Eugene Shinn (Truveta) created HDFS-16777:
---------------------------------------------
Summary: datatables@1.10.17 sonatype-2020-0988 vulnerability
Key: HDFS-16777
URL: https://issues.apache.org/jira/browse/HDFS-16777
Project: Hadoop HDFS
Issue Type: Bug
Components: ui
Affects Versions: 3.3.4
Reporter: Eugene Shinn (Truveta)
Our static analysis security tool detected that HDFS's UI currently includes a
vulnerable version of datatables detected by Sonatype (sonatype-2020-0988).
>From the vulnerability description:
_"The `datatables.net` package is vulnerable to Prototype Pollution. The
`setData` function in `jquery.dataTables.js` fails to protect prototype
attributes when objects are created during the application's execution. A
remote attacker can exploit this to modify the behavior of object prototypes
which, depending on their use in the application, may result in a Denial of
Service (DoS), Remote Code Execution (RCE), or other unexpected execution
flow."_
This issue was addressed in v 1.11.5 (ref: [Fix: Protect developers from
inadvertantely introducing prototype pol… · DataTables/Dist-DataTables@e2e19ea
(github.com)).|https://github.com/DataTables/Dist-DataTables/commit/e2e19eac7e5a6f140d7eefca5c7deba165b357eb#diff-e7d8309f017dd2ef6385fa8cdc1539a2R2765]
N.B. this issue was also detected within the YARN UI as well.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-dev-h...@hadoop.apache.org
