Posted to issues@hop.apache.org by "hansva (via GitHub)" <gi...@apache.org> on 2023/02/07 14:06:51 UTC

[GitHub] [hop] hansva opened a new issue, #2250: [Task]: Update dependencies to newer versions

hansva opened a new issue, #2250:
URL: https://github.com/apache/hop/issues/2250

   ### What needs to happen?
   
   |Package|Vulnerability ID|Severity|Installed Version|Fixed Version|PkgPath|Description|
   |---|---|---|---|---|---|---|
   |com.fasterxml.jackson.core:jackson-databind|CVE-2017-15095 |CRITICAL|2.4.0|2.7.9.2, 2.8.10, 2.9.1|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.|
   |com.fasterxml.jackson.core:jackson-databind|CVE-2018-11307 |CRITICAL|2.4.0|2.7.9.4, 2.8.11.2, 2.9.6|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.|
   |com.fasterxml.jackson.core:jackson-databind|CVE-2018-14718 |CRITICAL|2.4.0|2.6.7.2, 2.9.7|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. |
   |com.fasterxml.jackson.core:jackson-databind|CVE-2018-7489|CRITICAL|2.4.0|2.7.9.3, 2.8.11.1, 2.9.5|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.|
   |com.fasterxml.jackson.core:jackson-databind|CVE-2019-14540 |CRITICAL|2.4.0|2.9.10|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig. |
   |com.fasterxml.jackson.core:jackson-databind|CVE-2019-14893 |CRITICAL|2.4.0|2.8.11.5, 2.9.10|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code. |
   |com.fasterxml.jackson.core:jackson-databind|CVE-2019-16335 |CRITICAL|2.4.0|2.9.10|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.|
   |com.fasterxml.jackson.core:jackson-databind|CVE-2019-16942 |CRITICAL|2.4.0|2.9.10.1|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. |
   |com.fasterxml.jackson.core:jackson-databind|CVE-2019-16943 |CRITICAL|2.4.0|2.9.10.1|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. |
   |com.fasterxml.jackson.core:jackson-databind|CVE-2019-17267 |CRITICAL|2.4.0|2.9.10|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.|
   |com.fasterxml.jackson.core:jackson-databind|CVE-2019-17531 |CRITICAL|2.4.0|2.9.10.1|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.|
   |com.fasterxml.jackson.core:jackson-databind|CVE-2019-20330 |CRITICAL|2.4.0|2.8.11.5, 2.9.10.2|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking. |
   |org.apache.commons:commons-text|CVE-2022-42889 |CRITICAL|1.9|1.10.0|opt/hop/hop/plugins/engines/beam/lib/commons-text-1.9.jar |Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default. |
   |com.fasterxml.jackson.core:jackson-databind|CVE-2020-36518 |HIGH|2.11.4 |2.12.6.1, 2.13.2.1|opt/hop/hop/plugins/tech/parquet/lib/parquet-jackson-1.12.0.jar |jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. |
   |com.fasterxml.jackson.core:jackson-databind|CVE-2022-42003 |HIGH|2.11.4 |2.12.7.1, 2.13.4.1|opt/hop/hop/plugins/tech/parquet/lib/parquet-jackson-1.12.0.jar |In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1|
   |com.fasterxml.jackson.core:jackson-databind|CVE-2022-42004 |HIGH|2.11.4 |2.12.7.1, 2.13.4|opt/hop/hop/plugins/tech/parquet/lib/parquet-jackson-1.12.0.jar |In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.|
   |com.fasterxml.jackson.core:jackson-databind|CVE-2022-42003 |HIGH|2.12.7 |2.12.7.1, 2.13.4.1|opt/hop/hop/plugins/engines/beam/lib/hadoop-client-runtime-3.3.4.jar|In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1|
   |com.fasterxml.jackson.core:jackson-databind|CVE-2022-42003 |HIGH|2.12.7 |2.12.7.1, 2.13.4.1|opt/hop/hop/plugins/tech/parquet/lib/hadoop-client-runtime-3.3.4.jar|In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1|
