
Fix for security vulnerability in swagger-ui #24153

Open
wants to merge 1 commit into
base: master
Conversation


@sumi-mathew sumi-mathew commented Nov 26, 2024

Description

This PR addresses the security vulnerability CVE-2018-25031 in the swagger-ui WebJar, which is included as a transitive dependency in our project via presto-pinot-driver.

Motivation and Context

By excluding the vulnerable version of swagger-ui, we ensure that our application is not susceptible to the XSS vulnerability associated with CVE-2018-25031.

Impact

Test Plan

Contributor checklist

  • Please make sure your submission complies with our development, formatting, commit message, and attribution guidelines.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes
* Fix security vulnerability in swagger-ui jar in response to `CVE-2018-25031 <https://nvd.nist.gov/vuln/detail/CVE-2018-25031>`_. :pr:`24153`
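The description above says the fix is to exclude the vulnerable swagger-ui WebJar that presto-pinot-driver pulls in transitively. The check a reviewer would want alongside such a change is that no copy of the artifact below the fixed version survives in the resolved tree, and that the exclusion sits on the direct dependency that actually brings it in. The following script is an added example, not code from this PR or from the Presto project: it parses `mvn dependency:tree` output, reports every `org.webjars:swagger-ui` occurrence older than the fix version, and emits the Maven `<exclusion>` block for the direct dependency on that path. Assumptions: the WebJar coordinate is `org.webjars:swagger-ui`, the fix version for CVE-2018-25031 is taken as 4.1.3 (per the NVD entry linked above), and the sample tree, including the Pinot artifact names and all version numbers, is constructed for the example rather than taken from the PR.

```python
"""Check `mvn dependency:tree` output for a vulnerable transitive artifact
and emit the Maven <exclusion> that removes it.

Added example for the swagger-ui / CVE-2018-25031 exclusion discussed in
this PR; it is not code from the PR or from the Presto project.
"""
import re
from typing import List, Optional, Tuple

# Maven scopes that may trail a coordinate in dependency:tree output.
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# One tree line: an optional drawing prefix ("+- ", "|  \- ", "   +- " ...)
# in 3-character units, then group:artifact:type[:classifier]:version[:scope].
_TREE_LINE = re.compile(r"^((?:[|\s]{3})*(?:[+\\]- )?)(\S+:\S+)$")

# Constructed sample output. Only org.webjars:swagger-ui is a real coordinate
# (assumed to be the WebJar this PR excludes); the Pinot artifact names and
# every version number are made up for the example.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ presto-pinot-driver ---
[INFO] com.facebook.presto:presto-pinot-driver:jar:0.290-SNAPSHOT
[INFO] +- org.apache.pinot:pinot-common:jar:0.12.0:compile
[INFO] |  +- org.webjars:swagger-ui:jar:3.23.11:compile
[INFO] |  \\- io.swagger:swagger-jaxrs:jar:1.6.9:compile
[INFO] \\- org.webjars:swagger-ui:jar:4.1.3:test
[INFO] BUILD SUCCESS
"""


def parse_dependency_tree(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (depth, group, artifact, version) for each artifact line."""
    nodes = []
    for line in text.splitlines():
        if not line.startswith("[INFO] "):
            continue
        m = _TREE_LINE.match(line[len("[INFO] "):])
        if not m:
            continue  # plugin banners, "BUILD SUCCESS", blank [INFO] lines
        prefix, gav = m.groups()
        parts = gav.split(":")
        if len(parts) < 4:
            continue
        if parts[-1] in SCOPES:
            parts = parts[:-1]  # version is the last field once scope is gone
        nodes.append((len(prefix) // 3, parts[0], parts[1], parts[-1]))
    return nodes


def find_artifact(text: str, group: str, artifact: str) -> List[Tuple[str, List[str]]]:
    """Every occurrence of group:artifact, with the root-to-leaf path of g:a:v."""
    stack: List[str] = []
    hits = []
    for depth, g, a, v in parse_dependency_tree(text):
        stack = stack[:depth]  # a line at depth d is a child of the last depth d-1 line
        stack.append(f"{g}:{a}:{v}")
        if g == group and a == artifact:
            hits.append((v, list(stack)))
    return hits


def version_tuple(version: str) -> Tuple[Tuple[int, ...], int]:
    """Comparable form: numeric components, with pre-releases (x.y.z-rc1,
    -SNAPSHOT) ordered before the matching final release."""
    release, _, _ = version.partition("-")
    nums = tuple(int(n) for n in re.findall(r"\d+", release))
    return nums, 0 if "-" in version else 1


def vulnerable_paths(text, group="org.webjars", artifact="swagger-ui", fixed_in="4.1.3"):
    """Occurrences older than fixed_in (4.1.3 assumed as the CVE-2018-25031 fix)."""
    return [(v, path) for v, path in find_artifact(text, group, artifact)
            if version_tuple(v) < version_tuple(fixed_in)]


def exclusion_snippet(path: List[str], group: str, artifact: str) -> Optional[str]:
    """Maven <dependency> block, with the <exclusion>, for the direct dependency
    (path[1]) that drags the artifact in. Returns None when the artifact is a
    direct dependency itself: then the fix is a version bump, not an exclusion."""
    if len(path) < 3:
        return None
    dep_group, dep_artifact, dep_version = path[1].split(":")
    return (
        "<dependency>\n"
        f"  <groupId>{dep_group}</groupId>\n"
        f"  <artifactId>{dep_artifact}</artifactId>\n"
        f"  <version>{dep_version}</version>\n"
        "  <exclusions>\n"
        "    <exclusion>\n"
        f"      <groupId>{group}</groupId>\n"
        f"      <artifactId>{artifact}</artifactId>\n"
        "    </exclusion>\n"
        "  </exclusions>\n"
        "</dependency>"
    )


if __name__ == "__main__":
    import sys
    tree = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    findings = vulnerable_paths(tree)
    for version, path in findings:
        print(f"vulnerable swagger-ui {version} via " + " -> ".join(path))
        snippet = exclusion_snippet(path, "org.webjars", "swagger-ui")
        print(snippet or "direct dependency: bump the version instead of excluding")
    sys.exit(1 if findings else 0)
```

Run it against real output by piping `mvn dependency:tree` into the script; it exits non-zero while any copy older than the fix version remains, which makes it usable as a CI gate after the exclusion lands. On the constructed sample it flags only the 3.23.11 copy under pinot-common and leaves the 4.1.3 test-scoped copy alone. In a build that pins versions through `dependencyManagement`, as Presto's root pom does, drop the `<version>` line from the emitted block.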

@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Nov 26, 2024
linux-foundation-easycla bot commented Nov 26, 2024

CLA Signed

The committers listed above are authorized under a signed CLA.

@prestodb-ci prestodb-ci requested review from a team, nishithakbhaskaran and jp-sivaprasad and removed request for a team November 26, 2024 11:16
@sumi-mathew sumi-mathew marked this pull request as ready for review November 26, 2024 13:37
@sumi-mathew sumi-mathew requested a review from a team as a code owner November 26, 2024 13:37
nishithakbhaskaran commented Nov 27, 2024

@sumi-mathew Please update the release note entry according to https://github.com/prestodb/presto/wiki/Release-Notes-Guidelines as below example.

  • Fix security vulnerability in swagger-ui jar in response to `CVE-2018-25031 <https://nvd.nist.gov/vuln/detail/CVE-2018-25031>`_. :pr:`24153`

@nishithakbhaskaran nishithakbhaskaran left a comment

Thanks Sumi. Looks good.
