Details
Type: Bug
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 3.1.1
Fix Version/s: None
Component/s: None
Description
Hi, we are using Cloudera Hortonworks Data Platform 3.1.0 (I know 3.1.5 is out, but we are not on it yet), but 3.1.5 has the same issue.
Our security team scanned our YARN UI and insists that we upgrade jQuery from 3.3.1 to 3.5.1 to close a security issue. I know that YARN will never be exposed to the internet, but the security team does not care (don't ask).
This is the issue they want fixed:
https://snyk.io/test/npm/jquery/3.3.1
https://www.cvedetails.com/cve/CVE-2019-11358/
Can someone upgrade the jQuery in YARN from 3.3.1 to 3.5.1? We noticed this is bundled in a file called vendor.js,
located here:
hadoop-tools/hadoop-sls/src/main/html/js/thirdparty/jquery.js
FYI, when I did these upgrades to other parts of our internal application (not on HDP), the upgraded version of jQuery just worked without any code changes other than referring to the new file, as jQuery hard-codes the version in its filename (e.g., jquery-3.5.1.min.js for version 3.5.1).
I could possibly fix this if I had access to your source code and was allowed to create a branch.
Thanks, James Stroud
PS I work for IBM but I signed up with my personal email account
My IBM email is stroudj@us.ibm.com.
Also, I apologize if I made mistakes creating this issue, as I was not sure what to put in for some fields.
I put this as a minor issue, but I'm sure my security team would deem this higher than that.
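Added example (not from the reporter and not Hadoop or jQuery code) showing two things a reviewer of this ticket would want to check: how to read the jQuery version out of a bundled file such as vendor.js or thirdparty/jquery.js from its banner comment, and why the version floor matters, by modelling the CVE-2019-11358 prototype-pollution bug (jQuery.extend(true, ...) before 3.4.0 copying a "__proto__" key from untrusted JSON) with a simplified deep merge and the 3.4.0-style guard. The deep-merge functions and the banner string are constructed for illustration; the banner follows the format jQuery's minified builds use, and the 3.5.1 floor is the one the security team asked for in the ticket.

```javascript
"use strict";

// Constructed sample: the banner a jQuery 3.3.1 minified build carries at
// the top of the file (what a bundled vendor.js would contain).
const SAMPLE_VENDOR_HEADER =
  "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */";

// Extracts [major, minor, patch] from a jQuery source banner, or null if absent.
// Matches both the minified ("jQuery v3.3.1") and unminified
// ("jQuery JavaScript Library v3.3.1") banner forms.
function jqueryVersionFromSource(src) {
  const m = /jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)/.exec(src);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// CVE-2019-11358 (prototype pollution in jQuery.extend) was fixed in 3.4.0.
function affectedByCve201911358(version) {
  return compareVersions(version, [3, 4, 0]) < 0;
}

// The floor the ticket's security team requires.
function meetsRequiredFloor(version, floor = [3, 5, 1]) {
  return compareVersions(version, floor) >= 0;
}

function isPlainObject(v) {
  return Object.prototype.toString.call(v) === "[object Object]";
}

// Hypothetical deep merge in the style of jQuery.extend(true, target, source)
// before 3.4.0: every enumerable key of source is copied, including "__proto__",
// so a crafted object walks into Object.prototype.
function deepExtendVulnerable(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (isPlainObject(copy)) {
      const clone = isPlainObject(target[name]) ? target[name] : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Same merge with the 3.4.0-style guard: skip "__proto__" and self-references.
function deepExtendFixed(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (name === "__proto__" || target === copy) continue;
    if (isPlainObject(copy)) {
      const clone = isPlainObject(target[name]) ? target[name] : {};
      target[name] = deepExtendFixed(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Returns true if merging an attacker-shaped payload through mergeFn
// leaves a new property on every object (i.e. Object.prototype was polluted).
function pollutes(mergeFn) {
  // Constructed attacker payload, as it would arrive via JSON.parse of untrusted input.
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}');
  const before = {}.polluted;
  mergeFn({}, payload);
  const after = {}.polluted;
  delete Object.prototype.polluted; // clean up so later code is unaffected
  return before === undefined && after === "yes";
}

const found = jqueryVersionFromSource(SAMPLE_VENDOR_HEADER);
console.log("bundled jQuery version:", found ? found.join(".") : "not found");
console.log("affected by CVE-2019-11358:", affectedByCve201911358(found));
console.log("meets 3.5.1 floor:", meetsRequiredFloor(found));
console.log("vulnerable merge pollutes Object.prototype:", pollutes(deepExtendVulnerable));
console.log("guarded merge pollutes Object.prototype:", pollutes(deepExtendFixed));
```

Running jqueryVersionFromSource over each jQuery or vendor bundle in the tree gives a quick confirmation, independent of the scanner, of which copies are below the floor; the merge demo shows the bug class rather than jQuery's actual implementation, and a minified bundle with a stripped banner will return null and needs to be checked by other means.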