   |com.fasterxml.jackson.core:jackson-databind|CVE-2022-42004 |HIGH|2.12.7 |2.12.7.1, 2.13.4|opt/hop/hop/plugins/engines/beam/lib/hadoop-client-runtime-3.3.4.jar|In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.|
   |com.fasterxml.jackson.core:jackson-databind|CVE-2022-42004 |HIGH|2.12.7 |2.12.7.1, 2.13.4|opt/hop/hop/plugins/tech/parquet/lib/hadoop-client-runtime-3.3.4.jar|In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.|
   |com.fasterxml.jackson.core:jackson-databind|CVE-2018-5968|HIGH|2.4.0|2.7.9.5, 2.8.11.1, 2.9.4|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.|
   |com.fasterxml.jackson.core:jackson-databind|CVE-2020-10650 |HIGH|2.4.0|2.9.10.4|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider. |
   |com.fasterxml.jackson.core:jackson-databind|CVE-2020-35490 |HIGH|2.4.0|2.9.10.8|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.|
   |com.fasterxml.jackson.core:jackson-databind|CVE-2020-35491 |HIGH|2.4.0|2.9.10.8|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. |
   |com.fasterxml.jackson.core:jackson-databind|CVE-2020-36518 |HIGH|2.4.0|2.12.6.1, 2.13.2.1|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. |
   |com.fasterxml.jackson.core:jackson-databind|CVE-2022-42003 |HIGH|2.4.0|2.12.7.1, 2.13.4.1|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1|
   |com.fasterxml.jackson.core:jackson-databind|CVE-2022-42004 |HIGH|2.4.0|2.12.7.1, 2.13.4|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.|
   |com.fasterxml.woodstox:woodstox-core |CVE-2022-40151 |HIGH|5.3.0|5.4.0, 6.4.0|opt/hop/hop/plugins/engines/beam/lib/hadoop-client-runtime-3.3.4.jar|Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.|
   |com.fasterxml.woodstox:woodstox-core |CVE-2022-40151 |HIGH|5.3.0|5.4.0, 6.4.0|opt/hop/hop/plugins/tech/parquet/lib/hadoop-client-runtime-3.3.4.jar|Those using Xstream to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.|
   |com.fasterxml.woodstox:woodstox-core |CVE-2022-40152 |HIGH|5.3.0|5.4.0, 6.4.0|opt/hop/hop/plugins/engines/beam/lib/hadoop-client-runtime-3.3.4.jar|Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.|
   |com.fasterxml.woodstox:woodstox-core |CVE-2022-40152 |HIGH|5.3.0|5.4.0, 6.4.0|opt/hop/hop/plugins/tech/parquet/lib/hadoop-client-runtime-3.3.4.jar|Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.|
   |com.google.protobuf:protobuf-java|CVE-2022-3171|HIGH|3.19.3 |3.16.3, 3.19.6, 3.20.3, 3.21.7|opt/hop/hop/lib/core/sshlib-2.2.21.jar|A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. |
   |com.google.protobuf:protobuf-java|CVE-2022-3171|HIGH|3.19.3 |3.16.3, 3.19.6, 3.20.3, 3.21.7|opt/hop/hop/plugins/transforms/ssh/lib/sshlib-2.2.21.jar|A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. |
   |com.google.protobuf:protobuf-java|CVE-2022-3509|HIGH|3.19.3 |3.16.3, 3.19.6, 3.20.3, 3.21.7|opt/hop/hop/lib/core/sshlib-2.2.21.jar|A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.|
   |com.google.protobuf:protobuf-java|CVE-2022-3509|HIGH|3.19.3 |3.16.3, 3.19.6, 3.20.3, 3.21.7|opt/hop/hop/plugins/transforms/ssh/lib/sshlib-2.2.21.jar|A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.|
   |com.google.protobuf:protobuf-java|CVE-2022-3510|HIGH|3.19.3 |3.16.3, 3.19.6, 3.20.3, 3.21.7|opt/hop/hop/lib/core/sshlib-2.2.21.jar|A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. |
   |com.google.protobuf:protobuf-java|CVE-2022-3510|HIGH|3.19.3 |3.16.3, 3.19.6, 3.20.3, 3.21.7|opt/hop/hop/plugins/transforms/ssh/lib/sshlib-2.2.21.jar|A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. |
