cyxu2 opened a new issue #3920: Vulnerable dependencies in your project.(CVEs) URL: https://github.com/apache/cloudstack/issues/3920 Hi, I noticed that your project are using vulnerable libraries which are related to some CVEs. To prevent potential risk it may cause, I suggest a library update. See below for more details: * **Vulnerable Library Version:** io.netty : netty-all : 4.0.33.Final **CVE ID:** [CVE-2016-4970](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4970) **Import Path:** services/secondary-storage/server/pom.xml **Suggested Safe Versions:** 4.0.37.Final, 4.0.38.Final, 4.0.39.Final, 4.0.40.Final, 4.0.41.Final, 4.0.42.Final, 4.0.43.Final, 4.0.44.Final, 4.0.45.Final, 4.0.46.Final, 4.0.47.Final, 4.0.48.Final, 4.0.49.Final, 4.0.50.Final, 4.0.51.Final, 4.0.52.Final, 4.0.53.Final, 4.0.54.Final, 4.0.55.Final, 4.0.56.Final, 4.1.1.Final, 4.1.10.Final, 4.1.11.Final, 4.1.12.Final, 4.1.13.Final, 4.1.14.Final, 4.1.15.Final, 4.1.16.Final, 4.1.17.Final, 4.1.18.Final, 4.1.19.Final, 4.1.2.Final, 4.1.20.Final, 4.1.21.Final, 4.1.22.Final, 4.1.23.Final, 4.1.24.Final, 4.1.25.Final, 4.1.26.Final, 4.1.27.Final, 4.1.28.Final, 4.1.29.Final, 4.1.3.Final, 4.1.30.Final, 4.1.31.Final, 4.1.32.Final, 4.1.33.Final, 4.1.34.Final, 4.1.35.Final, 4.1.36.Final, 4.1.37.Final, 4.1.38.Final, 4.1.39.Final, 4.1.4.Final, 4.1.40.Final, 4.1.41.Final, 4.1.42.Final, 4.1.43.Final, 4.1.44.Final, 4.1.45.Final, 4.1.5.Final, 4.1.6.Final, 4.1.7.Final, 4.1.8.Final, 4.1.9.Final, 5.0.0.Alpha1, 5.0.0.Alpha2 * **Vulnerable Library Version:** org.bouncycastle : bcpkix-jdk15on : 1.59 **CVE ID:** [CVE-2018-1000613](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000613) **Import Path:** utils/pom.xml **Suggested Safe Versions:** 1.60, 1.61, 1.62, 1.63, 1.64 * **Vulnerable Library Version:** com.google.guava : guava : 23.6-jre **CVE ID:** [CVE-2018-10237](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237) **Import Path:** framework/events/pom.xml, plugins/network-elements/juniper-contrail/pom.xml, plugins/hypervisors/simulator/pom.xml **Suggested Safe Versions:** 24.1.1-android, 24.1.1-jre, 25.0-android, 25.0-jre, 25.1-android, 25.1-jre, 26.0-android, 26.0-jre, 27.0-android, 27.0-jre, 27.0.1-android, 27.0.1-jre, 27.1-android, 27.1-jre, 28.0-android, 28.0-jre, 28.1-android, 28.1-jre, 28.2-android, 28.2-jre * **Vulnerable Library Version:** xerces : xercesImpl : 2.11.0 **CVE ID:** [CVE-2012-0881](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881), [CVE-2013-4002](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002) **Import Path:** plugins/user-authenticators/saml2/pom.xml **Suggested Safe Versions:** 2.12.0 * **Vulnerable Library Version:** org.eclipse.jetty : jetty-util : 9.4.8.v20171121 **CVE ID:** [CVE-2019-10246](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10246), [CVE-2019-10241](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241), [CVE-2018-12536](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536) **Import Path:** client/pom.xml **Suggested Safe Versions:** 10.0.0-alpha0, 10.0.0.alpha1, 9.4.17.v20190418, 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 9.4.21.v20190926, 9.4.22.v20191022, 9.4.23.v20191118, 9.4.24.v20191120, 9.4.25.v20191220, 9.4.26.v20200117 * **Vulnerable Library Version:** com.thoughtworks.xstream : xstream : 1.4.10 **CVE ID:** [CVE-2019-10173](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10173) **Import Path:** server/pom.xml **Suggested Safe Versions:** 1.4.11, 1.4.11-java7, 1.4.11.1 * **Vulnerable Library Version:** org.springframework : spring-web : 5.0.2.RELEASE **CVE ID:** [CVE-2018-15756](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15756), [CVE-2018-11039](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11039), [CVE-2020-5398](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5398) **Import Path:** server/pom.xml, framework/spring/module/pom.xml, engine/service/pom.xml **Suggested Safe Versions:** 5.0.16.RELEASE, 5.1.13.RELEASE, 5.2.3.RELEASE * **Vulnerable Library Version:** org.apache.cxf : cxf-rt-frontend-jaxrs : 3.2.0 **CVE ID:** [CVE-2017-12624](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12624) **Import Path:** framework/rest/pom.xml **Suggested Safe Versions:** 3.2.1, 3.2.10, 3.2.11, 3.2.12, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5 * **Vulnerable Library Version:** org.apache.kafka : kafka-clients : 0.11.0.1 **CVE ID:** [CVE-2017-12610](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12610) **Import Path:** plugins/event-bus/kafka/pom.xml **Suggested Safe Versions:** 0.11.0.2, 0.11.0.3, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0 * **Vulnerable Library Version:** com.fasterxml.jackson.core : jackson-databind : 2.9.2 **CVE