[ https://issues.apache.org/jira/browse/SOLR-16309?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kevin Risden updated SOLR-16309:
--------------------------------
Component/s: Admin UI
> Upgrade vulnerable jQuery UI to version 1.13.2
> ----------------------------------------------
>
> Key: SOLR-16309
> URL: https://issues.apache.org/jira/browse/SOLR-16309
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Admin UI
> Affects Versions: 8.8.1
> Reporter: Michael Riedel
> Priority: Major
>
> The Solr webapp [contains jQuery UI version
> 1.12.1|https://github.com/apache/solr/blob/main/solr/webapp/web/libs/jquery-ui.min.js].
> This jQuery UI version is vulnerable to the following vulnerabilities (and
> possibly others):
> * [CVE-2021-41182|https://nvd.nist.gov/vuln/detail/CVE-2021-41182]
> * [CVE-2021-41183|https://nvd.nist.gov/vuln/detail/CVE-2021-41183]
> * [CVE-2021-41184|https://nvd.nist.gov/vuln/detail/CVE-2021-41184]
> Actually, the first two CVEs may not be relevant, because Solr uses a custom
> jQuery UI subset, which currently does not contain the jQuery UI datepicker
> component. Solr's custom jQuery UI subset does include the jQuery UI position
> utility and might be vulnerable to that last CVE.
> I'm working with a dev team who build Solr themselves. Their library
> dependency scans constantly complain about all of the above CVEs. I believe
> that the actual risk of an exploitable vulnerability stemming from this
> jQuery UI version is really small. But an upgrade would shut up such tools.
> It's really more a compliance issue rather than a security issue. But
> upgrading to the latest jQuery UI 1.13.2 or newer would shut up similar security
> scans for other Solr users. And moving to the latest version might make it
> easier to upgrade to future jQuery UI versions when a more impactful
> vulnerability becomes known.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
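The reporter's argument is that only the CVEs touching modules actually bundled in Solr's custom jQuery UI subset matter. The following added example (not code from the issue or from Solr) reads the banner comment that jQuery UI builds carry, compares the version against the 1.13.2 target named in the issue, and maps each listed CVE to the module it concerns; the banner text is a constructed sample, and the module names and target version are assumptions taken from the issue.

```python
import re

# Version the issue asks to move to; builds below it are flagged (assumption taken from the issue text).
TARGET_VERSION = (1, 13, 2)

# CVEs named in the issue keyed by the jQuery UI source module they concern, following the
# reporter's reasoning: datepicker CVEs only matter if datepicker is bundled, CVE-2021-41184 if position is.
CVES_BY_MODULE = {
    "datepicker.js": ("CVE-2021-41182", "CVE-2021-41183"),
    "position.js": ("CVE-2021-41184",),
}

BANNER_RE = re.compile(r"jQuery UI - v(\d+)\.(\d+)\.(\d+)")
INCLUDES_RE = re.compile(r"Includes:\s*([^\n]*)")

def parse_banner(js_text):
    """Return (version, bundled module basenames) from a jQuery UI build banner.
    None if no banner is present; modules is None if the build lists no 'Includes:' line."""
    m = BANNER_RE.search(js_text)
    if not m:
        return None
    version = tuple(int(x) for x in m.groups())
    inc = INCLUDES_RE.search(js_text)
    if not inc:
        return version, None
    modules = {p.strip().split("/")[-1] for p in inc.group(1).split(",") if p.strip()}
    return version, modules

def assess(js_text):
    """Decide whether the build needs the upgrade and which of the issue's CVEs apply to it."""
    parsed = parse_banner(js_text)
    if parsed is None:
        return {"version": None, "needs_upgrade": None, "relevant": [], "not_applicable": []}
    version, modules = parsed
    needs_upgrade = version < TARGET_VERSION
    relevant, not_applicable = [], []
    for module, cves in CVES_BY_MODULE.items():
        # Unknown module list: stay conservative and treat every CVE as applicable.
        bundled = True if modules is None else module in modules
        (relevant if needs_upgrade and bundled else not_applicable).extend(cves)
    return {"version": version, "needs_upgrade": needs_upgrade,
            "relevant": relevant, "not_applicable": not_applicable}

# Constructed banner resembling a custom 1.12.1 build that bundles position but not datepicker,
# as the issue describes for Solr's subset (sample input, not the real Solr file).
SAMPLE_BANNER = """/*! jQuery UI - v1.12.1 - 2016-09-14
* http://jqueryui.com
* Includes: widget.js, position.js, data.js, keycode.js, widgets/draggable.js, widgets/resizable.js
* Copyright jQuery Foundation and other contributors; Licensed MIT */
!function(e){"use strict"}(jQuery);"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER))
```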