   |com.google.protobuf:protobuf-java|CVE-2022-3171|HIGH|3.21.1 |3.16.3, 3.19.6, 3.20.3, 3.21.7|opt/hop/hop/lib/beam/beam-vendor-grpc-1_48_1-0.1.jar|A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. |
   |com.google.protobuf:protobuf-java|CVE-2022-3509|HIGH|3.21.1 |3.16.3, 3.19.6, 3.20.3, 3.21.7|opt/hop/hop/lib/beam/beam-vendor-grpc-1_48_1-0.1.jar|A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.|
   |com.google.protobuf:protobuf-java|CVE-2022-3510|HIGH|3.21.1 |3.16.3, 3.19.6, 3.20.3, 3.21.7|opt/hop/hop/lib/beam/beam-vendor-grpc-1_48_1-0.1.jar|A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. |
   |com.google.protobuf:protobuf-java|CVE-2022-3171|HIGH|3.7.1|3.16.3, 3.19.6, 3.20.3, 3.21.7|opt/hop/hop/plugins/engines/beam/lib/hadoop-client-runtime-3.3.4.jar|A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. |
   |com.google.protobuf:protobuf-java|CVE-2022-3171|HIGH|3.7.1|3.16.3, 3.19.6, 3.20.3, 3.21.7|opt/hop/hop/plugins/tech/parquet/lib/hadoop-client-runtime-3.3.4.jar|A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. |
   |io.netty:netty-all |CVE-2022-41881 |HIGH|4.1.85.Final |4.1.86|opt/hop/hop/lib/beam/netty-all-4.1.85.Final.jar |Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder. |
   |io.netty:netty-codec |CVE-2021-37136 |HIGH|4.1.66.Final |4.1.68|opt/hop/hop/plugins/tech/neo4j/lib/neo4j-java-driver-4.3.4.jar|The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack |
   |io.netty:netty-codec |CVE-2021-37137 |HIGH|4.1.66.Final |4.1.68|opt/hop/hop/plugins/tech/neo4j/lib/neo4j-java-driver-4.3.4.jar|The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.|
   |io.netty:netty-codec-haproxy |CVE-2022-41881 |HIGH|4.1.85.Final |4.1.86.Final|opt/hop/hop/lib/beam/netty-codec-haproxy-4.1.85.Final.jar |Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder. |
   |org.eclipse.jetty:jetty-client |CVE-2020-27216 |HIGH|9.4.28.v20200408 |9.4.33.v20201020, 10.0.0.beta3, 11.0.0.beta3|opt/hop/hop/lib/core/jetty-client-9.4.28.v20200408.jar|In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.|
   |org.eclipse.jetty:jetty-client |CVE-2021-28165 |HIGH|9.4.28.v20200408 |9.4.39.v20210325, 10.0.2, 11.0.2|opt/hop/hop/lib/core/jetty-client-9.4.28.v20200408.jar|In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.|
   |org.eclipse.jetty:jetty-http |CVE-2021-28165 |HIGH|9.4.35.v20201120 |9.4.39.v20210325, 10.0.2, 11.0.2|opt/hop/hop/lib/core/jetty-http-9.4.35.v20201120.jar|In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.|
   |org.eclipse.jetty:jetty-io |CVE-2021-28165 |HIGH|9.4.35.v20201120 |9.4.39.v20210325, 10.0.2, 11.0.2|opt/hop/hop/lib/core/jetty-io-9.4.35.v20201120.jar|In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.|
   |org.eclipse.jetty:jetty-server |CVE-2021-28165 |HIGH|9.4.35.v20201120 |9.4.39.v20210325, 10.0.2, 11.0.2|opt/hop/hop/lib/core/jetty-server-9.4.35.v20201120.jar|In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.|
   |org.eclipse.jetty:jetty-util |CVE-2021-28165 |HIGH|9.4.35.v20201120 |9.4.39.v20210325, 10.0.2, 11.0.2|opt/hop/hop/lib/core/jetty-util-9.4.35.v20201120.jar|In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.|
   |org.yaml:snakeyaml |CVE-2022-25857 |HIGH|1.26 |1.31|opt/hop/hop/plugins/tech/cassandra/lib/snakeyaml-1.26.jar |The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections. |
   |com.google.guava:guava |CVE-2020-8908|LOW |14.0.1 |30.0|opt/hop/hop/plugins/engines/beam/lib/spark-network-common_2.12-3.3.0.jar|A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.|
   |com.google.guava:guava |CVE-2020-8908|LOW |26.0-jre |30.0|opt/hop/hop/lib/beam/beam-vendor-guava-26_0-jre-0.1.jar |A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.|
