[YARN-11356] Upgrade DataTables to 1.11.5 to fix CVEs - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.3.4
Fix Version/s: 3.4.0
Component/s: yarn
Labels:
- pull-request-available

Target Version/s:

3.4.0
Hadoop Flags:

Reviewed

Description

This ticket is intended to fix the following CVEs in the DataTables.net lib, by upgrading the lib to 1.11.5

CVE-2020-28458 (HIGH severity) - All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.

https://nvd.nist.gov/vuln/detail/CVE-2020-28458

CVE-2021-23445 (MEDIUM severity) - This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped.

https://nvd.nist.gov/vuln/detail/CVE-2021-23445

Attachments

Issue Links

fixes

YARN-11309 datatables@1.10.17 sonatype-2020-0988 vulnerability

Open

links to

GitHub Pull Request #5052

Activity

People

Assignee:: Bence Kosztolnik

Reporter:: Bence Kosztolnik

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 20/Oct/22 10:21

Updated:: 28/Jan/24 04:59

Resolved:: 26/Oct/22 20:42