Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
3.3.4
-
Reviewed
Description
Our static analysis security tool detected that HDFS's UI currently includes a vulnerable version of datatables detected by Sonatype (sonatype-2020-0988).
From the vulnerability description:
"The `datatables.net` package is vulnerable to Prototype Pollution. The `setData` function in `jquery.dataTables.js` fails to protect prototype attributes when objects are created during the application's execution. A remote attacker can exploit this to modify the behavior of object prototypes which, depending on their use in the application, may result in a Denial of Service (DoS), Remote Code Execution (RCE), or other unexpected execution flow."
This issue was addressed in v 1.11.5 (ref: Fix: Protect developers from inadvertantely introducing prototype pol… · DataTables/Dist-DataTables@e2e19ea (github.com)).
N.B. this issue was also detected within the YARN UI as well.
Attachments
Issue Links
- links to