   |org.apache.tika:tika-core|CVE-2022-33879 |LOW |2.3.0|1.28.4, 2.4.1 |opt/hop/hop/plugins/transforms/tika/lib/tika-core-2.3.0.jar |The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1. |
   |org.apache.tika:tika-parser-image-module |CVE-2022-33879 |LOW |2.3.0|1.28.4, 2.4.1 |opt/hop/hop/plugins/transforms/tika/lib/tika-parser-image-module-2.3.0.jar|The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the StandardsExtractingContentHandler were insufficient, and we found a separate, new regex DoS in a different regex in the StandardsExtractingContentHandler. These are now fixed in 1.28.4 and 2.4.1. |
   |org.eclipse.jetty:jetty-http |CVE-2021-28163 |LOW |9.4.35.v20201120 |9.4.39.v20210325, 10.0.2, 11.0.2|opt/hop/hop/lib/core/jetty-http-9.4.35.v20201120.jar|In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.|
   |org.eclipse.jetty:jetty-http |CVE-2022-2047|LOW |9.4.35.v20201120 |9.4.46.v20220331, 10.0.9, 11.0.10 |opt/hop/hop/lib/core/jetty-http-9.4.35.v20201120.jar|In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario. |
   |org.eclipse.jetty:jetty-http |CVE-2022-2047|LOW |9.4.43.v20210629 |9.4.46.v20220331, 10.0.9, 11.0.10 |opt/hop/hop/plugins/engines/beam/lib/hadoop-client-runtime-3.3.4.jar|In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario. |
   |org.eclipse.jetty:jetty-http |CVE-2022-2047|LOW |9.4.43.v20210629 |9.4.46.v20220331, 10.0.9, 11.0.10 |opt/hop/hop/plugins/tech/parquet/lib/hadoop-client-runtime-3.3.4.jar|In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario. |
   |org.eclipse.jetty:jetty-server |CVE-2021-28163 |LOW |9.4.35.v20201120 |9.4.39.v20210325, 10.0.2, 11.0.2|opt/hop/hop/lib/core/jetty-server-9.4.35.v20201120.jar|In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.|
   |org.eclipse.jetty:jetty-server |CVE-2021-34428 |LOW |9.4.35.v20201120 |9.4.40.v20210413, 10.0.3, 11.0.3|opt/hop/hop/lib/core/jetty-server-9.4.35.v20201120.jar|For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.|
   |org.eclipse.jetty:jetty-util |CVE-2021-28163 |LOW |9.4.35.v20201120 |9.4.39.v20210325, 10.0.2, 11.0.2|opt/hop/hop/lib/core/jetty-util-9.4.35.v20201120.jar|In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.|
   |org.eclipse.jetty:jetty-webapp |CVE-2021-28163 |LOW |9.4.35.v20201120 |9.4.39.v20210325, 10.0.2, 11.0.2|opt/hop/hop/lib/core/jetty-webapp-9.4.35.v20201120.jar|In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.|
   |com.fasterxml.jackson.core:jackson-databind|CVE-2018-1000873 |MEDIUM|2.4.0|2.9.8 |opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.|
   |com.google.guava:guava |CVE-2018-10237 |MEDIUM|14.0.1 |24.1.1-jre, 24.1.1-android|opt/hop/hop/plugins/engines/beam/lib/spark-network-common_2.12-3.3.0.jar|Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable. |
   |com.google.protobuf:protobuf-java|CVE-2021-22569 |MEDIUM|3.7.1|3.16.1, 3.18.2, 3.19.2|opt/hop/hop/plugins/engines/beam/lib/hadoop-client-runtime-3.3.4.jar|An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.|
   |com.google.protobuf:protobuf-java|CVE-2021-22569 |MEDIUM|3.7.1|3.16.1, 3.18.2, 3.19.2|opt/hop/hop/plugins/tech/parquet/lib/hadoop-client-runtime-3.3.4.jar|An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.|
   |commons-net:commons-net|CVE-2021-37533 |MEDIUM|3.6|3.9.0 |opt/hop/hop/plugins/engines/beam/lib/hadoop-client-runtime-3.3.4.jar|[Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.](https://issues.apache.org/jira/browse/NET-711) |
