Fabrizio Fortino created OAK-10548:
--------------------------------------

             Summary: oak-solr-osgi embeds vulnerable Zookeeper 3.4.14
                 Key: OAK-10548
                 URL: https://issues.apache.org/jira/browse/OAK-10548
             Project: Jackrabbit Oak
          Issue Type: Task
          Components: indexing
            Reporter: Fabrizio Fortino
            Assignee: Fabrizio Fortino
             Fix For: 1.58.0


This artifact embeds Apache ZooKeeper 3.4.10 which contains the following 
vulnerabilities:
 * *BDSA-2013-0048* in version 3.4.10 (CVSS 7.5 High): Apache ZooKeeper 
contains an information disclosure vulnerability due to a missing permission 
check within the `getACL` command. An attacker could exploit this to obtain 
hashes for authentication, if Digest Authentication is in use.
 * *CVE-2020-10663* in version 3.4.10 (CVSS 7.5 High): The JSON gem through 
2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 
through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite 
similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior 
within Ruby. Specifically, use of JSON parsing methods can lead to creation of 
a malicious object within the interpreter, with adverse effects that are 
application-dependent.
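As an added check (not code from this ticket or from Jackrabbit Oak), the script below inspects an OSGi bundle such as oak-solr-osgi, reads the Maven pom.properties of every embedded ZooKeeper jar and flags the ones older than a version you pass in. The sample bundle it builds is constructed inline, and the "3.5.0" threshold in the test is illustrative, not a fixed version the ticket names.

```python
import io
import re
import zipfile

# Maven coordinates of the dependency this check looks for inside the bundle.
GROUP, ARTIFACT = "org.apache.zookeeper", "zookeeper"
POM_PROPS = f"META-INF/maven/{GROUP}/{ARTIFACT}/pom.properties"


def parse_version(v):
    """'3.4.10' -> (3, 4, 10); only the leading digits of each component count."""
    parts = []
    for p in v.split("."):
        digits = re.match(r"\d*", p).group()
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def embedded_zookeeper_versions(bundle_bytes):
    """Map each embedded ZooKeeper jar (entry name) to the version its pom.properties declares."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as bundle:
        for name in bundle.namelist():
            if not name.endswith(".jar"):
                continue
            with zipfile.ZipFile(io.BytesIO(bundle.read(name))) as inner:
                if POM_PROPS not in inner.namelist():
                    continue
                for line in inner.read(POM_PROPS).decode().splitlines():
                    if line.startswith("version="):
                        found[name] = line.split("=", 1)[1].strip()
    return found


def vulnerable_embeds(bundle_bytes, min_safe):
    """Embedded ZooKeeper jars older than min_safe, the lowest version you have vetted."""
    safe = parse_version(min_safe)
    return {n: v for n, v in embedded_zookeeper_versions(bundle_bytes).items()
            if parse_version(v) < safe}


def build_sample_bundle(zk_version):
    """Constructed stand-in for oak-solr-osgi: an OSGi bundle embedding one ZooKeeper jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, f"groupId={GROUP}\nartifactId={ARTIFACT}\nversion={zk_version}\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Bundle-SymbolicName: oak-solr-osgi-sample\n")
        z.writestr(f"zookeeper-{zk_version}.jar", inner.getvalue())
    return outer.getvalue()
```

Run it against the real bundle by passing the bytes of the downloaded oak-solr-osgi jar to `vulnerable_embeds` together with the ZooKeeper version your own review has cleared.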



--
This message was sent by Atlassian Jira
(v8.20.10#820010)