Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-11309

datatables@1.10.17 sonatype-2020-0988 vulnerability

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 3.3.4
    • None
    • yarn-ui-v2
    • None

    Description

      Our static analysis security tool detected that YARN's UI currently includes a vulnerable version of datatables detected by Sonatype (sonatype-2020-0988). 

      From the vulnerability description:

      "The `datatables.net` package is vulnerable to Prototype Pollution. The `setData` function in `jquery.dataTables.js` fails to protect prototype attributes when objects are created during the application's execution. A remote attacker can exploit this to modify the behavior of object prototypes which, depending on their use in the application, may result in a Denial of Service (DoS), Remote Code Execution (RCE), or other unexpected execution flow."

      This issue was addressed in v 1.11.5 (ref: Fix: Protect developers from inadvertantely introducing prototype pol… · DataTables/Dist-DataTables@e2e19ea (github.com)).

      HDFS-16777 datatables@1.10.17 sonatype-2020-0988 vulnerability - ASF JIRA (apache.org) was filed to address the identical issue in HDFS' UI.

      Attachments

        Issue Links

          is fixed by

          Improvement - An improvement or enhancement to an existing feature or task. YARN-11356 Upgrade DataTables to 1.11.5 to fix CVEs

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              groot Ashutosh Gupta
              ess-truveta Eugene Shinn (Truveta)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated: