You are viewing a plain text version of this content. The canonical link for it is here.
Posted to hdfs-issues@hadoop.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/10/11 16:01:00 UTC

[jira] [Commented] (HDFS-16777) datatables@1.10.17 sonatype-2020-0988 vulnerability

    [ https://issues.apache.org/jira/browse/HDFS-16777?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17615929#comment-17615929 ] 

ASF GitHub Bot commented on HDFS-16777:
---------------------------------------

ashutoshcipher opened a new pull request, #5003:
URL: https://github.com/apache/hadoop/pull/5003

   ### Description of PR
   
   datatables@1.10.17 sonatype-2020-0988 vulnerability
   
   JIRA - HDFS-16777
   
   
   ### How was this patch tested?
   
   Added screenshots
   
   ### For code changes:
   
   - [X] Does the title or this PR starts with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
   - [ ] Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
   - [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?
   - [ ] If applicable, have you updated the `LICENSE`, `LICENSE-binary`, `NOTICE-binary` files?
   
   




> datatables@1.10.17  sonatype-2020-0988 vulnerability
> ----------------------------------------------------
>
>                 Key: HDFS-16777
>                 URL: https://issues.apache.org/jira/browse/HDFS-16777
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: ui
>    Affects Versions: 3.3.4
>            Reporter: Eugene Shinn (Truveta)
>            Assignee: Ashutosh Gupta
>            Priority: Major
>
> Our static analysis security tool detected that HDFS's UI currently includes a vulnerable version of datatables detected by Sonatype (sonatype-2020-0988). 
> From the vulnerability description:
> _"The `datatables.net` package is vulnerable to Prototype Pollution. The `setData` function in `jquery.dataTables.js` fails to protect prototype attributes when objects are created during the application's execution. A remote attacker can exploit this to modify the behavior of object prototypes which, depending on their use in the application, may result in a Denial of Service (DoS), Remote Code Execution (RCE), or other unexpected execution flow."_
> This issue was addressed in v 1.11.5 (ref: [Fix: Protect developers from inadvertantely introducing prototype pol… · DataTables/Dist-DataTables@e2e19ea (github.com)).|https://github.com/DataTables/Dist-DataTables/commit/e2e19eac7e5a6f140d7eefca5c7deba165b357eb#diff-e7d8309f017dd2ef6385fa8cdc1539a2R2765]
> N.B. this issue was also detected within the YARN UI as well.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-help@hadoop.apache.org