[jira] [Commented] (ZOOKEEPER-4513) ZK 3.6 jar vulnerabilities

Ramya Rohidas (Jira) Fri, 08 Apr 2022 01:58:04 -0700


    [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-4513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17519439#comment-17519439
 ]


Ramya Rohidas commented on ZOOKEEPER-4513:
------------------------------------------

Java (jar) ========== Total: 7 (UNKNOWN: 1, LOW: 2, MEDIUM: 0, HIGH: 3, 
CRITICAL: 1) 
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
 | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | 
TITLE | 
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
 | com.fasterxml.jackson.core:jackson-databind | CVE-2020-36518 | HIGH | 
2.10.5.1 | 2.12.6.1, 2.13.2.1 | jackson-databind: denial of service | | | | | | 
| via a large depth of nested objects | | | | | | | 
-->avd.aquasec.com/nvd/cve-2020-36518 | 
+---------------------------------------------+------------------+ 
+-------------------+--------------------------------+---------------------------------------+
 | io.netty:netty-codec | CVE-2021-37136 | | 4.1.63.Final | 4.1.68.Final | 
netty-codec: Bzip2Decoder | | | | | | | doesn't allow setting size | | | | | | 
| restrictions for decompressed data | | | | | | | 
-->avd.aquasec.com/nvd/cve-2021-37136 | + +------------------+ + + 
+---------------------------------------+ | | CVE-2021-37137 | | | | 
netty-codec: SnappyFrameDecoder | | | | | | | doesn't restrict chunk length and 
| | | | | | | may buffer skippable chunks in... | | | | | | | 
-->avd.aquasec.com/nvd/cve-2021-37137 | 
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
 | log4j:log4j | CVE-2019-17571 | CRITICAL | 1.2.17 | 2.0-alpha1 | log4j: 
deserialization of | | | | | | | untrusted data in SocketServer | | | | | | | 
-->avd.aquasec.com/nvd/cve-2019-17571 | + +------------------+----------+ 
+--------------------------------+---------------------------------------+ | | 
CVE-2020-9488 | LOW | | 2.13.2 | log4j: improper validation | | | | | | | of 
certificate with host | | | | | | | mismatch in SMTP appender | | | | | | | 
-->avd.aquasec.com/nvd/cve-2020-9488 | + +------------------+----------+ 
+--------------------------------+---------------------------------------+ | | 
GMS-2021-5 | UNKNOWN | | 2.15.0-rc1 | Improper Neutralization | | | | | | | of 
Special Elements in | | | | | | | Output Used by a Downstream | | | | | | | 
Component... | 
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
 | org.eclipse.jetty:jetty-server | CVE-2021-34428 | LOW | 9.4.39.v20210325 | 
9.4.40.v20210413, 10.0.3, | jetty: SessionListener can | | | | | | 11.0.3 | 
prevent a session from being | | | | | | | invalidated breaking logout | | | | 
| | | -->avd.aquasec.com/nvd/cve-2021-34428 | 
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+

> ZK 3.6 jar vulnerabilities 
> ---------------------------
>
>                 Key: ZOOKEEPER-4513
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4513
>             Project: ZooKeeper
>          Issue Type: Bug
>            Reporter: Ramya Rohidas
>            Priority: Major
>
> Java (jar) ========== Total: 7 (UNKNOWN: 1, LOW: 2, MEDIUM: 0, HIGH: 3, 
> CRITICAL: 1) 
> +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
>  | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION 
> | TITLE | 
> +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
>  | com.fasterxml.jackson.core:jackson-databind | CVE-2020-36518 | HIGH | 
> 2.10.5.1 | 2.12.6.1, 2.13.2.1 | jackson-databind: denial of service | | | | | 
> | | via a large depth of nested objects | | | | | | | 
> -->avd.aquasec.com/nvd/cve-2020-36518 | 
> +---------------------------------------------+------------------+ 
> +-------------------+--------------------------------+---------------------------------------+
>  | io.netty:netty-codec | CVE-2021-37136 | | 4.1.63.Final | 4.1.68.Final | 
> netty-codec: Bzip2Decoder | | | | | | | doesn't allow setting size | | | | | 
> | | restrictions for decompressed data | | | | | | | 
> -->avd.aquasec.com/nvd/cve-2021-37136 | + +------------------+ + + 
> +---------------------------------------+ | | CVE-2021-37137 | | | | 
> netty-codec: SnappyFrameDecoder | | | | | | | doesn't restrict chunk length 
> and | | | | | | | may buffer skippable chunks in... | | | | | | | 
> -->avd.aquasec.com/nvd/cve-2021-37137 | 
> +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
>  | log4j:log4j | CVE-2019-17571 | CRITICAL | 1.2.17 | 2.0-alpha1 | log4j: 
> deserialization of | | | | | | | untrusted data in SocketServer | | | | | | | 
> -->avd.aquasec.com/nvd/cve-2019-17571 | + +------------------+----------+ 
> +--------------------------------+---------------------------------------+ | 
> | CVE-2020-9488 | LOW | | 2.13.2 | log4j: improper validation | | | | | | | 
> of certificate with host | | | | | | | mismatch in SMTP appender | | | | | | 
> | -->avd.aquasec.com/nvd/cve-2020-9488 | + +------------------+----------+ 
> +--------------------------------+---------------------------------------+ | 
> | GMS-2021-5 | UNKNOWN | | 2.15.0-rc1 | Improper Neutralization | | | | | | | 
> of Special Elements in | | | | | | | Output Used by a Downstream | | | | | | 
> | Component... | 
> +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
>  | org.eclipse.jetty:jetty-server | CVE-2021-34428 | LOW | 9.4.39.v20210325 | 
> 9.4.40.v20210413, 10.0.3, | jetty: SessionListener can | | | | | | 11.0.3 | 
> prevent a session from being | | | | | | | invalidated breaking logout | | | 
> | | | | -->avd.aquasec.com/nvd/cve-2021-34428 | 
> +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

[jira] [Commented] (ZOOKEEPER-4513) ZK 3.6 jar vulnerabilities

Reply via email to