[ https://issues.apache.org/jira/browse/OAK-10548?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Fabrizio Fortino updated OAK-10548:
-----------------------------------
    Fix Version/s:     (was: 1.58.0)

> oak-solr-osgi embeds vulnerable Zookeeper 3.4.14
> ------------------------------------------------
>
>                 Key: OAK-10548
>                 URL: https://issues.apache.org/jira/browse/OAK-10548
>             Project: Jackrabbit Oak
>          Issue Type: Task
>          Components: indexing
>            Reporter: Fabrizio Fortino
>            Assignee: Fabrizio Fortino
>            Priority: Major
>
> This artifact embeds Apache ZooKeeper 3.4.10 which contains the following vulnerabilities:
>
> * *BDSA-2013-0048* in version 3.4.10 (CVSS 7.5 High): Apache ZooKeeper contains an information disclosure vulnerability due to a missing permission check within the `getACL` command. An attacker could exploit this to obtain hashes for authentication, if Digest Authentication is in use.
>
> * *CVE-2020-10663* in version 3.4.10 (CVSS 7.5 High): The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)