[
https://issues.apache.org/jira/browse/YARN-11076?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
ASF GitHub Bot updated YARN-11076:
----------------------------------
Labels: pull-request-available (was: )
> Upgrade jQuery version in Yarn UI2
> -----------------------------------
>
> Key: YARN-11076
> URL: https://issues.apache.org/jira/browse/YARN-11076
> Project: Hadoop YARN
> Issue Type: Improvement
> Components: yarn-ui-v2
> Affects Versions: 3.3.0, 3.4.0
> Reporter: Tamas Domok
> Assignee: Tamas Domok
> Priority: Major
> Labels: pull-request-available
> Attachments: jquery.html, ui2jquery.png
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> UI2 uses an old jQuery version (2.1.4) which is affected by some known
> vulnerabilities, e.g.:
> - https://nvd.nist.gov/vuln/detail/CVE-2020-11022#vulnCurrentDescriptionTitle
> - https://nvd.nist.gov/vuln/detail/CVE-2020-11023#vulnCurrentDescriptionTitle
> - https://www.exploit-db.com/exploits/49766
> !ui2jquery.png!
> Attached an example reproduction page:
> [^jquery.html]
> The alert window pops with 1.8.2, or 2.1.4 but not with a 3.6.0. However, I
> couldn't exploit this with UI2, but I haven't tried every code path for sure.
> https://github.com/apache/hadoop/blob/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/bower.json
> {code}
> "jquery": "2.1.4",
> "jquery-ui": "1.11.4",
> {code}
> jQuery was upgraded already in hadoop-common:
> - HADOOP-18044, HADOOP-17286, HADOOP-17783
> jquery-ui should also be upgraded to at least 1.13.0:
> -
> https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-31126/Jquery-Jquery-Ui.html
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