   |commons-net:commons-net|CVE-2021-37533 |MEDIUM|3.6|3.9.0 |opt/hop/hop/plugins/tech/parquet/lib/hadoop-client-runtime-3.3.4.jar|[Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.](https://issues.apache.org/jira/browse/NET-711) |
   |commons-net:commons-net|CVE-2021-37533 |MEDIUM|3.8.0|3.9.0 |opt/hop/hop/lib/core/commons-net-3.8.0.jar|[Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.](https://issues.apache.org/jira/browse/NET-711) |
   |io.netty:netty |CVE-2021-21409 |MEDIUM|3.10.6.Final |4.1.61|opt/hop/hop/lib/beam/netty-3.10.6.Final.jar |Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final. |
   |io.netty:netty |CVE-2022-24823 |MEDIUM|3.10.6.Final |4.1.77.Final|opt/hop/hop/lib/beam/netty-3.10.6.Final.jar |Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.|
   |io.netty:netty-codec |CVE-2022-24823 |MEDIUM|4.1.66.Final |4.1.77.Final|opt/hop/hop/plugins/tech/neo4j/lib/neo4j-java-driver-4.3.4.jar|Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.|
   |io.netty:netty-codec-http|CVE-2022-41915 |MEDIUM|4.1.77.Final |4.1.86|opt/hop/hop/lib/beam/beam-vendor-grpc-1_48_1-0.1.jar|Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call into a `remove()` call, and calling `add()` in a loop over the iterator of values.|
   |io.netty:netty-codec-http|CVE-2022-41915 |MEDIUM|4.1.85.Final |4.1.86|opt/hop/hop/lib/beam/netty-codec-http-4.1.85.Final.jar|Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an _iterator_ of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call into a `remove()` call, and calling `add()` in a loop over the iterator of values.|
   |io.netty:netty-handler |CVE-2022-24823 |MEDIUM|4.1.66.Final |4.1.77.Final|opt/hop/hop/plugins/tech/neo4j/lib/neo4j-java-driver-4.3.4.jar|Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.|
   |org.apache.tika:tika-core|CVE-2022-30126 |MEDIUM|2.3.0|1.28.3, 2.4.0 |opt/hop/hop/plugins/transforms/tika/lib/tika-core-2.3.0.jar |In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0|
   |org.apache.tika:tika-parser-image-module |CVE-2022-25169 |MEDIUM|2.3.0|1.28.2, 2.4.0 |opt/hop/hop/plugins/transforms/tika/lib/tika-parser-image-module-2.3.0.jar|The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files. |
   |org.eclipse.jetty:jetty-client |CVE-2020-27223 |MEDIUM|9.4.28.v20200408 |9.4.37.v20210219, 10.0.1, 11.0.1|opt/hop/hop/lib/core/jetty-client-9.4.28.v20200408.jar|In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.|
   |org.eclipse.jetty:jetty-http |CVE-2020-27223 |MEDIUM|9.4.35.v20201120 |9.4.37.v20210219, 10.0.1, 11.0.1|opt/hop/hop/lib/core/jetty-http-9.4.35.v20201120.jar|In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.|
   |org.eclipse.jetty:jetty-server |CVE-2020-27223 |MEDIUM|9.4.35.v20201120 |9.4.37.v20210219, 10.0.1, 11.0.1|opt/hop/hop/lib/core/jetty-server-9.4.35.v20201120.jar|In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.|
   |org.eclipse.jetty:jetty-servlets |CVE-2021-28169 |MEDIUM|9.4.35.v20201120 |9.4.41, 10.0.3, 11.0.3|opt/hop/hop/lib/core/jetty-servlets-9.4.35.v20201120.jar|For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. |
   |org.eclipse.jetty:jetty-util |CVE-2020-27223 |MEDIUM|9.4.35.v20201120 |9.4.37.v20210219, 10.0.1, 11.0.1|opt/hop/hop/lib/core/jetty-util-9.4.35.v20201120.jar|In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.|
   |org.yaml:snakeyaml |CVE-2022-38749 |MEDIUM|1.26 |1.31|opt/hop/hop/plugins/tech/cassandra/lib/snakeyaml-1.26.jar |Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. |
   |org.yaml:snakeyaml |CVE-2022-38750 |MEDIUM|1.26 |1.31|opt/hop/hop/plugins/tech/cassandra/lib/snakeyaml-1.26.jar |Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. |
