[HDFS-16860] Upgrade moment.min.js to 2.29.4 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.4.0
Fix Version/s: 3.4.0
Component/s: build, ui
Labels:
- pull-request-available
- transitive-cve

Target Version/s:

3.4.0
Hadoop Flags:

Reviewed

Description

Upgrade moment.min.js to 2.29.4 to resolve https://nvd.nist.gov/vuln/detail/CVE-2022-31129

"Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4"

this only appears to affect the UI, not the yarn services, so it is a self-harm DoS rather than anything important. "if you pass in big strings the ui slows down"

Attachments

Issue Links

links to

GitHub Pull Request #5194

Activity

People

Assignee:: Anurag Parvatikar

Reporter:: D M Murali Krishna Reddy

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 05/Dec/22 04:49

Updated:: 28/Jan/24 07:35

Resolved:: 09/Dec/22 05:50