[ https://issues.apache.org/jira/browse/AIRFLOW-4179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16821226#comment-16821226 ]

Ash Berlin-Taylor commented on AIRFLOW-4179:
--------------------------------------------

The security warnings against the components don't affect Airflow as they are 
related to XHR requests to third party sites which Airflow UI does not do.

We should still update the libraries though, but it's (possibly) a non-trivial 
amount of work.

> Update version of Bootstrap, jQuery in use
> ------------------------------------------
>
>                 Key: AIRFLOW-4179
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-4179
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: security, ui
>            Reporter: t oo
>            Priority: Major
>
> "The Airflow application utilises the following three outdated libraries that 
> contain publicly disclosed security vulnerabilities:
> -bootstrap 3.3.5
> -moment.js 2.9.0
> -jQuery 2.1.4"
> Business Impact/Attack Scenario 
> The out of date libraries are vulnerable to attacks such as cross-site scripting 
> (XSS), which can be used to steal credentials, perform unauthorised actions, 
> redirect the user to a malicious site or track the user's actions, or denial 
> of service attacks.
> Recommendation 
> "Update libraries to the latest versions at the time of writing as listed 
> below. If old libraries are required for compatibility reasons, update to the 
> latest version of the legacy branch and review whether the application is 
> using the vulnerable component to determine whether additional sanitisation 
> of input may be required.
> Latest versions:
> -bootstrap 4.3.1
> -moment.js 2.19.3
> -jQuery 3.3.1"
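A check that turns the recommendation above (review which of these libraries a deployment actually ships) into a script: an added example, not Airflow's own code, that reads the version banner at the top of each bundled file and flags copies older than the versions the ticket lists. The banner patterns and the sample file contents are this example's own constructions.

```python
import re
from pathlib import Path

# Minimum acceptable versions, taken from the ticket's "Latest versions" list.
MIN_VERSIONS = {"bootstrap": (4, 3, 1), "moment.js": (2, 19, 3), "jquery": (3, 3, 1)}

# Banner comment patterns (this example's assumption about the header comments
# the three libraries ship with; adjust if a build step strips them).
BANNERS = {
    "bootstrap": re.compile(r"Bootstrap v(\d+)\.(\d+)\.(\d+)"),
    "moment.js": re.compile(r"moment\.js\s*//!\s*version\s*:\s*(\d+)\.(\d+)\.(\d+)"),
    "jquery": re.compile(r"jQuery (?:JavaScript Library )?v(\d+)\.(\d+)\.(\d+)"),
}

def detect_library(text):
    """Return (library, version tuple) read from a file's banner, or None."""
    head = text[:2000]  # banners sit at the top of the file
    for lib, pattern in BANNERS.items():
        m = pattern.search(head)
        if m:
            return lib, tuple(int(x) for x in m.groups())
    return None

def audit(files):
    """files: {path: contents}. Returns [(path, lib, found, minimum)] for outdated copies."""
    findings = []
    for path, text in files.items():
        hit = detect_library(text)
        if hit is None:
            continue
        lib, version = hit
        if version < MIN_VERSIONS[lib]:
            findings.append((path, lib, version, MIN_VERSIONS[lib]))
    return findings

def audit_dir(root):
    """Audit every .js file under a static assets directory."""
    return audit({str(p): p.read_text(errors="ignore") for p in Path(root).rglob("*.js")})

# Constructed sample banners mirroring the versions named in the ticket.
SAMPLE_FILES = {
    "static/jquery.min.js": "/*! jQuery v2.1.4 | (c) 2005, 2015 jQuery Foundation, Inc. */",
    "static/bootstrap.min.js": "/*!\n * Bootstrap v3.3.5 (http://getbootstrap.com)\n */",
    "static/moment.js": "//! moment.js\n//! version : 2.9.0\n//! authors : Tim Wood",
    "static/jquery-3.3.1.min.js": "/*! jQuery v3.3.1 | (c) JS Foundation */",
}

if __name__ == "__main__":
    for path, lib, found, minimum in audit(SAMPLE_FILES):
        print(f"{path}: {lib} {'.'.join(map(str, found))} < {'.'.join(map(str, minimum))}")
```

Run `audit_dir("airflow/www/static")` (or wherever the UI assets live) to check a real checkout; a file whose banner was stripped by minification will not be detected and needs a manual look.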

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)