You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (16 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
The Netty project is an effort to provide an asynchronous event-driven
network application framework and tools for rapid development of
maintainable high performance and high scalability protocol servers and
clients. In other words, Netty is a NIO client server framework which
enables quick and easy development of network applications such as protocol
servers and clients. It greatly simplifies and streamlines network
programming such as TCP and UDP socket server.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-authorizer/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar
The jackson-core package is vulnerable to a Denial of Service (DoS) attack. The methods in the classes listed below fail to restrict input size when performing numeric type conversions. A remote attacker can exploit this vulnerability by causing the application to deserialize data containing certain numeric types with large values. Deserializing many of the aforementioned objects may cause the application to exhaust all available resources, resulting in a DoS condition.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested)
hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.
This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
JSON (JavaScript Object Notation) is a lightweight data-interchange format.
It is easy for humans to read and write. It is easy for machines to parse and generate.
It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition
- December 1999. JSON is a text format that is completely language independent but uses
conventions that are familiar to programmers of the C-family of languages, including C, C++, C#,
Java, JavaScript, Perl, Python, and many others.
These properties make JSON an ideal data-interchange language.
Path to vulnerable library: /home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar
Json-smart is a performance focused, JSON processor lib.
When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.
It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
The Netty project is an effort to provide an asynchronous event-driven
network application framework and tools for rapid development of
maintainable high performance and high scalability protocol servers and
clients. In other words, Netty is a NIO client server framework which
enables quick and easy development of network applications such as protocol
servers and clients. It greatly simplifies and streamlines network
programming such as TCP and UDP socket server.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar
A serialization vulnerability in logback receiver component part of
logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar
ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core
upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows
attacker to execute arbitrary code by compromising an existing
logback configuration file or by injecting an environment variable
before program execution.
Malicious logback configuration files can allow the attacker to execute
arbitrary code using the JaninoEventEvaluator extension.
A successful attack requires the user to have write access to a
configuration file. Alternatively, the attacker could inject a malicious
environment variable pointing to a malicious configuration file. In both
cases, the attack requires existing privilege.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
Mend Note: Converted from WS-2021-0491, on 2022-11-07.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar
In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
mend-for-github-combot
changed the title
nifi-jetty-1.4.0-SNAPSHOT.jar: 25 vulnerabilities (highest severity is: 9.8)
nifi-jetty-1.4.0-SNAPSHOT.jar: 24 vulnerabilities (highest severity is: 9.8)
Apr 14, 2024
mend-for-github-combot
changed the title
nifi-jetty-1.4.0-SNAPSHOT.jar: 24 vulnerabilities (highest severity is: 9.8)
nifi-jetty-1.4.0-SNAPSHOT.jar: 25 vulnerabilities (highest severity is: 9.8)
Aug 16, 2024
mend-for-github-combot
changed the title
nifi-jetty-1.4.0-SNAPSHOT.jar: 25 vulnerabilities (highest severity is: 9.8)
nifi-jetty-1.4.0-SNAPSHOT.jar: 27 vulnerabilities (highest severity is: 9.8)
Dec 22, 2024
mend-for-github-combot
changed the title
nifi-jetty-1.4.0-SNAPSHOT.jar: 27 vulnerabilities (highest severity is: 9.8)
nifi-jetty-1.4.0-SNAPSHOT.jar: 28 vulnerabilities (highest severity is: 9.8)
Dec 24, 2024
Vulnerable Library - nifi-jetty-1.4.0-SNAPSHOT.jar
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-23305
Vulnerable Library - log4j-1.2.16.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
Vulnerability Details
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23305
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2
CVE-2020-9493
Vulnerable Library - log4j-1.2.16.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
Vulnerability Details
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
Publish Date: 2021-06-16
URL: CVE-2020-9493
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1
Release Date: 2021-06-16
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
CVE-2019-17571
Vulnerable Library - log4j-1.2.16.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
Vulnerability Details
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Publish Date: 2019-12-20
URL: CVE-2019-17571
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E
Release Date: 2019-12-20
Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16
CVE-2019-20444
Vulnerable Library - netty-3.7.0.Final.jar
The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
Vulnerability Details
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
Publish Date: 2020-01-29
URL: CVE-2019-20444
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444
Release Date: 2020-01-29
Fix Resolution: io.netty:netty-all:4.1.44.Final
CVE-2022-23307
Vulnerable Library - log4j-1.2.16.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
Vulnerability Details
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Publish Date: 2022-01-18
URL: CVE-2022-23307
CVSS 3 Score Details (8.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
CVE-2022-23302
Vulnerable Library - log4j-1.2.16.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
Vulnerability Details
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23302
CVSS 3 Score Details (8.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
WS-2022-0468
Vulnerable Library - jackson-core-2.6.1.jar
Core Jackson abstractions, basic JSON streaming API implementation
Library home page: http://fasterxml.com/
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-authorizer/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar
Dependency Hierarchy:
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
Vulnerability Details
The jackson-core package is vulnerable to a Denial of Service (DoS) attack. The methods in the classes listed below fail to restrict input size when performing numeric type conversions. A remote attacker can exploit this vulnerability by causing the application to deserialize data containing certain numeric types with large values. Deserializing many of the aforementioned objects may cause the application to exhaust all available resources, resulting in a DoS condition.
