You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@zookeeper.apache.org by "Ramya Rohidas (Jira)" <ji...@apache.org> on 2022/04/06 10:31:00 UTC
[jira] [Created] (ZOOKEEPER-4513) ZK 3.6 jar vulnerabilities
Ramya Rohidas created ZOOKEEPER-4513:
----------------------------------------
Summary: ZK 3.6 jar vulnerabilities
Key: ZOOKEEPER-4513
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4513
Project: ZooKeeper
Issue Type: Bug
Reporter: Ramya Rohidas
Java (jar) ========== Total: 7 (UNKNOWN: 1, LOW: 2, MEDIUM: 0, HIGH: 3, CRITICAL: 1) +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+ | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+ | com.fasterxml.jackson.core:jackson-databind | CVE-2020-36518 | HIGH | 2.10.5.1 | 2.12.6.1, 2.13.2.1 | jackson-databind: denial of service | | | | | | | via a large depth of nested objects | | | | | | | -->avd.aquasec.com/nvd/cve-2020-36518 | +---------------------------------------------+------------------+ +-------------------+--------------------------------+---------------------------------------+ | io.netty:netty-codec | CVE-2021-37136 | | 4.1.63.Final | 4.1.68.Final | netty-codec: Bzip2Decoder | | | | | | | doesn't allow setting size | | | | | | | restrictions for decompressed data | | | | | | | -->avd.aquasec.com/nvd/cve-2021-37136 | + +------------------+ + + +---------------------------------------+ | | CVE-2021-37137 | | | | netty-codec: SnappyFrameDecoder | | | | | | | doesn't restrict chunk length and | | | | | | | may buffer skippable chunks in... | | | | | | | -->avd.aquasec.com/nvd/cve-2021-37137 | +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+ | log4j:log4j | CVE-2019-17571 | CRITICAL | 1.2.17 | 2.0-alpha1 | log4j: deserialization of | | | | | | | untrusted data in SocketServer | | | | | | | -->avd.aquasec.com/nvd/cve-2019-17571 | + +------------------+----------+ +--------------------------------+---------------------------------------+ | | CVE-2020-9488 | LOW | | 2.13.2 | log4j: improper validation | | | | | | | of certificate with host | | | | | | | mismatch in SMTP appender | | | | | | | -->avd.aquasec.com/nvd/cve-2020-9488 | + +------------------+----------+ +--------------------------------+---------------------------------------+ | | GMS-2021-5 | UNKNOWN | | 2.15.0-rc1 | Improper Neutralization | | | | | | | of Special Elements in | | | | | | | Output Used by a Downstream | | | | | | | Component... | +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+ | org.eclipse.jetty:jetty-server | CVE-2021-34428 | LOW | 9.4.39.v20210325 | 9.4.40.v20210413, 10.0.3, | jetty: SessionListener can | | | | | | 11.0.3 | prevent a session from being | | | | | | | invalidated breaking logout | | | | | | | -->avd.aquasec.com/nvd/cve-2021-34428 | +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
--
This message was sent by Atlassian Jira
(v8.20.1#820001)