[
https://issues.apache.org/jira/browse/ZOOKEEPER-4513?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17519439#comment-17519439
]
Ramya Rohidas edited comment on ZOOKEEPER-4513 at 4/8/22 8:57 AM:
------------------------------------------------------------------
Java (jar)
==========
Total: 7 (UNKNOWN: 1, LOW: 2, MEDIUM: 0, HIGH: 3, CRITICAL: 1)
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY |
INSTALLED VERSION | FIXED VERSION | TITLE
|
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| com.fasterxml.jackson.core:jackson-databind | CVE-2020-36518 | HIGH |
2.10.5.1 | 2.12.6.1, 2.13.2.1 | jackson-databind: denial
of service |
| | | |
| | via a large depth of nested
objects |
| | | |
| |
-->avd.aquasec.com/nvd/cve-2020-36518 |
+---------------------------------------------+------------------+
+-------------------+--------------------------------+---------------------------------------+
| io.netty:netty-codec | CVE-2021-37136 | |
4.1.63.Final | 4.1.68.Final | netty-codec: Bzip2Decoder
|
| | | |
| | doesn't allow setting size
|
| | | |
| | restrictions for
decompressed data |
| | | |
| |
-->avd.aquasec.com/nvd/cve-2021-37136 |
+ +------------------+ +
+
+---------------------------------------+
| | CVE-2021-37137 | |
| | netty-codec:
SnappyFrameDecoder |
| | | |
| | doesn't restrict chunk
length and |
| | | |
| | may buffer skippable chunks
in... |
| | | |
| |
-->avd.aquasec.com/nvd/cve-2021-37137 |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| log4j:log4j | CVE-2019-17571 | CRITICAL |
1.2.17 | 2.0-alpha1 | log4j: deserialization of
|
| | | |
| | untrusted data in
SocketServer |
| | | |
| |
-->avd.aquasec.com/nvd/cve-2019-17571 |
+ +------------------+----------+
+--------------------------------+---------------------------------------+
| | CVE-2020-9488 | LOW |
| 2.13.2 | log4j: improper validation
|
| | | |
| | of certificate with host
|
| | | |
| | mismatch in SMTP appender
|
| | | |
| |
-->avd.aquasec.com/nvd/cve-2020-9488 |
+ +------------------+----------+
+--------------------------------+---------------------------------------+
| | GMS-2021-5 | UNKNOWN |
| 2.15.0-rc1 | Improper Neutralization
|
| | | |
| | of Special Elements in
|
| | | |
| | Output Used by a Downstream
|
| | | |
| | Component...
|
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| org.eclipse.jetty:jetty-server | CVE-2021-34428 | LOW |
9.4.39.v20210325 | 9.4.40.v20210413, 10.0.3, | jetty: SessionListener can
|
| | | |
| 11.0.3 | prevent a session from being
|
| | | |
| | invalidated breaking logout
|
| | | |
| |
-->avd.aquasec.com/nvd/cve-2021-34428 |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
was (Author: JIRAUSER286675):
Java (jar) ========== Total: 7 (UNKNOWN: 1, LOW: 2, MEDIUM: 0, HIGH: 3,
CRITICAL: 1)
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
TITLE |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| com.fasterxml.jackson.core:jackson-databind | CVE-2020-36518 | HIGH |
2.10.5.1 | 2.12.6.1, 2.13.2.1 | jackson-databind: denial of service | | | | | |
| via a large depth of nested objects | | | | | | |
-->avd.aquasec.com/nvd/cve-2020-36518 |
+---------------------------------------------+------------------+
+-------------------+--------------------------------+---------------------------------------+
| io.netty:netty-codec | CVE-2021-37136 | | 4.1.63.Final | 4.1.68.Final |
netty-codec: Bzip2Decoder | | | | | | | doesn't allow setting size | | | | | |
| restrictions for decompressed data | | | | | | |
-->avd.aquasec.com/nvd/cve-2021-37136 | + +------------------+ + +
+---------------------------------------+ | | CVE-2021-37137 | | | |
netty-codec: SnappyFrameDecoder | | | | | | | doesn't restrict chunk length and
| | | | | | | may buffer skippable chunks in... | | | | | | |
-->avd.aquasec.com/nvd/cve-2021-37137 |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| log4j:log4j | CVE-2019-17571 | CRITICAL | 1.2.17 | 2.0-alpha1 | log4j:
