[jira] [Commented] (YARN-11356) Upgrade DataTables to 1.11.5 to fix CVEs
[ https://issues.apache.org/jira/browse/YARN-11356?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17696984#comment-17696984 ] Eugene Shinn (Truveta) commented on YARN-11356: --- Assuming 3.4 is not coming out shortly, is it possible to have this also backported to a 3.3.x release? > Upgrade DataTables to 1.11.5 to fix CVEs > > > Key: YARN-11356 > URL: https://issues.apache.org/jira/browse/YARN-11356 > Project: Hadoop YARN > Issue Type: Improvement > Components: yarn >Affects Versions: 3.3.4 >Reporter: Bence Kosztolnik >Assignee: Bence Kosztolnik >Priority: Major > Labels: pull-request-available > Fix For: 3.4.0 > > > This ticket is intended to fix the following CVEs in the *DataTables.net* > lib, by upgrading the lib to 1.11.5 > *CVE-2020-28458 (HIGH severity)* - All versions of package datatables.net are > vulnerable to Prototype Pollution due to an incomplete fix for > [https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806]. > [https://nvd.nist.gov/vuln/detail/CVE-2020-28458] > *CVE-2021-23445 (MEDIUM severity)* - This affects the package datatables.net > before 1.11.3. If an array is passed to the HTML escape entities function it > would not have its contents escaped. > [https://nvd.nist.gov/vuln/detail/CVE-2021-23445] -- This message was sent by Atlassian Jira (v8.20.10#820010) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Commented] (YARN-11309) datatables@1.10.17 sonatype-2020-0988 vulnerability
[ https://issues.apache.org/jira/browse/YARN-11309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17650940#comment-17650940 ] Eugene Shinn (Truveta) commented on YARN-11309: --- Vulnerability addressed by upgrading to a non-vulnerable version that fixes other CVE's. > datatables@1.10.17 sonatype-2020-0988 vulnerability > > > Key: YARN-11309 > URL: https://issues.apache.org/jira/browse/YARN-11309 > Project: Hadoop YARN > Issue Type: Bug > Components: yarn-ui-v2 >Affects Versions: 3.3.4 >Reporter: Eugene Shinn (Truveta) >Assignee: Ashutosh Gupta >Priority: Major > > Our static analysis security tool detected that YARN's UI currently includes > a vulnerable version of datatables detected by Sonatype (sonatype-2020-0988). > From the vulnerability description: > _"The `datatables.net` package is vulnerable to Prototype Pollution. The > `setData` function in `jquery.dataTables.js` fails to protect prototype > attributes when objects are created during the application's execution. A > remote attacker can exploit this to modify the behavior of object prototypes > which, depending on their use in the application, may result in a Denial of > Service (DoS), Remote Code Execution (RCE), or other unexpected execution > flow."_ > This issue was addressed in v 1.11.5 (ref: [Fix: Protect developers from > inadvertantely introducing prototype pol… · > DataTables/Dist-DataTables@e2e19ea > (github.com)).|https://github.com/DataTables/Dist-DataTables/commit/e2e19eac7e5a6f140d7eefca5c7deba165b357eb#diff-e7d8309f017dd2ef6385fa8cdc1539a2R2765] > [HDFS-16777] datatables@1.10.17 sonatype-2020-0988 vulnerability - ASF JIRA > (apache.org) was filed to address the identical issue in HDFS' UI. > h4. -- This message was sent by Atlassian Jira (v8.20.10#820010) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
[jira] [Created] (YARN-11309) datatables@1.10.17 sonatype-2020-0988 vulnerability
Eugene Shinn (Truveta) created YARN-11309: - Summary: datatables@1.10.17 sonatype-2020-0988 vulnerability Key: YARN-11309 URL: https://issues.apache.org/jira/browse/YARN-11309 Project: Hadoop YARN Issue Type: Bug Components: yarn-ui-v2 Affects Versions: 3.3.4 Reporter: Eugene Shinn (Truveta) Our static analysis security tool detected that YARN's UI currently includes a vulnerable version of datatables detected by Sonatype (sonatype-2020-0988). >From the vulnerability description: _"The `datatables.net` package is vulnerable to Prototype Pollution. The `setData` function in `jquery.dataTables.js` fails to protect prototype attributes when objects are created during the application's execution. A remote attacker can exploit this to modify the behavior of object prototypes which, depending on their use in the application, may result in a Denial of Service (DoS), Remote Code Execution (RCE), or other unexpected execution flow."_ This issue was addressed in v 1.11.5 (ref: [Fix: Protect developers from inadvertantely introducing prototype pol… · DataTables/Dist-DataTables@e2e19ea (github.com)).|https://github.com/DataTables/Dist-DataTables/commit/e2e19eac7e5a6f140d7eefca5c7deba165b357eb#diff-e7d8309f017dd2ef6385fa8cdc1539a2R2765] [HDFS-16777] datatables@1.10.17 sonatype-2020-0988 vulnerability - ASF JIRA (apache.org) was filed to address the identical issue in HDFS' UI. h4. -- This message was sent by Atlassian Jira (v8.20.10#820010) - To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org