You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@zookeeper.apache.org by "Ramya Rohidas (Jira)" <ji...@apache.org> on 2022/04/08 08:58:00 UTC
[jira] [Updated] (ZOOKEEPER-4513) ZK 3.6 jar vulnerabilities
[ https://issues.apache.org/jira/browse/ZOOKEEPER-4513?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ramya Rohidas updated ZOOKEEPER-4513:
-------------------------------------
Description:
Java (jar)
==========
Total: 7 (UNKNOWN: 1, LOW: 2, MEDIUM: 0, HIGH: 3, CRITICAL: 1)
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| com.fasterxml.jackson.core:jackson-databind | CVE-2020-36518 | HIGH | 2.10.5.1 | 2.12.6.1, 2.13.2.1 | jackson-databind: denial of service |
| | | | | | via a large depth of nested objects |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-36518 |
+---------------------------------------------+------------------+ +-------------------+--------------------------------+---------------------------------------+
| io.netty:netty-codec | CVE-2021-37136 | | 4.1.63.Final | 4.1.68.Final | netty-codec: Bzip2Decoder |
| | | | | | doesn't allow setting size |
| | | | | | restrictions for decompressed data |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-37136 |
+ +------------------+ + + +---------------------------------------+
| | CVE-2021-37137 | | | | netty-codec: SnappyFrameDecoder |
| | | | | | doesn't restrict chunk length and |
| | | | | | may buffer skippable chunks in... |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-37137 |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| log4j:log4j | CVE-2019-17571 | CRITICAL | 1.2.17 | 2.0-alpha1 | log4j: deserialization of |
| | | | | | untrusted data in SocketServer |
| | | | | | -->avd.aquasec.com/nvd/cve-2019-17571 |
+ +------------------+----------+ +--------------------------------+---------------------------------------+
| | CVE-2020-9488 | LOW | | 2.13.2 | log4j: improper validation |
| | | | | | of certificate with host |
| | | | | | mismatch in SMTP appender |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-9488 |
+ +------------------+----------+ +--------------------------------+---------------------------------------+
| | GMS-2021-5 | UNKNOWN | | 2.15.0-rc1 | Improper Neutralization |
| | | | | | of Special Elements in |
| | | | | | Output Used by a Downstream |
| | | | | | Component... |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| org.eclipse.jetty:jetty-server | CVE-2021-34428 | LOW | 9.4.39.v20210325 | 9.4.40.v20210413, 10.0.3, | jetty: SessionListener can |
| | | | | 11.0.3 | prevent a session from being |
| | | | | | invalidated breaking logout |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-34428 |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
was:Java (jar) ========== Total: 7 (UNKNOWN: 1, LOW: 2, MEDIUM: 0, HIGH: 3, CRITICAL: 1) +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+ | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+ | com.fasterxml.jackson.core:jackson-databind | CVE-2020-36518 | HIGH | 2.10.5.1 | 2.12.6.1, 2.13.2.1 | jackson-databind: denial of service | | | | | | | via a large depth of nested objects | | | | | | | -->avd.aquasec.com/nvd/cve-2020-36518 | +---------------------------------------------+------------------+ +-------------------+--------------------------------+---------------------------------------+ | io.netty:netty-codec | CVE-2021-37136 | | 4.1.63.Final | 4.1.68.Final | netty-codec: Bzip2Decoder | | | | | | | doesn't allow setting size | | | | | | | restrictions for decompressed data | | | | | | | -->avd.aquasec.com/nvd/cve-2021-37136 | + +------------------+ + + +---------------------------------------+ | | CVE-2021-37137 | | | | netty-codec: SnappyFrameDecoder | | | | | | | doesn't restrict chunk length and | | | | | | | may buffer skippable chunks in... | | | | | | | -->avd.aquasec.com/nvd/cve-2021-37137 | +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+ | log4j:log4j | CVE-2019-17571 | CRITICAL | 1.2.17 | 2.0-alpha1 | log4j: deserialization of | | | | | | | untrusted data in SocketServer | | | | | | | -->avd.aquasec.com/nvd/cve-2019-17571 | + +------------------+----------+ +--------------------------------+---------------------------------------+ | | CVE-2020-9488 | LOW | | 2.13.2 | log4j: improper validation | | | | | | | of certificate with host | | | | | | | mismatch in SMTP appender | | | | | | | -->avd.aquasec.com/nvd/cve-2020-9488 | + +------------------+----------+ +--------------------------------+---------------------------------------+ | | GMS-2021-5 | UNKNOWN | | 2.15.0-rc1 | Improper Neutralization | | | | | | | of Special Elements in | | | | | | | Output Used by a Downstream | | | | | | | Component... | +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+ | org.eclipse.jetty:jetty-server | CVE-2021-34428 | LOW | 9.4.39.v20210325 | 9.4.40.v20210413, 10.0.3, | jetty: SessionListener can | | | | | | 11.0.3 | prevent a session from being | | | | | | | invalidated breaking logout | | | | | | | -->avd.aquasec.com/nvd/cve-2021-34428 | +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
> ZK 3.6 jar vulnerabilities
> ---------------------------
>
> Key: ZOOKEEPER-4513
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4513
> Project: ZooKeeper
> Issue Type: Bug
> Reporter: Ramya Rohidas
> Priority: Major
>
> Java (jar)
> ==========
> Total: 7 (UNKNOWN: 1, LOW: 2, MEDIUM: 0, HIGH: 3, CRITICAL: 1)
> +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
> | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
> +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
> | com.fasterxml.jackson.core:jackson-databind | CVE-2020-36518 | HIGH | 2.10.5.1 | 2.12.6.1, 2.13.2.1 | jackson-databind: denial of service |
> | | | | | | via a large depth of nested objects |
> | | | | | | -->avd.aquasec.com/nvd/cve-2020-36518 |
> +---------------------------------------------+------------------+ +-------------------+--------------------------------+---------------------------------------+
> | io.netty:netty-codec | CVE-2021-37136 | | 4.1.63.Final | 4.1.68.Final | netty-codec: Bzip2Decoder |
> | | | | | | doesn't allow setting size |
> | | | | | | restrictions for decompressed data |
> | | | | | | -->avd.aquasec.com/nvd/cve-2021-37136 |
> + +------------------+ + + +---------------------------------------+
> | | CVE-2021-37137 | | | | netty-codec: SnappyFrameDecoder |
> | | | | | | doesn't restrict chunk length and |
> | | | | | | may buffer skippable chunks in... |
> | | | | | | -->avd.aquasec.com/nvd/cve-2021-37137 |
> +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
> | log4j:log4j | CVE-2019-17571 | CRITICAL | 1.2.17 | 2.0-alpha1 | log4j: deserialization of |
> | | | | | | untrusted data in SocketServer |
> | | | | | | -->avd.aquasec.com/nvd/cve-2019-17571 |
> + +------------------+----------+ +--------------------------------+---------------------------------------+
> | | CVE-2020-9488 | LOW | | 2.13.2 | log4j: improper validation |
> | | | | | | of certificate with host |
> | | | | | | mismatch in SMTP appender |
> | | | | | | -->avd.aquasec.com/nvd/cve-2020-9488 |
> + +------------------+----------+ +--------------------------------+---------------------------------------+
> | | GMS-2021-5 | UNKNOWN | | 2.15.0-rc1 | Improper Neutralization |
> | | | | | | of Special Elements in |
> | | | | | | Output Used by a Downstream |
> | | | | | | Component... |
> +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
> | org.eclipse.jetty:jetty-server | CVE-2021-34428 | LOW | 9.4.39.v20210325 | 9.4.40.v20210413, 10.0.3, | jetty: SessionListener can |
> | | | | | 11.0.3 | prevent a session from being |
> | | | | | | invalidated breaking logout |
> | | | | | | -->avd.aquasec.com/nvd/cve-2021-34428 |
> +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
--
This message was sent by Atlassian Jira
(v8.20.1#820001)