   |org.yaml:snakeyaml |CVE-2022-38751 |MEDIUM|1.26 |1.31|opt/hop/hop/plugins/tech/cassandra/lib/snakeyaml-1.26.jar |Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. |
   |org.yaml:snakeyaml |CVE-2022-38752 |MEDIUM|1.26 |1.32|opt/hop/hop/plugins/tech/cassandra/lib/snakeyaml-1.26.jar |Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.|
   |org.yaml:snakeyaml |CVE-2022-41854 |MEDIUM|1.26 |1.32|opt/hop/hop/plugins/tech/cassandra/lib/snakeyaml-1.26.jar |Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.|
   |com.fasterxml.jackson.core:jackson-databind|GHSA-rpr3-cw39-3pxh|UNKNOWN |2.4.0|2.9.10.4|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |The com.fasterxml.jackson.core:jackson-databind library before versions 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class `ignite-jta`. |
   |com.google.protobuf:protobuf-java|GHSA-h4h5-3hr4-j3g2|UNKNOWN |3.19.3 |3.20.3, 3.21.7, 3.16.3, 3.19.6|opt/hop/hop/lib/core/sshlib-2.2.21.jar|Improper Neutralization in com.google.protobuf:protobuf-kotlin-lite.|
   |com.google.protobuf:protobuf-java|GHSA-h4h5-3hr4-j3g2|UNKNOWN |3.19.3 |3.20.3, 3.21.7, 3.16.3, 3.19.6|opt/hop/hop/plugins/transforms/ssh/lib/sshlib-2.2.21.jar|Improper Neutralization in com.google.protobuf:protobuf-kotlin-lite.|
   |com.google.protobuf:protobuf-java|GHSA-h4h5-3hr4-j3g2|UNKNOWN |3.21.1 |3.20.3, 3.21.7, 3.16.3, 3.19.6|opt/hop/hop/lib/beam/beam-vendor-grpc-1_48_1-0.1.jar|Improper Neutralization in com.google.protobuf:protobuf-kotlin-lite.|
   |com.google.protobuf:protobuf-java|GHSA-h4h5-3hr4-j3g2|UNKNOWN |3.7.1|3.20.3, 3.21.7, 3.16.3, 3.19.6|opt/hop/hop/plugins/engines/beam/lib/hadoop-client-runtime-3.3.4.jar|Improper Neutralization in com.google.protobuf:protobuf-kotlin-lite.|
   |com.google.protobuf:protobuf-java|GHSA-h4h5-3hr4-j3g2|UNKNOWN |3.7.1|3.20.3, 3.21.7, 3.16.3, 3.19.6|opt/hop/hop/plugins/tech/parquet/lib/hadoop-client-runtime-3.3.4.jar|Improper Neutralization in com.google.protobuf:protobuf-kotlin-lite.|
   |com.google.protobuf:protobuf-java|GHSA-wrvw-hg22-4m67|UNKNOWN |3.7.1|3.16.1, 3.18.2, 3.19.2|opt/hop/hop/plugins/engines/beam/lib/hadoop-client-runtime-3.3.4.jar|## Summary A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data. Reporter: [OSS-Fuzz](https://github.com/google/oss-fuzz) Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected. ## Severity [CVE-2021-22569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569) **High** - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses. ## Proof of Concept For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness. ## Remediation and Mitigation Please update to the latest available versions of the following packages: - protobuf-java (3.16.1, 3.18.2, 3.19.2) - protobuf-kotlin (3.18.2, 3.19.2) - google-protobuf [JRuby gem only] (3.19.2)|
   |com.google.protobuf:protobuf-java|GHSA-wrvw-hg22-4m67|UNKNOWN |3.7.1|3.16.1, 3.18.2, 3.19.2|opt/hop/hop/plugins/tech/parquet/lib/hadoop-client-runtime-3.3.4.jar|## Summary A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data. Reporter: [OSS-Fuzz](https://github.com/google/oss-fuzz) Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected. ## Severity [CVE-2021-22569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569) **High** - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses. ## Proof of Concept For reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness. ## Remediation and Mitigation Please update to the latest available versions of the following packages: - protobuf-java (3.16.1, 3.18.2, 3.19.2) - protobuf-kotlin (3.18.2, 3.19.2) - google-protobuf [JRuby gem only] (3.19.2)|
   
