Uploaded image for project: 'Hadoop YARN'
  1. Hadoop YARN
  2. YARN-1993

Cross-site scripting vulnerability in TextView.java

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 2.8.0, 3.0.0-alpha1
    • webapp
    • None
    • Reviewed

    Description

      In hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/TextView.java , method echo() e.g. :

          for (Object s : args) {
      out.print(s);
    }

      Printing s to an HTML page allows cross-site scripting, because it was not properly sanitized for context HTML attribute name.

      Attachments

        1. YARN-1993.patch
          1 kB
          Kenji Kikushima

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. YARN-3589 RM and AH web UI display DOCTYPE wrongly

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              kj-ki Kenji Kikushima
              yuzhihong@gmail.com Ted Yu
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: