hansva opened a new issue, #2250:
URL: https://github.com/apache/hop/issues/2250
### What needs to happen?
|Package|Vulnerability ID |Severity|Installed Version|Fixed Version |PkgPath
|Description|
|-------------------------------------------|-------------------|--------|-----------------|--------------------------------------------|--------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|com.fasterxml.jackson.core:jackson-databind|CVE-2017-15095
|CRITICAL|2.4.0|2.7.9.2, 2.8.10,
2.9.1|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |A
deserialization flaw was discovered in the jackson-databind in versions before
2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code
execution by sending the maliciously crafted input to the readValue method of
the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by
blacklisting more classes that could be used maliciously.|
|com.fasterxml.jackson.core:jackson-databind|CVE-2018-11307
|CRITICAL|2.4.0|2.7.9.4, 2.8.11.2,
2.9.6|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |An
issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of
Jackson default typing along with a gadget class from iBatis allows
exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.|
|com.fasterxml.jackson.core:jackson-databind|CVE-2018-14718
|CRITICAL|2.4.0|2.6.7.2,
2.9.7|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar
|FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to
execute arbitrary code by leveraging failure to block the slf4j-ext class from
polymorphic deserialization. |
|com.fasterxml.jackson.core:jackson-databind|CVE-2018-7489|CRITICAL|2.4.0|2.7.9.3,
2.8.11.1,
2.9.5|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar
|FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x
before 2.9.5 allows unauthenticated remote code execution because of an
incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable
by sending maliciously crafted JSON input to the readValue method of the
ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries
are available in the classpath.|
|com.fasterxml.jackson.core:jackson-databind|CVE-2019-14540
|CRITICAL|2.4.0|2.9.10|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar
|A Polymorphic Typing issue was discovered in FasterXML jackson-databind
before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig. |
|com.fasterxml.jackson.core:jackson-databind|CVE-2019-14893
|CRITICAL|2.4.0|2.8.11.5,
2.9.10|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar |A
flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10
and 2.10.0, where it would permit polymorphic deserialization of malicious
objects using the xalan JNDI gadget when used in conjunction with polymorphic
type handling methods such as \`enableDefaultTyping()\` or when @JsonTypeInfo
is using \`Id.CLASS\` or \`Id.MINIMAL_CLASS\` or in any other way which
ObjectMapper.readValue might instantiate objects from unsafe sources. An
attacker could use this flaw to execute arbitrary code. |
|com.fasterxml.jackson.core:jackson-databind|CVE-2019-16335
|CRITICAL|2.4.0|2.9.10|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar
|A Polymorphic Typing issue was discovered in FasterXML jackson-databind
before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a
different vulnerability than CVE-2019-14540.|
|com.fasterxml.jackson.core:jackson-databind|CVE-2019-16942
|CRITICAL|2.4.0|2.9.10.1|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar
|A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0
through 2.9.10. When Default Typing is enabled (either globally or for a
specific property) for an externally exposed JSON endpoint and the service has
the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI
service endpoint to access, it is possible to make the service execute a
malicious payload. This issue exists because of
org.apache.commons.dbcp.datasources.SharedPoolDataSource and
org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. |
|com.fasterxml.jackson.core:jackson-databind|CVE-2019-16943
|CRITICAL|2.4.0|2.9.10.1|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar
|A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0
through 2.9.10. When Default Typing is enabled (either globally or for a
specific property) for an externally exposed JSON endpoint and the service has
the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service
endpoint to access, it is possible to make the service execute a malicious
payload. This issue exists because of com.p6spy.engine.spy.P6DataSource
mishandling. |
|com.fasterxml.jackson.core:jackson-databind|CVE-2019-17267
|CRITICAL|2.4.0|2.9.10|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar
|A Polymorphic Typing issue was discovered in FasterXML jackson-databind
before 2.9.10. It is related to
net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.|
|com.fasterxml.jackson.core:jackson-databind|CVE-2019-17531
|CRITICAL|2.4.0|2.9.10.1|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar
|A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0
through 2.9.10. When Default Typing is enabled (either globally or for a
specific property) for an externally exposed JSON endpoint and the service has
the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker
can provide a JNDI service to access, it is possible to make the service
execute a malicious payload.|
|com.fasterxml.jackson.core:jackson-databind|CVE-2019-20330
|CRITICAL|2.4.0|2.8.11.5,
2.9.10.2|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar
|FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache
blocking. |
|org.apache.commons:commons-text|CVE-2022-42889
|CRITICAL|1.9|1.10.0|opt/hop/hop/plugins/engines/beam/lib/commons-text-1.9.jar
|Apache Commons Text performs variable interpolation, allowing properties to be
dynamically evaluated and expanded. The standard format for interpolation is
"${prefix:name}", where "prefix" is used to locate an instance of
org.apache.commons.text.lookup.StringLookup that performs the interpolation.
