You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@solr.apache.org by "Michael Riedel (Jira)" <ji...@apache.org> on 2022/07/25 17:20:00 UTC

[jira] [Created] (SOLR-16309) Upgrade vulnerable jQuery UI to version 1.13.2

Michael Riedel created SOLR-16309:
-------------------------------------

             Summary: Upgrade vulnerable jQuery UI to version 1.13.2
                 Key: SOLR-16309
                 URL: https://issues.apache.org/jira/browse/SOLR-16309
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
    Affects Versions: 8.8.1
            Reporter: Michael Riedel


The Solr webapp [contains jQuery UI version 1.12.1|https://github.com/apache/solr/blob/main/solr/webapp/web/libs/jquery-ui.min.js]. This jQuery UI version is vulnerable to the following vulnerabilities (and possibly others):

* [CVE-2021-41182|https://nvd.nist.gov/vuln/detail/CVE-2021-41182]
* [CVE-2021-41183|https://nvd.nist.gov/vuln/detail/CVE-2021-41183]
* [CVE-2021-41184|https://nvd.nist.gov/vuln/detail/CVE-2021-41184]

Actually, the first two CVEs may not be relevant, because Solr uses a custom jQuery UI subset, which currently does not contain the jQuery UI datepicker component. Solr's custom jQuery UI subset does include the jQuery UI position utility and might be vulnerable to that last CVE.

I'm working with a dev team who build Solr themselves. Their library dependency scans constantly complain about all of the above CVEs. I believe that the actual risk of an exploitable vulnerability stemming from this jQuery UI version is really small. But an upgrade would shut up such tools.

It's really more a compliance issue rather than a security issue. But upgrading to latest jQuery UI 1.13.2 or newer, would shut up similar security scans for other Solr users. And moving to the latest version might make it easier to upgrade to future jQuery UI versions, when a more impactful vulnerability becomes known.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org