Posted to dev@felix.apache.org by "XuCongying (Jira)" <ji...@apache.org> on 2020/03/01 12:48:00 UTC

[jira] [Created] (FELIX-6230) Vulnerable dependencies in your project.(CVEs)

XuCongying created FELIX-6230:
---------------------------------

             Summary: Vulnerable dependencies in your project.(CVEs)
                 Key: FELIX-6230
                 URL: https://issues.apache.org/jira/browse/FELIX-6230
             Project: Felix
          Issue Type: Bug
            Reporter: XuCongying


Hi,
I found some CVEs in the library dependencies, which may affect the security of your projects. To prevent the potential risk they may cause, I suggest a library update. See details below:

 Vulnerable Library Version: commons-collections : commons-collections : 3.2.1
  CVE ID: [CVE-2015-6420](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6420)
  Import Path: http/sslfilter/pom.xml, http/whiteboard/pom.xml
  Suggested Safe Versions: 20030418.083655, 20031027.000000, 20040102.233541, 20040616, 3.2.2

 Vulnerable Library Version: org.bouncycastle : bcpkix-jdk15on : 1.54
  CVE ID: [CVE-2017-13098](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13098), [CVE-2016-1000341](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000341), [CVE-2018-1000613](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000613)
  Import Path: deploymentadmin/itest/pom.xml
  Suggested Safe Versions: 1.60, 1.61, 1.62, 1.63, 1.64

 Vulnerable Library Version: org.ops4j.pax.runner : pax-runner-no-jcl : 1.7.6
  CVE ID: [CVE-2012-5783](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783)
  Import Path: useradmin/itest/pom.xml
  Suggested Safe Versions: 1.9.0

 Vulnerable Library Version: xerces : xercesImpl : 2.9.1
  CVE ID: [CVE-2012-0881](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881), [CVE-2013-4002](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002)
  Import Path: ipojo/manipulator/maven-ipojo-plugin/pom.xml, ipojo/manipulator/ipojo-ant-task/pom.xml
  Suggested Safe Versions: 2.12.0

 Vulnerable Library Version: org.eclipse.jetty : jetty-util : 9.4.11.v20180605
  CVE ID: [CVE-2019-10246](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10246), [CVE-2019-10241](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241)
  Import Path: http/jetty/pom.xml
  Suggested Safe Versions: 10.0.0-alpha0, 10.0.0.alpha1, 9.4.17.v20190418, 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 9.4.21.v20190926, 9.4.22.v20191022, 9.4.23.v20191118, 9.4.24.v20191120, 9.4.25.v20191220, 9.4.26.v20200117

 Vulnerable Library Version: org.eclipse.jetty : jetty-util : 9.3.8.v20160314
  CVE ID: [CVE-2017-9735](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9735), [CVE-2019-10246](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10246), [CVE-2019-10241](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241), [CVE-2018-12536](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536)
  Import Path: http/cometd/pom.xml
  Suggested Safe Versions: 10.0.0-alpha0, 10.0.0.alpha1, 9.4.17.v20190418, 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 9.4.21.v20190926, 9.4.22.v20191022, 9.4.23.v20191118, 9.4.24.v20191120, 9.4.25.v20191220, 9.4.26.v20200117

 Vulnerable Library Version: org.apache.ant : ant : 1.7.0
  CVE ID: [CVE-2012-2098](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098)
  Import Path: tools/org.apache.felix.scr.ant/pom.xml
  Suggested Safe Versions: 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.10.5, 1.10.6, 1.10.7, 1.7.1, 1.8.4, 1.9.0, 1.9.1, 1.9.10, 1.9.11, 1.9.12, 1.9.13, 1.9.14, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.9.7, 1.9.8, 1.9.9

