[ https://issues.apache.org/jira/browse/AMBARI-25798?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sandeep Kumar updated AMBARI-25798:
-----------------------------------
    Description: 
CVEs List: 

CVE-2020-25649
A flaw was found in FasterXML Jackson Databind, where it did not have entity 
expansion secured properly. This flaw leaves it vulnerable to XML external 
entity (XXE) attacks. The highest threat from this vulnerability is data 
integrity.

CVE-2020-36518
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial 
of service via a large depth of nested objects.

CVE-2022-42003
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur 
because of a lack of a check in primitive value deserializers to avoid deep 
wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

CVE-2022-42004
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur 
because of a lack of a check in BeanDeserializer._deserializeFromArray to 
prevent use of deeply nested arrays. An application is vulnerable only with 
certain customized choices for deserialization.

  was:
CVE-2018-17196:
In Apache Kafka versions between 0.11.0.0 and 2.1.0, it is possible to manually 
craft a Produce request which bypasses transaction/idempotent ACL validation. 
Only authenticated clients with Write permission on the respective topics are 
able to exploit this vulnerability. Users should upgrade to 2.1.1 or later 
where this vulnerability has been fixed.

CVE-2021-38153:
Some components in Apache Kafka use `Arrays.equals` to validate a password or 
key, which is vulnerable to timing attacks that make brute force attacks for 
such credentials more likely to be successful. Users should upgrade to 2.8.1 or 
higher, or 3.0.0 or higher where this vulnerability has been fixed. The 
affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 
2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 
2.7.0, 2.7.1, and 2.8.0.
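CVE-2021-38153 in the previous description turns on a property of Arrays.equals that can be seen without a stopwatch: it returns at the first mismatching byte, so the amount of work it does depends on how long a correct prefix the guess has. The following is an added example, not code from Kafka, Ambari or this Jira issue. The sample secret and guesses are constructed here, and earlyExitSteps re-implements the Arrays.equals loop with a counter so the leak is observable deterministically rather than through timing noise.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

// Added example (not Kafka or Ambari code): early-exit versus constant-time
// comparison of a stored secret against an attacker-supplied guess.
public class CredentialCompare {

    // Same loop shape as Arrays.equals, instrumented to return how many bytes
    // were examined before the answer was known. That count is what a timing
    // side channel exposes to a remote caller.
    static int earlyExitSteps(byte[] expected, byte[] supplied) {
        if (expected.length != supplied.length) {
            return 0;
        }
        int steps = 0;
        for (int i = 0; i < expected.length; i++) {
            steps++;
            if (expected[i] != supplied[i]) {
                break; // leaks the index of the first mismatch
            }
        }
        return steps;
    }

    // Constant-time comparison: every byte is folded into the result, so the
    // work done does not depend on where (or whether) the inputs differ.
    // Same intent as java.security.MessageDigest.isEqual on current JDKs.
    static boolean constantTimeEquals(byte[] expected, byte[] supplied) {
        if (expected.length != supplied.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < expected.length; i++) {
            diff |= expected[i] ^ supplied[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample: a stored secret and two guesses that each differ
        // from it in exactly one byte, at opposite ends.
        byte[] secret       = "s3cr3t-api-key-0042".getBytes(StandardCharsets.US_ASCII);
        byte[] wrongAtStart = "X3cr3t-api-key-0042".getBytes(StandardCharsets.US_ASCII);
        byte[] wrongAtEnd   = "s3cr3t-api-key-004X".getBytes(StandardCharsets.US_ASCII);

        // Both guesses are wrong, but Arrays.equals does very different amounts
        // of work for them. An attacker measuring response time learns that the
        // second guess shares a longer correct prefix and extends it byte by byte.
        System.out.printf("Arrays.equals(wrongAtStart) = %b after %d byte(s)%n",
                Arrays.equals(secret, wrongAtStart), earlyExitSteps(secret, wrongAtStart));
        System.out.printf("Arrays.equals(wrongAtEnd)   = %b after %d byte(s)%n",
                Arrays.equals(secret, wrongAtEnd), earlyExitSteps(secret, wrongAtEnd));

        // The replacements examine every byte on every call.
        System.out.printf("MessageDigest.isEqual(wrongAtEnd) = %b%n",
                MessageDigest.isEqual(secret, wrongAtEnd));
        System.out.printf("constantTimeEquals(wrongAtEnd)    = %b%n",
                constantTimeEquals(secret, wrongAtEnd));
        System.out.printf("constantTimeEquals(secret)        = %b%n",
                constantTimeEquals(secret, secret.clone()));
    }
}
```

The step counts are the point: a credential check whose duration tracks prefix correctness turns a brute-force search over the whole credential space into extending a known-good prefix one byte at a time, which is the attack the advisory describes. When auditing a code base for this pattern, any Arrays.equals or String.equals whose operands include a password, token, MAC or key is a candidate for replacement with MessageDigest.isEqual or an equivalent constant-time comparison.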


> Upgrade jackson-databind version to 2.12.7.1
> --------------------------------------------
>
>                 Key: AMBARI-25798
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25798
>             Project: Ambari
>          Issue Type: Story
>            Reporter: Sandeep Kumar
>            Priority: Major
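CVE-2020-36518, CVE-2022-42003 and CVE-2022-42004 share one failure mode: a recursive deserializer follows attacker-controlled nesting until the JVM stack overflows. The following is an added example, not code from this Jira issue, Ambari or the Jackson project. It assumes jackson-databind 2.x on the classpath; the class name NestingDepthCheck, the MAX_DEPTH value of 500 and the nestedArrays payload generator are choices made here. The depth guard uses only the streaming parser, which is iterative, so it bounds nesting before any recursive binding runs and does not depend on the limit the upgraded version adds internally.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

// Added example (not Ambari or Jackson project code): the nested-array payload
// shape behind the listed CVEs, plus a depth guard that runs before binding.
public class NestingDepthCheck {

    // Upper bound on structural nesting we are willing to bind. Chosen for this
    // example; size it to the deepest legitimate document the service expects.
    static final int MAX_DEPTH = 500;

    // Builds [[[...1...]]] with the given number of wrapping arrays. Constructed
    // attack input: the shape CVE-2022-42003 describes for primitive value
    // deserializers when UNWRAP_SINGLE_VALUE_ARRAYS is enabled.
    static String nestedArrays(int levels) {
        StringBuilder sb = new StringBuilder(levels * 2 + 1);
        for (int i = 0; i < levels; i++) {
            sb.append('[');
        }
        sb.append('1');
        for (int i = 0; i < levels; i++) {
            sb.append(']');
        }
        return sb.toString();
    }

    // Walks the token stream without building a tree or invoking any
    // deserializer. The streaming parser is iterative, so this loop cannot
    // overflow the stack; it throws IOException as soon as nesting exceeds
    // maxDepth and otherwise returns the deepest level seen.
    static int checkDepth(JsonFactory factory, String json, int maxDepth) throws IOException {
        int depth = 0;
        int maxSeen = 0;
        try (JsonParser p = factory.createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t.isStructStart()) {
                    depth++;
                    if (depth > maxDepth) {
                        throw new IOException("JSON nesting depth " + depth
                                + " exceeds limit " + maxDepth);
                    }
                    maxSeen = Math.max(maxSeen, depth);
                } else if (t.isStructEnd()) {
                    depth--;
                }
            }
        }
        return maxSeen;
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        // The feature named in CVE-2022-42003: with it enabled, a primitive
        // deserializer unwraps single-element arrays recursively.
        mapper.enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        JsonFactory factory = mapper.getFactory();

        String benign = nestedArrays(3);
        String hostile = nestedArrays(100_000);

        System.out.println("benign depth: " + checkDepth(factory, benign, MAX_DEPTH));
        System.out.println("benign value: " + mapper.readValue(benign, Integer.class));

        try {
            checkDepth(factory, hostile, MAX_DEPTH);
            // Not reached: the guard above throws first. Without the guard, an
            // affected release recurses once per array level here, and the
            // resulting StackOverflowError unwinds past any IOException handler.
            mapper.readValue(hostile, Integer.class);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile against the jackson-databind version actually resolved on the classpath (for a Maven build, the effective version is what dependency:tree reports for com.fasterxml.jackson.core:jackson-databind, not what a single pom declares) and route untrusted JSON through checkDepth before readValue. The version bump closes the specific recursion paths the CVEs name; a depth bound in front of every ObjectMapper that reads external input covers the same class of problem independently of which release is shipped.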



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
