You are viewing a plain text version of this content. The canonical link for it is here.

Posted to hdfs-dev@hadoop.apache.org by "Andrew Kyle Purtell (Jira)" <ji...@apache.org> on 2022/10/06 22:37:00 UTC

[jira] [Created] (HDFS-16796) HDFS UIs embed problematic javascript components

Andrew Kyle Purtell created HDFS-16796:
------------------------------------------

             Summary: HDFS UIs embed problematic javascript components
                 Key: HDFS-16796
                 URL: https://issues.apache.org/jira/browse/HDFS-16796
             Project: Hadoop HDFS
          Issue Type: Bug
    Affects Versions: 3.3.4
            Reporter: Andrew Kyle Purtell


All Bootstrap versions 3.x have an issue covered by CVE-2018-14041, a cross site scripting problem, fixed in Bootstrap versions 4.1.3 and later. This requires a migration where Bootstrap 3.x is in use to Bootstrap 4.1.3+.

The component x-editable, an editor widget for Bootstrap, has a cross-site scripting problem for which no fixed version exists. Requires use of an alternative component or addition of a mitigating control.

Datatables versions less than 1.10.23 have problems like CVE-2020-28458. 

Similar to YARN-11331. 

Rather than collect these findings piecemeal, it is suggested this issue can be used as an umbrella.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-help@hadoop.apache.org