[
https://issues.apache.org/jira/browse/DRILL-7705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17096365#comment-17096365
]
Anton Gozhiy commented on DRILL-7705:
-------------------------------------
Merged into master with commit id 0a66da598a986971a77900442e20025ebfc56e9d.
> Update jQuery and Bootstrap libraries
> -------------------------------------
>
> Key: DRILL-7705
> URL: https://issues.apache.org/jira/browse/DRILL-7705
> Project: Apache Drill
> Issue Type: Improvement
> Affects Versions: 1.17.0
> Reporter: Anton Gozhiy
> Assignee: Anton Gozhiy
> Priority: Major
> Labels: ready-to-commit
> Fix For: 1.18.0
>
>
> There are some vulnerabilities present in jQuery and Bootstrap libraries used
> in Drill:
> * jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products,
> mishandles jQuery.extend(true, {}, ...) because of Object.prototype
> pollution. If an unsanitized source object contained an enumerable __proto__
> property, it could extend the native Object.prototype.
> * In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent
> attribute.
> * In Bootstrap before 4.1.2, XSS is possible in the data-container property
> of tooltip.
> * In Bootstrap before 3.4.0, XSS is possible in the affix configuration
> target property.
> * In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the
> tooltip or popover data-template attribute.
> The following update is suggested to fix them:
> * jQuery: 3.2.1 -> 3.5.0
> * Bootstrap: 3.1.1 -> 4.4.1
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
