[jira] [Commented] (SOLR-16309) Upgrade vulnerable jQuery UI to version 1.13.2

Wed, 25 Jun 2025 11:55:07 -0700 


    [ 
https://issues.apache.org/jira/browse/SOLR-16309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17986235#comment-17986235
 ] 

Eric Pugh commented on SOLR-16309:
----------------------------------

[~veita] please open a PR and tag me and I'll work with you to get the change 
made.   Looks like we just need to change up the tooltip usage and we can 
eliminate the dependency, or just do an upgrade.

> Upgrade vulnerable jQuery UI to version 1.13.2
> ----------------------------------------------
>
>                 Key: SOLR-16309
>                 URL: https://issues.apache.org/jira/browse/SOLR-16309
>             Project: Solr
>          Issue Type: Task
>          Components: Admin UI
>    Affects Versions: 8.8.1
>            Reporter: Michael Riedel
>            Priority: Minor
>
> The Solr webapp [contains jQuery UI version 
> 1.12.1|https://github.com/apache/solr/blob/main/solr/webapp/web/libs/jquery-ui.min.js].
>  This jQuery UI version is vulnerable to the following vulnerabilities (and 
> possibly others):
> * [CVE-2021-41182|https://nvd.nist.gov/vuln/detail/CVE-2021-41182]
> * [CVE-2021-41183|https://nvd.nist.gov/vuln/detail/CVE-2021-41183]
> * [CVE-2021-41184|https://nvd.nist.gov/vuln/detail/CVE-2021-41184]
> Actually, the first two CVEs may not be relevant, because Solr uses a custom 
> jQuery UI subset, which currently does not contain the jQuery UI datepicker 
> component. Solr's custom jQuery UI subset does include the jQuery UI position 
> utility and might be vulnerable to that last CVE.
> I'm working with a dev team who build Solr themselves. Their library 
> dependency scans constantly complain about all of the above CVEs. I believe 
> that the actual risk of an exploitable vulnerability stemming from this 
> jQuery UI version is really small. But an upgrade would shut up such tools.
> It's really more a compliance issue rather than a security issue. But 
> upgrading to latest jQuery UI 1.13.2 or newer, would shut up similar security 
> scans for other Solr users. And moving to the latest version might make it 
> easier to upgrade to future jQuery UI versions, when a more impactful 
> vulnerability becomes known.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to