jquery dependency needs to be updated to 3.5.0 or newer #10429
Comments
Thanks for opening your first issue here! Be sure to follow the issue template!
Would you be so kind as to make a PR with that? It should be rather easy. BTW, when you open a new "security" issue from the template, you should get information that the right way of raising security issues is through [email protected]; then such a vulnerability can be fixed before it gets disclosed.
There is a vulnerability in the version currently being used. GHSA-gxr4-xjj5-5px2
Pull request made. I did not email [email protected] because I frankly don't consider this to be worth going through that process. This vulnerability is not in any way "secret". It's a vulnerability in a dependency that Nessus is already alerting on against running Airflow servers (mostly because of some networking equipment that happens to put jquery on a similar path, not because they coded it specifically for Airflow). I'm not providing any information about a working exploit against Airflow. I'm not even sure one exists, because I didn't sit down and research how you used jquery to see if you're using the functionality that has issues.
Thanks! I saw that the Astronomer team will test it once they get the .lock file. Thanks for that :)
See this comment on the PR I opened for past attempts to fix this:
Currently you're requiring jquery 3.4.0 or newer; 3.5.0 has a vulnerability against it.
CVE-2020-11022
Change is needed to these two lines:
https://github.com/apache/airflow/blob/master/airflow/www/package.json#L70
https://github.com/apache/airflow/blob/master/airflow/www/package.json#L48