You are viewing a plain text version of this content. The canonical link for it is here.
Posted to yarn-issues@hadoop.apache.org by "Eugene Shinn (Truveta) (Jira)" <ji...@apache.org> on 2022/12/21 17:06:00 UTC
[jira] [Commented] (YARN-11309) datatables@1.10.17 sonatype-2020-0988 vulnerability
[ https://issues.apache.org/jira/browse/YARN-11309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17650940#comment-17650940 ]
Eugene Shinn (Truveta) commented on YARN-11309:
-----------------------------------------------
Vulnerability addressed by upgrading to a non-vulnerable version that fixes other CVE's.
> datatables@1.10.17 sonatype-2020-0988 vulnerability
> ----------------------------------------------------
>
> Key: YARN-11309
> URL: https://issues.apache.org/jira/browse/YARN-11309
> Project: Hadoop YARN
> Issue Type: Bug
> Components: yarn-ui-v2
> Affects Versions: 3.3.4
> Reporter: Eugene Shinn (Truveta)
> Assignee: Ashutosh Gupta
> Priority: Major
>
> Our static analysis security tool detected that YARN's UI currently includes a vulnerable version of datatables detected by Sonatype (sonatype-2020-0988).
> From the vulnerability description:
> _"The `datatables.net` package is vulnerable to Prototype Pollution. The `setData` function in `jquery.dataTables.js` fails to protect prototype attributes when objects are created during the application's execution. A remote attacker can exploit this to modify the behavior of object prototypes which, depending on their use in the application, may result in a Denial of Service (DoS), Remote Code Execution (RCE), or other unexpected execution flow."_
> This issue was addressed in v 1.11.5 (ref: [Fix: Protect developers from inadvertantely introducing prototype pol… · DataTables/Dist-DataTables@e2e19ea (github.com)).|https://github.com/DataTables/Dist-DataTables/commit/e2e19eac7e5a6f140d7eefca5c7deba165b357eb#diff-e7d8309f017dd2ef6385fa8cdc1539a2R2765]
> [HDFS-16777] datatables@1.10.17 sonatype-2020-0988 vulnerability - ASF JIRA (apache.org) was filed to address the identical issue in HDFS' UI.
> h4.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org