Details
-
Task
-
Status: Open
-
Minor
-
Resolution: Unresolved
-
8.8.1
-
None
-
None
Description
The Solr webapp contains jQuery UI version 1.12.1. This jQuery UI version is vulnerable to the following vulnerabilities (and possibly others):
Actually, the first two CVEs may not be relevant, because Solr uses a custom jQuery UI subset, which currently does not contain the jQuery UI datepicker component. Solr's custom jQuery UI subset does include the jQuery UI position utility and might be vulnerable to that last CVE.
I'm working with a dev team who build Solr themselves. Their library dependency scans constantly complain about all of the above CVEs. I believe that the actual risk of an exploitable vulnerability stemming from this jQuery UI version is really small. But an upgrade would shut up such tools.
It's really more a compliance issue rather than a security issue. But upgrading to latest jQuery UI 1.13.2 or newer, would shut up similar security scans for other Solr users. And moving to the latest version might make it easier to upgrade to future jQuery UI versions, when a more impactful vulnerability becomes known.
Attachments
Issue Links
- relates to
-
SOLR-8885 Update JS lib versions
- Open
-
SOLR-11578 Solr 7 Admin UI (Cloud > Graph) should reflect the Replica type to give a more accurate representation of the cluster
- Closed