ID:** [CVE-2017-17485](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485), [CVE-2020-8840](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8840), [CVE-2019-20330](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20330), [CVE-2019-16943](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943), [CVE-2019-12384](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384), [CVE-2019-14439](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439), [CVE-2018-12023](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12023), [CVE-2018-19362](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362), [CVE-2018-19361](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361), [CVE-2018-14721](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721), [CVE-2018-14719](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14719), [CVE-2018-7489](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489), [CVE-2019-17531](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531), [CVE-2019-12086](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086), [CVE-2019-12814](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814), [CVE-2018-14718](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14718), [CVE-2018-11307](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11307), [CVE-2019-14379](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379), [CVE-2018-19360](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360), [CVE-2018-14720](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14720), [CVE-2019-16942](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942) **Import Path:** utils/pom.xml, framework/rest/pom.xml, plugins/integrations/cloudian/pom.xml **Suggested Safe Versions:** 2.10.0, 2.10.1, 2.10.2, 2.9.10.3 * **Vulnerable Library Version:** org.eclipse.jetty : jetty-server : 9.4.8.v20171121 **CVE ID:** [CVE-2019-10247](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247), [CVE-2017-7658](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658), [CVE-2017-7656](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7656), [CVE-2017-7657](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657), [CVE-2018-12538](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12538), [CVE-2018-12536](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536) **Import Path:** client/pom.xml **Suggested Safe Versions:** 10.0.0-alpha0, 10.0.0.alpha1, 9.4.17.v20190418, 9.4.18.v20190429, 9.4.19.v20190610, 9.4.20.v20190813, 9.4.24.v20191120, 9.4.25.v20191220, 9.4.26.v20200117 * **Vulnerable Library Version:** com.unboundid : unboundid-ldapsdk : 4.0.4 **CVE ID:** [CVE-2018-1000134](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000134) **Import Path:** plugins/user-authenticators/ldap/pom.xml **Suggested Safe Versions:** 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.0.14, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9 * **Vulnerable Library Version:** org.apache.commons : commons-compress : 1.15 **CVE ID:** [CVE-2018-1324](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1324), [CVE-2019-12402](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402), [CVE-2018-11771](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771) **Import Path:** core/pom.xml **Suggested Safe Versions:** 1.19, 1.20 * **Vulnerable Library Version:** mysql : mysql-connector-java : 5.1.34 **CVE ID:** [CVE-2019-2692](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2692), [CVE-2017-3523](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3523), [CVE-2017-3589](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3589), [CVE-2017-3586](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3586), [CVE-2015-2575](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2575) **Import Path:** tools/devcloud-kvm/pom.xml, tools/devcloud4/pom.xml, utils/pom.xml, plugins/storage/volume/cloudbyte/pom.xml, plugins/network-elements/juniper-contrail/pom.xml, plugins/database/mysql-ha/pom.xml, plugins/database/quota/pom.xml, usage/pom.xml, client/pom.xml **Suggested Safe Versions:** 8.0.16, 8.0.17, 8.0.18, 8.0.19 * **Vulnerable Library Version:** org.apache.tomcat.embed : tomcat-embed-core : 8.0.30 **CVE ID:** [CVE-2016-0762](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0762), [CVE-2015-5346](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5346), [CVE-2017-5664](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664), [CVE-2016-0706](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0706), [CVE-2017-5647](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5647), [CVE-2017-12617](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617), [CVE-2016-3092](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092), [CVE-2016-6797](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6797), [CVE-2016-0763](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0763), [CVE-2017-5648](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5648), [CVE-2016-0714](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714) **Import Path:** services/console-proxy/rdpconsole/pom.xml **Suggested Safe Versions:** 10.0.0-M1, 8.0.47, 8.0.48, 8.0.49, 8.0.50, 8.0.51, 8.0.52, 8.0.53, 8.5.41, 8.5.42, 8.5.43, 8.5.45, 8.5.46, 8.5.47, 8.5.49, 8.5.50, 8.5.51, 9.0.27, 9.0.29, 9.0.30, 9.0.31 * **Vulnerable Library Version:** com.rabbitmq : amqp-client : 5.1.1 **CVE ID:** [CVE-2018-11087](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11087) **Import Path:** plugins/event-bus/rabbitmq/pom.xml **Suggested Safe Versions:** 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.6.0, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.8.0 * **Vulnerable Library Version:** org.bouncycastle : bcprov-jdk15on : 1.59 **CVE ID:** [CVE-2018-1000613](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000613), [CVE-2018-5382](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5382) **Import Path:** services/console-proxy/rdpconsole/pom.xml, utils/pom.xml **Suggested Safe Versions:** 1.60, 1.61, 1.62, 1.64
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
