Andrew Kyle Purtell created YARN-11331:
------------------------------------------

             Summary: YARN UIs embed problematic javascript
                 Key: YARN-11331
                 URL: https://issues.apache.org/jira/browse/YARN-11331
             Project: Hadoop YARN
          Issue Type: Bug
    Affects Versions: 3.3.4
            Reporter: Andrew Kyle Purtell


YARN component UIs, especially the Application Catalog, embed several 
problematic JavaScript components. 

First and foremost is the Angular framework, for which all development has 
ceased and several vulnerabilities are known and listed in the CVE database. To 
fix this requires a migration away from Angular to some other framework. 

Another such component is x-editable, an editor widget for Bootstrap. It has a 
cross-site scripting problem for which no fixed version exists. Fixing this 
requires use of an alternative component or addition of a mitigating control.

All Bootstrap versions 3.x have an issue covered by CVE-2018-14041, a cross-site 
scripting problem, fixed in Bootstrap versions 4.1.3 and later. This requires a 
migration where Bootstrap 3.x is in use to Bootstrap 4.1.3+. 
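One way to inventory which of these bundled libraries a deployed UI actually ships, as an added example that is not part of this issue or of the YARN code base: it reads the version banner of each asset and flags the conditions the report lists (Bootstrap below 4.1.3, any AngularJS, any x-editable). The banner regexes and the sample asset contents are assumptions constructed for the example.

```python
import re

# Thresholds taken from the issue report: Bootstrap below 4.1.3 is affected by
# CVE-2018-14041, while AngularJS and x-editable have no fixed version at all.
BOOTSTRAP_FIXED = (4, 1, 3)

# Banner regexes are an assumption about the license comment at the top of each
# library's distribution file; a bundle that strips banners will not match.
BANNERS = {
    "bootstrap": re.compile(r"Bootstrap v(\d+)\.(\d+)\.(\d+)"),
    "angularjs": re.compile(r"AngularJS v(\d+)\.(\d+)\.(\d+)"),
    "x-editable": re.compile(r"X-editable - v(\d+)\.(\d+)\.(\d+)", re.I),
}

def classify(path, text):
    """Return (library, version_tuple, finding_or_None) for one asset, else None."""
    for lib, pat in BANNERS.items():
        m = pat.search(text[:2000])  # banners sit in the first few lines
        if not m:
            continue
        version = tuple(int(x) for x in m.groups())
        dotted = ".".join(map(str, version))
        if lib == "bootstrap":
            if version < BOOTSTRAP_FIXED:
                return (lib, version, f"{path}: Bootstrap {dotted} < 4.1.3, "
                        "CVE-2018-14041 (XSS); migrate to Bootstrap 4.1.3+")
            return (lib, version, None)
        if lib == "angularjs":
            return (lib, version, f"{path}: AngularJS {dotted} is unmaintained "
                    "with known CVEs; no newer release fixes this")
        return (lib, version, f"{path}: x-editable {dotted} has an unfixed XSS; "
                "replace it or add a mitigating control")
    return None

def scan(sources):
    """sources maps asset path -> file text; returns the list of finding strings."""
    findings = [classify(p, t) for p, t in sources.items()]
    return [f[2] for f in findings if f and f[2]]

# Constructed sample assets standing in for bundled UI files.
SAMPLE = {
    "webapps/js/bootstrap.min.js": "/*!\n * Bootstrap v3.3.7 (http://getbootstrap.com)\n */",
    "webapps/js/angular.min.js": "/*\n AngularJS v1.8.2\n (c) 2010-2020 Google LLC.\n*/",
    "webapps/js/bootstrap4.min.js": "/*!\n * Bootstrap v4.6.0 (https://getbootstrap.com/)\n */",
    "webapps/js/app.js": "// first-party application code, no library banner\n",
}

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE)) or "no flagged libraries")
```

To run it against a real deployment, feed `scan` a mapping built by reading the `.js` and `.css` files under the webapp directory; assets whose banners were stripped during bundling will need a different fingerprint.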

At my workplace we have chosen to delete the Application Catalog, which I 
recommend as the most likely path to satisfaction for you as well, because the 
Angular problem lacks a path forward other than reimplementation.

x-editable and Bootstrap issues persist in other places. 

Rather than collecting these findings piecemeal, it is suggested that this issue 
be used as an umbrella. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
