Posted to issues@solr.apache.org by "Michael Riedel (Jira)" <ji...@apache.org> on 2022/07/25 17:23:00 UTC

[jira] [Commented] (SOLR-16309) Upgrade vulnerable jQuery UI to version 1.13.2

    [ https://issues.apache.org/jira/browse/SOLR-16309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17571016#comment-17571016 ] 

Michael Riedel commented on SOLR-16309:
---------------------------------------

FYI, I think I've figured out which subset of jQuery UI Solr is currently using. I can post it here if it helps.

I also wonder if Solr needs jQuery UI at all. So far, I've only found [this one definitive usage of jQuery UI in Solr|https://github.com/apache/solr/blob/main/solr/webapp/web/js/angular/controllers/cloud.js#L935], which uses the tooltip widget. Maybe this could be replaced by something more lightweight?

> Upgrade vulnerable jQuery UI to version 1.13.2
> ----------------------------------------------
>
>                 Key: SOLR-16309
>                 URL: https://issues.apache.org/jira/browse/SOLR-16309
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 8.8.1
>            Reporter: Michael Riedel
>            Priority: Major
>
> The Solr webapp [contains jQuery UI version 1.12.1|https://github.com/apache/solr/blob/main/solr/webapp/web/libs/jquery-ui.min.js]. This jQuery UI version is vulnerable to the following vulnerabilities (and possibly others):
> * [CVE-2021-41182|https://nvd.nist.gov/vuln/detail/CVE-2021-41182]
> * [CVE-2021-41183|https://nvd.nist.gov/vuln/detail/CVE-2021-41183]
> * [CVE-2021-41184|https://nvd.nist.gov/vuln/detail/CVE-2021-41184]
> Actually, the first two CVEs may not be relevant, because Solr uses a custom jQuery UI subset, which currently does not contain the jQuery UI datepicker component. Solr's custom jQuery UI subset does include the jQuery UI position utility and might be vulnerable to that last CVE.
> I'm working with a dev team who build Solr themselves. Their library dependency scans constantly complain about all of the above CVEs. I believe that the actual risk of an exploitable vulnerability stemming from this jQuery UI version is really small. But an upgrade would shut up such tools.
> It's really more a compliance issue rather than a security issue. But upgrading to the latest jQuery UI 1.13.2 or newer would shut up similar security scans for other Solr users. And moving to the latest version might make it easier to upgrade to future jQuery UI versions when a more impactful vulnerability becomes known.
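As an added example (not code from this ticket or from Solr), the following script shows how a defender can answer the two questions raised above without a dependency scanner: which jQuery UI version is bundled and which modules the custom subset contains. It reads the banner that the jQuery UI custom-build download writes at the top of jquery-ui.min.js (the banner format is an assumption; the sample banner is constructed, not Solr's real file) and maps the bundled modules to the CVEs listed in the ticket.

```javascript
// Constructed sample banner mirroring the subset the ticket describes:
// position.js present, widgets/datepicker.js absent. Not Solr's real file.
const SAMPLE_BANNER = `/*! jQuery UI - v1.12.1 - 2016-09-14
* http://jqueryui.com
* Includes: widget.js, position.js, keycode.js, unique-id.js, widgets/tooltip.js
* Copyright jQuery Foundation and other contributors; Licensed MIT */
!function(t){"use strict"}(jQuery);`;

// Module-to-CVE mapping as stated in the ticket: the datepicker CVEs only
// matter if the datepicker is bundled; CVE-2021-41184 concerns position.js.
const COMPONENT_CVES = {
  "widgets/datepicker.js": ["CVE-2021-41182", "CVE-2021-41183"],
  "position.js": ["CVE-2021-41184"],
};
const TARGET_VERSION = "1.13.2"; // version the ticket proposes upgrading to

// Extract version and module list from the custom-build banner
// ("/*! jQuery UI - vX.Y.Z - DATE" ... "* Includes: a.js, b.js, ...").
function parseBanner(source) {
  const versionMatch = source.match(/jQuery UI - v(\d+\.\d+\.\d+)/);
  if (!versionMatch) return null; // not a jQuery UI build banner
  const includesMatch = source.match(/\* Includes: ([^\n]+)/);
  const modules = includesMatch
    ? includesMatch[1].split(",").map((m) => m.trim()).filter(Boolean)
    : [];
  return { version: versionMatch[1], modules };
}

// Numeric dotted-version compare: <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Report the bundled version, whether it is below the target, and which of
// the ticket's CVEs apply to the modules actually present in the subset.
function assess(source) {
  const info = parseBanner(source);
  if (!info) return { version: null, modules: [], outdated: false, applicableCves: [] };
  const outdated = compareVersions(info.version, TARGET_VERSION) < 0;
  const applicableCves = outdated
    ? Object.entries(COMPONENT_CVES)
        .filter(([mod]) => info.modules.includes(mod))
        .flatMap(([, cves]) => cves)
    : [];
  return { ...info, outdated, applicableCves };
}
```

Run it against the real webapp file by reading jquery-ui.min.js into `assess()`; only the CVEs whose module is actually bundled are reported, which is the distinction the ticket draws between the datepicker CVEs and CVE-2021-41184.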



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org