Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nifi-jetty-1.4.0-SNAPSHOT.jar: 28 vulnerabilities (highest severity is: 9.8) #73

Open
mend-for-github-com bot opened this issue Jan 15, 2024 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@mend-for-github-com
Copy link

mend-for-github-com bot commented Jan 15, 2024

Vulnerable Library - nifi-jetty-1.4.0-SNAPSHOT.jar

Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar

Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (nifi-jetty version) Remediation Possible**
CVE-2022-23305 Critical 9.8 log4j-1.2.16.jar Transitive N/A*
CVE-2020-9493 Critical 9.8 log4j-1.2.16.jar Transitive N/A*
CVE-2019-17571 Critical 9.8 log4j-1.2.16.jar Transitive N/A*
CVE-2019-20444 Critical 9.1 netty-3.7.0.Final.jar Transitive N/A*
CVE-2022-23307 High 8.8 log4j-1.2.16.jar Transitive N/A*
CVE-2022-23302 High 8.8 log4j-1.2.16.jar Transitive N/A*
WS-2022-0468 High 7.5 jackson-core-2.6.1.jar Transitive N/A*
CVE-2023-26464 High 7.5 log4j-1.2.16.jar Transitive N/A*
CVE-2023-1370 High 7.5 json-smart-2.1.1.jar Transitive N/A*
CVE-2021-4104 High 7.5 log4j-1.2.16.jar Transitive N/A*
CVE-2015-2156 High 7.5 netty-3.7.0.Final.jar Transitive N/A*
CVE-2023-6481 High 7.1 logback-core-1.2.3.jar Transitive N/A*
CVE-2024-12798 Medium 6.6 logback-core-1.2.3.jar Transitive N/A*
CVE-2021-42550 Medium 6.6 logback-core-1.2.3.jar Transitive N/A*
CVE-2023-20863 Medium 6.5 spring-expression-4.2.4.RELEASE.jar Transitive N/A*
CVE-2023-20861 Medium 6.5 spring-expression-4.2.4.RELEASE.jar Transitive N/A*
CVE-2022-22950 Medium 6.5 spring-expression-4.2.4.RELEASE.jar Transitive N/A*
CVE-2021-27568 Medium 5.9 json-smart-2.1.1.jar Transitive N/A*
CVE-2018-10237 Medium 5.9 guava-18.0.jar Transitive N/A*
CVE-2023-2976 Medium 5.5 guava-18.0.jar Transitive N/A*
WS-2018-0125 Medium 5.3 jackson-core-2.6.1.jar Transitive N/A*
WS-2018-0124 Medium 5.3 jackson-core-2.6.1.jar Transitive N/A*
CVE-2014-0193 Medium 5.3 netty-3.7.0.Final.jar Transitive N/A*
CVE-2024-12801 Medium 4.4 logback-core-1.2.3.jar Transitive N/A*
CVE-2020-15250 Medium 4.4 junit-4.12.jar Transitive N/A*
CVE-2024-38808 Medium 4.3 spring-expression-4.2.4.RELEASE.jar Transitive N/A*
CVE-2020-9488 Low 3.7 log4j-1.2.16.jar Transitive N/A*
CVE-2020-8908 Low 3.3 guava-18.0.jar Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (16 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-23305

Vulnerable Library - log4j-1.2.16.jar

Apache Log4j 1.2

Library home page: http://www.apache.org

Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar

Dependency Hierarchy:

  • nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library)
    • nifi-web-security-1.4.0-SNAPSHOT.jar
      • nifi-framework-core-1.4.0-SNAPSHOT.jar
        • zookeeper-3.4.6.jar
          • slf4j-log4j12-1.7.25.jar
            • log4j-1.2.16.jar (Vulnerable Library)

Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39

Found in base branch: master

Vulnerability Details

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23305

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2

CVE-2020-9493

Vulnerable Library - log4j-1.2.16.jar

Apache Log4j 1.2

Library home page: http://www.apache.org

Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar

Dependency Hierarchy:

  • nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library)
    • nifi-web-security-1.4.0-SNAPSHOT.jar
      • nifi-framework-core-1.4.0-SNAPSHOT.jar
        • zookeeper-3.4.6.jar
          • slf4j-log4j12-1.7.25.jar
            • log4j-1.2.16.jar (Vulnerable Library)

Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39

Found in base branch: master

Vulnerability Details

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

Publish Date: 2021-06-16

URL: CVE-2020-9493

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1

Release Date: 2021-06-16

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

CVE-2019-17571

Vulnerable Library - log4j-1.2.16.jar

Apache Log4j 1.2

Library home page: http://www.apache.org

Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar

Dependency Hierarchy:

  • nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library)
    • nifi-web-security-1.4.0-SNAPSHOT.jar
      • nifi-framework-core-1.4.0-SNAPSHOT.jar
        • zookeeper-3.4.6.jar
          • slf4j-log4j12-1.7.25.jar
            • log4j-1.2.16.jar (Vulnerable Library)

Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39

Found in base branch: master

Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Publish Date: 2019-12-20

URL: CVE-2019-17571

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E

Release Date: 2019-12-20

Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16

CVE-2019-20444

Vulnerable Library - netty-3.7.0.Final.jar

The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar

Dependency Hierarchy:

  • nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library)
    • nifi-web-security-1.4.0-SNAPSHOT.jar
      • nifi-framework-core-1.4.0-SNAPSHOT.jar
        • zookeeper-3.4.6.jar
          • netty-3.7.0.Final.jar (Vulnerable Library)

Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39

Found in base branch: master

Vulnerability Details

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."

Publish Date: 2020-01-29

URL: CVE-2019-20444

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444

Release Date: 2020-01-29

Fix Resolution: io.netty:netty-all:4.1.44.Final

CVE-2022-23307

Vulnerable Library - log4j-1.2.16.jar

Apache Log4j 1.2

Library home page: http://www.apache.org

Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar

Dependency Hierarchy:

  • nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library)
    • nifi-web-security-1.4.0-SNAPSHOT.jar
      • nifi-framework-core-1.4.0-SNAPSHOT.jar
        • zookeeper-3.4.6.jar
          • slf4j-log4j12-1.7.25.jar
            • log4j-1.2.16.jar (Vulnerable Library)

Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39

Found in base branch: master

Vulnerability Details

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Publish Date: 2022-01-18

URL: CVE-2022-23307

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

CVE-2022-23302

Vulnerable Library - log4j-1.2.16.jar

Apache Log4j 1.2

Library home page: http://www.apache.org

Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar

Dependency Hierarchy:

  • nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library)
    • nifi-web-security-1.4.0-SNAPSHOT.jar
      • nifi-framework-core-1.4.0-SNAPSHOT.jar
        • zookeeper-3.4.6.jar
          • slf4j-log4j12-1.7.25.jar
            • log4j-1.2.16.jar (Vulnerable Library)

Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39

Found in base branch: master

Vulnerability Details

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23302

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

WS-2022-0468

Vulnerable Library - jackson-core-2.6.1.jar

Core Jackson abstractions, basic JSON streaming API implementation

Library home page: http://fasterxml.com/

Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-authorizer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.1/jackson-core-2.6.1.jar

Dependency Hierarchy:

  • nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library)
    • nifi-web-security-1.4.0-SNAPSHOT.jar
      • nifi-administration-1.4.0-SNAPSHOT.jar
        • nifi-framework-core-api-1.4.0-SNAPSHOT.jar
          • nifi-framework-authorization-1.4.0-SNAPSHOT.jar
            • nifi-expression-language-1.4.0-SNAPSHOT.jar
              • jackson-databind-2.6.1.jar
                • jackson-core-2.6.1.jar (Vulnerable Library)

Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39

Found in base branch: master

Vulnerability Details

The jackson-core package is vulnerable to a Denial of Service (DoS) attack. The methods in the classes listed below fail to restrict input size when performing numeric type conversions. A remote attacker can exploit this vulnerability by causing the application to deserialize data containing certain numeric types with large values. Deserializing many of the aforementioned objects may cause the application to exhaust all available resources, resulting in a DoS condition.

Publish Date: 2022-12-07

URL: WS-2022-0468

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-12-07

Fix Resolution: com.fasterxml.jackson.core:jackson-core:2.15.0

CVE-2023-26464

Vulnerable Library - log4j-1.2.16.jar

Apache Log4j 1.2

Library home page: http://www.apache.org

Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar

Dependency Hierarchy:

  • nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library)
    • nifi-web-security-1.4.0-SNAPSHOT.jar
      • nifi-framework-core-1.4.0-SNAPSHOT.jar
        • zookeeper-3.4.6.jar
          • slf4j-log4j12-1.7.25.jar
            • log4j-1.2.16.jar (Vulnerable Library)

Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39

Found in base branch: master

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED **

When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested)
hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.