 Vulnerable Library Version: org.eclipse.jetty : jetty-client : 9.3.8.v20160314
  CVE ID: [CVE-2017-7657](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657), [CVE-2017-7658](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658), [CVE-2017-7656](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7656)
  Import Path: http/cometd/pom.xml
  Suggested Safe Versions: 10.0.0-alpha0, 10.0.0.alpha1, 9.4.11.v20180605, 9.4.12.RC0, 9.4.12.RC1, 9.4.12.RC2, 9.4.12.v20180830, 9.4.13.v20181111, 9.4.14.v20181114, 9.4.15.v20190215, 9.4.16.v20190411, 9.4.17.v20190418, 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 9.4.21.v20190926, 9.4.22.v20191022, 9.4.23.v20191118, 9.4.24.v20191120, 9.4.25.v20191220, 9.4.26.v20200117

 Vulnerable Library Version: org.codehaus.plexus : plexus-utils : 2.0.5
  CVE ID: [CVE-2017-1000487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000487)
  Import Path: ipojo/manipulator/maven-ipojo-plugin/pom.xml
  Suggested Safe Versions: 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20, 3.0.21, 3.0.22, 3.0.23, 3.0.24, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.3.0

 Vulnerable Library Version: org.codehaus.plexus : plexus-utils : 3.0.10
  CVE ID: [CVE-2017-1000487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000487)
  Import Path: tools/maven-bundle-plugin/pom.xml
  Suggested Safe Versions: 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20, 3.0.21, 3.0.22, 3.0.23, 3.0.24, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.3.0

 Vulnerable Library Version: ch.qos.logback : logback-core : 0.9.6
  CVE ID: [CVE-2017-5929](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929)
  Import Path: ipojo/runtime/core-it/ipojo-core-factory-test/pom.xml, ipojo/runtime/core-it/ipojo-core-handler-test/pom.xml...(The rest of the 34 paths is hidden.)
  Suggested Safe Versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0-alpha0, 1.3.0-alpha1, 1.3.0-alpha2, 1.3.0-alpha3, 1.3.0-alpha4, 1.3.0-alpha5

 Vulnerable Library Version: ch.qos.logback : logback-core : 0.9.29
  CVE ID: [CVE-2017-5929](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929)
  Import Path: scr/pom.xml
  Suggested Safe Versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0-alpha0, 1.3.0-alpha1, 1.3.0-alpha2, 1.3.0-alpha3, 1.3.0-alpha4, 1.3.0-alpha5

 Vulnerable Library Version: ch.qos.logback : logback-core : 1.0.13
  CVE ID: [CVE-2017-5929](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929)
  Import Path: systemready/pom.xml
  Suggested Safe Versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0-alpha0, 1.3.0-alpha1, 1.3.0-alpha2, 1.3.0-alpha3, 1.3.0-alpha4, 1.3.0-alpha5

 Vulnerable Library Version: ch.qos.logback : logback-core : 1.1.3
  CVE ID: [CVE-2017-5929](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929)
  Import Path: deploymentadmin/itest/pom.xml
  Suggested Safe Versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0-alpha0, 1.3.0-alpha1, 1.3.0-alpha2, 1.3.0-alpha3, 1.3.0-alpha4, 1.3.0-alpha5

 Vulnerable Library Version: ch.qos.logback : logback-core : 0.9.20
  CVE ID: [CVE-2017-5929](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929)
  Import Path: ipojo/handler/eventadmin/eventadmin-handler-it/src/it/event-admin-it/pom.xml, ipojo/handler/eventadmin/eventadmin-handler-it/pom.xml, ipojo/handler/jmx/jmx-handler-it/src/it/jmx-it/pom.xml, ipojo/handler/jmx/jmx-handler-it/pom.xml, ipojo/handler/temporal/temporal-dependency-handler-it/src/it/temporal-it/pom.xml, ipojo/handler/temporal/temporal-dependency-handler-it/pom.xml, ipojo/handler/transaction/transaction-handler-it/src/it/transaction-it/pom.xml, ipojo/handler/transaction/transaction-handler-it/pom.xml, ipojo/handler/whiteboard/whiteboard-handler-it/src/it/whiteboard-it/pom.xml, ipojo/handler/whiteboard/whiteboard-handler-it/pom.xml
  Suggested Safe Versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0-alpha0, 1.3.0-alpha1, 1.3.0-alpha2, 1.3.0-alpha3, 1.3.0-alpha4, 1.3.0-alpha5