Starting with version 1.5 and continuing through 1.9, the set of default Lookup
instances included interpolators that could result in arbitrary code execution
or contact with remote servers. These lookups are: - "script" - execute
expressions using the JVM script execution engine (javax.script) - "dns" -
resolve dns records - "url" - load values from urls, including from remote
servers Applications using the interpolation defaults in the affected versions
may be vulnerable to remote code execution or unintentional contact with remote
servers if untrusted configu
ration values are used. Users are recommended to upgrade to Apache Commons
Text 1.10.0, which disables the problematic interpolators by default. |
|com.fasterxml.jackson.core:jackson-databind|CVE-2020-36518 |HIGH|2.11.4
|2.12.6.1,
2.13.2.1|opt/hop/hop/plugins/tech/parquet/lib/parquet-jackson-1.12.0.jar
|jackson-databind before 2.13.0 allows a Java StackOverflow exception and
denial of service via a large depth of nested objects. |
|com.fasterxml.jackson.core:jackson-databind|CVE-2022-42003 |HIGH|2.11.4
|2.12.7.1,
2.13.4.1|opt/hop/hop/plugins/tech/parquet/lib/parquet-jackson-1.12.0.jar |In
FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur
because of a lack of a check in primitive value deserializers to avoid deep
wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
Additional fix version in 2.13.4.1 and 2.12.17.1|
|com.fasterxml.jackson.core:jackson-databind|CVE-2022-42004 |HIGH|2.11.4
|2.12.7.1,
2.13.4|opt/hop/hop/plugins/tech/parquet/lib/parquet-jackson-1.12.0.jar |In
FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because
of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use
of deeply nested arrays. An application is vulnerable only with certain
customized choices for deserialization.|
|com.fasterxml.jackson.core:jackson-databind|CVE-2022-42003 |HIGH|2.12.7
|2.12.7.1,
2.13.4.1|opt/hop/hop/plugins/engines/beam/lib/hadoop-client-runtime-3.3.4.jar|In
FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur
because of a lack of a check in primitive value deserializers to avoid deep
wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
Additional fix version in 2.13.4.1 and 2.12.17.1|
|com.fasterxml.jackson.core:jackson-databind|CVE-2022-42003 |HIGH|2.12.7
|2.12.7.1,
2.13.4.1|opt/hop/hop/plugins/tech/parquet/lib/hadoop-client-runtime-3.3.4.jar|In
FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur
because of a lack of a check in primitive value deserializers to avoid deep
wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
Additional fix version in 2.13.4.1 and 2.12.17.1|
|com.fasterxml.jackson.core:jackson-databind|CVE-2022-42004 |HIGH|2.12.7
|2.12.7.1,
2.13.4|opt/hop/hop/plugins/engines/beam/lib/hadoop-client-runtime-3.3.4.jar|In
FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because
of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use
of deeply nested arrays. An application is vulnerable only with certain
customized choices for deserialization.|
|com.fasterxml.jackson.core:jackson-databind|CVE-2022-42004 |HIGH|2.12.7
|2.12.7.1,
2.13.4|opt/hop/hop/plugins/tech/parquet/lib/hadoop-client-runtime-3.3.4.jar|In
FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because
of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use
of deeply nested arrays. An application is vulnerable only with certain
customized choices for deserialization.|
|com.fasterxml.jackson.core:jackson-databind|CVE-2018-5968|HIGH|2.4.0|2.7.9.5,
2.8.11.1,
2.9.4|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar
|FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows
unauthenticated remote code execution because of an incomplete fix for the
CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via
two different gadgets that bypass a blacklist.|
|com.fasterxml.jackson.core:jackson-databind|CVE-2020-10650
|HIGH|2.4.0|2.9.10.4|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar
|A deserialization flaw was discovered in jackson-databind through 2.9.10.4.