This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-10

URL: CVE-2023-26464

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vp98-w2p3-mv35

Release Date: 2023-03-10

Fix Resolution: org.apache.logging.log4j:log4j-core:2.0

CVE-2023-1370

Vulnerable Library - json-smart-2.1.1.jar

JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

Library home page: http://www.minidev.net/

Path to dependency file: /nifi-bootstrap/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar

Dependency Hierarchy:

  • nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library)
    • nifi-web-security-1.4.0-SNAPSHOT.jar
      • nifi-administration-1.4.0-SNAPSHOT.jar
        • nifi-framework-core-api-1.4.0-SNAPSHOT.jar
          • nifi-framework-authorization-1.4.0-SNAPSHOT.jar
            • nifi-expression-language-1.4.0-SNAPSHOT.jar
              • json-path-2.0.0.jar
                • json-smart-2.1.1.jar (Vulnerable Library)

Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39

Found in base branch: master

Vulnerability Details

Json-smart is a performance focused, JSON processor lib.

When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.

It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.

Publish Date: 2023-03-13

URL: CVE-2023-1370

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/

Release Date: 2023-03-13

Fix Resolution: net.minidev:json-smart:2.4.9

CVE-2021-4104

Vulnerable Library - log4j-1.2.16.jar

Apache Log4j 1.2

Library home page: http://www.apache.org

Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar

Dependency Hierarchy:

  • nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library)
    • nifi-web-security-1.4.0-SNAPSHOT.jar
      • nifi-framework-core-1.4.0-SNAPSHOT.jar
        • zookeeper-3.4.6.jar
          • slf4j-log4j12-1.7.25.jar
            • log4j-1.2.16.jar (Vulnerable Library)

Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39

Found in base branch: master

Vulnerability Details

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2021-12-14

URL: CVE-2021-4104

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Release Date: 2021-12-14

Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module

CVE-2015-2156

Vulnerable Library - netty-3.7.0.Final.jar

The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

Library home page: http://netty.io/

Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar

Dependency Hierarchy:

  • nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library)
    • nifi-web-security-1.4.0-SNAPSHOT.jar
      • nifi-framework-core-1.4.0-SNAPSHOT.jar
        • zookeeper-3.4.6.jar
          • netty-3.7.0.Final.jar (Vulnerable Library)

Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39

Found in base branch: master

Vulnerability Details

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Publish Date: 2017-10-18

URL: CVE-2015-2156

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2156

Release Date: 2017-10-18

Fix Resolution: io.netty:netty:3.9.8.Final,io.netty:netty:3.10.3.Final,io.netty:netty-all:4.0.28.Final,io.netty:netty-codec-http:4.0.28.Final,io.netty:netty-codec-http:4.1.0.Beta5

CVE-2023-6481

Vulnerable Library - logback-core-1.2.3.jar

logback-core module

Library home page: http://www.qos.ch

Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar

Dependency Hierarchy:

  • nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library)
    • nifi-web-security-1.4.0-SNAPSHOT.jar
      • nifi-framework-core-1.4.0-SNAPSHOT.jar
        • nifi-properties-loader-1.4.0-SNAPSHOT.jar
          • logback-classic-1.2.3.jar
            • logback-core-1.2.3.jar (Vulnerable Library)

Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39

Found in base branch: master

Vulnerability Details

A serialization vulnerability in logback receiver component part of
logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.

Publish Date: 2023-12-04

URL: CVE-2023-6481

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-6481

Release Date: 2023-12-04

Fix Resolution: ch.qos.logback:logback-core:1.2.13,1.3.14,1.4.14

CVE-2024-12798

Vulnerable Library - logback-core-1.2.3.jar

logback-core module

Library home page: http://www.qos.ch

Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar

Dependency Hierarchy:

  • nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library)
    • nifi-web-security-1.4.0-SNAPSHOT.jar
      • nifi-framework-core-1.4.0-SNAPSHOT.jar
        • nifi-properties-loader-1.4.0-SNAPSHOT.jar
          • logback-classic-1.2.3.jar
            • logback-core-1.2.3.jar (Vulnerable Library)

Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39

Found in base branch: master

Vulnerability Details

ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core
upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows
attacker to execute arbitrary code by compromising an existing
logback configuration file or by injecting an environment variable
before program execution.
Malicious logback configuration files can allow the attacker to execute
arbitrary code using the JaninoEventEvaluator extension.
A successful attack requires the user to have write access to a
configuration file. Alternatively, the attacker could inject a malicious
environment variable pointing to a malicious configuration file. In both
cases, the attack requires existing privilege.

