You are viewing a plain text version of this content. The canonical link for it is here.

Posted to yarn-issues@hadoop.apache.org by "Tamas Domok (Jira)" <ji...@apache.org> on 2022/02/15 10:23:00 UTC

[jira] [Created] (YARN-11076) Upgrade jQuery version in Yarn UI2

Tamas Domok created YARN-11076:
----------------------------------

             Summary: Upgrade jQuery version in Yarn UI2 
                 Key: YARN-11076
                 URL: https://issues.apache.org/jira/browse/YARN-11076
             Project: Hadoop YARN
          Issue Type: Improvement
          Components: yarn-ui-v2
    Affects Versions: 3.3.0, 3.4.0
            Reporter: Tamas Domok
            Assignee: Tamas Domok
         Attachments: jquery.html, ui2jquery.png

UI2 uses an old jQuery version (2.1.4) which is affected by some known vulnerabilities, e.g.:

- https://nvd.nist.gov/vuln/detail/CVE-2020-11022#vulnCurrentDescriptionTitle
- https://nvd.nist.gov/vuln/detail/CVE-2020-11023#vulnCurrentDescriptionTitle
- https://www.exploit-db.com/exploits/49766

 !ui2jquery.png! 

Attached an example reproduction page:
 [^jquery.html] 
The alert window pops with 1.8.2, or 2.1.4 but not with a 3.6.0. However, I couldn't exploit this with UI2, but I haven't tried every code path for sure.

https://github.com/apache/hadoop/blob/trunk/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-ui/src/main/webapp/bower.json
{code}
    "jquery": "2.1.4",
    "jquery-ui": "1.11.4",
{code}

jQuery was upgraded already in hadoop-common:
 - HADOOP-18044, HADOOP-17286, HADOOP-17783

jquery-ui should also be upgraded to at least 1.13.0:
 - https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-31126/Jquery-Jquery-Ui.html





--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org