It could allow an unauthenticated user to perform code execution via ignite-jta
or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup,
org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and
org.quartz.utils.JNDIConnectionProvider. |
|com.fasterxml.jackson.core:jackson-databind|CVE-2020-35490
|HIGH|2.4.0|2.9.10.8|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar
|FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction
between serialization gadgets and typing, related to
org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.|
|com.fasterxml.jackson.core:jackson-databind|CVE-2020-35491
|HIGH|2.4.0|2.9.10.8|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar
|FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction
between serialization gadgets and typing, related to
org.apache.commons.dbcp2.datasources.SharedPoolDataSource. |
|com.fasterxml.jackson.core:jackson-databind|CVE-2020-36518
|HIGH|2.4.0|2.12.6.1,
2.13.2.1|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar
|jackson-databind before 2.13.0 allows a Java StackOverflow exception and
denial of service via a large depth of nested objects. |
|com.fasterxml.jackson.core:jackson-databind|CVE-2022-42003
|HIGH|2.4.0|2.12.7.1,
2.13.4.1|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar
|In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur
because of a lack of a check in primitive value deserializers to avoid deep
wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
Additional fix version in 2.13.4.1 and 2.12.17.1|
|com.fasterxml.jackson.core:jackson-databind|CVE-2022-42004
|HIGH|2.4.0|2.12.7.1,
2.13.4|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar
|In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur
because of a lack of a check in BeanDeserializer._deserializeFromArray to
prevent use of deeply nested arrays. An application is vulnerable only with
certain customized choices for deserialization.|
|com.fasterxml.woodstox:woodstox-core |CVE-2022-40151 |HIGH|5.3.0|5.4.0,
6.4.0|opt/hop/hop/plugins/engines/beam/lib/hadoop-client-runtime-3.3.4.jar|Those
using Xstream to seralize XML data may be vulnerable to Denial of Service
attacks (DOS). If the parser is running on user supplied input, an attacker may
supply content that causes the parser to crash by stackoverflow. This effect
may support a denial of service attack.|
|com.fasterxml.woodstox:woodstox-core |CVE-2022-40151 |HIGH|5.3.0|5.4.0,
6.4.0|opt/hop/hop/plugins/tech/parquet/lib/hadoop-client-runtime-3.3.4.jar|Those
using Xstream to seralize XML data may be vulnerable to Denial of Service
attacks (DOS). If the parser is running on user supplied input, an attacker may
supply content that causes the parser to crash by stackoverflow. This effect
may support a denial of service attack.|
|com.fasterxml.woodstox:woodstox-core |CVE-2022-40152 |HIGH|5.3.0|5.4.0,
6.4.0|opt/hop/hop/plugins/engines/beam/lib/hadoop-client-runtime-3.3.4.jar|Those
using Woodstox to parse XML data may be vulnerable to Denial of Service
attacks (DOS) if DTD support is enabled. If the parser is running on user
supplied input, an attacker may supply content that causes the parser to crash
by stackoverflow. This effect may support a denial of service attack.|
|com.fasterxml.woodstox:woodstox-core |CVE-2022-40152 |HIGH|5.3.0|5.4.0,
6.4.0|opt/hop/hop/plugins/tech/parquet/lib/hadoop-client-runtime-3.3.4.jar|Those
using Woodstox to parse XML data may be vulnerable to Denial of Service
attacks (DOS) if DTD support is enabled. If the parser is running on user
supplied input, an attacker may supply content that causes the parser to crash
by stackoverflow. This effect may support a denial of service attack.|
|com.google.protobuf:protobuf-java|CVE-2022-3171|HIGH|3.19.3 |3.16.3,
3.19.6, 3.20.3, 3.21.7|opt/hop/hop/lib/core/sshlib-2.2.21.jar|A parsing issue
with binary data in protobuf-java core and lite versions prior to 3.21.7,
3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs
containing multiple instances of non-repeated embedded messages with repeated
or unknown fields causes objects to be converted back-n-forth between mutable
and immutable forms, resulting in potentially long garbage collection pauses.
We recommend updating to the versions mentioned above. |
|com.google.protobuf:protobuf-java|CVE-2022-3171|HIGH|3.19.3 |3.16.3,
3.19.6, 3.20.3,
3.21.7|opt/hop/hop/plugins/transforms/ssh/lib/sshlib-2.2.21.jar|A parsing issue
with binary data in protobuf-java core and lite versions prior to 3.21.7,
3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs
containing multiple instances of non-repeated embedded messages with repeated
or unknown fields causes objects to be converted back-n-forth between mutable
and immutable forms, resulting in potentially long garbage collection pauses.
