Michael Riedel created SOLR-16309:
-------------------------------------

             Summary: Upgrade vulnerable jQuery UI to version 1.13.2
                 Key: SOLR-16309
                 URL: https://issues.apache.org/jira/browse/SOLR-16309
             Project: Solr
          Issue Type: Bug
      Security Level: Public (Default Security Level. Issues are Public)
    Affects Versions: 8.8.1
            Reporter: Michael Riedel


The Solr webapp [contains jQuery UI version 1.12.1|https://github.com/apache/solr/blob/main/solr/webapp/web/libs/jquery-ui.min.js]. This jQuery UI version is vulnerable to the following vulnerabilities (and possibly others):

* [CVE-2021-41182|https://nvd.nist.gov/vuln/detail/CVE-2021-41182]
* [CVE-2021-41183|https://nvd.nist.gov/vuln/detail/CVE-2021-41183]
* [CVE-2021-41184|https://nvd.nist.gov/vuln/detail/CVE-2021-41184]

Actually, the first two CVEs may not be relevant, because Solr uses a custom 
jQuery UI subset, which currently does not contain the jQuery UI datepicker 
component. Solr's custom jQuery UI subset does include the jQuery UI position 
utility and might be vulnerable to that last CVE.

I'm working with a dev team who build Solr themselves. Their library dependency 
scans constantly complain about all of the above CVEs. I believe that the 
actual risk of an exploitable vulnerability stemming from this jQuery UI 
version is really small. But an upgrade would shut up such tools.

It's really more a compliance issue than a security issue. But upgrading to the latest jQuery UI 1.13.2 or newer would shut up similar security scans for other Solr users. And moving to the latest version might make it easier to upgrade to future jQuery UI versions when a more impactful vulnerability becomes known.
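The report's reasoning is that the bundled file's version, not the full jQuery UI release, decides what a dependency scanner flags, while the components actually included in Solr's custom build decide which of the listed CVEs can matter at all. The following script, added here as an illustration and not part of the Jira issue or of Solr's code base, reads the banner comment that jQuery UI custom builds place at the top of jquery-ui.min.js, extracts the version and the "Includes:" component list, and reports which of the three CVEs named above apply to an outdated build. The banner format, the sample banner text, and the CVE-to-component mapping (taken from the issue's own description: the first two CVEs concern the datepicker widget, the third the position utility) are assumptions made for this example; the `FIXED_VERSION` constant is the 1.13.2 target the issue proposes.

```python
"""Check a bundled jquery-ui.min.js banner for version and included components.

Example code written for this issue; not part of Solr or jQuery UI.
"""
import re
import sys
from typing import FrozenSet, NamedTuple, Tuple

# Version the issue proposes to upgrade to.
FIXED_VERSION = (1, 13, 2)

# Mapping assumed from the issue text: CVE-2021-41182/41183 need the datepicker
# widget, CVE-2021-41184 needs the position utility.
CVE_COMPONENTS = {
    "CVE-2021-41182": "datepicker.js",
    "CVE-2021-41183": "datepicker.js",
    "CVE-2021-41184": "position.js",
}

# Assumed banner layout of a jQuery UI custom build ("/*! jQuery UI - v1.12.1 - ...").
BANNER_RE = re.compile(r"jQuery UI - v(\d+)\.(\d+)\.(\d+)")
INCLUDES_RE = re.compile(r"\*\s*Includes:\s*([^\n]*)")

# Constructed sample banner resembling a custom build without the datepicker.
SAMPLE_BANNER = """/*! jQuery UI - v1.12.1 - 2016-09-14
* http://jqueryui.com
* Includes: widget.js, position.js, data.js, keycode.js, unique-id.js, widgets/autocomplete.js, widgets/menu.js
* Copyright jQuery Foundation and other contributors; Licensed MIT */
"""


class Finding(NamedTuple):
    version: Tuple[int, int, int]
    outdated: bool
    included: FrozenSet[str]
    relevant_cves: Tuple[str, ...]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return the (major, minor, patch) tuple from the banner, or raise ValueError."""
    match = BANNER_RE.search(text)
    if not match:
        raise ValueError("no jQuery UI version banner found")
    return tuple(int(part) for part in match.groups())  # type: ignore[return-value]


def parse_includes(text: str) -> FrozenSet[str]:
    """Return the component file names listed after 'Includes:', without directories."""
    match = INCLUDES_RE.search(text)
    if not match:
        return frozenset()
    names = (item.strip() for item in match.group(1).split(","))
    return frozenset(name.rsplit("/", 1)[-1] for name in names if name)


def assess(text: str) -> Finding:
    """Combine version and component list into a finding for the three listed CVEs."""
    version = parse_version(text)
    included = parse_includes(text)
    outdated = version < FIXED_VERSION
    # A CVE is only relevant when the build is outdated AND ships the affected component.
    relevant = tuple(
        cve for cve, component in CVE_COMPONENTS.items()
        if outdated and component in included
    )
    return Finding(version, outdated, included, relevant)


def main(argv: list) -> int:
    """Read the banner from a file given on the command line, or use the sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read(4096)  # the banner sits at the very top of the file
    else:
        text = SAMPLE_BANNER
    finding = assess(text)
    print("version:", ".".join(map(str, finding.version)))
    print("below %s:" % ".".join(map(str, FIXED_VERSION)), finding.outdated)
    print("components:", ", ".join(sorted(finding.included)))
    print("relevant CVEs:", ", ".join(finding.relevant_cves) or "none")
    return 1 if finding.relevant_cves else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the real minified file with `python check_jqueryui.py path/to/jquery-ui.min.js`; it exits non-zero when an outdated build ships an affected component, which is the condition the issue describes for the position utility. A scanner that matches only on the version string would flag all three CVEs regardless of the component list, which is exactly why the report calls it more of a compliance finding than a security one.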



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
