Posted to oak-issues@jackrabbit.apache.org by "Andrei Dulceanu (Jira)" <ji...@apache.org> on 2021/07/13 13:33:00 UTC

[jira] [Updated] (OAK-9491) Address vulnerabilities found by dependency checker plugin

     [ https://issues.apache.org/jira/browse/OAK-9491?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrei Dulceanu updated OAK-9491:
---------------------------------
    Affects Version/s: 1.40.0

> Address vulnerabilities found by dependency checker plugin
> ----------------------------------------------------------
>
>                 Key: OAK-9491
>                 URL: https://issues.apache.org/jira/browse/OAK-9491
>             Project: Jackrabbit Oak
>          Issue Type: Task
>    Affects Versions: 1.40.0, 1.22.7
>            Reporter: Andrei Dulceanu
>            Assignee: Andrei Dulceanu
>            Priority: Major
>              Labels: candidate_oak_1_22
>             Fix For: 1.22.8
>
>
> {noformat}
> One or more dependencies were identified with known vulnerabilities in Jackrabbit Oak:
> aggs-matrix-stats-client-7.1.1.jar (pkg:maven/org.elasticsearch.plugin/aggs-matrix-stats-client@7.1.1, cpe:2.3:a:elastic:elasticsearch:7.1.1:*:*:*:*:*:*:*, cpe:2.3:a:elasticsearch:elasticsearch:7.1.1:*:*:*:*:*:*:*) : CVE-2019-7614, CVE-2019-7619, CVE-2020-7009, CVE-2020-7014, CVE-2020-7019, CVE-2020-7020, CVE-2020-7021
> bcprov-jdk15on-1.65.jar (pkg:maven/org.bouncycastle/bcprov-jdk15on@1.65, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.65:*:*:*:*:*:*:*) : CVE-2020-28052
> commons-io-2.6.jar (pkg:maven/commons-io/commons-io@2.6, cpe:2.3:a:apache:commons_io:2.6:*:*:*:*:*:*:*) : CVE-2021-29425
> cxf-core-3.3.6.jar (pkg:maven/org.apache.cxf/cxf-core@3.3.6, cpe:2.3:a:apache:cxf:3.3.6:*:*:*:*:*:*:*) : CVE-2020-13954, CVE-2021-22696, CVE-2021-30468
> elasticsearch-core-7.1.1.jar (pkg:maven/org.elasticsearch/elasticsearch-core@7.1.1, cpe:2.3:a:elastic:elasticsearch:7.1.1:*:*:*:*:*:*:*, cpe:2.3:a:elasticsearch:elasticsearch:7.1.1:*:*:*:*:*:*:*) : CVE-2019-7614, CVE-2019-7619, CVE-2020-7009, CVE-2020-7014, CVE-2020-7019, CVE-2020-7020, CVE-2020-7021
> fluent-hc-4.5.12.jar (pkg:maven/org.apache.httpcomponents/fluent-hc@4.5.12, cpe:2.3:a:apache:httpclient:4.5.12:*:*:*:*:*:*:*) : CVE-2020-13956
> groovy-2.5.2.jar (pkg:maven/org.codehaus.groovy/groovy@2.5.2, cpe:2.3:a:apache:groovy:2.5.2:*:*:*:*:*:*:*) : CVE-2020-17521
> groovy-all-2.4.17.jar (pkg:maven/org.codehaus.groovy/groovy-all@2.4.17, cpe:2.3:a:apache:groovy:2.4.17:*:*:*:*:*:*:*) : CVE-2020-17521
> guava-15.0.jar (pkg:maven/com.google.guava/guava@15.0, cpe:2.3:a:google:guava:15.0:*:*:*:*:*:*:*) : CVE-2018-10237, CVE-2020-8908
> guava-18.0.jar (pkg:maven/com.google.guava/guava@18.0, cpe:2.3:a:google:guava:18.0:*:*:*:*:*:*:*) : CVE-2018-10237, CVE-2020-8908
> hibernate-validator-5.3.6.Final.jar (pkg:maven/org.hibernate/hibernate-validator@5.3.6.Final, cpe:2.3:a:hibernate:hibernate-validator:5.3.6:*:*:*:*:*:*:*, cpe:2.3:a:redhat:hibernate_validator:5.3.6:*:*:*:*:*:*:*) : CVE-2020-10693
> http2-client-9.4.27.v20200227.jar (pkg:maven/org.eclipse.jetty.http2/http2-client@9.4.27.v20200227, cpe:2.3:a:eclipse:jetty:9.4.27:20200227:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.27:20200227:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.27:20200227:*:*:*:*:*:*) : CVE-2019-17638, CVE-2020-27216, CVE-2020-27218, CVE-2020-27223, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
> httpclient-4.5.12.jar (pkg:maven/org.apache.httpcomponents/httpclient@4.5.12, cpe:2.3:a:apache:httpclient:4.5.12:*:*:*:*:*:*:*) : CVE-2020-13956
> httpclient-osgi-4.5.12.jar/META-INF/maven/org.apache.httpcomponents/httpclient-cache/pom.xml (pkg:maven/org.apache.httpcomponents/httpclient-cache@4.5.12, cpe:2.3:a:apache:httpclient:4.5.12:*:*:*:*:*:*:*) : CVE-2020-13956
> jackson-databind-2.10.3.jar (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.3, cpe:2.3:a:fasterxml:jackson-databind:2.10.3:*:*:*:*:*:*:*) : CVE-2020-25649
> java-xmlbuilder-1.1.jar (pkg:maven/com.jamesmurty.utils/java-xmlbuilder@1.1) : CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
> javax-websocket-server-impl-9.4.18.v20190429.jar (pkg:maven/org.eclipse.jetty.websocket/javax-websocket-server-impl@9.4.18.v20190429, cpe:2.3:a:eclipse:jetty:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:java-websocket_project:java-websocket:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.18:20190429:*:*:*:*:*:*) : CVE-2020-27216, CVE-2020-27218, CVE-2020-27223, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
> javax.servlet-3.0.0.v201112011016.jar (pkg:maven/org.eclipse.jetty.orbit/javax.servlet@3.0.0.v201112011016, cpe:2.3:a:eclipse:jetty:3.0.0:201112011016:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:3.0.0:201112011016:*:*:*:*:*:*) : CVE-2009-5045, CVE-2009-5046, CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2020-27216, CVE-2021-28169, CVE-2021-34428
> javax.websocket-api-1.0.jar (pkg:maven/javax.websocket/javax.websocket-api@1.0, cpe:2.3:a:java-websocket_project:java-websocket:1.0:*:*:*:*:*:*:*) : CVE-2020-11050
> jdom2-2.0.6.jar (pkg:maven/org.jdom/jdom2@2.0.6, cpe:2.3:a:jdom:jdom:2.0.6:*:*:*:*:*:*:*) : CVE-2021-33813
> jetty-http-9.4.27.v20200227.jar (pkg:maven/org.eclipse.jetty/jetty-http@9.4.27.v20200227, cpe:2.3:a:eclipse:jetty:9.4.27:20200227:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.27:20200227:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.27:20200227:*:*:*:*:*:*) : CVE-2019-17638, CVE-2020-27216, CVE-2020-27218, CVE-2020-27223, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
> jetty-io-8.2.0.v20160908.jar (pkg:maven/org.eclipse.jetty/jetty-io@8.2.0.v20160908, cpe:2.3:a:mortbay_jetty:jetty:8.2.0:20160908:*:*:*:*:*:*) : CVE-2021-28165
> jetty-io-9.4.18.v20190429.jar (pkg:maven/org.eclipse.jetty/jetty-io@9.4.18.v20190429, cpe:2.3:a:mortbay_jetty:jetty:9.4.18:20190429:*:*:*:*:*:*) : CVE-2021-28165
> jetty-io-9.4.27.v20200227.jar (pkg:maven/org.eclipse.jetty/jetty-io@9.4.27.v20200227, cpe:2.3:a:mortbay_jetty:jetty:9.4.27:20200227:*:*:*:*:*:*) : CVE-2021-28165
> jetty-server-8.2.0.v20160908.jar (pkg:maven/org.eclipse.jetty/jetty-server@8.2.0.v20160908, cpe:2.3:a:eclipse:jetty:8.2.0:20160908:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:8.2.0:20160908:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:8.2.0:20160908:*:*:*:*:*:*) : CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2019-10241, CVE-2019-10247, CVE-2020-27216, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
> jetty-server-9.4.18.v20190429.jar (pkg:maven/org.eclipse.jetty/jetty-server@9.4.18.v20190429, cpe:2.3:a:eclipse:jetty:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.18:20190429:*:*:*:*:*:*) : CVE-2020-27216, CVE-2020-27218, CVE-2020-27223, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
> jetty-util-8.2.0.v20160908.jar (pkg:maven/org.eclipse.jetty/jetty-util@8.2.0.v20160908, cpe:2.3:a:eclipse:jetty:8.2.0:20160908:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:8.2.0:20160908:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:8.2.0:20160908:*:*:*:*:*:*) : CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2019-10247, CVE-2020-27216, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
> junit-4.12.jar (pkg:maven/junit/junit@4.12) : CVE-2020-15250
> lang-mustache-client-7.1.1.jar (pkg:maven/org.elasticsearch.plugin/lang-mustache-client@7.1.1, cpe:2.3:a:elastic:elasticsearch:7.1.1:*:*:*:*:*:*:*, cpe:2.3:a:elasticsearch:elasticsearch:7.1.1:*:*:*:*:*:*:*) : CVE-2019-7614, CVE-2019-7619, CVE-2020-7009, CVE-2020-7014, CVE-2020-7019, CVE-2020-7020, CVE-2020-7021
> log4j-1.2.16.jar (pkg:maven/log4j/log4j@1.2.16, cpe:2.3:a:apache:log4j:1.2.16:*:*:*:*:*:*:*) : CVE-2019-17571, CVE-2020-9488
> log4j-1.2.17.jar (pkg:maven/log4j/log4j@1.2.17, cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*) : CVE-2019-17571, CVE-2020-9488
> log4j-api-2.11.1.jar (pkg:maven/org.apache.logging.log4j/log4j-api@2.11.1, cpe:2.3:a:apache:log4j:2.11.1:*:*:*:*:*:*:*) : CVE-2020-9488
> log4j-over-slf4j-1.7.30.jar (pkg:maven/org.slf4j/log4j-over-slf4j@1.7.30, cpe:2.3:a:apache:log4j:1.7.30:*:*:*:*:*:*:*) : CVE-2020-9488
> mongo-java-driver-3.12.7.jar (pkg:maven/org.mongodb/mongo-java-driver@3.12.7, cpe:2.3:a:mongodb:java_driver:3.12.7:*:*:*:*:*:*:*) : CVE-2021-20328
> netty-3.7.0.Final.jar (pkg:maven/io.netty/netty@3.7.0.Final, cpe:2.3:a:netty:netty:3.7.0:*:*:*:*:*:*:*) : CVE-2014-0193, CVE-2014-3488, CVE-2015-2156, CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, POODLE vulnerability in SSLv3.0 support
> netty-transport-4.1.47.Final.jar (pkg:maven/io.netty/netty-transport@4.1.47.Final, cpe:2.3:a:netty:netty:4.1.47:*:*:*:*:*:*:*) : CVE-2021-21290, CVE-2021-21295, CVE-2021-21409
> netty-transport-4.1.52.Final.jar (pkg:maven/io.netty/netty-transport@4.1.52.Final, cpe:2.3:a:netty:netty:4.1.52:*:*:*:*:*:*:*) : CVE-2021-21290, CVE-2021-21295, CVE-2021-21409
> oak-jackrabbit-api-1.34.0.jar (pkg:maven/org.apache.jackrabbit/oak-jackrabbit-api@1.34.0, cpe:2.3:a:apache:jackrabbit:1.34.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:jackrabbit_oak:1.34.0:*:*:*:*:*:*:*) : CVE-2015-1833
> oak-segment-1.6.0.jar (pkg:maven/org.apache.jackrabbit/oak-segment@1.6.0, cpe:2.3:a:apache:jackrabbit:1.6.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:jackrabbit_oak:1.6.0:*:*:*:*:*:*:*) : CVE-2015-1833, CVE-2020-1940
> org.apache.felix.webconsole-4.2.10-all.jar: jquery-1.8.3.js (pkg:javascript/jquery@1.8.3) : CVE-2012-6708, CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023
> org.apache.felix.webconsole-4.2.10-all.jar: jquery-ui-1.9.2.js (pkg:javascript/jquery-ui-dialog@1.9.2, pkg:javascript/jquery-ui-tooltip@1.9.2) : CVE-2010-5312, CVE-2012-6662, CVE-2016-7103
> pom.xml (pkg:maven/org.apache.jackrabbit/oak-jackrabbit-api@1.22.8-SNAPSHOT, cpe:2.3:a:apache:jackrabbit:1.22.8:snapshot:*:*:*:*:*:*, cpe:2.3:a:apache:jackrabbit_oak:1.22.8:snapshot:*:*:*:*:*:*) : CVE-2015-1833
> pom.xml (pkg:maven/org.apache.jackrabbit/oak-solr-core@1.22.8-SNAPSHOT, cpe:2.3:a:apache:jackrabbit_oak:1.22.8:snapshot:*:*:*:*:*:*, cpe:2.3:a:apache:solr:1.22.8:snapshot:*:*:*:*:*:*) : CVE-2012-6612, CVE-2013-6397, CVE-2013-6407, CVE-2013-6408, CVE-2015-8795, CVE-2015-8796, CVE-2015-8797, CVE-2017-3163, CVE-2017-3164, CVE-2018-11802, CVE-2018-1308, CVE-2019-0193, CVE-2020-13941, CVE-2021-27905, CVE-2021-29262, CVE-2021-29943
> org.apache.servicemix.bundles.dom4j-2.1.1_1.jar (pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.dom4j@2.1.1_1, cpe:2.3:a:dom4j_project:dom4j:2.1.1.1:*:*:*:*:*:*:*) : CVE-2020-10683
> org.apache.sling.commons.logservice-1.0.4.jar (pkg:maven/org.apache.sling/org.apache.sling.commons.logservice@1.0.4, cpe:2.3:a:apache:sling:1.0.4:*:*:*:*:*:*:*) : CVE-2016-5394, CVE-2016-6798
> parent-join-client-7.1.1.jar (pkg:maven/org.elasticsearch.plugin/parent-join-client@7.1.1, cpe:2.3:a:elastic:elasticsearch:7.1.1:*:*:*:*:*:*:*, cpe:2.3:a:elasticsearch:elasticsearch:7.1.1:*:*:*:*:*:*:*) : CVE-2019-7614, CVE-2019-7619, CVE-2020-7009, CVE-2020-7014, CVE-2020-7019, CVE-2020-7020, CVE-2020-7021
> pdfbox-2.0.19.jar (pkg:maven/org.apache.pdfbox/pdfbox@2.0.19, cpe:2.3:a:apache:pdfbox:2.0.19:*:*:*:*:*:*:*) : CVE-2021-27807, CVE-2021-27906, CVE-2021-31811, CVE-2021-31812
> preflight-2.0.19.jar (pkg:maven/org.apache.pdfbox/preflight@2.0.19, cpe:2.3:a:apache:pdfbox:2.0.19:*:*:*:*:*:*:*) : CVE-2021-27807, CVE-2021-27906, CVE-2021-31811, CVE-2021-31812
> rank-eval-client-7.1.1.jar (pkg:maven/org.elasticsearch.plugin/rank-eval-client@7.1.1, cpe:2.3:a:elastic:elasticsearch:7.1.1:*:*:*:*:*:*:*, cpe:2.3:a:elasticsearch:elasticsearch:7.1.1:*:*:*:*:*:*:*) : CVE-2019-7614, CVE-2019-7619, CVE-2020-7009, CVE-2020-7014, CVE-2020-7019, CVE-2020-7020, CVE-2020-7021
> sentiment-analysis-parser-0.1.jar (pkg:maven/edu.usc.ir/sentiment-analysis-parser@0.1, cpe:2.3:a:data_tools_project:data_tools:0.1:*:*:*:*:*:*:*) : CVE-2018-18749
> sis-netcdf-1.0.jar (pkg:maven/org.apache.sis.storage/sis-netcdf@1.0, cpe:2.3:a:storage_project:storage:1.0:*:*:*:*:*:*:*) : CVE-2021-20291
> snakeyaml-1.17.jar (pkg:maven/org.yaml/snakeyaml@1.17, cpe:2.3:a:snakeyaml_project:snakeyaml:1.17:*:*:*:*:*:*:*) : CVE-2017-18640
> solr-solrj-8.6.3.jar (pkg:maven/org.apache.solr/solr-solrj@8.6.3, cpe:2.3:a:apache:solr:8.6.3:*:*:*:*:*:*:*) : CVE-2021-27905, CVE-2021-29262, CVE-2021-29943
> spring-core-4.3.24.RELEASE.jar (pkg:maven/org.springframework/spring-core@4.3.24.RELEASE, cpe:2.3:a:pivotal_software:spring_framework:4.3.24:release:*:*:*:*:*:*, cpe:2.3:a:springsource:spring_framework:4.3.24:release:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_framework:4.3.24:release:*:*:*:*:*:*, cpe:2.3:a:vmware:springsource_spring_framework:4.3.24:release:*:*:*:*:*:*) : CVE-2020-5421
> tagsoup-1.2.1.jar (pkg:maven/org.ccil.cowan.tagsoup/tagsoup@1.2.1, cpe:2.3:a:tag_project:tag:1.2.1:*:*:*:*:*:*:*) : CVE-2020-29242, CVE-2020-29243, CVE-2020-29244, CVE-2020-29245
> tika-core-1.24.1.jar (pkg:maven/org.apache.tika/tika-core@1.24.1, cpe:2.3:a:apache:tika:1.24.1:*:*:*:*:*:*:*) : CVE-2021-28657
> vorbis-java-tika-0.8.jar (pkg:maven/org.gagravarr/vorbis-java-tika@0.8, cpe:2.3:a:flac_project:flac:0.8:*:*:*:*:*:*:*) : CVE-2017-6888
> websocket-common-9.4.18.v20190429.jar (pkg:maven/org.eclipse.jetty.websocket/websocket-common@9.4.18.v20190429, cpe:2.3:a:eclipse:jetty:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:java-websocket_project:java-websocket:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:websocket-extensions_project:websocket-extensions:9.4.18:20190429:*:*:*:*:*:*) : CVE-2020-27216, CVE-2020-27218, CVE-2020-27223, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
> websocket-server-9.4.18.v20190429.jar (pkg:maven/org.eclipse.jetty.websocket/websocket-server@9.4.18.v20190429, cpe:2.3:a:eclipse:jetty:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:java-websocket_project:java-websocket:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.18:20190429:*:*:*:*:*:*) : CVE-2020-27216, CVE-2020-27218, CVE-2020-27223, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
> xmpbox-2.0.19.jar (pkg:maven/org.apache.pdfbox/xmpbox@2.0.19, cpe:2.3:a:apache:pdfbox:2.0.19:*:*:*:*:*:*:*) : CVE-2021-27807, CVE-2021-27906, CVE-2021-31811, CVE-2021-31812
> zookeeper-3.4.6.jar (pkg:maven/org.apache.zookeeper/zookeeper@3.4.6, cpe:2.3:a:apache:zookeeper:3.4.6:*:*:*:*:*:*:*) : CVE-2016-5017, CVE-2017-5637, CVE-2018-8012, CVE-2019-0201, CVE-2021-21409
> zookeeper-3.5.7.jar (pkg:maven/org.apache.zookeeper/zookeeper@3.5.7, cpe:2.3:a:apache:zookeeper:3.5.7:*:*:*:*:*:*:*) : CVE-2021-21409
> -1,548 {noformat}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
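The report quoted in the issue is the per-artifact summary the OWASP dependency-check Maven plugin prints: one line per jar, in the shape `<file> (<purl>, <cpe>...) : <finding>, <finding>`. Read raw, it overstates the work (every CVE is repeated once per jar that carries the library, so the five Elasticsearch 7.1.1 client jars contribute the same seven CVEs five times) and hides two things a practitioner cares about: libraries present in more than one version at once (guava 15.0 and 18.0, three Jetty generations), where bumping a single dependency does not clear the finding, and CPE matches that deserve a look before a CVE is treated as real, since the CPE mapping is name based. The script below is an added triage helper, not code from the Oak project or from the dependency-check plugin. It parses lines of this format into records, counts distinct CVEs, lists libraries present in several versions, and flags any CPE vendor:product that is claimed by artifacts from more than one Maven groupId as a review candidate. The sample report is constructed for the example (a few lines copied in the shape of the ones above), and the groupId heuristic is an assumption of this example, not a rule the plugin applies.

```python
"""Triage helper for the per-jar summary lines printed by the OWASP dependency-check
Maven plugin. Added example, not part of the Oak issue or of the plugin itself."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the same shape as the report quoted in the issue. A handful of
# lines exercises every branch; pass the real report text to parse_report() instead.
SAMPLE_REPORT = """\
One or more dependencies were identified with known vulnerabilities in Jackrabbit Oak:
guava-15.0.jar (pkg:maven/com.google.guava/guava@15.0, cpe:2.3:a:google:guava:15.0:*:*:*:*:*:*:*) : CVE-2018-10237, CVE-2020-8908
guava-18.0.jar (pkg:maven/com.google.guava/guava@18.0, cpe:2.3:a:google:guava:18.0:*:*:*:*:*:*:*) : CVE-2018-10237, CVE-2020-8908
log4j-1.2.17.jar (pkg:maven/log4j/log4j@1.2.17, cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*) : CVE-2019-17571, CVE-2020-9488
log4j-over-slf4j-1.7.30.jar (pkg:maven/org.slf4j/log4j-over-slf4j@1.7.30, cpe:2.3:a:apache:log4j:1.7.30:*:*:*:*:*:*:*) : CVE-2020-9488
java-xmlbuilder-1.1.jar (pkg:maven/com.jamesmurty.utils/java-xmlbuilder@1.1) : CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
netty-3.7.0.Final.jar (pkg:maven/io.netty/netty@3.7.0.Final, cpe:2.3:a:netty:netty:3.7.0:*:*:*:*:*:*:*) : CVE-2014-0193, POODLE vulnerability in SSLv3.0 support
org.apache.felix.webconsole-4.2.10-all.jar: jquery-1.8.3.js (pkg:javascript/jquery@1.8.3) : CVE-2012-6708, CVE-2020-11023
"""

# <file> (<identifiers>) : <findings>; the file part may itself contain ": " (nested jar entries).
LINE_RE = re.compile(r"^(?P<file>.+?) \((?P<ids>[^)]*)\) : (?P<findings>.+)$")
# pkg:<type>/[<namespace>/]<name>@<version>; pkg:javascript purls carry no namespace.
PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?:(?P<ns>.+)/)?(?P<name>[^/@]+)@(?P<version>.+)$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass
class Finding:
    file: str
    purl_type: str
    group: str          # Maven groupId / purl namespace ("" when absent)
    artifact: str
    version: str
    cpes: list = field(default_factory=list)   # (vendor, product, version) per cpe:2.3 string
    cves: list = field(default_factory=list)
    other: list = field(default_factory=list)  # non-CVE findings: CWE text, named issues


def parse_line(line):
    """Return a Finding for one report line, or None for header and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    purl, cpes = None, []
    for ident in m.group("ids").split(", "):
        if ident.startswith("pkg:"):
            purl = PURL_RE.match(ident)          # last purl wins if several are listed
        elif ident.startswith("cpe:2.3:"):
            parts = ident.split(":")             # cpe:2.3:part:vendor:product:version:...
            cpes.append((parts[3], parts[4], parts[5]))
    if purl is None:
        return None
    findings = [f.strip() for f in m.group("findings").split(", ")]
    return Finding(
        file=m.group("file"), purl_type=purl.group("type"), group=purl.group("ns") or "",
        artifact=purl.group("name"), version=purl.group("version"), cpes=cpes,
        cves=[f for f in findings if CVE_RE.match(f)],
        other=[f for f in findings if not CVE_RE.match(f)])


def parse_report(text):
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def distinct_cves(findings):
    """Each CVE is listed once per jar; the distinct set is the real triage list."""
    return sorted({cve for f in findings for cve in f.cves})


def multiple_versions(findings):
    """Libraries present in more than one version: one version bump will not clear them."""
    seen = defaultdict(set)
    for f in findings:
        seen[(f.group, f.artifact)].add(f.version)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def cpe_review_candidates(findings):
    """Heuristic (an assumption of this example): a CPE vendor:product claimed by artifacts
    from several groupIds suggests a name-based match; check those before acting on them."""
    groups = defaultdict(set)
    for f in findings:
        for vendor, product, _ in f.cpes:
            groups[(vendor, product)].add(f.group)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    fs = parse_report(SAMPLE_REPORT)
    print(f"{len(fs)} flagged artifacts, {sum(len(f.cves) for f in fs)} CVE entries, "
          f"{len(distinct_cves(fs))} distinct CVEs")
    for (group, art), versions in multiple_versions(fs).items():
        print(f"multiple versions of {group}:{art}: {', '.join(versions)}")
    for (vendor, product), groups in cpe_review_candidates(fs).items():
        print(f"review CPE {vendor}:{product}, matched from groupIds {', '.join(groups)}")
```

On the constructed sample the seven artifacts carry ten CVE entries but only seven distinct CVEs, guava shows up in two versions, and the apache:log4j CPE is claimed by artifacts from the log4j and org.slf4j groupIds. Whether a flagged match is a true or false positive still has to be decided by hand; this only orders the work. Note that the first record in the quoted report is fused onto the header line in the plain-text archive, so split it before feeding the real report to parse_report().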