deserialization of | | | | | | | untrusted data in SocketServer | | | | | | |
-->avd.aquasec.com/nvd/cve-2019-17571 | + +------------------+----------+
+--------------------------------+---------------------------------------+ | |
CVE-2020-9488 | LOW | | 2.13.2 | log4j: improper validation | | | | | | | of
certificate with host | | | | | | | mismatch in SMTP appender | | | | | | |
-->avd.aquasec.com/nvd/cve-2020-9488 | + +------------------+----------+
+--------------------------------+---------------------------------------+ | |
GMS-2021-5 | UNKNOWN | | 2.15.0-rc1 | Improper Neutralization | | | | | | | of
Special Elements in | | | | | | | Output Used by a Downstream | | | | | | |
Component... |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| org.eclipse.jetty:jetty-server | CVE-2021-34428 | LOW | 9.4.39.v20210325 |
9.4.40.v20210413, 10.0.3, | jetty: SessionListener can | | | | | | 11.0.3 |
prevent a session from being | | | | | | | invalidated breaking logout | | | |
| | | -->avd.aquasec.com/nvd/cve-2021-34428 |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
> ZK 3.6 jar vulnerabilities
> ---------------------------
>
> Key: ZOOKEEPER-4513
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4513
> Project: ZooKeeper
> Issue Type: Bug
> Reporter: Ramya Rohidas
> Priority: Major
>
> Java (jar) ========== Total: 7 (UNKNOWN: 1, LOW: 2, MEDIUM: 0, HIGH: 3,
> CRITICAL: 1)
> +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
> | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION
> | TITLE |
> +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
> | com.fasterxml.jackson.core:jackson-databind | CVE-2020-36518 | HIGH |
> 2.10.5.1 | 2.12.6.1, 2.13.2.1 | jackson-databind: denial of service | | | | |
> | | via a large depth of nested objects | | | | | | |
> -->avd.aquasec.com/nvd/cve-2020-36518 |
> +---------------------------------------------+------------------+
> +-------------------+--------------------------------+---------------------------------------+
> | io.netty:netty-codec | CVE-2021-37136 | | 4.1.63.Final | 4.1.68.Final |
> netty-codec: Bzip2Decoder | | | | | | | doesn't allow setting size | | | | |
> | | restrictions for decompressed data | | | | | | |
> -->avd.aquasec.com/nvd/cve-2021-37136 | + +------------------+ + +
> +---------------------------------------+ | | CVE-2021-37137 | | | |
> netty-codec: SnappyFrameDecoder | | | | | | | doesn't restrict chunk length
> and | | | | | | | may buffer skippable chunks in... | | | | | | |
> -->avd.aquasec.com/nvd/cve-2021-37137 |
> +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
> | log4j:log4j | CVE-2019-17571 | CRITICAL | 1.2.17 | 2.0-alpha1 | log4j:
> deserialization of | | | | | | | untrusted data in SocketServer | | | | | | |
> -->avd.aquasec.com/nvd/cve-2019-17571 | + +------------------+----------+
> +--------------------------------+---------------------------------------+ |
> | CVE-2020-9488 | LOW | | 2.13.2 | log4j: improper validation | | | | | | |
> of certificate with host | | | | | | | mismatch in SMTP appender | | | | | |
> | -->avd.aquasec.com/nvd/cve-2020-9488 | + +------------------+----------+
> +--------------------------------+---------------------------------------+ |
> | GMS-2021-5 | UNKNOWN | | 2.15.0-rc1 | Improper Neutralization | | | | | | |
> of Special Elements in | | | | | | | Output Used by a Downstream | | | | | |
> | Component... |
> +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
> | org.eclipse.jetty:jetty-server | CVE-2021-34428 | LOW | 9.4.39.v20210325 |
> 9.4.40.v20210413, 10.0.3, | jetty: SessionListener can | | | | | | 11.0.3 |
> prevent a session from being | | | | | | | invalidated breaking logout | | |
> | | | | -->avd.aquasec.com/nvd/cve-2021-34428 |
> +---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