 Vulnerable Library Version: org.ops4j.pax.url : pax-url-aether : 1.6.0
  CVE ID: [CVE-2015-6748](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6748)
  Import Path: deploymentadmin/itest/pom.xml
  Suggested Safe Versions: 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.6.0, 2.6.1, 2.6.2

 Vulnerable Library Version: com.h2database : h2 : 1.3.171
  CVE ID: [CVE-2018-10054](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10054), [CVE-2018-14335](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14335)
  Import Path: examples/jaas/jdbc-h2/pom.xml
  Suggested Safe Versions: 1.4.198, 1.4.199, 1.4.200

 Vulnerable Library Version: org.eclipse.jetty : jetty-server : 9.4.11.v20180605
  CVE ID: [CVE-2019-10247](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247)
  Import Path: http/jetty/pom.xml
  Suggested Safe Versions: 10.0.0-alpha0, 10.0.0.alpha1, 9.4.17.v20190418, 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 9.4.24.v20191120, 9.4.25.v20191220, 9.4.26.v20200117

 Vulnerable Library Version: commons-fileupload : commons-fileupload : 1.3.2
  CVE ID: [CVE-2016-1000031](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031)
  Import Path: webconsole-plugins/subsystems/pom.xml, webconsole-plugins/deppack/pom.xml, webconsole-plugins/script-console/pom.xml
  Suggested Safe Versions: 1.3.3, 1.4

 Vulnerable Library Version: commons-fileupload : commons-fileupload : 1.2.1
  CVE ID: [CVE-2013-2186](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2186), [CVE-2016-3092](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092), [CVE-2014-0050](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050), [CVE-2016-1000031](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031), [CVE-2013-0248](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0248)
  Import Path: webconsole/pom.xml
  Suggested Safe Versions: 1.3.3, 1.4

 Vulnerable Library Version: commons-fileupload : commons-fileupload : 1.2.2
  CVE ID: [CVE-2013-2186](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2186), [CVE-2016-3092](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092), [CVE-2014-0050](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050), [CVE-2016-1000031](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031), [CVE-2013-0248](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0248)
  Import Path: ipojo/distributions/ipojo-webconsole-quicktart/pom.xml
  Suggested Safe Versions: 1.3.3, 1.4

 Vulnerable Library Version: org.apache.commons : commons-compress : 1.10
  CVE ID: [CVE-2018-11771](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771)
  Import Path: tools/maven-bundle-plugin/src/it/embed-multiple-artifacts/pom.xml, tools/maven-bundle-plugin/src/it/dep-reduced/pom.xml
  Suggested Safe Versions: 1.19, 1.20

 Vulnerable Library Version: org.apache.sling : org.apache.sling.api : 2.2.0
  CVE ID: [CVE-2015-2944](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2944)
  Import Path: tools/maven-scr-plugin/src/it/basic-build-it/pom.xml, tools/maven-scr-plugin/src/it/external-annotations-it/pom.xml
  Suggested Safe Versions: 2.11.0, 2.12.0, 2.14.0, 2.14.2, 2.15.0, 2.16.0, 2.16.2, 2.16.4, 2.18.0, 2.18.2, 2.18.4, 2.2.2, 2.2.4, 2.20.0, 2.21.0, 2.22.0, 2.3.0, 2.4.0, 2.4.2, 2.5.0, 2.6.0, 2.7.0, 2.8.0, 2.9.0

 Vulnerable Library Version: ch.qos.logback : logback-classic : 0.9.6
  CVE ID: [CVE-2017-5929](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929)
  Import Path: ipojo/runtime/core-it/ipojo-core-factory-test/pom.xml, ipojo/runtime/core-it/ipojo-core-handler-test/pom.xml...(The rest of the 34 paths is hidden.)
  Suggested Safe Versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0-alpha0, 1.3.0-alpha1, 1.3.0-alpha2, 1.3.0-alpha3, 1.3.0-alpha4, 1.3.0-alpha5