   ### Issue Priority
   
   Priority: 2
   
   ### Issue Component
   
   Component: Other


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@hop.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [hop] hansva commented on issue #2250: [Task]: Update dependencies to newer versions

Posted by "hansva (via GitHub)" <gi...@apache.org>.
hansva commented on issue #2250:
URL: https://github.com/apache/hop/issues/2250#issuecomment-1432816808

   I have added it as a thing for the next release, so by the end of March and included in the next release




[GitHub] [hop] KBoersch commented on issue #2250: [Task]: Update dependencies to newer versions

Posted by "KBoersch (via GitHub)" <gi...@apache.org>.
KBoersch commented on issue #2250:
URL: https://github.com/apache/hop/issues/2250#issuecomment-1432806443

   Can you estimate when you'll solve the issue? Since we've been acquired by a bigger company, security has become even more important than it was before.




[GitHub] [hop] hansva commented on issue #2250: [Task]: Update dependencies to newer versions

Posted by "hansva (via GitHub)" <gi...@apache.org>.
hansva commented on issue #2250:
URL: https://github.com/apache/hop/issues/2250#issuecomment-1451660296

   .take-issue




[GitHub] [hop] hansva commented on issue #2250: [Task]: Update dependencies to newer versions

Posted by "hansva (via GitHub)" <gi...@apache.org>.
hansva commented on issue #2250:
URL: https://github.com/apache/hop/issues/2250#issuecomment-1454173862

   I have upgraded what could be upgraded, and the list will be shorter... It can be checked using the hop:Development tag on docker or a client from [here](https://repository.apache.org/content/repositories/snapshots/org/apache/hop/hop-client/2.4.0-SNAPSHOT/).
   Many of the remaining issues are packages from downstream projects such as Hadoop/Spark/Beam and will only get solved if that project does a new release.
   Depending on what features you use in Hop you could mitigate those by removing that functionality.




[GitHub] [hop] hansva closed issue #2250: [Task]: Update dependencies to newer versions

Posted by "hansva (via GitHub)" <gi...@apache.org>.
hansva closed issue #2250: [Task]: Update dependencies to newer versions
URL: https://github.com/apache/hop/issues/2250