Publish Date: 2022-12-07
URL: WS-2022-0468
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-12-07
Fix Resolution: com.fasterxml.jackson.core:jackson-core:2.15.0
CVE-2023-26464
Vulnerable Library - log4j-1.2.16.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
Vulnerability Details
** UNSUPPORTED WHEN ASSIGNED **
When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested)
hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.
This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-10
URL: CVE-2023-26464
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-vp98-w2p3-mv35
Release Date: 2023-03-10
Fix Resolution: org.apache.logging.log4j:log4j-core:2.0
CVE-2023-1370
Vulnerable Library - json-smart-2.1.1.jar
JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.
Library home page: http://www.minidev.net/
Path to dependency file: /nifi-bootstrap/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar
Dependency Hierarchy:
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
Vulnerability Details
Json-smart is a performance focused, JSON processor lib.
When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.
It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
Publish Date: 2023-03-13
URL: CVE-2023-1370
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
Release Date: 2023-03-13
Fix Resolution: net.minidev:json-smart:2.4.9
CVE-2021-4104
Vulnerable Library - log4j-1.2.16.jar
Apache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
Vulnerability Details
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2021-12-14
URL: CVE-2021-4104
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104
Release Date: 2021-12-14
Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module
CVE-2015-2156
Vulnerable Library - netty-3.7.0.Final.jar
The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
Vulnerability Details
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Publish Date: 2017-10-18
URL: CVE-2015-2156
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2156
Release Date: 2017-10-18
Fix Resolution: io.netty:netty:3.9.8.Final,io.netty:netty:3.10.3.Final,io.netty:netty-all:4.0.28.Final,io.netty:netty-codec-http:4.0.28.Final,io.netty:netty-codec-http:4.1.0.Beta5
CVE-2023-6481
Vulnerable Library - logback-core-1.2.3.jar
logback-core module
Library home page: http://www.qos.ch
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar
Dependency Hierarchy:
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
Vulnerability Details
A serialization vulnerability in logback receiver component part of
logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
Publish Date: 2023-12-04
URL: CVE-2023-6481
CVSS 3 Score Details (7.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-6481
Release Date: 2023-12-04
Fix Resolution: ch.qos.logback:logback-core:1.2.13,1.3.14,1.4.14
CVE-2024-12798
Vulnerable Library - logback-core-1.2.3.jar
logback-core module
Library home page: http://www.qos.ch
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar
Dependency Hierarchy:
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
Vulnerability Details
ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core
upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows
attacker to execute arbitrary code by compromising an existing
logback configuration file or by injecting an environment variable
before program execution.
Malicious logback configuration files can allow the attacker to execute
arbitrary code using the JaninoEventEvaluator extension.
A successful attack requires the user to have write access to a
configuration file. Alternatively, the attacker could inject a malicious
environment variable pointing to a malicious configuration file. In both
cases, the attack requires existing privilege.
Publish Date: 2024-12-19
URL: CVE-2024-12798
CVSS 3 Score Details (6.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-pr98-23f8-jwxv
Release Date: 2024-12-19
Fix Resolution: ch.qos.logback:logback-core:1.5.13, ch.qos.logback:logback-classic:1.5.13
CVE-2021-42550
Vulnerable Library - logback-core-1.2.3.jar
logback-core module
Library home page: http://www.qos.ch
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar
Dependency Hierarchy:
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
Vulnerability Details
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
Mend Note: Converted from WS-2021-0491, on 2022-11-07.
Publish Date: 2021-12-16
URL: CVE-2021-42550
CVSS 3 Score Details (6.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=VE-2021-42550
Release Date: 2021-12-16
Fix Resolution: ch.qos.logback:logback-classic:1.2.9;ch.qos.logback:logback-core:1.2.9
CVE-2023-20863
Vulnerable Library - spring-expression-4.2.4.RELEASE.jar
Spring Expression Language (SpEL)
Library home page: http://projects.spring.io/spring-framework
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
Vulnerability Details
In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Publish Date: 2023-04-13
URL: CVE-2023-20863
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2023-20863
Release Date: 2023-04-13
Fix Resolution: org.springframework:spring-expression - 5.2.24.RELEASE,5.3.27,6.0.8
CVE-2023-20861
Vulnerable Library - spring-expression-4.2.4.RELEASE.jar
Spring Expression Language (SpEL)
Library home page: http://projects.spring.io/spring-framework
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
Vulnerability Details
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Publish Date: 2023-03-23
URL: CVE-2023-20861
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2023-20861
Release Date: 2023-03-23
Fix Resolution: org.springframework:spring-expression:x5.2.23.RELEASE,5.3.26,6.0.7
The text was updated successfully, but these errors were encountered: