/main-authorize" src="${baseUrl?html}/XUI/libs/requirejs-2.1.14-min.js"></script>
+        <script data-main="${baseUrl?html}/XUI/main-authorize" src="${baseUrl?html}/XUI/libs/requirejs-2.3.7-min.js"></script>
     </body>
 </html>
diff --git a/openam-server-only/src/license/THIRD-PARTY.properties b/openam-server-only/src/license/THIRD-PARTY.properties
@@ -66,7 +66,7 @@ org.forgerock.commons.ui.libs--qrcode--1.4.4=MIT
 org.forgerock.commons.ui.libs--react--15.2.1=BSD
 org.forgerock.commons.ui.libs--react-bootstrap--0.30.1=MIT
 org.forgerock.commons.ui.libs--react-dom--15.2.1=BSD
-org.forgerock.commons.ui.libs--requirejs--2.1.14=MIT
+org.forgerock.commons.ui.libs--requirejs--2.3.7=MIT
 org.forgerock.commons.ui.libs--selectize--0.12.1=Apache 2.0
 org.forgerock.commons.ui.libs--selectize-non-standalone--0.12.1=Apache 2.0
 org.forgerock.commons.ui.libs--spin--2.0.1=MIT
diff --git a/openam-ui/openam-ui-ria/src/main/resources/index.html b/openam-ui/openam-ui-ria/src/main/resources/index.html
@@ -25,6 +25,6 @@
                 deps : ['main']
             };
         </script>
-        <script src="libs/requirejs-2.1.14-min.js"></script>
+        <script src="libs/requirejs-2.3.7-min.js"></script>
     </body>
 </html>
diff --git a/openam-ui/pom.xml b/openam-ui/pom.xml
@@ -287,7 +287,7 @@
 			            <artifactItem>
 			              <groupId>org.openidentityplatform.commons.ui.libs</groupId>
 			              <artifactId>requirejs</artifactId>
-			              <version>2.1.14</version>
+			              <version>2.3.7</version>
 			              <classifier>min</classifier>
 			              <packaging>js</packaging>
 			              <downloadUrl>https://cdnjs.cloudflare.com/ajax/libs/require.js/{version}/require.{classifier}.{packaging}</downloadUrl>
diff --git a/pom.xml b/pom.xml
@@ -79,7 +79,7 @@
     <maven.compiler.source>8</maven.compiler.source>
     <!-- Supress checkstyle errors on legacy com.iplanet and com.sun.identity packages -->
     <checkstyleUnitTestSuppressionsLocation>checkstyle/suppressions.xml</checkstyleUnitTestSuppressionsLocation>
-    <opendj.version>4.10.1</opendj.version>
+    <opendj.version>4.10.2-SNAPSHOT</opendj.version>
     <javadoc-utils.version>1.0.0</javadoc-utils.version>
     <ant.contrib.version>1.0b3</ant.contrib.version>
     <guice.version>3.0</guice.version>

Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,6 @@`
`62`	`62`	`}`
`63`	`63`	`};`
`64`	`64`	`</script>`
`65`		`- <script data-main="${baseUrl?html}/XUI/main-authorize" src="${baseUrl?html}/XUI/libs/requirejs-2.1.14-min.js"></script>`
	`65`	`+ <script data-main="${baseUrl?html}/XUI/main-authorize" src="${baseUrl?html}/XUI/libs/requirejs-2.3.7-min.js"></script>`
`66`	`66`	`</body>`
`67`	`67`	`</html>`
Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,6 @@`
`53`	`53`	`}`
`54`	`54`	`</#if>`
`55`	`55`	`</script>`
`56`		`- <script data-main="${baseUrl?html}/XUI/main-authorize" src="${baseUrl?html}/XUI/libs/requirejs-2.1.14-min.js"></script>`
	`56`	`+ <script data-main="${baseUrl?html}/XUI/main-authorize" src="${baseUrl?html}/XUI/libs/requirejs-2.3.7-min.js"></script>`
`57`	`57`	`</body>`
`58`	`58`	`</html>`
Original file line number	Diff line number	Diff line change
`@@ -61,6 +61,6 @@`
`61`	`61`	`}`
`62`	`62`	`};`
`63`	`63`	`</script>`
`64`		`- <script data-main="${baseUrl?html}/XUI/main-authorize" src="${baseUrl?html}/XUI/libs/requirejs-2.1.14-min.js"></script>`
	`64`	`+ <script data-main="${baseUrl?html}/XUI/main-authorize" src="${baseUrl?html}/XUI/libs/requirejs-2.3.7-min.js"></script>`
`65`	`65`	`</body>`
`66`	`66`	`</html>`