We recommend updating to the versions mentioned above. |
|com.google.protobuf:protobuf-java|CVE-2022-3509|HIGH|3.19.3 |3.16.3,
3.19.6, 3.20.3, 3.21.7|opt/hop/hop/lib/core/sshlib-2.2.21.jar|A parsing issue
similar to CVE-2022-3171, but with textformat in protobuf-java core and lite
versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of
service attack. Inputs containing multiple instances of non-repeated embedded
messages with repeated or unknown fields causes objects to be converted
back-n-forth between mutable and immutable forms, resulting in potentially long
garbage collection pauses. We recommend updating to the versions mentioned
above.|
|com.google.protobuf:protobuf-java|CVE-2022-3509|HIGH|3.19.3 |3.16.3,
3.19.6, 3.20.3,
3.21.7|opt/hop/hop/plugins/transforms/ssh/lib/sshlib-2.2.21.jar|A parsing issue
similar to CVE-2022-3171, but with textformat in protobuf-java core and lite
versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of
service attack. Inputs containing multiple instances of non-repeated embedded
messages with repeated or unknown fields causes objects to be converted
back-n-forth between mutable and immutable forms, resulting in potentially long
garbage collection pauses. We recommend updating to the versions mentioned
above.|
|com.google.protobuf:protobuf-java|CVE-2022-3510|HIGH|3.19.3 |3.16.3,
3.19.6, 3.20.3, 3.21.7|opt/hop/hop/lib/core/sshlib-2.2.21.jar|A parsing issue
similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java
core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a
denial of service attack. Inputs containing multiple instances of non-repeated
embedded messages with repeated or unknown fields causes objects to be
converted back-n-forth between mutable and immutable forms, resulting in
potentially long garbage collection pauses. We recommend updating to the
versions mentioned above. |
|com.google.protobuf:protobuf-java|CVE-2022-3510|HIGH|3.19.3 |3.16.3,
3.19.6, 3.20.3,
3.21.7|opt/hop/hop/plugins/transforms/ssh/lib/sshlib-2.2.21.jar|A parsing issue
similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java
core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a
denial of service attack. Inputs containing multiple instances of non-repeated
embedded messages with repeated or unknown fields causes objects to be
converted back-n-forth between mutable and immutable forms, resulting in
potentially long garbage collection pauses. We recommend updating to the
versions mentioned above. |
|com.google.protobuf:protobuf-java|CVE-2022-3171|HIGH|3.21.1 |3.16.3,
3.19.6, 3.20.3, 3.21.7|opt/hop/hop/lib/beam/beam-vendor-grpc-1_48_1-0.1.jar|A
parsing issue with binary data in protobuf-java core and lite versions prior to
3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack.
Inputs containing multiple instances of non-repeated embedded messages with
repeated or unknown fields causes objects to be converted back-n-forth between
mutable and immutable forms, resulting in potentially long garbage collection
pauses. We recommend updating to the versions mentioned above. |
|com.google.protobuf:protobuf-java|CVE-2022-3509|HIGH|3.21.1 |3.16.3,
3.19.6, 3.20.3, 3.21.7|opt/hop/hop/lib/beam/beam-vendor-grpc-1_48_1-0.1.jar|A
parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java
core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a
denial of service attack. Inputs containing multiple instances of non-repeated
embedded messages with repeated or unknown fields causes objects to be
converted back-n-forth between mutable and immutable forms, resulting in
potentially long garbage collection pauses. We recommend updating to the
versions mentioned above.|
|com.google.protobuf:protobuf-java|CVE-2022-3510|HIGH|3.21.1 |3.16.3,
3.19.6, 3.20.3, 3.21.7|opt/hop/hop/lib/beam/beam-vendor-grpc-1_48_1-0.1.jar|A
parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in
protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3
can lead to a denial of service attack. Inputs containing multiple instances of
non-repeated embedded messages with repeated or unknown fields causes objects
to be converted back-n-forth between mutable and immutable forms, resulting in
potentially long garbage collection pauses. We recommend updating to the
versions mentioned above. |
|com.google.protobuf:protobuf-java|CVE-2022-3171|HIGH|3.7.1|3.16.3, 3.19.6,
3.20.3,
3.21.7|opt/hop/hop/plugins/engines/beam/lib/hadoop-client-runtime-3.3.4.jar|A
parsing issue with binary data in protobuf-java core and lite versions prior to
3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack.
Inputs containing multiple instances of non-repeated embedded messages with
repeated or unknown fields causes objects to be converted back-n-forth between
mutable and immutable forms, resulting in potentially long garbage collection
pauses. We recommend updating to the versions mentioned above. |
|com.google.protobuf:protobuf-java|CVE-2022-3171|HIGH|3.7.1|3.16.3, 3.19.6,
3.20.3,
3.21.7|opt/hop/hop/plugins/tech/parquet/lib/hadoop-client-runtime-3.3.4.jar|A
parsing issue with binary data in protobuf-java core and lite versions prior to
3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack.