Publish Date: 2024-12-19

URL: CVE-2024-12798

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-pr98-23f8-jwxv

Release Date: 2024-12-19

Fix Resolution: ch.qos.logback:logback-core:1.5.13, ch.qos.logback:logback-classic:1.5.13

CVE-2021-42550

Vulnerable Library - logback-core-1.2.3.jar

logback-core module

Library home page: http://www.qos.ch

Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar

Dependency Hierarchy:

  • nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library)
    • nifi-web-security-1.4.0-SNAPSHOT.jar
      • nifi-framework-core-1.4.0-SNAPSHOT.jar
        • nifi-properties-loader-1.4.0-SNAPSHOT.jar
          • logback-classic-1.2.3.jar
            • logback-core-1.2.3.jar (Vulnerable Library)

Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39

Found in base branch: master

Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
Mend Note: Converted from WS-2021-0491, on 2022-11-07.

Publish Date: 2021-12-16

URL: CVE-2021-42550

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=VE-2021-42550

Release Date: 2021-12-16

Fix Resolution: ch.qos.logback:logback-classic:1.2.9;ch.qos.logback:logback-core:1.2.9

CVE-2023-20863

Vulnerable Library - spring-expression-4.2.4.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar

Dependency Hierarchy:

  • nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library)
    • nifi-web-security-1.4.0-SNAPSHOT.jar
      • nifi-administration-1.4.0-SNAPSHOT.jar
        • spring-context-4.2.4.RELEASE.jar
          • spring-expression-4.2.4.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39

Found in base branch: master

Vulnerability Details

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-04-13

URL: CVE-2023-20863

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20863

Release Date: 2023-04-13

Fix Resolution: org.springframework:spring-expression - 5.2.24.RELEASE,5.3.27,6.0.8

CVE-2023-20861

Vulnerable Library - spring-expression-4.2.4.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar

Dependency Hierarchy:

  • nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library)
    • nifi-web-security-1.4.0-SNAPSHOT.jar
      • nifi-administration-1.4.0-SNAPSHOT.jar
        • spring-context-4.2.4.RELEASE.jar
          • spring-expression-4.2.4.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39

Found in base branch: master

Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-03-23

URL: CVE-2023-20861

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20861

Release Date: 2023-03-23

Fix Resolution: org.springframework:spring-expression:x5.2.23.RELEASE,5.3.26,6.0.7

@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Jan 15, 2024
@mend-for-github-com mend-for-github-com bot changed the title nifi-jetty-1.4.0-SNAPSHOT.jar: 25 vulnerabilities (highest severity is: 9.8) nifi-jetty-1.4.0-SNAPSHOT.jar: 24 vulnerabilities (highest severity is: 9.8) Apr 14, 2024
@mend-for-github-com mend-for-github-com bot changed the title nifi-jetty-1.4.0-SNAPSHOT.jar: 24 vulnerabilities (highest severity is: 9.8) nifi-jetty-1.4.0-SNAPSHOT.jar: 25 vulnerabilities (highest severity is: 9.8) Aug 16, 2024
@mend-for-github-com mend-for-github-com bot changed the title nifi-jetty-1.4.0-SNAPSHOT.jar: 25 vulnerabilities (highest severity is: 9.8) nifi-jetty-1.4.0-SNAPSHOT.jar: 27 vulnerabilities (highest severity is: 9.8) Dec 22, 2024
@mend-for-github-com mend-for-github-com bot changed the title nifi-jetty-1.4.0-SNAPSHOT.jar: 27 vulnerabilities (highest severity is: 9.8) nifi-jetty-1.4.0-SNAPSHOT.jar: 28 vulnerabilities (highest severity is: 9.8) Dec 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Development

No branches or pull requests

0 participants