Andrew Kyle Purtell created YARN-11331:
------------------------------------------

             Summary: YARN UIs embed problematic javascript
                 Key: YARN-11331
                 URL: https://issues.apache.org/jira/browse/YARN-11331
             Project: Hadoop YARN
          Issue Type: Bug
    Affects Versions: 3.3.4
            Reporter: Andrew Kyle Purtell


YARN component UIs, especially the Application Catalog, embed several problematic JavaScript components.

First and foremost is the Angular framework, for which all development has ceased and several vulnerabilities are known and listed in the CVE database. To fix this requires a migration away from Angular to some other framework.

Another component like this is x-editable, an editor widget for Bootstrap. There is a cross-site scripting problem for which no fixed version exists. Requires use of an alternative component or addition of a mitigating control.

All Bootstrap versions 3.x have an issue covered by CVE-2018-14041, a cross-site scripting problem, fixed in Bootstrap versions 4.1.3 and later. This requires a migration where Bootstrap 3.x is in use to Bootstrap 4.1.3+.

At my workplace we have chosen to delete the Application Catalog, which I recommend as the most likely path to satisfaction for you as well, because the Angular problem lacks a path forward other than reimplementation. x-editable and Bootstrap issues persist in other places.

Rather than collect these findings piecemeal, it is suggested this issue can be used as an umbrella.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
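A defender-side check for the findings above, added here as an example and not code from the YARN project: a small Python scanner that reads the version banner at the top of bundled JavaScript files and flags copies of Bootstrap below 4.1.3 (CVE-2018-14041) and any copy of AngularJS or x-editable, for which the issue notes no fixed release exists. The sample webapp tree, its file names and the banner strings are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Thresholds from the issue text: Bootstrap 3.x is affected by CVE-2018-14041,
# fixed in 4.1.3+; AngularJS and x-editable have no fixed release at all.
FIXED_IN = {"bootstrap": ((4, 1, 3), "CVE-2018-14041")}
NO_FIX = {"angularjs", "x-editable"}

# Version banners these libraries ship at the top of their bundles, e.g.
# "Bootstrap v3.3.7", "AngularJS v1.8.2", "X-editable - v1.5.1".
BANNER_RE = re.compile(r"(Bootstrap|AngularJS|X-editable)\s*-?\s*v?(\d+\.\d+\.\d+)", re.I)

def assess(library, version):
    """Return a finding string, or None if the bundled version is acceptable."""
    lib = library.lower()
    if lib in NO_FIX:
        return f"{library} {version}: no fixed release exists; replace or remove"
    entry = FIXED_IN.get(lib)
    if entry and tuple(int(p) for p in version.split(".")) < entry[0]:
        fixed = ".".join(map(str, entry[0]))
        return f"{library} {version}: below {fixed}, affected by {entry[1]}; upgrade"
    return None

def scan_webapp(root):
    """Walk a static webapp tree and report vulnerable bundled JS libraries."""
    findings = []
    for path in sorted(Path(root).rglob("*.js")):
        # Banners sit in the first few lines, so only the head of the file is read.
        match = BANNER_RE.search(path.read_text(errors="ignore")[:512])
        if match:
            finding = assess(match.group(1), match.group(2))
            if finding:
                findings.append((path.name, finding))
    return findings

def build_sample_webapp():
    """Constructed sample tree standing in for a YARN UI webapp directory."""
    root = Path(tempfile.mkdtemp())
    banners = {  # constructed file contents, not real library bundles
        "bootstrap.min.js": "/*!\n * Bootstrap v3.3.7 (http://getbootstrap.com)\n */",
        "angular.min.js": "/**\n * @license AngularJS v1.8.2\n */",
        "bootstrap-editable.js": "/*! X-editable - v1.5.1\n */",
        "bootstrap4.min.js": "/*!\n * Bootstrap v4.6.0 (https://getbootstrap.com/)\n */",
    }
    for name, banner in banners.items():
        (root / name).write_text(banner)
    return root
```

Running `scan_webapp(build_sample_webapp())` reports the Bootstrap 3.3.7, AngularJS and x-editable copies and leaves the Bootstrap 4.6.0 bundle alone; pointing it at a real webapp directory is a quick way to inventory what a given YARN build still ships.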