Inputs containing multiple instances of non-repeated embedded messages with
repeated or unknown fields causes objects to be converted back-n-forth between
mutable and immutable forms, resulting in potentially long garbage collection
pauses. We recommend updating to the versions mentioned above. |
|io.netty:netty-all |CVE-2022-41881 |HIGH|4.1.85.Final
|4.1.86|opt/hop/hop/lib/beam/netty-all-4.1.85.Final.jar |Netty project is an
event-driven asynchronous network application framework. In versions prior to
4.1.86.Final, a StackOverflowError can be raised when parsing a malformed
crafted message due to an infinite recursion. This issue is patched in version
4.1.86.Final. There is no workaround, except using a custom
HaProxyMessageDecoder. |
|io.netty:netty-codec |CVE-2021-37136 |HIGH|4.1.66.Final
|4.1.68|opt/hop/hop/plugins/tech/neo4j/lib/neo4j-java-driver-4.3.4.jar|The
Bzip2 decompression decoder function doesn't allow setting size restrictions on
the decompressed output data (which affects the allocation size used during
decompression). All users of Bzip2Decoder are affected. The malicious input can
trigger an OOME and so a DoS attack |
|io.netty:netty-codec |CVE-2021-37137 |HIGH|4.1.66.Final
|4.1.68|opt/hop/hop/plugins/tech/neo4j/lib/neo4j-java-driver-4.3.4.jar|The
Snappy frame decoder function doesn't restrict the chunk length which may lead
to excessive memory usage. Beside this it also may buffer reserved skippable
chunks until the whole chunk was received which may lead to excessive memory
usage as well. This vulnerability can be triggered by supplying malicious input
that decompresses to a very big size (via a network stream or a file) or by
sending a huge skippable chunk.|
|io.netty:netty-codec-haproxy |CVE-2022-41881 |HIGH|4.1.85.Final
|4.1.86.Final|opt/hop/hop/lib/beam/netty-codec-haproxy-4.1.85.Final.jar |Netty
project is an event-driven asynchronous network application framework. In
versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing
a malformed crafted message due to an infinite recursion. This issue is patched
in version 4.1.86.Final. There is no workaround, except using a custom
HaProxyMessageDecoder. |
|org.eclipse.jetty:jetty-client |CVE-2020-27216 |HIGH|9.4.28.v20200408
|9.4.33.v20201020, 10.0.0.beta3,
11.0.0.beta3|opt/hop/hop/lib/core/jetty-client-9.4.28.v20200408.jar|In Eclipse
Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and
11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary
directory is shared between all users on that system. A collocated user can
observe the process of creating a temporary sub directory in the shared
temporary directory and race to complete the creation of the temporary
subdirectory. If the attacker wins the race then they will have read and write
permission to the subdirectory used to unpack web applications, including their
WEB-INF/lib jar files and JSP files. If any code is ever executed out of this
temporary directory, this can lead to a local privilege escalation
vulnerability.|
|org.eclipse.jetty:jetty-client |CVE-2021-28165 |HIGH|9.4.28.v20200408
|9.4.39.v20210325, 10.0.2,
11.0.2|opt/hop/hop/lib/core/jetty-client-9.4.28.v20200408.jar|In Eclipse Jetty
7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU
usage can reach 100% upon receiving a large invalid TLS frame.|
|org.eclipse.jetty:jetty-http |CVE-2021-28165 |HIGH|9.4.35.v20201120
|9.4.39.v20210325, 10.0.2,
11.0.2|opt/hop/hop/lib/core/jetty-http-9.4.35.v20201120.jar|In Eclipse Jetty
7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU
usage can reach 100% upon receiving a large invalid TLS frame.|
|org.eclipse.jetty:jetty-io |CVE-2021-28165 |HIGH|9.4.35.v20201120
|9.4.39.v20210325, 10.0.2,
11.0.2|opt/hop/hop/lib/core/jetty-io-9.4.35.v20201120.jar|In Eclipse Jetty
7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU
usage can reach 100% upon receiving a large invalid TLS frame.|
|org.eclipse.jetty:jetty-server |CVE-2021-28165 |HIGH|9.4.35.v20201120
|9.4.39.v20210325, 10.0.2,
11.0.2|opt/hop/hop/lib/core/jetty-server-9.4.35.v20201120.jar|In Eclipse Jetty
7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU
usage can reach 100% upon receiving a large invalid TLS frame.|
|org.eclipse.jetty:jetty-util |CVE-2021-28165 |HIGH|9.4.35.v20201120
|9.4.39.v20210325, 10.0.2,
11.0.2|opt/hop/hop/lib/core/jetty-util-9.4.35.v20201120.jar|In Eclipse Jetty
7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU
usage can reach 100% upon receiving a large invalid TLS frame.|
|org.yaml:snakeyaml |CVE-2022-25857 |HIGH|1.26
|1.31|opt/hop/hop/plugins/tech/cassandra/lib/snakeyaml-1.26.jar |The package
org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service
(DoS) due missing to nested depth limitation for collections. |
|com.google.guava:guava |CVE-2020-8908|LOW |14.0.1
|30.0|opt/hop/hop/plugins/engines/beam/lib/spark-network-common_2.12-3.3.0.jar|A
temp directory creation vulnerability exists in all versions of Guava,
allowing an attacker with access to the machine to potentially access data in a
temporary directory created by the Guava API
com.google.common.io.Files.createTempDir(). By default, on unix-like systems,
the created directory is world-readable (readable by an attacker with access to
the system). The method in question has been marked @Deprecated in versions
30.0 and later and should not be used. For Android developers, we recommend
choosing a temporary directory API provided by Android, such as
context.getCacheDir(). For other Java developers, we recommend migrating to the
Java 7 API java.nio.file.Files.createTempDirectory() which explicitly
configures permissions of 700, or configuring the Java runtime's java.io.tmpdir
system property to point to a location whose permissions are ap
propriately configured.|
|com.google.guava:guava |CVE-2020-8908|LOW |26.0-jre
|30.0|opt/hop/hop/lib/beam/beam-vendor-guava-26_0-jre-0.1.jar |A temp directory
creation vulnerability exists in all versions of Guava, allowing an attacker
with access to the machine to potentially access data in a temporary directory
created by the Guava API com.google.common.io.Files.createTempDir(). By
default, on unix-like systems, the created directory is world-readable
(readable by an attacker with access to the system). The method in question has
been marked @Deprecated in versions 30.0 and later and should not be used. For
Android developers, we recommend choosing a temporary directory API provided by
Android, such as context.getCacheDir(). For other Java developers, we recommend
migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which
explicitly configures permissions of 700, or configuring the Java runtime's
java.io.tmpdir system property to point to a location whose permissions are
appropriately co
nfigured.|
|org.apache.tika:tika-core|CVE-2022-33879 |LOW |2.3.0|1.28.4, 2.4.1
|opt/hop/hop/plugins/transforms/tika/lib/tika-core-2.3.0.jar |The initial fixes
in CVE-2022-30126 and CVE-2022-30973 for regexes in the
StandardsExtractingContentHandler were insufficient, and we found a separate,
new regex DoS in a different regex in the StandardsExtractingContentHandler.
