nifi-framework-core-1.4.0-SNAPSHOT.jar: 15 vulnerabilities (highest severity is: 9.8) #73
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
dev-mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
dev-mend-for-github-com
bot
changed the title
dev-mend-for-github-com
bot
changed the title
|
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory. |
dev-mend-for-github-com
bot
changed the title
|
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory. |
dev-mend-for-github-com
bot
changed the title
dev-mend-for-github-com
bot
changed the title
dev-mend-for-github-com
bot
changed the title
dev-mend-for-github-com
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
Found in HEAD commit: d672f5c3ea38dd0e23359cf12d310c2c27abf963
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - log4j-1.2.16.jar
Apache Log4j 1.2
Library home page: http://logging.apache.org/log4j/1.2/
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: d672f5c3ea38dd0e23359cf12d310c2c27abf963
Found in base branch: master
Vulnerability Details
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
Publish Date: 2021-06-16
URL: CVE-2020-9493
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1
Release Date: 2021-06-16
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
Vulnerable Library - log4j-1.2.16.jar
Apache Log4j 1.2
Library home page: http://logging.apache.org/log4j/1.2/
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: d672f5c3ea38dd0e23359cf12d310c2c27abf963
Found in base branch: master
Vulnerability Details
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Publish Date: 2019-12-20
URL: CVE-2019-17571
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: test
Release Date: 2019-12-20
Fix Resolution: test
Vulnerable Library - log4j-1.2.16.jar
Apache Log4j 1.2
Library home page: http://logging.apache.org/log4j/1.2/
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: d672f5c3ea38dd0e23359cf12d310c2c27abf963
Found in base branch: master
Vulnerability Details
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23305
CVSS 3 Score Details (9.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2
Vulnerable Library - netty-3.7.0.Final.jar
The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
Dependency Hierarchy:
Found in HEAD commit: d672f5c3ea38dd0e23359cf12d310c2c27abf963
Found in base branch: master
Vulnerability Details
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
Publish Date: 2020-01-29
URL: CVE-2019-20444
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444
Release Date: 2020-01-29
Fix Resolution: io.netty:netty-all:4.1.44.Final
Vulnerable Library - log4j-1.2.16.jar
Apache Log4j 1.2
Library home page: http://logging.apache.org/log4j/1.2/
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: d672f5c3ea38dd0e23359cf12d310c2c27abf963
Found in base branch: master
Vulnerability Details
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Publish Date: 2022-01-18
URL: CVE-2022-23307
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
Vulnerable Library - log4j-1.2.16.jar
Apache Log4j 1.2
Library home page: http://logging.apache.org/log4j/1.2/
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: d672f5c3ea38dd0e23359cf12d310c2c27abf963
Found in base branch: master
Vulnerability Details
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23302
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
Vulnerable Library - log4j-1.2.16.jar
Apache Log4j 1.2
Library home page: http://logging.apache.org/log4j/1.2/
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: d672f5c3ea38dd0e23359cf12d310c2c27abf963
Found in base branch: master
Vulnerability Details
** UNSUPPORTED WHEN ASSIGNED **
When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested)
hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.
This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-10
URL: CVE-2023-26464
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-vp98-w2p3-mv35
Release Date: 2023-03-10
Fix Resolution: org.apache.logging.log4j:log4j-core:2.0
Vulnerable Library - netty-3.7.0.Final.jar
The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
Dependency Hierarchy:
Found in HEAD commit: d672f5c3ea38dd0e23359cf12d310c2c27abf963
Found in base branch: master
Vulnerability Details
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Publish Date: 2017-10-18
URL: CVE-2015-2156
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2156
Release Date: 2017-10-18
Fix Resolution: io.netty:netty:3.9.8.Final,io.netty:netty:3.10.3.Final,io.netty:netty-all:4.0.28.Final,io.netty:netty-codec-http:4.0.28.Final,io.netty:netty-codec-http:4.1.0.Beta5
Vulnerable Library - netty-3.7.0.Final.jar
The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
Dependency Hierarchy:
Found in HEAD commit: d672f5c3ea38dd0e23359cf12d310c2c27abf963
Found in base branch: master
Vulnerability Details
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.
Publish Date: 2014-07-31
URL: CVE-2014-3488
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3488
Release Date: 2014-07-31
Fix Resolution: 3.9.2.Final
Vulnerable Library - spring-expression-5.2.18.RELEASE.jar
Spring Expression Language (SpEL)
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: d672f5c3ea38dd0e23359cf12d310c2c27abf963
Found in base branch: master
Vulnerability Details
In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Publish Date: 2023-04-13
URL: CVE-2023-20863
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2023-20863
Release Date: 2023-04-13
Fix Resolution: org.springframework:spring-expression - 5.2.24.RELEASE,5.3.27,6.0.8
Vulnerable Library - spring-expression-5.2.18.RELEASE.jar
Spring Expression Language (SpEL)
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: d672f5c3ea38dd0e23359cf12d310c2c27abf963
Found in base branch: master
Vulnerability Details
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Publish Date: 2023-03-23
URL: CVE-2023-20861
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2023-20861
Release Date: 2023-03-23
Fix Resolution: org.springframework:spring-expression:x5.2.23.RELEASE,5.3.26,6.0.7
Vulnerable Library - spring-expression-5.2.18.RELEASE.jar
Spring Expression Language (SpEL)
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.18.RELEASE/spring-expression-5.2.18.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: d672f5c3ea38dd0e23359cf12d310c2c27abf963
Found in base branch: master
Vulnerability Details
n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
Publish Date: 2022-04-01
URL: CVE-2022-22950
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2022-22950
Release Date: 2022-04-01
Fix Resolution: org.springframework:spring-expression:5.2.20,5.3.17
Vulnerable Library - guava-18.0.jar
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Library home page: http://code.google.com/p/guava-libraries
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar,/home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar,/home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar,/home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar,/home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar,/home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar,/home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar
Dependency Hierarchy:
Found in HEAD commit: d672f5c3ea38dd0e23359cf12d310c2c27abf963
Found in base branch: master
Vulnerability Details
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
Publish Date: 2018-04-26
URL: CVE-2018-10237
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237
Release Date: 2018-04-26
Fix Resolution: 24.1.1-jre, 24.1.1-android
Vulnerable Library - netty-3.7.0.Final.jar
The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
Dependency Hierarchy:
Found in HEAD commit: d672f5c3ea38dd0e23359cf12d310c2c27abf963
Found in base branch: master
Vulnerability Details
WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a TextWebSocketFrame followed by a long stream of ContinuationWebSocketFrames.
Publish Date: 2014-05-06
URL: CVE-2014-0193
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0193
Release Date: 2014-05-06
Fix Resolution: io.netty:netty-all:4.0.19.Final,io.netty:netty-codec-http:4.0.19.Final,io.netty:netty:3.6.9.Final,io.netty:netty:3.7.1.Final,io.netty:netty:3.8.2.Final,io.netty:netty:3.9.1.Final
Vulnerable Library - log4j-1.2.16.jar
Apache Log4j 1.2
Library home page: http://logging.apache.org/log4j/1.2/
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: d672f5c3ea38dd0e23359cf12d310c2c27abf963
Found in base branch: master
Vulnerability Details
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
Publish Date: 2020-04-27
URL: CVE-2020-9488
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2020-04-27
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3
The text was updated successfully, but these errors were encountered: