[ https://issues.apache.org/jira/browse/ZOOKEEPER-3262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andor Molnar resolved ZOOKEEPER-3262.
-------------------------------------
    Resolution: Fixed

Issue resolved by pull request 806
[https://github.com/apache/zookeeper/pull/806]

> Update dependencies flagged by OWASP report
> -------------------------------------------
>
>                 Key: ZOOKEEPER-3262
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3262
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.6.0, 3.5.5, 3.4.14
>            Reporter: Enrico Olivelli
>            Assignee: Enrico Olivelli
>            Priority: Blocker
>              Labels: pull-request-available
>             Fix For: 3.6.0, 3.4.14, 3.5.5
>
>          Time Spent: 5h 10m
>  Remaining Estimate: 0h
>
> Currently OWASP plugin is reporting these vulnerabilities:
>
> ||CVE||CWE||Severity (CVSS)||Dependency||
> |[CVE-2018-14719|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14719]|CWE-502 Deserialization of Untrusted Data|High (7.5)|jackson-databind-2.9.5.jar|
> |[CVE-2018-14720|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14720]|CWE-611 Improper Restriction of XML External Entity Reference ('XXE')|High (7.5)|jackson-databind-2.9.5.jar|
> |[CVE-2018-14721|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14721]|CWE-918 Server-Side Request Forgery (SSRF)|High (7.5)|jackson-databind-2.9.5.jar|
> |[CVE-2018-19360|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19360]|CWE-502 Deserialization of Untrusted Data|High (7.5)|jackson-databind-2.9.5.jar|
> |[CVE-2018-19361|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19361]|CWE-502 Deserialization of Untrusted Data|High (7.5)|jackson-databind-2.9.5.jar|
> |[CVE-2018-19362|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19362]|CWE-502 Deserialization of Untrusted Data|High (7.5)|jackson-databind-2.9.5.jar|
> |[CVE-2017-7657|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7657]|CWE-190 Integer Overflow or Wraparound|High (7.5)|jetty-http-9.4.10.v20180503.jar|
> |[CVE-2017-7658|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7658]|CWE-19 Data Processing Errors|High (7.5)|jetty-http-9.4.10.v20180503.jar|
> |[CVE-2018-1000873|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000873]|CWE-20 Improper Input Validation|Medium (5.0)|jackson-databind-2.9.5.jar|
> |[CVE-2017-7656|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7656]|CWE-284 Improper Access Control|Medium (5.0)|jetty-http-9.4.10.v20180503.jar|
> |[CVE-2018-12536|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12536]|CWE-200 Information Exposure|Medium (5.0)|jetty-http-9.4.10.v20180503.jar|
> |[CVE-2018-12056|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12056]|CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)|Medium (5.0)|netty-all-4.1.29.Final.jar|
>
> We have to upgrade all of them or add suppressions.
>
> In the Maven build we also have:
> pom.xml: CVE-2018-8012, CVE-2016-5017

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
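The issue leaves two options open for each finding, upgrade or suppress. Upgrading is the right answer for the jackson-databind deserialization and Jetty HTTP findings above; a suppression is only defensible where the flagged code path is provably unreachable, and even then it should be narrow and time-boxed so it does not outlive the reason it was written. The file below is an added example of that shape for the OWASP dependency-check-maven plugin; it is not the suppression file ZooKeeper ships or anything from pull request 806. The file name `owasp-suppressions.xml`, the expiry date, and the justification text are assumptions used for illustration; the element names (`suppress`, `notes`, `gav`, `cve`, the `until` attribute) follow the plugin's published suppression schema.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- owasp-suppressions.xml (hypothetical file name).
     Added example, not ZooKeeper's own suppression file. It is referenced from
     the dependency-check-maven plugin configuration via
     <suppressionFiles><suppressionFile>owasp-suppressions.xml</suppressionFile></suppressionFiles> -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

  <!-- One rule per (artifact, CVE) pair. Pinning the exact GAV and a single
       CVE means a new finding against the same jar, or the same CVE against a
       different version, is NOT silently swallowed by this waiver. -->
  <suppress until="2019-06-30Z">
    <notes><![CDATA[
      Assumed justification (placeholder text for the example): the weak-PRNG
      code path reported by CVE-2018-12056 is not used by this project, and the
      netty-all upgrade is tracked under ZOOKEEPER-3262. The "until" date forces
      the finding to reappear in the report once the waiver expires, so a
      forgotten suppression cannot hide the CVE indefinitely.
    ]]></notes>
    <!-- regex="true": anchor the pattern so a later 4.1.x release is still flagged. -->
    <gav regex="true">^io\.netty:netty-all:4\.1\.29\.Final$</gav>
    <cve>CVE-2018-12056</cve>
  </suppress>

</suppressions>
```

Two practices worth keeping alongside such a file: set `failBuildOnCVSS` in the plugin configuration (both it and `suppressionFiles` are real dependency-check-maven parameters) so that a High finding such as the CVSS 7.5 jackson-databind entries breaks the build rather than only appearing in the report, and review the suppression file whenever the `until` date passes or the dependency version changes, since a suppression written against one version says nothing about the next.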