[jira] [Created] (AMQ-7432) Vulnerable dependencies in your project.(CVEs)

Sun, 01 Mar 2020 05:28:45 -0800 

XuCongying created AMQ-7432:
-------------------------------

             Summary: Vulnerable dependencies in your project.(CVEs)
                 Key: AMQ-7432
                 URL: https://issues.apache.org/jira/browse/AMQ-7432
             Project: ActiveMQ
          Issue Type: Bug
            Reporter: XuCongying


I found your project used some dependencies that contain CVEs. To prevent 
potential security risks it may cause, I suggest to update the library 
dependency. Please note the following details.
 
Vulnerable Library Version: org.apache.hadoop : hadoop-core : 1.0.4
  CVE ID: 
[CVE-2013-2192](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2192)
  Import Path: activemq-leveldb-store/pom.xml
  Suggested Safe Versions: 1.2.1
 
Vulnerable Library Version: io.netty : netty-codec-http : 4.1.43.Final
  CVE ID: 
[CVE-2019-20444](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444),
 [CVE-2020-7238](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7238), 
[CVE-2019-20445](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445)
  Import Path: activemq-amqp/pom.xml
  Suggested Safe Versions: 4.1.44.Final, 4.1.45.Final, 5.0.0.Alpha1, 
5.0.0.Alpha2
 
Vulnerable Library Version: org.fusesource.mqtt-client : mqtt-client : 1.15
  CVE ID: 
[CVE-2019-0222](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0222)
  Import Path: activemq-mqtt/pom.xml, activemq-unit-tests/pom.xml
  Suggested Safe Versions: 1.16
 
Vulnerable Library Version: com.fasterxml.jackson.core : jackson-databind : 
2.9.10.1
  CVE ID: 
[CVE-2020-8840](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8840), 
[CVE-2019-20330](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20330)
  Import Path: activemq-broker/pom.xml, assembly/pom.xml, 
activemq-partition/pom.xml, activemq-leveldb-store/pom.xml, 
activemq-console/pom.xml
  Suggested Safe Versions: 2.10.0, 2.10.1, 2.10.2, 2.9.10.3




--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to