[ https://issues.apache.org/jira/browse/YARN-11076?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
ASF GitHub Bot updated YARN-11076: ---------------------------------- Labels: pull-request-available (was: ) > Upgrade jQuery version in Yarn UI2 > ----------------------------------- > > Key: YARN-11076 > URL: https://issues.apache.org/jira/browse/YARN-11076 > Project: Hadoop YARN > Issue Type: Improvement > Components: yarn-ui-v2 > Affects Versions: 3.3.0, 3.4.0 > Reporter: Tamas Domok > Assignee: Tamas Domok > Priority: Major > Labels: pull-request-available > Attachments: jquery.html, ui2jquery.png > > Time Spent: 10m > Remaining Estimate: 0h > > UI2 uses an old jQuery version (2.1.4) which is affected by some known > vulnerabilities, e.g.: > - https://nvd.nist.gov/vuln/detail/CVE-2020-11022#vulnCurrentDescriptionTitle > - https://nvd.nist.gov/vuln/detail/CVE-2020-11023#vulnCurrentDescriptionTitle > - https://www.exploit-db.com/exploits/49766 > !ui2jquery.png! > Attached an example reproduction page: > [^jquery.html] > The alert window pops with 1.8.2, or 2.1.4 but not with a 3.6.0. However, I > couldn't exploit this with UI2, but I haven't tried every code path for sure. > https://github.com/apache/hadoop/blob/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/bower.json > {code} > "jquery": "2.1.4", > "jquery-ui": "1.11.4", > {code} > jQuery was upgraded already in hadoop-common: > - HADOOP-18044, HADOOP-17286, HADOOP-17783 > jquery-ui should also be upgraded to at least 1.13.0: > - > https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-31126/Jquery-Jquery-Ui.html -- This message was sent by Atlassian Jira (v8.20.1#820001) --------------------------------------------------------------------- To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org