 Vulnerable Library Version: ch.qos.logback : logback-classic : 0.9.29
  CVE ID: [CVE-2017-5929](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929)
  Import Path: scr/pom.xml
  Suggested Safe Versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0-alpha0, 1.3.0-alpha1, 1.3.0-alpha2, 1.3.0-alpha3, 1.3.0-alpha4, 1.3.0-alpha5

 Vulnerable Library Version: ch.qos.logback : logback-classic : 1.0.13
  CVE ID: [CVE-2017-5929](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929)
  Import Path: systemready/pom.xml
  Suggested Safe Versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0-alpha0, 1.3.0-alpha1, 1.3.0-alpha2, 1.3.0-alpha3, 1.3.0-alpha4, 1.3.0-alpha5

 Vulnerable Library Version: ch.qos.logback : logback-classic : 1.1.3
  CVE ID: [CVE-2017-5929](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929)
  Import Path: deploymentadmin/itest/pom.xml
  Suggested Safe Versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0-alpha0, 1.3.0-alpha1, 1.3.0-alpha2, 1.3.0-alpha3, 1.3.0-alpha4, 1.3.0-alpha5

 Vulnerable Library Version: ch.qos.logback : logback-classic : 0.9.20
  CVE ID: [CVE-2017-5929](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929)
  Import Path: ipojo/handler/eventadmin/eventadmin-handler-it/src/it/event-admin-it/pom.xml, ipojo/handler/eventadmin/eventadmin-handler-it/pom.xml, ipojo/handler/jmx/jmx-handler-it/src/it/jmx-it/pom.xml, ipojo/handler/jmx/jmx-handler-it/pom.xml, ipojo/handler/temporal/temporal-dependency-handler-it/src/it/temporal-it/pom.xml, ipojo/handler/temporal/temporal-dependency-handler-it/pom.xml, ipojo/handler/transaction/transaction-handler-it/src/it/transaction-it/pom.xml, ipojo/handler/transaction/transaction-handler-it/pom.xml, ipojo/handler/whiteboard/whiteboard-handler-it/src/it/whiteboard-it/pom.xml, ipojo/handler/whiteboard/whiteboard-handler-it/pom.xml
  Suggested Safe Versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0-alpha0, 1.3.0-alpha1, 1.3.0-alpha2, 1.3.0-alpha3, 1.3.0-alpha4, 1.3.0-alpha5

 Vulnerable Library Version: org.codehaus.woodstox : woodstox-core-asl : 4.0.7
  CVE ID: [CVE-2013-2160](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2160)
  Import Path: bundlerepository/pom.xml
  Suggested Safe Versions: 4.2.0, 4.2.1, 4.3.0, 4.4.0, 4.4.1

 Vulnerable Library Version: org.bouncycastle : bcprov-jdk15on : 1.54
  CVE ID: [CVE-2016-1000346](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000346), [CVE-2018-1000613](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000613), [CVE-2015-6644](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6644), [CVE-2016-1000341](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000341), [CVE-2016-1000340](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000340), [CVE-2016-1000342](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000342), [CVE-2016-1000344](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000344), [CVE-2016-1000343](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000343), [CVE-2018-5382](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5382), [CVE-2016-1000339](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000339), [CVE-2016-1000345](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000345), [CVE-2016-1000352](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000352), [CVE-2016-1000338](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000338), [CVE-2017-13098](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13098)
  Import Path: deploymentadmin/itest/pom.xml
  Suggested Safe Versions: 1.60, 1.61, 1.62, 1.64

 Vulnerable Library Version: org.eclipse.jetty : jetty-http : 9.3.8.v20160314
  CVE ID: [CVE-2018-12545](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12545), [CVE-2017-7657](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657), [CVE-2017-7658](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658), [CVE-2017-7656](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7656)
  Import Path: http/cometd/pom.xml
  Suggested Safe Versions: 10.0.0-alpha0, 10.0.0.alpha1, 9.4.16.v20190411, 9.4.17.v20190418, 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 9.4.21.v20190926, 9.4.22.v20191022, 9.4.23.v20191118, 9.4.24.v20191120, 9.4.25.v20191220, 9.4.26.v20200117

--
This message was sent by Atlassian Jira
(v8.3.4#803005)