[
https://issues.apache.org/jira/browse/SPARK-40684?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17682272#comment-17682272
]
Eugene Shinn (Truveta) commented on SPARK-40684:
------------------------------------------------
I think I filed [SPARK-39740] vis-timeline @ 4.2.1 vulnerable to XSS attacks -
ASF JIRA (apache.org) for the same issue, but haven't seen any updates on that
ticket either.
> Update embedded vis-timeline javascript resources
> -------------------------------------------------
>
> Key: SPARK-40684
> URL: https://issues.apache.org/jira/browse/SPARK-40684
> Project: Spark
> Issue Type: Bug
> Components: Spark Core
> Affects Versions: 3.3.0
> Reporter: Andrew Kyle Purtell
> Priority: Major
>
> Spark 3.3 currently ships with embedded vis-timeline javascript resources
> subject to CVE-2020-28487, detected as a minor problem by several static
> vulnerability assessment tools.
> https://nvd.nist.gov/vuln/detail/CVE-2020-28487:
> bq. This affects the package vis-timeline before 7.4.4. An attacker with the
> ability to control the items of a Timeline element can inject additional
> script code into the generated application.
> This issue is not meant to imply a security problem in Spark itself.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
