[ https://issues.apache.org/jira/browse/OAK-10548?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Fabrizio Fortino updated OAK-10548:
-----------------------------------
    Fix Version/s:     (was: 1.58.0)

> oak-solr-osgi embeds vulnerable Zookeeper 3.4.14
> ------------------------------------------------
>
>                 Key: OAK-10548
>                 URL: https://issues.apache.org/jira/browse/OAK-10548
>             Project: Jackrabbit Oak
>          Issue Type: Task
>          Components: indexing
>            Reporter: Fabrizio Fortino
>            Assignee: Fabrizio Fortino
>            Priority: Major
>
> This artifact embeds Apache ZooKeeper 3.4.10 which contains the following 
> vulnerabilities:
>  * *BDSA-2013-0048* in version 3.4.10 (CVSS 7.5 High): Apache ZooKeeper 
> contains an information disclosure vulnerability due to a missing permission 
> check within the `getACL` command. An attacker could exploit this to obtain 
> hashes for authentication, if Digest Authentication is in use.
>  * *CVE-2020-10663* in version 3.4.10 (CVSS 7.5 High): The JSON gem through 
> 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 
> through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite 
> similar to CVE-2013-0269, but does not rely on poor garbage-collection 
> behavior within Ruby. Specifically, use of JSON parsing methods can lead to 
> creation of a malicious object within the interpreter, with adverse effects 
> that are application-dependent.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)