These are now fixed in 1.28.4 and 2.4.1. |
|org.apache.tika:tika-parser-image-module |CVE-2022-33879 |LOW
|2.3.0|1.28.4, 2.4.1
|opt/hop/hop/plugins/transforms/tika/lib/tika-parser-image-module-2.3.0.jar|The
initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in the
StandardsExtractingContentHandler were insufficient, and we found a separate,
new regex DoS in a different regex in the StandardsExtractingContentHandler.
These are now fixed in 1.28.4 and 2.4.1. |
|org.eclipse.jetty:jetty-http|CVE-2021-28163|LOW|9.4.35.v20201120|9.4.39.v20210325, 10.0.2, 11.0.2|opt/hop/hop/lib/core/jetty-http-9.4.35.v20201120.jar|In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory are deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.|
|org.eclipse.jetty:jetty-http|CVE-2022-2047|LOW|9.4.35.v20201120|9.4.46.v20220331, 10.0.9, 11.0.10|opt/hop/hop/lib/core/jetty-http-9.4.35.v20201120.jar|In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a proxy scenario.|
|org.eclipse.jetty:jetty-http|CVE-2022-2047|LOW|9.4.43.v20210629|9.4.46.v20220331, 10.0.9, 11.0.10|opt/hop/hop/plugins/engines/beam/lib/hadoop-client-runtime-3.3.4.jar|In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a proxy scenario.|
|org.eclipse.jetty:jetty-http|CVE-2022-2047|LOW|9.4.43.v20210629|9.4.46.v20220331, 10.0.9, 11.0.10|opt/hop/hop/plugins/tech/parquet/lib/hadoop-client-runtime-3.3.4.jar|In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a proxy scenario.|
|org.eclipse.jetty:jetty-server|CVE-2021-28163|LOW|9.4.35.v20201120|9.4.39.v20210325, 10.0.2, 11.0.2|opt/hop/hop/lib/core/jetty-server-9.4.35.v20201120.jar|In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory are deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.|
|org.eclipse.jetty:jetty-server|CVE-2021-34428|LOW|9.4.35.v20201120|9.4.40.v20210413, 10.0.3, 11.0.3|opt/hop/hop/lib/core/jetty-server-9.4.35.v20201120.jar|For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.|
|org.eclipse.jetty:jetty-util|CVE-2021-28163|LOW|9.4.35.v20201120|9.4.39.v20210325, 10.0.2, 11.0.2|opt/hop/hop/lib/core/jetty-util-9.4.35.v20201120.jar|In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory are deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.|
|org.eclipse.jetty:jetty-webapp|CVE-2021-28163|LOW|9.4.35.v20201120|9.4.39.v20210325, 10.0.2, 11.0.2|opt/hop/hop/lib/core/jetty-webapp-9.4.35.v20201120.jar|In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory are deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.|
|com.fasterxml.jackson.core:jackson-databind|CVE-2018-1000873|MEDIUM|2.4.0|2.9.8|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar|FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial of service (DoS). The attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.|
|com.google.guava:guava|CVE-2018-10237|MEDIUM|14.0.1|24.1.1-jre, 24.1.1-android|opt/hop/hop/plugins/engines/beam/lib/spark-network-common_2.12-3.3.0.jar|Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.|
|com.google.protobuf:protobuf-java|CVE-2021-22569|MEDIUM|3.7.1|3.16.1, 3.18.2, 3.19.2|opt/hop/hop/plugins/engines/beam/lib/hadoop-client-runtime-3.3.4.jar|An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that they would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.|
|com.google.protobuf:protobuf-java|CVE-2021-22569|MEDIUM|3.7.1|3.16.1, 3.18.2, 3.19.2|opt/hop/hop/plugins/tech/parquet/lib/hadoop-client-runtime-3.3.4.jar|An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that they would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.|
|commons-net:commons-net|CVE-2021-37533|MEDIUM|3.6|3.9.0|opt/hop/hop/plugins/engines/beam/lib/hadoop-client-runtime-3.3.4.jar|Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from the PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.|
|commons-net:commons-net|CVE-2021-37533|MEDIUM|3.6|3.9.0|opt/hop/hop/plugins/tech/parquet/lib/hadoop-client-runtime-3.3.4.jar|Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from the PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.|
|commons-net:commons-net|CVE-2021-37533|MEDIUM|3.8.0|3.9.0|opt/hop/hop/lib/core/commons-net-3.8.0.jar|Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from the PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.|
|io.netty:netty|CVE-2021-21409|MEDIUM|3.10.6.Final|4.1.61|opt/hop/hop/lib/beam/netty-3.10.6.Final.jar|Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final.|
|io.netty:netty|CVE-2022-24823|MEDIUM|3.10.6.Final|4.1.77.Final|opt/hop/hop/lib/beam/netty-3.10.6.Final.jar|Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows, as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.|
|io.netty:netty-codec|CVE-2022-24823|MEDIUM|4.1.66.Final|4.1.77.Final|opt/hop/hop/plugins/tech/neo4j/lib/neo4j-java-driver-4.3.4.jar|Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows, as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.|
|io.netty:netty-codec-http|CVE-2022-41915|MEDIUM|4.1.77.Final|4.1.86|opt/hop/hop/lib/beam/beam-vendor-grpc-1_48_1-0.1.jar|Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an *iterator* of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call into a `remove()` call, and calling `add()` in a loop over the iterator of values.|
|io.netty:netty-codec-http|CVE-2022-41915|MEDIUM|4.1.85.Final|4.1.86|opt/hop/hop/lib/beam/netty-codec-http-4.1.85.Final.jar|Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeaders.set` with an *iterator* of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call into a `remove()` call, and calling `add()` in a loop over the iterator of values.|
|io.netty:netty-handler|CVE-2022-24823|MEDIUM|4.1.66.Final|4.1.77.Final|opt/hop/hop/plugins/tech/neo4j/lib/neo4j-java-driver-4.3.4.jar|Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows, as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.|
|org.apache.tika:tika-core|CVE-2022-30126|MEDIUM|2.3.0|1.28.3, 2.4.0|opt/hop/hop/plugins/transforms/tika/lib/tika-core-2.3.0.jar|In Apache Tika, a regular expression in our StandardsText class, used by the StandardsExtractingContentHandler, could lead to a denial of service caused by backtracking on a specially crafted file. This only affects users who are running the StandardsExtractingContentHandler, which is a non-standard handler. This is fixed in 1.28.2 and 2.4.0.|
|org.apache.tika:tika-parser-image-module|CVE-2022-25169|MEDIUM|2.3.0|1.28.2, 2.4.0|opt/hop/hop/plugins/transforms/tika/lib/tika-parser-image-module-2.3.0.jar|The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may allocate an unreasonable amount of memory on carefully crafted files.|
|org.eclipse.jetty:jetty-client|CVE-2020-27223|MEDIUM|9.4.28.v20200408|9.4.37.v20210219, 10.0.1, 11.0.1|opt/hop/hop/lib/core/jetty-client-9.4.28.v20200408.jar|In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0, when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.|
|org.eclipse.jetty:jetty-http|CVE-2020-27223|MEDIUM|9.4.35.v20201120|9.4.37.v20210219, 10.0.1, 11.0.1|opt/hop/hop/lib/core/jetty-http-9.4.35.v20201120.jar|In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0, when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.|
|org.eclipse.jetty:jetty-server|CVE-2020-27223|MEDIUM|9.4.35.v20201120|9.4.37.v20210219, 10.0.1, 11.0.1|opt/hop/hop/lib/core/jetty-server-9.4.35.v20201120.jar|In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0, when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.|
|org.eclipse.jetty:jetty-servlets|CVE-2021-28169|MEDIUM|9.4.35.v20201120|9.4.41, 10.0.3, 11.0.3|opt/hop/hop/lib/core/jetty-servlets-9.4.35.v20201120.jar|For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example, a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.|
|org.eclipse.jetty:jetty-util|CVE-2020-27223|MEDIUM|9.4.35.v20201120|9.4.37.v20210219, 10.0.1, 11.0.1|opt/hop/hop/lib/core/jetty-util-9.4.35.v20201120.jar|In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0, when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.|
|org.yaml:snakeyaml|CVE-2022-38749|MEDIUM|1.26|1.31|opt/hop/hop/plugins/tech/cassandra/lib/snakeyaml-1.26.jar|Using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.|
|org.yaml:snakeyaml|CVE-2022-38750|MEDIUM|1.26|1.31|opt/hop/hop/plugins/tech/cassandra/lib/snakeyaml-1.26.jar|Using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.|
|org.yaml:snakeyaml|CVE-2022-38751|MEDIUM|1.26|1.31|opt/hop/hop/plugins/tech/cassandra/lib/snakeyaml-1.26.jar|Using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.|
|org.yaml:snakeyaml|CVE-2022-38752|MEDIUM|1.26|1.32|opt/hop/hop/plugins/tech/cassandra/lib/snakeyaml-1.26.jar|Using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.|
|org.yaml:snakeyaml|CVE-2022-41854|MEDIUM|1.26|1.32|opt/hop/hop/plugins/tech/cassandra/lib/snakeyaml-1.26.jar|Those using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.|
|com.fasterxml.jackson.core:jackson-databind|GHSA-rpr3-cw39-3pxh|UNKNOWN|2.4.0|2.9.10.4|opt/hop/hop/plugins/engines/beam/lib/htrace-core-3.1.0-incubating.jar|The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class `ignite-jta`.|
|com.google.protobuf:protobuf-java|GHSA-h4h5-3hr4-j3g2|UNKNOWN|3.19.3|3.20.3, 3.21.7, 3.16.3, 3.19.6|opt/hop/hop/lib/core/sshlib-2.2.21.jar|Improper Neutralization in com.google.protobuf:protobuf-kotlin-lite.|
|com.google.protobuf:protobuf-java|GHSA-h4h5-3hr4-j3g2|UNKNOWN|3.19.3|3.20.3, 3.21.7, 3.16.3, 3.19.6|opt/hop/hop/plugins/transforms/ssh/lib/sshlib-2.2.21.jar|Improper Neutralization in com.google.protobuf:protobuf-kotlin-lite.|
|com.google.protobuf:protobuf-java|GHSA-h4h5-3hr4-j3g2|UNKNOWN|3.21.1|3.20.3, 3.21.7, 3.16.3, 3.19.6|opt/hop/hop/lib/beam/beam-vendor-grpc-1_48_1-0.1.jar|Improper Neutralization in com.google.protobuf:protobuf-kotlin-lite.|
|com.google.protobuf:protobuf-java|GHSA-h4h5-3hr4-j3g2|UNKNOWN|3.7.1|3.20.3, 3.21.7, 3.16.3, 3.19.6|opt/hop/hop/plugins/engines/beam/lib/hadoop-client-runtime-3.3.4.jar|Improper Neutralization in com.google.protobuf:protobuf-kotlin-lite.|
|com.google.protobuf:protobuf-java|GHSA-h4h5-3hr4-j3g2|UNKNOWN|3.7.1|3.20.3, 3.21.7, 3.16.3, 3.19.6|opt/hop/hop/plugins/tech/parquet/lib/hadoop-client-runtime-3.3.4.jar|Improper Neutralization in com.google.protobuf:protobuf-kotlin-lite.|
|com.google.protobuf:protobuf-java|GHSA-wrvw-hg22-4m67|UNKNOWN|3.7.1|3.16.1, 3.18.2, 3.19.2|opt/hop/hop/plugins/engines/beam/lib/hadoop-client-runtime-3.3.4.jar|Summary: A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data. Reporter: [OSS-Fuzz](https://github.com/google/oss-fuzz). Affected versions: all versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected. Severity: [CVE-2021-22569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569) **High**, CVSS Score: 7.5. An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses. Proof of Concept: for reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness. Remediation and Mitigation: please update to the latest available versions of the following packages: protobuf-java (3.16.1, 3.18.2, 3.19.2); protobuf-kotlin (3.18.2, 3.19.2); google-protobuf [JRuby gem only] (3.19.2).|
|com.google.protobuf:protobuf-java|GHSA-wrvw-hg22-4m67|UNKNOWN|3.7.1|3.16.1, 3.18.2, 3.19.2|opt/hop/hop/plugins/tech/parquet/lib/hadoop-client-runtime-3.3.4.jar|Summary: A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data. Reporter: [OSS-Fuzz](https://github.com/google/oss-fuzz). Affected versions: all versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected. Severity: [CVE-2021-22569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569) **High**, CVSS Score: 7.5. An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses. Proof of Concept: for reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness. Remediation and Mitigation: please update to the latest available versions of the following packages: protobuf-java (3.16.1, 3.18.2, 3.19.2); protobuf-kotlin (3.18.2, 3.19.2); google-protobuf [JRuby gem only] (3.19.2).|
### Issue Priority
Priority: 2
### Issue Component
Component: Other