diff --git a/cmd/osv-scanner/fix/interactive.go b/cmd/osv-scanner/fix/interactive.go index c278f0c769c..5409c46d6dc 100644 --- a/cmd/osv-scanner/fix/interactive.go +++ b/cmd/osv-scanner/fix/interactive.go @@ -2,14 +2,20 @@ package fix import ( "context" + "errors" tea "github.com/charmbracelet/bubbletea" + "github.com/google/osv-scanner/internal/remediation" ) // TODO: currently, it's impossible to undo commands // Need to think about how to support this func interactiveMode(ctx context.Context, opts osvFixOptions) error { + if !remediation.SupportsRelax(opts.ManifestRW) && !remediation.SupportsInPlace(opts.LockfileRW) { + return errors.New("no supported remediation strategies found") + } + cl := opts.Client p := tea.NewProgram(newModel(ctx, opts, cl), tea.WithAltScreen()) m, err := p.Run() diff --git a/cmd/osv-scanner/fix/noninteractive.go b/cmd/osv-scanner/fix/noninteractive.go index b18c0780634..73f24d7e43d 100644 --- a/cmd/osv-scanner/fix/noninteractive.go +++ b/cmd/osv-scanner/fix/noninteractive.go @@ -2,6 +2,7 @@ package fix import ( "context" + "errors" "fmt" "os" "slices" @@ -17,6 +18,10 @@ import ( ) func autoInPlace(ctx context.Context, r reporter.Reporter, opts osvFixOptions, maxUpgrades int) error { + if !remediation.SupportsInPlace(opts.LockfileRW) { + return errors.New("in-place strategy is not supported for lockfile") + } + r.Infof("Scanning %s...\n", opts.Lockfile) f, err := lockfile.OpenLocalDepFile(opts.Lockfile) if err != nil { @@ -92,6 +97,10 @@ func autoChooseInPlacePatches(res remediation.InPlaceResult, maxUpgrades int) ([ } func autoRelock(ctx context.Context, r reporter.Reporter, opts osvFixOptions, maxUpgrades int) error { + if !remediation.SupportsRelax(opts.ManifestRW) { + return errors.New("relock strategy is not supported for manifest") + } + r.Infof("Resolving %s...\n", opts.Manifest) f, err := lockfile.OpenLocalDepFile(opts.Manifest) if err != nil { 
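Review bot: The new guard in interactiveMode only rejects the case where neither strategy is supported, so when exactly one of relax/in-place is unsupported the Bubble Tea model is still started with both `opts.ManifestRW` and `opts.LockfileRW`; whether newModel hides or disables the unsupported strategy is not visible here and should be confirmed, otherwise the user can still pick a path that fails later. The error is also less actionable than it could be, since it does not say which files were inspected: `return fmt.Errorf("no supported remediation strategies for manifest %q / lockfile %q", opts.Manifest, opts.Lockfile)` would, at the cost of importing `fmt` instead of the `errors` this hunk adds. interactiveMode's body continues past the end of the hunk.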
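Review bot: The new check at the top of autoInPlace returns a fixed string that does not name the lockfile it rejected, even though the very next line logs `opts.Lockfile`; this file already imports `fmt`, so `return fmt.Errorf("in-place strategy is not supported for lockfile %s", opts.Lockfile)` gives the user the path and makes the newly added `errors` import unnecessary if autoRelock is changed the same way. A one-line comment such as `// Fail fast before the lockfile is opened or scanned.` above the guard would record why it sits ahead of OpenLocalDepFile. autoInPlace continues beyond the hunk.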
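Review bot: The guard in autoRelock reports the strategy to the user as "relock" while the predicate it calls is `remediation.SupportsRelax`; presumably the CLI name and the internal patch name differ, and a short comment tying them together, e.g. `// relock relies on the manifest "relax" patches; bail out if the manifest format cannot be rewritten.`, would save the next reader a lookup. As with the in-place check, the message should carry the rejected path: `return fmt.Errorf("relock strategy is not supported for manifest %s", opts.Manifest)`. autoRelock's body continues past the hunk.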
diff --git a/internal/remediation/__snapshots__/relax_test.snap b/internal/remediation/__snapshots__/relax_test.snap
deleted file mode 100755
index aef428308e4..00000000000
--- a/internal/remediation/__snapshots__/relax_test.snap
+++ /dev/null
@@ -1,265 +0,0 @@ - -[TestComputeRelaxPatches/npm-santatracker - 1] -[ - { - "Patch": { - "Deps": [ - { - "Pkg": { - "System": 3, - "Name": "mocha" - }, - "Type": {}, - "OrigRequire": "^5.2.0", - "NewRequire": "^9.2.2", - "OrigResolved": "5.2.0", - "NewResolved": "9.2.2" - } - ], - "EcosystemSpecific": null - }, - "RemovedVulns": [ - { - "ID": "GHSA-f8q6-p94x-37v3", - "AffectedNodes": [ - 571 - ] - }, - { - "ID": "GHSA-vh95-rmgr-6w4m", - "AffectedNodes": [ - 575 - ] - }, - { - "ID": "GHSA-xvch-5gv4-984h", - "AffectedNodes": [ - 575 - ] - } - ], - "AddedVulns": [] - }, - { - "Patch": { - "Deps": [ - { - "Pkg": { - "System": 3, - "Name": "mocha" - }, - "Type": {}, - "OrigRequire": "^5.2.0", - "NewRequire": "^8.4.0", - "OrigResolved": "5.2.0", - "NewResolved": "8.4.0" - } - ], - "EcosystemSpecific": null - }, - "RemovedVulns": [ - { - "ID": "GHSA-vh95-rmgr-6w4m", - "AffectedNodes": [ - 575 - ] - }, - { - "ID": "GHSA-xvch-5gv4-984h", - "AffectedNodes": [ - 575 - ] - } - ], - "AddedVulns": [ - { - "ID": "GHSA-qrpm-p2h7-hrv2", - "AffectedNodes": [ - 578 - ] - } - ] - }, - { - "Patch": { - "Deps": [ - { - "Pkg": { - "System": 3, - "Name": "@google-cloud/cloudbuild" - }, - "Type": {}, - "OrigRequire": "^2.6.0", - "NewRequire": "^4.4.0", - "OrigResolved": "2.6.0", - "NewResolved": "4.4.0" - } - ], - "EcosystemSpecific": null - }, - "RemovedVulns": [ - { - "ID": "GHSA-h755-8qp9-cq85", - "AffectedNodes": [ - 221 - ] - } - ], - "AddedVulns": [] - }, - { - "Patch": { - "Deps": [ - { - "Pkg": { - "System": 3, - "Name": "autoprefixer" - }, - "Type": {}, - "OrigRequire": "^9.3.0", - "NewRequire": "^10.4.19", - "OrigResolved": "9.8.8", - "NewResolved": "10.4.19" - } - ], - "EcosystemSpecific": null - }, - "RemovedVulns": [ - { - "ID": "GHSA-7fh5-64p2-3v2j", - "AffectedNodes": [ - 327 - ] - } - ], - "AddedVulns": [] - }, - { - "Patch": { - "Deps": [ - { - "Pkg": { - "System": 3, - "Name": "google-closure-library" - }, - "Type": {}, - "OrigRequire": "^20190909.0.0", - "NewRequire": 
"^20200315.0.0", - "OrigResolved": "20190909.0.0", - "NewResolved": "20200315.0.0" - } - ], - "EcosystemSpecific": null - }, - "RemovedVulns": [ - { - "ID": "GHSA-vh5w-fg69-rc8m", - "AffectedNodes": [ - 24 - ] - } - ], - "AddedVulns": [] - }, - { - "Patch": { - "Deps": [ - { - "Pkg": { - "System": 3, - "Name": "terser" - }, - "Type": {}, - "OrigRequire": "^3.10.11", - "NewRequire": "^4.8.1", - "OrigResolved": "3.17.0", - "NewResolved": "4.8.1" - } - ], - "EcosystemSpecific": null - }, - "RemovedVulns": [ - { - "ID": "GHSA-4wf5-vphf-c2xc", - "AffectedNodes": [ - 44 - ] - } - ], - "AddedVulns": [] - }, - { - "Patch": { - "Deps": [ - { - "Pkg": { - "System": 3, - "Name": "yargs" - }, - "Type": {}, - "OrigRequire": "^12.0.2", - "NewRequire": "^13.3.2", - "OrigResolved": "12.0.5", - "NewResolved": "13.3.2" - } - ], - "EcosystemSpecific": null - }, - "RemovedVulns": [ - { - "ID": "GHSA-p9pc-299p-vxgp", - "AffectedNodes": [ - 610 - ] - } - ], - "AddedVulns": [] - }, - { - "Patch": { - "Deps": [ - { - "Pkg": { - "System": 3, - "Name": "mocha" - }, - "Type": {}, - "OrigRequire": "^5.2.0", - "NewRequire": "^6.2.3", - "OrigResolved": "5.2.0", - "NewResolved": "6.2.3" - } - ], - "EcosystemSpecific": null - }, - "RemovedVulns": [ - { - "ID": "GHSA-vh95-rmgr-6w4m", - "AffectedNodes": [ - 575 - ] - }, - { - "ID": "GHSA-xvch-5gv4-984h", - "AffectedNodes": [ - 575 - ] - } - ], - "AddedVulns": [ - { - "ID": "GHSA-2j2x-2gpw-g8fm", - "AffectedNodes": [ - 675 - ] - }, - { - "ID": "GHSA-gxpj-cx7g-858c", - "AffectedNodes": [ - 566 - ] - } - ] - } -] ---- diff --git a/internal/remediation/__snapshots__/testhelpers_test.snap b/internal/remediation/__snapshots__/testhelpers_test.snap new file mode 100755 index 00000000000..f28d0e649d9 --- /dev/null +++ b/internal/remediation/__snapshots__/testhelpers_test.snap 
@@ -0,0 +1,1497 @@ + +[TestComputeOverridePatches/maven-zeppelin-server - 1] +[ + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "io.atomix:atomix" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "3.1.6", + "OrigResolved": "3.0.0-rc5", + "NewResolved": "3.1.6" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-2fqw-684c-pvp7", + "AffectedNodes": [ + 123 + ] + }, + { + "ID": "GHSA-4jhc-wjr3-pwh2", + "AffectedNodes": [ + 123 + ] + }, + { + "ID": "GHSA-6vvh-5794-vpmj", + "AffectedNodes": [ + 123 + ] + }, + { + "ID": "GHSA-7fr2-94h7-ccg2", + "AffectedNodes": [ + 123 + ] + }, + { + "ID": "GHSA-g7p8-r2ch-4rmf", + "AffectedNodes": [ + 123 + ] + }, + { + "ID": "GHSA-m4h3-7mc2-v295", + "AffectedNodes": [ + 123 + ] + }, + { + "ID": "GHSA-mf27-wg66-m8f5", + "AffectedNodes": [ + 123 + ] + } + ], + "AddedVulns": [ + { + "ID": "GHSA-v2xm-76pq-phcf", + "AffectedNodes": [ + 264 + ] + } + ] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "org.apache.pdfbox:pdfbox" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "2.0.24", + "OrigResolved": "2.0.16", + "NewResolved": "2.0.24" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-2h3j-m7gr-25xj", + "AffectedNodes": [ + 287 + ] + }, + { + "ID": "GHSA-6vqp-h455-42mr", + "AffectedNodes": [ + 287 + ] + }, + { + "ID": "GHSA-7grw-6pjh-jpc9", + "AffectedNodes": [ + 287 + ] + }, + { + "ID": "GHSA-fg3j-q579-v8x4", + "AffectedNodes": [ + 287 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "xerces:xercesImpl" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "2.12.2", + "OrigResolved": "2.11.0", + "NewResolved": "2.12.2" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-7j4h-8wpf-rqfh", + "AffectedNodes": [ + 252 + ] + }, + { + "ID": "GHSA-h65f-jvqw-m9fj", + "AffectedNodes": [ + 252 + ] + }, + { + "ID": "GHSA-vmqm-g3vh-847m", + 
"AffectedNodes": [ + 252 + ] + }, + { + "ID": "GHSA-w4jq-qh47-hvjq", + "AffectedNodes": [ + 252 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "io.atomix:atomix" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "3.1.6", + "OrigResolved": "3.0.0-rc5", + "NewResolved": "3.1.6" + }, + { + "Pkg": { + "System": 6, + "Name": "io.github.classgraph:classgraph" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "4.8.112", + "OrigResolved": "4.2.3", + "NewResolved": "4.8.112" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-2fqw-684c-pvp7", + "AffectedNodes": [ + 123 + ] + }, + { + "ID": "GHSA-4jhc-wjr3-pwh2", + "AffectedNodes": [ + 123 + ] + }, + { + "ID": "GHSA-6vvh-5794-vpmj", + "AffectedNodes": [ + 123 + ] + }, + { + "ID": "GHSA-7fr2-94h7-ccg2", + "AffectedNodes": [ + 123 + ] + }, + { + "ID": "GHSA-g7p8-r2ch-4rmf", + "AffectedNodes": [ + 123 + ] + }, + { + "ID": "GHSA-m4h3-7mc2-v295", + "AffectedNodes": [ + 123 + ] + }, + { + "ID": "GHSA-mf27-wg66-m8f5", + "AffectedNodes": [ + 123 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "com.google.guava:guava" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "32.0.0-android", + "OrigResolved": "22.0", + "NewResolved": "32.0.0-android" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-5mg8-w23w-74h3", + "AffectedNodes": [ + 260 + ] + }, + { + "ID": "GHSA-7g45-4rm6-3mm3", + "AffectedNodes": [ + 260 + ] + }, + { + "ID": "GHSA-mvr2-9pj6-7w5j", + "AffectedNodes": [ + 260 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "xerces:xercesImpl" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "2.12.1", + "OrigResolved": "2.11.0", + "NewResolved": "2.12.1" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-7j4h-8wpf-rqfh", + "AffectedNodes": [ + 252 + ] + 
}, + { + "ID": "GHSA-vmqm-g3vh-847m", + "AffectedNodes": [ + 252 + ] + }, + { + "ID": "GHSA-w4jq-qh47-hvjq", + "AffectedNodes": [ + 252 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "com.fasterxml.jackson.core:jackson-databind" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "2.12.7.1", + "OrigResolved": "2.12.6.1", + "NewResolved": "2.12.7.1" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-jjjh-jjxp-wpff", + "AffectedNodes": [ + 15 + ] + }, + { + "ID": "GHSA-rgv9-q543-rqg4", + "AffectedNodes": [ + 15 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "io.netty:netty-handler" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "4.1.94.Final", + "OrigResolved": "4.1.27.Final", + "NewResolved": "4.1.94.Final" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-6mjq-h674-j845", + "AffectedNodes": [ + 257 + ] + }, + { + "ID": "GHSA-mm9x-g8pc-w292", + "AffectedNodes": [ + 257 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "org.apache.commons:commons-compress" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "1.26.0", + "OrigResolved": "1.21", + "NewResolved": "1.26.0" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-4265-ccf5-phj5", + "AffectedNodes": [ + 59 + ] + }, + { + "ID": "GHSA-4g9r-vxhx-9pgx", + "AffectedNodes": [ + 59 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "org.apache.commons:commons-configuration2" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "2.10.1", + "OrigResolved": "2.8.0", + "NewResolved": "2.10.1" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-9w38-p64v-xpmv", + "AffectedNodes": [ + 127 + ] + }, + { + "ID": "GHSA-xjp4-hw94-mvp5", + "AffectedNodes": [ + 127 + ] + } + 
], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "org.apache.mina:mina-core" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "2.0.22", + "OrigResolved": "2.0.7", + "NewResolved": "2.0.22" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-5h29-qq92-wj7f", + "AffectedNodes": [ + 167 + ] + }, + { + "ID": "GHSA-6mcm-j9cj-3vc3", + "AffectedNodes": [ + 167 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "org.apache.pdfbox:pdfbox" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "2.0.23", + "OrigResolved": "2.0.16", + "NewResolved": "2.0.23" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-2h3j-m7gr-25xj", + "AffectedNodes": [ + 287 + ] + }, + { + "ID": "GHSA-6vqp-h455-42mr", + "AffectedNodes": [ + 287 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "org.apache.shiro:shiro-web" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "1.13.0", + "OrigResolved": "1.10.0", + "NewResolved": "1.13.0" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-hhw5-c326-822h", + "AffectedNodes": [ + 21 + ] + }, + { + "ID": "GHSA-pmhc-2g4f-85cg", + "AffectedNodes": [ + 21 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "org.eclipse.jgit:org.eclipse.jgit" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "5.13.3.202401111512-r", + "OrigResolved": "4.5.4.201711221230-r", + "NewResolved": "5.13.3.202401111512-r" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-3p86-9955-h393", + "AffectedNodes": [ + 56 + ] + }, + { + "ID": "GHSA-q446-82vq-w674", + "AffectedNodes": [ + 151 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "xerces:xercesImpl" + }, + "Type": {}, + "OrigRequire": "", 
+ "NewRequire": "2.12.0", + "OrigResolved": "2.11.0", + "NewResolved": "2.12.0" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-7j4h-8wpf-rqfh", + "AffectedNodes": [ + 252 + ] + }, + { + "ID": "GHSA-vmqm-g3vh-847m", + "AffectedNodes": [ + 252 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "commons-net:commons-net" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "3.9.0", + "OrigResolved": "3.6", + "NewResolved": "3.9.0" + }, + { + "Pkg": { + "System": 6, + "Name": "net.sourceforge.htmlunit:htmlunit" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "2.37.0", + "OrigResolved": "2.18", + "NewResolved": "2.37.0" + }, + { + "Pkg": { + "System": 6, + "Name": "net.sourceforge.htmlunit:neko-htmlunit" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "2.61.0", + "OrigResolved": "2.37.0", + "NewResolved": "2.61.0" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-5mh9-r3rr-9597", + "AffectedNodes": [ + 173 + ] + }, + { + "ID": "GHSA-7j4h-8wpf-rqfh", + "AffectedNodes": [ + 252 + ] + }, + { + "ID": "GHSA-h65f-jvqw-m9fj", + "AffectedNodes": [ + 252 + ] + }, + { + "ID": "GHSA-vmqm-g3vh-847m", + "AffectedNodes": [ + 252 + ] + }, + { + "ID": "GHSA-w4jq-qh47-hvjq", + "AffectedNodes": [ + 252 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "net.sourceforge.htmlunit:htmlunit" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "2.37.0", + "OrigResolved": "2.18", + "NewResolved": "2.37.0" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-5mh9-r3rr-9597", + "AffectedNodes": [ + 173 + ] + }, + { + "ID": "GHSA-7j4h-8wpf-rqfh", + "AffectedNodes": [ + 252 + ] + }, + { + "ID": "GHSA-vmqm-g3vh-847m", + "AffectedNodes": [ + 252 + ] + } + ], + "AddedVulns": [ + { + "ID": "GHSA-6jmm-mp6w-4rrg", + "AffectedNodes": [ + 252 + ] + }, + { + "ID": "GHSA-cgp8-4m63-fhh5", + 
"AffectedNodes": [ + 254 + ] + } + ] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "com.google.guava:guava" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "24.1.1-android", + "OrigResolved": "22.0", + "NewResolved": "24.1.1-android" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-mvr2-9pj6-7w5j", + "AffectedNodes": [ + 260 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "com.jcraft:jsch" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "0.1.54", + "OrigResolved": "0.1.53", + "NewResolved": "0.1.54" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-q446-82vq-w674", + "AffectedNodes": [ + 151 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "com.nimbusds:nimbus-jose-jwt" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "9.37.2", + "OrigResolved": "9.13", + "NewResolved": "9.37.2" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-gvpg-vgmx-xg6w", + "AffectedNodes": [ + 28 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "io.netty:netty" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "3.9.8.Final", + "OrigResolved": "3.5.2.Final", + "NewResolved": "3.9.8.Final" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-xfv3-rrfm-f2rv", + "AffectedNodes": [ + 175 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "io.netty:netty-handler" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "4.1.46.Final", + "OrigResolved": "4.1.27.Final", + "NewResolved": "4.1.46.Final" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-mm9x-g8pc-w292", + "AffectedNodes": [ + 257 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + 
"System": 6, + "Name": "org.apache.directory.api:api-ldap-model" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "1.0.0-M31", + "OrigResolved": "1.0.0-M20", + "NewResolved": "1.0.0-M31" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-cx3q-cv6w-mx4h", + "AffectedNodes": [ + 104 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "org.apache.mina:mina-core" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "2.0.21", + "OrigResolved": "2.0.7", + "NewResolved": "2.0.21" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-5h29-qq92-wj7f", + "AffectedNodes": [ + 167 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "org.apache.shiro:shiro-core" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "1.13.0", + "OrigResolved": "1.10.0", + "NewResolved": "1.13.0" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-jc7h-c423-mpjc", + "AffectedNodes": [ + 19 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "org.apache.shiro:shiro-web" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "1.12.0", + "OrigResolved": "1.10.0", + "NewResolved": "1.12.0" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-pmhc-2g4f-85cg", + "AffectedNodes": [ + 21 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "org.glassfish.jersey.core:jersey-common" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "2.34", + "OrigResolved": "2.30", + "NewResolved": "2.34" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-c43q-5hpj-4crv", + "AffectedNodes": [ + 68 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "xalan:xalan" + }, + "Type": {}, + "OrigRequire": "", + 
"NewRequire": "2.7.3", + "OrigResolved": "2.7.2", + "NewResolved": "2.7.3" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-9339-86wc-4qgf", + "AffectedNodes": [ + 249 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "org.apache.thrift:libthrift" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "0.14.0", + "OrigResolved": "0.13.0", + "NewResolved": "0.14.0" + }, + { + "Pkg": { + "System": 6, + "Name": "org.apache.tomcat.embed:tomcat-embed-core" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "8.5.99", + "OrigResolved": "8.5.46", + "NewResolved": "8.5.99" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-g2fg-mr77-6vrm", + "AffectedNodes": [ + 126 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "io.netty:netty-codec" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "4.1.68.Final", + "OrigResolved": "4.1.27.Final", + "NewResolved": "4.1.68.Final" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "io.netty:netty-handler" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "4.1.45.Final", + "OrigResolved": "4.1.27.Final", + "NewResolved": "4.1.45.Final" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 6, + "Name": "org.apache.thrift:libthrift" + }, + "Type": {}, + "OrigRequire": "", + "NewRequire": "0.14.0", + "OrigResolved": "0.13.0", + "NewResolved": "0.14.0" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-g2fg-mr77-6vrm", + "AffectedNodes": [ + 126 + ] + } + ], + "AddedVulns": [ + { + "ID": "GHSA-2rvv-w9r2-rg7m", + "AffectedNodes": [ + 179 + ] + }, + { + "ID": "GHSA-7w75-32cg-r6g2", + "AffectedNodes": [ + 179 + ] + }, + { + "ID": 
"GHSA-9xcj-c8cr-8c3c", + "AffectedNodes": [ + 179 + ] + }, + { + "ID": "GHSA-c9hw-wf7x-jp9j", + "AffectedNodes": [ + 179 + ] + }, + { + "ID": "GHSA-f4qf-m5gf-8jm8", + "AffectedNodes": [ + 179 + ] + }, + { + "ID": "GHSA-fccv-jmmp-qg76", + "AffectedNodes": [ + 179 + ] + }, + { + "ID": "GHSA-g8pj-r55q-5c2v", + "AffectedNodes": [ + 179 + ] + }, + { + "ID": "GHSA-hh3j-x4mc-g48r", + "AffectedNodes": [ + 179 + ] + }, + { + "ID": "GHSA-j39c-c8hj-x4j3", + "AffectedNodes": [ + 179 + ] + }, + { + "ID": "GHSA-jgwr-3qm3-26f3", + "AffectedNodes": [ + 179 + ] + }, + { + "ID": "GHSA-p22x-g9px-3945", + "AffectedNodes": [ + 179 + ] + }, + { + "ID": "GHSA-q3mw-pvr8-9ggc", + "AffectedNodes": [ + 179 + ] + }, + { + "ID": "GHSA-qppj-fm5r-hxr3", + "AffectedNodes": [ + 179 + ] + }, + { + "ID": "GHSA-qxf4-chvg-4r8r", + "AffectedNodes": [ + 179 + ] + }, + { + "ID": "GHSA-r6j3-px5g-cq3x", + "AffectedNodes": [ + 179 + ] + } + ] + } +] +--- + +[TestComputeRelaxPatches/npm-santatracker - 1] +[ + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 3, + "Name": "mocha" + }, + "Type": {}, + "OrigRequire": "^5.2.0", + "NewRequire": "^9.2.2", + "OrigResolved": "5.2.0", + "NewResolved": "9.2.2" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-f8q6-p94x-37v3", + "AffectedNodes": [ + 571 + ] + }, + { + "ID": "GHSA-vh95-rmgr-6w4m", + "AffectedNodes": [ + 575 + ] + }, + { + "ID": "GHSA-xvch-5gv4-984h", + "AffectedNodes": [ + 575 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 3, + "Name": "mocha" + }, + "Type": {}, + "OrigRequire": "^5.2.0", + "NewRequire": "^8.4.0", + "OrigResolved": "5.2.0", + "NewResolved": "8.4.0" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-vh95-rmgr-6w4m", + "AffectedNodes": [ + 575 + ] + }, + { + "ID": "GHSA-xvch-5gv4-984h", + "AffectedNodes": [ + 575 + ] + } + ], + "AddedVulns": [ + { + "ID": "GHSA-qrpm-p2h7-hrv2", + "AffectedNodes": [ + 578 + ] + } + ] + }, + { + 
"Patch": { + "Deps": [ + { + "Pkg": { + "System": 3, + "Name": "@google-cloud/cloudbuild" + }, + "Type": {}, + "OrigRequire": "^2.6.0", + "NewRequire": "^4.4.0", + "OrigResolved": "2.6.0", + "NewResolved": "4.4.0" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-h755-8qp9-cq85", + "AffectedNodes": [ + 221 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 3, + "Name": "autoprefixer" + }, + "Type": {}, + "OrigRequire": "^9.3.0", + "NewRequire": "^10.4.19", + "OrigResolved": "9.8.8", + "NewResolved": "10.4.19" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-7fh5-64p2-3v2j", + "AffectedNodes": [ + 327 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 3, + "Name": "google-closure-library" + }, + "Type": {}, + "OrigRequire": "^20190909.0.0", + "NewRequire": "^20200315.0.0", + "OrigResolved": "20190909.0.0", + "NewResolved": "20200315.0.0" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-vh5w-fg69-rc8m", + "AffectedNodes": [ + 24 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 3, + "Name": "terser" + }, + "Type": {}, + "OrigRequire": "^3.10.11", + "NewRequire": "^4.8.1", + "OrigResolved": "3.17.0", + "NewResolved": "4.8.1" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-4wf5-vphf-c2xc", + "AffectedNodes": [ + 44 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 3, + "Name": "yargs" + }, + "Type": {}, + "OrigRequire": "^12.0.2", + "NewRequire": "^13.3.2", + "OrigResolved": "12.0.5", + "NewResolved": "13.3.2" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-p9pc-299p-vxgp", + "AffectedNodes": [ + 610 + ] + } + ], + "AddedVulns": [] + }, + { + "Patch": { + "Deps": [ + { + "Pkg": { + "System": 3, + "Name": "mocha" + }, + "Type": {}, + "OrigRequire": 
"^5.2.0", + "NewRequire": "^6.2.3", + "OrigResolved": "5.2.0", + "NewResolved": "6.2.3" + } + ], + "EcosystemSpecific": null + }, + "RemovedVulns": [ + { + "ID": "GHSA-vh95-rmgr-6w4m", + "AffectedNodes": [ + 575 + ] + }, + { + "ID": "GHSA-xvch-5gv4-984h", + "AffectedNodes": [ + 575 + ] + } + ], + "AddedVulns": [ + { + "ID": "GHSA-2j2x-2gpw-g8fm", + "AffectedNodes": [ + 675 + ] + }, + { + "ID": "GHSA-gxpj-cx7g-858c", + "AffectedNodes": [ + 566 + ] + } + ] + } +] +--- diff --git a/internal/remediation/fixtures/zeppelin-server/parent/parent/pom.xml b/internal/remediation/fixtures/zeppelin-server/parent/parent/pom.xml new file mode 100644 index 00000000000..0e5103ba8af --- /dev/null +++ b/internal/remediation/fixtures/zeppelin-server/parent/parent/pom.xml 
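Review bot: Two of the override patches recorded for maven-zeppelin-server (`io.netty:netty-codec` to 4.1.68.Final and `io.netty:netty-handler` to 4.1.45.Final) have both `RemovedVulns` and `AddedVulns` empty, so the new snapshot blesses patches that fix nothing. If that is intentional (for example a bump needed to make another patch resolvable) the test helper that produces this snapshot should say so in a comment; otherwise it looks like the override computation is not filtering no-op patches and the snapshot is locking in that behaviour. Worth confirming before this file is accepted as the expected output.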
@@ -0,0 +1,538 @@ + + + + + + 4.0.0 + + + org.apache + apache + 28 + pom + + The Apache Software Foundation + + The Apache Software Foundation provides support for the Apache community of open-source software projects. + The Apache projects are characterized by a collaborative, consensus based development process, an open and + pragmatic software license, and a desire to create high quality software that leads the way in its field. + We consider ourselves not simply a group of projects sharing a server, but rather a community of developers + and users. + + https://www.apache.org/ + + The Apache Software Foundation + https://www.apache.org/ + + + + Apache License, Version 2.0 + https://www.apache.org/licenses/LICENSE-2.0.txt + repo + + + + + + Apache Announce List + announce-subscribe@apache.org + announce-unsubscribe@apache.org + announce@apache.org + https://mail-archives.apache.org/mod_mbox/www-announce/ + + + + + scm:git:https://gitbox.apache.org/repos/asf/maven-apache-parent.git + scm:git:https://gitbox.apache.org/repos/asf/maven-apache-parent.git + https://github.com/apache/maven-apache-parent/tree/${project.scm.tag} + apache-28 + + + + + apache.releases.https + ${distMgmtReleasesName} + ${distMgmtReleasesUrl} + + + apache.snapshots.https + ${distMgmtSnapshotsName} + ${distMgmtSnapshotsUrl} + + + + + Apache Release Distribution Repository + https://repository.apache.org/service/local/staging/deploy/maven2 + Apache Development Snapshot Repository + https://repository.apache.org/content/repositories/snapshots + https://www.apache.org/images/asf_logo_wide_2016.png + UTF-8 + UTF-8 + source-release + true + 3.2.5 + 1.8 + ${maven.compiler.target} + 1.7 + 2.22.2 + 3.7.0 + posix + 2022-11-14T22:50:41Z + + + + + + org.apache.maven.plugin-tools + maven-plugin-annotations + ${maven.plugin.tools.version} + + + + + + + apache.snapshots + Apache Snapshot Repository + https://repository.apache.org/snapshots + + false + + + + + + apache.snapshots + Apache Snapshot Repository 
+ https://repository.apache.org/snapshots + + false + + + + + + + + + + org.apache.maven.plugins + maven-antrun-plugin + 3.1.0 + + + org.apache.maven.plugins + maven-assembly-plugin + 3.4.2 + + + org.apache.maven.plugins + maven-clean-plugin + 3.2.0 + + + org.apache.maven.plugins + maven-compiler-plugin + 3.10.1 + + + org.apache.maven.plugins + maven-dependency-plugin + 3.3.0 + + + org.apache.maven.plugins + maven-deploy-plugin + 2.8.2 + + + org.apache.maven.plugins + maven-ear-plugin + 3.2.0 + + + org.apache.maven.plugins + maven-enforcer-plugin + 3.1.0 + + + org.apache.maven.plugins + maven-failsafe-plugin + ${surefire.version} + + + org.apache.maven.plugins + maven-gpg-plugin + 3.0.1 + + + --digest-algo=SHA512 + + + + + org.apache.maven.plugins + maven-help-plugin + 3.3.0 + + + org.apache.maven.plugins + maven-install-plugin + 3.0.1 + + + org.apache.maven.plugins + maven-invoker-plugin + 3.3.0 + + + org.apache.maven.plugins + maven-jar-plugin + 3.3.0 + + + + true + true + + + + + + org.apache.maven.plugins + maven-javadoc-plugin + 3.4.1 + + true + + + + org.apache.maven.plugins + maven-plugin-plugin + ${maven.plugin.tools.version} + + + org.apache.maven.plugins + maven-plugin-report-plugin + ${maven.plugin.tools.version} + + + org.apache.maven.plugins + maven-project-info-reports-plugin + 3.4.1 + + + org.eclipse.m2e:lifecycle-mapping + + + + + + org.apache.maven.plugins + maven-release-plugin + 3.0.0-M6 + + false + deploy + apache-release + + + + + org.apache.maven.plugins + maven-remote-resources-plugin + 1.7.0 + + + org.apache.maven.plugins + maven-resources-plugin + 3.3.0 + + + org.apache.maven.plugins + maven-scm-plugin + 1.13.0 + + + org.apache.maven.plugins + maven-scm-publish-plugin + 3.1.0 + + + org.apache.maven.plugins + maven-site-plugin + 3.12.1 + + + org.apache.maven.plugins + maven-source-plugin + 3.2.1 + + + org.apache.maven.plugins + maven-surefire-plugin + ${surefire.version} + + + org.apache.maven.plugins + maven-surefire-report-plugin + 
${surefire.version} + + + org.apache.maven.plugins + maven-war-plugin + 3.3.2 + + + org.apache.maven.plugins + maven-shade-plugin + 3.4.1 + + + org.apache.rat + apache-rat-plugin + 0.15 + + + + + + + org.apache.maven.plugins + maven-remote-resources-plugin + + + process-resource-bundles + + process + + + + org.apache:apache-jar-resource-bundle:1.4 + + + + + + + org.apache.maven.plugins + maven-enforcer-plugin + + + enforce-maven-version + + enforce + + + + + ${minimalMavenBuildVersion} + + + + + + enforce-java-version + + enforce + + + + + ${minimalJavaBuildVersion} + + + + + + + + org.apache.maven.plugins + maven-site-plugin + + + attach-descriptor + + attach-descriptor + + + + + + + + + + + apache-release + + + + + org.apache.maven.plugins + maven-assembly-plugin + + + org.apache.apache.resources + apache-source-release-assembly-descriptor + 1.0.6 + + + + + source-release-assembly + package + + single + + + true + + ${sourceReleaseAssemblyDescriptor} + + ${assembly.tarLongFileMode} + + + + + + + true + org.apache.maven.plugins + maven-deploy-plugin + + true + + + + org.apache.maven.plugins + maven-source-plugin + + + attach-sources + + jar-no-fork + + + + + + org.apache.maven.plugins + maven-javadoc-plugin + + + attach-javadocs + + jar + + + + + + + net.nicoulaj.maven.plugins + checksum-maven-plugin + 1.11 + + + source-release-checksum + + artifacts + + + post-integration-test + + + SHA-512 + + + source-release + true + false + + true + + + + + + + org.apache.maven.plugins + maven-gpg-plugin + + + sign-release-artifacts + + sign + + + + + + + + + + only-eclipse + + + m2e.version + + + + + + + + org.eclipse.m2e + lifecycle-mapping + 1.0.0 + + + + + + + org.apache.maven.plugins + maven-remote-resources-plugin + [0,1.8.0) + + process + + + + + + + + + + + + + + + + diff --git a/internal/remediation/fixtures/zeppelin-server/parent/pom.xml b/internal/remediation/fixtures/zeppelin-server/parent/pom.xml new file mode 100644 index 00000000000..5c45d4d915c --- /dev/null 
+++ b/internal/remediation/fixtures/zeppelin-server/parent/pom.xml 
@@ -0,0 +1,2094 @@ + + + + + + 4.0.0 + + org.apache.zeppelin + zeppelin + pom + 0.11.1 + Zeppelin + Zeppelin project + https://zeppelin.apache.org + + + org.apache + apache + 28 + ./parent + + + + + The Apache Software License, Version 2.0 + https://www.apache.org/licenses/LICENSE-2.0.txt + repo + + + + + https://git-wip-us.apache.org/repos/asf/zeppelin.git + scm:git:https://git-wip-us.apache.org/repos/asf/zeppelin.git + scm:git:https://git-wip-us.apache.org/repos/asf/zeppelin.git + + + 2013 + + + build-tools + zeppelin-interpreter-parent + zeppelin-interpreter + zeppelin-interpreter-shaded + zeppelin-zengine + rlang + zeppelin-jupyter-interpreter + zeppelin-jupyter-interpreter-shaded + groovy + spark + spark-submit + submarine + markdown + mongodb + angular + shell + livy + hbase + jdbc + file + flink + flink-cmd + influxdb + python + cassandra + elasticsearch + bigquery + alluxio + neo4j + java + sparql + zeppelin-common + zeppelin-client + zeppelin-client-examples + zeppelin-web + zeppelin-server + zeppelin-jupyter + zeppelin-plugins + zeppelin-distribution + + + + UTF-8 + + + 1.8 + + ${java.version} + ${java.version} + ${scala.2.11.version} + 2.11 + 2.11.12 + 2.12.17 + 3.2.15 + 1.17.0 + + + v16.20.2 + 8.19.4 + 1.12.1 + + + 1.7.35 + 1.2.25 + 0.13.0 + 0.62.2 + 2.8.9 + 0.2.2 + 20240205 + 9.4.52.v20230823 + 4.4.1 + 4.5.13 + 4.0.2 + 1.21 + 3.12.0 + 1.10.0 + 2.8.0 + 1.3 + 1.14 + 2.7 + 3.2.2 + 1.4 + 1.10.0 + 1.70 + 3.6.3 + 4.1.14 + 1.6.0 + + 2.7.7 + 3.0.3 + 3.1.3 + 3.2.4 + 3.3.6 + ${hadoop2.7.version} + provided + hadoop-client + hadoop-yarn-api + hadoop-client + + 2.3.2 + 1.5.4 + 1.16.1 + 3.21.7 + 1.51.0 + 2.14.0 + + + 5.7.1 + 3.12.4 + 1.7.0 + 4.2.0 + + + 1.8 + 3.2.0 + 1.7.7 + 1.7 + 1.4 + 2.17 + 3.1.0 + 2.7 + 3.8.1 + 3.1.2 + 2.8.2 + 1.6.0 + 3.0.0-M3 + 1.6.0 + 2.17 + 4.0.0 + 1.6 + 3.2.0 + 3.2.0 + 1.0.0 + 3.11.4 + 0.13 + 3.1.0 + 1.4 + 4.6.3 + 2.15.2 + 1.7.1 + 2.0.0 + 1.11.2 + 3.2.1 + 2.22.2 + 1.4.1.Final + + 1.19.0 + + 512m + + + + + + + + + + com.vladsch.flexmark + 
flexmark-all + ${flexmark.all.version} + + + + commons-logging + commons-logging + + + + + + + org.slf4j + slf4j-api + ${slf4j.version} + + + + org.slf4j + slf4j-reload4j + ${slf4j.version} + + + ch.qos.reload4j + reload4j + + + + + + ch.qos.reload4j + reload4j + ${reload4j.version} + + + + + org.slf4j + jcl-over-slf4j + ${slf4j.version} + + + + org.apache.thrift + libthrift + ${libthrift.version} + + + javax.annotation + javax.annotation-api + + + + + + org.apache.httpcomponents + httpcore + ${httpcomponents.core.version} + + + + org.apache.httpcomponents + httpclient + ${httpcomponents.client.version} + + + + commons-logging + commons-logging + + + + + + org.apache.httpcomponents + httpasyncclient + ${httpcomponents.asyncclient.version} + + + + commons-logging + commons-logging + + + + + + org.apache.commons + commons-lang3 + ${commons.lang3.version} + + + + org.apache.commons + commons-text + ${commons.text.version} + + + + org.apache.commons + commons-exec + ${commons.exec.version} + + + + com.google.code.gson + gson + ${gson.version} + + + + org.json + json + ${org-json.version} + + + + org.danilopianini + gson-extras + ${gson-extras.version} + + + + org.apache.commons + commons-configuration2 + ${commons.configuration2.version} + + + + + commons-lang + commons-lang + 2.6 + + + + commons-codec + commons-codec + ${commons.codec.version} + + + + commons-io + commons-io + ${commons.io.version} + + + + commons-collections + commons-collections + ${commons.collections.version} + + + + commons-cli + commons-cli + ${commons.cli.version} + + + + + org.apache.shiro + shiro-core + ${shiro.version} + + + org.apache.shiro + shiro-web + ${shiro.version} + + + org.apache.shiro + shiro-config-core + ${shiro.version} + + + + org.bouncycastle + bcpkix-jdk15on + ${bouncycastle.version} + + + + org.codehaus.jettison + jettison + ${jettison.version} + + + + org.apache.hadoop + ${hadoop-client-api.artifact} + ${hadoop.version} + ${hadoop.deps.scope} + + + org.apache.zookeeper + 
zookeeper + + + org.apache.hadoop + hadoop-common + + + com.sun.jersey + jersey-core + + + com.sun.jersey + jersey-json + + + com.sun.jersey + jersey-client + + + com.sun.jersey + jersey-server + + + javax.servlet + servlet-api + + + org.apache.avro + avro + + + org.apache.jackrabbit + jackrabbit-webdav + + + io.netty + netty + + + io.netty + netty-all + + + commons-httpclient + commons-httpclient + + + org.eclipse.jgit + org.eclipse.jgit + + + com.jcraft + jsch + + + org.apache.commons + commons-compress + + + xml-apis + xml-apis + + + xerces + xercesImpl + + + com.google.guava + guava + + + com.google.code.findbugs + jsr305 + + + org.apache.commons + commons-math3 + + + com.fasterxml.jackson.core + jackson-annotations + + + com.nimbusds + nimbus-jose-jwt + + + org.eclipse.jetty + jetty-xml + + + org.eclipse.jetty + jetty-servlet + + + org.eclipse.jetty + jetty-util + + + commons-beanutils + commons-beanutils + + + org.apache.commons + commons-configuration2 + + + commons-beanutils + commons-beanutils-core + + + org.eclipse.jetty + jetty-webapp + + + com.fasterxml.jackson.module + jackson-module-jaxb-annotations + + + com.fasterxml.jackson.core + jackson-core + + + com.fasterxml.jackson.core + jackson-databind + + + + commons-logging + commons-logging + + + + + + org.apache.hadoop + hadoop-yarn-common + ${hadoop.version} + ${hadoop.deps.scope} + + + asm + asm + + + org.ow2.asm + asm + + + org.jboss.netty + netty + + + javax.servlet + servlet-api + + + commons-logging + commons-logging + + + com.sun.jersey + * + + + com.sun.jersey.jersey-test-framework + * + + + com.sun.jersey.contribs + * + + + com.google.guava + guava + + + org.apache.commons + commons-compress + + + + + + org.apache.hadoop + hadoop-yarn-client + ${hadoop.version} + ${hadoop.deps.scope} + + + javax.servlet + servlet-api + + + org.apache.avro + avro + + + org.apache.jackrabbit + jackrabbit-webdav + + + io.netty + netty + + + commons-httpclient + commons-httpclient + + + org.eclipse.jgit + 
org.eclipse.jgit + + + com.jcraft + jsch + + + org.apache.commons + commons-compress + + + xml-apis + xml-apis + + + xerces + xercesImpl + + + org.codehaus.jackson + jackson-mapper-asl + + + org.codehaus.jackson + jackson-core-asl + + + com.google.guava + guava + + + com.google.code.findbugs + jsr305 + + + org.apache.commons + commons-math3 + + + + commons-logging + commons-logging + + + log4j + log4j + + + + + + org.apache.hadoop + hadoop-yarn-api + ${hadoop.version} + ${hadoop.deps.scope} + + + javax.servlet + servlet-api + + + org.apache.avro + avro + + + org.apache.jackrabbit + jackrabbit-webdav + + + io.netty + netty + + + commons-httpclient + commons-httpclient + + + org.eclipse.jgit + org.eclipse.jgit + + + com.jcraft + jsch + + + org.apache.commons + commons-compress + + + xml-apis + xml-apis + + + xerces + xercesImpl + + + org.codehaus.jackson + jackson-mapper-asl + + + org.codehaus.jackson + jackson-core-asl + + + com.google.guava + guava + + + com.google.code.findbugs + jsr305 + + + org.apache.commons + commons-math3 + + + + commons-logging + commons-logging + + + + + + + + org.apache.hadoop + hadoop-yarn-server-tests + ${hadoop.version} + tests + test + + + org.apache.hadoop + hadoop-yarn-common + + + com.sun.jersey + jersey-core + + + com.sun.jersey + jersey-client + + + com.sun.jersey + jersey-server + + + javax.servlet + servlet-api + + + org.apache.avro + avro + + + org.apache.jackrabbit + jackrabbit-webdav + + + io.netty + netty + + + commons-httpclient + commons-httpclient + + + org.eclipse.jgit + org.eclipse.jgit + + + com.jcraft + jsch + + + org.apache.commons + commons-compress + + + xml-apis + xml-apis + + + xerces + xercesImpl + + + org.codehaus.jackson + jackson-core-asl + + + org.codehaus.jackson + jackson-jaxrs + + + org.codehaus.jackson + jackson-xc + + + org.codehaus.jackson + jackson-mapper-asl + + + com.google.guava + guava + + + javax.xml.bind + jaxb-api + + + com.fasterxml.jackson.core + jackson-core + + + org.eclipse.jetty + 
jetty-util + + + com.zaxxer + HikariCP-java7 + + + com.fasterxml.jackson.core + jackson-annotations + + + com.fasterxml.jackson.module + jackson-module-jaxb-annotations + + + + commons-logging + commons-logging + + + io.dropwizard.metrics + metrics-core + + + com.google.guava + guava + + + com.fasterxml.jackson.core + jackson-databind + + + + + + org.apache.hadoop + hadoop-common + ${hadoop.version} + ${hadoop.deps.scope} + + + com.sun.jersey + jersey-core + + + com.sun.jersey + jersey-json + + + com.sun.jersey + jersey-client + + + com.sun.jersey + jersey-server + + + javax.servlet + servlet-api + + + org.apache.avro + avro + + + org.apache.jackrabbit + jackrabbit-webdav + + + io.netty + netty + + + commons-httpclient + commons-httpclient + + + org.eclipse.jgit + org.eclipse.jgit + + + com.jcraft + jsch + + + org.apache.commons + commons-compress + + + xml-apis + xml-apis + + + xerces + xercesImpl + + + org.codehaus.jackson + jackson-mapper-asl + + + org.codehaus.jackson + jackson-core-asl + + + com.google.guava + guava + + + com.google.code.findbugs + jsr305 + + + org.apache.commons + commons-math3 + + + commons-beanutils + commons-beanutils + + + commons-beanutils + commons-beanutils-core + + + org.apache.commons + commons-configuration2 + + + org.apache.zookeeper + zookeeper + + + org.eclipse.jetty + jetty-servlet + + + org.eclipse.jetty + jetty-util + + + org.eclipse.jetty + jetty-webapp + + + org.eclipse.jetty + jetty-server + + + com.nimbusds + nimbus-jose-jwt + + + com.fasterxml.jackson.core + jackson-databind + + + + commons-logging + commons-logging + + + org.ow2.asm + asm + + + com.jamesmurty.utils + java-xmlbuilder + + + + + + org.apache.hadoop + hadoop-common + ${hadoop.version} + tests + test + + + com.sun.jersey + jersey-core + + + com.sun.jersey + jersey-json + + + com.sun.jersey + jersey-client + + + com.sun.jersey + jersey-server + + + javax.servlet + servlet-api + + + org.apache.avro + avro + + + org.apache.jackrabbit + jackrabbit-webdav + + + 
io.netty + netty + + + commons-httpclient + commons-httpclient + + + org.eclipse.jgit + org.eclipse.jgit + + + com.jcraft + jsch + + + org.apache.commons + commons-compress + + + xml-apis + xml-apis + + + xerces + xercesImpl + + + org.codehaus.jackson + jackson-mapper-asl + + + org.codehaus.jackson + jackson-core-asl + + + com.google.guava + guava + + + com.google.code.findbugs + jsr305 + + + org.apache.commons + commons-math3 + + + commons-beanutils + commons-beanutils + + + org.apache.commons + commons-configuration2 + + + org.apache.zookeeper + zookeeper + + + org.eclipse.jetty + jetty-servlet + + + org.eclipse.jetty + jetty-util + + + org.eclipse.jetty + jetty-webapp + + + org.eclipse.jetty + jetty-server + + + com.nimbusds + nimbus-jose-jwt + + + com.fasterxml.jackson.core + jackson-databind + + + + commons-logging + commons-logging + + + log4j + log4j + + + org.slf4j + slf4j-log4j12 + + + org.ow2.asm + asm + + + + + + + org.junit.jupiter + junit-jupiter-engine + ${junit.jupiter.version} + test + + + + org.junit.jupiter + junit-jupiter-params + ${junit.jupiter.version} + test + + + + org.assertj + assertj-core + ${assertj.version} + test + + + + org.mockito + mockito-core + ${mockito.version} + test + + + + org.testcontainers + testcontainers + ${testcontainers.version} + test + + + + org.awaitility + awaitility + ${awaitility.version} + test + + + + org.testcontainers + neo4j + ${testcontainers.version} + test + + + + org.testcontainers + junit-jupiter + ${testcontainers.version} + test + + + + org.apache.hadoop + hadoop-hdfs + ${hadoop.version} + test + + + com.sun.jersey + jersey-json + + + com.sun.jersey + jersey-client + + + javax.servlet + servlet-api + + + org.apache.avro + avro + + + org.apache.jackrabbit + jackrabbit-webdav + + + io.netty + netty + + + commons-httpclient + commons-httpclient + + + org.eclipse.jgit + org.eclipse.jgit + + + com.jcraft + jsch + + + org.apache.commons + commons-compress + + + xml-apis + xml-apis + + + xerces + xercesImpl 
+ + + com.google.guava + guava + + + io.netty + netty-all + + + org.eclipse.jetty + jetty-util + + + com.fasterxml.jackson.core + jackson-annotations + + + + commons-logging + commons-logging + + + com.fasterxml.jackson.core + jackson-databind + + + + + + org.apache.hadoop + hadoop-hdfs + ${hadoop.version} + tests + test + + + com.sun.jersey + jersey-json + + + com.sun.jersey + jersey-client + + + javax.servlet + servlet-api + + + org.apache.avro + avro + + + org.apache.jackrabbit + jackrabbit-webdav + + + io.netty + netty + + + commons-httpclient + commons-httpclient + + + org.eclipse.jgit + org.eclipse.jgit + + + com.jcraft + jsch + + + org.apache.commons + commons-compress + + + xml-apis + xml-apis + + + xerces + xercesImpl + + + com.google.guava + guava + + + io.netty + netty-all + + + org.eclipse.jetty + jetty-util + + + com.fasterxml.jackson.core + jackson-annotations + + + + commons-logging + commons-logging + + + log4j + log4j + + + com.fasterxml.jackson.core + jackson-databind + + + + + + org.apache.hadoop + ${hadoop-client-runtime.artifact} + ${hadoop.version} + ${hadoop.deps.scope} + + + commons-logging + commons-logging + + + com.google.code.findbugs + jsr305 + + + + + org.apache.hadoop + ${hadoop-client-minicluster.artifact} + ${hadoop.version} + test + + + + + + + + + + org.apache.maven.plugins + maven-compiler-plugin + + ${java.version} + ${java.version} + + + + + + + + + + + + + + + + + + + + + + + + + + + org.apache.maven.plugins + maven-jar-plugin + + + + true + lib/ + theMainClass + + + + + + + org.apache.maven.plugins + maven-scm-plugin + + developerConnection + branch-0.1 + branch + + + + + org.apache.maven.plugins + maven-enforcer-plugin + + + enforce-dependency-convergence + + + + + true + + + enforce + + + + + + + org.apache.maven.plugins + maven-deploy-plugin + + + + + + + + + org.apache.maven.plugins + maven-jar-plugin + ${plugin.jar.version} + + + + org.apache.maven.plugins + maven-scm-plugin + ${plugin.scm.version} + + + + 
pl.project13.maven + git-commit-id-plugin + ${plugin.git.commit.id.version} + + + + org.apache.maven.plugins + maven-enforcer-plugin + ${plugin.enforcer.version} + + + + org.apache.maven.plugins + maven-deploy-plugin + ${plugin.deploy.version} + + + + org.apache.maven.plugins + maven-checkstyle-plugin + ${plugin.checkstyle.version} + + true + ${basedir}/src/main/java,${basedir}/src/main/scala + ${basedir}/src/test/java + + zeppelin/checkstyle.xml + + + + checkstyle-fail-build + + check + + + true + org/apache/zeppelin/interpreter/thrift/*,org/apache/zeppelin/python/proto/* + + + + + + org.apache.zeppelin + build-tools + ${project.version} + + + + + + org.apache.maven.plugins + maven-clean-plugin + ${plugin.clean.version} + + + + net.alchim31.maven + scala-maven-plugin + ${plugin.scala.alchim31.version} + + all + + -unchecked + -deprecation + -feature + + + + + + org.apache.maven.plugins + maven-surefire-plugin + ${plugin.surefire.version} + + -Xmx2g -Xms1g -Dfile.encoding=UTF-8 + + true + + + ${tests.to.exclude} + + + + + + + org.apache.maven.plugins + maven-assembly-plugin + ${plugin.assembly.version} + + + + org.codehaus.mojo + exec-maven-plugin + ${plugin.exec.version} + + + + org.codehaus.mojo + cobertura-maven-plugin + ${plugin.cobertura.version} + + + + com.googlecode.maven-download-plugin + download-maven-plugin + ${plugin.download.version} + + + + org.apache.maven.plugins + maven-antrun-plugin + ${plugin.antrun.version} + + + + org.apache.maven.plugins + maven-dependency-plugin + ${plugin.dependency.version} + + + copy-dependencies + process-test-resources + + copy-dependencies + + + ${project.build.directory}/lib + false + false + true + runtime + + + + + + + org.scalatest + scalatest-maven-plugin + ${plugin.scalatest.version} + + + + + org.codehaus.mojo + build-helper-maven-plugin + ${plugin.buildhelper.version} + + + + com.github.eirslett + frontend-maven-plugin + ${plugin.frontend.version} + + + + org.apache.maven.plugins + maven-failsafe-plugin + 
${plugin.failsafe.version} + + + + com.github.os72 + protoc-jar-maven-plugin + ${plugin.protobuf.version} + + + + com.bazaarvoice.maven.plugins + s3-upload-maven-plugin + ${plugin.s3.upload.version} + + + + org.codehaus.mojo + buildnumber-maven-plugin + ${plugin.buildnumber.version} + + + + org.apache.avro + avro-maven-plugin + ${plugin.avro.version} + + + + org.scalatra.scalate + maven-scalate-plugin_${scala.binary.version} + ${plugin.scalate.version} + + + + org.apache.maven.plugins + maven-source-plugin + ${plugin.source.version} + + + + org.apache.maven.plugins + maven-javadoc-plugin + ${plugin.javadoc.version} + + + + org.apache.maven.plugins + maven-gpg-plugin + ${plugin.gpg.version} + + + + org.apache.rat + apache-rat-plugin + ${plugin.rat.version} + + + + + + + + web-angular + + zeppelin-web-angular + + + + + vendor-repo + + + cloudera + https://repository.cloudera.com/artifactory/cloudera-repos/ + + + hortonworks + https://repo.hortonworks.com/content/groups/public/ + + + + + + integration + + zeppelin-integration + zeppelin-interpreter-integration + + + + + examples + + zeppelin-examples + + + + + helium-dev + + helium-dev + + + + + include-hadoop + + compile + + + + + build-distr + + false + + + + + + org.apache.maven.plugins + maven-surefire-plugin + + true + + + + + org.apache.maven.plugins + maven-assembly-plugin + + + make-assembly + package + + single + + + + + + + + + + + + publish-distr + + + + org.apache.maven.plugins + maven-surefire-plugin + + true + + + + + org.apache.maven.plugins + maven-source-plugin + + + attach-sources + + jar + + + + + + + org.apache.maven.plugins + maven-javadoc-plugin + + + attach-javadocs + + jar + + + + + + + + + + release-sign-artifacts + + + performRelease + true + + + + + + org.apache.maven.plugins + maven-gpg-plugin + + + sign-artifacts + verify + + sign + + + + + + + + + + rat + + + + org.apache.rat + apache-rat-plugin + + + **/*.keywords + reports/** + **/.idea/ + **/*.iml + .git/ + .github/ + .gitignore + 
git.properties + .repository/ + .rat-excludes/ + .Rhistory + **/*.diff + **/*.patch + **/*.avsc + **/*.avro + **/*.log + **/*.ipynb + **/test/resources/** + **/.settings/* + **/.factorypath + **/.classpath + **/.project + **/target/** + **/derby.log + **/metastore_db/ + **/logs/** + **/run/** + interpreter/** + **/local-repo/** + **/null/** + **/notebook/** + **/README.md + DEPENDENCIES + DEPLOY.md + STYLE.md + Roadmap.md + **/licenses/** + **/zeppelin-distribution/src/bin_license/** + conf/interpreter.json + conf/notebook-authorization.json + conf/credentials.json + conf/zeppelin-env.sh + conf/helium.json + spark-*-bin*/** + .spark-dist/** + **/interpreter-setting.json + **/constants.json + scripts/** + **/**/*.log + **/**/logs/** + + + **/test/karma.conf.js + **/test/spec/** + **/.babelrc + **/.bowerrc + .editorconfig + .eslintrc + protractor.conf.js + **/.tmp/** + **/target/** + **/node/** + **/node_modules/** + **/bower_components/** + **/dist/** + **/.buildignore + **/.npmignore + **/.jshintrc + **/yarn.lock + **/bower.json + **/src/fonts/Patua-One* + **/src/fonts/patua-one* + **/src/fonts/Roboto* + **/src/fonts/roboto* + **/src/fonts/fontawesome* + **/src/fonts/font-awesome* + **/src/styles/font-awesome* + **/src/fonts/Simple-Line* + **/src/fonts/simple-line* + **/src/fonts/Source-Code-Pro* + **/src/fonts/source-code-pro* + **/src/**/**.test.js + **/e2e/**/**.spec.js + package-lock.json + + + **/*.json + **/browserslist + **/.prettierrc + **/.prettierignore + **/.editorconfig + **/src/**/*.svg + **/.gitkeep + + + + **/src/main/java/org/apache/zeppelin/jdbc/SqlCompleter.java + + + docs/assets/themes/zeppelin/bootstrap/** + docs/assets/themes/zeppelin/css/style.css + docs/assets/themes/zeppelin/js/docs.js + docs/assets/themes/zeppelin/js/search.js + docs/_includes/themes/zeppelin/_jumbotron.html + docs/_includes/themes/zeppelin/_navigation.html + + + docs/404.html + docs/_config.yml + docs/_includes/JB/** + docs/_layouts/** + docs/_plugins/** + docs/atom.xml + 
docs/_includes/themes/zeppelin/default.html + docs/_includes/themes/zeppelin/page.html + docs/_includes/themes/zeppelin/post.html + docs/_includes/themes/zeppelin/settings.yml + docs/Rakefile + docs/rss.xml + docs/sitemap.txt + docs/search_data.json + **/dependency-reduced-pom.xml + + + docs/assets/themes/zeppelin/js/anchor.min.js + + + docs/assets/themes/zeppelin/js/toc.js + + + docs/assets/themes/zeppelin/js/lunr.min.js + + + docs/assets/themes/zeppelin/css/syntax.css + + + docs/_site/** + docs/Gemfile.lock + + + **/package.json + + zeppelin-jupyter-interpreter/src/main/resources/grpc/jupyter/*.py + + + + + + verify.rat + verify + + check + + + + + + + + + + + + + + org.apache.maven.plugins + maven-checkstyle-plugin + + + aggregate + false + + checkstyle-aggregate + + + + zeppelin/checkstyle.xml + org/apache/zeppelin/interpreter/thrift/*,org/apache/zeppelin/python/proto/* + + + + + + + diff --git a/internal/remediation/fixtures/zeppelin-server/pom.xml b/internal/remediation/fixtures/zeppelin-server/pom.xml new file mode 100644 index 00000000000..e7de0f5f9d8 --- /dev/null +++ b/internal/remediation/fixtures/zeppelin-server/pom.xml 
@@ -0,0 +1,519 @@ + + + + + 4.0.0 + + + zeppelin + org.apache.zeppelin + 0.11.1 + ./parent + + + zeppelin-server + jar + Zeppelin: Server + + + + + 2.30 + 1.13 + 2.1 + 1.11 + 4.1.0 + 2.12.6.1 + 9.13 + 2.0.0-M15 + + + 2.48.2 + 1.4.01 + 2.2 + + + + + + ${project.groupId} + zeppelin-zengine + ${project.version} + + + com.fasterxml.jackson.core + jackson-databind + + + com.sun.jersey + jersey-core + + + com.sun.jersey + jersey-json + + + com.sun.jersey + jersey-server + + + com.fasterxml.jackson.core + jackson-core + + + org.ow2.asm + asm + + + + commons-logging + commons-logging + + + org.slf4j + slf4j-log4j12 + + + org.slf4j + slf4j-reload4j + + + org.slf4j + jcl-over-slf4j + + + + + + org.apache.httpcomponents + httpclient + + + + org.slf4j + slf4j-reload4j + + + ch.qos.reload4j + reload4j + + + org.slf4j + jcl-over-slf4j + + + + io.dropwizard.metrics + metrics-servlets + ${dropwizard.version} + + + com.fasterxml.jackson.core + jackson-databind + + + + + + io.micrometer + micrometer-registry-prometheus + ${micrometer.version} + + + io.micrometer + micrometer-registry-jmx + ${micrometer.version} + + + + io.dropwizard.metrics + metrics-jmx + + + + + + io.dropwizard.metrics + metrics-jmx + ${dropwizard.version} + + + + org.glassfish.jersey.core + jersey-client + ${jersey.version} + + + javax.annotation + javax.annotation-api + + + + + org.glassfish.jersey.containers + jersey-container-servlet-core + ${jersey.version} + + + org.glassfish.jersey.media + jersey-media-json-jackson + ${jersey.version} + + + com.fasterxml.jackson.core + jackson-annotations + + + com.fasterxml.jackson.core + jackson-databind + + + com.fasterxml.jackson.core + jackson-core + + + + + org.glassfish.jersey.inject + jersey-hk2 + ${jersey.version} + + + org.glassfish.jersey.core + jersey-server + ${jersey.version} + + + + com.fasterxml.jackson.core + jackson-databind + ${jackson.version} + + + + javax.ws.rs + javax.ws.rs-api + ${javax.ws.rsapi.version} + + + + org.bouncycastle + bcpkix-jdk15on + + 
+ + commons-collections + commons-collections + + + + org.apache.shiro + shiro-core + + + commons-beanutils + commons-beanutils + + + + + commons-beanutils + commons-beanutils + 1.9.4 + + + + commons-logging + commons-logging + + + + + + org.apache.shiro + shiro-web + + + + org.kohsuke + libpam4j + ${libpam4j.version} + + + net.java.dev.jna + jna + + + + + + net.java.dev.jna + jna + ${jna.version} + + + + org.eclipse.jetty + jetty-webapp + ${jetty.version} + + + + org.eclipse.jetty + jetty-jmx + ${jetty.version} + + + + org.eclipse.jetty.websocket + javax-websocket-server-impl + ${jetty.version} + + + + com.google.code.gson + gson + + + + com.nimbusds + nimbus-jose-jwt + ${nimbus.version} + + + + org.quartz-scheduler + quartz + ${quartz.scheduler.version} + + + + org.apache.directory.server + apacheds-kerberos-codec + ${kerberos.version} + + + + org.apache.zeppelin + zeppelin-zengine + ${project.version} + tests + test + + + com.google.guava + guava + + + + + + org.junit.jupiter + junit-jupiter-engine + test + + + + org.hamcrest + hamcrest + ${hamcrest.version} + test + + + + org.mockito + mockito-core + test + + + + org.objenesis + objenesis + + + + + + org.seleniumhq.selenium + selenium-java + ${selenium.java.version} + test + + + org.seleniumhq.selenium + selenium-android-driver + + + commons-logging + commons-logging + + + xml-apis + xml-apis + + + org.eclipse.jetty.websocket + websocket-client + + + net.java.dev.jna + jna + + + org.apache.commons + commons-lang3 + + + com.google.guava + guava + + + + + + xml-apis + xml-apis + ${xml.apis.version} + test + + + + org.bitbucket.cowwoc + diff-match-patch + 1.1 + + + + + + maven-failsafe-plugin + + + + integration-test + verify + + + + + -Xmx2048m + + + + + maven-surefire-plugin + + 1 + false + -Xmx3g -Xms1g -Dfile.encoding=UTF-8 + + ${tests.to.exclude} + + + 1 + + + + + + + org.apache.maven.plugins + maven-jar-plugin + + + + test-jar + + + + + + + org.apache.maven.plugins + maven-dependency-plugin + + + + + + + 
using-source-tree + + true + + + + ../bin + + + + + + using-packaged-distr + + false + + + + ../zeppelin-distribution/target/zeppelin-${project.version}/zeppelin-${project.version}/bin + + + + + + hadoop2 + + + ${hadoop2.7.version} + + + + org.apache.hadoop + hadoop-common + ${hadoop.version} + ${hadoop.deps.scope} + + + + + + hadoop3 + + true + + + ${hadoop3.2.version} + hadoop-client-api + hadoop-client-runtime + + + + + org.apache.hadoop + ${hadoop-client-runtime.artifact} + ${hadoop.version} + ${hadoop.deps.scope} + + + + + + + + diff --git a/internal/remediation/fixtures/zeppelin-server/universe.yaml b/internal/remediation/fixtures/zeppelin-server/universe.yaml new file mode 100644 index 00000000000..509d9ec01f4 --- /dev/null +++ b/internal/remediation/fixtures/zeppelin-server/universe.yaml 
@@ -0,0 +1,75509 @@ +# Automatically generated by generate_mock_resolution_universe on 11 Jul 24 15:25 AEST. DO NOT EDIT. +system: Maven +schema: | + antlr:antlr + 2.7.7 + aopalliance:aopalliance + 1.0 + asm:asm + 3.1 + asm:asm-parent + 3.1 + cglib:cglib-nodep + 2.1_3 + ch.qos.logback:logback-classic + 1.2.10 + ch.qos.logback:logback-core@1.2.10 + org.slf4j:slf4j-api@1.7.32 + Opt|javax.mail:mail@1.4 + Opt|org.codehaus.janino:janino@3.0.6 + Opt|javax.servlet:javax.servlet-api@3.1.0 + ch.qos.logback:logback-core + 1.2.10 + Opt|org.codehaus.janino:janino@3.0.6 + Opt|org.fusesource.jansi:jansi@1.9 + Opt|javax.mail:mail@1.4 + Opt|javax.servlet:javax.servlet-api@3.1.0 + ch.qos.logback:logback-parent + 1.2.10 + ch.qos.reload4j:reload4j + 1.2.22 + Opt|javax.mail:mail@1.4.7 + Opt|org.apache.geronimo.specs:geronimo-jms_1.1_spec@1.0 + 1.2.25 + Opt|javax.mail:mail@1.4.7 + Opt|org.apache.geronimo.specs:geronimo-jms_1.1_spec@1.0 + com.apple:AppleJavaExtensions + 1.4 + com.beust:jcommander + 1.82 + com.esotericsoftware:kryo + 4.0.2 + com.esotericsoftware:reflectasm@1.11.3 + com.esotericsoftware:minlog@1.3.0 + org.objenesis:objenesis@2.5.1 + com.esotericsoftware:kryo-parent + 4.0.2 + com.esotericsoftware:minlog@1.3.0 + org.objenesis:objenesis@2.5.1 + com.esotericsoftware:minlog + 1.3.0 + com.esotericsoftware:reflectasm + 1.11.3 + org.ow2.asm:asm@5.0.4 + com.fasterxml.jackson.core:jackson-annotations + 2.9.0 + 2.10.3 + 2.12.6 + 2.12.7 + 2.16.1 + com.fasterxml.jackson.core:jackson-core + 2.9.9 + 2.12.6 + 2.12.7 + 2.16.1 + com.fasterxml.jackson.core:jackson-databind + 2.9.9.3 + com.fasterxml.jackson.core:jackson-annotations@2.9.0 + com.fasterxml.jackson.core:jackson-core@2.9.9 + 2.12.6 + com.fasterxml.jackson.core:jackson-annotations@2.12.6 + com.fasterxml.jackson.core:jackson-core@2.12.6 + 2.12.6.1 + com.fasterxml.jackson.core:jackson-annotations@2.12.6 + com.fasterxml.jackson.core:jackson-core@2.12.6 + 2.12.7.1 + com.fasterxml.jackson.core:jackson-annotations@2.12.7 + 
com.fasterxml.jackson.core:jackson-core@2.12.7 + 2.16.1 + com.fasterxml.jackson.core:jackson-annotations@2.16.1 + com.fasterxml.jackson.core:jackson-core@2.16.1 + com.fasterxml.jackson.jaxrs:jackson-jaxrs-base + 2.12.7 + com.fasterxml.jackson.core:jackson-core@2.12.7 + com.fasterxml.jackson.core:jackson-databind@2.12.7 + Scope provided|javax.ws.rs:javax.ws.rs-api@2.1.1 + com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider + 2.12.7 + com.fasterxml.jackson.jaxrs:jackson-jaxrs-base@2.12.7 + com.fasterxml.jackson.module:jackson-module-jaxb-annotations@2.12.7 + Scope provided|javax.ws.rs:javax.ws.rs-api@2.1.1 + com.fasterxml.jackson.jaxrs:jackson-jaxrs-providers + 2.12.7 + Scope provided|javax.ws.rs:javax.ws.rs-api@2.1.1 + com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations + 2.16.1 + com.fasterxml.jackson.core:jackson-annotations@2.16.1 + com.fasterxml.jackson.core:jackson-core@2.16.1 + com.fasterxml.jackson.core:jackson-databind@2.16.1 + jakarta.xml.bind:jakarta.xml.bind-api@3.0.1 + jakarta.activation:jakarta.activation-api@2.1.0 + com.fasterxml.jackson.module:jackson-module-jaxb-annotations + 2.9.9 + com.fasterxml.jackson.core:jackson-annotations@2.9.0 + com.fasterxml.jackson.core:jackson-core@2.9.9 + com.fasterxml.jackson.core:jackson-databind@2.9.9 + Scope provided|javax.xml.bind:jaxb-api@2.2 + 2.12.7 + com.fasterxml.jackson.core:jackson-annotations@2.12.7 + com.fasterxml.jackson.core:jackson-core@2.12.7 + com.fasterxml.jackson.core:jackson-databind@2.12.7 + jakarta.xml.bind:jakarta.xml.bind-api@2.3.2 + jakarta.activation:jakarta.activation-api@1.2.1 + com.fasterxml.jackson.module:jackson-modules-base + 2.9.9 + 2.12.7 + 2.16.1 + com.fasterxml.jackson:jackson-base + 2.9.9 + 2.12.6 + 2.12.7 + 2.16.1 + com.fasterxml.jackson:jackson-bom + 2.9.6 + 2.9.9 + 2.12.6 + 2.12.7 + 2.16.1 + com.fasterxml.jackson:jackson-parent + 2.9.0 + 2.9.1.1 + 2.9.1.2 + 2.10 + 2.12 + 2.16 + com.fasterxml.woodstox:woodstox-core + 5.4.0 + MavenExclusions 
javax.xml.stream:stax-api|org.codehaus.woodstox:stax2-api@4.2 + Opt Scope provided|net.java.dev.msv:msv-core@2013.6.1 + Opt Scope provided|net.java.dev.msv:msv-rngconverter@2013.6.1 + Opt Scope provided|net.java.dev.msv:xsdlib@2013.6.1 + Opt Scope provided|org.apache.felix:org.osgi.core@1.4.0 + com.fasterxml:oss-parent + 28 + 33 + 34 + 37 + 38 + 41 + 56 + com.github.ben-manes.caffeine:caffeine + 2.9.3 + org.checkerframework:checker-qual@3.19.0 + com.google.errorprone:error_prone_annotations@2.10.0 + com.github.docker-java:docker-java-api + 3.3.6 + com.fasterxml.jackson.core:jackson-annotations@2.10.3 + org.slf4j:slf4j-api@1.7.30 + Scope provided|com.google.code.findbugs:annotations@3.0.1u2 + Scope provided|org.projectlombok:lombok@1.18.30 + com.github.docker-java:docker-java-parent + 3.3.6 + com.github.docker-java:docker-java-transport + 3.3.6 + Scope provided|com.google.code.findbugs:annotations@3.0.1u2 + Scope provided|org.immutables:value@2.8.2 + Scope provided|net.java.dev.jna:jna@5.13.0 + com.github.docker-java:docker-java-transport-zerodep + 3.3.6 + com.github.docker-java:docker-java-transport@3.3.6 + org.slf4j:slf4j-api@1.7.25 + net.java.dev.jna:jna@5.13.0 + com.github.eirslett:frontend-maven-plugin + 1.3 + com.github.eirslett:frontend-plugin-core@1.3 + Scope provided|org.apache.maven:maven-core@3.1.0 + org.apache.maven:maven-plugin-api@3.1.0 + org.apache.maven.plugin-tools:maven-plugin-annotations@3.2 + org.sonatype.plexus:plexus-build-api@0.0.7 + com.github.eirslett:frontend-plugin-core + 1.3 + org.codehaus.jackson:jackson-mapper-asl@1.9.13 + org.codehaus.jackson:jackson-core-asl@1.9.13 + org.apache.commons:commons-compress@1.5 + commons-io:commons-io@1.3.2 + org.apache.httpcomponents:httpclient@4.5.1 + org.codehaus.plexus:plexus-utils@3.0.22 + org.slf4j:slf4j-api@1.7.5 + 1.6 + org.codehaus.jackson:jackson-mapper-asl@1.9.13 + org.codehaus.jackson:jackson-core-asl@1.9.13 + org.apache.commons:commons-compress@1.5 + commons-io:commons-io@1.3.2 + 
org.apache.commons:commons-exec@1.3 + org.apache.httpcomponents:httpclient@4.5.1 + org.codehaus.plexus:plexus-utils@3.0.22 + org.slf4j:slf4j-api@1.7.5 + com.github.eirslett:frontend-plugins + 1.3 + 1.6 + com.github.pjfanning:jersey-json + 1.20 + MavenExclusions stax:stax-api|org.codehaus.jettison:jettison@1.1 + com.sun.xml.bind:jaxb-impl@2.2.3-1 + Opt|org.eclipse.persistence:org.eclipse.persistence.moxy@2.4.2 + com.fasterxml.jackson.core:jackson-core@2.13.0 + com.fasterxml.jackson.core:jackson-databind@2.13.0 + com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider@2.13.0 + com.sun.jersey:jersey-core@1.19.4 + com.github.stephenc.jcip:jcip-annotations + 1.0-1 + com.google.auto.service:auto-service + 1.0.1 + com.google.auto.service:auto-service-annotations@1.0.1 + com.google.auto:auto-common@1.2 + com.google.guava:guava@31.0.1-jre + com.google.auto.service:auto-service-aggregator + 1.0.1 + com.google.auto.service:auto-service-annotations + 1.0.1 + com.google.auto:auto-common + 1.2 + com.google.guava:guava@31.0.1-jre + Opt|com.squareup:javapoet@1.13.0 + com.google.code.findbugs:bcel-findbugs + 6.0 + com.google.code.findbugs:findbugs + 3.0.1 + net.jcip:jcip-annotations@1.0 + com.google.code.findbugs:jsr305@2.0.1 + com.google.code.findbugs:bcel-findbugs@6.0 + com.google.code.findbugs:jFormatString@2.0.1 + dom4j:dom4j@1.6.1 + Scope provided|org.apache.ant:ant@1.7.1 + org.ow2.asm:asm-debug-all@5.0.2 + org.ow2.asm:asm-commons@5.0.2 + commons-lang:commons-lang@2.6 + com.apple:AppleJavaExtensions@1.4 + MavenExclusions com.ibm.icu:icu4j|jaxen:jaxen@1.1.6 + com.google.code.findbugs:jFormatString + 2.0.1 + com.google.code.findbugs:jsr305 + 1.3.9 + 3.0.2 + com.google.code.gson:gson + 2.2 + 2.8.9 + 2.9.0 + 2.9.1 + 2.11.0 + com.google.errorprone:error_prone_annotations@2.27.0 + com.google.code.gson:gson-parent + 2.8.9 + 2.9.0 + 2.9.1 + 2.11.0 + com.google.errorprone:error_prone_annotations + 2.0.18 + 2.1.3 + 2.11.0 + 2.18.0 + 2.27.0 + com.google.errorprone:error_prone_parent + 
2.0.18 + 2.1.3 + 2.11.0 + 2.18.0 + 2.27.0 + com.google.guava:failureaccess + 1.0 + 1.0.1 + com.google.guava:guava + 22.0 + com.google.code.findbugs:jsr305@1.3.9 + com.google.errorprone:error_prone_annotations@2.0.18 + com.google.j2objc:j2objc-annotations@1.1 + org.codehaus.mojo:animal-sniffer-annotations@1.14 + 24.1.1-android + com.google.code.findbugs:jsr305@1.3.9 + org.checkerframework:checker-compat-qual@2.0.0 + com.google.errorprone:error_prone_annotations@2.1.3 + com.google.j2objc:j2objc-annotations@1.1 + org.codehaus.mojo:animal-sniffer-annotations@1.14 + 27.0-jre + com.google.guava:failureaccess@1.0 + com.google.guava:listenablefuture@9999.0-empty-to-avoid-conflict-with-guava + com.google.code.findbugs:jsr305@3.0.2 + org.checkerframework:checker-qual@2.5.2 + com.google.errorprone:error_prone_annotations@2.2.0 + com.google.j2objc:j2objc-annotations@1.1 + org.codehaus.mojo:animal-sniffer-annotations@1.17 + 31.1-jre + com.google.guava:failureaccess@1.0.1 + com.google.guava:listenablefuture@9999.0-empty-to-avoid-conflict-with-guava + com.google.code.findbugs:jsr305@3.0.2 + org.checkerframework:checker-qual@3.12.0 + com.google.errorprone:error_prone_annotations@2.11.0 + com.google.j2objc:j2objc-annotations@1.3 + 32.0.0-android + com.google.guava:failureaccess@1.0.1 + com.google.guava:listenablefuture@9999.0-empty-to-avoid-conflict-with-guava + com.google.code.findbugs:jsr305@3.0.2 + org.checkerframework:checker-qual@3.33.0 + com.google.errorprone:error_prone_annotations@2.18.0 + com.google.j2objc:j2objc-annotations@2.8 + com.google.guava:guava-parent + 22.0 + 24.1.1-android + 26.0-android + 27.0-jre + 31.1-jre + 32.0.0-android + com.google.guava:listenablefuture + 9999.0-empty-to-avoid-conflict-with-guava + com.google.inject.extensions:extensions-parent + 4.2.3 + com.google.inject:guice@4.2.3 + com.google.inject.extensions:guice-servlet + 4.2.3 + Scope provided|javax.servlet:servlet-api@2.5 + com.google.inject:guice@4.2.3 + com.google.inject:guice + 4.2.3 + 
javax.inject:javax.inject@1 + aopalliance:aopalliance@1.0 + com.google.guava:guava@27.1-jre + Opt|org.ow2.asm:asm@7.2 + Opt|cglib:cglib@3.3.0 + com.google.inject:guice-parent + 4.2.3 + com.google.j2objc:j2objc-annotations + 1.1 + 1.3 + 2.8 + com.google.protobuf:protobuf-java + 2.5.0 + com.google.re2j:re2j + 1.1 + com.google:google + 1 + 5 + com.googlecode.javaewah:JavaEWAH + 0.7.9 + 1.1.13 + com.helger:parent-pom + 1.10.8 + com.helger:profiler + 1.1.1 + Scope provided|javax.ws.rs:javax.ws.rs-api@2.1.1 + com.ibm.icu:icu4j + 59.1 + 72.1 + com.jcraft:jsch + 0.1.53 + Opt|com.jcraft:jzlib@1.0.7 + 0.1.54 + Opt|com.jcraft:jzlib@1.0.7 + 0.1.55 + Opt|com.jcraft:jzlib@1.0.7 + com.kohlschutter.junixsocket:junixsocket-common + 2.0.4 + log4j:log4j@1.2.17 + com.kohlschutter.junixsocket:junixsocket-native-common + 2.0.4 + com.kohlschutter.junixsocket:junixsocket-common@2.0.4 + org.scijava:native-lib-loader@2.0.2 + log4j:log4j@1.2.17 + com.kohlschutter.junixsocket:junixsocket-parent + 2.0.4 + log4j:log4j@1.2.17 + com.kohlschutter:kohlschutter-parent + 1.1 + com.mchange:c3p0 + 0.9.5.4 + com.mchange:mchange-commons-java@0.2.15 + 0.9.5.5 + com.mchange:mchange-commons-java@0.2.19 + com.mchange:mchange-commons-java + 0.2.15 + Opt|com.typesafe:config@1.3.0 + Opt|log4j:log4j@[1.2.14,1.2.15),[1.2.140,1.2.150),[1.2.1400,1.2.1500),[1.2.14000,1.2.15000),[1.2.140000,1.2.150000) + Opt|org.apache.logging.log4j:log4j-api@2.7 + Opt|org.apache.logging.log4j:log4j-core@2.7 + Opt|org.slf4j:slf4j-api@[1.7.5,1.7.6),[1.7.50,1.7.60),[1.7.500,1.7.600),[1.7.5000,1.7.6000),[1.7.50000,1.7.60000) + 0.2.19 + Opt|com.typesafe:config@1.3.0 + Opt|log4j:log4j@[1.2.14,1.2.15),[1.2.140,1.2.150),[1.2.1400,1.2.1500),[1.2.14000,1.2.15000),[1.2.140000,1.2.150000) + Opt|org.apache.logging.log4j:log4j-api@2.7 + Opt|org.apache.logging.log4j:log4j-core@2.7 + Opt|org.slf4j:slf4j-api@[1.7.5,1.7.6),[1.7.50,1.7.60),[1.7.500,1.7.600),[1.7.5000,1.7.6000),[1.7.50000,1.7.60000) + com.microsoft.sqlserver:mssql-jdbc + 6.2.1.jre7 + 
Opt|com.microsoft.azure:azure-keyvault@0.9.7 + Opt|com.microsoft.azure:adal4j@1.1.3 + com.nimbusds:nimbus-jose-jwt + 9.9.3 + com.github.stephenc.jcip:jcip-annotations@1.0-1 + Opt|org.bouncycastle:bcprov-jdk15on@[1.68,2.0.0) + Opt|org.bouncycastle:bc-fips@[1.0.2,2.0.0) + Opt|org.bouncycastle:bcpkix-jdk15on@[1.68,) + Opt|com.google.crypto.tink:tink@1.5.0 + 9.13 + com.github.stephenc.jcip:jcip-annotations@1.0-1 + Opt|org.bouncycastle:bcprov-jdk15on@1.68 + Opt|org.bouncycastle:bc-fips@[1.0.2,2.0.0) + Opt|org.bouncycastle:bcpkix-jdk15on@1.68 + Opt|com.google.crypto.tink:tink@1.5.0 + 9.31 + com.github.stephenc.jcip:jcip-annotations@1.0-1 + Opt|org.bouncycastle:bcprov-jdk15on@1.70 + Opt|org.bouncycastle:bcutil-jdk15on@1.70 + Opt|org.bouncycastle:bc-fips@[1.0.2,2.0.0) + Opt|org.bouncycastle:bcpkix-jdk15on@1.70 + Opt MavenExclusions com.google.protobuf:protobuf-java,com.google.code.gson:gson|com.google.crypto.tink:tink@1.7.0 + 9.37.2 + com.github.stephenc.jcip:jcip-annotations@1.0-1 + Opt|org.bouncycastle:bcprov-jdk15on@1.70 + Opt|org.bouncycastle:bcutil-jdk15on@1.70 + Opt|org.bouncycastle:bc-fips@[1.0.2,2.0.0) + Opt|org.bouncycastle:bcpkix-jdk15on@1.70 + Opt MavenExclusions com.google.protobuf:protobuf-java,com.google.code.gson:gson|com.google.crypto.tink:tink@1.10.0 + com.openhtmltopdf:openhtmltopdf-core + 1.0.0 + 1.0.10 + com.openhtmltopdf:openhtmltopdf-jsoup-dom-converter + 1.0.0 + org.jsoup:jsoup@1.11.3 + com.openhtmltopdf:openhtmltopdf-parent + 1.0.0 + 1.0.10 + com.openhtmltopdf:openhtmltopdf-pdfbox + 1.0.0 + org.apache.pdfbox:pdfbox@2.0.16 + org.apache.pdfbox:xmpbox@2.0.16 + com.openhtmltopdf:openhtmltopdf-core@1.0.0 + de.rototor.pdfbox:graphics2d@0.24 + 1.0.10 + org.apache.pdfbox:pdfbox@2.0.24 + org.apache.pdfbox:xmpbox@2.0.24 + com.openhtmltopdf:openhtmltopdf-core@1.0.10 + de.rototor.pdfbox:graphics2d@0.32 + com.openhtmltopdf:openhtmltopdf-rtl-support + 1.0.0 + com.ibm.icu:icu4j@59.1 + com.openhtmltopdf:openhtmltopdf-core@1.0.0 + 1.0.10 + com.ibm.icu:icu4j@59.1 + 
com.openhtmltopdf:openhtmltopdf-core@1.0.10 + com.sun.activation:all + 1.2.1 + 1.2.2 + com.sun.activation:jakarta.activation + 1.2.2 + com.sun.codemodel:codemodel + 2.6 + com.sun.codemodel:codemodel-project + 2.6 + com.sun.jersey.contribs:jersey-contribs + 1.19.4 + com.sun.jersey.contribs:jersey-guice + 1.19.4 + Scope provided|javax.servlet:servlet-api@2.5 + javax.inject:javax.inject@1 + com.google.inject:guice@3.0 + com.google.inject.extensions:guice-servlet@3.0 + com.sun.jersey:jersey-servlet@1.19.4 + com.sun.jersey:jersey-client + 1.19.4 + Scope provided|org.osgi:osgi_R4_core@1.0 + com.sun.jersey:jersey-core@1.19.4 + com.sun.jersey:jersey-core + 1.19.4 + javax.ws.rs:jsr311-api@1.1.1 + Scope provided|javax.mail:mail@1.4 + Scope provided|javax.xml.bind:jaxb-api@2.1 + Scope provided|org.osgi:org.osgi.core@4.2.0 + com.sun.jersey:jersey-project + 1.19.4 + com.sun.jersey:jersey-server + 1.19.4 + Scope provided|javax.mail:mail@1.4 + Scope provided|javax.xml.bind:jaxb-api@2.1 + Scope provided|javax.annotation:jsr250-api@1.0 + Scope provided|org.osgi:osgi_R4_core@1.0 + com.sun.jersey:jersey-core@1.19.4 + com.sun.jersey:jersey-servlet + 1.19.4 + Scope provided|javax.servlet:javax.servlet-api@3.0.1 + Scope provided|javax.servlet:jsp-api@2.0 + Scope provided|org.glassfish:javax.ejb@3.1 + Scope provided|org.jboss.weld:weld-osgi-bundle@1.1.32.Final + Scope provided|javax.persistence:persistence-api@1.0 + Scope provided|ant:ant@1.6.5 + Scope provided|org.osgi:osgi_R4_core@1.0 + com.sun.jersey:jersey-server@1.19.4 + com.sun.xml.bind:jaxb-impl + 2.2.3-1 + javax.xml.bind:jaxb-api@2.2.2 + com.typesafe.netty:netty-reactive-streams + 2.0.4 + io.netty:netty-handler@4.1.43.Final + org.reactivestreams:reactive-streams@1.0.3 + com.typesafe.netty:netty-reactive-streams-parent + 2.0.4 + com.typesafe:config + 1.3.2 + com.vladsch.flexmark:flexmark + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util-ast@0.62.2 + 
com.vladsch.flexmark:flexmark-util-builder@0.62.2 + com.vladsch.flexmark:flexmark-util-collection@0.62.2 + com.vladsch.flexmark:flexmark-util-data@0.62.2 + com.vladsch.flexmark:flexmark-util-dependency@0.62.2 + com.vladsch.flexmark:flexmark-util-format@0.62.2 + com.vladsch.flexmark:flexmark-util-html@0.62.2 + com.vladsch.flexmark:flexmark-util-misc@0.62.2 + com.vladsch.flexmark:flexmark-util-sequence@0.62.2 + com.vladsch.flexmark:flexmark-util-visitor@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util-ast@0.64.8 + com.vladsch.flexmark:flexmark-util-builder@0.64.8 + com.vladsch.flexmark:flexmark-util-collection@0.64.8 + com.vladsch.flexmark:flexmark-util-data@0.64.8 + com.vladsch.flexmark:flexmark-util-dependency@0.64.8 + com.vladsch.flexmark:flexmark-util-format@0.64.8 + com.vladsch.flexmark:flexmark-util-html@0.64.8 + com.vladsch.flexmark:flexmark-util-misc@0.64.8 + com.vladsch.flexmark:flexmark-util-sequence@0.64.8 + com.vladsch.flexmark:flexmark-util-visitor@0.64.8 + com.vladsch.flexmark:flexmark-all + 0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-ext-abbreviation@0.50.40 + com.vladsch.flexmark:flexmark-ext-admonition@0.50.40 + com.vladsch.flexmark:flexmark-ext-anchorlink@0.50.40 + com.vladsch.flexmark:flexmark-ext-aside@0.50.40 + com.vladsch.flexmark:flexmark-ext-attributes@0.50.40 + com.vladsch.flexmark:flexmark-ext-autolink@0.50.40 + com.vladsch.flexmark:flexmark-ext-definition@0.50.40 + com.vladsch.flexmark:flexmark-ext-emoji@0.50.40 + com.vladsch.flexmark:flexmark-ext-enumerated-reference@0.50.40 + com.vladsch.flexmark:flexmark-ext-escaped-character@0.50.40 + com.vladsch.flexmark:flexmark-ext-footnotes@0.50.40 + com.vladsch.flexmark:flexmark-ext-gfm-issues@0.50.40 + com.vladsch.flexmark:flexmark-ext-gfm-strikethrough@0.50.40 + com.vladsch.flexmark:flexmark-ext-gfm-tables@0.50.40 + com.vladsch.flexmark:flexmark-ext-gfm-tasklist@0.50.40 + com.vladsch.flexmark:flexmark-ext-gfm-users@0.50.40 + 
com.vladsch.flexmark:flexmark-ext-gitlab@0.50.40 + com.vladsch.flexmark:flexmark-ext-jekyll-front-matter@0.50.40 + com.vladsch.flexmark:flexmark-ext-jekyll-tag@0.50.40 + com.vladsch.flexmark:flexmark-ext-media-tags@0.50.40 + com.vladsch.flexmark:flexmark-ext-macros@0.50.40 + com.vladsch.flexmark:flexmark-ext-ins@0.50.40 + com.vladsch.flexmark:flexmark-ext-xwiki-macros@0.50.40 + com.vladsch.flexmark:flexmark-ext-superscript@0.50.40 + com.vladsch.flexmark:flexmark-ext-tables@0.50.40 + com.vladsch.flexmark:flexmark-ext-toc@0.50.40 + com.vladsch.flexmark:flexmark-ext-typographic@0.50.40 + com.vladsch.flexmark:flexmark-ext-wikilink@0.50.40 + com.vladsch.flexmark:flexmark-ext-yaml-front-matter@0.50.40 + com.vladsch.flexmark:flexmark-ext-youtube-embedded@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + com.vladsch.flexmark:flexmark-html-parser@0.50.40 + com.vladsch.flexmark:flexmark-html2md-converter@0.50.40 + com.vladsch.flexmark:flexmark-jira-converter@0.50.40 + com.vladsch.flexmark:flexmark-pdf-converter@0.50.40 + com.vladsch.flexmark:flexmark-profile-pegdown@0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark-youtrack-converter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + com.vladsch.flexmark:flexmark-ext-abbreviation@0.62.2 + com.vladsch.flexmark:flexmark-ext-admonition@0.62.2 + com.vladsch.flexmark:flexmark-ext-anchorlink@0.62.2 + com.vladsch.flexmark:flexmark-ext-aside@0.62.2 + com.vladsch.flexmark:flexmark-ext-attributes@0.62.2 + com.vladsch.flexmark:flexmark-ext-autolink@0.62.2 + com.vladsch.flexmark:flexmark-ext-definition@0.62.2 + com.vladsch.flexmark:flexmark-ext-emoji@0.62.2 + com.vladsch.flexmark:flexmark-ext-enumerated-reference@0.62.2 + com.vladsch.flexmark:flexmark-ext-escaped-character@0.62.2 + com.vladsch.flexmark:flexmark-ext-footnotes@0.62.2 + com.vladsch.flexmark:flexmark-ext-gfm-issues@0.62.2 + com.vladsch.flexmark:flexmark-ext-gfm-strikethrough@0.62.2 + 
com.vladsch.flexmark:flexmark-ext-gfm-tasklist@0.62.2 + com.vladsch.flexmark:flexmark-ext-gfm-users@0.62.2 + com.vladsch.flexmark:flexmark-ext-gitlab@0.62.2 + com.vladsch.flexmark:flexmark-ext-jekyll-front-matter@0.62.2 + com.vladsch.flexmark:flexmark-ext-jekyll-tag@0.62.2 + com.vladsch.flexmark:flexmark-ext-media-tags@0.62.2 + com.vladsch.flexmark:flexmark-ext-macros@0.62.2 + com.vladsch.flexmark:flexmark-ext-ins@0.62.2 + com.vladsch.flexmark:flexmark-ext-xwiki-macros@0.62.2 + com.vladsch.flexmark:flexmark-ext-superscript@0.62.2 + com.vladsch.flexmark:flexmark-ext-tables@0.62.2 + com.vladsch.flexmark:flexmark-ext-toc@0.62.2 + com.vladsch.flexmark:flexmark-ext-typographic@0.62.2 + com.vladsch.flexmark:flexmark-ext-wikilink@0.62.2 + com.vladsch.flexmark:flexmark-ext-yaml-front-matter@0.62.2 + com.vladsch.flexmark:flexmark-ext-youtube-embedded@0.62.2 + com.vladsch.flexmark:flexmark-html2md-converter@0.62.2 + com.vladsch.flexmark:flexmark-jira-converter@0.62.2 + com.vladsch.flexmark:flexmark-pdf-converter@0.62.2 + com.vladsch.flexmark:flexmark-profile-pegdown@0.62.2 + com.vladsch.flexmark:flexmark-util-ast@0.62.2 + com.vladsch.flexmark:flexmark-util-builder@0.62.2 + com.vladsch.flexmark:flexmark-util-collection@0.62.2 + com.vladsch.flexmark:flexmark-util-data@0.62.2 + com.vladsch.flexmark:flexmark-util-dependency@0.62.2 + com.vladsch.flexmark:flexmark-util-format@0.62.2 + com.vladsch.flexmark:flexmark-util-html@0.62.2 + com.vladsch.flexmark:flexmark-util-misc@0.62.2 + com.vladsch.flexmark:flexmark-util-options@0.62.2 + com.vladsch.flexmark:flexmark-util-sequence@0.62.2 + com.vladsch.flexmark:flexmark-util-visitor@0.62.2 + com.vladsch.flexmark:flexmark-youtrack-converter@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-abbreviation@0.64.8 + com.vladsch.flexmark:flexmark-ext-admonition@0.64.8 + com.vladsch.flexmark:flexmark-ext-anchorlink@0.64.8 + com.vladsch.flexmark:flexmark-ext-aside@0.64.8 + 
com.vladsch.flexmark:flexmark-ext-attributes@0.64.8 + com.vladsch.flexmark:flexmark-ext-autolink@0.64.8 + com.vladsch.flexmark:flexmark-ext-definition@0.64.8 + com.vladsch.flexmark:flexmark-ext-emoji@0.64.8 + com.vladsch.flexmark:flexmark-ext-enumerated-reference@0.64.8 + com.vladsch.flexmark:flexmark-ext-escaped-character@0.64.8 + com.vladsch.flexmark:flexmark-ext-footnotes@0.64.8 + com.vladsch.flexmark:flexmark-ext-gfm-issues@0.64.8 + com.vladsch.flexmark:flexmark-ext-gfm-strikethrough@0.64.8 + com.vladsch.flexmark:flexmark-ext-gfm-tasklist@0.64.8 + com.vladsch.flexmark:flexmark-ext-gfm-users@0.64.8 + com.vladsch.flexmark:flexmark-ext-gitlab@0.64.8 + com.vladsch.flexmark:flexmark-ext-jekyll-front-matter@0.64.8 + com.vladsch.flexmark:flexmark-ext-jekyll-tag@0.64.8 + com.vladsch.flexmark:flexmark-ext-media-tags@0.64.8 + com.vladsch.flexmark:flexmark-ext-resizable-image@0.64.8 + com.vladsch.flexmark:flexmark-ext-macros@0.64.8 + com.vladsch.flexmark:flexmark-ext-ins@0.64.8 + com.vladsch.flexmark:flexmark-ext-xwiki-macros@0.64.8 + com.vladsch.flexmark:flexmark-ext-superscript@0.64.8 + com.vladsch.flexmark:flexmark-ext-tables@0.64.8 + com.vladsch.flexmark:flexmark-ext-toc@0.64.8 + com.vladsch.flexmark:flexmark-ext-typographic@0.64.8 + com.vladsch.flexmark:flexmark-ext-wikilink@0.64.8 + com.vladsch.flexmark:flexmark-ext-yaml-front-matter@0.64.8 + com.vladsch.flexmark:flexmark-ext-youtube-embedded@0.64.8 + com.vladsch.flexmark:flexmark-html2md-converter@0.64.8 + com.vladsch.flexmark:flexmark-jira-converter@0.64.8 + com.vladsch.flexmark:flexmark-pdf-converter@0.64.8 + com.vladsch.flexmark:flexmark-profile-pegdown@0.64.8 + com.vladsch.flexmark:flexmark-util-ast@0.64.8 + com.vladsch.flexmark:flexmark-util-builder@0.64.8 + com.vladsch.flexmark:flexmark-util-collection@0.64.8 + com.vladsch.flexmark:flexmark-util-data@0.64.8 + com.vladsch.flexmark:flexmark-util-dependency@0.64.8 + com.vladsch.flexmark:flexmark-util-format@0.64.8 + com.vladsch.flexmark:flexmark-util-html@0.64.8 
+ com.vladsch.flexmark:flexmark-util-misc@0.64.8 + com.vladsch.flexmark:flexmark-util-options@0.64.8 + com.vladsch.flexmark:flexmark-util-sequence@0.64.8 + com.vladsch.flexmark:flexmark-util-visitor@0.64.8 + com.vladsch.flexmark:flexmark-youtrack-converter@0.64.8 + com.vladsch.flexmark:flexmark-ext-abbreviation + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark-ext-autolink@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark-ext-autolink@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark-ext-autolink@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-admonition + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-anchorlink + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-aside + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-jira-converter@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + com.vladsch.flexmark:flexmark-jira-converter@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + 
com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-jira-converter@0.64.8 + com.vladsch.flexmark:flexmark-ext-attributes + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-autolink + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + org.nibor.autolink:autolink@0.6.0 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + org.nibor.autolink:autolink@0.6.0 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + org.nibor.autolink:autolink@0.6.0 + com.vladsch.flexmark:flexmark-ext-definition + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-emoji + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-jira-converter@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + com.vladsch.flexmark:flexmark-jira-converter@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-jira-converter@0.64.8 + com.vladsch.flexmark:flexmark-ext-enumerated-reference + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + 
com.vladsch.flexmark:flexmark-formatter@0.50.40 + com.vladsch.flexmark:flexmark-ext-attributes@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + com.vladsch.flexmark:flexmark-ext-attributes@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-attributes@0.64.8 + com.vladsch.flexmark:flexmark-ext-escaped-character + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-footnotes + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-gfm-issues + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-gfm-strikethrough + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-gfm-tables + 0.50.40 + 
com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + com.vladsch.flexmark:flexmark-ext-gfm-tasklist + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-gfm-users + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-gitlab + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-ins + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-jekyll-front-matter + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-ext-yaml-front-matter@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 
com.vladsch.flexmark:flexmark-ext-yaml-front-matter@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-yaml-front-matter@0.64.8 + com.vladsch.flexmark:flexmark-ext-jekyll-tag + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-macros + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-ext-gitlab@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + com.vladsch.flexmark:flexmark-ext-gitlab@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-gitlab@0.64.8 + com.vladsch.flexmark:flexmark-ext-media-tags + 0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-resizable-image + 0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-superscript + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-tables + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + 
com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-toc + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-typographic + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-wikilink + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-xwiki-macros + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-yaml-front-matter + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-formatter@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + 
com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-youtube-embedded + 0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-formatter + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-html-parser + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-ext-emoji@0.50.40 + org.jsoup:jsoup@1.11.3 + com.vladsch.flexmark:flexmark-html2md-converter + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-ext-emoji@0.50.40 + org.jsoup:jsoup@1.11.3 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + com.vladsch.flexmark:flexmark-ext-emoji@0.62.2 + org.jsoup:jsoup@1.11.3 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-emoji@0.64.8 + org.jsoup:jsoup@1.15.4 + com.vladsch.flexmark:flexmark-java + 0.50.40 + 0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-jira-converter + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark-ext-gfm-strikethrough@0.50.40 + com.vladsch.flexmark:flexmark-ext-tables@0.50.40 + com.vladsch.flexmark:flexmark-ext-wikilink@0.50.40 + com.vladsch.flexmark:flexmark-ext-ins@0.50.40 + com.vladsch.flexmark:flexmark-ext-superscript@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark-ext-gfm-strikethrough@0.62.2 + com.vladsch.flexmark:flexmark-ext-tables@0.62.2 + com.vladsch.flexmark:flexmark-ext-wikilink@0.62.2 + com.vladsch.flexmark:flexmark-ext-ins@0.62.2 + com.vladsch.flexmark:flexmark-ext-superscript@0.62.2 + 
com.vladsch.flexmark:flexmark@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark-ext-gfm-strikethrough@0.64.8 + com.vladsch.flexmark:flexmark-ext-tables@0.64.8 + com.vladsch.flexmark:flexmark-ext-wikilink@0.64.8 + com.vladsch.flexmark:flexmark-ext-ins@0.64.8 + com.vladsch.flexmark:flexmark-ext-superscript@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-pdf-converter + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + org.jsoup:jsoup@1.11.3 + com.openhtmltopdf:openhtmltopdf-core@1.0.0 + com.openhtmltopdf:openhtmltopdf-pdfbox@1.0.0 + com.openhtmltopdf:openhtmltopdf-rtl-support@1.0.0 + com.openhtmltopdf:openhtmltopdf-jsoup-dom-converter@1.0.0 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + org.jsoup:jsoup@1.11.3 + com.openhtmltopdf:openhtmltopdf-core@1.0.0 + com.openhtmltopdf:openhtmltopdf-pdfbox@1.0.0 + com.openhtmltopdf:openhtmltopdf-rtl-support@1.0.0 + com.openhtmltopdf:openhtmltopdf-jsoup-dom-converter@1.0.0 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + org.jsoup:jsoup@1.15.4 + com.ibm.icu:icu4j@72.1 + com.openhtmltopdf:openhtmltopdf-core@1.0.10 + com.openhtmltopdf:openhtmltopdf-pdfbox@1.0.10 + MavenExclusions com.ibm.icu:icu4j|com.openhtmltopdf:openhtmltopdf-rtl-support@1.0.10 + com.vladsch.flexmark:flexmark-profile-pegdown + 0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-ext-abbreviation@0.50.40 + com.vladsch.flexmark:flexmark-ext-anchorlink@0.50.40 + com.vladsch.flexmark:flexmark-ext-aside@0.50.40 + com.vladsch.flexmark:flexmark-ext-autolink@0.50.40 + com.vladsch.flexmark:flexmark-ext-definition@0.50.40 + com.vladsch.flexmark:flexmark-ext-emoji@0.50.40 + com.vladsch.flexmark:flexmark-ext-escaped-character@0.50.40 + com.vladsch.flexmark:flexmark-ext-footnotes@0.50.40 + 
com.vladsch.flexmark:flexmark-ext-gfm-strikethrough@0.50.40 + com.vladsch.flexmark:flexmark-ext-gfm-tasklist@0.50.40 + com.vladsch.flexmark:flexmark-ext-ins@0.50.40 + com.vladsch.flexmark:flexmark-ext-jekyll-front-matter@0.50.40 + com.vladsch.flexmark:flexmark-ext-superscript@0.50.40 + com.vladsch.flexmark:flexmark-ext-tables@0.50.40 + com.vladsch.flexmark:flexmark-ext-toc@0.50.40 + com.vladsch.flexmark:flexmark-ext-typographic@0.50.40 + com.vladsch.flexmark:flexmark-ext-wikilink@0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + com.vladsch.flexmark:flexmark-ext-abbreviation@0.62.2 + com.vladsch.flexmark:flexmark-ext-anchorlink@0.62.2 + com.vladsch.flexmark:flexmark-ext-aside@0.62.2 + com.vladsch.flexmark:flexmark-ext-autolink@0.62.2 + com.vladsch.flexmark:flexmark-ext-definition@0.62.2 + com.vladsch.flexmark:flexmark-ext-emoji@0.62.2 + com.vladsch.flexmark:flexmark-ext-escaped-character@0.62.2 + com.vladsch.flexmark:flexmark-ext-footnotes@0.62.2 + com.vladsch.flexmark:flexmark-ext-gfm-strikethrough@0.62.2 + com.vladsch.flexmark:flexmark-ext-gfm-tasklist@0.62.2 + com.vladsch.flexmark:flexmark-ext-ins@0.62.2 + com.vladsch.flexmark:flexmark-ext-jekyll-front-matter@0.62.2 + com.vladsch.flexmark:flexmark-ext-superscript@0.62.2 + com.vladsch.flexmark:flexmark-ext-tables@0.62.2 + com.vladsch.flexmark:flexmark-ext-toc@0.62.2 + com.vladsch.flexmark:flexmark-ext-typographic@0.62.2 + com.vladsch.flexmark:flexmark-ext-wikilink@0.62.2 + com.vladsch.flexmark:flexmark-util-ast@0.62.2 + com.vladsch.flexmark:flexmark-util-data@0.62.2 + com.vladsch.flexmark:flexmark-util-misc@0.62.2 + com.vladsch.flexmark:flexmark-util-sequence@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-abbreviation@0.64.8 + com.vladsch.flexmark:flexmark-ext-anchorlink@0.64.8 + com.vladsch.flexmark:flexmark-ext-aside@0.64.8 + com.vladsch.flexmark:flexmark-ext-autolink@0.64.8 + 
com.vladsch.flexmark:flexmark-ext-definition@0.64.8 + com.vladsch.flexmark:flexmark-ext-emoji@0.64.8 + com.vladsch.flexmark:flexmark-ext-escaped-character@0.64.8 + com.vladsch.flexmark:flexmark-ext-footnotes@0.64.8 + com.vladsch.flexmark:flexmark-ext-gfm-strikethrough@0.64.8 + com.vladsch.flexmark:flexmark-ext-gfm-tasklist@0.64.8 + com.vladsch.flexmark:flexmark-ext-ins@0.64.8 + com.vladsch.flexmark:flexmark-ext-jekyll-front-matter@0.64.8 + com.vladsch.flexmark:flexmark-ext-superscript@0.64.8 + com.vladsch.flexmark:flexmark-ext-tables@0.64.8 + com.vladsch.flexmark:flexmark-ext-toc@0.64.8 + com.vladsch.flexmark:flexmark-ext-typographic@0.64.8 + com.vladsch.flexmark:flexmark-ext-wikilink@0.64.8 + com.vladsch.flexmark:flexmark-util-ast@0.64.8 + com.vladsch.flexmark:flexmark-util-data@0.64.8 + com.vladsch.flexmark:flexmark-util-misc@0.64.8 + com.vladsch.flexmark:flexmark-util-sequence@0.64.8 + com.vladsch.flexmark:flexmark-util + 0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util-ast@0.62.2 + com.vladsch.flexmark:flexmark-util-builder@0.62.2 + com.vladsch.flexmark:flexmark-util-collection@0.62.2 + com.vladsch.flexmark:flexmark-util-data@0.62.2 + com.vladsch.flexmark:flexmark-util-dependency@0.62.2 + com.vladsch.flexmark:flexmark-util-format@0.62.2 + com.vladsch.flexmark:flexmark-util-html@0.62.2 + com.vladsch.flexmark:flexmark-util-misc@0.62.2 + com.vladsch.flexmark:flexmark-util-options@0.62.2 + com.vladsch.flexmark:flexmark-util-sequence@0.62.2 + com.vladsch.flexmark:flexmark-util-visitor@0.62.2 + org.jetbrains:annotations@15.0 + 0.64.8 + com.vladsch.flexmark:flexmark-util-ast@0.64.8 + com.vladsch.flexmark:flexmark-util-builder@0.64.8 + com.vladsch.flexmark:flexmark-util-collection@0.64.8 + com.vladsch.flexmark:flexmark-util-data@0.64.8 + com.vladsch.flexmark:flexmark-util-dependency@0.64.8 + com.vladsch.flexmark:flexmark-util-format@0.64.8 + com.vladsch.flexmark:flexmark-util-html@0.64.8 + com.vladsch.flexmark:flexmark-util-misc@0.64.8 + 
com.vladsch.flexmark:flexmark-util-options@0.64.8 + com.vladsch.flexmark:flexmark-util-sequence@0.64.8 + com.vladsch.flexmark:flexmark-util-visitor@0.64.8 + org.jetbrains:annotations@24.0.1 + com.vladsch.flexmark:flexmark-util-ast + 0.62.2 + com.vladsch.flexmark:flexmark-util-collection@0.62.2 + com.vladsch.flexmark:flexmark-util-misc@0.62.2 + com.vladsch.flexmark:flexmark-util-data@0.62.2 + com.vladsch.flexmark:flexmark-util-sequence@0.62.2 + com.vladsch.flexmark:flexmark-util-visitor@0.62.2 + org.jetbrains:annotations@15.0 + 0.64.8 + com.vladsch.flexmark:flexmark-util-collection@0.64.8 + com.vladsch.flexmark:flexmark-util-misc@0.64.8 + com.vladsch.flexmark:flexmark-util-data@0.64.8 + com.vladsch.flexmark:flexmark-util-sequence@0.64.8 + com.vladsch.flexmark:flexmark-util-visitor@0.64.8 + org.jetbrains:annotations@24.0.1 + com.vladsch.flexmark:flexmark-util-builder + 0.62.2 + com.vladsch.flexmark:flexmark-util-misc@0.62.2 + com.vladsch.flexmark:flexmark-util-data@0.62.2 + org.jetbrains:annotations@15.0 + 0.64.8 + com.vladsch.flexmark:flexmark-util-misc@0.64.8 + com.vladsch.flexmark:flexmark-util-data@0.64.8 + org.jetbrains:annotations@24.0.1 + com.vladsch.flexmark:flexmark-util-collection + 0.62.2 + com.vladsch.flexmark:flexmark-util-misc@0.62.2 + org.jetbrains:annotations@15.0 + 0.64.8 + com.vladsch.flexmark:flexmark-util-misc@0.64.8 + org.jetbrains:annotations@24.0.1 + com.vladsch.flexmark:flexmark-util-data + 0.62.2 + com.vladsch.flexmark:flexmark-util-misc@0.62.2 + org.jetbrains:annotations@15.0 + 0.64.8 + com.vladsch.flexmark:flexmark-util-misc@0.64.8 + org.jetbrains:annotations@24.0.1 + com.vladsch.flexmark:flexmark-util-dependency + 0.62.2 + com.vladsch.flexmark:flexmark-util-collection@0.62.2 + com.vladsch.flexmark:flexmark-util-misc@0.62.2 + com.vladsch.flexmark:flexmark-util-data@0.62.2 + org.jetbrains:annotations@15.0 + 0.64.8 + com.vladsch.flexmark:flexmark-util-collection@0.64.8 + com.vladsch.flexmark:flexmark-util-misc@0.64.8 + 
com.vladsch.flexmark:flexmark-util-data@0.64.8 + org.jetbrains:annotations@24.0.1 + com.vladsch.flexmark:flexmark-util-format + 0.62.2 + com.vladsch.flexmark:flexmark-util-ast@0.62.2 + com.vladsch.flexmark:flexmark-util-collection@0.62.2 + com.vladsch.flexmark:flexmark-util-data@0.62.2 + com.vladsch.flexmark:flexmark-util-html@0.62.2 + com.vladsch.flexmark:flexmark-util-misc@0.62.2 + com.vladsch.flexmark:flexmark-util-sequence@0.62.2 + org.jetbrains:annotations@15.0 + 0.64.8 + com.vladsch.flexmark:flexmark-util-ast@0.64.8 + com.vladsch.flexmark:flexmark-util-collection@0.64.8 + com.vladsch.flexmark:flexmark-util-data@0.64.8 + com.vladsch.flexmark:flexmark-util-html@0.64.8 + com.vladsch.flexmark:flexmark-util-misc@0.64.8 + com.vladsch.flexmark:flexmark-util-sequence@0.64.8 + org.jetbrains:annotations@24.0.1 + com.vladsch.flexmark:flexmark-util-html + 0.62.2 + com.vladsch.flexmark:flexmark-util-misc@0.62.2 + com.vladsch.flexmark:flexmark-util-sequence@0.62.2 + org.jetbrains:annotations@15.0 + 0.64.8 + com.vladsch.flexmark:flexmark-util-misc@0.64.8 + com.vladsch.flexmark:flexmark-util-sequence@0.64.8 + org.jetbrains:annotations@24.0.1 + com.vladsch.flexmark:flexmark-util-misc + 0.62.2 + org.jetbrains:annotations@15.0 + 0.64.8 + org.jetbrains:annotations@24.0.1 + com.vladsch.flexmark:flexmark-util-options + 0.62.2 + com.vladsch.flexmark:flexmark-util-misc@0.62.2 + com.vladsch.flexmark:flexmark-util-sequence@0.62.2 + org.jetbrains:annotations@15.0 + 0.64.8 + com.vladsch.flexmark:flexmark-util-misc@0.64.8 + com.vladsch.flexmark:flexmark-util-sequence@0.64.8 + org.jetbrains:annotations@24.0.1 + com.vladsch.flexmark:flexmark-util-sequence + 0.62.2 + com.vladsch.flexmark:flexmark-util-collection@0.62.2 + com.vladsch.flexmark:flexmark-util-data@0.62.2 + com.vladsch.flexmark:flexmark-util-misc@0.62.2 + org.jetbrains:annotations@15.0 + 0.64.8 + com.vladsch.flexmark:flexmark-util-collection@0.64.8 + com.vladsch.flexmark:flexmark-util-data@0.64.8 + 
com.vladsch.flexmark:flexmark-util-misc@0.64.8 + org.jetbrains:annotations@24.0.1 + com.vladsch.flexmark:flexmark-util-visitor + 0.62.2 + org.jetbrains:annotations@15.0 + 0.64.8 + org.jetbrains:annotations@24.0.1 + com.vladsch.flexmark:flexmark-youtrack-converter + 0.50.40 + com.vladsch.flexmark:flexmark-util@0.50.40 + com.vladsch.flexmark:flexmark@0.50.40 + com.vladsch.flexmark:flexmark-ext-gfm-strikethrough@0.50.40 + com.vladsch.flexmark:flexmark-ext-tables@0.50.40 + 0.62.2 + com.vladsch.flexmark:flexmark-util@0.62.2 + com.vladsch.flexmark:flexmark@0.62.2 + com.vladsch.flexmark:flexmark-ext-gfm-strikethrough@0.62.2 + com.vladsch.flexmark:flexmark-ext-tables@0.62.2 + 0.64.8 + com.vladsch.flexmark:flexmark-util@0.64.8 + com.vladsch.flexmark:flexmark@0.64.8 + com.vladsch.flexmark:flexmark-ext-gfm-strikethrough@0.64.8 + com.vladsch.flexmark:flexmark-ext-tables@0.64.8 + com.zaxxer:HikariCP + 4.0.3 + org.slf4j:slf4j-api@1.7.30 + Opt|org.javassist:javassist@3.27.0-GA + Opt|io.micrometer:micrometer-core@1.5.10 + Opt Scope provided MavenExclusions org.jboss.logging:jboss-logging,org.jboss.logging:jboss-logging-annotations|org.hibernate:hibernate-core@5.4.16.Final + Opt Scope provided|io.dropwizard.metrics:metrics-core@3.2.5 + Opt Scope provided|io.dropwizard.metrics:metrics-healthchecks@3.2.5 + Opt Scope provided|io.prometheus:simpleclient@0.9.0 + 5.0.1 + org.slf4j:slf4j-api@1.7.30 + Opt|org.javassist:javassist@3.27.0-GA + Opt|io.micrometer:micrometer-core@1.5.10 + Opt Scope provided MavenExclusions org.jboss.logging:jboss-logging,org.jboss.logging:jboss-logging-annotations|org.hibernate:hibernate-core@5.4.16.Final + Opt Scope provided|io.dropwizard.metrics:metrics-core@3.2.5 + Opt Scope provided|io.dropwizard.metrics:metrics-healthchecks@3.2.5 + Opt Scope provided|io.prometheus:simpleclient@0.9.0 + com.zaxxer:HikariCP-java7 + 2.4.13 + org.slf4j:slf4j-api@1.7.21 + Opt|org.javassist:javassist@3.20.0-GA + Opt Scope provided MavenExclusions 
org.jboss.logging:jboss-logging,org.jboss.logging:jboss-logging-annotations|org.hibernate:hibernate-core@5.0.9.Final + Opt Scope provided|io.dropwizard.metrics:metrics-core@3.1.2 + Opt Scope provided|io.dropwizard.metrics:metrics-healthchecks@3.1.2 + Opt Scope provided|io.prometheus:simpleclient@0.0.16 + commons-beanutils:commons-beanutils + 1.9.4 + commons-logging:commons-logging@1.2 + commons-collections:commons-collections@3.2.2 + 20030211.134440 + commons-cli:commons-cli + 1.4 + 1.5.0 + 20040117.000000 + commons-codec:commons-codec + 1.9 + 1.11 + 1.14 + 1.15 + 1.16.0 + 20041127.091804 + junit:junit@3.8.1 + commons-collections:commons-collections + 3.2.2 + commons-configuration:commons-configuration + 1.9 + Opt|commons-collections:commons-collections@3.2.1 + commons-lang:commons-lang@2.6 + MavenExclusions logkit:logkit,avalon-framework:avalon-framework|commons-logging:commons-logging@1.1.1 + Opt|commons-digester:commons-digester@1.8.1 + Opt|commons-beanutils:commons-beanutils@1.8.3 + Opt|commons-codec:commons-codec@1.6 + Opt|org.apache.commons:commons-jexl@2.1.1 + Opt|org.apache.commons:commons-vfs2@2.0 + Opt MavenExclusions xerces:xerces,ant:ant-optional|commons-jxpath:commons-jxpath@1.3 + Opt|xml-resolver:xml-resolver@1.2 + Scope provided|javax.servlet:servlet-api@2.4 + Scope provided|xml-apis:xml-apis@1.0.b2 + Opt|log4j:log4j@1.2.8 + commons-daemon:commons-daemon + 1.0.13 + commons-httpclient:commons-httpclient + 3.1 + commons-logging:commons-logging@1.0.4 + commons-codec:commons-codec@1.2 + commons-io:commons-io + 2.6 + 2.7 + 2.14.0 + 20030203.000550 + commons-lang:commons-lang + 2.6 + 20030203.000129 + commons-logging:commons-logging + 1.1.1 + Opt|log4j:log4j@1.2.12 + Opt|logkit:logkit@1.0.1 + Opt|avalon-framework:avalon-framework@4.1.3 + Opt Scope provided|javax.servlet:servlet-api@2.3 + 1.2 + Opt|log4j:log4j@1.2.17 + Opt|logkit:logkit@1.0.1 + Opt|avalon-framework:avalon-framework@4.1.5 + Opt Scope provided|javax.servlet:servlet-api@2.3 + 
commons-net:commons-net + 3.1 + 3.6 + 3.9.0 + de.rototor.pdfbox:graphics2d + 0.24 + org.apache.pdfbox:pdfbox@2.0.16 + 0.32 + org.apache.pdfbox:pdfbox@2.0.24 + de.rototor.pdfbox:pdfboxgraphics2d-parent + 0.32 + org.apache.pdfbox:pdfbox@2.0.24 + de.ruedigermoeller:fst + 2.50 + com.fasterxml.jackson.core:jackson-core@2.8.8 + org.javassist:javassist@3.21.0-GA + org.objenesis:objenesis@2.5.1 + dev.failsafe:failsafe + 3.3.1 + dev.failsafe:failsafe-parent + 3.3.1 + dnsjava:dnsjava + 3.4.0 + org.slf4j:slf4j-api@1.7.30 + Scope provided|org.projectlombok:lombok@1.18.10 + Scope provided|org.robolectric:android-all@10-robolectric-5803371 + Opt|net.java.dev.jna:jna@5.6.0 + Opt|net.java.dev.jna:jna-platform@5.6.0 + Opt|org.bouncycastle:bcprov-jdk15on@1.68 + dom4j:dom4j + 1.6.1 + Opt|jaxme:jaxme-api@0.3 + Opt|jaxen:jaxen@1.1-beta-6 + Opt|msv:xsdlib@20030807 + Opt|msv:relaxngDatatype@20030807 + Opt|pull-parser:pull-parser@2 + Opt|xpp3:xpp3@1.1.3.3 + Opt|stax:stax-api@1.0 + xml-apis:xml-apis@1.0.b2 + findbugs:annotations + 1.0.0 + io.atomix:atomix + 3.0.0-rc4 + io.atomix:atomix-cluster@3.0.0-rc4 + io.atomix:atomix-primitive@3.0.0-rc4 + Opt|io.atomix:atomix-gossip@3.0.0-rc4 + Opt|io.atomix:atomix-raft@3.0.0-rc4 + Opt|io.atomix:atomix-primary-backup@3.0.0-rc4 + io.atomix:atomix-utils@3.0.0-rc4 + Opt|javax.ws.rs:javax.ws.rs-api@2.0 + org.slf4j:slf4j-api@1.7.7 + org.hamcrest:hamcrest-all@1.3 + 3.0.0-rc5 + io.atomix:atomix-cluster@3.0.0-rc5 + io.atomix:atomix-primitive@3.0.0-rc5 + Opt|io.atomix:atomix-gossip@3.0.0-rc5 + Opt|io.atomix:atomix-raft@3.0.0-rc5 + Opt|io.atomix:atomix-primary-backup@3.0.0-rc5 + io.atomix:atomix-utils@3.0.0-rc5 + Opt|javax.ws.rs:javax.ws.rs-api@2.0 + org.slf4j:slf4j-api@1.7.7 + 3.1.6 + io.atomix:atomix-cluster@3.1.6 + io.atomix:atomix-primitive@3.1.6 + Opt|io.atomix:atomix-gossip@3.1.6 + Opt|io.atomix:atomix-raft@3.1.6 + Opt|io.atomix:atomix-primary-backup@3.1.6 + Opt|io.atomix:atomix-log@3.1.6 + io.atomix:atomix-utils@3.1.6 + org.slf4j:slf4j-api@1.7.7 + 
io.atomix:atomix-cluster + 3.0.0-rc4 + io.atomix:atomix-utils@3.0.0-rc4 + io.netty:netty-transport@4.1.27.Final + io.netty:netty-codec@4.1.27.Final + io.netty:netty-handler@4.1.27.Final + MavenClassifier linux-x86_64|io.netty:netty-transport-native-epoll@4.1.27.Final + org.slf4j:slf4j-api@1.7.7 + org.hamcrest:hamcrest-all@1.3 + 3.0.0-rc5 + io.atomix:atomix-utils@3.0.0-rc5 + io.netty:netty-transport@4.1.27.Final + io.netty:netty-codec@4.1.27.Final + io.netty:netty-handler@4.1.27.Final + MavenClassifier linux-x86_64|io.netty:netty-transport-native-epoll@4.1.27.Final + org.slf4j:slf4j-api@1.7.7 + 3.1.6 + io.atomix:atomix-utils@3.1.6 + io.netty:netty-transport@4.1.27.Final + io.netty:netty-codec@4.1.27.Final + io.netty:netty-handler@4.1.27.Final + MavenClassifier linux-x86_64|io.netty:netty-transport-native-epoll@4.1.27.Final + org.slf4j:slf4j-api@1.7.7 + io.atomix:atomix-parent + 3.0.0-rc4 + org.slf4j:slf4j-api@1.7.7 + org.hamcrest:hamcrest-all@1.3 + 3.0.0-rc5 + org.slf4j:slf4j-api@1.7.7 + 3.1.6 + org.slf4j:slf4j-api@1.7.7 + io.atomix:atomix-primary-backup + 3.0.0-rc4 + io.atomix:atomix-primitive@3.0.0-rc4 + io.atomix:atomix-utils@3.0.0-rc4 + org.slf4j:slf4j-api@1.7.7 + org.hamcrest:hamcrest-all@1.3 + 3.0.0-rc5 + io.atomix:atomix-primitive@3.0.0-rc5 + io.atomix:atomix-utils@3.0.0-rc5 + org.slf4j:slf4j-api@1.7.7 + io.atomix:atomix-primitive + 3.0.0-rc4 + io.atomix:atomix-cluster@3.0.0-rc4 + io.atomix:atomix-storage@3.0.0-rc4 + io.atomix:atomix-utils@3.0.0-rc4 + org.slf4j:slf4j-api@1.7.7 + org.hamcrest:hamcrest-all@1.3 + 3.0.0-rc5 + io.atomix:atomix-cluster@3.0.0-rc5 + io.atomix:atomix-storage@3.0.0-rc5 + io.atomix:atomix-utils@3.0.0-rc5 + org.slf4j:slf4j-api@1.7.7 + 3.1.6 + io.atomix:atomix-cluster@3.1.6 + io.atomix:atomix-storage@3.1.6 + io.atomix:atomix-utils@3.1.6 + org.slf4j:slf4j-api@1.7.7 + io.atomix:atomix-protocols-parent + 3.0.0-rc4 + org.slf4j:slf4j-api@1.7.7 + org.hamcrest:hamcrest-all@1.3 + 3.0.0-rc5 + org.slf4j:slf4j-api@1.7.7 + io.atomix:atomix-raft + 
3.0.0-rc4 + io.atomix:atomix-primitive@3.0.0-rc4 + org.slf4j:slf4j-api@1.7.7 + org.hamcrest:hamcrest-all@1.3 + 3.0.0-rc5 + io.atomix:atomix-primitive@3.0.0-rc5 + org.slf4j:slf4j-api@1.7.7 + io.atomix:atomix-storage + 3.0.0-rc4 + io.atomix:atomix-utils@3.0.0-rc4 + org.slf4j:slf4j-api@1.7.7 + org.hamcrest:hamcrest-all@1.3 + 3.0.0-rc5 + io.atomix:atomix-utils@3.0.0-rc5 + org.slf4j:slf4j-api@1.7.7 + 3.1.6 + io.atomix:atomix-utils@3.1.6 + org.slf4j:slf4j-api@1.7.7 + io.atomix:atomix-utils + 3.0.0-rc4 + com.google.guava:guava@22.0 + org.apache.commons:commons-lang3@3.7 + org.apache.commons:commons-math3@3.6.1 + com.esotericsoftware:kryo@4.0.2 + com.typesafe:config@1.3.2 + io.github.lukehutch:fast-classpath-scanner@2.21 + org.slf4j:slf4j-api@1.7.7 + org.hamcrest:hamcrest-all@1.3 + 3.0.0-rc5 + com.google.guava:guava@22.0 + org.apache.commons:commons-lang3@3.7 + org.apache.commons:commons-math3@3.6.1 + com.esotericsoftware:kryo@4.0.2 + com.typesafe:config@1.3.2 + io.github.lukehutch:fast-classpath-scanner@2.21 + org.slf4j:slf4j-api@1.7.7 + 3.1.6 + com.google.guava:guava@22.0 + org.apache.commons:commons-lang3@3.7 + org.apache.commons:commons-math3@3.6.1 + com.esotericsoftware:kryo@4.0.2 + com.typesafe:config@1.3.2 + io.github.classgraph:classgraph@4.2.3 + org.slf4j:slf4j-api@1.7.7 + io.dropwizard.metrics:metrics-bom + 4.1.14 + org.slf4j:slf4j-api@1.7.30 + 4.2.9 + 4.2.17 + io.dropwizard.metrics:metrics-core + 3.2.4 + org.slf4j:slf4j-api@1.7.22 + 4.1.14 + org.slf4j:slf4j-api@1.7.30 + 4.2.9 + org.slf4j:slf4j-api@1.7.36 + 4.2.17 + org.slf4j:slf4j-api@1.7.36 + io.dropwizard.metrics:metrics-healthchecks + 4.1.14 + Opt|io.dropwizard.metrics:metrics-jvm@4.1.14 + org.slf4j:slf4j-api@1.7.30 + 4.2.9 + io.dropwizard.metrics:metrics-core@4.2.9 + Opt|io.dropwizard.metrics:metrics-jvm@4.2.9 + org.slf4j:slf4j-api@1.7.36 + io.dropwizard.metrics:metrics-jmx + 4.1.14 + io.dropwizard.metrics:metrics-core@4.1.14 + org.slf4j:slf4j-api@1.7.30 + 4.2.9 + io.dropwizard.metrics:metrics-core@4.2.9 + 
org.slf4j:slf4j-api@1.7.36 + 4.2.17 + io.dropwizard.metrics:metrics-core@4.2.17 + org.slf4j:slf4j-api@1.7.36 + io.dropwizard.metrics:metrics-json + 4.1.14 + io.dropwizard.metrics:metrics-core@4.1.14 + Opt|io.dropwizard.metrics:metrics-healthchecks@4.1.14 + com.fasterxml.jackson.core:jackson-databind@2.9.10.5 + org.slf4j:slf4j-api@1.7.30 + 4.2.9 + io.dropwizard.metrics:metrics-core@4.2.9 + Opt|io.dropwizard.metrics:metrics-healthchecks@4.2.9 + com.fasterxml.jackson.core:jackson-core@2.12.6 + com.fasterxml.jackson.core:jackson-databind@2.12.6 + io.dropwizard.metrics:metrics-jvm + 4.1.14 + io.dropwizard.metrics:metrics-core@4.1.14 + org.slf4j:slf4j-api@1.7.30 + 4.2.9 + io.dropwizard.metrics:metrics-core@4.2.9 + org.slf4j:slf4j-api@1.7.36 + io.dropwizard.metrics:metrics-parent + 3.2.4 + org.slf4j:slf4j-api@1.7.22 + 4.1.14 + org.slf4j:slf4j-api@1.7.30 + 4.2.9 + 4.2.17 + io.dropwizard.metrics:metrics-servlets + 4.1.14 + io.dropwizard.metrics:metrics-core@4.1.14 + io.dropwizard.metrics:metrics-healthchecks@4.1.14 + io.dropwizard.metrics:metrics-json@4.1.14 + io.dropwizard.metrics:metrics-jvm@4.1.14 + com.helger:profiler@1.1.1 + Scope provided|javax.servlet:javax.servlet-api@3.1.0 + com.fasterxml.jackson.core:jackson-databind@2.9.10.5 + org.slf4j:slf4j-api@1.7.30 + 4.2.9 + io.dropwizard.metrics:metrics-core@4.2.9 + io.dropwizard.metrics:metrics-healthchecks@4.2.9 + io.dropwizard.metrics:metrics-json@4.2.9 + io.dropwizard.metrics:metrics-jvm@4.2.9 + com.helger:profiler@1.1.1 + Scope provided|javax.servlet:javax.servlet-api@3.1.0 + com.fasterxml.jackson.core:jackson-databind@2.12.6 + io.github.classgraph:classgraph + 4.2.3 + 4.8.112 + Scope provided|org.eclipse.jdt:org.eclipse.jdt.annotation@2.2.600 + io.github.lukehutch:fast-classpath-scanner + 2.21 + io.micrometer:micrometer-core + 1.6.0 + org.hdrhistogram:HdrHistogram@2.1.12 + Scope runtime MavenExclusions org.hdrhistogram:HdrHistogram|org.latencyutils:LatencyUtils@2.0.3 + Opt|com.google.code.findbugs:jsr305@3.0.2 + 
Opt|io.dropwizard.metrics:metrics-core@4.0.7 + Opt|com.google.guava:guava@30.0-jre + Opt|com.github.ben-manes.caffeine:caffeine@2.8.6 + Opt|net.sf.ehcache:ehcache@2.10.6 + Opt|javax.cache:cache-api@1.1.1 + Opt|com.hazelcast:hazelcast@4.1-BETA-1 + Opt|org.hibernate:hibernate-entitymanager@5.4.22.Final + Opt|org.eclipse.jetty:jetty-server@9.4.33.v20201020 + Opt|org.eclipse.jetty:jetty-client@9.4.33.v20201020 + Opt|org.apache.tomcat.embed:tomcat-embed-core@8.5.59 + Opt|org.apache.httpcomponents:httpclient@4.5.13 + Opt|org.apache.httpcomponents:httpasyncclient@4.1.4 + Opt|com.netflix.hystrix:hystrix-core@1.5.12 + Opt|ch.qos.logback:logback-classic@1.2.3 + Opt|org.apache.logging.log4j:log4j-core@2.13.3 + Opt|io.projectreactor:reactor-core@3.3.11.RELEASE + Opt|io.projectreactor.netty:reactor-netty@0.9.13.RELEASE + Opt|org.aspectj:aspectjweaver@1.8.14 + Opt|com.squareup.okhttp3:okhttp@4.10.0-RC1 + Opt|org.mongodb:mongo-java-driver@3.12.7 + Opt|org.jooq:jooq@3.13.6 + Opt|org.apache.kafka:kafka-clients@2.6.0 + Opt|org.apache.kafka:kafka-streams@2.6.0 + 1.9.9 + org.hdrhistogram:HdrHistogram@2.1.12 + Scope runtime MavenExclusions org.hdrhistogram:HdrHistogram|org.latencyutils:LatencyUtils@2.0.3 + Opt|com.google.code.findbugs:jsr305@3.0.2 + Opt|org.aspectj:aspectjweaver@1.8.14 + Opt|io.dropwizard.metrics:metrics-core@4.2.17 + Opt|com.google.guava:guava@31.1-jre + Opt|com.github.ben-manes.caffeine:caffeine@2.9.3 + Opt|net.sf.ehcache:ehcache@2.10.9.2 + Opt|javax.cache:cache-api@1.1.1 + Opt|com.hazelcast:hazelcast@5.1.1 + Opt|org.hibernate:hibernate-entitymanager@5.6.8.Final + Opt|org.eclipse.jetty:jetty-server@9.4.46.v20220331 + Opt|org.eclipse.jetty:jetty-client@9.4.48.v20220622 + Opt|org.apache.tomcat.embed:tomcat-embed-core@8.5.78 + Opt|org.glassfish.jersey.core:jersey-server@2.37 + Opt|io.grpc:grpc-api@1.45.1 + Opt|org.apache.httpcomponents:httpclient@4.5.13 + Opt|org.apache.httpcomponents:httpasyncclient@4.1.5 + Opt|com.netflix.hystrix:hystrix-core@1.5.12 + 
Opt|ch.qos.logback:logback-classic@1.2.11 + Opt|org.apache.logging.log4j:log4j-core@2.17.2 + Opt|com.squareup.okhttp3:okhttp@5.0.0-alpha.6 + Opt|org.mongodb:mongodb-driver-sync@4.6.0-alpha0 + Opt|org.jooq:jooq@3.14.15 + Opt|org.apache.kafka:kafka-clients@2.8.1 + Opt|org.apache.kafka:kafka-streams@2.8.1 + io.micrometer:micrometer-registry-jmx + 1.6.0 + io.micrometer:micrometer-core@1.6.0 + io.dropwizard.metrics:metrics-jmx@4.0.7 + Opt|com.google.code.findbugs:jsr305@3.0.2 + 1.9.9 + io.micrometer:micrometer-core@1.9.9 + io.dropwizard.metrics:metrics-jmx@4.2.17 + Opt|com.google.code.findbugs:jsr305@3.0.2 + io.micrometer:micrometer-registry-prometheus + 1.6.0 + io.micrometer:micrometer-core@1.6.0 + io.prometheus:simpleclient_common@0.9.0 + Opt|com.google.code.findbugs:jsr305@3.0.2 + 1.9.9 + io.micrometer:micrometer-core@1.9.9 + io.prometheus:simpleclient_common@0.15.0 + Opt|com.google.code.findbugs:jsr305@3.0.2 + io.netty:netty + 3.5.2.Final + Opt|org.jboss.marshalling:jboss-marshalling@1.3.14.GA + Opt|com.google.protobuf:protobuf-java@2.4.1 + Opt|javax.servlet:servlet-api@2.5 + Opt|javax.activation:activation@1.1.1 + Opt|org.apache.felix:org.osgi.core@1.4.0 + Opt MavenExclusions org.apache.felix:javax.servlet,org.apache.felix:org.osgi.foundation|org.apache.felix:org.osgi.compendium@1.4.0 + Opt|org.slf4j:slf4j-api@1.6.4 + Opt|commons-logging:commons-logging@1.1.1 + Opt|org.jboss.logging:jboss-logging-spi@2.1.2.GA + Opt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|log4j:log4j@1.2.16 + 3.9.8.Final + Opt MavenClassifier windows-x86_64|io.netty:netty-tcnative@1.1.30.Fork2 + Opt|org.jboss.marshalling:jboss-marshalling@1.3.14.GA + Opt|com.google.protobuf:protobuf-java@2.5.0 + Opt|org.bouncycastle:bcpkix-jdk15on@1.50 + Opt|org.eclipse.jetty.npn:npn-api@1.1.0.v20120525 + Opt|javax.servlet:servlet-api@2.5 + Opt|javax.activation:activation@1.1.1 + Opt|org.apache.felix:org.osgi.core@1.4.0 + Opt MavenExclusions 
org.apache.felix:javax.servlet,org.apache.felix:org.osgi.foundation|org.apache.felix:org.osgi.compendium@1.4.0 + Opt|org.slf4j:slf4j-api@1.6.4 + Opt|commons-logging:commons-logging@1.1.1 + Opt|org.jboss.logging:jboss-logging@3.1.4.GA + Opt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|log4j:log4j@1.2.16 + io.netty:netty-all + 4.1.100.Final + MavenExclusions io.netty:netty-common|io.netty:netty-buffer@4.1.100.Final + MavenExclusions io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-transport,com.google.protobuf:protobuf-java,com.google.protobuf.nano:protobuf-javanano,org.jboss.marshalling:jboss-marshalling,com.jcraft:jzlib,com.ning:compress-lzf,net.jpountz.lz4:lz4,com.github.jponge:lzma-java,com.github.luben:zstd-jni,com.aayushatharva.brotli4j:brotli4j,com.aayushatharva.brotli4j:native-linux-x86_64,com.aayushatharva.brotli4j:native-linux-aarch64,com.aayushatharva.brotli4j:native-osx-x86_64,com.aayushatharva.brotli4j:native-osx-aarch64,com.aayushatharva.brotli4j:native-windows-x86_64|io.netty:netty-codec@4.1.100.Final + MavenExclusions io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-transport,io.netty:netty-codec|io.netty:netty-codec-dns@4.1.100.Final + MavenExclusions io.netty:netty-buffer,io.netty:netty-transport,io.netty:netty-codec|io.netty:netty-codec-haproxy@4.1.100.Final + MavenExclusions io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-transport,io.netty:netty-codec,io.netty:netty-handler,com.jcraft:jzlib,com.aayushatharva.brotli4j:brotli4j,com.github.luben:zstd-jni|io.netty:netty-codec-http@4.1.100.Final + MavenExclusions io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-transport,io.netty:netty-codec,io.netty:netty-handler,io.netty:netty-codec-http,com.jcraft:jzlib,com.aayushatharva.brotli4j:brotli4j,com.github.luben:zstd-jni|io.netty:netty-codec-http2@4.1.100.Final + MavenExclusions 
io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-transport,io.netty:netty-codec|io.netty:netty-codec-memcache@4.1.100.Final + MavenExclusions io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-transport,io.netty:netty-codec|io.netty:netty-codec-mqtt@4.1.100.Final + MavenExclusions io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-transport,io.netty:netty-codec|io.netty:netty-codec-redis@4.1.100.Final + MavenExclusions io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-transport,io.netty:netty-codec|io.netty:netty-codec-smtp@4.1.100.Final + MavenExclusions io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-transport,io.netty:netty-codec|io.netty:netty-codec-socks@4.1.100.Final + MavenExclusions io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-transport,io.netty:netty-codec|io.netty:netty-codec-stomp@4.1.100.Final + MavenExclusions io.netty:netty-buffer,io.netty:netty-transport,io.netty:netty-codec,com.fasterxml:aalto-xml|io.netty:netty-codec-xml@4.1.100.Final + MavenExclusions org.graalvm.nativeimage:svm,org.jetbrains:annotations-java5,org.slf4j:slf4j-api,commons-logging:commons-logging,org.apache.logging.log4j:log4j-1.2-api,org.apache.logging.log4j:log4j-api,io.projectreactor.tools:blockhound|io.netty:netty-common@4.1.100.Final + MavenExclusions io.netty:netty-common,io.netty:netty-resolver,io.netty:netty-buffer,io.netty:netty-transport,io.netty:netty-transport-native-unix-common,io.netty:netty-codec,io.netty:netty-tcnative-classes,io.netty:netty-tcnative-boringssl-static,org.bouncycastle:bcpkix-jdk15on,org.bouncycastle:bctls-jdk15on,org.eclipse.jetty.npn:npn-api,org.eclipse.jetty.alpn:alpn-api,org.conscrypt:conscrypt-openjdk-uber|io.netty:netty-handler@4.1.100.Final + MavenExclusions io.netty:netty-jni-util,io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-transport|io.netty:netty-transport-native-unix-common@4.1.100.Final + MavenExclusions 
io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-transport,io.netty:netty-codec,io.netty:netty-codec-socks,io.netty:netty-codec-http|io.netty:netty-handler-proxy@4.1.100.Final + MavenExclusions org.bouncycastle:bcpkix-jdk15on,io.netty:netty-codec-http,io.netty:netty-transport,io.netty:netty-resolver-dns|io.netty:netty-handler-ssl-ocsp@4.1.100.Final + MavenExclusions io.netty:netty-common|io.netty:netty-resolver@4.1.100.Final + MavenExclusions io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-resolver,io.netty:netty-transport,io.netty:netty-codec,io.netty:netty-codec-dns,io.netty:netty-handler|io.netty:netty-resolver-dns@4.1.100.Final + MavenExclusions io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-resolver|io.netty:netty-transport@4.1.100.Final + MavenExclusions io.netty:netty-buffer,io.netty:netty-transport,org.rxtx:rxtx|io.netty:netty-transport-rxtx@4.1.100.Final + MavenExclusions io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-codec,io.netty:netty-transport|io.netty:netty-transport-sctp@4.1.100.Final + MavenExclusions io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-transport,com.barchart.udt:barchart-udt-bundle|io.netty:netty-transport-udt@4.1.100.Final + MavenExclusions io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-transport,io.netty:netty-transport-native-unix-common|io.netty:netty-transport-classes-epoll@4.1.100.Final + MavenExclusions io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-transport,io.netty:netty-transport-native-unix-common|io.netty:netty-transport-classes-kqueue@4.1.100.Final + MavenExclusions io.netty:netty-common,io.netty:netty-resolver-dns,io.netty:netty-transport-native-unix-common|io.netty:netty-resolver-dns-classes-macos@4.1.100.Final + Scope runtime MavenClassifier linux-x86_64 MavenExclusions 
io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-transport,io.netty:netty-transport-native-unix-common,io.netty:netty-transport-classes-epoll,org.bouncycastle:bcpkix-jdk15on|io.netty:netty-transport-native-epoll@4.1.100.Final + Scope runtime MavenClassifier linux-aarch_64 MavenExclusions io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-transport,io.netty:netty-transport-native-unix-common,io.netty:netty-transport-classes-epoll,org.bouncycastle:bcpkix-jdk15on|io.netty:netty-transport-native-epoll@4.1.100.Final + Scope runtime MavenClassifier osx-x86_64 MavenExclusions io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-transport,io.netty:netty-transport-native-unix-common,io.netty:netty-transport-classes-kqueue,org.bouncycastle:bcpkix-jdk15on,io.netty:netty-transport-native-unix-common|io.netty:netty-transport-native-kqueue@4.1.100.Final + Scope runtime MavenClassifier osx-aarch_64 MavenExclusions io.netty:netty-common,io.netty:netty-buffer,io.netty:netty-transport,io.netty:netty-transport-native-unix-common,io.netty:netty-transport-classes-kqueue,org.bouncycastle:bcpkix-jdk15on,io.netty:netty-transport-native-unix-common|io.netty:netty-transport-native-kqueue@4.1.100.Final + Scope runtime MavenClassifier osx-x86_64 MavenExclusions io.netty:netty-resolver-dns-classes-macos,io.netty:netty-transport-native-unix-common|io.netty:netty-resolver-dns-native-macos@4.1.100.Final + Scope runtime MavenClassifier osx-aarch_64 MavenExclusions io.netty:netty-resolver-dns-classes-macos,io.netty:netty-transport-native-unix-common|io.netty:netty-resolver-dns-native-macos@4.1.100.Final + io.netty:netty-bom + 4.1.27.Final + io.netty:netty-buffer + 4.1.27.Final + io.netty:netty-common@4.1.27.Final + 4.1.91.Final + io.netty:netty-common@4.1.91.Final + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-codec + 4.1.27.Final + io.netty:netty-transport@4.1.27.Final + Opt|com.google.protobuf:protobuf-java@2.6.1 + 
Opt|com.google.protobuf.nano:protobuf-javanano@3.0.0-alpha-5 + Opt|org.jboss.marshalling:jboss-marshalling@1.4.11.Final + Opt|com.jcraft:jzlib@1.1.3 + Opt|com.ning:compress-lzf@1.0.3 + Opt|net.jpountz.lz4:lz4@1.3.0 + Opt|com.github.jponge:lzma-java@1.3 + 4.1.68.Final + io.netty:netty-common@4.1.68.Final + io.netty:netty-buffer@4.1.68.Final + io.netty:netty-transport@4.1.68.Final + Opt|com.google.protobuf:protobuf-java@2.6.1 + Opt|com.google.protobuf.nano:protobuf-javanano@3.0.0-alpha-5 + Opt|org.jboss.marshalling:jboss-marshalling@1.4.11.Final + Opt|com.jcraft:jzlib@1.1.3 + Opt|com.ning:compress-lzf@1.0.3 + Opt|net.jpountz.lz4:lz4@1.3.0 + Opt|com.github.jponge:lzma-java@1.3 + Opt|com.github.luben:zstd-jni@1.5.0-2 + Opt|com.aayushatharva.brotli4j:brotli4j@1.5.0 + Opt|com.aayushatharva.brotli4j:native-linux-x86_64@1.5.0 + Opt|com.aayushatharva.brotli4j:native-osx-x86_64@1.5.0 + Opt|com.aayushatharva.brotli4j:native-windows-x86_64@1.5.0 + 4.1.91.Final + io.netty:netty-common@4.1.91.Final + io.netty:netty-buffer@4.1.91.Final + io.netty:netty-transport@4.1.91.Final + Opt|com.google.protobuf:protobuf-java@2.6.1 + Opt|com.google.protobuf.nano:protobuf-javanano@3.0.0-alpha-5 + Opt|org.jboss.marshalling:jboss-marshalling@1.4.11.Final + Opt|com.jcraft:jzlib@1.1.3 + Opt|com.ning:compress-lzf@1.0.3 + Opt|net.jpountz.lz4:lz4@1.3.0 + Opt|com.github.jponge:lzma-java@1.3 + Opt|com.github.luben:zstd-jni@1.5.0-2 + Opt|com.aayushatharva.brotli4j:brotli4j@1.11.0 + Opt|com.aayushatharva.brotli4j:native-linux-x86_64@1.11.0 + Opt|com.aayushatharva.brotli4j:native-linux-aarch64@1.11.0 + Opt|com.aayushatharva.brotli4j:native-osx-x86_64@1.11.0 + Opt|com.aayushatharva.brotli4j:native-osx-aarch64@1.11.0 + Opt|com.aayushatharva.brotli4j:native-windows-x86_64@1.11.0 + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + Opt|com.google.protobuf:protobuf-java@2.6.1 + 
Opt|com.google.protobuf.nano:protobuf-javanano@3.0.0-alpha-5 + Opt|org.jboss.marshalling:jboss-marshalling@1.4.11.Final + Opt|com.jcraft:jzlib@1.1.3 + Opt|com.ning:compress-lzf@1.0.3 + Opt|net.jpountz.lz4:lz4@1.3.0 + Opt|com.github.jponge:lzma-java@1.3 + Opt|com.github.luben:zstd-jni@1.5.0-2 + Opt|com.aayushatharva.brotli4j:brotli4j@1.12.0 + Opt|com.aayushatharva.brotli4j:native-linux-x86_64@1.12.0 + Opt|com.aayushatharva.brotli4j:native-linux-aarch64@1.12.0 + Opt|com.aayushatharva.brotli4j:native-osx-x86_64@1.12.0 + Opt|com.aayushatharva.brotli4j:native-osx-aarch64@1.12.0 + Opt|com.aayushatharva.brotli4j:native-windows-x86_64@1.12.0 + io.netty:netty-codec-dns + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + io.netty:netty-codec@4.1.100.Final + io.netty:netty-codec-haproxy + 4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + io.netty:netty-codec@4.1.100.Final + io.netty:netty-codec-http + 4.1.91.Final + io.netty:netty-common@4.1.91.Final + io.netty:netty-buffer@4.1.91.Final + io.netty:netty-transport@4.1.91.Final + io.netty:netty-codec@4.1.91.Final + io.netty:netty-handler@4.1.91.Final + Opt|com.jcraft:jzlib@1.1.3 + Opt|com.aayushatharva.brotli4j:brotli4j@1.11.0 + Opt|com.github.luben:zstd-jni@1.5.0-2 + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + io.netty:netty-codec@4.1.100.Final + io.netty:netty-handler@4.1.100.Final + Opt|com.jcraft:jzlib@1.1.3 + Opt|com.aayushatharva.brotli4j:brotli4j@1.12.0 + Opt|com.github.luben:zstd-jni@1.5.0-2 + io.netty:netty-codec-http2 + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + io.netty:netty-codec@4.1.100.Final + io.netty:netty-handler@4.1.100.Final + io.netty:netty-codec-http@4.1.100.Final + Opt|com.jcraft:jzlib@1.1.3 + 
Opt|com.aayushatharva.brotli4j:brotli4j@1.12.0 + Opt|com.github.luben:zstd-jni@1.5.0-2 + io.netty:netty-codec-memcache + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + io.netty:netty-codec@4.1.100.Final + io.netty:netty-codec-mqtt + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + io.netty:netty-codec@4.1.100.Final + io.netty:netty-codec-redis + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + io.netty:netty-codec@4.1.100.Final + io.netty:netty-codec-smtp + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + io.netty:netty-codec@4.1.100.Final + io.netty:netty-codec-socks + 4.1.60.Final + io.netty:netty-common@4.1.60.Final + io.netty:netty-buffer@4.1.60.Final + io.netty:netty-transport@4.1.60.Final + io.netty:netty-codec@4.1.60.Final + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + io.netty:netty-codec@4.1.100.Final + io.netty:netty-codec-stomp + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + io.netty:netty-codec@4.1.100.Final + io.netty:netty-codec-xml + 4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + io.netty:netty-codec@4.1.100.Final + com.fasterxml:aalto-xml@1.0.0 + io.netty:netty-common + 4.1.27.Final + Opt|org.slf4j:slf4j-api@1.7.21 + Opt|commons-logging:commons-logging@1.2 + Opt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|log4j:log4j@1.2.17 + Opt|org.apache.logging.log4j:log4j-api@2.6.2 + 4.1.45.Final + Scope provided MavenExclusions 
com.oracle.substratevm:svm-hosted-native-linux-amd64,com.oracle.substratevm:svm-hosted-native-darwin-amd64,com.oracle.substratevm:svm-hosted-native-windows-amd64,org.graalvm.sdk:graal-sdk,com.oracle.substratevm:objectfile,com.oracle.substratevm:pointsto,org.graalvm.truffle:truffle-nfi,org.graalvm.compiler:compiler|com.oracle.substratevm:svm@19.0.0 + Opt|org.slf4j:slf4j-api@1.7.21 + Opt|commons-logging:commons-logging@1.2 + Opt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|log4j:log4j@1.2.17 + Opt|org.apache.logging.log4j:log4j-api@2.6.2 + Opt|io.projectreactor.tools:blockhound@1.0.1.RELEASE + 4.1.46.Final + Scope provided MavenExclusions com.oracle.substratevm:svm-hosted-native-linux-amd64,com.oracle.substratevm:svm-hosted-native-darwin-amd64,com.oracle.substratevm:svm-hosted-native-windows-amd64,org.graalvm.sdk:graal-sdk,com.oracle.substratevm:objectfile,com.oracle.substratevm:pointsto,org.graalvm.truffle:truffle-nfi,org.graalvm.compiler:compiler|com.oracle.substratevm:svm@19.0.0 + Opt|org.slf4j:slf4j-api@1.7.21 + Opt|commons-logging:commons-logging@1.2 + Opt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|log4j:log4j@1.2.17 + Opt|org.apache.logging.log4j:log4j-api@2.6.2 + Opt|io.projectreactor.tools:blockhound@1.0.2.RELEASE + 4.1.68.Final + Scope provided MavenExclusions org.graalvm.nativeimage:svm-hosted-native-linux-amd64,org.graalvm.nativeimage:svm-hosted-native-darwin-amd64,org.graalvm.nativeimage:svm-hosted-native-windows-amd64,org.graalvm.sdk:graal-sdk,org.graalvm.nativeimage:objectfile,org.graalvm.nativeimage:pointsto,org.graalvm.truffle:truffle-nfi,org.graalvm.compiler:compiler|org.graalvm.nativeimage:svm@19.3.6 + Opt|org.slf4j:slf4j-api@1.7.30 + Opt|commons-logging:commons-logging@1.2 + Opt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|org.apache.logging.log4j:log4j-1.2-api@2.14.1 + Opt|org.apache.logging.log4j:log4j-api@2.6.2 + 
Opt|io.projectreactor.tools:blockhound@1.0.6.RELEASE + 4.1.91.Final + Scope provided MavenExclusions org.graalvm.nativeimage:svm-hosted-native-linux-amd64,org.graalvm.nativeimage:svm-hosted-native-darwin-amd64,org.graalvm.nativeimage:svm-hosted-native-windows-amd64,org.graalvm.sdk:graal-sdk,org.graalvm.nativeimage:objectfile,org.graalvm.nativeimage:pointsto,org.graalvm.truffle:truffle-nfi,org.graalvm.compiler:compiler|org.graalvm.nativeimage:svm@19.3.6 + Scope provided|org.jetbrains:annotations-java5@23.0.0 + Opt|org.slf4j:slf4j-api@1.7.30 + Opt|commons-logging:commons-logging@1.2 + Opt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|org.apache.logging.log4j:log4j-1.2-api@2.17.2 + Opt|org.apache.logging.log4j:log4j-api@2.17.2 + Opt|io.projectreactor.tools:blockhound@1.0.6.RELEASE + 4.1.94.Final + Scope provided MavenExclusions org.graalvm.nativeimage:svm-hosted-native-linux-amd64,org.graalvm.nativeimage:svm-hosted-native-darwin-amd64,org.graalvm.nativeimage:svm-hosted-native-windows-amd64,org.graalvm.sdk:graal-sdk,org.graalvm.nativeimage:objectfile,org.graalvm.nativeimage:pointsto,org.graalvm.truffle:truffle-nfi,org.graalvm.compiler:compiler|org.graalvm.nativeimage:svm@19.3.6 + Scope provided|org.jetbrains:annotations-java5@23.0.0 + Opt|org.slf4j:slf4j-api@1.7.30 + Opt|commons-logging:commons-logging@1.2 + Opt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|org.apache.logging.log4j:log4j-1.2-api@2.17.2 + Opt|org.apache.logging.log4j:log4j-api@2.17.2 + Opt|io.projectreactor.tools:blockhound@1.0.6.RELEASE + 4.1.100.Final + Scope provided MavenExclusions 
org.graalvm.nativeimage:svm-hosted-native-linux-amd64,org.graalvm.nativeimage:svm-hosted-native-darwin-amd64,org.graalvm.nativeimage:svm-hosted-native-windows-amd64,org.graalvm.sdk:graal-sdk,org.graalvm.nativeimage:objectfile,org.graalvm.nativeimage:pointsto,org.graalvm.truffle:truffle-nfi,org.graalvm.compiler:compiler|org.graalvm.nativeimage:svm@19.3.6 + Scope provided|org.jetbrains:annotations-java5@23.0.0 + Opt|org.slf4j:slf4j-api@1.7.30 + Opt|commons-logging:commons-logging@1.2 + Opt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|org.apache.logging.log4j:log4j-1.2-api@2.17.2 + Opt|org.apache.logging.log4j:log4j-api@2.17.2 + Opt|io.projectreactor.tools:blockhound@1.0.6.RELEASE + io.netty:netty-handler + 4.1.27.Final + io.netty:netty-buffer@4.1.27.Final + io.netty:netty-transport@4.1.27.Final + io.netty:netty-codec@4.1.27.Final + Opt|org.bouncycastle:bcpkix-jdk15on@1.54 + Opt Scope provided|org.eclipse.jetty.npn:npn-api@1.1.1.v20141010 + Opt Scope provided|org.eclipse.jetty.alpn:alpn-api@1.1.2.v20150522 + Opt|org.conscrypt:conscrypt-openjdk-uber@1.1.3 + 4.1.45.Final + io.netty:netty-common@4.1.45.Final + io.netty:netty-buffer@4.1.45.Final + io.netty:netty-transport@4.1.45.Final + io.netty:netty-codec@4.1.45.Final + Opt|org.bouncycastle:bcpkix-jdk15on@1.54 + Opt Scope provided|org.eclipse.jetty.npn:npn-api@1.1.1.v20141010 + Opt Scope provided|org.eclipse.jetty.alpn:alpn-api@1.1.2.v20150522 + Opt|org.conscrypt:conscrypt-openjdk-uber@1.3.0 + 4.1.46.Final + io.netty:netty-common@4.1.46.Final + io.netty:netty-resolver@4.1.46.Final + io.netty:netty-buffer@4.1.46.Final + io.netty:netty-transport@4.1.46.Final + io.netty:netty-codec@4.1.46.Final + Opt|org.bouncycastle:bcpkix-jdk15on@1.54 + Opt Scope provided|org.eclipse.jetty.npn:npn-api@1.1.1.v20141010 + Opt Scope provided|org.eclipse.jetty.alpn:alpn-api@1.1.2.v20150522 + Opt|org.conscrypt:conscrypt-openjdk-uber@1.3.0 + 4.1.91.Final + io.netty:netty-common@4.1.91.Final + 
io.netty:netty-resolver@4.1.91.Final + io.netty:netty-buffer@4.1.91.Final + io.netty:netty-transport@4.1.91.Final + io.netty:netty-transport-native-unix-common@4.1.91.Final + io.netty:netty-codec@4.1.91.Final + Opt|io.netty:netty-tcnative-classes@2.0.59.Final + Opt|org.bouncycastle:bcpkix-jdk15on@1.69 + Opt|org.bouncycastle:bctls-jdk15on@1.69 + Opt Scope provided|org.eclipse.jetty.npn:npn-api@1.1.1.v20141010 + Opt Scope provided|org.eclipse.jetty.alpn:alpn-api@1.1.2.v20150522 + Opt|org.conscrypt:conscrypt-openjdk-uber@2.5.2 + 4.1.94.Final + io.netty:netty-common@4.1.94.Final + io.netty:netty-resolver@4.1.94.Final + io.netty:netty-buffer@4.1.94.Final + io.netty:netty-transport@4.1.94.Final + io.netty:netty-transport-native-unix-common@4.1.94.Final + io.netty:netty-codec@4.1.94.Final + Opt|io.netty:netty-tcnative-classes@2.0.61.Final + Opt|org.bouncycastle:bcpkix-jdk15on@1.69 + Opt|org.bouncycastle:bctls-jdk15on@1.69 + Opt Scope provided|org.eclipse.jetty.npn:npn-api@1.1.1.v20141010 + Opt Scope provided|org.eclipse.jetty.alpn:alpn-api@1.1.2.v20150522 + Opt|org.conscrypt:conscrypt-openjdk-uber@2.5.2 + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-resolver@4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + io.netty:netty-transport-native-unix-common@4.1.100.Final + io.netty:netty-codec@4.1.100.Final + Opt|io.netty:netty-tcnative-classes@2.0.61.Final + Opt|org.bouncycastle:bcpkix-jdk15on@1.69 + Opt|org.bouncycastle:bctls-jdk15on@1.69 + Opt Scope provided|org.eclipse.jetty.npn:npn-api@1.1.1.v20141010 + Opt Scope provided|org.eclipse.jetty.alpn:alpn-api@1.1.2.v20150522 + Opt|org.conscrypt:conscrypt-openjdk-uber@2.5.2 + io.netty:netty-handler-proxy + 4.1.60.Final + io.netty:netty-common@4.1.60.Final + io.netty:netty-buffer@4.1.60.Final + io.netty:netty-transport@4.1.60.Final + io.netty:netty-codec@4.1.60.Final + io.netty:netty-codec-socks@4.1.60.Final + io.netty:netty-codec-http@4.1.60.Final + 4.1.100.Final 
+ io.netty:netty-common@4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + io.netty:netty-codec@4.1.100.Final + io.netty:netty-codec-socks@4.1.100.Final + io.netty:netty-codec-http@4.1.100.Final + io.netty:netty-handler-ssl-ocsp + 4.1.100.Final + Scope provided|org.bouncycastle:bcpkix-jdk15on@1.69 + io.netty:netty-codec-http@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + io.netty:netty-resolver-dns@4.1.100.Final + io.netty:netty-parent + 4.1.27.Final + 4.1.45.Final + 4.1.46.Final + 4.1.60.Final + 4.1.68.Final + 4.1.91.Final + 4.1.94.Final + 4.1.100.Final + io.netty:netty-resolver + 4.1.27.Final + io.netty:netty-common@4.1.27.Final + 4.1.91.Final + io.netty:netty-common@4.1.91.Final + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-resolver-dns + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-resolver@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + io.netty:netty-codec@4.1.100.Final + io.netty:netty-codec-dns@4.1.100.Final + io.netty:netty-handler@4.1.100.Final + io.netty:netty-resolver-dns-classes-macos + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-resolver-dns@4.1.100.Final + io.netty:netty-transport-native-unix-common@4.1.100.Final + io.netty:netty-resolver-dns-native-macos + 4.1.100.Final + io.netty:netty-resolver-dns-classes-macos@4.1.100.Final + io.netty:netty-transport + 4.1.27.Final + io.netty:netty-buffer@4.1.27.Final + io.netty:netty-resolver@4.1.27.Final + 4.1.91.Final + io.netty:netty-common@4.1.91.Final + io.netty:netty-buffer@4.1.91.Final + io.netty:netty-resolver@4.1.91.Final + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-resolver@4.1.100.Final + io.netty:netty-transport-classes-epoll + 4.1.91.Final + io.netty:netty-common@4.1.91.Final + io.netty:netty-buffer@4.1.91.Final + io.netty:netty-transport@4.1.91.Final + 
io.netty:netty-transport-native-unix-common@4.1.91.Final + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + io.netty:netty-transport-native-unix-common@4.1.100.Final + io.netty:netty-transport-classes-kqueue + 4.1.91.Final + io.netty:netty-common@4.1.91.Final + io.netty:netty-buffer@4.1.91.Final + io.netty:netty-transport@4.1.91.Final + io.netty:netty-transport-native-unix-common@4.1.91.Final + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + io.netty:netty-transport-native-unix-common@4.1.100.Final + io.netty:netty-transport-native-epoll + 4.1.27.Final + io.netty:netty-common@4.1.27.Final + io.netty:netty-buffer@4.1.27.Final + io.netty:netty-transport-native-unix-common@4.1.27.Final + io.netty:netty-transport@4.1.27.Final + 4.1.60.Final + io.netty:netty-common@4.1.60.Final + io.netty:netty-buffer@4.1.60.Final + io.netty:netty-transport@4.1.60.Final + io.netty:netty-transport-native-unix-common@4.1.60.Final + 4.1.91.Final + io.netty:netty-common@4.1.91.Final + io.netty:netty-buffer@4.1.91.Final + io.netty:netty-transport@4.1.91.Final + io.netty:netty-transport-native-unix-common@4.1.91.Final + io.netty:netty-transport-classes-epoll@4.1.91.Final + Opt|org.bouncycastle:bcpkix-jdk15on@1.69 + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + io.netty:netty-transport-native-unix-common@4.1.100.Final + io.netty:netty-transport-classes-epoll@4.1.100.Final + Opt|org.bouncycastle:bcpkix-jdk15on@1.69 + io.netty:netty-transport-native-kqueue + 4.1.60.Final + io.netty:netty-common@4.1.60.Final + io.netty:netty-buffer@4.1.60.Final + io.netty:netty-transport@4.1.60.Final + io.netty:netty-transport-native-unix-common@4.1.60.Final + 4.1.91.Final + io.netty:netty-common@4.1.91.Final + io.netty:netty-buffer@4.1.91.Final + 
io.netty:netty-transport@4.1.91.Final + io.netty:netty-transport-native-unix-common@4.1.91.Final + io.netty:netty-transport-classes-kqueue@4.1.91.Final + Opt|org.bouncycastle:bcpkix-jdk15on@1.69 + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + io.netty:netty-transport-native-unix-common@4.1.100.Final + io.netty:netty-transport-classes-kqueue@4.1.100.Final + Opt|org.bouncycastle:bcpkix-jdk15on@1.69 + io.netty:netty-transport-native-unix-common + 4.1.27.Final + io.netty:netty-common@4.1.27.Final + io.netty:netty-transport@4.1.27.Final + 4.1.91.Final + Opt MavenClassifier sources|io.netty:netty-jni-util@0.0.6.Final + io.netty:netty-common@4.1.91.Final + io.netty:netty-buffer@4.1.91.Final + io.netty:netty-transport@4.1.91.Final + 4.1.94.Final + Opt MavenClassifier sources|io.netty:netty-jni-util@0.0.6.Final + io.netty:netty-common@4.1.94.Final + io.netty:netty-buffer@4.1.94.Final + io.netty:netty-transport@4.1.94.Final + 4.1.100.Final + Opt MavenClassifier sources|io.netty:netty-jni-util@0.0.9.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + io.netty:netty-transport-rxtx + 4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + org.rxtx:rxtx@2.1.7 + io.netty:netty-transport-sctp + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-codec@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + io.netty:netty-transport-udt + 4.1.100.Final + io.netty:netty-common@4.1.100.Final + io.netty:netty-buffer@4.1.100.Final + io.netty:netty-transport@4.1.100.Final + com.barchart.udt:barchart-udt-bundle@2.3.0 + io.opentelemetry:opentelemetry-api + 1.25.0 + io.opentelemetry:opentelemetry-context@1.25.0 + io.opentelemetry:opentelemetry-api-events + 1.25.0-alpha + io.opentelemetry:opentelemetry-api@1.25.0 + 
io.opentelemetry:opentelemetry-api-logs + 1.25.0-alpha + io.opentelemetry:opentelemetry-api@1.25.0 + io.opentelemetry:opentelemetry-context + 1.25.0 + io.opentelemetry:opentelemetry-exporter-logging + 1.25.0 + io.opentelemetry:opentelemetry-sdk@1.25.0 + io.opentelemetry:opentelemetry-sdk-metrics@1.25.0 + io.opentelemetry:opentelemetry-sdk-logs@1.25.0-alpha + Scope runtime|io.opentelemetry:opentelemetry-sdk-extension-autoconfigure-spi@1.25.0 + io.opentelemetry:opentelemetry-sdk + 1.25.0 + io.opentelemetry:opentelemetry-api@1.25.0 + io.opentelemetry:opentelemetry-sdk-common@1.25.0 + io.opentelemetry:opentelemetry-sdk-trace@1.25.0 + io.opentelemetry:opentelemetry-sdk-metrics@1.25.0 + Scope runtime|io.opentelemetry:opentelemetry-sdk-logs@1.25.0-alpha + io.opentelemetry:opentelemetry-sdk-common + 1.25.0 + io.opentelemetry:opentelemetry-api@1.25.0 + Scope runtime|io.opentelemetry:opentelemetry-semconv@1.25.0-alpha + io.opentelemetry:opentelemetry-sdk-extension-autoconfigure + 1.25.0-alpha + io.opentelemetry:opentelemetry-sdk@1.25.0 + io.opentelemetry:opentelemetry-sdk-metrics@1.25.0 + io.opentelemetry:opentelemetry-sdk-logs@1.25.0-alpha + io.opentelemetry:opentelemetry-sdk-extension-autoconfigure-spi@1.25.0 + Scope runtime|io.opentelemetry:opentelemetry-semconv@1.25.0-alpha + io.opentelemetry:opentelemetry-sdk-extension-autoconfigure-spi + 1.25.0 + io.opentelemetry:opentelemetry-sdk@1.25.0 + Scope runtime|io.opentelemetry:opentelemetry-sdk-metrics@1.25.0 + Scope runtime|io.opentelemetry:opentelemetry-sdk-logs@1.25.0-alpha + io.opentelemetry:opentelemetry-sdk-logs + 1.25.0-alpha + io.opentelemetry:opentelemetry-api-logs@1.25.0-alpha + io.opentelemetry:opentelemetry-api-events@1.25.0-alpha + io.opentelemetry:opentelemetry-sdk-common@1.25.0 + io.opentelemetry:opentelemetry-sdk-metrics + 1.25.0 + io.opentelemetry:opentelemetry-api@1.25.0 + io.opentelemetry:opentelemetry-sdk-common@1.25.0 + io.opentelemetry:opentelemetry-sdk-trace + 1.25.0 + 
io.opentelemetry:opentelemetry-api@1.25.0 + io.opentelemetry:opentelemetry-sdk-common@1.25.0 + Scope runtime|io.opentelemetry:opentelemetry-semconv@1.25.0-alpha + io.opentelemetry:opentelemetry-semconv + 1.25.0-alpha + io.opentelemetry:opentelemetry-api@1.25.0 + io.ous:jtoml + 2.0.0 + io.prometheus:parent + 0.9.0 + 0.15.0 + io.prometheus:simpleclient + 0.9.0 + 0.15.0 + io.prometheus:simpleclient_tracer_otel@0.15.0 + io.prometheus:simpleclient_tracer_otel_agent@0.15.0 + io.prometheus:simpleclient_common + 0.9.0 + io.prometheus:simpleclient@0.9.0 + 0.15.0 + io.prometheus:simpleclient@0.15.0 + io.prometheus:simpleclient_tracer + 0.15.0 + io.prometheus:simpleclient_tracer_common + 0.15.0 + io.prometheus:simpleclient_tracer_otel + 0.15.0 + io.prometheus:simpleclient_tracer_common@0.15.0 + Scope provided|io.opentelemetry:opentelemetry-api@1.10.1 + io.prometheus:simpleclient_tracer_otel_agent + 0.15.0 + io.prometheus:simpleclient_tracer_common@0.15.0 + Scope provided|io.opentelemetry:opentelemetry-api@1.10.1 + jakarta.activation:jakarta.activation-api + 1.2.1 + 2.1.0 + 2.1.3 + jakarta.annotation:ca-parent + 1.3.5 + jakarta.annotation:jakarta.annotation-api + 1.3.5 + 3.0.0-M1 + jakarta.inject:jakarta.inject-api + 2.0.1 + jakarta.servlet:jakarta.servlet-api + 6.1.0-M2 + jakarta.validation:jakarta.validation-api + 2.0.2 + 3.1.0-M1 + jakarta.ws.rs:all + 3.1.0 + jakarta.ws.rs:jakarta.ws.rs-api + 2.1.6 + 3.1.0 + Opt Scope provided|jakarta.xml.bind:jakarta.xml.bind-api@3.0.1 + Scope provided|jakarta.activation:jakarta.activation-api@2.0.1 + jakarta.xml.bind:jakarta.xml.bind-api + 2.3.2 + jakarta.activation:jakarta.activation-api@1.2.1 + 4.0.0 + jakarta.activation:jakarta.activation-api@2.1.0 + 4.0.1 + jakarta.activation:jakarta.activation-api@2.1.2 + jakarta.xml.bind:jakarta.xml.bind-api-parent + 2.3.2 + 4.0.0 + 4.0.1 + javax.activation:activation + 1.1 + javax.annotation:javax.annotation-api + 1.2 + 1.3.1 + 1.3.2 + javax.annotation:jsr250-api + 1.0 + javax.enterprise:cdi-api + 
1.0 + Opt|javax.el:el-api@2.1.2-b04 + Opt MavenExclusions jbossws:jboss-jaxrpc,org.jboss.javaee:jboss-transaction-api,jboss.jbossws:jboss-jaxrpc|org.jboss.ejb3:jboss-ejb3-api@3.1.0 + org.jboss.interceptor:jboss-interceptor-api@1.1 + javax.annotation:jsr250-api@1.0 + javax.inject:javax.inject@1 + javax.inject:javax.inject + 1 + javax.servlet.jsp:jsp-api + 2.1 + 2.2 + Scope provided|org.glassfish:javax.servlet@3.0-b72 + Scope provided|javax.el:el-api@2.2 + javax.servlet:javax.servlet-api + 3.1.0 + 4.0.1 + javax.servlet:servlet-api + 2.5 + javax.websocket:javax.websocket-all + 1.0 + javax.websocket:javax.websocket-api + 1.0 + Opt|javax.websocket:javax.websocket-client-api@1.0 + javax.websocket:javax.websocket-client-api + 1.0 + javax.ws.rs:javax.ws.rs-api + 2.1 + 2.1.1 + javax.ws.rs:jsr311-api + 1.1.1 + javax.xml.bind:jaxb-api + 2.2.2 + javax.xml.stream:stax-api@1.0-2 + javax.activation:activation@1.1 + 2.2.11 + 2.3.0 + javax.xml.bind:jaxb-api-parent + 2.3.0 + javax.xml.stream:stax-api + 1.0-2 + jaxen:jaxen + 1.1.6 + Opt|dom4j:dom4j@1.6.1 + Opt|jdom:jdom@1.0 + Scope provided|xml-apis:xml-apis@1.3.02 + Scope provided|xerces:xercesImpl@2.6.2 + Opt|xom:xom@1.0 + jline:jline + 2.14.3 + joda-time:joda-time + 2.9.9 + Opt|org.joda:joda-convert@1.2 + junit:junit + 3.8.1 + 4.12 + org.hamcrest:hamcrest-core@1.3 + 4.13.2 + org.hamcrest:hamcrest-core@1.3 + log4j:log4j + 1.2.17 + Opt|javax.mail:mail@1.4.3 + Scope provided|org.apache.openejb:javaee-api@5.0-2 + Opt|org.apache.geronimo.specs:geronimo-jms_1.1_spec@1.0 + net.bytebuddy:byte-buddy + 1.11.13 + Scope provided|net.java.dev.jna:jna@5.8.0 + Scope provided|net.java.dev.jna:jna-platform@5.8.0 + Scope provided|com.google.code.findbugs:findbugs-annotations@3.0.1 + 1.14.4 + Scope provided|net.java.dev.jna:jna@5.12.1 + Scope provided|net.java.dev.jna:jna-platform@5.12.1 + Scope provided|com.google.code.findbugs:findbugs-annotations@3.0.1 + Scope provided|com.google.code.findbugs:jsr305@3.0.2 + 1.14.11 + Scope 
provided|net.java.dev.jna:jna@5.12.1 + Scope provided|net.java.dev.jna:jna-platform@5.12.1 + Scope provided|com.google.code.findbugs:findbugs-annotations@3.0.1 + Scope provided|com.google.code.findbugs:jsr305@3.0.2 + net.bytebuddy:byte-buddy-agent + 1.11.13 + Scope provided|net.java.dev.jna:jna@5.8.0 + Scope provided|net.java.dev.jna:jna-platform@5.8.0 + Scope provided|com.google.code.findbugs:findbugs-annotations@3.0.1 + 1.14.11 + Scope provided|net.java.dev.jna:jna@5.12.1 + Scope provided|net.java.dev.jna:jna-platform@5.12.1 + Scope provided|com.google.code.findbugs:findbugs-annotations@3.0.1 + Scope provided|com.google.code.findbugs:jsr305@3.0.2 + net.bytebuddy:byte-buddy-parent + 1.11.13 + Scope provided|com.google.code.findbugs:findbugs-annotations@3.0.1 + 1.14.4 + Scope provided|com.google.code.findbugs:findbugs-annotations@3.0.1 + Scope provided|com.google.code.findbugs:jsr305@3.0.2 + 1.14.11 + Scope provided|com.google.code.findbugs:findbugs-annotations@3.0.1 + Scope provided|com.google.code.findbugs:jsr305@3.0.2 + net.java.dev.jna:jna + 4.1.0 + 4.5.1 + 5.2.0 + 5.9.0 + 5.13.0 + net.java.dev.jna:jna-platform + 4.1.0 + net.java.dev.jna:jna@4.1.0 + 4.5.1 + net.java.dev.jna:jna@4.5.1 + net.java:jvnet-parent + 1 + 3 + 4 + 5 + net.jcip:jcip-annotations + 1.0 + net.sf.ehcache:ehcache-core + 2.4.4 + org.slf4j:slf4j-api@1.6.1 + Scope provided|org.slf4j:slf4j-jdk14@1.6.1 + Scope provided|javax.servlet:servlet-api@2.4 + Scope provided MavenExclusions javax.transaction:jta,javax.security:jacc,net.sf.ehcache:ehcache|org.hibernate:hibernate-core@3.5.1-Final + Scope provided|javax.transaction:jta@1.1 + net.sf.ehcache:ehcache-parent + 2.2 + net.sourceforge.cssparser:cssparser + 0.9.16 + org.w3c.css:sac@1.3 + net.sourceforge.htmlunit:htmlunit + 2.18 + MavenExclusions xerces:xercesImpl|xalan:xalan@2.7.2 + commons-collections:commons-collections@3.2.1 + org.apache.commons:commons-lang3@3.4 + org.apache.httpcomponents:httpclient@4.5 + org.apache.httpcomponents:httpmime@4.5 + 
commons-codec:commons-codec@1.10 + net.sourceforge.htmlunit:htmlunit-core-js@2.17 + xerces:xercesImpl@2.11.0 + MavenExclusions xerces:xercesImpl|net.sourceforge.nekohtml:nekohtml@1.9.22 + net.sourceforge.cssparser:cssparser@0.9.16 + commons-io:commons-io@2.4 + commons-logging:commons-logging@1.2 + org.eclipse.jetty.websocket:websocket-client@9.2.12.v20150709 + 2.37.0 + MavenExclusions xerces:xercesImpl,xml-apis:xml-apis|xalan:xalan@2.7.2 + org.apache.commons:commons-lang3@3.9 + MavenExclusions org.apache.commons:commons-lang3|org.apache.commons:commons-text@1.8 + org.apache.httpcomponents:httpmime@4.5.11 + net.sourceforge.htmlunit:htmlunit-core-js@2.37.0 + net.sourceforge.htmlunit:neko-htmlunit@2.37.0 + net.sourceforge.htmlunit:htmlunit-cssparser@1.5.0 + commons-io:commons-io@2.6 + commons-logging:commons-logging@1.2 + commons-net:commons-net@3.6 + org.brotli:dec@0.1.2 + org.eclipse.jetty.websocket:websocket-client@9.4.26.v20200117 + net.sourceforge.htmlunit:htmlunit-core-js + 2.17 + 2.37.0 + net.sourceforge.htmlunit:htmlunit-cssparser + 1.5.0 + net.sourceforge.htmlunit:neko-htmlunit + 2.37.0 + xerces:xercesImpl@2.12.0 + 2.61.0 + xerces:xercesImpl@2.12.2 + net.sourceforge.nekohtml:nekohtml + 1.9.22 + xerces:xercesImpl@2.11.0 + org.apache.avro:avro + 1.9.2 + com.fasterxml.jackson.core:jackson-core@2.10.2 + com.fasterxml.jackson.core:jackson-databind@2.10.2 + org.apache.commons:commons-compress@1.19 + Opt|org.xerial.snappy:snappy-java@1.1.7.3 + Opt Scope provided|org.tukaani:xz@1.8 + Opt|com.github.luben:zstd-jni@1.4.3-1 + Opt|joda-time:joda-time@2.10.1 + org.slf4j:slf4j-api@1.7.25 + org.apache.avro:avro-parent + 1.9.2 + org.slf4j:slf4j-api@1.7.25 + org.apache.avro:avro-toplevel + 1.9.2 + org.apache.commons:commons-collections4 + 4.4 + org.apache.commons:commons-compress + 1.5 + org.tukaani:xz@1.2 + 1.16.1 + org.objenesis:objenesis@2.6 + Opt|com.github.luben:zstd-jni@1.3.3-3 + Opt|org.brotli:dec@0.1.2 + Opt|org.tukaani:xz@1.8 + 1.21 + 
Opt|com.github.luben:zstd-jni@1.5.0-2 + Opt|org.brotli:dec@0.1.2 + Opt|org.tukaani:xz@1.9 + Opt|asm:asm@3.2 + Scope provided|org.osgi:org.osgi.core@6.0.0 + 1.24.0 + Opt|com.github.luben:zstd-jni@1.5.5-5 + Opt|org.brotli:dec@0.1.2 + Opt|org.tukaani:xz@1.9 + Opt|org.ow2.asm:asm@9.5 + Scope provided|org.osgi:org.osgi.core@6.0.0 + 1.26.0 + Opt|com.github.luben:zstd-jni@1.5.5-11 + Opt|org.brotli:dec@0.1.2 + Opt|org.tukaani:xz@1.9 + Opt|commons-codec:commons-codec@1.16.1 + Opt|org.ow2.asm:asm@9.6 + commons-io:commons-io@2.15.1 + org.apache.commons:commons-lang3@3.14.0 + Scope provided|org.osgi:org.osgi.core@6.0.0 + org.apache.commons:commons-configuration2 + 2.2 + org.apache.commons:commons-lang3@3.6 + MavenExclusions logkit:logkit,avalon-framework:avalon-framework|commons-logging:commons-logging@1.2 + Opt|commons-beanutils:commons-beanutils@1.9.3 + Opt|commons-codec:commons-codec@1.10 + Opt|org.apache.commons:commons-jexl@2.1.1 + Opt|org.apache.commons:commons-vfs2@2.1 + Opt MavenExclusions xerces:xerces,ant:ant-optional|commons-jxpath:commons-jxpath@1.3 + Opt|xml-resolver:xml-resolver@1.2 + Opt|org.springframework:spring-core@4.3.9.RELEASE + Opt|org.springframework:spring-beans@4.3.9.RELEASE + Scope provided|javax.servlet:servlet-api@2.4 + Scope provided|xml-apis:xml-apis@1.0.b2 + Opt|org.yaml:snakeyaml@1.18 + Opt|com.fasterxml.jackson.core:jackson-databind@2.8.9 + Opt|log4j:log4j@1.2.17 + 2.8.0 + org.apache.commons:commons-lang3@3.12.0 + org.apache.commons:commons-text@1.9 + MavenExclusions logkit:logkit,avalon-framework:avalon-framework|commons-logging:commons-logging@1.2 + Opt|commons-beanutils:commons-beanutils@1.9.4 + Opt|commons-codec:commons-codec@1.15 + Opt|org.apache.commons:commons-jexl@2.1.1 + Opt|org.apache.commons:commons-vfs2@2.9.0 + Opt MavenExclusions xerces:xerces,ant:ant-optional|commons-jxpath:commons-jxpath@1.3 + Opt|xml-resolver:xml-resolver@1.2 + Opt|org.springframework:spring-core@5.3.21 + Opt|org.springframework:spring-beans@5.3.21 + Scope 
provided|javax.servlet:servlet-api@2.5 + Opt|org.yaml:snakeyaml@1.30 + Opt|com.fasterxml.jackson.core:jackson-databind@2.13.3 + Opt|log4j:log4j@1.2.17 + 2.9.0 + org.apache.commons:commons-lang3@3.12.0 + org.apache.commons:commons-text@1.10.0 + MavenExclusions logkit:logkit,avalon-framework:avalon-framework|commons-logging:commons-logging@1.2 + Opt|commons-beanutils:commons-beanutils@1.9.4 + Opt|commons-codec:commons-codec@1.15 + Opt|org.apache.commons:commons-jexl@2.1.1 + Opt|org.apache.commons:commons-vfs2@2.9.0 + Opt MavenExclusions xerces:xerces,ant:ant-optional|commons-jxpath:commons-jxpath@1.3 + Opt|xml-resolver:xml-resolver@1.2 + Opt|org.springframework:spring-core@5.3.26 + Opt|org.springframework:spring-beans@5.3.26 + Scope provided|javax.servlet:servlet-api@2.5 + Opt|org.yaml:snakeyaml@2.0 + Opt|com.fasterxml.jackson.core:jackson-databind@2.14.2 + Opt|org.apache.logging.log4j:log4j-1.2-api@2.20.0 + Opt|org.apache.logging.log4j:log4j-core@2.20.0 + 2.10.1 + org.apache.commons:commons-lang3@3.14.0 + org.apache.commons:commons-text@1.11.0 + MavenExclusions logkit:logkit,avalon-framework:avalon-framework|commons-logging:commons-logging@1.3.0 + Opt|commons-beanutils:commons-beanutils@1.9.4 + Opt|commons-codec:commons-codec@1.16.1 + Opt|org.apache.commons:commons-jexl@2.1.1 + Opt|org.apache.commons:commons-vfs2@2.9.0 + Opt MavenExclusions xerces:xerces,ant:ant-optional|commons-jxpath:commons-jxpath@1.3 + Opt|xml-resolver:xml-resolver@1.2 + Opt MavenExclusions org.springframework:spring-jcl|org.springframework:spring-core@5.3.33 + Opt|org.springframework:spring-beans@5.3.33 + Opt Scope provided|javax.servlet:servlet-api@2.5 + Opt|org.yaml:snakeyaml@2.2 + Opt|com.fasterxml.jackson.core:jackson-databind@2.17.0 + Opt|org.apache.logging.log4j:log4j-1.2-api@2.23.1 + Opt|org.apache.logging.log4j:log4j-core@2.23.1 + org.apache.commons:commons-csv + 1.9.0 + org.apache.commons:commons-exec + 1.3 + 1.4.0 + org.apache.commons:commons-lang3 + 3.9 + 3.10 + 3.11 + 3.12.0 + 
3.13.0 + Scope provided|org.apache.commons:commons-text@1.10.0 + org.apache.commons:commons-math3 + 3.1.1 + 3.6.1 + org.apache.commons:commons-parent + 5 + 17 + 23 + 24 + 25 + 28 + 32 + 34 + 35 + 39 + 42 + 43 + 47 + 48 + 50 + 51 + 52 + 53 + 54 + 56 + 58 + 61 + 62 + 65 + 66 + 67 + org.apache.commons:commons-pool2 + 2.3 + Opt|cglib:cglib@3.1 + Opt|org.ow2.asm:asm-util@5.0.3 + org.apache.commons:commons-text + 1.9 + org.apache.commons:commons-lang3@3.11 + 1.10.0 + org.apache.commons:commons-lang3@3.12.0 + org.apache.commons:commons-vfs2 + 2.2 + commons-logging:commons-logging@1.2 + Opt|ant:ant@1.6.5 + Opt|commons-net:commons-net@3.6 + Opt|org.apache.commons:commons-compress@1.14 + Opt|org.apache.commons:commons-collections4@4.1 + Opt MavenExclusions *:*|org.apache.hadoop:hadoop-common@2.6.0 + Opt MavenExclusions *:*|org.apache.hadoop:hadoop-hdfs@2.6.0 + Opt|commons-httpclient:commons-httpclient@3.1 + Opt|org.apache.jackrabbit:jackrabbit-webdav@1.6.5 + Opt|com.jcraft:jsch@0.1.54 + 2.6.0 + commons-logging:commons-logging@1.2 + Opt|ant:ant@1.6.5 + Opt|commons-net:commons-net@3.6 + Opt|org.apache.commons:commons-compress@1.19 + Opt|org.apache.commons:commons-collections4@4.4 + org.apache.hadoop:hadoop-hdfs-client@3.2.1 + Opt MavenExclusions *:*|org.apache.hadoop:hadoop-common@3.2.1 + Opt MavenExclusions *:*|org.apache.hadoop:hadoop-hdfs@3.2.1 + Opt|commons-httpclient:commons-httpclient@3.1 + Opt|org.apache.httpcomponents:httpclient@4.5.10 + Opt|org.apache.httpcomponents.client5:httpclient5@5.0-beta6 + Opt|com.jcraft:jsch@0.1.55 + org.apache.commons:commons-vfs2-jackrabbit1 + 2.6.0 + org.apache.commons:commons-vfs2@2.6.0 + commons-logging:commons-logging@1.2 + commons-httpclient:commons-httpclient@3.1 + org.apache.httpcomponents:httpclient@4.5.10 + org.apache.jackrabbit:jackrabbit-webdav@1.6.5 + org.apache.commons:commons-vfs2-project + 2.2 + 2.6.0 + org.apache.curator:apache-curator + 2.7.1 + MavenExclusions 
com.sun.jmx:jmxri,com.sun.jdmk:jmxtools,javax.jms:jms,junit:junit,org.slf4j:slf4j-log4j12|org.apache.zookeeper:zookeeper@3.4.6 + com.google.guava:guava@16.0.1 + 5.2.0 + org.apache.curator:curator-client + 2.7.1 + org.slf4j:slf4j-api@1.7.6 + MavenExclusions com.sun.jmx:jmxri,com.sun.jdmk:jmxtools,javax.jms:jms,junit:junit,org.slf4j:slf4j-log4j12|org.apache.zookeeper:zookeeper@3.4.6 + com.google.guava:guava@16.0.1 + 5.2.0 + MavenExclusions com.sun.jmx:jmxri,com.sun.jdmk:jmxtools,javax.jms:jms,junit:junit,org.slf4j:slf4j-log4j12|org.apache.zookeeper:zookeeper@3.6.3 + com.google.guava:guava@27.0.1-jre + org.slf4j:slf4j-api@1.7.25 + org.apache.curator:curator-framework + 2.7.1 + org.apache.curator:curator-client@2.7.1 + MavenExclusions com.sun.jmx:jmxri,com.sun.jdmk:jmxtools,javax.jms:jms,junit:junit,org.slf4j:slf4j-log4j12|org.apache.zookeeper:zookeeper@3.4.6 + com.google.guava:guava@16.0.1 + 5.2.0 + org.apache.curator:curator-client@5.2.0 + Scope provided|com.fasterxml.jackson.core:jackson-core@2.10.0 + Scope provided|com.fasterxml.jackson.core:jackson-databind@2.10.0 + org.apache.curator:curator-recipes + 2.7.1 + org.apache.curator:curator-framework@2.7.1 + MavenExclusions com.sun.jmx:jmxri,com.sun.jdmk:jmxtools,javax.jms:jms,junit:junit,org.slf4j:slf4j-log4j12|org.apache.zookeeper:zookeeper@3.4.6 + com.google.guava:guava@16.0.1 + 5.2.0 + org.apache.curator:curator-framework@5.2.0 + org.apache.directory.api:api-asn1-api + 1.0.0-M20 + org.apache.directory.api:api-i18n@1.0.0-M20 + Scope provided|findbugs:annotations@1.0.0 + org.slf4j:slf4j-api@1.7.5 + 2.1.5 + org.apache.directory.api:api-i18n@2.1.5 + org.apache.directory.api:api-asn1-ber + 1.0.0-M20 + org.apache.directory.api:api-i18n@1.0.0-M20 + org.apache.directory.api:api-asn1-api@1.0.0-M20 + org.apache.directory.api:api-util@1.0.0-M20 + Scope provided|findbugs:annotations@1.0.0 + org.slf4j:slf4j-api@1.7.5 + 2.1.5 + org.apache.directory.api:api-i18n@2.1.5 + org.apache.directory.api:api-asn1-api@2.1.5 + 
org.apache.directory.api:api-util@2.1.5 + org.slf4j:slf4j-api@1.7.36 + org.apache.directory.api:api-asn1-parent + 1.0.0-M20 + Scope provided|findbugs:annotations@1.0.0 + org.slf4j:slf4j-api@1.7.5 + 2.1.5 + org.apache.directory.api:api-i18n + 1.0.0-M20 + Scope provided|findbugs:annotations@1.0.0 + org.slf4j:slf4j-api@1.7.5 + 2.1.5 + org.apache.directory.api:api-ldap-model + 1.0.0-M20 + org.apache.directory.api:api-util@1.0.0-M20 + org.apache.directory.api:api-asn1-api@1.0.0-M20 + org.apache.directory.api:api-asn1-ber@1.0.0-M20 + org.apache.directory.api:api-i18n@1.0.0-M20 + org.apache.mina:mina-core@2.0.7 + antlr:antlr@2.7.7 + commons-lang:commons-lang@2.6 + commons-collections:commons-collections@3.2.1 + Scope provided|findbugs:annotations@1.0.0 + org.slf4j:slf4j-api@1.7.5 + 1.0.0-M31 + org.apache.directory.api:api-util@1.0.0-M31 + org.apache.directory.api:api-asn1-api@1.0.0-M31 + org.apache.directory.api:api-asn1-ber@1.0.0-M31 + org.apache.directory.api:api-i18n@1.0.0-M31 + org.apache.mina:mina-core@2.0.9 + Scope provided|antlr:antlr@2.7.7 + org.apache.servicemix.bundles:org.apache.servicemix.bundles.antlr@2.7.7_5 + commons-lang:commons-lang@2.6 + commons-collections:commons-collections@3.2.1 + Scope provided|findbugs:annotations@1.0.0 + 2.1.5 + org.apache.directory.api:api-util@2.1.5 + org.apache.directory.api:api-asn1-api@2.1.5 + org.apache.directory.api:api-asn1-ber@2.1.5 + org.apache.directory.api:api-i18n@2.1.5 + org.apache.mina:mina-core@2.2.3 + Scope provided|antlr:antlr@2.7.7 + org.apache.servicemix.bundles:org.apache.servicemix.bundles.antlr@2.7.7_5 + org.apache.commons:commons-lang3@3.13.0 + org.apache.commons:commons-collections4@4.4 + commons-codec:commons-codec@1.16.0 + MavenExclusions com.google.errorprone:error_prone_annotations,org.checkerframework:checker-qual|com.github.ben-manes.caffeine:caffeine@2.9.3 + org.apache.directory.api:api-ldap-parent + 1.0.0-M20 + Scope provided|findbugs:annotations@1.0.0 + org.slf4j:slf4j-api@1.7.5 + 1.0.0-M31 + 
2.1.5 + org.apache.directory.api:api-parent + 1.0.0-M20 + Scope provided|findbugs:annotations@1.0.0 + org.slf4j:slf4j-api@1.7.5 + 1.0.0-M31 + 2.1.5 + org.apache.directory.api:api-util + 1.0.0-M20 + org.apache.directory.api:api-i18n@1.0.0-M20 + Scope provided|findbugs:annotations@1.0.0 + org.slf4j:slf4j-api@1.7.5 + 2.1.5 + org.apache.directory.api:api-i18n@2.1.5 + org.slf4j:slf4j-api@1.7.36 + org.apache.directory.project:project + 31 + 34 + 48 + org.apache.directory.server:apacheds-i18n + 2.0.0-M15 + Scope provided|findbugs:annotations@1.0.0 + org.slf4j:slf4j-api@1.7.5 + 2.0.0.AM27 + Scope provided|findbugs:annotations@1.0.0 + org.slf4j:slf4j-api@1.7.36 + org.apache.directory.server:apacheds-kerberos-codec + 2.0.0-M15 + org.apache.directory.server:apacheds-i18n@2.0.0-M15 + org.apache.directory.api:api-asn1-api@1.0.0-M20 + org.apache.directory.api:api-asn1-ber@1.0.0-M20 + org.apache.directory.api:api-i18n@1.0.0-M20 + org.apache.directory.api:api-ldap-model@1.0.0-M20 + org.apache.directory.api:api-util@1.0.0-M20 + net.sf.ehcache:ehcache-core@2.4.4 + Scope provided|findbugs:annotations@1.0.0 + org.slf4j:slf4j-api@1.7.5 + 2.0.0.AM27 + org.apache.directory.server:apacheds-i18n@2.0.0.AM27 + org.apache.directory.api:api-asn1-api@2.1.5 + org.apache.directory.api:api-asn1-ber@2.1.5 + org.apache.directory.api:api-i18n@2.1.5 + org.apache.directory.api:api-ldap-model@2.1.5 + org.apache.directory.api:api-util@2.1.5 + MavenExclusions com.google.errorprone:error_prone_annotations,org.checkerframework:checker-qual|com.github.ben-manes.caffeine:caffeine@2.9.3 + Scope provided|findbugs:annotations@1.0.0 + org.slf4j:slf4j-api@1.7.36 + org.apache.directory.server:apacheds-parent + 2.0.0-M15 + Scope provided|findbugs:annotations@1.0.0 + org.slf4j:slf4j-api@1.7.5 + 2.0.0.AM27 + Scope provided|findbugs:annotations@1.0.0 + org.slf4j:slf4j-api@1.7.36 + org.apache.geronimo.genesis:genesis + 2.2 + org.apache.geronimo.genesis:genesis-default-flava + 2.2 + 
org.apache.geronimo.genesis:genesis-java5-flava + 2.2 + org.apache.geronimo.specs:geronimo-jcache_1.0_spec + 1.0-alpha-1 + Scope provided|org.apache.geronimo.specs:geronimo-jcdi_1.0_spec@1.0 + org.apache.hadoop.thirdparty:hadoop-shaded-guava + 1.2.0 + org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_21 + 1.2.0 + org.apache.hadoop.thirdparty:hadoop-thirdparty + 1.2.0 + org.apache.hadoop:hadoop-annotations + 2.7.7 + Scope provided|jdiff:jdiff@1.0.9 + 3.4.0 + Scope provided|jdiff:jdiff@1.0.9 + org.apache.hadoop:hadoop-auth + 2.7.7 + Scope provided|org.apache.hadoop:hadoop-annotations@2.7.7 + Scope provided|javax.servlet:servlet-api@2.5 + org.slf4j:slf4j-api@1.7.10 + commons-codec:commons-codec@1.4 + Scope runtime MavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|log4j:log4j@1.2.17 + Scope runtime|org.slf4j:slf4j-log4j12@1.7.10 + org.apache.httpcomponents:httpclient@4.2.5 + MavenExclusions org.apache.directory.api:api-asn1-ber,org.apache.directory.api:api-i18n,org.apache.directory.api:api-ldap-model,net.sf.ehcache:ehcache-core|org.apache.directory.server:apacheds-kerberos-codec@2.0.0-M15 + MavenExclusions junit:junit,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,org.jboss.netty:netty|org.apache.zookeeper:zookeeper@3.4.6 + org.apache.curator:curator-framework@2.7.1 + 3.4.0 + Scope provided|org.apache.hadoop:hadoop-annotations@3.4.0 + Scope provided|javax.servlet:javax.servlet-api@3.1.0 + org.slf4j:slf4j-api@1.7.36 + commons-codec:commons-codec@1.15 + Scope runtime MavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|ch.qos.reload4j:reload4j@1.2.22 + Scope runtime|org.slf4j:slf4j-reload4j@1.7.36 + org.apache.httpcomponents:httpclient@4.5.13 + MavenExclusions org.bouncycastle:bcprov-jdk15on|com.nimbusds:nimbus-jose-jwt@9.31 + MavenExclusions 
junit:junit,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,org.jboss.netty:netty,jline:jline,commons-cli:commons-cli,io.netty:*,commons-io:commons-io,commons-collections:commons-collections,org.apache.kerby:kerb-core,org.apache.kerby:kerb-simplekdc,org.apache.kerby:kerby-config,log4j:log4j,org.slf4j:slf4j-api,org.slf4j:slf4j-log4j12,org.slf4j:slf4j-reload4j,org.eclipse.jetty:jetty-client,ch.qos.logback:logback-core,ch.qos.logback:logback-classic|org.apache.zookeeper:zookeeper@3.8.3 + io.dropwizard.metrics:metrics-core@3.2.4 + Scope provided MavenExclusions org.osgi:org.osgi.core|org.xerial.snappy:snappy-java@1.1.10.4 + MavenExclusions org.apache.zookeeper:zookeeper,com.google.guava:guava,org.slf4j:slf4j-api|org.apache.curator:curator-framework@5.2.0 + MavenExclusions org.jboss.xnio:xnio-api|org.apache.kerby:kerb-simplekdc@2.0.3 + org.apache.hadoop.thirdparty:hadoop-shaded-guava@1.2.0 + org.apache.hadoop:hadoop-client + 2.7.7 + MavenExclusions javax.servlet:servlet-api,commons-logging:commons-logging-api,jetty:org.mortbay.jetty,org.mortbay.jetty:jetty,org.mortbay.jetty:jetty-util,org.mortbay.jetty:servlet-api-2.5,com.sun.jersey:jersey-core,com.sun.jersey:jersey-json,com.sun.jersey:jersey-server,org.eclipse.jdt:core,org.apache.avro:avro-ipc,net.sf.kosmosfs:kfs,net.java.dev.jets3t:jets3t,com.jcraft:jsch|org.apache.hadoop:hadoop-common@2.7.7 + MavenExclusions commons-daemon:commons-daemon,org.apache.avro:avro,org.mortbay.jetty:jetty,com.sun.jersey:jersey-core,com.sun.jersey:jersey-server,javax.servlet:servlet-api|org.apache.hadoop:hadoop-hdfs@2.7.7 + MavenExclusions javax.servlet:servlet-api,org.apache.hadoop:hadoop-yarn-server-nodemanager,org.apache.hadoop:hadoop-yarn-server-web-proxy,org.apache.hadoop:hadoop-annotations,com.google.inject.extensions:guice-servlet,junit:junit,org.apache.avro:avro,jline:jline,io.netty:netty|org.apache.hadoop:hadoop-mapreduce-client-app@2.7.7 + MavenExclusions 
org.apache.hadoop:hadoop-annotations,com.google.inject:guice,com.sun.jersey.jersey-test-framework:jersey-test-framework-grizzly2,com.sun.jersey:jersey-server,com.sun.jersey.contribs:jersey-guice,com.google.inject.extensions:guice-servlet,org.apache.avro:avro,com.sun.jersey:jersey-core,com.sun.jersey:jersey-json,io.netty:netty|org.apache.hadoop:hadoop-yarn-api@2.7.7 + MavenExclusions junit:junit,com.google.inject:guice,com.sun.jersey.jersey-test-framework:jersey-test-framework-grizzly2,com.sun.jersey:jersey-server,com.sun.jersey.contribs:jersey-guice,org.apache.avro:avro,org.apache.hadoop:hadoop-annotations,com.google.inject.extensions:guice-servlet,com.sun.jersey:jersey-json,io.netty:netty|org.apache.hadoop:hadoop-mapreduce-client-core@2.7.7 + MavenExclusions junit:junit,org.apache.avro:avro,org.apache.hadoop:hadoop-annotations,com.google.inject.extensions:guice-servlet,io.netty:netty|org.apache.hadoop:hadoop-mapreduce-client-jobclient@2.7.7 + MavenExclusions jdk.tools:jdk.tools|org.apache.hadoop:hadoop-annotations@2.7.7 + 3.4.0 + MavenExclusions javax.servlet:javax.servlet-api,commons-logging:commons-logging-api,jetty:org.eclipse.jetty,org.eclipse.jetty:jetty-server,org.eclipse.jetty:jetty-util,org.eclipse.jetty:servlet-api-2.5,com.sun.jersey:jersey-core,com.github.pjfanning:jersey-json,org.codehaus.jettison:jettison,com.sun.jersey:jersey-server,org.eclipse.jdt:core,org.apache.avro:avro-ipc,net.sf.kosmosfs:kfs,com.jcraft:jsch,org.apache.zookeeper:zookeeper,org.slf4j:slf4j-log4j12|org.apache.hadoop:hadoop-common@3.4.0 + MavenExclusions org.apache.avro:avro,org.eclipse.jetty:jetty-server,com.sun.jersey:jersey-core,com.sun.jersey:jersey-server,javax.servlet:javax.servlet-api|org.apache.hadoop:hadoop-hdfs-client@3.4.0 + MavenExclusions 
org.apache.hadoop:hadoop-annotations,com.google.inject:guice,com.sun.jersey.jersey-test-framework:jersey-test-framework-grizzly2,com.sun.jersey:jersey-server,com.sun.jersey.contribs:jersey-guice,com.google.inject.extensions:guice-servlet,org.apache.avro:avro,com.sun.jersey:jersey-core,com.github.pjfanning:jersey-json,org.codehaus.jettison:jettison,io.netty:netty|org.apache.hadoop:hadoop-yarn-api@3.4.0 + MavenExclusions org.apache.hadoop:hadoop-yarn-api,org.apache.hadoop:hadoop-yarn-common,org.apache.hadoop:hadoop-annotations,com.google.guava:guava,commons-cli:commons-cli,ch.qos.reload4j:reload4j,com.sun.jersey:jersey-core,com.sun.jersey:jersey-server,com.github.pjfanning:jersey-json,org.codehaus.jettison:jettison,com.sun.jersey:jersey-servlet,io.netty:netty,com.google.inject.extensions:guice-servlet|org.apache.hadoop:hadoop-yarn-client@3.4.0 + MavenExclusions junit:junit,com.google.inject:guice,com.sun.jersey.jersey-test-framework:jersey-test-framework-grizzly2,com.sun.jersey:jersey-server,com.sun.jersey.contribs:jersey-guice,org.apache.avro:avro,org.apache.hadoop:hadoop-annotations,com.google.inject.extensions:guice-servlet,com.github.pjfanning:jersey-json,org.codehaus.jettison:jettison,io.netty:netty|org.apache.hadoop:hadoop-mapreduce-client-core@3.4.0 + MavenExclusions junit:junit,org.apache.avro:avro,org.apache.hadoop:hadoop-annotations,com.google.inject.extensions:guice-servlet,io.netty:netty|org.apache.hadoop:hadoop-mapreduce-client-jobclient@3.4.0 + MavenExclusions jdk.tools:jdk.tools|org.apache.hadoop:hadoop-annotations@3.4.0 + org.apache.hadoop:hadoop-client-api + 3.2.4 + 3.4.0 + MavenExclusions org.osgi:org.osgi.core|org.xerial.snappy:snappy-java@1.1.10.4 + org.apache.hadoop:hadoop-client-runtime + 3.2.4 + Scope runtime|org.apache.hadoop:hadoop-client-api@3.2.4 + Scope runtime|org.apache.htrace:htrace-core4@4.1.0-incubating + Scope runtime|org.slf4j:slf4j-api@1.7.35 + Scope runtime MavenExclusions 
avalon-framework:avalon-framework,logkit:logkit,javax.servlet:javax.servlet-api|commons-logging:commons-logging@1.1.3 + Scope runtime|com.google.code.findbugs:jsr305@3.0.2 + Opt Scope runtime MavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|ch.qos.reload4j:reload4j@1.2.18.3 + 3.4.0 + Scope runtime|org.apache.hadoop:hadoop-client-api@3.4.0 + Scope runtime MavenExclusions org.osgi:org.osgi.core|org.xerial.snappy:snappy-java@1.1.10.4 + Scope runtime|org.slf4j:slf4j-api@1.7.36 + Scope runtime MavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:javax.servlet-api|commons-logging:commons-logging@1.2 + Scope runtime|com.google.code.findbugs:jsr305@3.0.2 + Opt Scope runtime MavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|ch.qos.reload4j:reload4j@1.2.22 + org.apache.hadoop:hadoop-common + 2.7.7 + org.apache.hadoop:hadoop-annotations@2.7.7 + com.google.guava:guava@11.0.2 + commons-cli:commons-cli@1.2 + org.apache.commons:commons-math3@3.1.1 + xmlenc:xmlenc@0.52 + commons-httpclient:commons-httpclient@3.1 + commons-codec:commons-codec@1.4 + commons-io:commons-io@2.4 + commons-net:commons-net@3.1 + commons-collections:commons-collections@3.2.2 + javax.servlet:servlet-api@2.5 + MavenExclusions org.mortbay.jetty:servlet-api|org.mortbay.jetty:jetty@6.1.26 + org.mortbay.jetty:jetty-util@6.1.26 + org.mortbay.jetty:jetty-sslengine@6.1.26 + Scope runtime|javax.servlet.jsp:jsp-api@2.1 + com.sun.jersey:jersey-core@1.9 + MavenExclusions stax:stax-api|com.sun.jersey:jersey-json@1.9 + com.sun.jersey:jersey-server@1.9 + MavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3 + MavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|log4j:log4j@1.2.17 + net.java.dev.jets3t:jets3t@0.9.0 + commons-lang:commons-lang@2.6 + 
commons-configuration:commons-configuration@1.6 + org.slf4j:slf4j-api@1.7.10 + Scope runtime|org.slf4j:slf4j-log4j12@1.7.10 + org.codehaus.jackson:jackson-core-asl@1.9.13 + org.codehaus.jackson:jackson-mapper-asl@1.9.13 + org.apache.avro:avro@1.7.4 + Scope provided|org.apache.ant:ant@1.8.1 + com.google.protobuf:protobuf-java@2.5.0 + com.google.code.gson:gson@2.2.4 + org.apache.hadoop:hadoop-auth@2.7.7 + com.jcraft:jsch@0.1.54 + org.apache.curator:curator-client@2.7.1 + org.apache.curator:curator-recipes@2.7.1 + com.google.code.findbugs:jsr305@3.0.0 + org.apache.htrace:htrace-core@3.1.0-incubating + MavenExclusions jline:jline,org.jboss.netty:netty,junit:junit,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|org.apache.zookeeper:zookeeper@3.4.6 + org.apache.commons:commons-compress@1.4.1 + 3.4.0 + org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_21@1.2.0 + org.apache.hadoop:hadoop-annotations@3.4.0 + org.apache.hadoop.thirdparty:hadoop-shaded-guava@1.2.0 + MavenExclusions com.google.errorprone:error_prone_annotations|com.google.guava:guava@27.0-jre + commons-cli:commons-cli@1.5.0 + org.apache.commons:commons-math3@3.6.1 + org.apache.httpcomponents:httpclient@4.5.13 + commons-codec:commons-codec@1.15 + commons-io:commons-io@2.14.0 + commons-net:commons-net@3.9.0 + commons-collections:commons-collections@3.2.2 + javax.servlet:javax.servlet-api@3.1.0 + Scope runtime|jakarta.activation:jakarta.activation-api@1.2.1 + MavenExclusions org.eclipse.jetty:javax.servlet-api|org.eclipse.jetty:jetty-server@9.4.53.v20231009 + org.eclipse.jetty:jetty-util@9.4.53.v20231009 + org.eclipse.jetty:jetty-servlet@9.4.53.v20231009 + org.eclipse.jetty:jetty-webapp@9.4.53.v20231009 + Scope runtime|javax.servlet.jsp:jsp-api@2.1 + MavenExclusions org.osgi:org.osgi.core|com.sun.jersey:jersey-core@1.19.4 + MavenExclusions javax.enterprise:cdi-api,javax.servlet:servlet-api,ch.qos.cal10n:cal10n-api|com.sun.jersey:jersey-servlet@1.19.4 + MavenExclusions 
com.fasterxml.jackson.core:jackson-core,com.fasterxml.jackson.core:jackson-databind,com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider,org.codehaus.jettison:jettison|com.github.pjfanning:jersey-json@1.20 + MavenExclusions stax:stax-api|org.codehaus.jettison:jettison@1.5.4 + com.sun.jersey:jersey-server@1.19.4 + MavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|ch.qos.reload4j:reload4j@1.2.22 + commons-beanutils:commons-beanutils@1.9.4 + MavenExclusions javax.servlet:servlet-api|org.apache.commons:commons-configuration2@2.8.0 + org.apache.commons:commons-lang3@3.12.0 + org.apache.commons:commons-text@1.10.0 + org.slf4j:slf4j-api@1.7.36 + org.slf4j:slf4j-reload4j@1.7.36 + org.apache.avro:avro@1.9.2 + com.google.re2j:re2j@1.1 + Scope provided|com.google.protobuf:protobuf-java@2.5.0 + com.google.code.gson:gson@2.9.0 + org.apache.hadoop:hadoop-auth@3.4.0 + com.jcraft:jsch@0.1.55 + MavenExclusions org.apache.zookeeper:zookeeper,com.google.guava:guava,org.slf4j:slf4j-api|org.apache.curator:curator-client@5.2.0 + MavenExclusions org.apache.zookeeper:zookeeper,com.google.guava:guava,org.slf4j:slf4j-api,log4j:log4j|org.apache.curator:curator-recipes@5.2.0 + com.google.code.findbugs:jsr305@3.0.2 + MavenExclusions org.jboss.netty:netty,junit:junit,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|org.apache.zookeeper:zookeeper@3.8.3 + io.netty:netty-handler@4.1.100.Final + io.netty:netty-transport-native-epoll@4.1.100.Final + io.dropwizard.metrics:metrics-core@3.2.4 + org.apache.commons:commons-compress@1.24.0 + org.bouncycastle:bcprov-jdk15on@1.70 + org.apache.kerby:kerb-core@2.0.3 + com.fasterxml.jackson.core:jackson-databind@2.12.7.1 + org.codehaus.woodstox:stax2-api@4.2.1 + com.fasterxml.woodstox:woodstox-core@5.4.0 + dnsjava:dnsjava@3.4.0 + Scope provided|org.wildfly.openssl:wildfly-openssl-java@1.1.3.Final + MavenExclusions org.osgi:org.osgi.core|org.xerial.snappy:snappy-java@1.1.10.4 + Scope provided|org.lz4:lz4-java@1.7.1 + 
org.apache.hadoop:hadoop-hdfs + 2.7.7 + Scope provided|org.apache.hadoop:hadoop-annotations@2.7.7 + Scope provided|org.apache.hadoop:hadoop-auth@2.7.7 + Scope provided|org.apache.hadoop:hadoop-common@2.7.7 + com.google.guava:guava@11.0.2 + MavenExclusions org.mortbay.jetty:servlet-api|org.mortbay.jetty:jetty@6.1.26 + org.mortbay.jetty:jetty-util@6.1.26 + com.sun.jersey:jersey-core@1.9 + com.sun.jersey:jersey-server@1.9 + commons-cli:commons-cli@1.2 + commons-codec:commons-codec@1.4 + commons-io:commons-io@2.4 + commons-lang:commons-lang@2.6 + MavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3 + commons-daemon:commons-daemon@1.0.13 + MavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|log4j:log4j@1.2.17 + com.google.protobuf:protobuf-java@2.5.0 + javax.servlet:servlet-api@2.5 + Scope provided|org.slf4j:slf4j-log4j12@1.7.10 + org.codehaus.jackson:jackson-core-asl@1.9.13 + org.codehaus.jackson:jackson-mapper-asl@1.9.13 + xmlenc:xmlenc@0.52 + io.netty:netty@3.6.2.Final + io.netty:netty-all@4.0.23.Final + xerces:xercesImpl@2.9.1 + org.apache.htrace:htrace-core@3.1.0-incubating + org.fusesource.leveldbjni:leveldbjni-all@1.8 + 3.4.0 + Scope provided|org.apache.hadoop:hadoop-auth@3.4.0 + Scope provided MavenExclusions org.slf4j:slf4j-reload4j|org.apache.hadoop:hadoop-common@3.4.0 + Scope provided|org.apache.hadoop:hadoop-hdfs-client@3.4.0 + Scope provided|io.dropwizard.metrics:metrics-core@3.2.4 + Scope provided MavenExclusions org.osgi:org.osgi.core|org.xerial.snappy:snappy-java@1.1.10.4 + org.apache.hadoop.thirdparty:hadoop-shaded-guava@1.2.0 + MavenExclusions org.eclipse.jetty:javax.servlet-api|org.eclipse.jetty:jetty-server@9.4.53.v20231009 + org.eclipse.jetty:jetty-util@9.4.53.v20231009 + org.eclipse.jetty:jetty-util-ajax@9.4.53.v20231009 + MavenExclusions org.osgi:org.osgi.core|com.sun.jersey:jersey-core@1.19.4 + 
com.sun.jersey:jersey-server@1.19.4 + commons-cli:commons-cli@1.5.0 + commons-codec:commons-codec@1.15 + commons-io:commons-io@2.14.0 + commons-daemon:commons-daemon@1.0.13 + MavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|ch.qos.reload4j:reload4j@1.2.22 + Scope provided|com.google.protobuf:protobuf-java@2.5.0 + javax.servlet:javax.servlet-api@3.1.0 + Scope provided MavenExclusions xml-apis:xml-apis,xerces:xercesImpl|com.google.code.findbugs:findbugs@3.0.1 + Scope provided|org.slf4j:slf4j-reload4j@1.7.36 + io.netty:netty-all@4.1.100.Final + MavenExclusions com.fasterxml.jackson.core:jackson-core|org.fusesource.leveldbjni:leveldbjni-all@1.8 + com.fasterxml.jackson.core:jackson-databind@2.12.7.1 + org.apache.hadoop:hadoop-annotations@3.4.0 + org.apache.hadoop:hadoop-hdfs-client + 3.4.0 + Scope provided MavenExclusions ch.qos.reload4j:reload4j,org.slf4j:slf4j-ext|org.apache.hadoop:hadoop-common@3.4.0 + com.fasterxml.jackson.core:jackson-annotations@2.12.7 + com.fasterxml.jackson.core:jackson-databind@2.12.7.1 + Scope provided|org.apache.hadoop:hadoop-annotations@3.4.0 + org.apache.hadoop:hadoop-main + 2.7.7 + 3.2.4 + 3.4.0 + org.apache.hadoop:hadoop-mapreduce-client + 2.7.7 + com.google.protobuf:protobuf-java@2.5.0 + MavenExclusions org.mortbay.jetty:jetty,org.apache.ant:ant,org.jboss.netty:netty,org.apache.velocity:velocity,org.slf4j:slf4j-api,com.thoughtworks.paranamer:paranamer-ant|org.apache.avro:avro@1.7.4 + Scope provided|org.apache.hadoop:hadoop-common@2.7.7 + org.slf4j:slf4j-api@1.7.10 + org.slf4j:slf4j-log4j12@1.7.10 + org.apache.hadoop:hadoop-annotations@2.7.7 + com.google.inject.extensions:guice-servlet@3.0 + io.netty:netty@3.6.2.Final + Scope provided MavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3 + Scope provided|com.google.guava:guava@11.0.2 + Scope provided|commons-codec:commons-codec@1.4 + Scope 
provided|commons-cli:commons-cli@1.2 + Scope provided|commons-lang:commons-lang@2.6 + Scope provided|commons-collections:commons-collections@3.2.2 + 3.4.0 + Scope provided|com.google.protobuf:protobuf-java@2.5.0 + MavenExclusions org.eclipse.jetty:jetty-server,org.apache.ant:ant,org.jboss.netty:netty,org.apache.velocity:velocity,org.slf4j:slf4j-api,com.thoughtworks.paranamer:paranamer-ant,org.xerial.snappy:snappy-java|org.apache.avro:avro@1.9.2 + Scope provided MavenExclusions org.slf4j:slf4j-reload4j|org.apache.hadoop:hadoop-common@3.4.0 + org.slf4j:slf4j-api@1.7.36 + org.slf4j:slf4j-reload4j@1.7.36 + org.apache.hadoop:hadoop-annotations@3.4.0 + com.google.inject.extensions:guice-servlet@4.2.3 + io.netty:netty-all@4.1.100.Final + Scope provided|org.apache.hadoop.thirdparty:hadoop-shaded-guava@1.2.0 + Scope provided|commons-codec:commons-codec@1.15 + Scope provided|commons-cli:commons-cli@1.5.0 + Scope provided|commons-collections:commons-collections@3.2.2 + org.apache.hadoop:hadoop-mapreduce-client-app + 2.7.7 + org.apache.hadoop:hadoop-mapreduce-client-common@2.7.7 + org.apache.hadoop:hadoop-yarn-server-web-proxy@2.7.7 + org.apache.hadoop:hadoop-mapreduce-client-shuffle@2.7.7 + com.google.protobuf:protobuf-java@2.5.0 + MavenExclusions org.mortbay.jetty:jetty,org.apache.ant:ant,org.jboss.netty:netty,org.apache.velocity:velocity,org.slf4j:slf4j-api,com.thoughtworks.paranamer:paranamer-ant|org.apache.avro:avro@1.7.4 + Scope provided|org.apache.hadoop:hadoop-common@2.7.7 + org.slf4j:slf4j-api@1.7.10 + org.slf4j:slf4j-log4j12@1.7.10 + org.apache.hadoop:hadoop-annotations@2.7.7 + com.google.inject.extensions:guice-servlet@3.0 + io.netty:netty@3.6.2.Final + Scope provided MavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3 + Scope provided|com.google.guava:guava@11.0.2 + Scope provided|commons-codec:commons-codec@1.4 + Scope provided|commons-cli:commons-cli@1.2 + Scope 
provided|commons-lang:commons-lang@2.6 + Scope provided|commons-collections:commons-collections@3.2.2 + org.apache.hadoop:hadoop-mapreduce-client-common + 2.7.7 + org.apache.hadoop:hadoop-yarn-common@2.7.7 + org.apache.hadoop:hadoop-yarn-client@2.7.7 + org.apache.hadoop:hadoop-mapreduce-client-core@2.7.7 + org.apache.hadoop:hadoop-yarn-server-common@2.7.7 + com.google.protobuf:protobuf-java@2.5.0 + MavenExclusions org.mortbay.jetty:jetty,org.apache.ant:ant,org.jboss.netty:netty,org.apache.velocity:velocity,org.slf4j:slf4j-api,com.thoughtworks.paranamer:paranamer-ant|org.apache.avro:avro@1.7.4 + Scope provided|org.apache.hadoop:hadoop-common@2.7.7 + org.slf4j:slf4j-api@1.7.10 + org.slf4j:slf4j-log4j12@1.7.10 + org.apache.hadoop:hadoop-annotations@2.7.7 + com.google.inject.extensions:guice-servlet@3.0 + io.netty:netty@3.6.2.Final + Scope provided MavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3 + Scope provided|com.google.guava:guava@11.0.2 + Scope provided|commons-codec:commons-codec@1.4 + Scope provided|commons-cli:commons-cli@1.2 + Scope provided|commons-lang:commons-lang@2.6 + Scope provided|commons-collections:commons-collections@3.2.2 + 3.4.0 + org.apache.hadoop:hadoop-yarn-common@3.4.0 + org.apache.hadoop:hadoop-yarn-client@3.4.0 + MavenExclusions org.slf4j:slf4j-reload4j|org.apache.hadoop:hadoop-mapreduce-client-core@3.4.0 + Scope provided|com.google.protobuf:protobuf-java@2.5.0 + MavenExclusions org.eclipse.jetty:jetty-server,org.apache.ant:ant,org.jboss.netty:netty,org.apache.velocity:velocity,org.slf4j:slf4j-api,com.thoughtworks.paranamer:paranamer-ant,org.xerial.snappy:snappy-java|org.apache.avro:avro@1.9.2 + Scope provided MavenExclusions org.slf4j:slf4j-reload4j|org.apache.hadoop:hadoop-common@3.4.0 + org.slf4j:slf4j-api@1.7.36 + org.slf4j:slf4j-reload4j@1.7.36 + org.apache.hadoop:hadoop-annotations@3.4.0 + com.google.inject.extensions:guice-servlet@4.2.3 + 
io.netty:netty-all@4.1.100.Final + Scope provided|org.apache.hadoop.thirdparty:hadoop-shaded-guava@1.2.0 + Scope provided|commons-codec:commons-codec@1.15 + Scope provided|commons-cli:commons-cli@1.5.0 + Scope provided|commons-collections:commons-collections@3.2.2 + org.apache.hadoop:hadoop-mapreduce-client-core + 2.7.7 + org.apache.hadoop:hadoop-yarn-common@2.7.7 + com.google.protobuf:protobuf-java@2.5.0 + MavenExclusions org.mortbay.jetty:jetty,org.apache.ant:ant,org.jboss.netty:netty,org.apache.velocity:velocity,org.slf4j:slf4j-api,com.thoughtworks.paranamer:paranamer-ant|org.apache.avro:avro@1.7.4 + Scope provided|org.apache.hadoop:hadoop-common@2.7.7 + org.slf4j:slf4j-api@1.7.10 + org.slf4j:slf4j-log4j12@1.7.10 + org.apache.hadoop:hadoop-annotations@2.7.7 + com.google.inject.extensions:guice-servlet@3.0 + io.netty:netty@3.6.2.Final + Scope provided MavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3 + Scope provided|com.google.guava:guava@11.0.2 + Scope provided|commons-codec:commons-codec@1.4 + Scope provided|commons-cli:commons-cli@1.2 + Scope provided|commons-lang:commons-lang@2.6 + Scope provided|commons-collections:commons-collections@3.2.2 + 3.4.0 + org.apache.hadoop:hadoop-yarn-client@3.4.0 + org.apache.hadoop:hadoop-yarn-common@3.4.0 + MavenExclusions org.json:json|org.apache.hadoop:hadoop-hdfs-client@3.4.0 + com.fasterxml.jackson.core:jackson-databind@2.12.7.1 + Scope provided|com.google.protobuf:protobuf-java@2.5.0 + MavenExclusions org.eclipse.jetty:jetty-server,org.apache.ant:ant,org.jboss.netty:netty,org.apache.velocity:velocity,org.slf4j:slf4j-api,com.thoughtworks.paranamer:paranamer-ant,org.xerial.snappy:snappy-java|org.apache.avro:avro@1.9.2 + Scope provided MavenExclusions org.slf4j:slf4j-reload4j|org.apache.hadoop:hadoop-common@3.4.0 + org.slf4j:slf4j-api@1.7.36 + org.slf4j:slf4j-reload4j@1.7.36 + org.apache.hadoop:hadoop-annotations@3.4.0 + 
com.google.inject.extensions:guice-servlet@4.2.3 + io.netty:netty-all@4.1.100.Final + Scope provided|org.apache.hadoop.thirdparty:hadoop-shaded-guava@1.2.0 + Scope provided|commons-codec:commons-codec@1.15 + Scope provided|commons-cli:commons-cli@1.5.0 + Scope provided|commons-collections:commons-collections@3.2.2 + org.apache.hadoop:hadoop-mapreduce-client-jobclient + 2.7.7 + org.apache.hadoop:hadoop-mapreduce-client-common@2.7.7 + org.apache.hadoop:hadoop-mapreduce-client-shuffle@2.7.7 + com.google.protobuf:protobuf-java@2.5.0 + MavenExclusions org.mortbay.jetty:jetty,org.apache.ant:ant,org.jboss.netty:netty,org.apache.velocity:velocity,org.slf4j:slf4j-api,com.thoughtworks.paranamer:paranamer-ant|org.apache.avro:avro@1.7.4 + Scope provided|org.apache.hadoop:hadoop-common@2.7.7 + org.slf4j:slf4j-api@1.7.10 + org.slf4j:slf4j-log4j12@1.7.10 + org.apache.hadoop:hadoop-annotations@2.7.7 + com.google.inject.extensions:guice-servlet@3.0 + io.netty:netty@3.6.2.Final + Scope provided MavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3 + Scope provided|com.google.guava:guava@11.0.2 + Scope provided|commons-codec:commons-codec@1.4 + Scope provided|commons-cli:commons-cli@1.2 + Scope provided|commons-lang:commons-lang@2.6 + Scope provided|commons-collections:commons-collections@3.2.2 + 3.4.0 + org.apache.hadoop:hadoop-mapreduce-client-common@3.4.0 + Scope provided|com.google.protobuf:protobuf-java@2.5.0 + MavenExclusions org.eclipse.jetty:jetty-server,org.apache.ant:ant,org.jboss.netty:netty,org.apache.velocity:velocity,org.slf4j:slf4j-api,com.thoughtworks.paranamer:paranamer-ant,org.xerial.snappy:snappy-java|org.apache.avro:avro@1.9.2 + Scope provided MavenExclusions org.slf4j:slf4j-reload4j|org.apache.hadoop:hadoop-common@3.4.0 + org.slf4j:slf4j-api@1.7.36 + org.slf4j:slf4j-reload4j@1.7.36 + org.apache.hadoop:hadoop-annotations@3.4.0 + com.google.inject.extensions:guice-servlet@4.2.3 + 
io.netty:netty-all@4.1.100.Final + Scope provided|org.apache.hadoop.thirdparty:hadoop-shaded-guava@1.2.0 + Scope provided|commons-codec:commons-codec@1.15 + Scope provided|commons-cli:commons-cli@1.5.0 + Scope provided|commons-collections:commons-collections@3.2.2 + org.apache.hadoop:hadoop-mapreduce-client-shuffle + 2.7.7 + org.apache.hadoop:hadoop-yarn-server-common@2.7.7 + org.apache.hadoop:hadoop-yarn-server-nodemanager@2.7.7 + org.apache.hadoop:hadoop-mapreduce-client-common@2.7.7 + org.fusesource.leveldbjni:leveldbjni-all@1.8 + com.google.protobuf:protobuf-java@2.5.0 + MavenExclusions org.mortbay.jetty:jetty,org.apache.ant:ant,org.jboss.netty:netty,org.apache.velocity:velocity,org.slf4j:slf4j-api,com.thoughtworks.paranamer:paranamer-ant|org.apache.avro:avro@1.7.4 + Scope provided|org.apache.hadoop:hadoop-common@2.7.7 + org.slf4j:slf4j-api@1.7.10 + org.slf4j:slf4j-log4j12@1.7.10 + org.apache.hadoop:hadoop-annotations@2.7.7 + com.google.inject.extensions:guice-servlet@3.0 + io.netty:netty@3.6.2.Final + Scope provided MavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3 + Scope provided|com.google.guava:guava@11.0.2 + Scope provided|commons-codec:commons-codec@1.4 + Scope provided|commons-cli:commons-cli@1.2 + Scope provided|commons-lang:commons-lang@2.6 + Scope provided|commons-collections:commons-collections@3.2.2 + org.apache.hadoop:hadoop-project + 2.7.7 + 3.2.4 + 3.4.0 + org.apache.hadoop:hadoop-project-dist + 2.7.7 + Scope provided|org.apache.hadoop:hadoop-annotations@2.7.7 + 3.4.0 + Scope provided|org.apache.hadoop:hadoop-annotations@3.4.0 + org.apache.hadoop:hadoop-registry + 3.4.0 + org.slf4j:slf4j-api@1.7.36 + org.apache.hadoop:hadoop-auth@3.4.0 + org.apache.hadoop:hadoop-annotations@3.4.0 + MavenExclusions org.slf4j:slf4j-reload4j|org.apache.hadoop:hadoop-common@3.4.0 + MavenExclusions 
junit:junit,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,org.jboss.netty:netty,jline:jline,commons-cli:commons-cli,io.netty:*,commons-io:commons-io,commons-collections:commons-collections,org.apache.kerby:kerb-core,org.apache.kerby:kerb-simplekdc,org.apache.kerby:kerby-config,log4j:log4j,org.slf4j:slf4j-api,org.slf4j:slf4j-log4j12,org.slf4j:slf4j-reload4j,org.eclipse.jetty:jetty-client,ch.qos.logback:logback-core,ch.qos.logback:logback-classic|org.apache.zookeeper:zookeeper@3.8.3 + MavenExclusions org.apache.zookeeper:zookeeper,com.google.guava:guava,org.slf4j:slf4j-api|org.apache.curator:curator-client@5.2.0 + MavenExclusions org.apache.zookeeper:zookeeper,com.google.guava:guava,org.slf4j:slf4j-api|org.apache.curator:curator-framework@5.2.0 + MavenExclusions org.apache.zookeeper:zookeeper,com.google.guava:guava,org.slf4j:slf4j-api,log4j:log4j|org.apache.curator:curator-recipes@5.2.0 + commons-cli:commons-cli@1.5.0 + commons-daemon:commons-daemon@1.0.13 + commons-io:commons-io@2.14.0 + commons-net:commons-net@3.9.0 + com.fasterxml.jackson.core:jackson-annotations@2.12.7 + com.fasterxml.jackson.core:jackson-core@2.12.7 + com.fasterxml.jackson.core:jackson-databind@2.12.7.1 + org.apache.hadoop.thirdparty:hadoop-shaded-guava@1.2.0 + dnsjava:dnsjava@3.4.0 + io.dropwizard.metrics:metrics-core@3.2.4 + Scope provided MavenExclusions org.osgi:org.osgi.core|org.xerial.snappy:snappy-java@1.1.10.4 + org.apache.hadoop:hadoop-yarn + 2.7.7 + 3.4.0 + org.apache.hadoop:hadoop-yarn-api + 2.7.7 + commons-lang:commons-lang@2.6 + com.google.guava:guava@11.0.2 + MavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3 + Scope provided|org.apache.hadoop:hadoop-common@2.7.7 + org.apache.hadoop:hadoop-annotations@2.7.7 + com.google.protobuf:protobuf-java@2.5.0 + 3.4.0 + org.apache.hadoop.thirdparty:hadoop-shaded-guava@1.2.0 + javax.xml.bind:jaxb-api@2.2.11 + Scope provided MavenExclusions 
org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_21|org.apache.hadoop:hadoop-common@3.4.0 + org.apache.hadoop:hadoop-annotations@3.4.0 + com.google.protobuf:protobuf-java@2.5.0 + org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_21@1.2.0 + com.fasterxml.jackson.core:jackson-annotations@2.12.7 + org.apache.hadoop:hadoop-yarn-client + 2.7.7 + Scope provided|org.apache.hadoop:hadoop-common@2.7.7 + com.google.guava:guava@11.0.2 + MavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3 + commons-lang:commons-lang@2.6 + commons-cli:commons-cli@1.2 + MavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|log4j:log4j@1.2.17 + org.apache.hadoop:hadoop-annotations@2.7.7 + org.apache.hadoop:hadoop-yarn-api@2.7.7 + org.apache.hadoop:hadoop-yarn-common@2.7.7 + 3.4.0 + Scope provided MavenExclusions org.slf4j:slf4j-reload4j|org.apache.hadoop:hadoop-common@3.4.0 + org.apache.hadoop.thirdparty:hadoop-shaded-guava@1.2.0 + commons-cli:commons-cli@1.5.0 + MavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|ch.qos.reload4j:reload4j@1.2.22 + org.eclipse.jetty.websocket:websocket-client@9.4.53.v20231009 + org.apache.hadoop:hadoop-annotations@3.4.0 + Scope provided|io.dropwizard.metrics:metrics-core@3.2.4 + Scope provided MavenExclusions org.osgi:org.osgi.core|org.xerial.snappy:snappy-java@1.1.10.4 + org.apache.hadoop:hadoop-yarn-api@3.4.0 + org.apache.hadoop:hadoop-yarn-common@3.4.0 + org.jline:jline@3.9.0 + org.apache.hadoop:hadoop-yarn-common + 2.7.7 + Scope provided|org.apache.hadoop:hadoop-common@2.7.7 + org.apache.hadoop:hadoop-yarn-api@2.7.7 + javax.xml.bind:jaxb-api@2.2.2 + org.apache.commons:commons-compress@1.4.1 + commons-lang:commons-lang@2.6 + javax.servlet:servlet-api@2.5 + commons-codec:commons-codec@1.4 + org.mortbay.jetty:jetty-util@6.1.26 + com.sun.jersey:jersey-core@1.9 + 
com.sun.jersey:jersey-client@1.9 + org.codehaus.jackson:jackson-core-asl@1.9.13 + org.codehaus.jackson:jackson-mapper-asl@1.9.13 + org.codehaus.jackson:jackson-jaxrs@1.9.13 + org.codehaus.jackson:jackson-xc@1.9.13 + com.google.guava:guava@11.0.2 + MavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3 + commons-cli:commons-cli@1.2 + org.slf4j:slf4j-api@1.7.10 + org.apache.hadoop:hadoop-annotations@2.7.7 + com.google.inject.extensions:guice-servlet@3.0 + com.google.protobuf:protobuf-java@2.5.0 + commons-io:commons-io@2.4 + com.google.inject:guice@3.0 + com.sun.jersey:jersey-server@1.9 + MavenExclusions stax:stax-api|com.sun.jersey:jersey-json@1.9 + com.sun.jersey.contribs:jersey-guice@1.9 + MavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|log4j:log4j@1.2.17 + 3.4.0 + Scope provided MavenExclusions org.slf4j:slf4j-reload4j|org.apache.hadoop:hadoop-common@3.4.0 + org.apache.hadoop:hadoop-hdfs-client@3.4.0 + org.apache.hadoop:hadoop-yarn-api@3.4.0 + org.apache.hadoop:hadoop-auth@3.4.0 + javax.xml.bind:jaxb-api@2.2.11 + org.apache.commons:commons-compress@1.24.0 + javax.servlet:javax.servlet-api@3.1.0 + commons-codec:commons-codec@1.15 + org.eclipse.jetty:jetty-util@9.4.53.v20231009 + MavenExclusions org.osgi:org.osgi.core|com.sun.jersey:jersey-core@1.19.4 + com.sun.jersey:jersey-client@1.19.4 + org.apache.hadoop.thirdparty:hadoop-shaded-guava@1.2.0 + commons-cli:commons-cli@1.5.0 + org.slf4j:slf4j-api@1.7.36 + org.apache.hadoop:hadoop-annotations@3.4.0 + com.google.inject.extensions:guice-servlet@4.2.3 + Scope provided|com.google.protobuf:protobuf-java@2.5.0 + commons-io:commons-io@2.14.0 + com.google.inject:guice@4.2.3 + com.sun.jersey:jersey-server@1.19.4 + MavenExclusions 
com.fasterxml.jackson.core:jackson-core,com.fasterxml.jackson.core:jackson-databind,com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider,org.codehaus.jettison:jettison|com.github.pjfanning:jersey-json@1.20 + com.sun.jersey.contribs:jersey-guice@1.19.4 + MavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|ch.qos.reload4j:reload4j@1.2.22 + com.fasterxml.jackson.core:jackson-core@2.12.7 + com.fasterxml.jackson.core:jackson-databind@2.12.7.1 + com.fasterxml.jackson.module:jackson-module-jaxb-annotations@2.12.7 + com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider@2.12.7 + org.apache.hadoop:hadoop-yarn-server + 2.7.7 + 3.4.0 + org.apache.hadoop:hadoop-yarn-server-applicationhistoryservice + 3.4.0 + javax.servlet:javax.servlet-api@3.1.0 + Scope provided MavenExclusions org.slf4j:slf4j-reload4j|org.apache.hadoop:hadoop-common@3.4.0 + org.apache.hadoop:hadoop-annotations@3.4.0 + com.google.inject.extensions:guice-servlet@4.2.3 + com.google.protobuf:protobuf-java@2.5.0 + com.google.inject:guice@4.2.3 + MavenExclusions org.osgi:org.osgi.core|com.sun.jersey:jersey-core@1.19.4 + com.sun.jersey:jersey-client@1.19.4 + MavenExclusions com.fasterxml.jackson.core:jackson-core,com.fasterxml.jackson.core:jackson-databind,com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider,org.codehaus.jettison:jettison|com.github.pjfanning:jersey-json@1.20 + com.sun.jersey.contribs:jersey-guice@1.19.4 + org.apache.hadoop:hadoop-yarn-common@3.4.0 + org.apache.hadoop:hadoop-yarn-api@3.4.0 + javax.xml.bind:jaxb-api@2.2.11 + MavenExclusions stax:stax-api|org.codehaus.jettison:jettison@1.5.4 + org.apache.hadoop.thirdparty:hadoop-shaded-guava@1.2.0 + org.apache.hadoop:hadoop-yarn-server-common@3.4.0 + commons-collections:commons-collections@3.2.2 + MavenExclusions com.fasterxml.jackson.core:jackson-core|org.fusesource.leveldbjni:leveldbjni-all@1.8 + MavenExclusions org.javassist:javassist,com.cedarsoftware:java-util|de.ruedigermoeller:fst@2.50 + 
org.apache.hadoop:hadoop-yarn-server-common + 2.7.7 + Scope provided|org.apache.hadoop:hadoop-common@2.7.7 + org.apache.hadoop:hadoop-yarn-api@2.7.7 + org.apache.hadoop:hadoop-yarn-common@2.7.7 + com.google.guava:guava@11.0.2 + MavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3 + org.apache.hadoop:hadoop-annotations@2.7.7 + com.google.protobuf:protobuf-java@2.5.0 + MavenExclusions jline:jline|org.apache.zookeeper:zookeeper@3.4.6 + org.fusesource.leveldbjni:leveldbjni-all@1.8 + 3.4.0 + Scope provided MavenExclusions org.slf4j:slf4j-reload4j|org.apache.hadoop:hadoop-common@3.4.0 + org.apache.hadoop:hadoop-yarn-api@3.4.0 + org.apache.hadoop:hadoop-yarn-common@3.4.0 + org.apache.hadoop:hadoop-registry@3.4.0 + org.apache.hadoop.thirdparty:hadoop-shaded-guava@1.2.0 + org.apache.hadoop:hadoop-annotations@3.4.0 + Scope provided|com.google.protobuf:protobuf-java@2.5.0 + MavenExclusions junit:junit,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,org.jboss.netty:netty,jline:jline,commons-cli:commons-cli,io.netty:*,commons-io:commons-io,commons-collections:commons-collections,org.apache.kerby:kerb-core,org.apache.kerby:kerb-simplekdc,org.apache.kerby:kerby-config,log4j:log4j,org.slf4j:slf4j-api,org.slf4j:slf4j-log4j12,org.slf4j:slf4j-reload4j,org.eclipse.jetty:jetty-client,ch.qos.logback:logback-core,ch.qos.logback:logback-classic|org.apache.zookeeper:zookeeper@3.8.3 + io.dropwizard.metrics:metrics-core@3.2.4 + Scope provided MavenExclusions org.osgi:org.osgi.core|org.xerial.snappy:snappy-java@1.1.10.4 + MavenExclusions com.fasterxml.jackson.core:jackson-core|org.fusesource.leveldbjni:leveldbjni-all@1.8 + MavenExclusions org.osgi:org.osgi.core|org.apache.geronimo.specs:geronimo-jcache_1.0_spec@1.0-alpha-1 + MavenExclusions org.slf4j:slf4j-api|org.ehcache:ehcache@3.3.1 + MavenExclusions org.slf4j:slf4j-api|com.zaxxer:HikariCP@4.0.3 + Scope runtime MavenExclusions 
com.microsoft.azure:azure-keyvault|com.microsoft.sqlserver:mssql-jdbc@6.2.1.jre7 + org.apache.hadoop:hadoop-yarn-server-nodemanager + 3.4.0 + Scope provided MavenExclusions org.slf4j:slf4j-reload4j|org.apache.hadoop:hadoop-common@3.4.0 + org.apache.hadoop:hadoop-yarn-common@3.4.0 + org.apache.hadoop:hadoop-yarn-api@3.4.0 + org.apache.hadoop:hadoop-registry@3.4.0 + javax.xml.bind:jaxb-api@2.2.11 + MavenExclusions stax:stax-api|org.codehaus.jettison:jettison@1.5.4 + javax.servlet:javax.servlet-api@3.1.0 + commons-codec:commons-codec@1.15 + MavenExclusions org.osgi:org.osgi.core|com.sun.jersey:jersey-core@1.19.4 + com.sun.jersey:jersey-client@1.19.4 + org.eclipse.jetty:jetty-util@9.4.53.v20231009 + MavenExclusions org.ow2.asm:asm,org.eclipse.jetty:jetty-webapp|org.eclipse.jetty.websocket:javax-websocket-server-impl@9.4.53.v20231009 + org.apache.hadoop.thirdparty:hadoop-shaded-guava@1.2.0 + org.slf4j:slf4j-api@1.7.36 + org.apache.hadoop:hadoop-annotations@3.4.0 + com.google.inject.extensions:guice-servlet@4.2.3 + com.google.protobuf:protobuf-java@2.5.0 + io.dropwizard.metrics:metrics-core@3.2.4 + com.google.inject:guice@4.2.3 + MavenExclusions com.fasterxml.jackson.core:jackson-core,com.fasterxml.jackson.core:jackson-databind,com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider,org.codehaus.jettison:jettison|com.github.pjfanning:jersey-json@1.20 + com.sun.jersey.contribs:jersey-guice@1.19.4 + org.apache.hadoop:hadoop-yarn-server-common@3.4.0 + MavenExclusions com.fasterxml.jackson.core:jackson-core|org.fusesource.leveldbjni:leveldbjni-all@1.8 + net.java.dev.jna:jna@5.2.0 + org.apache.hadoop:hadoop-yarn-server-resourcemanager + 3.4.0 + javax.servlet:javax.servlet-api@3.1.0 + Scope provided MavenExclusions org.slf4j:slf4j-reload4j|org.apache.hadoop:hadoop-common@3.4.0 + org.slf4j:slf4j-api@1.7.36 + org.apache.hadoop:hadoop-annotations@3.4.0 + com.google.inject.extensions:guice-servlet@4.2.3 + Scope provided|com.google.protobuf:protobuf-java@2.5.0 + 
commons-io:commons-io@2.14.0 + com.google.inject:guice@4.2.3 + MavenExclusions com.fasterxml.jackson.core:jackson-core,com.fasterxml.jackson.core:jackson-databind,com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider,org.codehaus.jettison:jettison|com.github.pjfanning:jersey-json@1.20 + com.sun.jersey.contribs:jersey-guice@1.19.4 + org.apache.hadoop:hadoop-yarn-common@3.4.0 + org.apache.hadoop:hadoop-yarn-api@3.4.0 + javax.xml.bind:jaxb-api@2.2.11 + MavenExclusions stax:stax-api|org.codehaus.jettison:jettison@1.5.4 + MavenExclusions org.osgi:org.osgi.core|com.sun.jersey:jersey-core@1.19.4 + com.sun.jersey:jersey-client@1.19.4 + org.eclipse.jetty:jetty-util@9.4.53.v20231009 + org.eclipse.jetty:jetty-util-ajax@9.4.53.v20231009 + org.apache.hadoop.thirdparty:hadoop-shaded-guava@1.2.0 + MavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|ch.qos.reload4j:reload4j@1.2.22 + org.apache.hadoop:hadoop-yarn-server-common@3.4.0 + org.apache.hadoop:hadoop-yarn-server-applicationhistoryservice@3.4.0 + Scope provided|org.apache.hadoop:hadoop-yarn-server-timelineservice@3.4.0 + org.apache.hadoop:hadoop-yarn-server-web-proxy@3.4.0 + MavenExclusions org.apache.zookeeper:zookeeper,com.google.guava:guava,org.slf4j:slf4j-api|org.apache.curator:curator-client@5.2.0 + MavenExclusions junit:junit,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,org.jboss.netty:netty,jline:jline,commons-cli:commons-cli,io.netty:*,commons-io:commons-io,commons-collections:commons-collections,org.apache.kerby:kerb-core,org.apache.kerby:kerb-simplekdc,org.apache.kerby:kerby-config,log4j:log4j,org.slf4j:slf4j-api,org.slf4j:slf4j-log4j12,org.slf4j:slf4j-reload4j,org.eclipse.jetty:jetty-client,ch.qos.logback:logback-core,ch.qos.logback:logback-classic|org.apache.zookeeper:zookeeper@3.8.3 + io.dropwizard.metrics:metrics-core@3.2.4 + Scope provided MavenExclusions org.osgi:org.osgi.core|org.xerial.snappy:snappy-java@1.1.10.4 + MavenExclusions 
com.fasterxml.jackson.core:jackson-core|org.fusesource.leveldbjni:leveldbjni-all@1.8 + MavenExclusions joda-time:joda-time,com.google.code.findbugs:jsr305,com.fasterxml.jackson.core:*,com.fasterxml.jackson.dataformat:*,org.codehaus.jackson:*,com.google.code.gson:gson,com.google.code.findbugs:annotations,org.scala-lang:scala-library,org.jsonschema2pojo:jsonschema2pojo-scalagen,com.google.code.javaparser:javaparser,javax.validation:validation-api|org.jsonschema2pojo:jsonschema2pojo-core@1.0.2 + com.fasterxml.jackson.core:jackson-databind@2.12.7.1 + org.apache.hadoop:hadoop-yarn-server-tests + 3.4.0 + Scope provided MavenExclusions org.slf4j:slf4j-reload4j|org.apache.hadoop:hadoop-common@3.4.0 + org.apache.hadoop:hadoop-annotations@3.4.0 + org.apache.hadoop:hadoop-yarn-server-common@3.4.0 + org.apache.hadoop:hadoop-yarn-server-nodemanager@3.4.0 + org.apache.hadoop:hadoop-yarn-server-resourcemanager@3.4.0 + org.apache.hadoop:hadoop-yarn-server-timelineservice@3.4.0 + org.apache.hadoop:hadoop-yarn-common@3.4.0 + org.apache.hadoop:hadoop-yarn-api@3.4.0 + org.apache.hadoop.thirdparty:hadoop-shaded-guava@1.2.0 + org.apache.hadoop:hadoop-yarn-server-timelineservice + 3.4.0 + Scope provided MavenExclusions org.slf4j:slf4j-reload4j|org.apache.hadoop:hadoop-common@3.4.0 + org.apache.hadoop:hadoop-annotations@3.4.0 + org.apache.hadoop:hadoop-yarn-api@3.4.0 + org.apache.hadoop:hadoop-yarn-common@3.4.0 + org.apache.hadoop:hadoop-yarn-server-common@3.4.0 + org.apache.hadoop:hadoop-yarn-server-applicationhistoryservice@3.4.0 + org.apache.hadoop.thirdparty:hadoop-shaded-guava@1.2.0 + com.google.inject:guice@4.2.3 + commons-io:commons-io@2.14.0 + javax.servlet:javax.servlet-api@3.1.0 + javax.xml.bind:jaxb-api@2.2.11 + com.fasterxml.jackson.core:jackson-core@2.12.7 + com.fasterxml.jackson.core:jackson-databind@2.12.7.1 + com.sun.jersey:jersey-client@1.19.4 + org.apache.commons:commons-csv@1.9.0 + javax.ws.rs:jsr311-api@1.1.1 + org.apache.hadoop:hadoop-yarn-server-web-proxy + 3.4.0 + 
javax.servlet:javax.servlet-api@3.1.0 + Scope provided MavenExclusions org.slf4j:slf4j-reload4j|org.apache.hadoop:hadoop-common@3.4.0 + Scope provided|org.apache.hadoop:hadoop-minikdc@3.4.0 + org.apache.hadoop:hadoop-yarn-server-common@3.4.0 + org.apache.hadoop:hadoop-yarn-common@3.4.0 + org.apache.hadoop:hadoop-yarn-api@3.4.0 + org.apache.hadoop.thirdparty:hadoop-shaded-guava@1.2.0 + MavenExclusions org.eclipse.jetty:javax.servlet-api|org.eclipse.jetty:jetty-server@9.4.53.v20231009 + org.bouncycastle:bcprov-jdk15on@1.70 + org.bouncycastle:bcpkix-jdk15on@1.70 + org.apache.htrace:htrace + 3.1.0-incubating + 4.1.0-incubating + org.apache.htrace:htrace-core + 3.1.0-incubating + org.apache.htrace:htrace-core4 + 4.1.0-incubating + org.apache.httpcomponents:httpasyncclient + 4.0.2 + org.apache.httpcomponents:httpcore@4.3.2 + org.apache.httpcomponents:httpcore-nio@4.3.2 + org.apache.httpcomponents:httpclient@4.3.5 + commons-logging:commons-logging@1.1.3 + 4.1.5 + org.apache.httpcomponents:httpcore@4.4.15 + org.apache.httpcomponents:httpcore-nio@4.4.15 + org.apache.httpcomponents:httpclient@4.5.13 + commons-logging:commons-logging@1.2 + org.apache.httpcomponents:httpclient + 4.4.1 + org.apache.httpcomponents:httpcore@4.4.1 + commons-logging:commons-logging@1.2 + commons-codec:commons-codec@1.9 + 4.5.1 + org.apache.httpcomponents:httpcore@4.4.3 + commons-logging:commons-logging@1.2 + commons-codec:commons-codec@1.9 + 4.5.9 + org.apache.httpcomponents:httpcore@4.4.11 + commons-logging:commons-logging@1.2 + commons-codec:commons-codec@1.11 + 4.5.13 + org.apache.httpcomponents:httpcore@4.4.13 + commons-logging:commons-logging@1.2 + commons-codec:commons-codec@1.11 + org.apache.httpcomponents:httpcomponents-asyncclient + 4.0.2 + 4.1.5 + org.apache.httpcomponents:httpcomponents-client + 4.4.1 + 4.5 + 4.5.1 + 4.5.9 + 4.5.11 + 4.5.13 + org.apache.httpcomponents:httpcomponents-core + 4.3.2 + 4.4.1 + 4.4.9 + 4.4.11 + 4.4.13 + 4.4.15 + org.apache.httpcomponents:httpcomponents-parent 
+ 9 + 11 + org.apache.httpcomponents:httpcore + 4.4.1 + 4.4.9 + 4.4.11 + 4.4.13 + 4.4.15 + org.apache.httpcomponents:httpcore-nio + 4.3.2 + org.apache.httpcomponents:httpcore@4.3.2 + 4.4.15 + org.apache.httpcomponents:httpcore@4.4.15 + org.apache.httpcomponents:httpmime + 4.5 + org.apache.httpcomponents:httpclient@4.5 + 4.5.11 + org.apache.httpcomponents:httpclient@4.5.11 + org.apache.httpcomponents:project + 7 + org.apache.jackrabbit:jackrabbit-jcr-commons + 1.5.2 + Scope provided|javax.jcr:jcr@1.0 + 1.6.5 + Scope provided|javax.jcr:jcr@1.0 + org.apache.jackrabbit:jackrabbit-parent + 1.5.0 + 1.6.5 + org.apache.jackrabbit:jackrabbit-webdav + 1.5.2 + org.apache.jackrabbit:jackrabbit-jcr-commons@1.5.2 + org.slf4j:slf4j-api@1.5.3 + Scope provided|javax.servlet:servlet-api@2.3 + MavenExclusions junit:junit|commons-httpclient:commons-httpclient@3.0 + 1.6.5 + org.apache.jackrabbit:jackrabbit-jcr-commons@1.6.5 + org.slf4j:slf4j-api@1.5.3 + Scope provided|javax.servlet:servlet-api@2.3 + MavenExclusions junit:junit|commons-httpclient:commons-httpclient@3.0 + org.apache.jackrabbit:parent + 5 + org.apache.kerby:kerb-admin + 2.0.3 + org.apache.kerby:kerb-server@2.0.3 + org.apache.kerby:kerb-util@2.0.3 + org.apache.kerby:kerby-xdr@2.0.3 + org.jline:jline@3.22.0 + com.jcraft:jsch@0.1.55 + org.jboss.xnio:xnio-api@3.8.8.Final + org.apache.kerby:kerb-client + 2.0.3 + org.apache.kerby:kerby-config@2.0.3 + org.apache.kerby:kerb-core@2.0.3 + org.apache.kerby:kerb-common@2.0.3 + org.apache.kerby:kerb-util@2.0.3 + org.apache.kerby:token-provider@2.0.3 + org.apache.kerby:kerb-common + 2.0.3 + org.apache.kerby:kerby-config@2.0.3 + org.apache.kerby:kerb-crypto@2.0.3 + commons-io:commons-io@2.11.0 + org.apache.kerby:kerb-core + 2.0.3 + org.apache.kerby:kerby-pkix@2.0.3 + org.apache.kerby:kerb-crypto + 2.0.3 + org.apache.kerby:kerby-util@2.0.3 + org.apache.kerby:kerb-core@2.0.3 + org.apache.kerby:kerb-identity + 2.0.3 + org.apache.kerby:kerby-config@2.0.3 + org.apache.kerby:kerb-common@2.0.3 
+ org.apache.kerby:kerb-core@2.0.3 + org.apache.kerby:kerb-server + 2.0.3 + org.apache.kerby:kerb-common@2.0.3 + org.apache.kerby:kerb-identity@2.0.3 + org.apache.kerby:kerb-simplekdc + 2.0.3 + org.apache.kerby:kerb-client@2.0.3 + org.apache.kerby:kerb-admin@2.0.3 + org.apache.kerby:kerb-util + 2.0.3 + org.apache.kerby:kerby-config@2.0.3 + org.apache.kerby:kerb-core@2.0.3 + org.apache.kerby:kerb-crypto@2.0.3 + org.apache.kerby:kerby-all + 2.0.3 + org.apache.kerby:kerby-asn1 + 2.0.3 + org.apache.kerby:kerby-common + 2.0.3 + org.apache.kerby:kerby-config + 2.0.3 + org.slf4j:slf4j-api@1.7.36 + org.apache.kerby:kerby-kerb + 2.0.3 + org.apache.kerby:kerby-pkix + 2.0.3 + org.apache.kerby:kerby-asn1@2.0.3 + org.apache.kerby:kerby-util@2.0.3 + org.slf4j:slf4j-api@1.7.36 + org.apache.kerby:kerby-provider + 2.0.3 + org.apache.kerby:kerby-util + 2.0.3 + org.apache.kerby:kerby-xdr + 2.0.3 + org.apache.kerby:token-provider + 2.0.3 + org.apache.kerby:kerb-core@2.0.3 + com.nimbusds:nimbus-jose-jwt@9.30.1 + org.apache.lucene:lucene-analyzers-common + 5.3.1 + org.apache.lucene:lucene-core@5.3.1 + 8.7.0 + org.apache.lucene:lucene-core@8.7.0 + org.apache.lucene:lucene-core + 5.3.1 + 8.7.0 + org.apache.lucene:lucene-highlighter + 5.3.1 + MavenExclusions org.apache.lucene:lucene-core|org.apache.lucene:lucene-analyzers-common@5.3.1 + org.apache.lucene:lucene-core@5.3.1 + MavenExclusions org.apache.lucene:lucene-core,org.apache.lucene:lucene-grouping|org.apache.lucene:lucene-join@5.3.1 + MavenExclusions org.apache.lucene:lucene-core|org.apache.lucene:lucene-memory@5.3.1 + MavenExclusions org.apache.lucene:lucene-core|org.apache.lucene:lucene-queries@5.3.1 + 8.7.0 + org.apache.lucene:lucene-core@8.7.0 + MavenExclusions org.apache.lucene:lucene-core|org.apache.lucene:lucene-memory@8.7.0 + MavenExclusions org.apache.lucene:lucene-core|org.apache.lucene:lucene-queries@8.7.0 + org.apache.lucene:lucene-join + 5.3.1 + org.apache.lucene:lucene-core@5.3.1 + MavenExclusions 
org.apache.lucene:lucene-core,org.apache.lucene:lucene-queries|org.apache.lucene:lucene-grouping@5.3.1 + org.apache.lucene:lucene-memory + 5.3.1 + org.apache.lucene:lucene-core@5.3.1 + 8.7.0 + org.apache.lucene:lucene-core@8.7.0 + org.apache.lucene:lucene-parent + 5.3.1 + 8.7.0 + org.apache.lucene:lucene-queries + 5.3.1 + org.apache.lucene:lucene-core@5.3.1 + 8.7.0 + org.apache.lucene:lucene-core@8.7.0 + org.apache.lucene:lucene-queryparser + 5.3.1 + org.apache.lucene:lucene-core@5.3.1 + MavenExclusions org.apache.lucene:lucene-core|org.apache.lucene:lucene-queries@5.3.1 + MavenExclusions org.apache.lucene:lucene-core,jakarta-regexp:jakarta-regexp|org.apache.lucene:lucene-sandbox@5.3.1 + 8.7.0 + org.apache.lucene:lucene-core@8.7.0 + MavenExclusions org.apache.lucene:lucene-core|org.apache.lucene:lucene-queries@8.7.0 + MavenExclusions org.apache.lucene:lucene-core|org.apache.lucene:lucene-sandbox@8.7.0 + org.apache.lucene:lucene-sandbox + 5.3.1 + org.apache.lucene:lucene-core@5.3.1 + jakarta-regexp:jakarta-regexp@1.4 + 8.7.0 + org.apache.lucene:lucene-core@8.7.0 + org.apache.lucene:lucene-solr-grandparent + 5.3.1 + 8.7.0 + org.apache.maven.plugin-tools:maven-plugin-annotations + 3.2 + org.apache.maven:maven-artifact@3.0 + 4.0.0-beta-1 + org.apache.maven.plugin-tools:maven-plugin-tools + 3.2 + org.apache.maven.resolver:maven-resolver + 1.4.1 + org.apache.maven.resolver:maven-resolver-api + 1.4.1 + org.apache.maven.resolver:maven-resolver-connector-basic + 1.4.1 + org.apache.maven.resolver:maven-resolver-api@1.4.1 + org.apache.maven.resolver:maven-resolver-spi@1.4.1 + org.apache.maven.resolver:maven-resolver-util@1.4.1 + Opt Scope provided|javax.inject:javax.inject@1 + org.slf4j:slf4j-api@1.7.25 + org.apache.maven.resolver:maven-resolver-impl + 1.4.1 + org.apache.maven.resolver:maven-resolver-api@1.4.1 + org.apache.maven.resolver:maven-resolver-spi@1.4.1 + org.apache.maven.resolver:maven-resolver-util@1.4.1 + Opt Scope provided|javax.inject:javax.inject@1 + Opt Scope 
provided|org.eclipse.sisu:org.eclipse.sisu.inject@0.3.3 + Opt Scope provided MavenClassifier no_aop MavenExclusions aopalliance:aopalliance,com.google.code.findbugs:jsr305|org.sonatype.sisu:sisu-guice@3.2.6 + org.slf4j:slf4j-api@1.7.25 + org.apache.maven.resolver:maven-resolver-spi + 1.4.1 + org.apache.maven.resolver:maven-resolver-api@1.4.1 + org.apache.maven.resolver:maven-resolver-transport-file + 1.4.1 + org.apache.maven.resolver:maven-resolver-api@1.4.1 + org.apache.maven.resolver:maven-resolver-spi@1.4.1 + Opt Scope provided|javax.inject:javax.inject@1 + org.slf4j:slf4j-api@1.7.25 + org.apache.maven.resolver:maven-resolver-transport-http + 1.4.1 + org.apache.maven.resolver:maven-resolver-api@1.4.1 + org.apache.maven.resolver:maven-resolver-spi@1.4.1 + org.apache.maven.resolver:maven-resolver-util@1.4.1 + MavenExclusions commons-logging:commons-logging|org.apache.httpcomponents:httpclient@4.5.6 + org.apache.httpcomponents:httpcore@4.4.10 + Scope runtime|org.slf4j:jcl-over-slf4j@1.7.25 + Opt Scope provided|javax.inject:javax.inject@1 + org.slf4j:slf4j-api@1.7.25 + org.apache.maven.resolver:maven-resolver-util + 1.4.1 + org.apache.maven.resolver:maven-resolver-api@1.4.1 + org.apache.maven.wagon:wagon + 2.7 + org.apache.maven.wagon:wagon-http + 2.7 + org.apache.maven.wagon:wagon-http-shared@2.7 + org.apache.httpcomponents:httpclient@4.3.5 + commons-logging:commons-logging@1.1.3 + org.apache.httpcomponents:httpcore@4.3.2 + org.apache.maven.wagon:wagon-provider-api@2.7 + org.apache.maven.wagon:wagon-http-lightweight + 2.7 + org.apache.maven.wagon:wagon-http-shared@2.7 + org.apache.maven.wagon:wagon-provider-api@2.7 + org.apache.maven.wagon:wagon-http-shared + 2.7 + org.jsoup:jsoup@1.7.2 + commons-lang:commons-lang@2.6 + commons-io:commons-io@2.2 + org.apache.maven.wagon:wagon-provider-api@2.7 + org.apache.maven.wagon:wagon-provider-api + 2.7 + org.codehaus.plexus:plexus-utils@3.0.15 + org.apache.maven.wagon:wagon-providers + 2.7 + 
org.apache.maven.wagon:wagon-provider-api@2.7 + org.apache.maven:maven + 3.0 + 3.0.3 + 3.6.3 + org.apache.maven:maven-aether-provider + 3.0.3 + org.apache.maven:maven-model@3.0.3 + org.apache.maven:maven-model-builder@3.0.3 + org.apache.maven:maven-repository-metadata@3.0.3 + org.sonatype.aether:aether-api@1.11 + org.sonatype.aether:aether-spi@1.11 + org.sonatype.aether:aether-util@1.11 + org.sonatype.aether:aether-impl@1.11 + MavenExclusions junit:junit|org.codehaus.plexus:plexus-component-annotations@1.5.5 + org.codehaus.plexus:plexus-utils@2.0.6 + org.apache.maven:maven-artifact + 3.0 + org.codehaus.plexus:plexus-utils@2.0.4 + 3.6.3 + org.codehaus.plexus:plexus-utils@3.2.1 + org.apache.commons:commons-lang3@3.8.1 + org.apache.maven:maven-builder-support + 3.6.3 + org.apache.maven:maven-model + 3.0.3 + org.codehaus.plexus:plexus-utils@2.0.6 + 3.6.3 + org.codehaus.plexus:plexus-utils@3.2.1 + org.apache.maven:maven-model-builder + 3.0.3 + org.codehaus.plexus:plexus-utils@2.0.6 + org.codehaus.plexus:plexus-interpolation@1.14 + MavenExclusions junit:junit|org.codehaus.plexus:plexus-component-annotations@1.5.5 + org.apache.maven:maven-model@3.0.3 + 3.6.3 + org.codehaus.plexus:plexus-utils@3.2.1 + org.codehaus.plexus:plexus-interpolation@1.25 + javax.inject:javax.inject@1 + org.apache.maven:maven-model@3.6.3 + org.apache.maven:maven-artifact@3.6.3 + org.apache.maven:maven-builder-support@3.6.3 + org.eclipse.sisu:org.eclipse.sisu.inject@0.3.4 + org.apache.maven:maven-parent + 15 + 22 + 24 + 33 + org.apache.maven:maven-plugin-api + 3.0 + org.apache.maven:maven-model@3.0 + MavenExclusions org.apache.maven.wagon:wagon-provider-api|org.apache.maven:maven-artifact@3.0 + org.sonatype.sisu:sisu-inject-plexus@1.4.2 + 3.6.3 + org.apache.maven:maven-model@3.6.3 + MavenExclusions org.apache.maven.wagon:wagon-provider-api|org.apache.maven:maven-artifact@3.6.3 + org.eclipse.sisu:org.eclipse.sisu.plexus@0.3.4 + org.codehaus.plexus:plexus-utils@3.2.1 + 
org.codehaus.plexus:plexus-classworlds@2.6.0 + org.apache.maven:maven-repository-metadata + 3.0.3 + org.codehaus.plexus:plexus-utils@2.0.6 + 3.6.3 + org.codehaus.plexus:plexus-utils@3.2.1 + org.apache.maven:maven-resolver-provider + 3.6.3 + org.apache.maven:maven-model@3.6.3 + org.apache.maven:maven-model-builder@3.6.3 + org.apache.maven:maven-repository-metadata@3.6.3 + org.apache.maven.resolver:maven-resolver-api@1.4.1 + org.apache.maven.resolver:maven-resolver-spi@1.4.1 + org.apache.maven.resolver:maven-resolver-util@1.4.1 + org.apache.maven.resolver:maven-resolver-impl@1.4.1 + org.codehaus.plexus:plexus-utils@3.2.1 + javax.inject:javax.inject@1 + Opt MavenClassifier no_aop MavenExclusions aopalliance:aopalliance|com.google.inject:guice@4.2.1 + org.slf4j:slf4j-api@1.7.29 + org.apache.mina:mina-core + 2.0.7 + org.slf4j:slf4j-api@1.6.6 + 2.0.9 + org.slf4j:slf4j-api@1.7.7 + 2.0.21 + org.slf4j:slf4j-api@1.7.26 + 2.0.22 + org.slf4j:slf4j-api@1.7.26 + 2.2.3 + org.slf4j:slf4j-api@1.7.36 + org.apache.mina:mina-parent + 2.0.7 + org.slf4j:slf4j-api@1.6.6 + 2.0.9 + org.slf4j:slf4j-api@1.7.7 + 2.0.21 + org.slf4j:slf4j-api@1.7.26 + 2.0.22 + org.slf4j:slf4j-api@1.7.26 + 2.2.3 + org.slf4j:slf4j-api@1.7.36 + org.apache.pdfbox:fontbox + 2.0.16 + commons-logging:commons-logging@1.2 + 2.0.23 + commons-logging:commons-logging@1.2 + 2.0.24 + commons-logging:commons-logging@1.2 + org.apache.pdfbox:pdfbox + 2.0.16 + org.apache.pdfbox:fontbox@2.0.16 + commons-logging:commons-logging@1.2 + Opt|org.bouncycastle:bcmail-jdk15on@1.60 + Opt|org.bouncycastle:bcprov-jdk15on@1.60 + 2.0.23 + org.apache.pdfbox:fontbox@2.0.23 + commons-logging:commons-logging@1.2 + Opt|org.bouncycastle:bcmail-jdk15on@1.64 + Opt|org.bouncycastle:bcprov-jdk15on@1.64 + 2.0.24 + org.apache.pdfbox:fontbox@2.0.24 + commons-logging:commons-logging@1.2 + Opt|org.bouncycastle:bcmail-jdk15on@1.64 + Opt|org.bouncycastle:bcprov-jdk15on@1.64 + org.apache.pdfbox:pdfbox-parent + 2.0.16 + 2.0.23 + 2.0.24 + 
org.apache.pdfbox:xmpbox + 2.0.16 + commons-logging:commons-logging@1.2 + 2.0.24 + commons-logging:commons-logging@1.2 + org.apache.servicemix.bundles:bundles-pom + 6 + org.apache.servicemix.bundles:org.apache.servicemix.bundles.antlr + 2.7.7_5 + org.apache.servicemix:servicemix-pom + 5 + org.apache.shiro.crypto:shiro-crypto-support + 2.0.1 + org.apache.shiro.crypto:shiro-hashes-argon2 + 2.0.1 + org.apache.shiro:shiro-crypto-hash@2.0.1 + Opt|aopalliance:aopalliance@1.0 + Opt|com.google.inject:guice@4.2.3 + org.apache.shiro.crypto:shiro-hashes-bcrypt + 2.0.1 + org.apache.shiro:shiro-crypto-hash@2.0.1 + Opt|aopalliance:aopalliance@1.0 + Opt|com.google.inject:guice@4.2.3 + org.apache.shiro:shiro-cache + 1.10.0 + org.apache.shiro:shiro-lang@1.10.0 + 1.13.0 + org.apache.shiro:shiro-lang@1.13.0 + 2.0.1 + org.apache.shiro:shiro-lang@2.0.1 + org.apache.shiro:shiro-config + 1.10.0 + 1.13.0 + 2.0.1 + org.apache.shiro:shiro-config-core + 1.10.0 + org.apache.shiro:shiro-lang@1.10.0 + 2.0.1 + org.apache.shiro:shiro-lang@2.0.1 + org.apache.shiro:shiro-config-ogdl + 1.10.0 + org.apache.shiro:shiro-lang@1.10.0 + org.apache.shiro:shiro-config-core@1.10.0 + org.apache.shiro:shiro-event@1.10.0 + MavenExclusions commons-logging:commons-logging|commons-beanutils:commons-beanutils@1.9.4 + Opt MavenExclusions commons-logging:commons-logging|org.apache.commons:commons-configuration2@2.8.0 + org.slf4j:slf4j-api@1.7.36 + 1.13.0 + org.apache.shiro:shiro-lang@1.13.0 + org.apache.shiro:shiro-config-core@1.13.0 + org.apache.shiro:shiro-event@1.13.0 + MavenExclusions commons-logging:commons-logging|commons-beanutils:commons-beanutils@1.9.4 + Opt MavenExclusions commons-logging:commons-logging|org.apache.commons:commons-configuration2@2.9.0 + org.slf4j:slf4j-api@1.7.36 + 2.0.1 + org.apache.shiro:shiro-lang@2.0.1 + org.apache.shiro:shiro-config-core@2.0.1 + org.apache.shiro:shiro-event@2.0.1 + MavenExclusions commons-logging:commons-logging|commons-beanutils:commons-beanutils@1.9.4 + Opt 
MavenExclusions commons-logging:commons-logging|org.apache.commons:commons-configuration2@2.10.1 + org.slf4j:slf4j-api@2.0.13 + org.apache.shiro:shiro-core + 1.10.0 + org.apache.shiro:shiro-lang@1.10.0 + org.apache.shiro:shiro-cache@1.10.0 + org.apache.shiro:shiro-crypto-hash@1.10.0 + org.apache.shiro:shiro-crypto-cipher@1.10.0 + org.apache.shiro:shiro-config-core@1.10.0 + org.apache.shiro:shiro-config-ogdl@1.10.0 + org.apache.shiro:shiro-event@1.10.0 + 1.13.0 + org.apache.shiro:shiro-lang@1.13.0 + org.apache.shiro:shiro-cache@1.13.0 + org.apache.shiro:shiro-crypto-hash@1.13.0 + org.apache.shiro:shiro-crypto-cipher@1.13.0 + org.apache.shiro:shiro-config-core@1.13.0 + org.apache.shiro:shiro-config-ogdl@1.13.0 + org.apache.shiro:shiro-event@1.13.0 + 2.0.1 + org.apache.shiro:shiro-lang@2.0.1 + org.apache.shiro:shiro-cache@2.0.1 + org.apache.shiro:shiro-crypto-hash@2.0.1 + Scope runtime|org.apache.shiro.crypto:shiro-hashes-argon2@2.0.1 + Scope runtime|org.apache.shiro.crypto:shiro-hashes-bcrypt@2.0.1 + org.apache.shiro:shiro-crypto-cipher@2.0.1 + org.apache.shiro:shiro-config-core@2.0.1 + org.apache.shiro:shiro-config-ogdl@2.0.1 + org.apache.shiro:shiro-event@2.0.1 + Opt Scope provided|jakarta.annotation:jakarta.annotation-api@1.3.5 + Opt MavenExclusions commons-logging:commons-logging|org.apache.commons:commons-configuration2@2.10.1 + Opt Scope provided|org.projectlombok:lombok@1.18.32 + org.apache.shiro:shiro-crypto + 1.10.0 + 1.13.0 + 2.0.1 + org.apache.shiro:shiro-crypto-cipher + 1.10.0 + org.apache.shiro:shiro-lang@1.10.0 + org.apache.shiro:shiro-crypto-core@1.10.0 + 1.13.0 + org.apache.shiro:shiro-lang@1.13.0 + org.apache.shiro:shiro-crypto-core@1.13.0 + 2.0.1 + org.apache.shiro:shiro-lang@2.0.1 + org.apache.shiro:shiro-crypto-core@2.0.1 + org.apache.shiro:shiro-crypto-core + 1.10.0 + org.apache.shiro:shiro-lang@1.10.0 + 1.13.0 + org.apache.shiro:shiro-lang@1.13.0 + 2.0.1 + org.apache.shiro:shiro-lang@2.0.1 + org.apache.shiro:shiro-crypto-hash + 1.10.0 + 
org.apache.shiro:shiro-lang@1.10.0 + org.apache.shiro:shiro-crypto-core@1.10.0 + 1.13.0 + org.apache.shiro:shiro-lang@1.13.0 + org.apache.shiro:shiro-crypto-core@1.13.0 + 2.0.1 + org.apache.shiro:shiro-lang@2.0.1 + org.apache.shiro:shiro-crypto-core@2.0.1 + org.bouncycastle:bcprov-jdk18on@1.78.1 + org.apache.shiro:shiro-event + 1.10.0 + org.apache.shiro:shiro-lang@1.10.0 + 1.13.0 + org.apache.shiro:shiro-lang@1.13.0 + 2.0.1 + org.apache.shiro:shiro-lang@2.0.1 + org.apache.shiro:shiro-lang + 1.10.0 + org.slf4j:slf4j-api@1.7.36 + 1.13.0 + org.slf4j:slf4j-api@1.7.36 + 2.0.1 + org.slf4j:slf4j-api@2.0.13 + Opt Scope provided|javax.servlet.jsp:jsp-api@2.2 + org.apache.shiro:shiro-root + 1.10.0 + 1.12.0 + 1.13.0 + 2.0.1 + org.apache.shiro:shiro-web + 1.10.0 + org.apache.shiro:shiro-core@1.10.0 + Scope provided|javax.servlet.jsp:jsp-api@2.2 + Scope provided|org.apache.taglibs:taglibs-standard-spec@1.2.5 + Scope provided|org.apache.taglibs:taglibs-standard-impl@1.2.5 + Scope provided|javax.servlet:javax.servlet-api@3.1.0 + org.owasp.encoder:encoder@1.2.3 + 1.12.0 + org.apache.shiro:shiro-core@1.12.0 + Scope provided|javax.servlet.jsp:jsp-api@2.2 + Scope provided|org.apache.taglibs:taglibs-standard-spec@1.2.5 + Scope provided|org.apache.taglibs:taglibs-standard-impl@1.2.5 + Scope provided|javax.servlet:javax.servlet-api@3.1.0 + org.owasp.encoder:encoder@1.2.3 + 1.13.0 + org.apache.shiro:shiro-core@1.13.0 + Scope provided|javax.servlet.jsp:jsp-api@2.2 + Scope provided|org.apache.taglibs:taglibs-standard-spec@1.2.5 + Scope provided|org.apache.taglibs:taglibs-standard-impl@1.2.5 + Scope provided|javax.servlet:javax.servlet-api@3.1.0 + org.owasp.encoder:encoder@1.2.3 + 2.0.1 + org.apache.shiro:shiro-core@2.0.1 + Scope provided|javax.servlet.jsp:jsp-api@2.2 + Scope provided|org.apache.taglibs:taglibs-standard-spec@1.2.5 + Scope provided|org.apache.taglibs:taglibs-standard-impl@1.2.5 + Scope provided|javax.servlet:javax.servlet-api@4.0.1 + org.owasp.encoder:encoder@1.2.3 + 
org.apache.taglibs:taglibs-parent + 3 + org.apache.taglibs:taglibs-standard + 1.2.5 + org.apache.taglibs:taglibs-standard-impl + 1.2.5 + Scope provided|org.apache.taglibs:taglibs-standard-spec@1.2.5 + Scope provided|javax.servlet:servlet-api@2.5 + Scope provided|javax.servlet.jsp:jsp-api@2.1 + Scope provided|javax.el:el-api@1.0 + Opt Scope provided|xalan:xalan@2.7.1 + org.apache.taglibs:taglibs-standard-spec + 1.2.5 + Scope provided|javax.servlet:servlet-api@2.5 + Scope provided|javax.servlet.jsp:jsp-api@2.1 + Scope provided|javax.el:el-api@1.0 + org.apache.thrift:libthrift + 0.9.3-1 + org.slf4j:slf4j-api@1.7.12 + Scope provided|javax.servlet:servlet-api@2.5 + org.apache.httpcomponents:httpclient@4.4.1 + org.apache.httpcomponents:httpcore@4.4.1 + 0.13.0 + org.slf4j:slf4j-api@1.7.25 + org.apache.httpcomponents:httpclient@4.5.6 + org.apache.httpcomponents:httpcore@4.4.1 + Scope provided|javax.servlet:servlet-api@2.5 + javax.annotation:javax.annotation-api@1.3.2 + 0.14.0 + org.slf4j:slf4j-api@1.7.28 + org.apache.httpcomponents:httpclient@4.5.10 + org.apache.httpcomponents:httpcore@4.4.12 + org.apache.tomcat.embed:tomcat-embed-core@8.5.46 + javax.annotation:javax.annotation-api@1.3.2 + org.apache.tomcat.embed:tomcat-embed-core + 8.5.46 + org.apache.tomcat:tomcat-annotations-api@8.5.46 + 8.5.99 + org.apache.tomcat:tomcat-annotations-api@8.5.99 + org.apache.tomcat:tomcat-annotations-api + 8.5.46 + 8.5.99 + org.apache.yetus:audience-annotations + 0.12.0 + org.apache.yetus:yetus-project + 0.12.0 + org.apache.zeppelin:zeppelin + 0.9.0-preview2 + 0.11.1 + org.apache.zeppelin:zeppelin-common + 0.11.1 + com.google.code.gson:gson@2.8.9 + org.slf4j:slf4j-api@1.7.35 + org.apache.zeppelin:zeppelin-interpreter + 0.9.0-preview2 + MavenExclusions org.apache.commons:commons-math3,org.apache.commons:commons-lang3|io.atomix:atomix@3.0.0-rc4 + io.atomix:atomix-raft@3.0.0-rc4 + io.atomix:atomix-primary-backup@3.0.0-rc4 + org.apache.commons:commons-math3@3.1.1 + 
org.apache.commons:commons-lang3@3.10 + MavenExclusions javax.annotation:javax.annotation-api|org.apache.thrift:libthrift@0.13.0 + com.google.code.gson:gson@2.2 + org.danilopianini:gson-extras@0.2.1 + commons-configuration:commons-configuration@1.9 + org.apache.commons:commons-exec@1.3 + org.apache.commons:commons-pool2@2.3 + org.slf4j:slf4j-api@1.7.30 + org.slf4j:slf4j-log4j12@1.7.30 + MavenExclusions org.codehaus.plexus:plexus-utils,org.sonatype.sisu:sisu-inject-plexus,org.apache.maven:maven-model|org.apache.maven:maven-plugin-api@3.0 + org.sonatype.aether:aether-api@1.12 + org.sonatype.aether:aether-util@1.12 + org.sonatype.aether:aether-impl@1.12 + org.bouncycastle:bcpkix-jdk15on@1.60 + MavenExclusions org.sonatype.aether:aether-api,org.sonatype.aether:aether-spi,org.sonatype.aether:aether-util,org.sonatype.aether:aether-impl,org.codehaus.plexus:plexus-utils|org.apache.maven:maven-aether-provider@3.0.3 + org.sonatype.aether:aether-connector-file@1.12 + MavenExclusions org.apache.maven.wagon:wagon-provider-api|org.sonatype.aether:aether-connector-wagon@1.12 + commons-httpclient:commons-httpclient@3.1 + MavenExclusions org.codehaus.plexus:plexus-utils|org.apache.maven.wagon:wagon-provider-api@2.7 + MavenExclusions org.apache.maven.wagon:wagon-http-shared|org.apache.maven.wagon:wagon-http-lightweight@2.7 + org.apache.maven.wagon:wagon-http@2.7 + jline:jline@2.14.3 + Scope provided MavenExclusions 
com.sun.jersey:jersey-core,com.sun.jersey:jersey-json,com.sun.jersey:jersey-client,com.sun.jersey:jersey-server,javax.servlet:servlet-api,org.apache.avro:avro,org.apache.jackrabbit:jackrabbit-webdav,io.netty:netty,io.netty:netty-all,commons-httpclient:commons-httpclient,org.eclipse.jgit:org.eclipse.jgit,com.jcraft:jsch,org.apache.commons:commons-compress,xml-apis:xml-apis,xerces:xercesImpl,com.google.guava:guava,com.google.code.findbugs:jsr305,org.apache.commons:commons-math3,com.fasterxml.jackson.core:jackson-annotations,com.nimbusds:nimbus-jose-jwt,org.eclipse.jetty:jetty-xml,org.eclipse.jetty:jetty-servlet,org.eclipse.jetty:jetty-util,commons-beanutils:commons-beanutils,org.apache.commons:commons-configuration2,org.eclipse.jetty:jetty-webapp,com.fasterxml.jackson.module:jackson-module-jaxb-annotations,com.fasterxml.jackson.core:jackson-core,com.fasterxml.jackson.core:jackson-databind|org.apache.hadoop:hadoop-client@2.7.7 + 0.11.1 + org.apache.zeppelin:zeppelin-common@0.11.1 + MavenExclusions org.apache.commons:commons-lang3|io.atomix:atomix@3.0.0-rc5 + io.atomix:atomix-raft@3.0.0-rc5 + io.atomix:atomix-primary-backup@3.0.0-rc5 + org.apache.commons:commons-lang3@3.12.0 + MavenExclusions commons-logging:commons-logging|org.apache.thrift:libthrift@0.13.0 + com.google.code.gson:gson@2.8.9 + MavenExclusions commons-logging:commons-logging|org.apache.commons:commons-configuration2@2.8.0 + MavenExclusions commons-logging:commons-logging|commons-beanutils:commons-beanutils@1.9.4 + org.apache.commons:commons-exec@1.3 + org.apache.commons:commons-pool2@2.3 + commons-io:commons-io@2.7 + MavenExclusions ch.qos.reload4j:reload4j|org.slf4j:slf4j-reload4j@1.7.35 + ch.qos.reload4j:reload4j@1.2.25 + org.slf4j:jcl-over-slf4j@1.7.35 + org.apache.maven:maven-plugin-api@3.6.3 + MavenExclusions org.codehaus.plexus:plexus-classworlds,org.codehaus.plexus:plexus-utils|org.eclipse.sisu:org.eclipse.sisu.plexus@0.3.4 + org.apache.maven:maven-resolver-provider@3.6.3 + 
org.apache.maven.resolver:maven-resolver-connector-basic@1.4.1 + org.apache.maven.resolver:maven-resolver-transport-file@1.4.1 + org.apache.maven.resolver:maven-resolver-transport-http@1.4.1 + jline:jline@2.14.3 + Scope provided MavenExclusions log4j:log4j,org.slf4j:slf4j-log4j12|org.apache.hadoop:hadoop-common@2.7.7 + Scope provided MavenExclusions log4j:log4j|org.apache.hadoop:hadoop-yarn-client@2.7.7 + org.apache.zeppelin:zeppelin-interpreter-parent + 0.9.0-preview2 + org.apache.zeppelin:zeppelin-interpreter-shaded@0.9.0-preview2 + Scope provided|org.apache.zeppelin:zeppelin-interpreter@0.9.0-preview2 + org.slf4j:slf4j-api@1.7.30 + org.slf4j:slf4j-log4j12@1.7.30 + commons-logging:commons-logging@1.1.1 + org.apache.commons:commons-exec@1.3 + log4j:log4j@1.2.17 + org.apache.zeppelin:zeppelin-jupyter + 0.9.0-preview2 + com.google.code.gson:gson@2.2 + org.danilopianini:gson-extras@0.2.1 + commons-cli:commons-cli@1.4 + MavenExclusions org.apache.zeppelin:zeppelin-interpreter-shaded|org.apache.zeppelin:zeppelin-markdown@0.9.0-preview2 + 0.11.1 + com.google.code.gson:gson@2.8.9 + org.danilopianini:gson-extras@0.2.2 + commons-cli:commons-cli@1.4 + MavenExclusions commons-logging:commons-logging|com.vladsch.flexmark:flexmark-all@0.62.2 + org.apache.commons:commons-lang3@3.12.0 + org.apache.zeppelin:zeppelin-markdown + 0.9.0-preview2 + org.commonjava.googlecode.markdown4j:markdown4j@2.2-cj-1.0 + org.pegdown:pegdown@1.6.0 + com.vladsch.flexmark:flexmark-all@0.50.40 + org.apache.commons:commons-lang3@3.10 + commons-io:commons-io@2.4 + org.apache.zeppelin:zeppelin-interpreter-shaded@0.9.0-preview2 + Scope provided|org.apache.zeppelin:zeppelin-interpreter@0.9.0-preview2 + org.slf4j:slf4j-api@1.7.30 + org.slf4j:slf4j-log4j12@1.7.30 + commons-logging:commons-logging@1.1.1 + org.apache.commons:commons-exec@1.3 + log4j:log4j@1.2.17 + org.apache.zeppelin:zeppelin-zengine + 0.9.0-preview2 + org.apache.zeppelin:zeppelin-interpreter@0.9.0-preview2 + MavenExclusions 
org.ow2.asm:asm,org.jsoup:jsoup|org.apache.zeppelin:zeppelin-jupyter@0.9.0-preview2 + org.slf4j:slf4j-api@1.7.30 + org.slf4j:slf4j-log4j12@1.7.30 + commons-io:commons-io@2.6 + commons-cli:commons-cli@1.4 + commons-logging:commons-logging@1.1.1 + joda-time:joda-time@2.9.9 + MavenExclusions commons-httpclient:commons-httpclient|org.apache.jackrabbit:jackrabbit-webdav@1.5.2 + org.apache.httpcomponents:httpclient@4.5.1 + org.apache.httpcomponents:httpasyncclient@4.0.2 + org.eclipse.jetty:jetty-client@9.4.27.v20200227 + org.eclipse.jetty.websocket:websocket-client@9.4.27.v20200227 + org.quartz-scheduler:quartz@2.3.2 + com.google.code.gson:gson@2.2 + org.apache.lucene:lucene-core@5.3.1 + org.apache.lucene:lucene-analyzers-common@5.3.1 + org.apache.lucene:lucene-queryparser@5.3.1 + org.apache.lucene:lucene-highlighter@5.3.1 + MavenExclusions org.codehaus.plexus:plexus-utils,org.apache.maven:maven-plugin-api,org.apache.maven:maven-artifact|com.github.eirslett:frontend-maven-plugin@1.3 + MavenExclusions org.codehaus.plexus:plexus-utils|org.apache.commons:commons-vfs2@2.2 + MavenExclusions org.apache.commons:commons-lang3|org.apache.commons:commons-configuration2@2.2 + org.eclipse.jgit:org.eclipse.jgit@4.5.4.201711221230-r + org.codehaus.jettison:jettison@1.4.0 + Scope provided MavenExclusions 
com.sun.jersey:jersey-core,com.sun.jersey:jersey-json,com.sun.jersey:jersey-client,com.sun.jersey:jersey-server,javax.servlet:servlet-api,org.apache.avro:avro,org.apache.jackrabbit:jackrabbit-webdav,io.netty:netty,io.netty:netty-all,commons-httpclient:commons-httpclient,org.eclipse.jgit:org.eclipse.jgit,com.jcraft:jsch,org.apache.commons:commons-compress,xml-apis:xml-apis,xerces:xercesImpl,com.google.guava:guava,com.google.code.findbugs:jsr305,org.apache.commons:commons-math3,com.fasterxml.jackson.core:jackson-annotations,com.nimbusds:nimbus-jose-jwt,org.eclipse.jetty:jetty-xml,org.eclipse.jetty:jetty-servlet,org.eclipse.jetty:jetty-util,commons-beanutils:commons-beanutils,org.apache.commons:commons-configuration2,org.eclipse.jetty:jetty-webapp,com.fasterxml.jackson.module:jackson-module-jaxb-annotations,com.fasterxml.jackson.core:jackson-core,com.fasterxml.jackson.core:jackson-databind|org.apache.hadoop:hadoop-client@2.7.7 + org.apache.commons:commons-lang3@3.10 + org.apache.commons:commons-compress@1.5 + 0.11.1 + org.apache.zeppelin:zeppelin-common@0.11.1 + org.apache.zeppelin:zeppelin-interpreter@0.11.1 + MavenExclusions org.ow2.asm:asm,org.jsoup:jsoup|org.apache.zeppelin:zeppelin-jupyter@0.11.1 + org.slf4j:slf4j-api@1.7.35 + commons-io:commons-io@2.7 + commons-cli:commons-cli@1.4 + org.bouncycastle:bcpkix-jdk15on@1.70 + MavenExclusions commons-httpclient:commons-httpclient|org.apache.commons:commons-vfs2-jackrabbit1@2.6.0 + MavenExclusions commons-logging:commons-logging|org.apache.httpcomponents:httpclient@4.5.13 + MavenExclusions commons-logging:commons-logging|org.apache.httpcomponents:httpasyncclient@4.0.2 + org.eclipse.jetty:jetty-client@9.4.52.v20230823 + org.eclipse.jetty.websocket:websocket-client@9.4.52.v20230823 + org.quartz-scheduler:quartz@2.3.2 + io.micrometer:micrometer-core@1.6.0 + io.dropwizard.metrics:metrics-healthchecks@4.1.14 + com.google.code.gson:gson@2.8.9 + org.apache.lucene:lucene-core@8.7.0 + 
org.apache.lucene:lucene-analyzers-common@8.7.0 + org.apache.lucene:lucene-queryparser@8.7.0 + org.apache.lucene:lucene-highlighter@8.7.0 + MavenExclusions org.codehaus.plexus:plexus-utils,org.apache.commons:commons-compress,com.fasterxml.jackson.core:jackson-databind|com.github.eirslett:frontend-plugin-core@1.6 + MavenExclusions org.codehaus.plexus:plexus-utils,org.apache.hadoop:hadoop-hdfs-client|org.apache.commons:commons-vfs2@2.6.0 + org.eclipse.jgit:org.eclipse.jgit@4.5.4.201711221230-r + org.codehaus.jettison:jettison@1.5.4 + org.apache.commons:commons-lang3@3.12.0 + org.apache.commons:commons-compress@1.21 + Scope provided MavenExclusions log4j:log4j|org.apache.hadoop:hadoop-common@2.7.7 + Scope provided MavenExclusions javax.servlet:servlet-api,org.apache.avro:avro,org.apache.jackrabbit:jackrabbit-webdav,io.netty:netty,commons-httpclient:commons-httpclient,org.eclipse.jgit:org.eclipse.jgit,com.jcraft:jsch,org.apache.commons:commons-compress,xml-apis:xml-apis,xerces:xercesImpl,org.codehaus.jackson:jackson-mapper-asl,org.codehaus.jackson:jackson-core-asl,com.google.guava:guava,com.google.code.findbugs:jsr305,org.apache.commons:commons-math3,commons-logging:commons-logging,log4j:log4j|org.apache.hadoop:hadoop-yarn-client@2.7.7 + org.apache.zookeeper:parent + 3.8.3 + org.apache.zookeeper:zookeeper + 3.4.6 + org.slf4j:slf4j-api@1.6.1 + org.slf4j:slf4j-log4j12@1.6.1 + Opt|org.apache.maven.wagon:wagon-http@2.4 + Opt|org.apache.maven:maven-ant-tasks@2.1.3 + log4j:log4j@1.2.16 + jline:jline@0.9.94 + io.netty:netty@3.7.0.Final + Opt|org.vafer:jdeb@0.8 + Opt|jdiff:jdiff@1.0.9 + Opt|xerces:xerces@1.4.4 + Opt|org.apache.rat:apache-rat-tasks@0.6 + Opt|commons-lang:commons-lang@2.4 + Opt|commons-collections:commons-collections@3.1 + 3.8.3 + Opt Scope provided|com.github.spotbugs:spotbugs-annotations@4.0.2 + org.apache.zookeeper:zookeeper-jute@3.8.3 + Scope provided|commons-cli:commons-cli@1.5.0 + org.apache.yetus:audience-annotations@0.12.0 + 
io.netty:netty-handler@4.1.94.Final + io.netty:netty-transport-native-epoll@4.1.94.Final + org.slf4j:slf4j-api@1.7.30 + ch.qos.logback:logback-core@1.2.10 + ch.qos.logback:logback-classic@1.2.10 + Scope provided|org.eclipse.jetty:jetty-server@9.4.52.v20230823 + Scope provided|org.eclipse.jetty:jetty-servlet@9.4.52.v20230823 + Scope provided|org.eclipse.jetty:jetty-client@9.4.52.v20230823 + Scope provided|com.fasterxml.jackson.core:jackson-databind@2.15.2 + Scope provided|jline:jline@2.14.6 + Scope provided MavenExclusions org.slf4j:slf4j-api|io.dropwizard.metrics:metrics-core@4.1.12.1 + Scope provided|org.xerial.snappy:snappy-java@1.1.10.5 + commons-io:commons-io@2.11.0 + org.apache.zookeeper:zookeeper-jute + 3.8.3 + org.apache.yetus:audience-annotations@0.12.0 + org.apache:apache + 4 + 6 + 7 + 9 + 10 + 11 + 12 + 13 + 14 + 15 + 16 + 17 + 18 + 19 + 21 + 22 + 23 + 24 + 27 + 28 + 29 + 30 + 31 + 32 + org.apiguardian:apiguardian-api + 1.1.0 + 1.1.2 + org.assertj:assertj-core + 3.9.1 + Opt Scope provided|junit:junit@4.12 + Opt Scope provided|org.opentest4j:opentest4j@1.0.0 + Opt Scope provided|org.hamcrest:hamcrest-core@1.3 + org.assertj:assertj-parent-pom + 2.1.9 + org.asynchttpclient:async-http-client + 2.12.3 + org.asynchttpclient:async-http-client-netty-utils@2.12.3 + io.netty:netty-codec-http@4.1.60.Final + io.netty:netty-handler@4.1.60.Final + io.netty:netty-codec-socks@4.1.60.Final + io.netty:netty-handler-proxy@4.1.60.Final + MavenClassifier linux-x86_64|io.netty:netty-transport-native-epoll@4.1.60.Final + MavenClassifier osx-x86_64|io.netty:netty-transport-native-kqueue@4.1.60.Final + org.reactivestreams:reactive-streams@1.0.3 + com.typesafe.netty:netty-reactive-streams@2.0.4 + org.slf4j:slf4j-api@1.7.30 + com.sun.activation:jakarta.activation@1.2.2 + org.asynchttpclient:async-http-client-netty-utils + 2.12.3 + io.netty:netty-buffer@4.1.60.Final + org.slf4j:slf4j-api@1.7.30 + com.sun.activation:jakarta.activation@1.2.2 + 
org.asynchttpclient:async-http-client-project + 2.12.3 + org.slf4j:slf4j-api@1.7.30 + com.sun.activation:jakarta.activation@1.2.2 + org.awaitility:awaitility + 4.2.1 + org.hamcrest:hamcrest@2.1 + org.awaitility:awaitility-parent + 4.2.1 + org.bitbucket.cowwoc:diff-match-patch + 1.1 + 1.2 + org.bouncycastle:bcpkix-jdk15on + 1.60 + org.bouncycastle:bcprov-jdk15on@1.60 + 1.70 + org.bouncycastle:bcprov-jdk15on@1.70 + org.bouncycastle:bcutil-jdk15on@1.70 + org.bouncycastle:bcprov-jdk15on + 1.60 + 1.70 + org.bouncycastle:bcprov-jdk18on + 1.78.1 + org.bouncycastle:bcutil-jdk15on + 1.70 + org.bouncycastle:bcprov-jdk15on@1.70 + org.brotli:dec + 0.1.2 + org.brotli:parent + 0.1.2 + org.checkerframework:checker-compat-qual + 2.0.0 + org.checkerframework:checker-qual + 2.5.2 + 3.12.0 + 3.33.0 + org.codehaus.jackson:jackson-core-asl + 1.9.13 + org.codehaus.jackson:jackson-jaxrs + 1.9.13 + org.codehaus.jackson:jackson-core-asl@1.9.13 + org.codehaus.jackson:jackson-mapper-asl@1.9.13 + org.codehaus.jackson:jackson-mapper-asl + 1.9.13 + org.codehaus.jackson:jackson-core-asl@1.9.13 + org.codehaus.jackson:jackson-xc + 1.9.13 + org.codehaus.jackson:jackson-core-asl@1.9.13 + org.codehaus.jackson:jackson-mapper-asl@1.9.13 + org.codehaus.jettison:jettison + 1.4.0 + 1.5.4 + org.codehaus.mojo:animal-sniffer-annotations + 1.14 + 1.17 + org.codehaus.mojo:animal-sniffer-parent + 1.14 + 1.17 + org.codehaus.mojo:mojo-parent + 34 + 40 + org.codehaus.plexus:plexus + 2.0.7 + 5.1 + org.codehaus.plexus:plexus-classworlds + 2.4 + 2.6.0 + org.codehaus.plexus:plexus-component-annotations + 1.5.5 + org.codehaus.plexus:plexus-components + 1.1.18 + org.codehaus.plexus:plexus-containers + 1.5.5 + org.codehaus.plexus:plexus-interpolation + 1.14 + 1.25 + org.codehaus.plexus:plexus-utils + 2.0.7 + 3.2.1 + org.codehaus.woodstox:stax2-api + 4.2.1 + org.codehaus:codehaus-parent + 4 + org.commonjava.googlecode.markdown4j:markdown4j + 2.2-cj-1.0 + org.commonjava:commonjava + 2 + org.danilopianini:gson-extras + 
0.2.1 + com.google.code.gson:gson@[2.3.1, ) + 0.2.2 + com.google.code.gson:gson@2.8.6 + Scope runtime|javax.annotation:jsr250-api@1.0 + 1.3.0 + com.google.code.gson:gson@2.11.0 + Scope runtime|javax.annotation:jsr250-api@1.0 + org.eclipse.ee4j:project + 1.0.2 + 1.0.5 + 1.0.6 + 1.0.7 + 1.0.9 + org.eclipse.jetty.websocket:javax-websocket-client-impl + 9.4.9.v20180320 + org.eclipse.jetty.websocket:websocket-client@9.4.9.v20180320 + javax.websocket:javax.websocket-client-api@1.0 + 9.4.52.v20230823 + org.eclipse.jetty.websocket:websocket-client@9.4.52.v20230823 + javax.websocket:javax.websocket-client-api@1.0 + 9.4.53.v20231009 + org.eclipse.jetty.websocket:websocket-client@9.4.53.v20231009 + javax.websocket:javax.websocket-client-api@1.0 + org.eclipse.jetty.websocket:javax-websocket-server-impl + 9.4.9.v20180320 + org.eclipse.jetty:jetty-annotations@9.4.9.v20180320 + org.eclipse.jetty.websocket:javax-websocket-client-impl@9.4.9.v20180320 + org.eclipse.jetty.websocket:websocket-server@9.4.9.v20180320 + javax.websocket:javax.websocket-api@1.0 + 9.4.52.v20230823 + org.eclipse.jetty:jetty-annotations@9.4.52.v20230823 + org.eclipse.jetty.websocket:javax-websocket-client-impl@9.4.52.v20230823 + org.eclipse.jetty.websocket:websocket-server@9.4.52.v20230823 + javax.websocket:javax.websocket-api@1.0 + 9.4.53.v20231009 + org.eclipse.jetty:jetty-annotations@9.4.53.v20231009 + org.eclipse.jetty.websocket:javax-websocket-client-impl@9.4.53.v20231009 + org.eclipse.jetty.websocket:websocket-server@9.4.53.v20231009 + javax.websocket:javax.websocket-api@1.0 + org.eclipse.jetty.websocket:websocket-api + 9.4.9.v20180320 + 9.4.27.v20200227 + 9.4.52.v20230823 + 9.4.53.v20231009 + org.eclipse.jetty.websocket:websocket-client + 9.4.9.v20180320 + org.eclipse.jetty:jetty-client@9.4.9.v20180320 + org.eclipse.jetty:jetty-xml@9.4.9.v20180320 + org.eclipse.jetty:jetty-util@9.4.9.v20180320 + org.eclipse.jetty:jetty-io@9.4.9.v20180320 + org.eclipse.jetty.websocket:websocket-common@9.4.9.v20180320 + 
9.4.27.v20200227 + org.eclipse.jetty:jetty-client@9.4.27.v20200227 + org.eclipse.jetty:jetty-xml@9.4.27.v20200227 + org.eclipse.jetty:jetty-util@9.4.27.v20200227 + org.eclipse.jetty:jetty-io@9.4.27.v20200227 + org.eclipse.jetty.websocket:websocket-common@9.4.27.v20200227 + 9.4.52.v20230823 + org.eclipse.jetty:jetty-client@9.4.52.v20230823 + Opt|org.eclipse.jetty:jetty-xml@9.4.52.v20230823 + org.eclipse.jetty:jetty-util@9.4.52.v20230823 + org.eclipse.jetty:jetty-io@9.4.52.v20230823 + org.eclipse.jetty.websocket:websocket-common@9.4.52.v20230823 + 9.4.53.v20231009 + org.eclipse.jetty:jetty-client@9.4.53.v20231009 + Opt|org.eclipse.jetty:jetty-xml@9.4.53.v20231009 + org.eclipse.jetty:jetty-util@9.4.53.v20231009 + org.eclipse.jetty:jetty-io@9.4.53.v20231009 + org.eclipse.jetty.websocket:websocket-common@9.4.53.v20231009 + org.eclipse.jetty.websocket:websocket-common + 9.4.9.v20180320 + org.eclipse.jetty.websocket:websocket-api@9.4.9.v20180320 + org.eclipse.jetty:jetty-util@9.4.9.v20180320 + org.eclipse.jetty:jetty-io@9.4.9.v20180320 + 9.4.27.v20200227 + org.eclipse.jetty.websocket:websocket-api@9.4.27.v20200227 + org.eclipse.jetty:jetty-util@9.4.27.v20200227 + org.eclipse.jetty:jetty-io@9.4.27.v20200227 + 9.4.52.v20230823 + org.eclipse.jetty.websocket:websocket-api@9.4.52.v20230823 + org.eclipse.jetty:jetty-util@9.4.52.v20230823 + org.eclipse.jetty:jetty-io@9.4.52.v20230823 + 9.4.53.v20231009 + org.eclipse.jetty.websocket:websocket-api@9.4.53.v20231009 + org.eclipse.jetty:jetty-util@9.4.53.v20231009 + org.eclipse.jetty:jetty-io@9.4.53.v20231009 + org.eclipse.jetty.websocket:websocket-parent + 9.4.9.v20180320 + 9.4.27.v20200227 + 9.4.52.v20230823 + 9.4.53.v20231009 + org.eclipse.jetty.websocket:websocket-server + 9.4.9.v20180320 + org.eclipse.jetty.websocket:websocket-common@9.4.9.v20180320 + org.eclipse.jetty.websocket:websocket-client@9.4.9.v20180320 + org.eclipse.jetty.websocket:websocket-servlet@9.4.9.v20180320 + org.eclipse.jetty:jetty-servlet@9.4.9.v20180320 + 
Scope provided|javax.servlet:javax.servlet-api@3.1.0 + org.eclipse.jetty:jetty-http@9.4.9.v20180320 + Scope provided|org.eclipse.jetty:jetty-server@9.4.9.v20180320 + 9.4.52.v20230823 + org.eclipse.jetty.websocket:websocket-common@9.4.52.v20230823 + org.eclipse.jetty.websocket:websocket-client@9.4.52.v20230823 + org.eclipse.jetty.websocket:websocket-servlet@9.4.52.v20230823 + org.eclipse.jetty:jetty-servlet@9.4.52.v20230823 + Scope provided|javax.servlet:javax.servlet-api@3.1.0 + org.eclipse.jetty:jetty-http@9.4.52.v20230823 + Scope provided|org.eclipse.jetty:jetty-server@9.4.52.v20230823 + 9.4.53.v20231009 + org.eclipse.jetty.websocket:websocket-common@9.4.53.v20231009 + org.eclipse.jetty.websocket:websocket-client@9.4.53.v20231009 + org.eclipse.jetty.websocket:websocket-servlet@9.4.53.v20231009 + org.eclipse.jetty:jetty-servlet@9.4.53.v20231009 + Scope provided|javax.servlet:javax.servlet-api@3.1.0 + org.eclipse.jetty:jetty-http@9.4.53.v20231009 + Scope provided|org.eclipse.jetty:jetty-server@9.4.53.v20231009 + org.eclipse.jetty.websocket:websocket-servlet + 9.4.9.v20180320 + org.eclipse.jetty.websocket:websocket-api@9.4.9.v20180320 + javax.servlet:javax.servlet-api@3.1.0 + 9.4.52.v20230823 + org.eclipse.jetty.websocket:websocket-api@9.4.52.v20230823 + javax.servlet:javax.servlet-api@3.1.0 + 9.4.53.v20231009 + org.eclipse.jetty.websocket:websocket-api@9.4.53.v20231009 + javax.servlet:javax.servlet-api@3.1.0 + org.eclipse.jetty:jetty-annotations + 9.4.9.v20180320 + org.eclipse.jetty:jetty-plus@9.4.9.v20180320 + org.eclipse.jetty:jetty-webapp@9.4.9.v20180320 + javax.annotation:javax.annotation-api@1.2 + org.ow2.asm:asm@6.0 + org.ow2.asm:asm-commons@6.0 + 9.4.52.v20230823 + org.eclipse.jetty:jetty-plus@9.4.52.v20230823 + org.eclipse.jetty:jetty-webapp@9.4.52.v20230823 + javax.annotation:javax.annotation-api@1.3.2 + org.ow2.asm:asm@9.5 + org.ow2.asm:asm-commons@9.5 + 9.4.53.v20231009 + org.eclipse.jetty:jetty-plus@9.4.53.v20231009 + 
org.eclipse.jetty:jetty-webapp@9.4.53.v20231009 + javax.annotation:javax.annotation-api@1.3.2 + org.ow2.asm:asm@9.6 + org.ow2.asm:asm-commons@9.6 + org.eclipse.jetty:jetty-bom + 9.4.45.v20220203 + org.eclipse.jetty:jetty-client + 9.4.9.v20180320 + org.eclipse.jetty:jetty-http@9.4.9.v20180320 + org.eclipse.jetty:jetty-io@9.4.9.v20180320 + Opt|org.eclipse.jetty:jetty-jmx@9.4.9.v20180320 + 9.4.27.v20200227 + org.eclipse.jetty:jetty-http@9.4.27.v20200227 + org.eclipse.jetty:jetty-io@9.4.27.v20200227 + Opt|org.eclipse.jetty:jetty-jmx@9.4.27.v20200227 + 9.4.52.v20230823 + org.eclipse.jetty:jetty-http@9.4.52.v20230823 + org.eclipse.jetty:jetty-io@9.4.52.v20230823 + Opt|org.eclipse.jetty:jetty-jmx@9.4.52.v20230823 + 9.4.53.v20231009 + org.eclipse.jetty:jetty-http@9.4.53.v20231009 + org.eclipse.jetty:jetty-io@9.4.53.v20231009 + Opt|org.eclipse.jetty:jetty-jmx@9.4.53.v20231009 + org.eclipse.jetty:jetty-http + 9.4.9.v20180320 + org.eclipse.jetty:jetty-util@9.4.9.v20180320 + org.eclipse.jetty:jetty-io@9.4.9.v20180320 + 9.4.27.v20200227 + org.eclipse.jetty:jetty-util@9.4.27.v20200227 + org.eclipse.jetty:jetty-io@9.4.27.v20200227 + Scope provided|javax.servlet:javax.servlet-api@3.1.0 + 9.4.52.v20230823 + org.eclipse.jetty:jetty-util@9.4.52.v20230823 + org.eclipse.jetty:jetty-io@9.4.52.v20230823 + Scope provided|javax.servlet:javax.servlet-api@3.1.0 + 9.4.53.v20231009 + org.eclipse.jetty:jetty-util@9.4.53.v20231009 + org.eclipse.jetty:jetty-io@9.4.53.v20231009 + Scope provided|javax.servlet:javax.servlet-api@3.1.0 + org.eclipse.jetty:jetty-io + 9.4.9.v20180320 + org.eclipse.jetty:jetty-util@9.4.9.v20180320 + 9.4.27.v20200227 + org.eclipse.jetty:jetty-util@9.4.27.v20200227 + 9.4.52.v20230823 + org.eclipse.jetty:jetty-util@9.4.52.v20230823 + Opt|org.eclipse.jetty:jetty-jmx@9.4.52.v20230823 + 9.4.53.v20231009 + org.eclipse.jetty:jetty-util@9.4.53.v20231009 + Opt|org.eclipse.jetty:jetty-jmx@9.4.53.v20231009 + org.eclipse.jetty:jetty-jmx + 9.4.9.v20180320 + 
org.eclipse.jetty:jetty-util@9.4.9.v20180320 + 9.4.52.v20230823 + org.eclipse.jetty:jetty-util@9.4.52.v20230823 + org.eclipse.jetty:jetty-jndi + 9.4.9.v20180320 + org.eclipse.jetty:jetty-util@9.4.9.v20180320 + Scope provided|org.eclipse.jetty:jetty-webapp@9.4.9.v20180320 + Scope provided MavenExclusions org.eclipse.jetty.orbit:javax.activation|org.eclipse.jetty.orbit:javax.mail.glassfish@1.4.1.v201005082020 + 9.4.52.v20230823 + org.eclipse.jetty:jetty-util@9.4.52.v20230823 + Scope provided|org.eclipse.jetty:jetty-webapp@9.4.52.v20230823 + Scope provided MavenExclusions org.eclipse.jetty.orbit:javax.activation|org.eclipse.jetty.orbit:javax.mail.glassfish@1.4.1.v201005082020 + 9.4.53.v20231009 + org.eclipse.jetty:jetty-util@9.4.53.v20231009 + Scope provided|org.eclipse.jetty:jetty-webapp@9.4.53.v20231009 + Scope provided MavenExclusions org.eclipse.jetty.orbit:javax.activation|org.eclipse.jetty.orbit:javax.mail.glassfish@1.4.1.v201005082020 + org.eclipse.jetty:jetty-parent + 14 + org.eclipse.jetty:jetty-plus + 9.4.9.v20180320 + Scope provided|javax.transaction:javax.transaction-api@1.2 + org.eclipse.jetty:jetty-webapp@9.4.9.v20180320 + org.eclipse.jetty:jetty-jndi@9.4.9.v20180320 + 9.4.52.v20230823 + Scope provided|javax.transaction:javax.transaction-api@1.3 + org.eclipse.jetty:jetty-webapp@9.4.52.v20230823 + org.eclipse.jetty:jetty-jndi@9.4.52.v20230823 + 9.4.53.v20231009 + Scope provided|javax.transaction:javax.transaction-api@1.3 + org.eclipse.jetty:jetty-webapp@9.4.53.v20231009 + org.eclipse.jetty:jetty-jndi@9.4.53.v20231009 + org.eclipse.jetty:jetty-project + 9.4.9.v20180320 + 9.4.27.v20200227 + 9.4.52.v20230823 + 9.4.53.v20231009 + org.eclipse.jetty:jetty-security + 9.4.9.v20180320 + org.eclipse.jetty:jetty-server@9.4.9.v20180320 + 9.4.52.v20230823 + org.eclipse.jetty:jetty-server@9.4.52.v20230823 + 9.4.53.v20231009 + org.eclipse.jetty:jetty-server@9.4.53.v20231009 + org.eclipse.jetty:jetty-server + 9.4.9.v20180320 + javax.servlet:javax.servlet-api@3.1.0 + 
org.eclipse.jetty:jetty-http@9.4.9.v20180320 + org.eclipse.jetty:jetty-io@9.4.9.v20180320 + Opt|org.eclipse.jetty:jetty-jmx@9.4.9.v20180320 + 9.4.52.v20230823 + javax.servlet:javax.servlet-api@3.1.0 + org.eclipse.jetty:jetty-http@9.4.52.v20230823 + org.eclipse.jetty:jetty-io@9.4.52.v20230823 + Opt|org.eclipse.jetty:jetty-jmx@9.4.52.v20230823 + 9.4.53.v20231009 + javax.servlet:javax.servlet-api@3.1.0 + org.eclipse.jetty:jetty-http@9.4.53.v20231009 + org.eclipse.jetty:jetty-io@9.4.53.v20231009 + Opt|org.eclipse.jetty:jetty-jmx@9.4.53.v20231009 + org.eclipse.jetty:jetty-servlet + 9.4.9.v20180320 + org.eclipse.jetty:jetty-security@9.4.9.v20180320 + Opt|org.eclipse.jetty:jetty-jmx@9.4.9.v20180320 + 9.4.52.v20230823 + org.eclipse.jetty:jetty-security@9.4.52.v20230823 + org.eclipse.jetty:jetty-util-ajax@9.4.52.v20230823 + Opt|org.eclipse.jetty:jetty-jmx@9.4.52.v20230823 + 9.4.53.v20231009 + org.eclipse.jetty:jetty-security@9.4.53.v20231009 + org.eclipse.jetty:jetty-util-ajax@9.4.53.v20231009 + Opt|org.eclipse.jetty:jetty-jmx@9.4.53.v20231009 + org.eclipse.jetty:jetty-util + 9.4.9.v20180320 + Scope provided|javax.servlet:javax.servlet-api@3.1.0 + Opt Scope provided|org.slf4j:slf4j-api@1.6.6 + 9.4.27.v20200227 + Scope provided|javax.servlet:javax.servlet-api@3.1.0 + Opt Scope provided|org.slf4j:slf4j-api@1.7.25 + 9.4.52.v20230823 + 9.4.53.v20231009 + Scope provided|javax.servlet:javax.servlet-api@3.1.0 + Opt Scope provided|org.slf4j:slf4j-api@1.7.36 + org.eclipse.jetty:jetty-util-ajax + 9.4.52.v20230823 + org.eclipse.jetty:jetty-util@9.4.52.v20230823 + Scope provided|javax.servlet:javax.servlet-api@3.1.0 + 9.4.53.v20231009 + org.eclipse.jetty:jetty-util@9.4.53.v20231009 + Scope provided|javax.servlet:javax.servlet-api@3.1.0 + org.eclipse.jetty:jetty-webapp + 9.4.9.v20180320 + org.eclipse.jetty:jetty-xml@9.4.9.v20180320 + org.eclipse.jetty:jetty-servlet@9.4.9.v20180320 + Opt|org.eclipse.jetty:jetty-jmx@9.4.9.v20180320 + 9.4.52.v20230823 + 
org.eclipse.jetty:jetty-xml@9.4.52.v20230823 + org.eclipse.jetty:jetty-servlet@9.4.52.v20230823 + Opt|org.eclipse.jetty:jetty-jmx@9.4.52.v20230823 + 9.4.53.v20231009 + org.eclipse.jetty:jetty-xml@9.4.53.v20231009 + org.eclipse.jetty:jetty-servlet@9.4.53.v20231009 + Opt|org.eclipse.jetty:jetty-jmx@9.4.53.v20231009 + org.eclipse.jetty:jetty-xml + 9.4.9.v20180320 + org.eclipse.jetty:jetty-util@9.4.9.v20180320 + 9.4.27.v20200227 + org.eclipse.jetty:jetty-util@9.4.27.v20200227 + 9.4.52.v20230823 + org.eclipse.jetty:jetty-util@9.4.52.v20230823 + 9.4.53.v20231009 + org.eclipse.jetty:jetty-util@9.4.53.v20231009 + org.eclipse.jgit:org.eclipse.jgit + 4.5.4.201711221230-r + com.jcraft:jsch@0.1.53 + com.googlecode.javaewah:JavaEWAH@0.7.9 + org.apache.httpcomponents:httpclient@4.3.6 + org.slf4j:slf4j-api@1.7.2 + Scope provided|javax.servlet:javax.servlet-api@3.1.0 + 5.13.3.202401111512-r + com.googlecode.javaewah:JavaEWAH@1.1.13 + org.slf4j:slf4j-api@1.7.30 + org.eclipse.jgit:org.eclipse.jgit-parent + 4.5.4.201711221230-r + 5.13.3.202401111512-r + org.eclipse.sisu:org.eclipse.sisu.inject + 0.3.4 + Scope provided|com.google.inject:guice@3.0 + org.eclipse.sisu:org.eclipse.sisu.plexus + 0.3.4 + Scope provided|com.google.inject:guice@3.0 + MavenExclusions javax.el:el-api,org.jboss.ejb3:jboss-ejb3-api,org.jboss.interceptor:jboss-interceptor-api|javax.enterprise:cdi-api@1.0 + org.eclipse.sisu:org.eclipse.sisu.inject@0.3.4 + org.codehaus.plexus:plexus-component-annotations@1.5.5 + org.codehaus.plexus:plexus-classworlds@2.5.2 + org.codehaus.plexus:plexus-utils@3.0.17 + Opt|junit:junit@4.11 + org.eclipse.sisu:sisu-inject + 0.3.4 + org.eclipse.sisu:sisu-plexus + 0.3.4 + org.ehcache:ehcache + 3.3.1 + org.slf4j:slf4j-api@1.7.7 + org.fusesource.leveldbjni:leveldbjni-all + 1.8 + Scope provided|org.fusesource.leveldbjni:leveldbjni@1.8 + Scope provided|org.fusesource.leveldbjni:leveldbjni-osx@1.8 + Scope provided|org.fusesource.leveldbjni:leveldbjni-linux32@1.8 + Scope 
provided|org.fusesource.leveldbjni:leveldbjni-linux64@1.8 + Scope provided|org.fusesource.leveldbjni:leveldbjni-win32@1.8 + Scope provided|org.fusesource.leveldbjni:leveldbjni-win64@1.8 + org.fusesource.leveldbjni:leveldbjni-project + 1.8 + org.fusesource:fusesource-pom + 1.9 + org.glassfish.hk2.external:aopalliance-repackaged + 2.6.1 + Opt|aopalliance:aopalliance@1.0 + 4.0.0-M1 + Opt|aopalliance:aopalliance@1.0 + org.glassfish.hk2.external:jakarta.inject + 2.6.1 + Opt|javax.inject:javax.inject@1 + org.glassfish.hk2:external + 2.6.1 + 4.0.0-M1 + org.glassfish.hk2:hk2-api + 2.6.1 + Opt|org.glassfish.hk2:osgi-resource-locator@1.0.3 + org.glassfish.hk2.external:jakarta.inject@2.6.1 + org.glassfish.hk2:hk2-utils@2.6.1 + org.glassfish.hk2.external:aopalliance-repackaged@2.6.1 + 4.0.0-M1 + Opt|org.glassfish.hk2:osgi-resource-locator@2.4.0 + jakarta.inject:jakarta.inject-api@2.0.1 + org.glassfish.hk2:hk2-utils@4.0.0-M1 + org.glassfish.hk2.external:aopalliance-repackaged@4.0.0-M1 + org.glassfish.hk2:hk2-locator + 2.6.1 + org.glassfish.hk2.external:jakarta.inject@2.6.1 + org.glassfish.hk2.external:aopalliance-repackaged@2.6.1 + org.glassfish.hk2:hk2-api@2.6.1 + org.glassfish.hk2:hk2-utils@2.6.1 + jakarta.annotation:jakarta.annotation-api@1.3.4 + org.javassist:javassist@3.22.0-CR2 + 4.0.0-M1 + jakarta.inject:jakarta.inject-api@2.0.1 + org.glassfish.hk2.external:aopalliance-repackaged@4.0.0-M1 + org.glassfish.hk2:hk2-api@4.0.0-M1 + org.glassfish.hk2:hk2-utils@4.0.0-M1 + jakarta.annotation:jakarta.annotation-api@3.0.0-M1 + org.javassist:javassist@3.29.2-GA + org.glassfish.hk2:hk2-parent + 2.6.1 + 4.0.0-M1 + org.glassfish.hk2:hk2-utils + 2.6.1 + jakarta.annotation:jakarta.annotation-api@1.3.4 + org.glassfish.hk2.external:jakarta.inject@2.6.1 + Opt|javax.validation:validation-api@2.0.1.Final + Opt|org.hibernate.validator:hibernate-validator@6.0.10.Final + Opt|org.jboss.logging:jboss-logging@3.3.1.Final + Opt|com.fasterxml:classmate@1.3.3 + 4.0.0-M1 + 
jakarta.annotation:jakarta.annotation-api@3.0.0-M1 + jakarta.inject:jakarta.inject-api@2.0.1 + Opt|jakarta.validation:jakarta.validation-api@3.0.2 + Opt|org.hibernate.validator:hibernate-validator@8.0.1.Final + Opt|org.jboss.logging:jboss-logging@3.5.3.Final + Opt|com.fasterxml:classmate@1.6.0 + org.glassfish.hk2:osgi-resource-locator + 1.0.3 + Scope provided|org.osgi:osgi.core@6.0.0 + Scope provided|org.osgi:osgi.cmpn@6.0.0 + org.glassfish.jersey.containers:jersey-container-servlet-core + 2.30 + Scope provided|jakarta.servlet:jakarta.servlet-api@4.0.3 + Scope provided|jakarta.persistence:jakarta.persistence-api@2.2.3 + MavenExclusions javax.inject:javax.inject|org.glassfish.hk2.external:jakarta.inject@2.6.1 + org.glassfish.jersey.core:jersey-common@2.30 + org.glassfish.jersey.core:jersey-server@2.30 + jakarta.ws.rs:jakarta.ws.rs-api@2.1.6 + 4.0.0-M1 + Scope provided|jakarta.servlet:jakarta.servlet-api@6.1.0-M2 + Opt Scope provided|jakarta.persistence:jakarta.persistence-api@3.1.0 + jakarta.inject:jakarta.inject-api@2.0.1 + org.glassfish.jersey.core:jersey-common@4.0.0-M1 + org.glassfish.jersey.core:jersey-server@4.0.0-M1 + MavenExclusions jakarta.activation:jakarta.activation-api|jakarta.ws.rs:jakarta.ws.rs-api@3.1.0 + org.glassfish.jersey.containers:project + 2.30 + org.glassfish.jersey.core:jersey-common@2.30 + org.glassfish.jersey.core:jersey-server@2.30 + jakarta.ws.rs:jakarta.ws.rs-api@2.1.6 + 4.0.0-M1 + org.glassfish.jersey.core:jersey-common@4.0.0-M1 + org.glassfish.jersey.core:jersey-server@4.0.0-M1 + MavenExclusions jakarta.activation:jakarta.activation-api|jakarta.ws.rs:jakarta.ws.rs-api@3.1.0 + org.glassfish.jersey.core:jersey-client + 2.30 + jakarta.ws.rs:jakarta.ws.rs-api@2.1.6 + org.glassfish.jersey.core:jersey-common@2.30 + MavenExclusions javax.inject:javax.inject|org.glassfish.hk2.external:jakarta.inject@2.6.1 + 4.0.0-M1 + jakarta.ws.rs:jakarta.ws.rs-api@3.1.0 + org.glassfish.jersey.core:jersey-common@4.0.0-M1 + 
jakarta.inject:jakarta.inject-api@2.0.1 + org.glassfish.jersey.core:jersey-common + 2.30 + jakarta.ws.rs:jakarta.ws.rs-api@2.1.6 + jakarta.annotation:jakarta.annotation-api@1.3.5 + Scope provided|org.osgi:org.osgi.core@6.0.0 + MavenExclusions javax.inject:javax.inject|org.glassfish.hk2.external:jakarta.inject@2.6.1 + org.glassfish.hk2:osgi-resource-locator@1.0.3 + 2.34 + jakarta.ws.rs:jakarta.ws.rs-api@2.1.6 + jakarta.annotation:jakarta.annotation-api@1.3.5 + Scope provided|org.osgi:org.osgi.core@6.0.0 + MavenExclusions javax.inject:javax.inject|org.glassfish.hk2.external:jakarta.inject@2.6.1 + org.glassfish.hk2:osgi-resource-locator@1.0.3 + 4.0.0-M1 + jakarta.ws.rs:jakarta.ws.rs-api@3.1.0 + jakarta.annotation:jakarta.annotation-api@3.0.0-M1 + Opt Scope provided|org.eclipse.angus:angus-activation@2.0.2 + Scope provided|org.osgi:org.osgi.core@6.0.0 + jakarta.inject:jakarta.inject-api@2.0.1 + org.glassfish.hk2:osgi-resource-locator@1.0.3 + org.glassfish.jersey.core:jersey-server + 2.30 + org.glassfish.jersey.core:jersey-common@2.30 + org.glassfish.jersey.core:jersey-client@2.30 + jakarta.ws.rs:jakarta.ws.rs-api@2.1.6 + org.glassfish.jersey.media:jersey-media-jaxb@2.30 + jakarta.annotation:jakarta.annotation-api@1.3.5 + MavenExclusions javax.inject:javax.inject|org.glassfish.hk2.external:jakarta.inject@2.6.1 + jakarta.validation:jakarta.validation-api@2.0.2 + Scope provided|org.osgi:org.osgi.core@6.0.0 + 4.0.0-M1 + org.glassfish.jersey.core:jersey-common@4.0.0-M1 + org.glassfish.jersey.core:jersey-client@4.0.0-M1 + jakarta.ws.rs:jakarta.ws.rs-api@3.1.0 + jakarta.annotation:jakarta.annotation-api@3.0.0-M1 + jakarta.inject:jakarta.inject-api@2.0.1 + jakarta.validation:jakarta.validation-api@3.1.0-M1 + Scope provided|org.osgi:org.osgi.core@6.0.0 + Opt Scope provided|jakarta.xml.bind:jakarta.xml.bind-api@4.0.1 + org.glassfish.jersey.ext:jersey-entity-filtering + 2.30 + Scope provided|org.glassfish.jersey.core:jersey-client@2.30 + Scope 
provided|org.glassfish.jersey.core:jersey-server@2.30 + jakarta.ws.rs:jakarta.ws.rs-api@2.1.6 + 4.0.0-M1 + Scope provided|jakarta.xml.bind:jakarta.xml.bind-api@4.0.1 + Scope provided|org.glassfish.jersey.core:jersey-client@4.0.0-M1 + Scope provided|org.glassfish.jersey.core:jersey-server@4.0.0-M1 + jakarta.ws.rs:jakarta.ws.rs-api@3.1.0 + org.glassfish.jersey.ext:project + 2.30 + jakarta.ws.rs:jakarta.ws.rs-api@2.1.6 + 4.0.0-M1 + jakarta.ws.rs:jakarta.ws.rs-api@3.1.0 + org.glassfish.jersey.inject:jersey-hk2 + 2.30 + org.glassfish.jersey.core:jersey-common@2.30 + MavenExclusions jakarta.annotation:jakarta.annotation-api,org.javassist:javassist|org.glassfish.hk2:hk2-locator@2.6.1 + org.javassist:javassist@3.25.0-GA + 4.0.0-M1 + org.glassfish.jersey.core:jersey-common@4.0.0-M1 + MavenExclusions jakarta.annotation:jakarta.annotation-api,org.javassist:javassist,jakarta.inject:jakarta.inject-api|org.glassfish.hk2:hk2-locator@4.0.0-M1 + org.javassist:javassist@3.29.2-GA + org.glassfish.jersey.inject:project + 2.30 + 4.0.0-M1 + org.glassfish.jersey.media:jersey-media-jaxb + 2.30 + org.glassfish.jersey.core:jersey-common@2.30 + Scope provided|jakarta.xml.bind:jakarta.xml.bind-api@2.3.2 + MavenExclusions javax.inject:javax.inject|org.glassfish.hk2.external:jakarta.inject@2.6.1 + org.glassfish.hk2:osgi-resource-locator@1.0.3 + org.glassfish.jersey.media:jersey-media-json-jackson + 2.30 + org.glassfish.jersey.core:jersey-common@2.30 + org.glassfish.jersey.ext:jersey-entity-filtering@2.30 + com.fasterxml.jackson.core:jackson-annotations@2.9.9 + com.fasterxml.jackson.core:jackson-databind@2.9.9 + com.fasterxml.jackson.module:jackson-module-jaxb-annotations@2.9.9 + 4.0.0-M1 + MavenExclusions jakarta.activation:jakarta.activation-api|org.glassfish.jersey.core:jersey-common@4.0.0-M1 + org.glassfish.jersey.ext:jersey-entity-filtering@4.0.0-M1 + com.fasterxml.jackson.core:jackson-annotations@2.16.1 + com.fasterxml.jackson.core:jackson-databind@2.16.1 + Opt Scope provided 
MavenExclusions jakarta.xml.bind:jakarta.xml.bind-api,jakarta.activation:jakarta.activation-api|com.fasterxml.jackson.module:jackson-module-jaxb-annotations@2.16.1 + MavenExclusions jakarta.xml.bind:jakarta.xml.bind-api,jakarta.activation:jakarta.activation-api|com.fasterxml.jackson.module:jackson-module-jakarta-xmlbind-annotations@2.16.1 + jakarta.xml.bind:jakarta.xml.bind-api@4.0.1 + org.glassfish.jersey.media:project + 2.30 + 4.0.0-M1 + org.glassfish.jersey:project + 2.30 + 2.34 + 4.0.0-M1 + org.glassfish.web:jsp + 2.2 + org.hamcrest:hamcrest + 2.1 + 2.2-rc1 + 2.2 + org.hamcrest:hamcrest-all + 1.3 + org.hamcrest:hamcrest-core + 1.3 + org.hamcrest:hamcrest-parent + 1.3 + org.hdrhistogram:HdrHistogram + 2.1.12 + org.infinispan:infinispan-bom + 11.0.17.Final + org.infinispan:infinispan-build-configuration-parent + 11.0.17.Final + org.javassist:javassist + 3.25.0-GA + 3.29.2-GA + org.jboss.weld:weld-api-bom + 1.0 + org.jboss.weld:weld-api-parent + 1.0 + org.jboss.weld:weld-parent + 6 + org.jboss:jboss-parent + 35 + 36 + org.jetbrains:annotations + 15.0 + 17.0.0 + 24.0.1 + org.jline:jline + 3.9.0 + Opt|org.fusesource.jansi:jansi@1.17.1 + Opt|net.java.dev.jna:jna@4.2.2 + Opt|com.googlecode.juniversalchardet:juniversalchardet@1.0.3 + Opt|org.apache.sshd:sshd-core@1.4.0 + Opt|com.google.code.findbugs:jsr305@3.0.2 + org.jline:jline-parent + 3.9.0 + org.json:json + 20240303 + org.jsonschema2pojo:jsonschema2pojo + 1.0.2 + com.google.code.findbugs:annotations@1.3.9 + org.jsonschema2pojo:jsonschema2pojo-core + 1.0.2 + org.jsonschema2pojo:jsonschema2pojo-scalagen@1.0.2 + com.fasterxml.jackson.core:jackson-databind@2.9.10 + com.fasterxml.jackson.dataformat:jackson-dataformat-yaml@2.9.10 + org.scala-lang:scala-library@2.11.12 + com.google.code.javaparser:javaparser@1.0.10 + com.sun.codemodel:codemodel@2.6 + com.google.code.gson:gson@2.5 + com.google.code.findbugs:jsr305@3.0.1 + commons-lang:commons-lang@2.6 + commons-io:commons-io@2.4 + javax.validation:validation-api@1.0.0.GA 
+ joda-time:joda-time@2.2 + org.codehaus.jackson:jackson-mapper-asl@1.9.13 + com.google.code.findbugs:annotations@1.3.9 + org.jsoup:jsoup + 1.7.2 + 1.15.4 + Scope provided|com.google.code.findbugs:jsr305@3.0.2 + org.junit.jupiter:junit-jupiter-api + 5.7.1 + org.apiguardian:apiguardian-api@1.1.0 + org.opentest4j:opentest4j@1.2.0 + org.junit.platform:junit-platform-commons@1.7.1 + 5.9.3 + org.opentest4j:opentest4j@1.2.0 + org.junit.platform:junit-platform-commons@1.9.3 + org.apiguardian:apiguardian-api@1.1.2 + org.junit.jupiter:junit-jupiter-engine + 5.7.1 + org.apiguardian:apiguardian-api@1.1.0 + org.junit.platform:junit-platform-engine@1.7.1 + org.junit.jupiter:junit-jupiter-api@5.7.1 + 5.9.3 + org.junit.platform:junit-platform-engine@1.9.3 + org.junit.jupiter:junit-jupiter-api@5.9.3 + org.apiguardian:apiguardian-api@1.1.2 + org.junit.jupiter:junit-jupiter-params + 5.9.3 + org.junit.jupiter:junit-jupiter-api@5.9.3 + org.apiguardian:apiguardian-api@1.1.2 + org.junit.platform:junit-platform-commons + 1.7.1 + org.apiguardian:apiguardian-api@1.1.0 + 1.9.3 + org.apiguardian:apiguardian-api@1.1.2 + org.junit.platform:junit-platform-engine + 1.7.1 + org.apiguardian:apiguardian-api@1.1.0 + org.opentest4j:opentest4j@1.2.0 + org.junit.platform:junit-platform-commons@1.7.1 + 1.9.3 + org.opentest4j:opentest4j@1.2.0 + org.junit.platform:junit-platform-commons@1.9.3 + org.apiguardian:apiguardian-api@1.1.2 + org.junit:junit-bom + 5.7.1 + 5.9.1 + 5.9.2 + 5.9.3 + 5.10.0 + 5.10.1 + 5.10.2 + org.kohsuke:libpam4j + 1.9 + net.java.dev.jna:jna@4.1.0 + 1.11 + net.java.dev.jna:jna@4.5.2 + org.kohsuke:pom + 17 + org.latencyutils:LatencyUtils + 2.0.3 + org.hdrhistogram:HdrHistogram@2.1.8 + org.lz4:lz4-java + 1.7.1 + org.mockito:mockito-core + 3.12.4 + net.bytebuddy:byte-buddy@1.11.13 + net.bytebuddy:byte-buddy-agent@1.11.13 + org.objenesis:objenesis@3.2 + 5.9.0 + net.bytebuddy:byte-buddy@1.14.11 + net.bytebuddy:byte-buddy-agent@1.14.11 + Scope runtime|org.objenesis:objenesis@3.3 + 
org.mortbay.jetty:jetty-parent + 10 + org.mortbay.jetty:jetty-sslengine + 6.1.26 + org.mortbay.jetty:jetty@6.1.26 + org.mortbay.jetty:jetty-util + 6.1.26 + Scope provided|org.mortbay.jetty:servlet-api@2.5-20081211 + Opt|org.slf4j:slf4j-api@1.3.1 + org.mortbay.jetty:project + 6.1.26 + org.nibor.autolink:autolink + 0.6.0 + org.objenesis:objenesis + 2.5.1 + 2.6 + 3.3 + org.objenesis:objenesis-parent + 2.5.1 + 2.6 + 3.3 + org.opentest4j:opentest4j + 1.2.0 + org.osgi:org.osgi.core + 6.0.0 + org.ow2.asm:asm + 5.0.4 + 6.0 + 9.5 + org.ow2.asm:asm-analysis + 5.0.3 + org.ow2.asm:asm-tree@5.0.3 + org.ow2.asm:asm-commons + 5.0.2 + org.ow2.asm:asm-tree@5.0.2 + 6.0 + org.ow2.asm:asm-tree@6.0 + 9.5 + org.ow2.asm:asm@9.5 + org.ow2.asm:asm-tree@9.5 + 9.6 + org.ow2.asm:asm@9.6 + org.ow2.asm:asm-tree@9.6 + org.ow2.asm:asm-debug-all + 5.0.2 + org.ow2.asm:asm-parent + 5.0.2 + 5.0.3 + 5.0.4 + 6.0 + org.ow2.asm:asm-tree + 5.0.2 + org.ow2.asm:asm@5.0.2 + 5.0.3 + org.ow2.asm:asm@5.0.3 + 6.0 + org.ow2.asm:asm@6.0 + 9.5 + org.ow2.asm:asm@9.5 + 9.6 + org.ow2.asm:asm@9.6 + org.ow2.asm:asm-util + 5.0.3 + org.ow2.asm:asm-tree@5.0.3 + org.ow2:ow2 + 1.3 + 1.5.1 + org.owasp.encoder:encoder + 1.2.3 + org.owasp.encoder:encoder-parent + 1.2.3 + org.parboiled:parboiled-core + 1.1.7 + org.parboiled:parboiled-java + 1.1.7 + org.parboiled:parboiled-core@1.1.7 + org.ow2.asm:asm@5.0.3 + org.ow2.asm:asm-tree@5.0.3 + org.ow2.asm:asm-analysis@5.0.3 + org.ow2.asm:asm-util@5.0.3 + org.pegdown:pegdown + 1.6.0 + org.parboiled:parboiled-java@1.1.7 + org.quartz-scheduler:quartz + 2.3.2 + com.mchange:c3p0@0.9.5.4 + com.mchange:mchange-commons-java@0.2.15 + com.zaxxer:HikariCP-java7@2.4.13 + org.slf4j:slf4j-api@1.7.7 + 2.5.0-rc1 + Scope runtime|org.slf4j:slf4j-api@1.7.36 + Scope provided|com.mchange:c3p0@0.9.5.5 + Scope provided|com.zaxxer:HikariCP@5.0.1 + Scope runtime|jakarta.xml.bind:jakarta.xml.bind-api@4.0.0 + Scope provided|org.slf4j:slf4j-log4j12@1.7.36 + org.quartz-scheduler:quartz-parent + 2.3.2 + 
org.reactivestreams:reactive-streams + 1.0.3 + org.rnorth.duct-tape:duct-tape + 1.0.7 + Scope provided|org.slf4j:slf4j-api@1.7.7 + org.jetbrains:annotations@13.0 + 1.0.8 + Scope provided|org.slf4j:slf4j-api@1.7.7 + org.jetbrains:annotations@17.0.0 + org.rnorth.visible-assertions:visible-assertions + 2.1.1 + Scope provided|junit:junit@4.12 + net.java.dev.jna:jna@4.5.1 + org.rnorth:tcp-unix-socket-proxy + 1.0.2 + com.kohlschutter.junixsocket:junixsocket-native-common@2.0.4 + com.kohlschutter.junixsocket:junixsocket-common@2.0.4 + org.slf4j:slf4j-api@1.7.21 + org.scijava:native-lib-loader + 2.0.2 + org.scijava:pom-scijava + 3.1 + org.seleniumhq.selenium:selenium-api + 2.48.2 + com.google.guava:guava@18.0 + com.google.code.gson:gson@2.3.1 + org.apache.httpcomponents:httpclient@4.5.1 + 4.9.1 + org.seleniumhq.selenium:selenium-chrome-driver + 2.48.2 + org.seleniumhq.selenium:selenium-remote-driver@2.48.2 + 4.9.1 + com.google.auto.service:auto-service-annotations@1.0.1 + com.google.auto.service:auto-service@1.0.1 + com.google.guava:guava@31.1-jre + org.seleniumhq.selenium:selenium-api@4.9.1 + org.seleniumhq.selenium:selenium-chromium-driver@4.9.1 + org.seleniumhq.selenium:selenium-json@4.9.1 + org.seleniumhq.selenium:selenium-manager@4.9.1 + org.seleniumhq.selenium:selenium-remote-driver@4.9.1 + org.seleniumhq.selenium:selenium-chromium-driver + 4.9.1 + com.google.auto.service:auto-service-annotations@1.0.1 + com.google.auto.service:auto-service@1.0.1 + com.google.guava:guava@31.1-jre + org.seleniumhq.selenium:selenium-json@4.9.1 + org.seleniumhq.selenium:selenium-remote-driver@4.9.1 + org.seleniumhq.selenium:selenium-devtools-v111 + 4.9.1 + com.google.auto.service:auto-service-annotations@1.0.1 + com.google.auto.service:auto-service@1.0.1 + com.google.guava:guava@31.1-jre + org.seleniumhq.selenium:selenium-api@4.9.1 + org.seleniumhq.selenium:selenium-json@4.9.1 + org.seleniumhq.selenium:selenium-remote-driver@4.9.1 + org.seleniumhq.selenium:selenium-devtools-v112 + 4.9.1 
+ com.google.auto.service:auto-service-annotations@1.0.1 + com.google.auto.service:auto-service@1.0.1 + com.google.guava:guava@31.1-jre + org.seleniumhq.selenium:selenium-api@4.9.1 + org.seleniumhq.selenium:selenium-json@4.9.1 + org.seleniumhq.selenium:selenium-remote-driver@4.9.1 + org.seleniumhq.selenium:selenium-devtools-v113 + 4.9.1 + com.google.auto.service:auto-service-annotations@1.0.1 + com.google.auto.service:auto-service@1.0.1 + com.google.guava:guava@31.1-jre + org.seleniumhq.selenium:selenium-api@4.9.1 + org.seleniumhq.selenium:selenium-json@4.9.1 + org.seleniumhq.selenium:selenium-remote-driver@4.9.1 + org.seleniumhq.selenium:selenium-devtools-v85 + 4.9.1 + com.google.auto.service:auto-service-annotations@1.0.1 + com.google.auto.service:auto-service@1.0.1 + com.google.guava:guava@31.1-jre + org.seleniumhq.selenium:selenium-api@4.9.1 + org.seleniumhq.selenium:selenium-json@4.9.1 + org.seleniumhq.selenium:selenium-remote-driver@4.9.1 + org.seleniumhq.selenium:selenium-edge-driver + 2.48.2 + org.seleniumhq.selenium:selenium-remote-driver@2.48.2 + commons-io:commons-io@2.4 + org.apache.commons:commons-exec@1.3 + 4.9.1 + com.google.auto.service:auto-service-annotations@1.0.1 + com.google.auto.service:auto-service@1.0.1 + com.google.guava:guava@31.1-jre + org.seleniumhq.selenium:selenium-api@4.9.1 + org.seleniumhq.selenium:selenium-chromium-driver@4.9.1 + org.seleniumhq.selenium:selenium-manager@4.9.1 + org.seleniumhq.selenium:selenium-remote-driver@4.9.1 + org.seleniumhq.selenium:selenium-firefox-driver + 2.48.2 + org.seleniumhq.selenium:selenium-remote-driver@2.48.2 + commons-io:commons-io@2.4 + org.apache.commons:commons-exec@1.3 + 4.9.1 + com.google.auto.service:auto-service-annotations@1.0.1 + com.google.auto.service:auto-service@1.0.1 + com.google.guava:guava@31.1-jre + org.seleniumhq.selenium:selenium-api@4.9.1 + org.seleniumhq.selenium:selenium-devtools-v85@4.9.1 + org.seleniumhq.selenium:selenium-http@4.9.1 + 
org.seleniumhq.selenium:selenium-json@4.9.1 + org.seleniumhq.selenium:selenium-manager@4.9.1 + org.seleniumhq.selenium:selenium-remote-driver@4.9.1 + org.seleniumhq.selenium:selenium-htmlunit-driver + 2.48.2 + org.seleniumhq.selenium:selenium-support@2.48.2 + net.sourceforge.htmlunit:htmlunit@2.18 + org.apache.httpcomponents:httpclient@4.5.1 + org.seleniumhq.selenium:selenium-http + 4.9.1 + com.google.guava:guava@31.1-jre + dev.failsafe:failsafe@3.3.1 + org.seleniumhq.selenium:selenium-api@4.9.1 + org.seleniumhq.selenium:selenium-json@4.9.1 + org.seleniumhq.selenium:selenium-ie-driver + 2.48.2 + net.java.dev.jna:jna@4.1.0 + net.java.dev.jna:jna-platform@4.1.0 + org.seleniumhq.selenium:selenium-remote-driver@2.48.2 + 4.9.1 + com.google.auto.service:auto-service-annotations@1.0.1 + com.google.auto.service:auto-service@1.0.1 + org.seleniumhq.selenium:selenium-api@4.9.1 + org.seleniumhq.selenium:selenium-manager@4.9.1 + org.seleniumhq.selenium:selenium-remote-driver@4.9.1 + org.seleniumhq.selenium:selenium-java + 2.48.2 + org.seleniumhq.selenium:selenium-chrome-driver@2.48.2 + org.seleniumhq.selenium:selenium-edge-driver@2.48.2 + org.seleniumhq.selenium:selenium-htmlunit-driver@2.48.2 + org.seleniumhq.selenium:selenium-firefox-driver@2.48.2 + org.seleniumhq.selenium:selenium-ie-driver@2.48.2 + org.seleniumhq.selenium:selenium-safari-driver@2.48.2 + org.seleniumhq.selenium:selenium-support@2.48.2 + org.webbitserver:webbit@0.4.14 + org.seleniumhq.selenium:selenium-leg-rc@2.48.2 + 4.9.1 + org.seleniumhq.selenium:selenium-api@4.9.1 + org.seleniumhq.selenium:selenium-chrome-driver@4.9.1 + org.seleniumhq.selenium:selenium-devtools-v111@4.9.1 + org.seleniumhq.selenium:selenium-devtools-v112@4.9.1 + org.seleniumhq.selenium:selenium-devtools-v113@4.9.1 + org.seleniumhq.selenium:selenium-devtools-v85@4.9.1 + org.seleniumhq.selenium:selenium-edge-driver@4.9.1 + org.seleniumhq.selenium:selenium-firefox-driver@4.9.1 + org.seleniumhq.selenium:selenium-ie-driver@4.9.1 + 
org.seleniumhq.selenium:selenium-remote-driver@4.9.1 + org.seleniumhq.selenium:selenium-safari-driver@4.9.1 + org.seleniumhq.selenium:selenium-support@4.9.1 + org.seleniumhq.selenium:selenium-json + 4.9.1 + org.seleniumhq.selenium:selenium-api@4.9.1 + org.seleniumhq.selenium:selenium-leg-rc + 2.48.2 + org.seleniumhq.selenium:selenium-remote-driver@2.48.2 + Opt|junit:junit@4.12 + Opt|org.testng:testng@6.8 + org.seleniumhq.selenium:selenium-manager + 4.9.1 + com.google.guava:guava@31.1-jre + org.seleniumhq.selenium:selenium-api@4.9.1 + org.seleniumhq.selenium:selenium-json@4.9.1 + org.seleniumhq.selenium:selenium-parent + 2.48.2 + org.seleniumhq.selenium:selenium-remote-driver + 2.48.2 + cglib:cglib-nodep@2.1_3 + com.google.code.gson:gson@2.3.1 + org.seleniumhq.selenium:selenium-api@2.48.2 + org.apache.httpcomponents:httpclient@4.5.1 + com.google.guava:guava@18.0 + org.apache.commons:commons-exec@1.3 + net.java.dev.jna:jna@4.1.0 + net.java.dev.jna:jna-platform@4.1.0 + 4.9.1 + com.beust:jcommander@1.82 + com.google.auto.service:auto-service-annotations@1.0.1 + com.google.auto.service:auto-service@1.0.1 + com.google.guava:guava@31.1-jre + io.netty:netty-buffer@4.1.91.Final + io.netty:netty-codec-http@4.1.91.Final + io.netty:netty-common@4.1.91.Final + io.netty:netty-transport-classes-epoll@4.1.91.Final + io.netty:netty-transport-classes-kqueue@4.1.91.Final + io.netty:netty-transport-native-epoll@4.1.91.Final + io.netty:netty-transport-native-kqueue@4.1.91.Final + io.netty:netty-transport-native-unix-common@4.1.91.Final + io.netty:netty-transport@4.1.91.Final + io.opentelemetry:opentelemetry-api@1.25.0 + io.opentelemetry:opentelemetry-context@1.25.0 + io.opentelemetry:opentelemetry-exporter-logging@1.25.0 + io.opentelemetry:opentelemetry-sdk-common@1.25.0 + io.opentelemetry:opentelemetry-sdk-extension-autoconfigure-spi@1.25.0 + io.opentelemetry:opentelemetry-sdk-extension-autoconfigure@1.25.0-alpha + io.opentelemetry:opentelemetry-sdk-trace@1.25.0 + 
io.opentelemetry:opentelemetry-sdk@1.25.0 + io.opentelemetry:opentelemetry-semconv@1.25.0-alpha + io.ous:jtoml@2.0.0 + net.bytebuddy:byte-buddy@1.14.4 + org.apache.commons:commons-exec@1.3 + org.asynchttpclient:async-http-client@2.12.3 + org.seleniumhq.selenium:selenium-api@4.9.1 + org.seleniumhq.selenium:selenium-http@4.9.1 + org.seleniumhq.selenium:selenium-json@4.9.1 + org.seleniumhq.selenium:selenium-manager@4.9.1 + org.seleniumhq.selenium:selenium-safari-driver + 2.48.2 + org.seleniumhq.selenium:selenium-remote-driver@2.48.2 + org.webbitserver:webbit@0.4.14 + 4.9.1 + com.google.auto.service:auto-service-annotations@1.0.1 + com.google.auto.service:auto-service@1.0.1 + com.google.guava:guava@31.1-jre + org.seleniumhq.selenium:selenium-api@4.9.1 + org.seleniumhq.selenium:selenium-remote-driver@4.9.1 + org.seleniumhq.selenium:selenium-support + 2.48.2 + org.seleniumhq.selenium:selenium-remote-driver@2.48.2 + Opt|org.hamcrest:hamcrest-all@1.3 + Opt|junit:junit@4.12 + 4.9.1 + com.google.auto.service:auto-service-annotations@1.0.1 + com.google.auto.service:auto-service@1.0.1 + com.google.guava:guava@31.1-jre + net.bytebuddy:byte-buddy@1.14.4 + org.seleniumhq.selenium:selenium-api@4.9.1 + org.seleniumhq.selenium:selenium-json@4.9.1 + org.seleniumhq.selenium:selenium-remote-driver@4.9.1 + org.slf4j:jcl-over-slf4j + 1.7.35 + org.slf4j:slf4j-api@1.7.35 + 2.1.0-alpha1 + org.slf4j:slf4j-api@2.1.0-alpha1 + org.slf4j:slf4j-api + 1.7.12 + 1.7.25 + 1.7.30 + 1.7.35 + 1.7.36 + 2.0.13 + 2.1.0-alpha1 + org.slf4j:slf4j-bom + 2.0.13 + 2.1.0-alpha1 + org.slf4j:slf4j-ext + 1.7.25 + org.slf4j:slf4j-api@1.7.25 + Opt|ch.qos.cal10n:cal10n-api@0.8.1 + Opt|javassist:javassist@3.4.GA + Opt|commons-lang:commons-lang@2.4 + org.slf4j:slf4j-log4j12 + 1.7.30 + org.slf4j:slf4j-api@1.7.30 + log4j:log4j@1.2.17 + 1.7.36 + org.slf4j:slf4j-parent + 1.7.12 + 1.7.25 + 1.7.30 + 1.7.35 + 1.7.36 + 2.0.13 + 2.1.0-alpha1 + org.slf4j:slf4j-reload4j + 1.7.35 + org.slf4j:slf4j-api@1.7.35 + 
ch.qos.reload4j:reload4j@1.2.18.3 + 1.7.36 + org.slf4j:slf4j-api@1.7.36 + ch.qos.reload4j:reload4j@1.2.19 + 2.1.0-alpha1 + org.slf4j:slf4j-api@2.1.0-alpha1 + ch.qos.reload4j:reload4j@1.2.25 + org.sonatype.aether:aether + 1.12 + org.sonatype.aether:aether-api + 1.12 + org.sonatype.aether:aether-connector-file + 1.12 + org.sonatype.aether:aether-api@1.12 + org.sonatype.aether:aether-spi@1.12 + org.sonatype.aether:aether-util@1.12 + Scope provided|org.codehaus.plexus:plexus-component-annotations@1.5.5 + org.sonatype.aether:aether-connector-wagon + 1.12 + org.sonatype.aether:aether-api@1.12 + org.sonatype.aether:aether-spi@1.12 + org.sonatype.aether:aether-util@1.12 + org.apache.maven.wagon:wagon-provider-api@1.0-beta-6 + Scope provided|org.codehaus.plexus:plexus-component-annotations@1.5.5 + org.codehaus.plexus:plexus-classworlds@2.4 + org.codehaus.plexus:plexus-utils@2.0.7 + org.sonatype.sisu:sisu-inject-plexus@2.2.2 + org.sonatype.aether:aether-impl + 1.12 + org.sonatype.aether:aether-api@1.12 + org.sonatype.aether:aether-spi@1.12 + org.sonatype.aether:aether-util@1.12 + Scope provided|org.codehaus.plexus:plexus-component-annotations@1.5.5 + Scope provided MavenExclusions org.codehaus.plexus:plexus-classworlds,org.codehaus.plexus:plexus-utils,org.sonatype.sisu:sisu-inject-bean|org.sonatype.sisu:sisu-inject-plexus@2.2.2 + Scope provided|org.slf4j:slf4j-api@1.6.1 + org.sonatype.aether:aether-spi + 1.12 + org.sonatype.aether:aether-api@1.12 + org.sonatype.aether:aether-util + 1.12 + org.sonatype.aether:aether-api@1.12 + org.sonatype.forge:forge-parent + 5 + 6 + 9 + org.sonatype.oss:oss-parent + 5 + 6 + 7 + 9 + org.sonatype.plexus:plexus-build-api + 0.0.7 + org.codehaus.plexus:plexus-utils@1.5.8 + Scope provided MavenExclusions commons-logging:commons-logging,commons-logging:commons-logging-api,log4j:log4j|org.codehaus.plexus:plexus-container-default@1.0-alpha-9 + org.sonatype.sisu.inject:cglib + 2.2.1-v20090111 + asm:asm@3.1 + Opt|asm:asm-util@3.1 + 
Opt|org.apache.ant:ant@1.8.1 + org.sonatype.sisu.inject:containers + 2.2.2 + org.sonatype.sisu.inject:guice-bean + 2.2.2 + org.sonatype.sisu.inject:guice-parent + 3.0.2 + org.sonatype.sisu.inject:guice-plexus + 2.2.2 + org.sonatype.sisu:sisu-guice + 3.0.2 + javax.inject:javax.inject@1 + aopalliance:aopalliance@1.0 + Opt|org.slf4j:slf4j-api@1.6.1 + org.sonatype.sisu.inject:cglib@2.2.1-v20090111 + org.sonatype.sisu:sisu-inject + 2.2.2 + org.sonatype.sisu:sisu-inject-bean + 2.2.2 + MavenClassifier no_aop MavenExclusions javax.inject:javax.inject,aopalliance:aopalliance|org.sonatype.sisu:sisu-guice@3.0.2 + Opt|org.sonatype.sisu.inject:guice-bean-containers@2.2.2 + Opt|org.osgi:org.osgi.core@4.2.0 + Opt|org.osgi:org.osgi.compendium@4.2.0 + Opt|org.testng:testng@6.0.1 + org.sonatype.sisu:sisu-inject-plexus + 2.2.2 + org.codehaus.plexus:plexus-component-annotations@1.5.5 + org.codehaus.plexus:plexus-classworlds@2.4 + org.codehaus.plexus:plexus-utils@2.0.7 + org.sonatype.sisu:sisu-inject-bean@2.2.2 + Opt|org.sonatype.sisu.inject:guice-plexus-shim@2.2.2 + Opt|org.slf4j:slf4j-api@1.6.1 + Opt|junit:junit@4.8.2 + org.sonatype.sisu:sisu-parent + 2.2.2 + org.sonatype.spice:spice-parent + 15 + org.testcontainers:junit-jupiter + 1.19.8 + org.testcontainers:testcontainers@1.19.8 + org.testcontainers:neo4j + 1.19.8 + org.testcontainers:testcontainers@1.19.8 + org.testcontainers:testcontainers + 1.9.1 + junit:junit@4.12 + org.slf4j:slf4j-api@1.7.25 + org.slf4j:slf4j-ext@1.7.25 + org.jetbrains:annotations@15.0 + javax.annotation:javax.annotation-api@1.3.1 + com.google.code.findbugs:jsr305@3.0.2 + org.apache.commons:commons-compress@1.16.1 + javax.xml.bind:jaxb-api@2.3.0 + MavenExclusions org.jetbrains:annotations|org.rnorth.duct-tape:duct-tape@1.0.7 + org.rnorth.visible-assertions:visible-assertions@2.1.1 + MavenExclusions log4j:log4j|org.rnorth:tcp-unix-socket-proxy@1.0.2 + net.java.dev.jna:jna-platform@4.5.1 + 1.19.8 + junit:junit@4.13.2 + org.slf4j:slf4j-api@1.7.36 + 
org.apache.commons:commons-compress@1.24.0 + org.rnorth.duct-tape:duct-tape@1.0.8 + com.github.docker-java:docker-java-api@3.3.6 + com.github.docker-java:docker-java-transport-zerodep@3.3.6 + Scope provided|com.google.cloud.tools:jib-core@0.23.0 + org.testcontainers:testcontainers-bom + 1.16.1 + org.tukaani:xz + 1.2 + org.w3c.css:sac + 1.3 + org.webbitserver:webbit + 0.4.14 + io.netty:netty@3.5.2.Final + org.wildfly.openssl:wildfly-openssl-java + 1.1.3.Final + org.wildfly.openssl:wildfly-openssl-parent + 1.1.3.Final + org.xerial.snappy:snappy-java + 1.1.10.4 + Scope provided|org.osgi:org.osgi.core@6.0.0 + xalan:serializer + 2.7.2 + xml-apis:xml-apis@1.3.04 + Opt|xerces:xercesImpl@2.9.1 + xalan:xalan + 2.7.2 + xalan:serializer@2.7.2 + Opt|xerces:xercesImpl@2.9.1 + 2.7.3 + xerces:xercesImpl + 2.11.0 + xml-apis:xml-apis@1.4.01 + Opt|xml-resolver:xml-resolver@1.2 + 2.12.0 + xml-apis:xml-apis@1.4.01 + Opt|xml-resolver:xml-resolver@1.2 + 2.12.1 + xml-apis:xml-apis@1.4.01 + Opt|xml-resolver:xml-resolver@1.2 + 2.12.2 + xml-apis:xml-apis@1.4.01 + Opt|xml-resolver:xml-resolver@1.2 + xml-apis:xml-apis + 1.4.01 + 2.0.2 + xmlenc:xmlenc + 0.52 +vulns: + - schema_version: 1.6.0 + id: GHSA-vmfg-rjjm-rjrj + modified: 2024-03-09T05:18:12.019858Z + published: 2021-06-07T16:07:36Z + aliases: + - CVE-2017-5929 + summary: QOS.ch Logback vulnerable to Deserialization of Untrusted Data + details: QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderClient class in logback-classic and the SocketNode classes in logback-classic and logback-access allow data to be deserialized over a Java Socket, via an ObjectInputStream, without validating the data beforehand. 
When data is received from the Socket, to be logged, it is deserialized into Java objects.An attacker can exploit this vulnerability by sending malicious, serialized Java objects over the connection to the Socket, which may result in execution of arbitrary code when those objects are deserialized. Note that although logback-core is implicated by the Logback project here, the Sonatype Security Research team discovered that the vulnerability is actually present in the logback-classic and logback-access components. Versions prior to 1.2.0 are vulnerable, as stated in the advisory. + affected: + - package: + ecosystem: Maven + name: ch.qos.logback:logback-classic + purl: pkg:maven/ch.qos.logback/logback-classic + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.2.0 + versions: + - 0.2.5 + - "0.3" + - "0.5" + - "0.6" + - "0.7" + - 0.7.1 + - "0.8" + - 0.8.1 + - "0.9" + - 0.9.1 + - 0.9.10 + - 0.9.11 + - 0.9.12 + - 0.9.13 + - 0.9.14 + - 0.9.15 + - 0.9.16 + - 0.9.17 + - 0.9.18 + - 0.9.19 + - 0.9.2 + - 0.9.20 + - 0.9.21 + - 0.9.22 + - 0.9.23 + - 0.9.24 + - 0.9.25 + - 0.9.26 + - 0.9.27 + - 0.9.28 + - 0.9.29 + - 0.9.3 + - 0.9.30 + - 0.9.4 + - 0.9.5 + - 0.9.6 + - 0.9.7 + - 0.9.8 + - 0.9.9 + - 1.0.0 + - 1.0.1 + - 1.0.10 + - 1.0.11 + - 1.0.12 + - 1.0.13 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.0.5 + - 1.0.6 + - 1.0.7 + - 1.0.8 + - 1.0.9 + - 1.1.0 + - 1.1.1 + - 1.1.10 + - 1.1.11 + - 1.1.2 + - 1.1.3 + - 1.1.4 + - 1.1.5 + - 1.1.6 + - 1.1.7 + - 1.1.8 + - 1.1.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-vmfg-rjjm-rjrj/GHSA-vmfg-rjjm-rjrj.json + - package: + ecosystem: Maven + name: ch.qos.logback:logback-core + purl: pkg:maven/ch.qos.logback/logback-core + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.2.0 + versions: + - 0.2.5 + - "0.3" + - "0.5" + - "0.6" + - "0.7" + - 0.7.1 + - "0.8" + - 0.8.1 + - "0.9" + - 0.9.1 + - 0.9.10 + - 0.9.11 + - 0.9.12 + - 0.9.13 + - 
0.9.14 + - 0.9.15 + - 0.9.16 + - 0.9.17 + - 0.9.18 + - 0.9.19 + - 0.9.2 + - 0.9.20 + - 0.9.21 + - 0.9.22 + - 0.9.23 + - 0.9.24 + - 0.9.25 + - 0.9.26 + - 0.9.27 + - 0.9.28 + - 0.9.29 + - 0.9.3 + - 0.9.30 + - 0.9.4 + - 0.9.5 + - 0.9.6 + - 0.9.7 + - 0.9.8 + - 0.9.9 + - 1.0.0 + - 1.0.1 + - 1.0.10 + - 1.0.11 + - 1.0.12 + - 1.0.13 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.0.5 + - 1.0.6 + - 1.0.7 + - 1.0.8 + - 1.0.9 + - 1.1.0 + - 1.1.1 + - 1.1.10 + - 1.1.11 + - 1.1.2 + - 1.1.3 + - 1.1.4 + - 1.1.5 + - 1.1.6 + - 1.1.7 + - 1.1.8 + - 1.1.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-vmfg-rjjm-rjrj/GHSA-vmfg-rjjm-rjrj.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-5929 + - type: WEB + url: https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8 + - type: WEB + url: https://logback.qos.ch/news.html + - type: WEB + url: https://lists.apache.org/thread.html/re9b787727291786dfe088e3cd078c7d195c0b5781e15d3cd24a3b2fc@%3Cdev.mnemonic.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd2227af3c9ada2a72dc72ed05517f5857a34d487580e1f2803922ff9@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc5f0cc2f3b153bdf15ee7389d78585829abc9c7af4d322ba1085dd3e@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbb4dfca2f7e3e8f3570eec21c79832d33a51dfde6762725660b60169@%3Cdev.mnemonic.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra007cec726a3927c918ec94c4316d05d1829c49eae8dc3648adc35e2@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9@%3Cdev.brooklyn.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r718f27bed898008a8e037d9cc848cfc1df4d18abcbaee0cb0c142cfb@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r632ec30791b441e2eb5a3129532bf1b689bf181d0ef7daf50bcf0fd6@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4673642893562c58cbee60c151ded6c077e8a2d02296e862224a9161@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r397bf63783240fbb5713389d3f889d287ae0c11509006700ac720037@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2c2d57ca180e8173c90fe313ddf8eabbdcf8e3ae196f8b9f42599790@%3Ccommits.mnemonic.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2a08573ddee4a86dc96d469485a5843a01710ee0dc2078dfca410c79@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0bb19330e48d5ad784fa20dacba9e5538d8d60f5cd9142e0f1432b4b@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/fa4eaaa6ff41ac6f79811e053c152ee89b7c5da8a6ac848ae97df67f@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/a6db61616180d73711d6db25703085940026e2dbc40f153f9d22b203@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/18d509024d9aeb07f0e9579066f80bf5d4dcf20467b0c240043890d1@%3Ccommits.cassandra.apache.org%3E + - type: PACKAGE + url: https://github.com/qos-ch/logback + - type: WEB + url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2927 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:1832 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:1676 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:1675 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: 
"2021-06-04T20:45:34Z" + nvd_published_at: "2017-03-13T06:59:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-vmq6-5m68-f53m + modified: 2024-02-16T08:07:48.81685Z + published: 2023-11-29T12:30:16Z + aliases: + - CVE-2023-6378 + summary: logback serialization vulnerability + details: |- + A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. + + This is only exploitable if logback receiver component is deployed. See https://logback.qos.ch/manual/receivers.html + affected: + - package: + ecosystem: Maven + name: ch.qos.logback:logback-classic + purl: pkg:maven/ch.qos.logback/logback-classic + ranges: + - type: ECOSYSTEM + events: + - introduced: 1.3.0 + - fixed: 1.3.12 + versions: + - 1.3.0 + - 1.3.1 + - 1.3.10 + - 1.3.11 + - 1.3.2 + - 1.3.3 + - 1.3.4 + - 1.3.5 + - 1.3.6 + - 1.3.7 + - 1.3.8 + - 1.3.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vmq6-5m68-f53m/GHSA-vmq6-5m68-f53m.json + - package: + ecosystem: Maven + name: ch.qos.logback:logback-classic + purl: pkg:maven/ch.qos.logback/logback-classic + ranges: + - type: ECOSYSTEM + events: + - introduced: 1.4.0 + - fixed: 1.4.12 + versions: + - 1.4.0 + - 1.4.1 + - 1.4.10 + - 1.4.11 + - 1.4.2 + - 1.4.3 + - 1.4.4 + - 1.4.5 + - 1.4.6 + - 1.4.7 + - 1.4.8 + - 1.4.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vmq6-5m68-f53m/GHSA-vmq6-5m68-f53m.json + - package: + ecosystem: Maven + name: ch.qos.logback:logback-core + purl: pkg:maven/ch.qos.logback/logback-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 1.3.0 + - fixed: 1.3.12 + versions: + - 1.3.0 + - 1.3.1 + - 1.3.10 + - 1.3.11 + - 1.3.2 + - 1.3.3 + - 1.3.4 + - 1.3.5 + - 1.3.6 + - 1.3.7 + - 1.3.8 + - 1.3.9 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vmq6-5m68-f53m/GHSA-vmq6-5m68-f53m.json + - package: + ecosystem: Maven + name: ch.qos.logback:logback-core + purl: pkg:maven/ch.qos.logback/logback-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 1.4.0 + - fixed: 1.4.12 + versions: + - 1.4.0 + - 1.4.1 + - 1.4.10 + - 1.4.11 + - 1.4.2 + - 1.4.3 + - 1.4.4 + - 1.4.5 + - 1.4.6 + - 1.4.7 + - 1.4.8 + - 1.4.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vmq6-5m68-f53m/GHSA-vmq6-5m68-f53m.json + - package: + ecosystem: Maven + name: ch.qos.logback:logback-core + purl: pkg:maven/ch.qos.logback/logback-core + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.2.13 + versions: + - 0.2.5 + - "0.3" + - "0.5" + - "0.6" + - "0.7" + - 0.7.1 + - "0.8" + - 0.8.1 + - "0.9" + - 0.9.1 + - 0.9.10 + - 0.9.11 + - 0.9.12 + - 0.9.13 + - 0.9.14 + - 0.9.15 + - 0.9.16 + - 0.9.17 + - 0.9.18 + - 0.9.19 + - 0.9.2 + - 0.9.20 + - 0.9.21 + - 0.9.22 + - 0.9.23 + - 0.9.24 + - 0.9.25 + - 0.9.26 + - 0.9.27 + - 0.9.28 + - 0.9.29 + - 0.9.3 + - 0.9.30 + - 0.9.4 + - 0.9.5 + - 0.9.6 + - 0.9.7 + - 0.9.8 + - 0.9.9 + - 1.0.0 + - 1.0.1 + - 1.0.10 + - 1.0.11 + - 1.0.12 + - 1.0.13 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.0.5 + - 1.0.6 + - 1.0.7 + - 1.0.8 + - 1.0.9 + - 1.1.0 + - 1.1.1 + - 1.1.10 + - 1.1.11 + - 1.1.2 + - 1.1.3 + - 1.1.4 + - 1.1.5 + - 1.1.6 + - 1.1.7 + - 1.1.8 + - 1.1.9 + - 1.2.0 + - 1.2.1 + - 1.2.10 + - 1.2.11 + - 1.2.12 + - 1.2.2 + - 1.2.3 + - 1.2.4 + - 1.2.4-groovyless + - 1.2.5 + - 1.2.6 + - 1.2.7 + - 1.2.8 + - 1.2.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vmq6-5m68-f53m/GHSA-vmq6-5m68-f53m.json + - package: + ecosystem: Maven + name: ch.qos.logback:logback-classic + purl: pkg:maven/ch.qos.logback/logback-classic + ranges: + - type: ECOSYSTEM + events: + - 
introduced: "0" + - fixed: 1.2.13 + versions: + - 0.2.5 + - "0.3" + - "0.5" + - "0.6" + - "0.7" + - 0.7.1 + - "0.8" + - 0.8.1 + - "0.9" + - 0.9.1 + - 0.9.10 + - 0.9.11 + - 0.9.12 + - 0.9.13 + - 0.9.14 + - 0.9.15 + - 0.9.16 + - 0.9.17 + - 0.9.18 + - 0.9.19 + - 0.9.2 + - 0.9.20 + - 0.9.21 + - 0.9.22 + - 0.9.23 + - 0.9.24 + - 0.9.25 + - 0.9.26 + - 0.9.27 + - 0.9.28 + - 0.9.29 + - 0.9.3 + - 0.9.30 + - 0.9.4 + - 0.9.5 + - 0.9.6 + - 0.9.7 + - 0.9.8 + - 0.9.9 + - 1.0.0 + - 1.0.1 + - 1.0.10 + - 1.0.11 + - 1.0.12 + - 1.0.13 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.0.5 + - 1.0.6 + - 1.0.7 + - 1.0.8 + - 1.0.9 + - 1.1.0 + - 1.1.1 + - 1.1.10 + - 1.1.11 + - 1.1.2 + - 1.1.3 + - 1.1.4 + - 1.1.5 + - 1.1.6 + - 1.1.7 + - 1.1.8 + - 1.1.9 + - 1.2.0 + - 1.2.1 + - 1.2.10 + - 1.2.11 + - 1.2.12 + - 1.2.2 + - 1.2.3 + - 1.2.4 + - 1.2.4-groovyless + - 1.2.5 + - 1.2.6 + - 1.2.7 + - 1.2.8 + - 1.2.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vmq6-5m68-f53m/GHSA-vmq6-5m68-f53m.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-6378 + - type: WEB + url: https://github.com/qos-ch/logback/issues/745#issuecomment-1836227158 + - type: WEB + url: https://github.com/qos-ch/logback/commit/9c782b45be4abdafb7e17481e24e7354c2acd1eb + - type: WEB + url: https://github.com/qos-ch/logback/commit/b8eac23a9de9e05fb6d51160b3f46acd91af9731 + - type: WEB + url: https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3 + - type: PACKAGE + url: https://github.com/qos-ch/logback + - type: WEB + url: https://logback.qos.ch/manual/receivers.html + - type: WEB + url: https://logback.qos.ch/news.html#1.2.13 + - type: WEB + url: https://logback.qos.ch/news.html#1.3.12 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2023-11-29T21:33:01Z" + nvd_published_at: 
"2023-11-29T12:15:07Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-668q-qrv7-99fm + modified: 2024-02-16T08:18:41.537541Z + published: 2021-12-17T20:00:50Z + aliases: + - CVE-2021-42550 + summary: Deserialization of Untrusted Data in logback + details: In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers. + affected: + - package: + ecosystem: Maven + name: ch.qos.logback:logback-core + purl: pkg:maven/ch.qos.logback/logback-core + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.2.9 + versions: + - 0.2.5 + - "0.3" + - "0.5" + - "0.6" + - "0.7" + - 0.7.1 + - "0.8" + - 0.8.1 + - "0.9" + - 0.9.1 + - 0.9.10 + - 0.9.11 + - 0.9.12 + - 0.9.13 + - 0.9.14 + - 0.9.15 + - 0.9.16 + - 0.9.17 + - 0.9.18 + - 0.9.19 + - 0.9.2 + - 0.9.20 + - 0.9.21 + - 0.9.22 + - 0.9.23 + - 0.9.24 + - 0.9.25 + - 0.9.26 + - 0.9.27 + - 0.9.28 + - 0.9.29 + - 0.9.3 + - 0.9.30 + - 0.9.4 + - 0.9.5 + - 0.9.6 + - 0.9.7 + - 0.9.8 + - 0.9.9 + - 1.0.0 + - 1.0.1 + - 1.0.10 + - 1.0.11 + - 1.0.12 + - 1.0.13 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.0.5 + - 1.0.6 + - 1.0.7 + - 1.0.8 + - 1.0.9 + - 1.1.0 + - 1.1.1 + - 1.1.10 + - 1.1.11 + - 1.1.2 + - 1.1.3 + - 1.1.4 + - 1.1.5 + - 1.1.6 + - 1.1.7 + - 1.1.8 + - 1.1.9 + - 1.2.0 + - 1.2.1 + - 1.2.2 + - 1.2.3 + - 1.2.4 + - 1.2.4-groovyless + - 1.2.5 + - 1.2.6 + - 1.2.7 + - 1.2.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-668q-qrv7-99fm/GHSA-668q-qrv7-99fm.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-42550 + - type: WEB + url: https://github.com/qos-ch/logback/commit/87291079a1de9369ac67e20dc70a8fdc7cc4359c + - type: WEB + url: 
https://github.com/qos-ch/logback/commit/ef4fc4186b74b45ce80d86833820106ff27edd42 + - type: WEB + url: https://cert-portal.siemens.com/productcert/pdf/ssa-371761.pdf + - type: WEB + url: https://github.com/cn-panda/logbackRceDemo + - type: PACKAGE + url: https://github.com/qos-ch/logback + - type: WEB + url: https://github.com/qos-ch/logback/blob/1502cba4c1dfd135b2e715bc0cf80c0045d4d128/logback-site/src/site/pages/news.html + - type: WEB + url: https://jira.qos.ch/browse/LOGBACK-1591 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20211229-0001 + - type: WEB + url: http://logback.qos.ch/news.html + - type: WEB + url: http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html + - type: WEB + url: http://seclists.org/fulldisclosure/2022/Jul/11 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2021-12-17T19:25:11Z" + nvd_published_at: "2021-12-16T19:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-gm62-rw4g-vrc4 + modified: 2023-12-08T15:26:30.180357Z + published: 2023-12-04T09:30:23Z + aliases: + - CVE-2023-6481 + summary: Logback is vulnerable to an attacker mounting a Denial-Of-Service attack by sending poisoned data + details: | + A serialization vulnerability in logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. 
+ affected: + - package: + ecosystem: Maven + name: ch.qos.logback:logback-core + purl: pkg:maven/ch.qos.logback/logback-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 1.4.13 + - fixed: 1.4.14 + versions: + - 1.4.13 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-gm62-rw4g-vrc4/GHSA-gm62-rw4g-vrc4.json + - package: + ecosystem: Maven + name: ch.qos.logback:logback-core + purl: pkg:maven/ch.qos.logback/logback-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 1.3.13 + - fixed: 1.3.14 + versions: + - 1.3.13 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-gm62-rw4g-vrc4/GHSA-gm62-rw4g-vrc4.json + - package: + ecosystem: Maven + name: ch.qos.logback:logback-core + purl: pkg:maven/ch.qos.logback/logback-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 1.2.12 + - fixed: 1.2.13 + versions: + - 1.2.12 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-gm62-rw4g-vrc4/GHSA-gm62-rw4g-vrc4.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-6481 + - type: WEB + url: https://github.com/qos-ch/logback/commit/7018a3609c7bcc9dc7bf5903509901a986e5f578 + - type: WEB + url: https://github.com/qos-ch/logback/commit/c612b2fa3caf6eef3c75f1cd5859438451d0fd6f + - type: PACKAGE + url: https://github.com/qos-ch/logback + - type: WEB + url: https://logback.qos.ch/news.html#1.3.12 + - type: WEB + url: https://logback.qos.ch/news.html#1.3.14 + database_specific: + cwe_ids: [] + github_reviewed: true + github_reviewed_at: "2023-12-08T15:06:33Z" + nvd_published_at: "2023-12-04T09:15:37Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-vmfg-rjjm-rjrj + modified: 2024-03-09T05:18:12.019858Z + published: 
2021-06-07T16:07:36Z + aliases: + - CVE-2017-5929 + summary: QOS.ch Logback vulnerable to Deserialization of Untrusted Data + details: QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderClient class in logback-classic and the SocketNode classes in logback-classic and logback-access allow data to be deserialized over a Java Socket, via an ObjectInputStream, without validating the data beforehand. When data is received from the Socket, to be logged, it is deserialized into Java objects.An attacker can exploit this vulnerability by sending malicious, serialized Java objects over the connection to the Socket, which may result in execution of arbitrary code when those objects are deserialized. Note that although logback-core is implicated by the Logback project here, the Sonatype Security Research team discovered that the vulnerability is actually present in the logback-classic and logback-access components. Versions prior to 1.2.0 are vulnerable, as stated in the advisory. 
+ affected: + - package: + ecosystem: Maven + name: ch.qos.logback:logback-classic + purl: pkg:maven/ch.qos.logback/logback-classic + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.2.0 + versions: + - 0.2.5 + - "0.3" + - "0.5" + - "0.6" + - "0.7" + - 0.7.1 + - "0.8" + - 0.8.1 + - "0.9" + - 0.9.1 + - 0.9.10 + - 0.9.11 + - 0.9.12 + - 0.9.13 + - 0.9.14 + - 0.9.15 + - 0.9.16 + - 0.9.17 + - 0.9.18 + - 0.9.19 + - 0.9.2 + - 0.9.20 + - 0.9.21 + - 0.9.22 + - 0.9.23 + - 0.9.24 + - 0.9.25 + - 0.9.26 + - 0.9.27 + - 0.9.28 + - 0.9.29 + - 0.9.3 + - 0.9.30 + - 0.9.4 + - 0.9.5 + - 0.9.6 + - 0.9.7 + - 0.9.8 + - 0.9.9 + - 1.0.0 + - 1.0.1 + - 1.0.10 + - 1.0.11 + - 1.0.12 + - 1.0.13 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.0.5 + - 1.0.6 + - 1.0.7 + - 1.0.8 + - 1.0.9 + - 1.1.0 + - 1.1.1 + - 1.1.10 + - 1.1.11 + - 1.1.2 + - 1.1.3 + - 1.1.4 + - 1.1.5 + - 1.1.6 + - 1.1.7 + - 1.1.8 + - 1.1.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-vmfg-rjjm-rjrj/GHSA-vmfg-rjjm-rjrj.json + - package: + ecosystem: Maven + name: ch.qos.logback:logback-core + purl: pkg:maven/ch.qos.logback/logback-core + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.2.0 + versions: + - 0.2.5 + - "0.3" + - "0.5" + - "0.6" + - "0.7" + - 0.7.1 + - "0.8" + - 0.8.1 + - "0.9" + - 0.9.1 + - 0.9.10 + - 0.9.11 + - 0.9.12 + - 0.9.13 + - 0.9.14 + - 0.9.15 + - 0.9.16 + - 0.9.17 + - 0.9.18 + - 0.9.19 + - 0.9.2 + - 0.9.20 + - 0.9.21 + - 0.9.22 + - 0.9.23 + - 0.9.24 + - 0.9.25 + - 0.9.26 + - 0.9.27 + - 0.9.28 + - 0.9.29 + - 0.9.3 + - 0.9.30 + - 0.9.4 + - 0.9.5 + - 0.9.6 + - 0.9.7 + - 0.9.8 + - 0.9.9 + - 1.0.0 + - 1.0.1 + - 1.0.10 + - 1.0.11 + - 1.0.12 + - 1.0.13 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.0.5 + - 1.0.6 + - 1.0.7 + - 1.0.8 + - 1.0.9 + - 1.1.0 + - 1.1.1 + - 1.1.10 + - 1.1.11 + - 1.1.2 + - 1.1.3 + - 1.1.4 + - 1.1.5 + - 1.1.6 + - 1.1.7 + - 1.1.8 + - 1.1.9 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-vmfg-rjjm-rjrj/GHSA-vmfg-rjjm-rjrj.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-5929 + - type: WEB + url: https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8 + - type: WEB + url: https://logback.qos.ch/news.html + - type: WEB + url: https://lists.apache.org/thread.html/re9b787727291786dfe088e3cd078c7d195c0b5781e15d3cd24a3b2fc@%3Cdev.mnemonic.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd2227af3c9ada2a72dc72ed05517f5857a34d487580e1f2803922ff9@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc5f0cc2f3b153bdf15ee7389d78585829abc9c7af4d322ba1085dd3e@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbb4dfca2f7e3e8f3570eec21c79832d33a51dfde6762725660b60169@%3Cdev.mnemonic.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra007cec726a3927c918ec94c4316d05d1829c49eae8dc3648adc35e2@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9@%3Cdev.brooklyn.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r718f27bed898008a8e037d9cc848cfc1df4d18abcbaee0cb0c142cfb@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r632ec30791b441e2eb5a3129532bf1b689bf181d0ef7daf50bcf0fd6@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4673642893562c58cbee60c151ded6c077e8a2d02296e862224a9161@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r397bf63783240fbb5713389d3f889d287ae0c11509006700ac720037@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r2c2d57ca180e8173c90fe313ddf8eabbdcf8e3ae196f8b9f42599790@%3Ccommits.mnemonic.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2a08573ddee4a86dc96d469485a5843a01710ee0dc2078dfca410c79@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0bb19330e48d5ad784fa20dacba9e5538d8d60f5cd9142e0f1432b4b@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/fa4eaaa6ff41ac6f79811e053c152ee89b7c5da8a6ac848ae97df67f@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/a6db61616180d73711d6db25703085940026e2dbc40f153f9d22b203@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/18d509024d9aeb07f0e9579066f80bf5d4dcf20467b0c240043890d1@%3Ccommits.cassandra.apache.org%3E + - type: PACKAGE + url: https://github.com/qos-ch/logback + - type: WEB + url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2927 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:1832 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:1676 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:1675 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2021-06-04T20:45:34Z" + nvd_published_at: "2017-03-13T06:59:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-vmq6-5m68-f53m + modified: 2024-02-16T08:07:48.81685Z + published: 2023-11-29T12:30:16Z + aliases: + - CVE-2023-6378 + summary: logback serialization vulnerability + details: |- + A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. + + This is only exploitable if logback receiver component is deployed. 
See https://logback.qos.ch/manual/receivers.html + affected: + - package: + ecosystem: Maven + name: ch.qos.logback:logback-classic + purl: pkg:maven/ch.qos.logback/logback-classic + ranges: + - type: ECOSYSTEM + events: + - introduced: 1.3.0 + - fixed: 1.3.12 + versions: + - 1.3.0 + - 1.3.1 + - 1.3.10 + - 1.3.11 + - 1.3.2 + - 1.3.3 + - 1.3.4 + - 1.3.5 + - 1.3.6 + - 1.3.7 + - 1.3.8 + - 1.3.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vmq6-5m68-f53m/GHSA-vmq6-5m68-f53m.json + - package: + ecosystem: Maven + name: ch.qos.logback:logback-classic + purl: pkg:maven/ch.qos.logback/logback-classic + ranges: + - type: ECOSYSTEM + events: + - introduced: 1.4.0 + - fixed: 1.4.12 + versions: + - 1.4.0 + - 1.4.1 + - 1.4.10 + - 1.4.11 + - 1.4.2 + - 1.4.3 + - 1.4.4 + - 1.4.5 + - 1.4.6 + - 1.4.7 + - 1.4.8 + - 1.4.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vmq6-5m68-f53m/GHSA-vmq6-5m68-f53m.json + - package: + ecosystem: Maven + name: ch.qos.logback:logback-core + purl: pkg:maven/ch.qos.logback/logback-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 1.3.0 + - fixed: 1.3.12 + versions: + - 1.3.0 + - 1.3.1 + - 1.3.10 + - 1.3.11 + - 1.3.2 + - 1.3.3 + - 1.3.4 + - 1.3.5 + - 1.3.6 + - 1.3.7 + - 1.3.8 + - 1.3.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vmq6-5m68-f53m/GHSA-vmq6-5m68-f53m.json + - package: + ecosystem: Maven + name: ch.qos.logback:logback-core + purl: pkg:maven/ch.qos.logback/logback-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 1.4.0 + - fixed: 1.4.12 + versions: + - 1.4.0 + - 1.4.1 + - 1.4.10 + - 1.4.11 + - 1.4.2 + - 1.4.3 + - 1.4.4 + - 1.4.5 + - 1.4.6 + - 1.4.7 + - 1.4.8 + - 1.4.9 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vmq6-5m68-f53m/GHSA-vmq6-5m68-f53m.json + - package: + ecosystem: Maven + name: ch.qos.logback:logback-core + purl: pkg:maven/ch.qos.logback/logback-core + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.2.13 + versions: + - 0.2.5 + - "0.3" + - "0.5" + - "0.6" + - "0.7" + - 0.7.1 + - "0.8" + - 0.8.1 + - "0.9" + - 0.9.1 + - 0.9.10 + - 0.9.11 + - 0.9.12 + - 0.9.13 + - 0.9.14 + - 0.9.15 + - 0.9.16 + - 0.9.17 + - 0.9.18 + - 0.9.19 + - 0.9.2 + - 0.9.20 + - 0.9.21 + - 0.9.22 + - 0.9.23 + - 0.9.24 + - 0.9.25 + - 0.9.26 + - 0.9.27 + - 0.9.28 + - 0.9.29 + - 0.9.3 + - 0.9.30 + - 0.9.4 + - 0.9.5 + - 0.9.6 + - 0.9.7 + - 0.9.8 + - 0.9.9 + - 1.0.0 + - 1.0.1 + - 1.0.10 + - 1.0.11 + - 1.0.12 + - 1.0.13 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.0.5 + - 1.0.6 + - 1.0.7 + - 1.0.8 + - 1.0.9 + - 1.1.0 + - 1.1.1 + - 1.1.10 + - 1.1.11 + - 1.1.2 + - 1.1.3 + - 1.1.4 + - 1.1.5 + - 1.1.6 + - 1.1.7 + - 1.1.8 + - 1.1.9 + - 1.2.0 + - 1.2.1 + - 1.2.10 + - 1.2.11 + - 1.2.12 + - 1.2.2 + - 1.2.3 + - 1.2.4 + - 1.2.4-groovyless + - 1.2.5 + - 1.2.6 + - 1.2.7 + - 1.2.8 + - 1.2.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vmq6-5m68-f53m/GHSA-vmq6-5m68-f53m.json + - package: + ecosystem: Maven + name: ch.qos.logback:logback-classic + purl: pkg:maven/ch.qos.logback/logback-classic + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.2.13 + versions: + - 0.2.5 + - "0.3" + - "0.5" + - "0.6" + - "0.7" + - 0.7.1 + - "0.8" + - 0.8.1 + - "0.9" + - 0.9.1 + - 0.9.10 + - 0.9.11 + - 0.9.12 + - 0.9.13 + - 0.9.14 + - 0.9.15 + - 0.9.16 + - 0.9.17 + - 0.9.18 + - 0.9.19 + - 0.9.2 + - 0.9.20 + - 0.9.21 + - 0.9.22 + - 0.9.23 + - 0.9.24 + - 0.9.25 + - 0.9.26 + - 0.9.27 + - 0.9.28 + - 0.9.29 + - 0.9.3 + - 0.9.30 + - 0.9.4 + - 0.9.5 + - 0.9.6 + - 0.9.7 + - 0.9.8 + - 0.9.9 + - 1.0.0 + - 1.0.1 + - 1.0.10 + - 1.0.11 + 
- 1.0.12 + - 1.0.13 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.0.5 + - 1.0.6 + - 1.0.7 + - 1.0.8 + - 1.0.9 + - 1.1.0 + - 1.1.1 + - 1.1.10 + - 1.1.11 + - 1.1.2 + - 1.1.3 + - 1.1.4 + - 1.1.5 + - 1.1.6 + - 1.1.7 + - 1.1.8 + - 1.1.9 + - 1.2.0 + - 1.2.1 + - 1.2.10 + - 1.2.11 + - 1.2.12 + - 1.2.2 + - 1.2.3 + - 1.2.4 + - 1.2.4-groovyless + - 1.2.5 + - 1.2.6 + - 1.2.7 + - 1.2.8 + - 1.2.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vmq6-5m68-f53m/GHSA-vmq6-5m68-f53m.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-6378 + - type: WEB + url: https://github.com/qos-ch/logback/issues/745#issuecomment-1836227158 + - type: WEB + url: https://github.com/qos-ch/logback/commit/9c782b45be4abdafb7e17481e24e7354c2acd1eb + - type: WEB + url: https://github.com/qos-ch/logback/commit/b8eac23a9de9e05fb6d51160b3f46acd91af9731 + - type: WEB + url: https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3 + - type: PACKAGE + url: https://github.com/qos-ch/logback + - type: WEB + url: https://logback.qos.ch/manual/receivers.html + - type: WEB + url: https://logback.qos.ch/news.html#1.2.13 + - type: WEB + url: https://logback.qos.ch/news.html#1.3.12 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2023-11-29T21:33:01Z" + nvd_published_at: "2023-11-29T12:15:07Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-27xj-rqx5-2255 + modified: 2024-02-16T08:06:12.878312Z + published: 2020-05-15T18:58:44Z + aliases: + - CVE-2020-11619 + summary: jackson-databind mishandles the interaction between serialization gadgets and typing + details: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop). 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10.4 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.3 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-27xj-rqx5-2255/GHSA-27xj-rqx5-2255.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-11619 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2680 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html + - type: WEB + url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200511-0004 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-04-23T19:32:22Z" + nvd_published_at: "2020-04-07T23:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-288c-cq4h-88gq + modified: 2024-03-15T00:47:09.937706Z + published: 2021-02-18T20:51:54Z + 
aliases: + - CVE-2020-25649 + summary: XML External Entity (XXE) Injection in Jackson Databind + details: A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.6.0 + - fixed: 2.6.7.4 + versions: + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + database_specific: + last_known_affected_version_range: <= 2.6.7.3 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-288c-cq4h-88gq/GHSA-288c-cq4h-88gq.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0.0 + - fixed: 2.9.10.7 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.10.5 + - 2.9.10.6 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.6 + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-288c-cq4h-88gq/GHSA-288c-cq4h-88gq.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.10.0.0 + - fixed: 2.10.5.1 + versions: + - 2.10.0 + - 2.10.0.pr1 + - 2.10.0.pr2 + - 2.10.0.pr3 + - 2.10.1 + - 2.10.2 + - 2.10.3 + - 2.10.4 + - 2.10.5 + database_specific: + last_known_affected_version_range: <= 2.10.5.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-288c-cq4h-88gq/GHSA-288c-cq4h-88gq.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-25649 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2589 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/3d932709abd0b5390efe67451653fc9efa9db677 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb@%3Cdev.knox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604@%3Cissues.zookeeper.apache.org%3E + - type: WEB + 
url: https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a@%3Ccommits.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22@%3Ccommits.karaf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3Cusers.kafka.apache.org%3E + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: 
https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210108-0007 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6X2UT4X6M7DLQYBOOHMXBWGYJ65RL2CT + - type: WEB + url: https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402@%3Ccommits.karaf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1@%3Ccommits.karaf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71@%3Cjira.kafka.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb@%3Ccommits.karaf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1@%3Cdev.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386@%3Ccommits.turbine.apache.org%3E + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=1887664 + - type: WEB + url: https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3@%3Cuser.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60@%3Creviews.iotdb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8@%3Cnotifications.iotdb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07@%3Ccommits.iotdb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb@%3Creviews.iotdb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3Cusers.kafka.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61@%3Cdev.knox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042@%3Creviews.iotdb.apache.org%3E + database_specific: + cwe_ids: + - CWE-611 + github_reviewed: true + github_reviewed_at: "2021-02-18T20:41:26Z" + nvd_published_at: "2020-12-03T17:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-3x8x-79m2-3w2w + modified: 2023-11-08T04:07:27.620078Z + published: 2023-03-19T00:30:25Z + aliases: + - CVE-2021-46877 + summary: jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode + details: jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.10.0 + - fixed: 2.12.6 + versions: + - 2.10.0 + - 2.10.0.pr1 + - 2.10.0.pr2 + - 2.10.0.pr3 + - 2.10.1 + - 2.10.2 + - 2.10.3 + - 2.10.4 + - 2.10.5 + - 2.10.5.1 + - 2.11.0 + - 2.11.0.rc1 + - 2.11.1 + - 2.11.2 + - 2.11.3 + - 2.11.4 + - 2.12.0 + - 2.12.0-rc1 + - 2.12.0-rc2 + - 2.12.1 + - 2.12.2 + - 2.12.3 + - 2.12.4 + - 2.12.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-3x8x-79m2-3w2w/GHSA-3x8x-79m2-3w2w.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.13.0 + - fixed: 2.13.1 + versions: + - 2.13.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-3x8x-79m2-3w2w/GHSA-3x8x-79m2-3w2w.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-46877 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/3328 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.12.6 + - type: WEB + url: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13.1 + - type: WEB + url: https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw + database_specific: + cwe_ids: [] + github_reviewed: true + github_reviewed_at: "2023-03-20T21:14:14Z" + nvd_published_at: "2023-03-18T22:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + 
id: GHSA-4gq5-ch57-c2mg + modified: 2024-03-15T05:20:21.411726Z + published: 2019-01-04T19:09:49Z + aliases: + - CVE-2018-14719 + summary: Arbitrary Code Execution in jackson-databind + details: FasterXML jackson-databind 2.x before 2.9.7, 2.8.11.3, and 2.7.9.5 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.7 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4gq5-ch57-c2mg/GHSA-4gq5-ch57-c2mg.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11.3 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + last_known_affected_version_range: <= 2.8.11.2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4gq5-ch57-c2mg/GHSA-4gq5-ch57-c2mg.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.7.9.5 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 
2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + - 2.6.7.5 + - 2.7.0 + - 2.7.0-rc1 + - 2.7.0-rc2 + - 2.7.0-rc3 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + database_specific: + last_known_affected_version_range: <= 2.7.9.4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4gq5-ch57-c2mg/GHSA-4gq5-ch57-c2mg.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-14719 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2097 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44 + - type: WEB + url: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7 + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html + - type: WEB + url: https://seclists.org/bugtraq/2019/May/68 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190530-0003 + - type: WEB + url: https://www.debian.org/security/2019/dsa-4452 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:4037 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3892 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3149 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3140 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3002 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2858 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2804 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1823 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1822 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1797 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1782 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0877 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0782 + - type: WEB + url: https://access.redhat.com/errata/RHBA-2019:0959 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + 
github_reviewed_at: "2020-06-16T20:58:21Z" + nvd_published_at: "2019-01-02T18:29:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-4w82-r329-3q67 + modified: 2024-03-16T05:18:54.922179Z + published: 2020-03-04T20:52:14Z + aliases: + - CVE-2020-8840 + summary: Deserialization of Untrusted Data in jackson-databind + details: FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.6.7.4 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + database_specific: + last_known_affected_version_range: <= 2.6.7.3 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-4w82-r329-3q67/GHSA-4w82-r329-3q67.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.7.9.7 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 
2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + database_specific: + last_known_affected_version_range: <= 2.7.9.6 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-4w82-r329-3q67/GHSA-4w82-r329-3q67.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11.5 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + last_known_affected_version_range: <= 2.8.11.4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-4w82-r329-3q67/GHSA-4w82-r329-3q67.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10.3 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-4w82-r329-3q67/GHSA-4w82-r329-3q67.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-8840 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2620 + - type: WEB + url: 
https://github.com/FasterXML/jackson-databind/commit/74aba4042fce35ee0b91bd2847e788c10040d78b + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/9bb52c7122271df75435ec7e66ecf6b02b1ee14f + - type: WEB + url: https://lists.apache.org/thread.html/ra275f29615f35d5b40106d1582a41e5388b2a5131564e9e01a572987@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rac5ee5d686818be7e7c430d35108ee01a88aae54f832d32f62431fd1@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb43f9a65150948a6bebd3cb77ee3e105d40db2820fd547528f4e7f89@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb5eedf90ba3633e171a2ffdfe484651c9490dc5df74c8a29244cbc0e@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb73708bf714ed6dbc1212da082e7703e586077f0c92f3940b2e82caf@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb99c7321eba5d4c907beec46675d52827528b738cfafd48eb4d862f1@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc717fd6c65190f4e592345713f9ef0723fb7d71f624caa2a17caa26a@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcc72b497e3dff2dc62ec9b89ceb90bc4e1b14fc56c3c252a6fcbb013@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdea588d4a0ebf9cb7ce8c3a8f18d0d306507c4f8ba178dd3d20207b8@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdf311f13e6356297e0ffe74397fdd25a3687b0a16e687c3ff5b834d8@%3Cdev.ranger.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rdf8d389271a291dde3b2f99c36918d6cb1e796958af626cc140fee23@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re7326b8655eab931f2a9ce074fd9a1a51b5db11456bee9b48e1e170c@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re8ae2670ec456ef1c5a2a661a2838ab2cd00e9efa1e88c069f546f21@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf28ab6f224b48452afd567dfffb705fbda0fdbbf6535f6bc69d47e91@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfc1ccfe89332155b72ce17f13a2701d3e7b9ec213324ceb90e79a28a@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/02/msg00020.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200327-0002 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.apache.org/thread.html/r078e68a926ea6be12e8404e47f45aabf04bb4668e8265c0de41db6db@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1c09b9551f6953dbeca190a4c4b78198cdbb9825fce36f96fe3d8218@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1efc776fc6ce3387593deaa94bbdd296733b1b01408a39c8d1ab9e0e@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2fa8046bd47fb407ca09b5107a80fa6147ba4ebe879caae5c98b7657@%3Cdev.ranger.apache.org%3E + - type: WEB + 
url: https://lists.apache.org/thread.html/r319f19c74e06c201b9d4e8b282a4e4b2da6dcda022fb46f007dd00d3@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3539bd3a377991217d724879d239e16e86001c54160076408574e1da@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3d20a2660b36551fd8257d479941782af4a7169582449fac1704bde2@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r428d068b2a4923f1a5a4f5fc6381b95205cfe7620169d16db78e9c71@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r446646c5588b10f5e02409ad580b12f314869009cdfbf844ca395cec@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r46bebdeb59b8b7212d63a010ca445a9f5c4e9d64dcf693cab6f399d3@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5d8bea8e9d17b6efcf4a0e4e194e91ef46a99f505777a31a60da2b38@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r65ee95fa09c831843bac81eaa582fdddc2b6119912a72d1c83a9b882@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6fdd4c61a09a0c89f581b4ddb3dc6f154ab0c705fcfd0a7358b2e4e5@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7762d69e85c58d6948823424017ef4c08f47de077644277fa18cc116@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7e5c10534ed06bf805473ac85e8412fe3908a8fa4cabf5027bf11220@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8170007fd9b263d65b37d92a7b5d7bc357aedbb113a32838bc4a9485@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8e96c340004b7898cad3204ea51280ef6e4b553a684e1452bf1b18b1@%3Cjira.kafka.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r94930e39b60fff236160c1c4110fe884dc093044b067aa5fc98d7ee1@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9e59ebaf76fd00b2fa3ff5ebf18fe075ca9f4376216612c696f76718@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9ecf211c22760b00967ebe158c6ed7dba9142078e2a630ab8904a5b7@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200610-01-fastjason-en + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-02-25T20:56:51Z" + nvd_published_at: "2020-02-10T21:56:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-57j2-w4cx-62h2 + modified: 2024-03-15T00:31:45.682369Z + published: 2022-03-12T00:00:36Z + aliases: + - CVE-2020-36518 + summary: Deeply nested json in jackson-databind + details: jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects. 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.13.0 + - fixed: 2.13.2.1 + versions: + - 2.13.0 + - 2.13.1 + - 2.13.2 + database_specific: + last_known_affected_version_range: <= 2.13.2.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-57j2-w4cx-62h2/GHSA-57j2-w4cx-62h2.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.12.6.1 + versions: + - 2.0.0 + - 2.0.0-RC1 + - 2.0.0-RC2 + - 2.0.0-RC3 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.10.0 + - 2.10.0.pr1 + - 2.10.0.pr2 + - 2.10.0.pr3 + - 2.10.1 + - 2.10.2 + - 2.10.3 + - 2.10.4 + - 2.10.5 + - 2.10.5.1 + - 2.11.0 + - 2.11.0.rc1 + - 2.11.1 + - 2.11.2 + - 2.11.3 + - 2.11.4 + - 2.12.0 + - 2.12.0-rc1 + - 2.12.0-rc2 + - 2.12.1 + - 2.12.2 + - 2.12.3 + - 2.12.4 + - 2.12.5 + - 2.12.6 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + - 2.6.7.5 + - 2.7.0 + - 2.7.0-rc1 + - 2.7.0-rc2 + - 2.7.0-rc3 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 
2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.10.5 + - 2.9.10.6 + - 2.9.10.7 + - 2.9.10.8 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.12.6.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-57j2-w4cx-62h2/GHSA-57j2-w4cx-62h2.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-36518 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2816 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/0a8157c6ca478b1bc7be4ba7dccdb3863275f0de + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/3cc52f82ecf943e06c1d7c3b078e405fb3923d2b + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/b3587924ee5d8695942f364d0d404d48d0ea6126 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.12 + - type: WEB + url: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html + - type: WEB + url: 
https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220506-0004 + - type: WEB + url: https://www.debian.org/security/2022/dsa-5283 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + database_specific: + cwe_ids: + - CWE-787 + github_reviewed: true + github_reviewed_at: "2022-03-22T14:36:44Z" + nvd_published_at: "2022-03-11T07:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-58pp-9c76-5625 + modified: 2024-02-16T07:55:08.550842Z + published: 2020-06-10T21:12:41Z + aliases: + - CVE-2020-11112 + summary: jackson-databind mishandles the interaction between serialization gadgets and typing + details: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy). 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10.4 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.3 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-58pp-9c76-5625/GHSA-58pp-9c76-5625.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-11112 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2666 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html + - type: WEB + url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200403-0002 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-06-10T21:11:14Z" + nvd_published_at: "2020-03-31T05:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-5949-rw7g-wx7w + modified: 2024-03-15T00:32:45.692417Z + published: 2021-01-20T21:20:15Z + aliases: + - CVE-2021-20190 + summary: Deserialization of untrusted data in 
jackson-databind + details: A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.9.10.7 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.10.5 + - 2.9.10.6 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-5949-rw7g-wx7w/GHSA-5949-rw7g-wx7w.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.6.7.5 + versions: + - 2.0.0 + - 2.0.0-RC1 + - 2.0.0-RC2 + - 2.0.0-RC3 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + 
- 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-5949-rw7g-wx7w/GHSA-5949-rw7g-wx7w.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-20190 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2854 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=1916633 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210219-0008 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2021-01-20T04:44:51Z" + nvd_published_at: "2021-01-19T17:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-5p34-5m6p-p58g + modified: 2024-03-14T05:17:58.62415Z + published: 2020-04-23T21:08:40Z + aliases: + - CVE-2020-9546 + summary: jackson-databind mishandles the interaction between serialization gadgets and typing + 
details: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10.4 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.3 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-5p34-5m6p-p58g/GHSA-5p34-5m6p-p58g.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-9546 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2631 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200904-0006 + - type: WEB + url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r893a0104e50c1c2559eb9a5812add28ae8c3e5f43712947a9847ec18@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-04-23T19:26:40Z" + nvd_published_at: "2020-03-02T04:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-5r5r-6hpj-8gg9 + modified: 2024-02-18T05:42:28.539166Z + published: 2021-12-09T19:15:24Z + aliases: + - CVE-2020-35728 + summary: Serialization gadget exploit in jackson-databind + details: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl). 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.9.10.8 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + - 2.6.7.5 + - 2.7.0 + - 2.7.0-rc1 + - 2.7.0-rc2 + - 2.7.0-rc3 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.10.5 + - 2.9.10.6 + - 2.9.10.7 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.7 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-5r5r-6hpj-8gg9/GHSA-5r5r-6hpj-8gg9.json + severity: + - type: CVSS_V3 + score: 
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-35728 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2999 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/1ca0388c2fb37ac6a06f1c188ae89c41e3e15e84 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html + - type: WEB + url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210129-0007 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2021-04-07T22:24:20Z" + nvd_published_at: "2020-12-27T05:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-5ww9-j83m-q7qx + modified: 2024-03-15T01:17:50.01682Z + published: 2019-05-23T09:32:24Z + aliases: + - CVE-2019-12086 + summary: Information exposure in FasterXML jackson-databind + details: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. 
When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.9 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-5ww9-j83m-q7qx/GHSA-5ww9-j83m-q7qx.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11.4 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-5ww9-j83m-q7qx/GHSA-5ww9-j83m-q7qx.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.7.9.6 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 
2.7.9.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-5ww9-j83m-q7qx/GHSA-5ww9-j83m-q7qx.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.6.7.3 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-5ww9-j83m-q7qx/GHSA-5ww9-j83m-q7qx.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-12086 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2326 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/efc3c0d02f4743dbaa6d1b9c466772a2f13d966b + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/d30f036208ab1c60bd5ce429cb4f7f1a3e5682e8 + - type: WEB + url: https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E + - type: WEB + 
url: https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/05/msg00030.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC + - type: WEB + url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://seclists.org/bugtraq/2019/May/68 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190530-0003 + - type: WEB + url: https://web.archive.org/web/20200227030031/http://www.securityfocus.com/bid/109227 + - type: WEB + url: https://web.archive.org/web/20200808181049/http://russiansecurity.expert/2016/04/20/mysql-connect-file-read + - type: WEB + url: https://www.debian.org/security/2019/dsa-4452 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2858 + - type: WEB + url: 
https://access.redhat.com/errata/RHSA-2019:2935 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2936 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2937 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2938 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2998 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3044 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3045 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3046 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3050 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3149 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3200 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9 + - type: WEB + url: https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/88cd25375805950ae7337e669b0cb0eeda98b9604c1b8d806dccbad2@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + 
github_reviewed_at: "2019-05-22T04:34:56Z" + nvd_published_at: "2019-05-17T17:29:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-645p-88qh-w398 + modified: 2024-03-16T05:19:17.936174Z + published: 2019-01-04T19:06:55Z + aliases: + - CVE-2018-14718 + summary: Arbitrary Code Execution in jackson-databind + details: FasterXML jackson-databind 2.x before 2.9.7, 2.8.11.3, 2.7.9.5, and 2.6.7.3 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.7 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-645p-88qh-w398/GHSA-645p-88qh-w398.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11.3 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + last_known_affected_version_range: <= 2.8.11.2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-645p-88qh-w398/GHSA-645p-88qh-w398.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.7.9.5 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + 
- 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + database_specific: + last_known_affected_version_range: <= 2.7.9.4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-645p-88qh-w398/GHSA-645p-88qh-w398.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.6.7.3 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-645p-88qh-w398/GHSA-645p-88qh-w398.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-14718 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2097 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44 + - type: WEB + url: https://access.redhat.com/errata/RHBA-2019:0959 + - type: WEB + url: https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286@%3Cdev.lucene.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f@%3Cdev.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df@%3Cdev.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html + - type: WEB + url: https://seclists.org/bugtraq/2019/May/68 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190530-0003 + - type: WEB + url: https://www.debian.org/security/2019/dsa-4452 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0782 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0877 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1782 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1797 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1822 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1823 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2804 + 
- type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2858 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3002 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3140 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3149 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3892 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:4037 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7 + - type: ADVISORY + url: https://github.com/advisories/GHSA-645p-88qh-w398 + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: http://www.securityfocus.com/bid/106601 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:17:52Z" + nvd_published_at: "2019-01-02T18:29:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-6fpp-rgj9-8rwc + modified: 2024-03-15T05:18:54.134884Z + published: 2019-08-01T19:18:00Z + aliases: + - CVE-2019-14379 + summary: Deserialization of untrusted data in FasterXML jackson-databind + details: SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2, 2.8.11.4, and 2.7.9.6 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.9.2 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-6fpp-rgj9-8rwc/GHSA-6fpp-rgj9-8rwc.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11.4 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-6fpp-rgj9-8rwc/GHSA-6fpp-rgj9-8rwc.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.7.9.6 + versions: + - 2.0.0 + - 2.0.0-RC1 + - 2.0.0-RC2 + - 2.0.0-RC3 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + 
- 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + - 2.6.7.5 + - 2.7.0 + - 2.7.0-rc1 + - 2.7.0-rc2 + - 2.7.0-rc3 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-6fpp-rgj9-8rwc/GHSA-6fpp-rgj9-8rwc.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-14379 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2387 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b + - type: WEB + url: https://lists.apache.org/thread.html/f17f63b0f8a57e4a5759e01d25cffc0548f0b61ff5c6bfd704ad2f2a@%3Ccommits.ambari.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e25e734c315f70d8876a846926cfe3bfa1a4888044f146e844caf72f@%3Ccommits.ambari.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/d161ff3d59c5a8213400dd6afb1cce1fac4f687c32d1e0c0bfbfaa2d@%3Cissues.iceberg.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/99944f86abefde389da9b4040ea2327c6aa0b53a2ff9352bd4cfec17@%3Cissues.iceberg.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/8723b52c2544e6cb804bc8a36622c584acd1bd6c53f2b6034c9fea54@%3Cissues.iceberg.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/859815b2e9f1575acbb2b260b73861c16ca49bca627fa0c46419051f@%3Cissues.iceberg.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/75f482fdc84abe6d0c8f438a76437c335a7bbeb5cddd4d70b4bc0cbf@%3Cissues.iceberg.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/689c6bcc6c7612eee71e453a115a4c8581e7b718537025d4b265783d@%3Cissues.iceberg.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6@%3Cissues.iceberg.apache.org%3E + - type: WEB + url: https://access.redhat.com/errata/RHBA-2019:2824 + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190814-0001 + - type: WEB + url: 
https://support.apple.com/kb/HT213189 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2743 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2858 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2935 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2936 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2937 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2938 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2998 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3044 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3045 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3046 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3050 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3149 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3200 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3292 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3297 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3901 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0727 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2 + - type: WEB + url: 
https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/2766188be238a446a250ef76801037d452979152d85bce5e46805815@%3Cissues.iceberg.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/525bcf949a4b0da87a375cbad2680b8beccde749522f24c49befe7fb@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E + - type: WEB + url: http://seclists.org/fulldisclosure/2022/Mar/23 + database_specific: + cwe_ids: + - CWE-1321 + - CWE-915 + github_reviewed: true + github_reviewed_at: "2019-08-01T15:38:02Z" + nvd_published_at: "2019-07-29T12:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-6wqp-v4v6-c87c + modified: 2024-03-11T05:21:31.707912Z + published: 2020-06-15T18:44:51Z + aliases: + - CVE-2018-12023 + summary: Deserialization of Untrusted Data + details: An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. 
When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.7.9.4 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + database_specific: + last_known_affected_version_range: <= 2.7.9.3 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6wqp-v4v6-c87c/GHSA-6wqp-v4v6-c87c.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11.2 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + last_known_affected_version_range: <= 2.8.11.1 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6wqp-v4v6-c87c/GHSA-6wqp-v4v6-c87c.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.6 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6wqp-v4v6-c87c/GHSA-6wqp-v4v6-c87c.json + severity: + - 
type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-12023 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2058 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/bf261d404c2f79fd3406237710d40ebb03c99d84 + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d@%3Cissues.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC + - type: WEB + url: https://seclists.org/bugtraq/2019/May/68 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190530-0003 + - type: WEB + url: https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf + - type: WEB + url: https://www.debian.org/security/2019/dsa-4452 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html + - type: WEB + url: 
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html + - type: WEB + url: https://access.redhat.com/errata/RHBA-2019:0959 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0782 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0877 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1106 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1107 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1108 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1140 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1782 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1797 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1822 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1823 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2804 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2858 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3002 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3140 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3149 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3892 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:4037 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: http://www.securityfocus.com/bid/105659 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-06-11T21:43:23Z" + nvd_published_at: null + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-758m-v56v-grj4 + modified: 2024-06-25T14:20:03.301633Z + published: 2020-04-23T21:36:03Z + aliases: + - CVE-2020-10969 + summary: jackson-databind mishandles 
the interaction between serialization gadgets and typing + details: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10.4 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.3 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-758m-v56v-grj4/GHSA-758m-v56v-grj4.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-10969 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2642 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/6ba48457984943df0de92c54144f7dcae01b1221 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html + - type: WEB + url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200403-0002 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - 
CWE-502 + github_reviewed: true + github_reviewed_at: "2020-04-23T19:28:10Z" + nvd_published_at: "2020-03-26T13:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-85cw-hj65-qqv9 + modified: 2024-03-15T05:20:15.574552Z + published: 2019-09-23T18:33:45Z + aliases: + - CVE-2019-16335 + summary: Polymorphic Typing issue in FasterXML jackson-databind + details: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10, 2.8.11.5, and 2.6.7.3. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-85cw-hj65-qqv9/GHSA-85cw-hj65-qqv9.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.8.11.5 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-85cw-hj65-qqv9/GHSA-85cw-hj65-qqv9.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.6.7.3 + versions: + - 2.0.0 + - 2.0.0-RC1 + - 2.0.0-RC2 + - 2.0.0-RC3 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-85cw-hj65-qqv9/GHSA-85cw-hj65-qqv9.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-16335 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2449 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3200 + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT + - type: WEB + url: https://seclists.org/bugtraq/2019/Oct/6 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20191004-0002 + - type: WEB + url: https://www.debian.org/security/2019/dsa-4542 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0159 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0160 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0161 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0164 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0445 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0729 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd77df28db597cbf27e1@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/a360b46061c91c5cad789b6c3190aef9b9f223a2b75c9c9f046fe016@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ad0d238e97a7da5eca47a014f0f7e81f440ed6bf74a93183825e18b9@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/dc6b5cad721a4f6b3b62ed1163894941140d9d5656140fb757505ca0@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e90c3feb21702e68a8c08afce37045adb3870f2bf8223fa403fb93fb@%3Ccommits.hbase.apache.org%3E + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2019-09-19T09:22:56Z" + nvd_published_at: "2019-09-15T22:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-89qr-369f-5m5x + modified: 2024-02-18T05:37:27.581808Z + published: 2021-12-09T19:15:46Z + aliases: + - CVE-2020-36182 + summary: Unsafe Deserialization in jackson-databind + details: FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.9.10.8 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.10.5 + - 2.9.10.6 + - 2.9.10.7 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-89qr-369f-5m5x/GHSA-89qr-369f-5m5x.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.6.7.5 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 
2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-89qr-369f-5m5x/GHSA-89qr-369f-5m5x.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-36182 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/3004 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b + - type: WEB + url: https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210205-0005 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2021-03-18T23:37:58Z" + nvd_published_at: "2021-01-07T00:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-8c4j-34r4-xr8g + modified: 2024-02-18T05:31:52.762759Z + published: 2021-12-09T19:16:18Z + aliases: + - CVE-2020-36180 + summary: Unsafe Deserialization in jackson-databind + details: FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to 
org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.9.10.8 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.10.5 + - 2.9.10.6 + - 2.9.10.7 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-8c4j-34r4-xr8g/GHSA-8c4j-34r4-xr8g.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.6.7.5 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + 
- 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-8c4j-34r4-xr8g/GHSA-8c4j-34r4-xr8g.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-36180 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/3004 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b + - type: WEB + url: https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210205-0005 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2021-03-18T23:36:46Z" + nvd_published_at: "2021-01-07T00:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-8w26-6f25-cm9x + modified: 2024-02-18T05:30:48.085017Z + published: 2021-12-09T19:16:02Z + aliases: + - CVE-2020-36185 + summary: Unsafe Deserialization in jackson-databind + details: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to 
`org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource`. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.9.10.8 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + - 2.6.7.5 + - 2.7.0 + - 2.7.0-rc1 + - 2.7.0-rc2 + - 2.7.0-rc3 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.10.5 + - 2.9.10.6 + - 2.9.10.7 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-8w26-6f25-cm9x/GHSA-8w26-6f25-cm9x.json + severity: + - type: CVSS_V3 + score: 
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-36185 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2998 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/567194c53ae91f0a14dc27239afb739b1c10448a + - type: WEB + url: https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210205-0005 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2021-03-18T23:37:42Z" + nvd_published_at: "2021-01-06T23:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-95cm-88f5-f2c7 + modified: 2024-07-03T21:23:01.986952Z + published: 2020-04-23T16:32:59Z + aliases: + - CVE-2020-10672 + summary: jackson-databind mishandles the interaction between serialization gadgets and typing + details: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10.4 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.3 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-95cm-88f5-f2c7/GHSA-95cm-88f5-f2c7.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-10672 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2659 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/592872f4235c7f2a3280725278da55544032f72d + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html + - type: WEB + url: https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200403-0002 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: 
+ cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-04-22T21:12:55Z" + nvd_published_at: "2020-03-18T22:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-9gph-22xh-8x98 + modified: 2024-02-18T05:33:27.617261Z + published: 2021-12-09T19:15:54Z + aliases: + - CVE-2020-36179 + summary: Unsafe Deserialization in jackson-databind + details: FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to `oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS`. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.9.10.8 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.10.5 + - 2.9.10.6 + - 2.9.10.7 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-9gph-22xh-8x98/GHSA-9gph-22xh-8x98.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.6.7.5 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 
+ - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-9gph-22xh-8x98/GHSA-9gph-22xh-8x98.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-36179 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/3004 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b + - type: WEB + url: https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.apache.org/thread.html/rc255f41d9a61d3dc79a51fb5c713de4ae10e71e3673feeb0b180b436@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210205-0005 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: 
WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2021-03-18T23:37:47Z" + nvd_published_at: "2021-01-07T00:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-9m6f-7xcq-8vf8 + modified: 2024-02-18T05:32:25.400029Z + published: 2021-12-09T19:16:34Z + aliases: + - CVE-2020-36183 + summary: Unsafe Deserialization in jackson-databind + details: FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.00 + - fixed: 2.9.10.8 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.10.5 + - 2.9.10.6 + - 2.9.10.7 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-9m6f-7xcq-8vf8/GHSA-9m6f-7xcq-8vf8.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: 
pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.6.7.5 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-9m6f-7xcq-8vf8/GHSA-9m6f-7xcq-8vf8.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-36183 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/3003 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/12e23c962ffb4cf1857c5461d72ae54cc8008f29 + - type: WEB + url: https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210205-0005 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: 
https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2021-03-18T23:27:59Z" + nvd_published_at: "2021-01-07T00:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-9mxf-g3x6-wv74 + modified: 2024-03-14T05:33:39.45989Z + published: 2019-01-04T19:07:06Z + aliases: + - CVE-2018-14721 + summary: Server-Side Request Forgery (SSRF) in jackson-databind + details: FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.7 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-9mxf-g3x6-wv74/GHSA-9mxf-g3x6-wv74.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11.3 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + last_known_affected_version_range: <= 2.8.11.2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-9mxf-g3x6-wv74/GHSA-9mxf-g3x6-wv74.json + - package: + 
ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.7.9.5 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + database_specific: + last_known_affected_version_range: <= 2.7.9.4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-9mxf-g3x6-wv74/GHSA-9mxf-g3x6-wv74.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-14721 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2097 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44 + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html + - type: WEB + url: https://seclists.org/bugtraq/2019/May/68 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190530-0003 + - type: WEB + url: https://www.debian.org/security/2019/dsa-4452 + - type: WEB + url: 
https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: ADVISORY + url: https://github.com/advisories/GHSA-9mxf-g3x6-wv74 + - type: WEB + url: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:4037 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3892 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3149 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2858 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1823 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1822 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1140 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1108 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1107 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1106 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0782 + - type: WEB + url: https://access.redhat.com/errata/RHBA-2019:0959 + database_specific: + cwe_ids: + - CWE-918 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:29:04Z" + nvd_published_at: null + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-9vvp-fxw6-jcxr + modified: 2024-03-15T01:01:13.76706Z + published: 2020-05-15T18:58:47Z + aliases: + - CVE-2020-11113 + summary: jackson-databind mishandles the interaction between serialization gadgets and typing + details: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to 
org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10.4 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.3 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-9vvp-fxw6-jcxr/GHSA-9vvp-fxw6-jcxr.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-11113 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2670 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/e2ba12d5d60715d95105e3e790fc234cfb59893d + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html + - type: WEB + url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200403-0002 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + 
github_reviewed_at: "2020-04-23T19:31:52Z" + nvd_published_at: "2020-03-31T05:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-c265-37vj-cwcc + modified: 2024-06-25T14:18:28.49907Z + published: 2020-06-18T14:44:48Z + aliases: + - CVE-2020-14062 + summary: Deserialization of untrusted data in Jackson Databind + details: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10.5 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-c265-37vj-cwcc/GHSA-c265-37vj-cwcc.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-14062 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2704 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/840eae2ca81c597a0010b2126f32dce17d384b70 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/99001cdb6807b5c7b170ec6a9092ecbb618ae79c + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html + - type: WEB + url: 
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200702-0003 + - type: WEB + url: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-06-18T13:06:04Z" + nvd_published_at: "2020-06-14T20:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-c2q3-4qrh-fm48 + modified: 2024-02-17T05:36:21.468281Z + published: 2020-06-18T14:44:50Z + aliases: + - CVE-2020-14061 + summary: Deserialization of untrusted data in Jackson Databind + details: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10.5 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-c2q3-4qrh-fm48/GHSA-c2q3-4qrh-fm48.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-14061 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2698 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/5c8642aeae9c756b438ab7637c90ef3c77966e6e + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html + - type: WEB + url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200702-0003 + - type: WEB + url: https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + 
github_reviewed_at: "2020-06-18T13:06:14Z" + nvd_published_at: "2020-06-14T20:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-c8hm-7hpq-7jhg + modified: 2024-03-15T01:17:19.251183Z + published: 2019-01-04T19:07:03Z + aliases: + - CVE-2018-19362 + summary: com.fasterxml.jackson.core:jackson-databind vulnerable to Deserialization of Untrusted Data + details: FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.8 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-c8hm-7hpq-7jhg/GHSA-c8hm-7hpq-7jhg.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11.3 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + last_known_affected_version_range: <= 2.8.11.2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-c8hm-7hpq-7jhg/GHSA-c8hm-7hpq-7jhg.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.7.9.5 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 
2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + database_specific: + last_known_affected_version_range: <= 2.7.9.4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-c8hm-7hpq-7jhg/GHSA-c8hm-7hpq-7jhg.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.6.7.3 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-c8hm-7hpq-7jhg/GHSA-c8hm-7hpq-7jhg.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-19362 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2186 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/72cd4025a229fb28ec133235003dd4616f70afaa + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b + - type: WEB + url: 
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html + - type: WEB + url: https://seclists.org/bugtraq/2019/May/68 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190530-0003 + - type: WEB + url: https://www.debian.org/security/2019/dsa-4452 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: 
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: https://access.redhat.com/errata/RHBA-2019:0959 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0782 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0877 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1782 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1797 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1822 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1823 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2804 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2858 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3002 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3140 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3149 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3892 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:4037 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8 + - type: ADVISORY + url: https://github.com/advisories/GHSA-c8hm-7hpq-7jhg + - type: WEB + url: https://issues.apache.org/jira/browse/TINKERPOP-2121 + - type: WEB + url: https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E + - type: WEB + url: http://www.securityfocus.com/bid/107985 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:30:35Z" + nvd_published_at: null + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-cf6r-3wgc-h863 + modified: 2024-02-18T05:32:56.325249Z + published: 2020-05-15T18:58:58Z + aliases: + - CVE-2019-14892 + summary: Polymorphic deserialization of malicious object in jackson-databind + details: A flaw was discovered in 
jackson-databind in versions before 2.9.10, 2.8.11.5, and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.6.7.3 + versions: + - 2.0.0 + - 2.0.0-RC1 + - 2.0.0-RC2 + - 2.0.0-RC3 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + database_specific: + last_known_affected_version_range: <= 2.6.7.2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-cf6r-3wgc-h863/GHSA-cf6r-3wgc-h863.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.8.11.5 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.2 + - 2.8.3 + - 
2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + last_known_affected_version_range: <= 2.8.11.4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-cf6r-3wgc-h863/GHSA-cf6r-3wgc-h863.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-cf6r-3wgc-h863/GHSA-cf6r-3wgc-h863.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-14892 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2462 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/819cdbcab51c6da9fb896380f2d46e9b7d4fdc3b + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0729 + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200904-0005 + database_specific: + cwe_ids: + - CWE-200 + - 
CWE-502 + github_reviewed: true + github_reviewed_at: "2020-04-23T19:29:41Z" + nvd_published_at: "2020-03-02T17:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-cggj-fvv3-cqwv + modified: 2024-03-15T01:18:46.938616Z + published: 2018-10-16T17:45:18Z + aliases: + - CVE-2018-7489 + summary: 'FasterXML jackson-databind allows unauthenticated remote code execution ' + details: FasterXML jackson-databind before before 2.6.7.5, 2.7.x before 2.7.9.3, 2.8.x before 2.8.11.1, and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11.1 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + last_known_affected_version_range: <= 2.8.11.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cggj-fvv3-cqwv/GHSA-cggj-fvv3-cqwv.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.5 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cggj-fvv3-cqwv/GHSA-cggj-fvv3-cqwv.json + - package: + ecosystem: Maven + name: 
com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.7.9.3 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cggj-fvv3-cqwv/GHSA-cggj-fvv3-cqwv.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.6.7.5 + versions: + - 2.0.0 + - 2.0.0-RC1 + - 2.0.0-RC2 + - 2.0.0-RC3 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cggj-fvv3-cqwv/GHSA-cggj-fvv3-cqwv.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-7489 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/1931 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/e66c0a9d3c926ff1b63bf586c824ead1d02f2a3d + 
- type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/ca2bfc86af82a1479112004b663ba74c760752e6 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/c921f0935d5e41bf206e702d8077a275ba1a6efc + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/bc22f90eb7f896ace9567598a99cb1ff6e0f9d9d + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.debian.org/security/2018/dsa-4190 + - type: WEB + url: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us + - type: WEB + url: https://security.netapp.com/advisory/ntap-20180328-0001 + - type: WEB + url: https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E + - type: ADVISORY + url: https://github.com/advisories/GHSA-cggj-fvv3-cqwv + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3149 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2858 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2939 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2938 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2090 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2089 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2088 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1786 + - type: WEB + url: 
https://access.redhat.com/errata/RHSA-2018:1451 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1450 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1449 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1448 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1447 + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html + database_specific: + cwe_ids: + - CWE-184 + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:31:30Z" + nvd_published_at: "2018-02-26T15:29:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-cjjf-94ff-43w7 + modified: 2024-03-11T05:19:23.395848Z + published: 2019-03-25T18:03:09Z + aliases: + - CVE-2018-12022 + summary: jackson-databind Deserialization of Untrusted Data vulnerability + details: An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload. 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.7.9.4 + versions: + - 2.0.0 + - 2.0.0-RC1 + - 2.0.0-RC2 + - 2.0.0-RC3 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + - 2.6.7.5 + - 2.7.0 + - 2.7.0-rc1 + - 2.7.0-rc2 + - 2.7.0-rc3 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + database_specific: + last_known_affected_version_range: <= 2.7.9.3 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-cjjf-94ff-43w7/GHSA-cjjf-94ff-43w7.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11.2 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + last_known_affected_version_range: <= 2.8.11.1 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-cjjf-94ff-43w7/GHSA-cjjf-94ff-43w7.json + - 
package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.6 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-cjjf-94ff-43w7/GHSA-cjjf-94ff-43w7.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-12022 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2052 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/bf261d404c2f79fd3406237710d40ebb03c99d84 + - type: ADVISORY + url: https://github.com/advisories/GHSA-cjjf-94ff-43w7 + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d@%3Cissues.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC + - type: WEB + url: 
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://seclists.org/bugtraq/2019/May/68 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190530-0003 + - type: WEB + url: https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf + - type: WEB + url: https://www.debian.org/security/2019/dsa-4452 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: https://access.redhat.com/errata/RHBA-2019:0959 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0782 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0877 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1106 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1107 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1108 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1140 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1782 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1797 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1822 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1823 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2804 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2858 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3002 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3140 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3149 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3892 + - type: WEB + url: 
https://access.redhat.com/errata/RHSA-2019:4037 + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=1671098 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: http://www.securityfocus.com/bid/107585 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-06-16T20:42:00Z" + nvd_published_at: "2019-03-21T16:00:12Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-cmfg-87vq-g5g4 + modified: 2024-03-15T01:18:17.903231Z + published: 2019-07-17T15:26:12Z + aliases: + - CVE-2019-12814 + summary: Deserialization of untrusted data in FasterXML jackson-databind + details: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.9.1 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-cmfg-87vq-g5g4/GHSA-cmfg-87vq-g5g4.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11.4 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-cmfg-87vq-g5g4/GHSA-cmfg-87vq-g5g4.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.7.9.6 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-cmfg-87vq-g5g4/GHSA-cmfg-87vq-g5g4.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.6.7.3 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 
2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-cmfg-87vq-g5g4/GHSA-cmfg-87vq-g5g4.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-12814 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2341 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5 + - type: WEB + url: https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e0733058c0366b703e6757d8d2a7a04b943581f659e9c271f0841dfe@%3Cnotifications.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/bf20574dbc2db255f1fd489942b5720f675e32a2c4f44eb6a36060cd@%3Ccommits.accumulo.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b148fa2e9ef468c4de00de255dd728b74e2a97d935f8ced31eb41ba2@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/b0a2b2cca072650dbd5882719976c3d353972c44f6736ddf0ba95209@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/a78239b1f11cddfa86e4edee19064c40b6272214630bfef070c37957@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/a62aa2706105d68f1c02023fe24aaa3c13b4d8a1826181fed07d9682@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/a3ae8a8c5e32c413cd27071d3a204166050bf79ce7f1299f6866338f@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/8fe2983f6d9fee0aa737e4bd24483f8f5cf9b938b9adad0c4e79b2a4@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/71f9ffd92410a889e27b95a219eaa843fd820f8550898633d85d4ea3@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/eff7280055fc717ea8129cd28a9dd57b8446d00b36260c1caee10b87@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL + 
- type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190625-0006 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2858 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2935 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2936 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2937 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2938 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3044 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3045 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3046 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3050 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3149 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3200 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3292 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3297 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/129da0204c876f746636018751a086cc581e0e07bcdeb3ee22ff5731@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/15a55e1d837fa686db493137cc0330c7ee1089ed9a9eea7ae7151ef1@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/1e04d9381c801b31ab28dec813c31c304b2a596b2a3707fa5462c5c0@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/28be28ffd6471d230943a255c36fe196a54ef5afc494a4781d16e37c@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/2ff264b6a94c5363a35c4c88fa93216f60ec54d1d973ed6b76a9f560@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/4b832d1327703d6b287a6d223307f8f884d798821209a10647e93324@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2019-07-17T14:51:50Z" 
+ nvd_published_at: "2019-06-19T14:15:10Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-cvm9-fjm9-3572 + modified: 2024-02-18T05:25:36.165759Z + published: 2021-12-09T19:16:10Z + aliases: + - CVE-2020-36181 + summary: Unsafe Deserialization in jackson-databind + details: FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS`. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.9.10.8 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.10.5 + - 2.9.10.6 + - 2.9.10.7 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-cvm9-fjm9-3572/GHSA-cvm9-fjm9-3572.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.6.7.5 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 
2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-cvm9-fjm9-3572/GHSA-cvm9-fjm9-3572.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-36181 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/3004 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b + - type: WEB + url: https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210205-0005 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + 
github_reviewed_at: "2021-03-18T23:37:23Z" + nvd_published_at: "2021-01-06T23:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-f3j5-rmmp-3fc5 + modified: 2024-03-15T05:20:35.120151Z + published: 2020-06-15T18:44:48Z + aliases: + - CVE-2019-17267 + summary: Improper Input Validation in jackson-databind + details: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10 and 2.8.11.5. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-f3j5-rmmp-3fc5/GHSA-f3j5-rmmp-3fc5.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.8.11.5 + versions: + - 2.0.0 + - 2.0.0-RC1 + - 2.0.0-RC2 + - 2.0.0-RC3 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 
2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + - 2.6.7.5 + - 2.7.0 + - 2.7.0-rc1 + - 2.7.0-rc2 + - 2.7.0-rc3 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-f3j5-rmmp-3fc5/GHSA-f3j5-rmmp-3fc5.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-17267 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2460 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20191017-0006 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9d727fc681fb3828794acbefcaee31393742b4d73a29461ccd9597a8@%3Cdev.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0445 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0164 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0161 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0160 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0159 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3200 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-06-11T21:47:17Z" + nvd_published_at: "2019-10-07T00:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-f9hv-mg5h-xcw9 + modified: 2024-03-12T05:18:23.439473Z + published: 2019-01-04T19:06:57Z + aliases: + - CVE-2018-19360 + summary: Deserialization of Untrusted Data in jackson-databind due to polymorphic deserialization + details: FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization. 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.8 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-f9hv-mg5h-xcw9/GHSA-f9hv-mg5h-xcw9.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11.3 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + last_known_affected_version_range: <= 2.8.11.2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-f9hv-mg5h-xcw9/GHSA-f9hv-mg5h-xcw9.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.7.9.5 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + database_specific: + last_known_affected_version_range: <= 2.7.9.4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-f9hv-mg5h-xcw9/GHSA-f9hv-mg5h-xcw9.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-19360 + - type: WEB + url: 
https://github.com/FasterXML/jackson-databind/issues/2186 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html + - type: WEB + url: https://seclists.org/bugtraq/2019/May/68 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190530-0003 + - type: WEB + url: https://www.debian.org/security/2019/dsa-4452 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html + - type: WEB + url: 
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: https://access.redhat.com/errata/RHBA-2019:0959 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0782 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0877 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1782 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1797 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1822 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1823 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2804 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2858 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3002 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3140 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3149 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3892 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:4037 + - type: WEB + url: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8 + - type: ADVISORY + url: https://github.com/advisories/GHSA-f9hv-mg5h-xcw9 + - type: WEB + url: https://issues.apache.org/jira/browse/TINKERPOP-2121 + - type: WEB + url: https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E + - type: WEB + url: http://www.securityfocus.com/bid/107985 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:34:16Z" + nvd_published_at: null + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-f9xh-2qgp-cq57 + modified: 2024-02-18T05:32:05.421673Z + published: 2021-12-09T19:16:42Z + aliases: + - CVE-2020-36188 + summary: Unsafe Deserialization in jackson-databind + details: FasterXML jackson-databind 2.x 
before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource`. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.9.10.8 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.10.5 + - 2.9.10.6 + - 2.9.10.7 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-f9xh-2qgp-cq57/GHSA-f9xh-2qgp-cq57.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.6.7.5 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 
2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-f9xh-2qgp-cq57/GHSA-f9xh-2qgp-cq57.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-36188 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2996 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/33d96c13fe18a2dad01b19ce195548c9acea9da4 + - type: WEB + url: https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210205-0005 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2021-03-18T23:25:02Z" + nvd_published_at: "2021-01-06T23:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-fmmc-742q-jg75 + modified: 2024-03-16T05:19:55.172981Z + published: 2019-11-13T00:32:27Z + aliases: + - CVE-2019-16943 + summary: jackson-databind polymorphic typing issue + details: A 
Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10.1 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-fmmc-742q-jg75/GHSA-fmmc-742q-jg75.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.8.11.5 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-fmmc-742q-jg75/GHSA-fmmc-742q-jg75.json + - package: + ecosystem: Maven + name: 
com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.6.7.3 + versions: + - 2.0.0 + - 2.0.0-RC1 + - 2.0.0-RC2 + - 2.0.0-RC3 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-fmmc-742q-jg75/GHSA-fmmc-742q-jg75.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-16943 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2478 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/328a0f833daf6baa443ac3b37c818a0204714b0b + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/bc67eb11a7cf57561f861ff16f879f1fceb5779f + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43 + - type: WEB + url: 
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT + - type: WEB + url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://seclists.org/bugtraq/2019/Oct/6 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20191017-0006 + - type: WEB + url: https://www.debian.org/security/2019/dsa-4542 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6@%3Cissues.iceberg.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef37312532712639712ebcdd@%3Ccommits.iceberg.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0445 
+ - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0164 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0161 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0160 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0159 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2019-11-13T00:30:39Z" + nvd_published_at: "2019-10-01T17:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-fqwf-pjwf-7vqv + modified: 2024-07-03T21:22:37.578162Z + published: 2020-05-15T18:59:04Z + aliases: + - CVE-2020-10673 + summary: jackson-databind mishandles the interaction between serialization gadgets and typing + details: FasterXML jackson-databind 2.x before 2.9.10.4 and 2.6.7.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.9.10.4 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-fqwf-pjwf-7vqv/GHSA-fqwf-pjwf-7vqv.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.6.7.4 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-fqwf-pjwf-7vqv/GHSA-fqwf-pjwf-7vqv.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-10673 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2660 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html + - type: WEB + url: https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: 
WEB + url: https://security.netapp.com/advisory/ntap-20200403-0002 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-04-22T20:59:03Z" + nvd_published_at: "2020-03-18T22:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-gjmw-vf9h-g25v + modified: 2024-03-16T05:19:37.211801Z + published: 2019-11-13T00:32:38Z + aliases: + - CVE-2019-17531 + summary: jackson-databind polymorphic typing issue + details: 'A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. 
' + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10.1 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-gjmw-vf9h-g25v/GHSA-gjmw-vf9h-g25v.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.8.11.5 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-gjmw-vf9h-g25v/GHSA-gjmw-vf9h-g25v.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.6.7.3 + versions: + - 2.0.0 + - 2.0.0-RC1 + - 2.0.0-RC2 + - 2.0.0-RC3 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + 
- 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-gjmw-vf9h-g25v/GHSA-gjmw-vf9h-g25v.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-17531 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2498 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20191024-0005 + - type: WEB + url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b3c90d38f99db546de60fea65f99a924d540fae2285f014b79606ca5@%3Ccommits.pulsar.apache.org%3E + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0445 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0164 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0161 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0160 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0159 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:4192 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2019-11-13T00:30:58Z" + nvd_published_at: "2019-10-12T21:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-gwp4-hfv6-p7hw + modified: 2024-03-13T05:27:58.436849Z + published: 2019-08-01T19:18:06Z + aliases: + - CVE-2019-14439 + summary: Deserialization of untrusted data in FasterXML jackson-databind + details: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2, 2.8.11.4, 2.7.9.6, and 2.6.7.3. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath. 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.9.2 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-gwp4-hfv6-p7hw/GHSA-gwp4-hfv6-p7hw.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11.4 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-gwp4-hfv6-p7hw/GHSA-gwp4-hfv6-p7hw.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.7.9.6 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-gwp4-hfv6-p7hw/GHSA-gwp4-hfv6-p7hw.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.6.7.3 + versions: + - 2.0.0 + - 2.0.0-RC1 
+ - 2.0.0-RC2 + - 2.0.0-RC3 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-gwp4-hfv6-p7hw/GHSA-gwp4-hfv6-p7hw.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-14439 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2389 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b + - type: WEB + url: https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html + - type: WEB + url: 
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544 + - type: WEB + url: https://seclists.org/bugtraq/2019/Oct/6 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190814-0001 + - type: WEB + url: https://www.debian.org/security/2019/dsa-4542 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3200 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2019-08-01T15:37:50Z" + nvd_published_at: "2019-07-30T11:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-gww7-p5w4-wrfv + modified: 2024-03-15T01:05:18.790961Z + published: 2020-03-04T20:52:11Z + aliases: + - CVE-2019-20330 + summary: Deserialization of Untrusted Data in jackson-databind + details: FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5, and 2.9.x before 2.9.10.2 lacks certain `net.sf.ehcache` blocking. 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.6.7.4 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + database_specific: + last_known_affected_version_range: <= 2.6.7.3 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-gww7-p5w4-wrfv/GHSA-gww7-p5w4-wrfv.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.7.9.7 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + database_specific: + last_known_affected_version_range: <= 2.7.9.6 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-gww7-p5w4-wrfv/GHSA-gww7-p5w4-wrfv.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 
2.8.11.5 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + last_known_affected_version_range: <= 2.8.11.4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-gww7-p5w4-wrfv/GHSA-gww7-p5w4-wrfv.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10.2 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.1 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-gww7-p5w4-wrfv/GHSA-gww7-p5w4-wrfv.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-20330 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2526 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/eb254813cc822d0af015ce8fe05febf50721dc53 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e + - type: WEB + url: https://lists.apache.org/thread.html/r909c822409a276ba04dc2ae31179b16f6864ba02c4f9911bdffebf95@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra2e572f568de8df5ba151e6aebb225a0629faaf0476bf7c7ed877af8@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/ra5ce96faec37c26b0aa15b4b6a8b1cbb145a748653e56ae83e9685d0@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra8a80dbc7319916946397823aec0d893d24713cbf7b5aee0e957298c@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb532fed78d031fff477fd840b81946f6d1200f93a63698dae65aa528@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd1f346227e11fc515914f3a7b20d81543e51e5822ba71baa0452634a@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd49cfa41bbb71ef33b53736a6af2aa8ba88c2106e30f2a34902a87d2@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd6c6fef14944f3dcfb58d35f9317eb1c32a700e86c1b5231e45d3d0b@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfa57d9c2a27d3af14c69607fb1a3da00e758b2092aa88eb6a51b6e99@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/02/msg00020.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200127-0004 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.10.1...jackson-databind-2.9.10.2 + - type: WEB + url: https://lists.apache.org/thread.html/r107c8737db39ec9ec4f4e7147b249e29be79170b9ef4b80528105a2d@%3Cdev.zookeeper.apache.org%3E + 
- type: WEB + url: https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2c77dd6ab8344285bd8e481b57cf3029965a4b0036eefccef74cdd44@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3f8180d0d25a7c6473ebb9714b0c1d19a73f455ae70d0c5fefc17e6c@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r428735963bee7cb99877b88d3228e28ec28af64646455c4f3e7a3c94@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r50f513772f12e1babf65c7c2b9c16425bac2d945351879e2e267517f@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5c14fdcabdeaba258857bcb67198652e4dce1d33ddc590cd81d82393@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5c3644c97f0434d1ceb48ff48897a67bdbf3baf7efbe7d04625425b3@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5d3d10fdf28110da3f9ac1b7d08d7e252f98d7d37ce0a6bd139a2e4f@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r67f4d4c48197454b83d62afbed8bebbda3764e6e3a6e26a848961764@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r707d23bb9ee245f50aa909add0da6e8d8f24719b1278ddd99d2428b2@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7a0821b44247a1e6c6fe5f2943b90ebc4f80a8d1fb0aa9a8b29a59a2@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7fb123e7dad49af5886cfec7135c0fd5b74e4c67af029e1dc91ba744@%3Ccommits.druid.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r8831b7fa5ca87a1cf23ee08d6dedb7877a964c1d2bd869af24056a63@%3Ccommits.zookeeper.apache.org%3E + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-02-25T02:46:33Z" + nvd_published_at: "2020-01-03T04:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-h3cw-g4mq-c5x2 + modified: 2024-02-18T05:30:45.329621Z + published: 2021-12-09T19:14:51Z + aliases: + - CVE-2020-24616 + summary: Code Injection in jackson-databind + details: This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.9.10.6 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + - 2.6.7.5 + - 2.7.0 + - 2.7.0-rc1 + - 2.7.0-rc2 + - 2.7.0-rc3 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 
+ - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.10.5 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.5 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-h3cw-g4mq-c5x2/GHSA-h3cw-g4mq-c5x2.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-24616 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2814 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/3d97153944f7de9c19c1b3637b33d3cf1fbbe4d7 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html + - type: WEB + url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200904-0006 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + - CWE-94 + github_reviewed: true + 
github_reviewed_at: "2021-04-27T17:38:11Z" + nvd_published_at: "2020-08-25T18:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-h4rc-386g-6m85 + modified: 2024-03-15T00:46:40.266775Z + published: 2020-04-23T20:19:02Z + aliases: + - CVE-2020-11620 + summary: jackson-databind mishandles the interaction between serialization gadgets and typing + details: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly). + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10.4 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.3 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-h4rc-386g-6m85/GHSA-h4rc-386g-6m85.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-11620 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2682 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/77040d85e3eb6710508e6445640ae1a3d5e60c22 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: 
https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html + - type: WEB + url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200511-0004 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-04-22T21:17:03Z" + nvd_published_at: "2020-04-07T23:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-h592-38cm-4ggp + modified: 2024-03-15T01:16:50.905794Z + published: 2018-10-18T17:42:34Z + aliases: + - CVE-2017-15095 + summary: jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution + details: jackson-databind in versions prior to 2.8.11 and 2.9.4 contain a deserialization flaw which allows an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525, blacklisting additonal vulnerable classes. 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-h592-38cm-4ggp/GHSA-h592-38cm-4ggp.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.4 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-h592-38cm-4ggp/GHSA-h592-38cm-4ggp.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.6.7.3 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-h592-38cm-4ggp/GHSA-h592-38cm-4ggp.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.7.9.2 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-h592-38cm-4ggp/GHSA-h592-38cm-4ggp.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-15095 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/1680 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/1737 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/a054585e2175ad0882f07bcafedecfac86230f1b + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/a3939d36edcc755c8af55bdc1969e0fa8438f9db + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/ddfddfba6414adbecaff99684ef66eebd3a92e92 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/e865a7a4464da63ded9f4b1a2328ad85c9ded78b + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/e8f043d1aac9b82eee907e0f0c3abbdea723a935 + - type: WEB + url: https://github.com/tolbertam/jackson-databind/commit/80566a0f96b2003863f9d8f9ccc3b562001e147b + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:3189 + - type: WEB + url: https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html + - type: 
WEB + url: https://security.netapp.com/advisory/ntap-20171214-0003 + - type: WEB + url: https://web.archive.org/web/20200401000000*/http://www.securityfocus.com/bid/103880 + - type: WEB + url: https://web.archive.org/web/20201221192044/http://www.securitytracker.com/id/1039769 + - type: WEB + url: https://www.debian.org/security/2017/dsa-4037 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:3190 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0342 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0478 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0479 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0480 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0481 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0576 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0577 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1447 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1448 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1449 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1450 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1451 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2927 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2858 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3149 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3892 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html + - type: WEB + url: 
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html + database_specific: + cwe_ids: + - CWE-184 + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:38:56Z" + nvd_published_at: "2018-02-06T15:29:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-h822-r4r5-v8jg + modified: 2024-07-04T22:14:29.999145Z + published: 2019-09-23T18:33:25Z + aliases: + - CGA-2vh6-9p6m-f98h + - CVE-2019-14540 + summary: Polymorphic Typing issue in FasterXML jackson-databind + details: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10, 2.8.11.5, and 2.6.7.3. It is related to `com.zaxxer.hikari.HikariConfig`. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-h822-r4r5-v8jg/GHSA-h822-r4r5-v8jg.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.8.11.5 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 
2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-h822-r4r5-v8jg/GHSA-h822-r4r5-v8jg.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.6.7.3 + versions: + - 2.0.0 + - 2.0.0-RC1 + - 2.0.0-RC2 + - 2.0.0-RC3 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-h822-r4r5-v8jg/GHSA-h822-r4r5-v8jg.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-14540 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2410 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2449 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3200 + - type: WEB + url: 
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8aaf4ee16bbaf6204731d4770d96ebb34b258cd79b491f9cdd7f2540@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT + - type: WEB + url: https://seclists.org/bugtraq/2019/Oct/6 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20191004-0002 + - type: WEB + url: https://www.debian.org/security/2019/dsa-4542 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0159 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0160 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0161 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0164 + - type: WEB + 
url: https://access.redhat.com/errata/RHSA-2020:0445 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x + - type: WEB + url: https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd77df28db597cbf27e1@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/a360b46061c91c5cad789b6c3190aef9b9f223a2b75c9c9f046fe016@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/a4f2c9fb36642a48912cdec6836ec00e497427717c5d377f8d7ccce6@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ad0d238e97a7da5eca47a014f0f7e81f440ed6bf74a93183825e18b9@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/dc6b5cad721a4f6b3b62ed1163894941140d9d5656140fb757505ca0@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e90c3feb21702e68a8c08afce37045adb3870f2bf8223fa403fb93fb@%3Ccommits.hbase.apache.org%3E + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2019-09-19T09:23:48Z" + nvd_published_at: "2019-09-15T22:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-j823-4qch-3rgm + modified: 2024-03-15T00:46:13.294633Z + published: 2020-06-18T14:44:46Z + 
aliases: + - CVE-2020-14060 + summary: Deserialization of untrusted data in Jackson Databind + details: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10.5 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-j823-4qch-3rgm/GHSA-j823-4qch-3rgm.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-14060 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2688 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/ac7232e3f9004bdb4f11dcb5bc6c1fadf074f5f7 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html + - type: WEB + url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200702-0003 + - type: WEB + url: 
https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-06-18T13:05:54Z" + nvd_published_at: "2020-06-14T21:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-jjjh-jjxp-wpff + modified: 2024-03-15T00:32:17.50879Z + published: 2022-10-03T00:00:31Z + aliases: + - CVE-2022-42003 + summary: Uncontrolled Resource Consumption in Jackson-databind + details: "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.\n\nCommits that introduced vulnerable code are \nhttps://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc.\n\nFix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33." 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.4.0-rc1 + - fixed: 2.12.7.1 + versions: + - 2.10.0 + - 2.10.0.pr1 + - 2.10.0.pr2 + - 2.10.0.pr3 + - 2.10.1 + - 2.10.2 + - 2.10.3 + - 2.10.4 + - 2.10.5 + - 2.10.5.1 + - 2.11.0 + - 2.11.0.rc1 + - 2.11.1 + - 2.11.2 + - 2.11.3 + - 2.11.4 + - 2.12.0 + - 2.12.0-rc1 + - 2.12.0-rc2 + - 2.12.1 + - 2.12.2 + - 2.12.3 + - 2.12.4 + - 2.12.5 + - 2.12.6 + - 2.12.6.1 + - 2.12.7 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + - 2.6.7.5 + - 2.7.0 + - 2.7.0-rc1 + - 2.7.0-rc2 + - 2.7.0-rc3 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.10.5 + - 2.9.10.6 + - 2.9.10.7 + - 2.9.10.8 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-jjjh-jjxp-wpff/GHSA-jjjh-jjxp-wpff.json + - package: + ecosystem: 
Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.13.0 + - fixed: 2.13.4.2 + versions: + - 2.13.0 + - 2.13.1 + - 2.13.2 + - 2.13.2.1 + - 2.13.2.2 + - 2.13.3 + - 2.13.4 + - 2.13.4.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-jjjh-jjxp-wpff/GHSA-jjjh-jjxp-wpff.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-42003 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/3590 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/3627 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33 + - type: WEB + url: https://www.debian.org/security/2022/dsa-5283 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20221124-0004 + - type: WEB + url: https://security.gentoo.org/glsa/202210-21 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html + - type: WEB + url: https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.13.4.1...jackson-databind-2.13.4.2 + - type: WEB + url: 
https://github.com/FasterXML/jackson-databind/commits/jackson-databind-2.4.0-rc1?after=75b97b8519f0d50c62523ad85170d80a197a2c86+174&branch=jackson-databind-2.4.0-rc1&qualified_name=refs%2Ftags%2Fjackson-databind-2.4.0-rc1 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/blob/2.13/release-notes/VERSION-2.x + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020 + database_specific: + cwe_ids: + - CWE-400 + - CWE-502 + github_reviewed: true + github_reviewed_at: "2022-10-04T21:55:46Z" + nvd_published_at: "2022-10-02T05:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-m6x4-97wx-4q27 + modified: 2024-02-18T05:21:54.725837Z + published: 2021-12-09T19:16:26Z + aliases: + - CVE-2020-36184 + summary: Unsafe Deserialization in jackson-databind + details: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.9.10.8 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + - 2.6.7.5 + - 2.7.0 + - 2.7.0-rc1 + - 2.7.0-rc2 + - 2.7.0-rc3 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.10.5 + - 2.9.10.6 + - 2.9.10.7 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-m6x4-97wx-4q27/GHSA-m6x4-97wx-4q27.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: 
ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-36184 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2998 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/567194c53ae91f0a14dc27239afb739b1c10448a + - type: WEB + url: https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210205-0005 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2021-03-18T23:30:19Z" + nvd_published_at: "2021-01-06T23:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-mc6h-4qgp-37qh + modified: 2024-03-15T00:47:36.920636Z + published: 2020-06-18T14:44:43Z + aliases: + - CVE-2020-14195 + summary: Deserialization of untrusted data in Jackson Databind + details: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10.5 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mc6h-4qgp-37qh/GHSA-mc6h-4qgp-37qh.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-14195 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2765 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200702-0003 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-06-18T13:05:45Z" + nvd_published_at: "2020-06-16T16:15:00Z" + severity: HIGH + - 
schema_version: 1.6.0 + id: GHSA-mph4-vhrx-mv67 + modified: 2024-03-15T01:16:21.467932Z + published: 2019-07-05T21:07:27Z + aliases: + - CVE-2019-12384 + summary: Deserialization of Untrusted Data in FasterXML jackson-databind + details: FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.9.1 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-mph4-vhrx-mv67/GHSA-mph4-vhrx-mv67.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11.4 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-mph4-vhrx-mv67/GHSA-mph4-vhrx-mv67.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.7.9.6 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 
+ - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-mph4-vhrx-mv67/GHSA-mph4-vhrx-mv67.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.6.7.3 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-mph4-vhrx-mv67/GHSA-mph4-vhrx-mv67.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-12384 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2334 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/c9ef4a10d6f6633cf470d6a469514b68fa2be234 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1820 + - type: WEB + url: https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e0733058c0366b703e6757d8d2a7a04b943581f659e9c271f0841dfe@%3Cnotifications.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC + - type: WEB + url: https://seclists.org/bugtraq/2019/Oct/6 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190703-0002 + - type: WEB + url: 
https://www.debian.org/security/2019/dsa-4542 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2720 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2858 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2935 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2936 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2937 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2938 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2998 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3149 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3200 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3292 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3297 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3901 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:4352 + - type: WEB + url: https://blog.doyensec.com/2019/07/22/jackson-gadgets.html + - type: WEB + url: https://doyensec.com/research.html + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://github.com/FasterXML/jackson-databind/compare/74b90a4...a977aad + - type: WEB + url: https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2019-06-27T11:07:42Z" + nvd_published_at: "2019-06-24T16:15:15Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-mx7p-6679-8g3q + modified: 2024-03-15T01:01:46.432481Z + published: 2019-10-28T20:51:15Z + aliases: + - CVE-2019-16942 + summary: Polymorphic Typing in FasterXML jackson-databind + details: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10.1 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-mx7p-6679-8g3q/GHSA-mx7p-6679-8g3q.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.8.11.5 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-mx7p-6679-8g3q/GHSA-mx7p-6679-8g3q.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.6.7.3 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 
2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-mx7p-6679-8g3q/GHSA-mx7p-6679-8g3q.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-16942 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2478 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/328a0f833daf6baa443ac3b37c818a0204714b0b + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/54aa38d87dcffa5ccc23e64922e9536c82c1b9c8 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/bc67eb11a7cf57561f861ff16f879f1fceb5779f + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT + - type: WEB + url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://seclists.org/bugtraq/2019/Oct/6 + - type: WEB + url: 
https://security.netapp.com/advisory/ntap-20191017-0006 + - type: WEB + url: https://www.debian.org/security/2019/dsa-4542 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b2e23c94f9dfef53e04c492e5d02e5c75201734be7adc73a49ef2370@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/a430dbc9be874c41314cc69e697384567a9a24025e819d9485547954@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/7782a937c9259a58337ee36b2961f00e2d744feafc13084e176d0df5@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://issues.apache.org/jira/browse/GEODE-7255 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0445 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0164 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0161 + - type: WEB + url: 
https://access.redhat.com/errata/RHSA-2020:0160 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0159 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3901 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2019-10-28T19:19:01Z" + nvd_published_at: "2019-10-01T17:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-mx9v-gmh4-mgqw + modified: 2024-03-14T05:32:02.133724Z + published: 2019-01-04T19:07:01Z + aliases: + - CVE-2018-19361 + summary: Deserialization of Untrusted Data in jackson-databind + details: FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.7.9.5 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + database_specific: + last_known_affected_version_range: <= 2.7.9.4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-mx9v-gmh4-mgqw/GHSA-mx9v-gmh4-mgqw.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.8 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-mx9v-gmh4-mgqw/GHSA-mx9v-gmh4-mgqw.json + - package: + ecosystem: Maven + name: 
com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11.3 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + last_known_affected_version_range: <= 2.8.11.2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-mx9v-gmh4-mgqw/GHSA-mx9v-gmh4-mgqw.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-19361 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2186 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html + - type: WEB + url: https://seclists.org/bugtraq/2019/May/68 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190530-0003 + - type: WEB + url: https://www.debian.org/security/2019/dsa-4452 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: https://access.redhat.com/errata/RHBA-2019:0959 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0782 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0877 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1782 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1797 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1822 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1823 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2804 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2858 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3002 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3140 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3149 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3892 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:4037 + - type: WEB + url: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8 + - type: 
ADVISORY + url: https://github.com/advisories/GHSA-mx9v-gmh4-mgqw + - type: WEB + url: https://issues.apache.org/jira/browse/TINKERPOP-2121 + - type: WEB + url: https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E + - type: WEB + url: http://www.securityfocus.com/bid/107985 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:47:38Z" + nvd_published_at: null + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-p43x-xfjf-5jhr + modified: 2024-03-15T00:33:14.700288Z + published: 2020-05-15T18:59:01Z + aliases: + - CVE-2020-9548 + summary: jackson-databind mishandles the interaction between serialization gadgets and typing + details: FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10.4 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-p43x-xfjf-5jhr/GHSA-p43x-xfjf-5jhr.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11.6 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.2 + - 
2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-p43x-xfjf-5jhr/GHSA-p43x-xfjf-5jhr.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.7.9.7 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + - 2.6.7.5 + - 2.7.0 + - 2.7.0-rc1 + - 2.7.0-rc2 + - 2.7.0-rc3 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-p43x-xfjf-5jhr/GHSA-p43x-xfjf-5jhr.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-9548 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2634 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/1e64db6a2fad331f96c7363fda3bc5f3dffa25bb + - type: WEB + url: 
https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200904-0006 + - type: WEB + url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + database_specific: + cwe_ids: + - CWE-502 + 
github_reviewed: true + github_reviewed_at: "2020-04-23T19:24:13Z" + nvd_published_at: "2020-03-02T04:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-q93h-jc49-78gg + modified: 2024-03-16T05:19:47.711015Z + published: 2020-05-15T18:59:10Z + aliases: + - CVE-2020-9547 + summary: jackson-databind mishandles the interaction between serialization gadgets and typing + details: FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`). + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10.4 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-q93h-jc49-78gg/GHSA-q93h-jc49-78gg.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11.6 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-q93h-jc49-78gg/GHSA-q93h-jc49-78gg.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: 
pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.7.9.7 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + - 2.6.7.5 + - 2.7.0 + - 2.7.0-rc1 + - 2.7.0-rc2 + - 2.7.0-rc3 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-q93h-jc49-78gg/GHSA-q93h-jc49-78gg.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-9547 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2634 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200904-0006 + - type: WEB + 
url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/redbe4f1e21bf080f637cf9fbec47729750a2f443a919765360337428@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd0e958d6d5c5ee16efed73314cd0e445c8dbb4bdcc80fc9d1d6c11fc@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc0d5d0f72da1ed6fc5e438b1ddb3fa090c73006b55f873cf845375ab@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra3e90712f2d59f8cef03fa796f5adf163d32b81fe7b95385f21790e6@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r893a0104e50c1c2559eb9a5812add28ae8c3e5f43712947a9847ec18@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r742ef70d126548dcf7de5be5779355c9d76a9aec71d7a9ef02c6398a@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4accb2e0de9679174efd3d113a059bab71ff3ec53e882790d21c1cc1@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-04-22T20:58:56Z" + nvd_published_at: "2020-03-02T04:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-qjw2-hr98-qgfh + modified: 2024-02-18T05:20:56.89447Z + published: 2021-12-09T19:15:36Z + aliases: + - CVE-2020-24750 + summary: Unsafe Deserialization in jackson-databind + details: FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: "2.0" + - fixed: 2.6.7.5 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + database_specific: + last_known_affected_version_range: <= 2.6.7.4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-qjw2-hr98-qgfh/GHSA-qjw2-hr98-qgfh.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.9.10.6 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.10.5 + - 2.9.2 + - 2.9.3 
+ - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.5 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-qjw2-hr98-qgfh/GHSA-qjw2-hr98-qgfh.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-24750 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2798 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/2118e71325486c68f089a9761c9d8a11b4ddd1cb + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/6cc9f1a1af323cd156f5668a47e43bab324ae16f + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/ad5a630174f08d279504bc51ebba8772fd71b86b + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20201009-0003 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2021-03-18T23:41:09Z" + nvd_published_at: "2020-09-17T19:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-qmqc-x3r4-6v39 + modified: 2024-02-16T08:19:01.021763Z + published: 2020-05-15T18:59:07Z + aliases: + - CVE-2019-14893 + summary: Polymorphic deserialization of malicious object in 
jackson-databind + details: A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-qmqc-x3r4-6v39/GHSA-qmqc-x3r4-6v39.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-14893 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2469 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/998efd708284778f29d83d7962a9bd935c228317 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0729 + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893 + - type: WEB + url: https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200327-0006 + - type: WEB + url: 
https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-04-22T20:58:45Z" + nvd_published_at: "2020-03-02T21:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-qr7j-h6gg-jmgc + modified: 2024-03-11T05:21:14.31398Z + published: 2019-07-16T17:42:21Z + aliases: + - CVE-2018-11307 + summary: Deserialization of Untrusted Data in jackson-databind + details: An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.7.9.4 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + - 2.6.7.5 + - 2.7.0 + - 2.7.0-rc1 + - 2.7.0-rc2 + - 2.7.0-rc3 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + database_specific: + last_known_affected_version_range: <= 2.7.9.3 + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-qr7j-h6gg-jmgc/GHSA-qr7j-h6gg-jmgc.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11.2 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + last_known_affected_version_range: <= 2.8.11.1 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-qr7j-h6gg-jmgc/GHSA-qr7j-h6gg-jmgc.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.6 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-qr7j-h6gg-jmgc/GHSA-qr7j-h6gg-jmgc.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-11307 + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-7525 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2032 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/051bd5e447fbc9539e12a4fe90eb989dba0c656 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb73 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/78e78738d69adcb59fdac9fc12d9053ce8809f3d + - type: WEB + url: 
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d@%3Cissues.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:4037 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3892 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3149 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3140 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3002 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2858 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2804 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1823 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1822 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0782 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2019-07-16T00:41:07Z" + nvd_published_at: "2019-07-09T16:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-qxxx-2pp7-5hmx + 
modified: 2024-03-11T05:19:49.08006Z + published: 2018-10-16T17:21:35Z + aliases: + - CVE-2017-7525 + summary: jackson-databind is vulnerable to a deserialization flaw + details: A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.6.7.1 + versions: + - 2.0.0 + - 2.0.0-RC1 + - 2.0.0-RC2 + - 2.0.0-RC3 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + database_specific: + last_known_affected_version_range: <= 2.6.7.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qxxx-2pp7-5hmx/GHSA-qxxx-2pp7-5hmx.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.7.9.1 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + database_specific: + last_known_affected_version_range: <= 
2.7.9.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qxxx-2pp7-5hmx/GHSA-qxxx-2pp7-5hmx.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.9 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qxxx-2pp7-5hmx/GHSA-qxxx-2pp7-5hmx.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-7525 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/1723 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/1599 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/fd8dec2c7fab8b4b4bd60502a0f1d63ec23c24da + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/fa87c1ddbe803ebb7295f5c2ebfe38e12f6e6162 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/3bfbb835e530055c1941ddf87fde0b08d08dcd38 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/680d75b011edd67a2d2a2e9980998a968194c2ef + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/6ce32ffd18facac6abdbbf559c817b47fcb622c1 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/90042692085deeb05ae75c569c9909f7dba24415 + - type: ADVISORY + url: https://github.com/advisories/GHSA-qxxx-2pp7-5hmx + - type: WEB + url: 
https://lists.apache.org/thread.html/3c87dc8bca99a2b3b4743713b33d1de05b1d6b761fdf316224e9c81f@%3Cdev.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5008bcbd45ee65ce39e4220b6ac53d28a24d6bc67d5804e9773a7399@%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b1f33fe5ade396bb903fdcabe9f243f7692c7dfce5418d3743c2d346@%3Cdev.lucene.apache.org%3E + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.debian.org/security/2017/dsa-4004 + - type: WEB + url: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us + - type: WEB + url: https://security.netapp.com/advisory/ntap-20171214-0002 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html + - type: WEB + url: https://lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589@%3Cissues.spark.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f60afd3c7e9ebaaf70fad4a4beb75cf8740ac959017a31e7006c7486@%3Cdev.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/c9d5ff20929e8a3c8794facf4c4b326a9c10618812eec356caa20b87@%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/c2ed4c0126b43e324cf740012a0edd371fd36096fd777be7bfe7a2a6@%3Cdev.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/c10a2bf0fdc3d25faf17bd191d6ec46b29a353fa9c97bebd7c4e5913@%3Cdev.lucene.apache.org%3E + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:1834 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:1835 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:1836 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:1837 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:1839 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:1840 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:2477 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:2546 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:2547 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:2633 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:2635 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:2636 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:2637 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:2638 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:3141 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:3454 + - type: WEB + url: 
https://access.redhat.com/errata/RHSA-2017:3455 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:3456 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:3458 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0294 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0342 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1449 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1450 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0910 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2858 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3149 + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=1462702 + - type: WEB + url: https://cwiki.apache.org/confluence/display/WW/S2-055 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html + database_specific: + cwe_ids: + - CWE-184 + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:53:14Z" + nvd_published_at: "2018-02-06T15:29:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-r3gr-cxrf-hg25 + modified: 2024-06-25T14:20:21.32305Z + published: 2021-12-09T19:15:11Z + aliases: + - CVE-2020-35491 + summary: Serialization gadgets exploit in jackson-databind + details: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.9.10.8 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + - 2.6.7.5 + - 2.7.0 + - 2.7.0-rc1 + - 2.7.0-rc2 + - 2.7.0-rc3 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.10.5 + - 2.9.10.6 + - 2.9.10.7 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.7 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-r3gr-cxrf-hg25/GHSA-r3gr-cxrf-hg25.json + severity: + - type: CVSS_V3 + score: 
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-35491 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2986 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/41b8bdb5ccc1d8edb71acf1c8234da235a24249d + - type: WEB + url: https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210122-0005 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + - CWE-913 + github_reviewed: true + github_reviewed_at: "2021-04-08T21:05:38Z" + nvd_published_at: "2020-12-17T19:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-r695-7vr9-jgc2 + modified: 2024-02-18T05:30:45.856594Z + published: 2021-12-09T19:16:51Z + aliases: + - CVE-2020-36187 + summary: Unsafe Deserialization in jackson-databind + details: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.9.10.8 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + - 2.6.7.5 + - 2.7.0 + - 2.7.0-rc1 + - 2.7.0-rc2 + - 2.7.0-rc3 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.10.5 + - 2.9.10.6 + - 2.9.10.7 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-r695-7vr9-jgc2/GHSA-r695-7vr9-jgc2.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: 
ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-36187 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2997 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1 + - type: WEB + url: https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210205-0005 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2021-03-18T23:23:27Z" + nvd_published_at: "2021-01-06T23:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-rf6r-2c4q-2vwg + modified: 2024-03-15T01:05:13.129194Z + published: 2020-05-15T18:58:54Z + aliases: + - CVE-2020-10968 + summary: jackson-databind mishandles the interaction between serialization gadgets and typing + details: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10.4 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.3 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-rf6r-2c4q-2vwg/GHSA-rf6r-2c4q-2vwg.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-10968 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2662 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/05d7e0e13f43e12db6a51726df12c8b4d8040676 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88 + - type: WEB + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html + - type: WEB + url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200403-0002 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-04-23T19:30:49Z" + nvd_published_at: 
"2020-03-26T13:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-rfx6-vp9g-rh7v + modified: 2024-03-11T05:17:47.425595Z + published: 2018-10-18T17:42:48Z + aliases: + - CVE-2017-17485 + summary: jackson-databind vulnerable to remote code execution due to incorrect deserialization and blocklist bypass + details: FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.4 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-rfx6-vp9g-rh7v/GHSA-rfx6-vp9g-rh7v.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-rfx6-vp9g-rh7v/GHSA-rfx6-vp9g-rh7v.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.7.9.2 + versions: + - 2.0.0 + 
- 2.0.0-RC1 + - 2.0.0-RC2 + - 2.0.0-RC3 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + - 2.6.7.5 + - 2.7.0 + - 2.7.0-rc1 + - 2.7.0-rc2 + - 2.7.0-rc3 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-rfx6-vp9g-rh7v/GHSA-rfx6-vp9g-rh7v.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-17485 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/1855 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/10fe7f17ea7c8da2a71e7a0c774b420a1d5c1b50 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/459107dccc9b3ea991af3e6ad0953e54b01ef7c1 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/4f16f67ebd22c7522fdbb8a7eb87e3026a807d61 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/978798382ceb72229e5036aa1442943933d6d171 + - type: WEB + url: 
https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/eb217dd0f87c5fb471e0668575644aa7eba9a3d3 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://github.com/irsl/jackson-rce-via-spel + - type: WEB + url: https://security.netapp.com/advisory/ntap-20180201-0003 + - type: WEB + url: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us + - type: WEB + url: https://web.archive.org/web/20200927162225/http://www.securityfocus.com/archive/1/541652/100/0/threaded + - type: WEB + url: https://www.debian.org/security/2018/dsa-4114 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0116 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0342 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0478 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0479 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0480 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0481 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1447 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1448 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1449 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1450 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1451 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2930 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1782 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1797 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2858 + - type: WEB + url: 
https://access.redhat.com/errata/RHSA-2019:3149 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3892 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:54:38Z" + nvd_published_at: "2018-01-10T18:29:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-rgv9-q543-rqg4 + modified: 2024-03-14T23:46:09.729455Z + published: 2022-10-03T00:00:31Z + aliases: + - CVE-2022-42004 + summary: Uncontrolled Resource Consumption in FasterXML jackson-databind + details: In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.12.7.1 + versions: + - 2.0.0 + - 2.0.0-RC1 + - 2.0.0-RC2 + - 2.0.0-RC3 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.10.0 + - 2.10.0.pr1 + - 2.10.0.pr2 + - 2.10.0.pr3 + - 2.10.1 + - 2.10.2 + - 2.10.3 + - 2.10.4 + - 2.10.5 + - 2.10.5.1 + - 2.11.0 + - 2.11.0.rc1 + - 2.11.1 + - 2.11.2 + - 2.11.3 + - 2.11.4 + - 2.12.0 + - 2.12.0-rc1 + - 2.12.0-rc2 + - 2.12.1 + - 2.12.2 + - 2.12.3 + - 2.12.4 + - 2.12.5 + - 2.12.6 + - 2.12.6.1 + - 2.12.7 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + 
- 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + - 2.6.7.5 + - 2.7.0 + - 2.7.0-rc1 + - 2.7.0-rc2 + - 2.7.0-rc3 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.10.5 + - 2.9.10.6 + - 2.9.10.7 + - 2.9.10.8 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-rgv9-q543-rqg4/GHSA-rgv9-q543-rqg4.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.13.0 + - fixed: 2.13.4 + versions: + - 2.13.0 + - 2.13.1 + - 2.13.2 + - 2.13.2.1 + - 2.13.2.2 + - 2.13.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-rgv9-q543-rqg4/GHSA-rgv9-q543-rqg4.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-42004 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/3582 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88 + - type: WEB + url: 
https://github.com/FasterXML/jackson-databind/commit/35de19e7144c4df8ab178b800ba86e80c3d84252 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea + - type: WEB + url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html + - type: WEB + url: https://security.gentoo.org/glsa/202210-21 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20221118-0008 + - type: WEB + url: https://www.debian.org/security/2022/dsa-5283 + database_specific: + cwe_ids: + - CWE-400 + - CWE-502 + github_reviewed: true + github_reviewed_at: "2022-10-04T21:56:21Z" + nvd_published_at: "2022-10-02T05:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-rpr3-cw39-3pxh + modified: 2024-02-17T05:35:59.864022Z + published: 2022-07-15T19:41:47Z + aliases: + - CVE-2020-10650 + summary: jackson-databind before 2.9.10.4 vulnerable to unsafe deserialization + details: The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class `ignite-jta`. 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.9.10.4 + versions: + - 2.0.0 + - 2.0.0-RC1 + - 2.0.0-RC2 + - 2.0.0-RC3 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + - 2.6.7.5 + - 2.7.0 + - 2.7.0-rc1 + - 2.7.0-rc2 + - 2.7.0-rc3 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.3 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-rpr3-cw39-3pxh/GHSA-rpr3-cw39-3pxh.json + severity: + - type: CVSS_V3 + score: 
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-10650 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2658 + - type: WEB + url: https://github.com/luisgarciacheckmarx/LGV_onefile/issues/19 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/pull/2864 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html + - type: WEB + url: https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20230818-0007 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2022.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2022-07-15T19:41:47Z" + nvd_published_at: "2022-12-26T20:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-v3xw-c963-f5hc + modified: 2024-02-16T08:09:27.960507Z + published: 2020-05-15T18:58:50Z + aliases: + - CVE-2020-11111 + summary: jackson-databind mishandles the interaction between serialization gadgets and typing + details: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms). 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.10.4 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.3 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-v3xw-c963-f5hc/GHSA-v3xw-c963-f5hc.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-11111 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2664 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html + - type: WEB + url: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200403-0002 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-04-23T19:31:18Z" + nvd_published_at: "2020-03-31T05:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-v585-23hc-c647 + modified: 2024-02-18T05:22:38.02446Z + published: 2021-11-19T20:13:06Z + aliases: + - CVE-2020-36186 + summary: Unsafe Deserialization in 
jackson-databind + details: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource`. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.9.10.8 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + - 2.6.7.5 + - 2.7.0 + - 2.7.0-rc1 + - 2.7.0-rc2 + - 2.7.0-rc3 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.10.5 + - 2.9.10.6 + - 2.9.10.7 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-v585-23hc-c647/GHSA-v585-23hc-c647.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-36186 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2997 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1 + - type: WEB + url: https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210205-0005 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2021-03-18T23:16:26Z" + nvd_published_at: "2021-01-06T23:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-vfqx-33qm-g869 + modified: 2024-02-18T05:24:26.785781Z + published: 2021-12-09T19:16:59Z + aliases: + - CVE-2020-36189 + summary: Unsafe Deserialization in jackson-databind + details: FasterXML jackson-databind 2.x before 2.9.10.8 an 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. 
+ affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.9.10.8 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.10.5 + - 2.9.10.6 + - 2.9.10.7 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-vfqx-33qm-g869/GHSA-vfqx-33qm-g869.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.6.7.5 + versions: + - 2.0.0 + - 2.0.0-RC1 + - 2.0.0-RC2 + - 2.0.0-RC3 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 
2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-vfqx-33qm-g869/GHSA-vfqx-33qm-g869.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-36189 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2996 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/33d96c13fe18a2dad01b19ce195548c9acea9da4 + - type: WEB + url: https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210205-0005 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2021-03-18T23:14:22Z" + nvd_published_at: "2021-01-06T23:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-w3f4-3q6j-rh82 + modified: 2024-03-11T05:18:22.727055Z + published: 2020-06-30T20:40:50Z + aliases: + - CVE-2018-5968 + summary: Deserialization of Untrusted Data in jackson-databind + details: FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an 
incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11.1 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + last_known_affected_version_range: < 2.8.11 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-w3f4-3q6j-rh82/GHSA-w3f4-3q6j-rh82.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.4 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-w3f4-3q6j-rh82/GHSA-w3f4-3q6j-rh82.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.7.9.5 + versions: + - 2.0.0 + - 2.0.0-RC1 + - 2.0.0-RC2 + - 2.0.0-RC3 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + 
- 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + - 2.6.7.5 + - 2.7.0 + - 2.7.0-rc1 + - 2.7.0-rc2 + - 2.7.0-rc3 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-w3f4-3q6j-rh82/GHSA-w3f4-3q6j-rh82.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-5968 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/1899 + - type: WEB + url: https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/454be8bb8c913be18298327a84ca45a280b61605 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d0 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/03ea0bec6293d4330b5ad19d1d62aca0e3cb6381 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.debian.org/security/2018/dsa-4114 + - type: WEB + url: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us + - type: WEB + url: https://security.netapp.com/advisory/ntap-20180423-0002 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3149 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2858 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1525 + - type: WEB + url: 
https://access.redhat.com/errata/RHSA-2018:0481 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0480 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0479 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0478 + database_specific: + cwe_ids: + - CWE-184 + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-06-30T20:40:31Z" + nvd_published_at: "2018-01-22T04:29:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-wh8g-3j2c-rqj5 + modified: 2024-03-15T00:31:15.123603Z + published: 2021-12-09T19:15:00Z + aliases: + - CVE-2020-35490 + summary: Serialization gadgets exploit in jackson-databind + details: FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.9.10.8 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.2.0 + - 2.2.0-rc1 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - 2.3.0 + - 2.3.0-rc1 + - 2.3.1 + - 2.3.2 + - 2.3.3 + - 2.3.4 + - 2.3.5 + - 2.4.0 + - 2.4.0-rc1 + - 2.4.0-rc2 + - 2.4.0-rc3 + - 2.4.1 + - 2.4.1.1 + - 2.4.1.2 + - 2.4.1.3 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.5.1 + - 2.4.6 + - 2.4.6.1 + - 2.5.0 + - 2.5.0-rc1 + - 2.5.1 + - 2.5.2 + - 2.5.3 + - 2.5.4 + - 2.5.5 + - 2.6.0 + - 2.6.0-rc1 + - 2.6.0-rc2 + - 2.6.0-rc3 + - 2.6.0-rc4 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.6.6 + - 2.6.7 + - 2.6.7.1 + - 2.6.7.2 + - 2.6.7.3 + - 2.6.7.4 + - 2.6.7.5 + - 2.7.0 + - 2.7.0-rc1 + - 2.7.0-rc2 + - 2.7.0-rc3 + - 2.7.1 + - 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + 
- 2.7.9.4 + - 2.7.9.5 + - 2.7.9.6 + - 2.7.9.7 + - 2.8.0 + - 2.8.0.rc1 + - 2.8.0.rc2 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.11.3 + - 2.8.11.4 + - 2.8.11.5 + - 2.8.11.6 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.10 + - 2.9.10.1 + - 2.9.10.2 + - 2.9.10.3 + - 2.9.10.4 + - 2.9.10.5 + - 2.9.10.6 + - 2.9.10.7 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + - 2.9.7 + - 2.9.8 + - 2.9.9 + - 2.9.9.1 + - 2.9.9.2 + - 2.9.9.3 + database_specific: + last_known_affected_version_range: <= 2.9.10.7 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wh8g-3j2c-rqj5/GHSA-wh8g-3j2c-rqj5.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-35490 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2986 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/41b8bdb5ccc1d8edb71acf1c8234da235a24249d + - type: WEB + url: https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 + - type: PACKAGE + url: https://github.com/FasterXML/jackson-databind + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210122-0005 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + 
cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2021-04-08T21:06:39Z" + nvd_published_at: "2020-12-17T19:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-x2w5-5m2g-7h5m + modified: 2024-03-12T05:18:06.737632Z + published: 2019-01-04T19:09:46Z + aliases: + - CVE-2018-14720 + summary: XML External Entity Reference (XXE) in jackson-databind + details: FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization. + affected: + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.7 + versions: + - 2.9.0 + - 2.9.0.pr1 + - 2.9.0.pr2 + - 2.9.0.pr3 + - 2.9.0.pr4 + - 2.9.1 + - 2.9.2 + - 2.9.3 + - 2.9.4 + - 2.9.5 + - 2.9.6 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-x2w5-5m2g-7h5m/GHSA-x2w5-5m2g-7h5m.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.11.3 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.10 + - 2.8.11 + - 2.8.11.1 + - 2.8.11.2 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + - 2.8.8.1 + - 2.8.9 + database_specific: + last_known_affected_version_range: <= 2.8.11.2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-x2w5-5m2g-7h5m/GHSA-x2w5-5m2g-7h5m.json + - package: + ecosystem: Maven + name: com.fasterxml.jackson.core:jackson-databind + purl: pkg:maven/com.fasterxml.jackson.core/jackson-databind + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.7.9.5 + versions: + - 2.7.0 + - 2.7.1 + 
- 2.7.1-1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.7.8 + - 2.7.9 + - 2.7.9.1 + - 2.7.9.2 + - 2.7.9.3 + - 2.7.9.4 + database_specific: + last_known_affected_version_range: <= 2.7.9.2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-x2w5-5m2g-7h5m/GHSA-x2w5-5m2g-7h5m.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-14720 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/issues/2097 + - type: WEB + url: https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44 + - type: WEB + url: https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f@%3Cdev.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df@%3Cdev.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html + - type: WEB + url: https://seclists.org/bugtraq/2019/May/68 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190530-0003 + - type: WEB + url: https://www.debian.org/security/2019/dsa-4452 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: 
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286@%3Cdev.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: ADVISORY + url: https://github.com/advisories/GHSA-x2w5-5m2g-7h5m + - type: WEB + url: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:4037 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3892 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3149 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2858 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1823 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1822 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1140 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1108 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1107 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1106 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0782 + - type: WEB + url: https://access.redhat.com/errata/RHBA-2019:0959 + database_specific: + cwe_ids: + - CWE-502 + - CWE-611 + github_reviewed: true + github_reviewed_at: "2020-06-16T22:01:50Z" + nvd_published_at: null + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-3f7h-mf4q-vrm4 + modified: 2024-02-16T08:14:53.496757Z + published: 2022-09-17T00:00:41Z + aliases: + - CVE-2022-40152 + summary: Denial of 
Service due to parser crash + details: "Those using FasterXML/woodstox to seralize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.\n\nThis vulnerability is only relevant for users making use of the DTD parsing functionality. " + affected: + - package: + ecosystem: Maven + name: com.fasterxml.woodstox:woodstox-core + purl: pkg:maven/com.fasterxml.woodstox/woodstox-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 6.0.0 + - fixed: 6.4.0 + versions: + - 6.0.0 + - 6.0.0.pr1 + - 6.0.0.pr2 + - 6.0.1 + - 6.0.2 + - 6.0.3 + - 6.1.0 + - 6.1.1 + - 6.2.0 + - 6.2.1 + - 6.2.2 + - 6.2.3 + - 6.2.4 + - 6.2.5 + - 6.2.6 + - 6.2.7 + - 6.2.8 + - 6.3.0 + - 6.3.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-3f7h-mf4q-vrm4/GHSA-3f7h-mf4q-vrm4.json + - package: + ecosystem: Maven + name: com.fasterxml.woodstox:woodstox-core + purl: pkg:maven/com.fasterxml.woodstox/woodstox-core + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 5.4.0 + versions: + - 5.0.0 + - 5.0.1 + - 5.0.2 + - 5.0.3 + - 5.1.0 + - 5.2.0 + - 5.2.1 + - 5.3.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-3f7h-mf4q-vrm4/GHSA-3f7h-mf4q-vrm4.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-40152 + - type: WEB + url: https://github.com/FasterXML/woodstox/issues/157 + - type: WEB + url: https://github.com/FasterXML/woodstox/issues/160 + - type: WEB + url: https://github.com/x-stream/xstream/issues/304 + - type: WEB + url: https://github.com/FasterXML/woodstox/pull/159 + - type: WEB + url: 
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434 + - type: PACKAGE + url: https://github.com/FasterXML/woodstox + database_specific: + cwe_ids: [] + github_reviewed: true + github_reviewed_at: "2022-09-20T21:21:07Z" + nvd_published_at: "2022-09-16T10:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-4jrv-ppp4-jm57 + modified: 2024-02-21T05:33:31.839656Z + published: 2022-05-03T00:00:44Z + aliases: + - CVE-2022-25647 + - SNYK-JAVA-COMGOOGLECODEGSON-1730327 + summary: Deserialization of Untrusted Data in Gson + details: The package `com.google.code.gson:gson` before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the `writeReplace()` method in internal classes, which may lead to denial of service attacks. + affected: + - package: + ecosystem: Maven + name: com.google.code.gson:gson + purl: pkg:maven/com.google.code.gson/gson + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.8.9 + versions: + - "1.1" + - "1.4" + - "1.5" + - "1.6" + - "1.7" + - 1.7.1 + - 1.7.2 + - "2.0" + - "2.1" + - "2.2" + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.2.4 + - "2.3" + - 2.3.1 + - "2.4" + - "2.5" + - "2.6" + - 2.6.1 + - 2.6.2 + - "2.7" + - 2.8.0 + - 2.8.1 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.8.6 + - 2.8.7 + - 2.8.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4jrv-ppp4-jm57/GHSA-4jrv-ppp4-jm57.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-25647 + - type: WEB + url: https://github.com/google/gson/pull/1991 + - type: WEB + url: https://github.com/google/gson/pull/1991/commits + - type: PACKAGE + url: https://github.com/google/gson + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html + - type: WEB + url: 
https://security.netapp.com/advisory/ntap-20220901-0009 + - type: WEB + url: https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327 + - type: WEB + url: https://www.debian.org/security/2022/dsa-5227 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2022-05-20T20:31:08Z" + nvd_published_at: "2022-05-01T16:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-5mg8-w23w-74h3 + modified: 2024-06-19T13:14:36.584442Z + published: 2021-03-25T17:04:19Z + aliases: + - CGA-c5f6-f2ff-f6g9 + - CVE-2020-8908 + - SNYK-JAVA-COMGOOGLEGUAVA-1015415 + summary: Information Disclosure in Guava + details: | + A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method. 
+ affected: + - package: + ecosystem: Maven + name: com.google.guava:guava + purl: pkg:maven/com.google.guava/guava + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 32.0.0-android + versions: + - "10.0" + - 10.0-rc1 + - 10.0-rc2 + - 10.0-rc3 + - 10.0.1 + - "11.0" + - 11.0-rc1 + - 11.0.1 + - 11.0.2 + - "12.0" + - 12.0-rc1 + - 12.0-rc2 + - 12.0.1 + - "13.0" + - 13.0-rc1 + - 13.0-rc2 + - 13.0.1 + - "14.0" + - 14.0-rc1 + - 14.0-rc2 + - 14.0-rc3 + - 14.0.1 + - "15.0" + - 15.0-rc1 + - "16.0" + - 16.0-rc1 + - 16.0.1 + - "17.0" + - 17.0-rc1 + - 17.0-rc2 + - "18.0" + - 18.0-rc1 + - 18.0-rc2 + - "19.0" + - 19.0-rc1 + - 19.0-rc2 + - 19.0-rc3 + - "20.0" + - 20.0-rc1 + - "21.0" + - 21.0-rc1 + - 21.0-rc2 + - "22.0" + - 22.0-android + - 22.0-rc1 + - 22.0-rc1-android + - "23.0" + - 23.0-android + - 23.0-rc1 + - 23.0-rc1-android + - 23.1-android + - 23.1-jre + - 23.2-android + - 23.2-jre + - 23.3-android + - 23.3-jre + - 23.4-android + - 23.4-jre + - 23.5-android + - 23.5-jre + - 23.6-android + - 23.6-jre + - 23.6.1-android + - 23.6.1-jre + - 24.0-android + - 24.0-jre + - 24.1-android + - 24.1-jre + - 24.1.1-android + - 24.1.1-jre + - 25.0-android + - 25.0-jre + - 25.1-android + - 25.1-jre + - 26.0-android + - 26.0-jre + - 27.0-android + - 27.0-jre + - 27.0.1-android + - 27.0.1-jre + - 27.1-android + - 27.1-jre + - 28.0-android + - 28.0-jre + - 28.1-android + - 28.1-jre + - 28.2-android + - 28.2-jre + - 29.0-android + - 29.0-jre + - 30.0-android + - 30.0-jre + - 30.1-android + - 30.1-jre + - 30.1.1-android + - 30.1.1-jre + - 31.0-android + - 31.0-jre + - 31.0.1-android + - 31.0.1-jre + - 31.1-android + - 31.1-jre + - r03 + - r05 + - r06 + - r07 + - r08 + - r09 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-5mg8-w23w-74h3/GHSA-5mg8-w23w-74h3.json + ecosystem_specific: + affected_functions: + - com.google.common.io.Files.createTempDir + severity: + - type: CVSS_V3 + score: 
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-8908 + - type: WEB + url: https://github.com/google/guava/issues/4011 + - type: WEB + url: https://github.com/google/guava/issues/4011#issuecomment-1578991974 + - type: WEB + url: https://github.com/google/guava/commit/feb83a1c8fd2e7670b244d5afd23cba5aca43284 + - type: WEB + url: https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40 + - type: WEB + url: https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604@%3Ctorque-dev.db.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604%40%3Ctorque-dev.db.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5%40%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95@%3Cgithub.arrow.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95%40%3Cgithub.arrow.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f@%3Cdev.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f%40%3Cdev.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97%40%3Cissues.geode.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a@%3Ctorque-dev.db.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a%40%3Ctorque-dev.db.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3@%3Ctorque-dev.db.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3%40%3Ctorque-dev.db.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf@%3Ccommits.cxf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf%40%3Ccommits.cxf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322@%3Cgitbox.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322%40%3Cgitbox.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc98f6b1cd3d86923b3@%3Cyarn-issues.hadoop.apache.org%3E + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220210-0003 + - type: WEB + url: https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594@%3Cdev.myfaces.apache.org%3E + - type: WEB 
+ url: https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594%40%3Cdev.myfaces.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625%40%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73ee7bfb34783e1f0d4e@%3Cyarn-dev.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73ee7bfb34783e1f0d4e%40%3Cyarn-dev.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85%40%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27@%3Cyarn-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27%40%3Cyarn-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05455f7f781954231bf@%3Cdev.pig.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05455f7f781954231bf%40%3Cdev.pig.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc98f6b1cd3d86923b3%40%3Cyarn-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6%40%3Ccommits.cxf.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb49e9690c7ae1bc@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb49e9690c7ae1bc%40%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748%40%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d0e21d52438cfb4@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d0e21d52438cfb4%40%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6@%3Cyarn-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6%40%3Cyarn-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e@%3Ccommits.ws.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e%40%3Ccommits.ws.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f06dcc79beeab54@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f06dcc79beeab54%40%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d1719b8e3dfd95c14@%3Cdev.drill.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d1719b8e3dfd95c14%40%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r037fed1d0ebde50c9caf8d99815db3093c344c3f651c5a49a09824ce@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21%40%3Ccommon-issues.hadoop.apache.org%3E + - type: PACKAGE + url: https://github.com/google/guava + - type: WEB + url: https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba@%3Cissues.maven.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba%40%3Cissues.maven.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09@%3Cyarn-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09%40%3Cyarn-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c%40%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222@%3Ccommits.ws.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222%40%3Ccommits.ws.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8c78ff948b24a1104a@%3Cdev.drill.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8c78ff948b24a1104a%40%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199@%3Cyarn-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199%40%3Cyarn-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44%40%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a4170b2413c4067ac@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a4170b2413c4067ac%40%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27@%3Cyarn-dev.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27%40%3Cyarn-dev.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6@%3Ccommits.cxf.apache.org%3E + database_specific: + cwe_ids: + - CWE-173 + - CWE-200 + - CWE-378 + - CWE-732 + github_reviewed: true + github_reviewed_at: "2021-03-25T17:01:09Z" + nvd_published_at: "2020-12-10T23:15:00Z" + severity: LOW + - schema_version: 1.6.0 + id: GHSA-7g45-4rm6-3mm3 + modified: 2024-06-19T13:14:37.524118Z + published: 2023-06-14T18:30:38Z + aliases: + - CGA-5wxh-2846-4r2x + - CVE-2023-2976 + summary: Guava vulnerable to insecure use of temporary directory + details: |+ + Use of Java's default temporary directory for file 
creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. + + Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows. + + affected: + - package: + ecosystem: Maven + name: com.google.guava:guava + purl: pkg:maven/com.google.guava/guava + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.0" + - fixed: 32.0.0-android + versions: + - "10.0" + - 10.0-rc1 + - 10.0-rc2 + - 10.0-rc3 + - 10.0.1 + - "11.0" + - 11.0-rc1 + - 11.0.1 + - 11.0.2 + - "12.0" + - 12.0-rc1 + - 12.0-rc2 + - 12.0.1 + - "13.0" + - 13.0-rc1 + - 13.0-rc2 + - 13.0.1 + - "14.0" + - 14.0-rc1 + - 14.0-rc2 + - 14.0-rc3 + - 14.0.1 + - "15.0" + - 15.0-rc1 + - "16.0" + - 16.0-rc1 + - 16.0.1 + - "17.0" + - 17.0-rc1 + - 17.0-rc2 + - "18.0" + - 18.0-rc1 + - 18.0-rc2 + - "19.0" + - 19.0-rc1 + - 19.0-rc2 + - 19.0-rc3 + - "20.0" + - 20.0-rc1 + - "21.0" + - 21.0-rc1 + - 21.0-rc2 + - "22.0" + - 22.0-android + - 22.0-rc1 + - 22.0-rc1-android + - "23.0" + - 23.0-android + - 23.0-rc1 + - 23.0-rc1-android + - 23.1-android + - 23.1-jre + - 23.2-android + - 23.2-jre + - 23.3-android + - 23.3-jre + - 23.4-android + - 23.4-jre + - 23.5-android + - 23.5-jre + - 23.6-android + - 23.6-jre + - 23.6.1-android + - 23.6.1-jre + - 24.0-android + - 24.0-jre + - 24.1-android + - 24.1-jre + - 24.1.1-android + - 24.1.1-jre + - 25.0-android + - 25.0-jre + - 25.1-android + - 25.1-jre + - 26.0-android + - 26.0-jre + - 27.0-android + - 27.0-jre + - 27.0.1-android + - 27.0.1-jre + - 27.1-android + - 27.1-jre + - 28.0-android + - 28.0-jre + - 28.1-android + - 28.1-jre + - 28.2-android + - 28.2-jre + - 29.0-android + - 29.0-jre + - 30.0-android + - 30.0-jre + - 30.1-android + - 30.1-jre + - 30.1.1-android + - 30.1.1-jre + 
- 31.0-android + - 31.0-jre + - 31.0.1-android + - 31.0.1-jre + - 31.1-android + - 31.1-jre + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-7g45-4rm6-3mm3/GHSA-7g45-4rm6-3mm3.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-2976 + - type: WEB + url: https://github.com/google/guava/issues/2575 + - type: WEB + url: https://github.com/google/guava/issues/6532 + - type: WEB + url: https://github.com/google/guava/commit/feb83a1c8fd2e7670b244d5afd23cba5aca43284 + - type: PACKAGE + url: https://github.com/google/guava + - type: WEB + url: https://github.com/google/guava/releases/tag/v32.0.0 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20230818-0008 + - type: WEB + url: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.html + database_specific: + cwe_ids: + - CWE-379 + - CWE-552 + github_reviewed: true + github_reviewed_at: "2023-06-14T21:01:07Z" + nvd_published_at: "2023-06-14T18:15:09Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-mvr2-9pj6-7w5j + modified: 2024-03-13T05:32:38.939984Z + published: 2020-06-15T20:35:11Z + aliases: + - CVE-2018-10237 + summary: Denial of Service in Google Guava + details: Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable. 
+ affected: + - package: + ecosystem: Maven + name: com.google.guava:guava + purl: pkg:maven/com.google.guava/guava + ranges: + - type: ECOSYSTEM + events: + - introduced: "11.0" + - fixed: 24.1.1-android + versions: + - "11.0" + - 11.0.1 + - 11.0.2 + - "12.0" + - 12.0-rc1 + - 12.0-rc2 + - 12.0.1 + - "13.0" + - 13.0-rc1 + - 13.0-rc2 + - 13.0.1 + - "14.0" + - 14.0-rc1 + - 14.0-rc2 + - 14.0-rc3 + - 14.0.1 + - "15.0" + - 15.0-rc1 + - "16.0" + - 16.0-rc1 + - 16.0.1 + - "17.0" + - 17.0-rc1 + - 17.0-rc2 + - "18.0" + - 18.0-rc1 + - 18.0-rc2 + - "19.0" + - 19.0-rc1 + - 19.0-rc2 + - 19.0-rc3 + - "20.0" + - 20.0-rc1 + - "21.0" + - 21.0-rc1 + - 21.0-rc2 + - "22.0" + - 22.0-android + - 22.0-rc1 + - 22.0-rc1-android + - "23.0" + - 23.0-android + - 23.0-rc1 + - 23.0-rc1-android + - 23.1-android + - 23.1-jre + - 23.2-android + - 23.2-jre + - 23.3-android + - 23.3-jre + - 23.4-android + - 23.4-jre + - 23.5-android + - 23.5-jre + - 23.6-android + - 23.6-jre + - 23.6.1-android + - 23.6.1-jre + - 24.0-android + - 24.0-jre + - 24.1-android + - 24.1-jre + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json + - package: + ecosystem: Maven + name: com.google.guava:guava-jdk5 + purl: pkg:maven/com.google.guava/guava-jdk5 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: "17.0" + versions: + - "13.0" + - 14.0.1 + - 14.0.1-rc1 + - "16.0" + - 16.0-rc1 + - "17.0" + - 17.0-rc1 + - 17.0-rc2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json + - package: + ecosystem: Maven + name: com.googlecode.guava-osgi:guava-osgi + purl: pkg:maven/com.googlecode.guava-osgi/guava-osgi + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 11.0.1 + versions: + - 10.0.0 + - 10.0.1 + - 11.0.0 + - 11.0.1 + - 3.0.0 + - 4.0.0 + - 5.0.0 + - 
6.0.0 + - 7.0.0 + - 8.0.0 + - 9.0.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json + - package: + ecosystem: Maven + name: de.mhus.ports:vaadin-shared-deps + purl: pkg:maven/de.mhus.ports/vaadin-shared-deps + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 7.4.0 + versions: + - 1.3.1 + - 1.3.4 + - 1.3.6 + - 1.3.7 + - 1.6.0 + - 1.6.1 + - 6.2.0 + - 7.0.0 + - 7.1.0 + - 7.2.0 + - 7.4.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json + - package: + ecosystem: Maven + name: org.hudsonci.lib.guava:guava + purl: pkg:maven/org.hudsonci.lib.guava/guava + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 14.0.1-h-3 + versions: + - 14.0.1-h-1 + - 14.0.1-h-2 + - 14.0.1-h-3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json + - package: + ecosystem: Maven + name: org.sonatype.sisu:sisu-guava + purl: pkg:maven/org.sonatype.sisu/sisu-guava + versions: + - 0.11.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-10237 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2423 + - type: WEB + url: https://lists.apache.org/thread.html/r223bc776a077d0795786c38cbc6e7dd808fce1a9161b00ba9c0a5d55@%3Cissues.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r22c8173b804cd4a420c43064ba4e363d0022aa421008b1989f7354d4@%3Cissues.flink.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r27eb79a87a760335226dbfa6a7b7bffea539a535f8e80c41e482106d@%3Cdev.cxf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2ea4e5e5aa8ad73b001a466c582899620961f47d77a40af712c1fdf9@%3Cdev.cxf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r30e7d7b6bfa630dacc41649a0e96dad75165d50474c1241068aa0f94@%3Cissues.storm.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r38e2ab87528d3c904e7fac496e8fd766b9277656ff95b97d6b6b6dcd@%3Cdev.cxf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r43491b25b2e5c368c34b106a82eff910a5cea3e90de82ad75cc16540@%3Cdev.syncope.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r50fc0bcc734dd82e691d36d209258683141bfc0083739a77e56ad92d@%3Cdev.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba@%3Cissues.maven.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r95799427b335807a4c54776908125c3e66597b65845ae50096d9278a@%3Cdev.cxf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b@%3Cusers.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra4f44016926dcb034b3b230280a18102062f94ae55b8a31bb92fed84@%3Cissues.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra8906723927aef2a599398c238eacfc845b74d812e0093ec2fc70a7d@%3Cissues.flink.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rb3da574c34bc6bd37972d2266af3093b90d7e437460423c24f477919@%3Cissues.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc78f6e84f82cc662860e96526d8ab969f34dbe12dc560e22d9d147a3@%3Cdev.cxf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc8467f357b943ceaa86f289f8bc1a5d1c7955b75d3bac1426f2d4ac1@%3Ccommon-dev.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95@%3Cgithub.arrow.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd0c8ec6e044aa2958dd0549ebf8ecead7f5968c9474ba73a504161b2@%3Cdev.cxf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdc56c15693c236e31e1e95f847b8e5e74fc0a05741d47488e7fc8c45@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220629-0008 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2424 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2425 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2428 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2598 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2643 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2740 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2741 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2742 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2743 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2927 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2858 + - 
type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3149 + - type: PACKAGE + url: https://github.com/google/guava + - type: WEB + url: https://github.com/google/guava/wiki/CVE-2018-10237 + - type: WEB + url: https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussion + - type: WEB + url: https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/19fa48533bc7ea1accf6b12746a74ed888ae6e49a5cf81ae4f807495@%3Ccommon-dev.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/33c6bccfeb7adf644d4d79894ca8f09370be6ed4b20632c2e228d085@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3d5dbdd92ac9ceaef90e40f78599f9109f2f345252e0ac9d98e7e084@%3Cgitbox.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3ddd79c801edd99c0978e83dbe2168ebd36fd42acfa5dac38fb03dd6@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/cc48fe770c45a74dc3b37ed0817393e0c96701fc49bc431ed922f3cc@%3Chdfs-dev.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cdev.flink.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cuser.flink.apache.org%3E + - type: WEB + url: http://www.securitytracker.com/id/1041707 + database_specific: + cwe_ids: + - CWE-502 + - CWE-770 + github_reviewed: true + github_reviewed_at: "2020-06-11T18:34:57Z" + nvd_published_at: "2018-04-26T21:29:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-4gg5-vx3j-xwc7 + modified: 2023-11-08T04:09:49.928473Z + published: 2022-12-12T15:30:33Z + aliases: + - CVE-2022-3510 + summary: Protobuf Java vulnerable to Uncontrolled Resource Consumption + details: A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. 
+ affected: + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-java + purl: pkg:maven/com.google.protobuf/protobuf-java + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.16.3 + versions: + - 2.0.1 + - 2.0.3 + - 2.1.0 + - 2.2.0 + - 2.3.0 + - 2.4.0a + - 2.4.1 + - 2.5.0 + - 2.6.0 + - 2.6.1 + - 3.0.0 + - 3.0.0-alpha-2 + - 3.0.0-alpha-3 + - 3.0.0-alpha-3.1 + - 3.0.0-beta-1 + - 3.0.0-beta-2 + - 3.0.0-beta-3 + - 3.0.0-beta-4 + - 3.0.2 + - 3.1.0 + - 3.10.0 + - 3.10.0-rc-1 + - 3.11.0 + - 3.11.0-rc-1 + - 3.11.0-rc-2 + - 3.11.1 + - 3.11.3 + - 3.11.4 + - 3.12.0 + - 3.12.0-rc-1 + - 3.12.0-rc-2 + - 3.12.1 + - 3.12.2 + - 3.12.4 + - 3.13.0 + - 3.13.0-rc-3 + - 3.14.0 + - 3.14.0-rc-1 + - 3.14.0-rc-2 + - 3.14.0-rc-3 + - 3.15.0 + - 3.15.0-rc-1 + - 3.15.0-rc-2 + - 3.15.1 + - 3.15.2 + - 3.15.3 + - 3.15.4 + - 3.15.5 + - 3.15.6 + - 3.15.7 + - 3.15.8 + - 3.16.0 + - 3.16.0-rc-1 + - 3.16.0-rc-2 + - 3.16.1 + - 3.2.0 + - 3.2.0-rc.1 + - 3.2.0rc2 + - 3.3.0 + - 3.3.1 + - 3.4.0 + - 3.5.0 + - 3.5.1 + - 3.6.0 + - 3.6.1 + - 3.7.0 + - 3.7.0-rc1 + - 3.7.1 + - 3.8.0 + - 3.8.0-rc-1 + - 3.9.0 + - 3.9.0-rc-1 + - 3.9.1 + - 3.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-java + purl: pkg:maven/com.google.protobuf/protobuf-java + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.17.0 + - fixed: 3.19.6 + versions: + - 3.17.0 + - 3.17.1 + - 3.17.2 + - 3.17.3 + - 3.18.0 + - 3.18.0-rc-1 + - 3.18.0-rc-2 + - 3.18.1 + - 3.18.2 + - 3.18.3 + - 3.19.0 + - 3.19.0-rc-1 + - 3.19.0-rc-2 + - 3.19.1 + - 3.19.2 + - 3.19.3 + - 3.19.4 + - 3.19.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-java + purl: 
pkg:maven/com.google.protobuf/protobuf-java + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.20.0 + - fixed: 3.20.3 + versions: + - 3.20.0 + - 3.20.1 + - 3.20.1-rc-1 + - 3.20.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-java + purl: pkg:maven/com.google.protobuf/protobuf-java + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.21.0 + - fixed: 3.21.7 + versions: + - 3.21.0 + - 3.21.1 + - 3.21.2 + - 3.21.3 + - 3.21.4 + - 3.21.5 + - 3.21.6 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-javalite + purl: pkg:maven/com.google.protobuf/protobuf-javalite + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.16.3 + versions: + - 3.10.0 + - 3.10.0-rc-1 + - 3.11.0 + - 3.11.0-rc-1 + - 3.11.0-rc-2 + - 3.11.1 + - 3.11.3 + - 3.11.4 + - 3.12.0 + - 3.12.0-rc-1 + - 3.12.0-rc-2 + - 3.12.1 + - 3.12.2 + - 3.12.4 + - 3.13.0 + - 3.13.0-rc-3 + - 3.14.0 + - 3.14.0-rc-1 + - 3.14.0-rc-2 + - 3.14.0-rc-3 + - 3.15.0 + - 3.15.0-rc-1 + - 3.15.0-rc-2 + - 3.15.1 + - 3.15.2 + - 3.15.3 + - 3.15.4 + - 3.15.5 + - 3.15.6 + - 3.15.7 + - 3.15.8 + - 3.16.0 + - 3.16.0-rc-1 + - 3.16.0-rc-2 + - 3.16.1 + - 3.8.0 + - 3.8.0-rc-1 + - 3.9.0 + - 3.9.0-rc-1 + - 3.9.1 + - 3.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-javalite + purl: pkg:maven/com.google.protobuf/protobuf-javalite + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.17.0 + - fixed: 3.19.6 + versions: + - 3.17.0 + - 3.17.1 + - 3.17.2 + - 3.17.3 + - 
3.18.0 + - 3.18.0-rc-1 + - 3.18.0-rc-2 + - 3.18.1 + - 3.18.2 + - 3.18.3 + - 3.19.0 + - 3.19.0-rc-1 + - 3.19.0-rc-2 + - 3.19.1 + - 3.19.2 + - 3.19.3 + - 3.19.4 + - 3.19.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-javalite + purl: pkg:maven/com.google.protobuf/protobuf-javalite + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.20.0 + - fixed: 3.20.3 + versions: + - 3.20.0 + - 3.20.1 + - 3.20.1-rc-1 + - 3.20.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-javalite + purl: pkg:maven/com.google.protobuf/protobuf-javalite + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.21.0 + - fixed: 3.21.7 + versions: + - 3.21.0 + - 3.21.1 + - 3.21.2 + - 3.21.3 + - 3.21.4 + - 3.21.5 + - 3.21.6 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-3510 + - type: WEB + url: https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48 + - type: PACKAGE + url: https://github.com/protocolbuffers/protobuf/tree/main/java + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + github_reviewed_at: "2022-12-12T22:34:26Z" + nvd_published_at: "2022-12-12T13:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-77rm-9x9h-xj3g + modified: 2024-07-04T22:14:33.687545Z + published: 2022-01-27T00:01:15Z + aliases: + - CGA-7g2g-x6vq-38fw + - CVE-2021-22570 + - PYSEC-2022-48 + summary: NULL 
Pointer Dereference in Protocol Buffers + details: Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. + affected: + - package: + ecosystem: NuGet + name: Google.Protobuf + purl: pkg:nuget/Google.Protobuf + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.15.0 + versions: + - 0.0.1-test1 + - 3.0.0 + - 3.0.0-alpha4 + - 3.0.0-beta2 + - 3.0.0-beta3 + - 3.0.0-beta4 + - 3.1.0 + - 3.10.0 + - 3.10.0-rc1 + - 3.10.1 + - 3.11.0-rc1 + - 3.11.0-rc2 + - 3.11.1 + - 3.11.2 + - 3.11.3 + - 3.11.4 + - 3.12.0 + - 3.12.0-rc1 + - 3.12.0-rc2 + - 3.12.1 + - 3.12.2 + - 3.12.3 + - 3.12.4 + - 3.13.0 + - 3.13.0-rc3 + - 3.14.0 + - 3.14.0-rc1 + - 3.14.0-rc2 + - 3.14.0-rc3 + - 3.15.0-rc1 + - 3.15.0-rc2 + - 3.2.0 + - 3.2.0-rc1 + - 3.2.0-rc2 + - 3.3.0 + - 3.4.0 + - 3.4.1 + - 3.5.0 + - 3.5.1 + - 3.6.0 + - 3.6.1 + - 3.7.0 + - 3.8.0 + - 3.9.0 + - 3.9.0-rc1 + - 3.9.1 + - 3.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-77rm-9x9h-xj3g/GHSA-77rm-9x9h-xj3g.json + - package: + ecosystem: Packagist + name: google/protobuf + purl: pkg:composer/google/protobuf + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.15.0 + versions: + - v3.1.0-alpha-1 + - v3.10.0 + - v3.10.0RC1 + - v3.11.0 + - v3.11.0RC1 + - v3.11.0RC2 + - v3.11.1 + - v3.11.2 + - v3.11.3 + - v3.11.4 + - v3.12.0 + - v3.12.0RC1 + - v3.12.0RC2 + - v3.12.1 + - v3.12.2 + - v3.12.4 + - v3.13.0 + - v3.13.0.1 + - v3.13.0RC3 + - v3.14.0 + - v3.14.0RC1 + - v3.14.0RC2 + - v3.14.0RC3 + - v3.15.0RC1 + - v3.15.0RC2 + - v3.2.0-alpha-1 + - v3.3.0 + - v3.3.0rc1 + - v3.3.1 + - v3.3.2 + - v3.4.0 + - v3.4.0rc1 + - v3.4.0rc2 + - v3.4.0rc3 + - v3.4.1 + - v3.5.0 + - v3.5.0.1 + - 
v3.5.1 + - v3.5.1.1 + - v3.5.2 + - v3.6.0 + - v3.6.0.1 + - v3.6.0rc1 + - v3.6.0rc2 + - v3.6.1 + - v3.6.1.1 + - v3.6.1.2 + - v3.6.1.3 + - v3.7.0 + - v3.7.0-rc.3 + - v3.7.0rc1 + - v3.7.0rc2 + - v3.7.1 + - v3.8.0 + - v3.8.0RC1 + - v3.9.0 + - v3.9.0RC1 + - v3.9.1 + - v3.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-77rm-9x9h-xj3g/GHSA-77rm-9x9h-xj3g.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-java + purl: pkg:maven/com.google.protobuf/protobuf-java + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.15.0 + versions: + - 2.0.1 + - 2.0.3 + - 2.1.0 + - 2.2.0 + - 2.3.0 + - 2.4.0a + - 2.4.1 + - 2.5.0 + - 2.6.0 + - 2.6.1 + - 3.0.0 + - 3.0.0-alpha-2 + - 3.0.0-alpha-3 + - 3.0.0-alpha-3.1 + - 3.0.0-beta-1 + - 3.0.0-beta-2 + - 3.0.0-beta-3 + - 3.0.0-beta-4 + - 3.0.2 + - 3.1.0 + - 3.10.0 + - 3.10.0-rc-1 + - 3.11.0 + - 3.11.0-rc-1 + - 3.11.0-rc-2 + - 3.11.1 + - 3.11.3 + - 3.11.4 + - 3.12.0 + - 3.12.0-rc-1 + - 3.12.0-rc-2 + - 3.12.1 + - 3.12.2 + - 3.12.4 + - 3.13.0 + - 3.13.0-rc-3 + - 3.14.0 + - 3.14.0-rc-1 + - 3.14.0-rc-2 + - 3.14.0-rc-3 + - 3.15.0-rc-1 + - 3.15.0-rc-2 + - 3.2.0 + - 3.2.0-rc.1 + - 3.2.0rc2 + - 3.3.0 + - 3.3.1 + - 3.4.0 + - 3.5.0 + - 3.5.1 + - 3.6.0 + - 3.6.1 + - 3.7.0 + - 3.7.0-rc1 + - 3.7.1 + - 3.8.0 + - 3.8.0-rc-1 + - 3.9.0 + - 3.9.0-rc-1 + - 3.9.1 + - 3.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-77rm-9x9h-xj3g/GHSA-77rm-9x9h-xj3g.json + - package: + ecosystem: Go + name: github.com/protocolbuffers/protobuf + purl: pkg:golang/github.com/protocolbuffers/protobuf + ranges: + - type: SEMVER + events: + - introduced: "0" + - fixed: 3.15.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-77rm-9x9h-xj3g/GHSA-77rm-9x9h-xj3g.json + - package: + ecosystem: PyPI + name: protobuf + 
purl: pkg:pypi/protobuf + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.15.0 + versions: + - 2.0.0beta + - 2.0.3 + - 2.3.0 + - 2.4.1 + - 2.5.0 + - 2.6.0 + - 2.6.1 + - 3.0.0 + - 3.0.0a2 + - 3.0.0a3 + - 3.0.0b1 + - 3.0.0b1.post1 + - 3.0.0b1.post2 + - 3.0.0b2 + - 3.0.0b2.post1 + - 3.0.0b2.post2 + - 3.0.0b3 + - 3.0.0b4 + - 3.1.0 + - 3.1.0.post1 + - 3.10.0 + - 3.10.0rc1 + - 3.11.0 + - 3.11.0rc1 + - 3.11.0rc2 + - 3.11.1 + - 3.11.2 + - 3.11.3 + - 3.12.0 + - 3.12.0rc1 + - 3.12.0rc2 + - 3.12.1 + - 3.12.2 + - 3.12.4 + - 3.13.0 + - 3.13.0rc3 + - 3.14.0 + - 3.14.0rc1 + - 3.14.0rc2 + - 3.14.0rc3 + - 3.15.0rc1 + - 3.15.0rc2 + - 3.2.0 + - 3.2.0rc1 + - 3.2.0rc1.post1 + - 3.2.0rc2 + - 3.3.0 + - 3.4.0 + - 3.5.0.post1 + - 3.5.1 + - 3.5.2 + - 3.5.2.post1 + - 3.6.0 + - 3.6.1 + - 3.7.0 + - 3.7.0rc2 + - 3.7.0rc3 + - 3.7.1 + - 3.8.0 + - 3.8.0rc1 + - 3.9.0 + - 3.9.0rc1 + - 3.9.1 + - 3.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-77rm-9x9h-xj3g/GHSA-77rm-9x9h-xj3g.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-22570 + - type: PACKAGE + url: https://github.com/protocolbuffers/protobuf + - type: WEB + url: https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DVUZPALAQ34TQP6KFNLM4IZS6B32XSA + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PAGL5M2KGYPN3VEQCRJJE6NA7D5YG5X + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTRGBRC5KGCA4SK5MUNLPYJRAGXMBIYY + - type: WEB + url: 
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFX6KPNOFHYD6L4XES5PCM3QNSKZBOTQ + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQJB6ZPRLKV6WCMX2PRRRQBFAOXFBK6B + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRWRAXAFR3JR7XCFWTHC2KALSZKWACCE + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NVTWVQRB5OCCTMKEQFY5MYED3DXDVSLP + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220429-0005 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + database_specific: + cwe_ids: + - CWE-476 + github_reviewed: true + github_reviewed_at: "2022-02-03T22:48:51Z" + nvd_published_at: "2022-01-26T14:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-g5ww-5jh7-63cx + modified: 2023-11-08T04:09:49.867103Z + published: 2022-12-12T15:30:33Z + aliases: + - CVE-2022-3509 + summary: Protobuf Java vulnerable to Uncontrolled Resource Consumption + details: A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. 
+ affected: + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-java + purl: pkg:maven/com.google.protobuf/protobuf-java + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.16.3 + versions: + - 2.0.1 + - 2.0.3 + - 2.1.0 + - 2.2.0 + - 2.3.0 + - 2.4.0a + - 2.4.1 + - 2.5.0 + - 2.6.0 + - 2.6.1 + - 3.0.0 + - 3.0.0-alpha-2 + - 3.0.0-alpha-3 + - 3.0.0-alpha-3.1 + - 3.0.0-beta-1 + - 3.0.0-beta-2 + - 3.0.0-beta-3 + - 3.0.0-beta-4 + - 3.0.2 + - 3.1.0 + - 3.10.0 + - 3.10.0-rc-1 + - 3.11.0 + - 3.11.0-rc-1 + - 3.11.0-rc-2 + - 3.11.1 + - 3.11.3 + - 3.11.4 + - 3.12.0 + - 3.12.0-rc-1 + - 3.12.0-rc-2 + - 3.12.1 + - 3.12.2 + - 3.12.4 + - 3.13.0 + - 3.13.0-rc-3 + - 3.14.0 + - 3.14.0-rc-1 + - 3.14.0-rc-2 + - 3.14.0-rc-3 + - 3.15.0 + - 3.15.0-rc-1 + - 3.15.0-rc-2 + - 3.15.1 + - 3.15.2 + - 3.15.3 + - 3.15.4 + - 3.15.5 + - 3.15.6 + - 3.15.7 + - 3.15.8 + - 3.16.0 + - 3.16.0-rc-1 + - 3.16.0-rc-2 + - 3.16.1 + - 3.2.0 + - 3.2.0-rc.1 + - 3.2.0rc2 + - 3.3.0 + - 3.3.1 + - 3.4.0 + - 3.5.0 + - 3.5.1 + - 3.6.0 + - 3.6.1 + - 3.7.0 + - 3.7.0-rc1 + - 3.7.1 + - 3.8.0 + - 3.8.0-rc-1 + - 3.9.0 + - 3.9.0-rc-1 + - 3.9.1 + - 3.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-java + purl: pkg:maven/com.google.protobuf/protobuf-java + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.17.0 + - fixed: 3.19.6 + versions: + - 3.17.0 + - 3.17.1 + - 3.17.2 + - 3.17.3 + - 3.18.0 + - 3.18.0-rc-1 + - 3.18.0-rc-2 + - 3.18.1 + - 3.18.2 + - 3.18.3 + - 3.19.0 + - 3.19.0-rc-1 + - 3.19.0-rc-2 + - 3.19.1 + - 3.19.2 + - 3.19.3 + - 3.19.4 + - 3.19.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-java + purl: 
pkg:maven/com.google.protobuf/protobuf-java + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.20.0 + - fixed: 3.20.3 + versions: + - 3.20.0 + - 3.20.1 + - 3.20.1-rc-1 + - 3.20.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-java + purl: pkg:maven/com.google.protobuf/protobuf-java + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.21.0 + - fixed: 3.21.7 + versions: + - 3.21.0 + - 3.21.1 + - 3.21.2 + - 3.21.3 + - 3.21.4 + - 3.21.5 + - 3.21.6 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-javalite + purl: pkg:maven/com.google.protobuf/protobuf-javalite + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.16.3 + versions: + - 3.10.0 + - 3.10.0-rc-1 + - 3.11.0 + - 3.11.0-rc-1 + - 3.11.0-rc-2 + - 3.11.1 + - 3.11.3 + - 3.11.4 + - 3.12.0 + - 3.12.0-rc-1 + - 3.12.0-rc-2 + - 3.12.1 + - 3.12.2 + - 3.12.4 + - 3.13.0 + - 3.13.0-rc-3 + - 3.14.0 + - 3.14.0-rc-1 + - 3.14.0-rc-2 + - 3.14.0-rc-3 + - 3.15.0 + - 3.15.0-rc-1 + - 3.15.0-rc-2 + - 3.15.1 + - 3.15.2 + - 3.15.3 + - 3.15.4 + - 3.15.5 + - 3.15.6 + - 3.15.7 + - 3.15.8 + - 3.16.0 + - 3.16.0-rc-1 + - 3.16.0-rc-2 + - 3.16.1 + - 3.8.0 + - 3.8.0-rc-1 + - 3.9.0 + - 3.9.0-rc-1 + - 3.9.1 + - 3.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-javalite + purl: pkg:maven/com.google.protobuf/protobuf-javalite + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.17.0 + - fixed: 3.19.6 + versions: + - 3.17.0 + - 3.17.1 + - 3.17.2 + - 3.17.3 + - 
3.18.0 + - 3.18.0-rc-1 + - 3.18.0-rc-2 + - 3.18.1 + - 3.18.2 + - 3.18.3 + - 3.19.0 + - 3.19.0-rc-1 + - 3.19.0-rc-2 + - 3.19.1 + - 3.19.2 + - 3.19.3 + - 3.19.4 + - 3.19.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-javalite + purl: pkg:maven/com.google.protobuf/protobuf-javalite + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.20.0 + - fixed: 3.20.3 + versions: + - 3.20.0 + - 3.20.1 + - 3.20.1-rc-1 + - 3.20.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-javalite + purl: pkg:maven/com.google.protobuf/protobuf-javalite + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.21.0 + - fixed: 3.21.7 + versions: + - 3.21.0 + - 3.21.1 + - 3.21.2 + - 3.21.3 + - 3.21.4 + - 3.21.5 + - 3.21.6 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-3509 + - type: WEB + url: https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9 + - type: PACKAGE + url: https://github.com/protocolbuffers/protobuf/tree/main/java + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + github_reviewed_at: "2022-12-12T22:33:53Z" + nvd_published_at: "2022-12-12T13:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-h4h5-3hr4-j3g2 + modified: 2024-02-17T05:33:48.377272Z + published: 2022-10-04T22:17:15Z + aliases: + - CVE-2022-3171 + summary: protobuf-java has a potential Denial of Service 
issue + details: "## Summary\nA potential Denial of Service issue in `protobuf-java` core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated [embedded messages](http://developers.google.com/protocol-buffers/docs/encoding#embedded) with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. \n\nReporter: [OSS Fuzz](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771)\n\nAffected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.\n\n## Severity\n\n[CVE-2022-3171](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3171) Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)\n\n## Remediation and Mitigation\n\nPlease update to the latest available versions of the following packages:\n\nprotobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3)\nprotobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3)\nprotobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3)\nprotobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3)\ngoogle-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)\n" + affected: + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-java + purl: pkg:maven/com.google.protobuf/protobuf-java + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.21.0-rc-1 + - fixed: 3.21.7 + versions: + - 3.21.0 + - 3.21.0-rc-1 + - 3.21.0-rc-2 + - 3.21.1 + - 3.21.2 + - 3.21.3 + - 3.21.4 + - 3.21.5 + - 3.21.6 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-kotlin + purl: pkg:maven/com.google.protobuf/protobuf-kotlin + ranges: + - type: ECOSYSTEM + events: + - introduced: 
3.21.0-rc-1 + - fixed: 3.21.7 + versions: + - 3.21.0 + - 3.21.0-rc-1 + - 3.21.0-rc-2 + - 3.21.1 + - 3.21.2 + - 3.21.3 + - 3.21.4 + - 3.21.5 + - 3.21.6 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json + - package: + ecosystem: RubyGems + name: google-protobuf + purl: pkg:gem/google-protobuf + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.21.0.rc.1 + - fixed: 3.21.7 + versions: + - 3.21.0 + - 3.21.0.rc.1 + - 3.21.0.rc.2 + - 3.21.1 + - 3.21.2 + - 3.21.3 + - 3.21.4 + - 3.21.5 + - 3.21.6 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-javalite + purl: pkg:maven/com.google.protobuf/protobuf-javalite + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.21.0-rc-1 + - fixed: 3.21.7 + versions: + - 3.21.0 + - 3.21.0-rc-1 + - 3.21.0-rc-2 + - 3.21.1 + - 3.21.2 + - 3.21.3 + - 3.21.4 + - 3.21.5 + - 3.21.6 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-kotlin-lite + purl: pkg:maven/com.google.protobuf/protobuf-kotlin-lite + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.21.0-rc-1 + - fixed: 3.21.7 + versions: + - 3.21.0 + - 3.21.0-rc-1 + - 3.21.0-rc-2 + - 3.21.1 + - 3.21.2 + - 3.21.3 + - 3.21.4 + - 3.21.5 + - 3.21.6 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-java + purl: pkg:maven/com.google.protobuf/protobuf-java + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.20.0-rc-1 + - 
fixed: 3.20.3 + versions: + - 3.20.0 + - 3.20.0-rc-1 + - 3.20.1 + - 3.20.1-rc-1 + - 3.20.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-java + purl: pkg:maven/com.google.protobuf/protobuf-java + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.17.0-rc-1 + - fixed: 3.19.6 + versions: + - 3.17.0 + - 3.17.0-rc-1 + - 3.17.0-rc-2 + - 3.17.1 + - 3.17.2 + - 3.17.3 + - 3.18.0 + - 3.18.0-rc-1 + - 3.18.0-rc-2 + - 3.18.1 + - 3.18.2 + - 3.18.3 + - 3.19.0 + - 3.19.0-rc-1 + - 3.19.0-rc-2 + - 3.19.1 + - 3.19.2 + - 3.19.3 + - 3.19.4 + - 3.19.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-java + purl: pkg:maven/com.google.protobuf/protobuf-java + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.16.3 + versions: + - 2.0.1 + - 2.0.3 + - 2.1.0 + - 2.2.0 + - 2.3.0 + - 2.4.0a + - 2.4.1 + - 2.5.0 + - 2.6.0 + - 2.6.1 + - 3.0.0 + - 3.0.0-alpha-2 + - 3.0.0-alpha-3 + - 3.0.0-alpha-3.1 + - 3.0.0-beta-1 + - 3.0.0-beta-2 + - 3.0.0-beta-3 + - 3.0.0-beta-4 + - 3.0.2 + - 3.1.0 + - 3.10.0 + - 3.10.0-rc-1 + - 3.11.0 + - 3.11.0-rc-1 + - 3.11.0-rc-2 + - 3.11.1 + - 3.11.3 + - 3.11.4 + - 3.12.0 + - 3.12.0-rc-1 + - 3.12.0-rc-2 + - 3.12.1 + - 3.12.2 + - 3.12.4 + - 3.13.0 + - 3.13.0-rc-3 + - 3.14.0 + - 3.14.0-rc-1 + - 3.14.0-rc-2 + - 3.14.0-rc-3 + - 3.15.0 + - 3.15.0-rc-1 + - 3.15.0-rc-2 + - 3.15.1 + - 3.15.2 + - 3.15.3 + - 3.15.4 + - 3.15.5 + - 3.15.6 + - 3.15.7 + - 3.15.8 + - 3.16.0 + - 3.16.0-rc-1 + - 3.16.0-rc-2 + - 3.16.1 + - 3.2.0 + - 3.2.0-rc.1 + - 3.2.0rc2 + - 3.3.0 + - 3.3.1 + - 3.4.0 + - 3.5.0 + - 3.5.1 + - 3.6.0 + - 3.6.1 + - 3.7.0 + - 3.7.0-rc1 + - 3.7.1 + - 3.8.0 + - 3.8.0-rc-1 + - 3.9.0 + - 
3.9.0-rc-1 + - 3.9.1 + - 3.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-kotlin + purl: pkg:maven/com.google.protobuf/protobuf-kotlin + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.20.0-rc-1 + - fixed: 3.20.3 + versions: + - 3.20.0 + - 3.20.0-rc-1 + - 3.20.1 + - 3.20.1-rc-1 + - 3.20.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-kotlin + purl: pkg:maven/com.google.protobuf/protobuf-kotlin + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.17.0-rc-1 + - fixed: 3.19.6 + versions: + - 3.17.0 + - 3.17.0-rc-2 + - 3.17.1 + - 3.17.2 + - 3.17.3 + - 3.18.0 + - 3.18.0-rc-1 + - 3.18.0-rc-2 + - 3.18.1 + - 3.18.2 + - 3.18.3 + - 3.19.0 + - 3.19.0-rc-1 + - 3.19.0-rc-2 + - 3.19.1 + - 3.19.2 + - 3.19.3 + - 3.19.4 + - 3.19.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-kotlin + purl: pkg:maven/com.google.protobuf/protobuf-kotlin + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.16.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json + - package: + ecosystem: RubyGems + name: google-protobuf + purl: pkg:gem/google-protobuf + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.20.0.rc.1 + - fixed: 3.20.3 + versions: + - 3.20.0 + - 3.20.0.rc.1 + - 3.20.0.rc.2 + - 3.20.1 + - 3.20.1.rc.1 + - 3.20.2 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json + - package: + ecosystem: RubyGems + name: google-protobuf + purl: pkg:gem/google-protobuf + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.17.0.rc.1 + - fixed: 3.19.6 + versions: + - 3.17.0 + - 3.17.0.rc.1 + - 3.17.0.rc.2 + - 3.17.1 + - 3.17.2 + - 3.17.3 + - 3.18.0 + - 3.18.0.rc.1 + - 3.18.0.rc.2 + - 3.18.1 + - 3.18.2 + - 3.18.3 + - 3.19.0 + - 3.19.0.rc.1 + - 3.19.0.rc.2 + - 3.19.1 + - 3.19.2 + - 3.19.3 + - 3.19.4 + - 3.19.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json + - package: + ecosystem: RubyGems + name: google-protobuf + purl: pkg:gem/google-protobuf + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.16.3 + versions: + - 3.0.0 + - 3.0.0.alpha.1.0 + - 3.0.0.alpha.1.1 + - 3.0.0.alpha.2.0 + - 3.0.0.alpha.3 + - 3.0.0.alpha.3.1.pre + - 3.0.0.alpha.4.0 + - 3.0.0.alpha.5.0.3 + - 3.0.0.alpha.5.0.4 + - 3.0.0.alpha.5.0.5 + - 3.0.0.alpha.5.0.5.1 + - 3.0.2 + - 3.1.0 + - 3.1.0.0.pre + - 3.10.0.rc.1 + - 3.10.1 + - 3.11.0 + - 3.11.0.rc.1 + - 3.11.0.rc.2 + - 3.11.1 + - 3.11.2 + - 3.11.3 + - 3.11.4 + - 3.12.0 + - 3.12.0.rc.1 + - 3.12.0.rc.2 + - 3.12.1 + - 3.12.2 + - 3.12.4 + - 3.13.0 + - 3.13.0.rc.3 + - 3.14.0 + - 3.14.0.rc.1 + - 3.14.0.rc.2 + - 3.14.0.rc.3 + - 3.15.0 + - 3.15.0.rc.1 + - 3.15.0.rc.2 + - 3.15.1 + - 3.15.2 + - 3.15.3 + - 3.15.4 + - 3.15.5 + - 3.15.6 + - 3.15.7 + - 3.15.8 + - 3.16.0 + - 3.16.0.rc.1 + - 3.16.0.rc.2 + - 3.2.0 + - 3.2.0.1 + - 3.2.0.2 + - 3.2.1.pre + - 3.3.0 + - 3.4.0.1 + - 3.4.0.2 + - 3.4.1.1 + - 3.5.0 + - 3.5.0.pre + - 3.5.1 + - 3.5.1.1 + - 3.5.1.2 + - 3.6.0 + - 3.6.1 + - 3.7.0 + - 3.7.0.rc.2 + - 3.7.0.rc.3 + - 3.7.1 + - 3.8.0 + - 3.8.0.rc.1 + - 3.9.0 + - 3.9.0.rc.1 + - 3.9.1 + - 3.9.2 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-javalite + purl: pkg:maven/com.google.protobuf/protobuf-javalite + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.20.0-rc-1 + - fixed: 3.20.3 + versions: + - 3.20.0 + - 3.20.0-rc-1 + - 3.20.1 + - 3.20.1-rc-1 + - 3.20.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-javalite + purl: pkg:maven/com.google.protobuf/protobuf-javalite + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.17.0-rc-1 + - fixed: 3.19.6 + versions: + - 3.17.0 + - 3.17.0-rc-1 + - 3.17.0-rc-2 + - 3.17.1 + - 3.17.2 + - 3.17.3 + - 3.18.0 + - 3.18.0-rc-1 + - 3.18.0-rc-2 + - 3.18.1 + - 3.18.2 + - 3.18.3 + - 3.19.0 + - 3.19.0-rc-1 + - 3.19.0-rc-2 + - 3.19.1 + - 3.19.2 + - 3.19.3 + - 3.19.4 + - 3.19.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-javalite + purl: pkg:maven/com.google.protobuf/protobuf-javalite + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.16.3 + versions: + - 3.10.0 + - 3.10.0-rc-1 + - 3.11.0 + - 3.11.0-rc-1 + - 3.11.0-rc-2 + - 3.11.1 + - 3.11.3 + - 3.11.4 + - 3.12.0 + - 3.12.0-rc-1 + - 3.12.0-rc-2 + - 3.12.1 + - 3.12.2 + - 3.12.4 + - 3.13.0 + - 3.13.0-rc-3 + - 3.14.0 + - 3.14.0-rc-1 + - 3.14.0-rc-2 + - 3.14.0-rc-3 + - 3.15.0 + - 3.15.0-rc-1 + - 3.15.0-rc-2 + - 3.15.1 + - 3.15.2 + - 3.15.3 + - 3.15.4 + - 3.15.5 + - 3.15.6 + - 3.15.7 + - 3.15.8 + - 3.16.0 + - 3.16.0-rc-1 + - 3.16.0-rc-2 + - 3.16.1 + - 3.8.0 + - 3.8.0-rc-1 + - 3.9.0 + - 3.9.0-rc-1 + - 3.9.1 + - 3.9.2 + 
database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-kotlin-lite + purl: pkg:maven/com.google.protobuf/protobuf-kotlin-lite + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.20.0-rc-1 + - fixed: 3.20.3 + versions: + - 3.20.0 + - 3.20.0-rc-1 + - 3.20.1 + - 3.20.1-rc-1 + - 3.20.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-kotlin-lite + purl: pkg:maven/com.google.protobuf/protobuf-kotlin-lite + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.17.0-rc-1 + - fixed: 3.19.6 + versions: + - 3.17.0 + - 3.17.0-rc-2 + - 3.17.1 + - 3.17.2 + - 3.17.3 + - 3.18.0 + - 3.18.0-rc-1 + - 3.18.0-rc-2 + - 3.18.1 + - 3.18.2 + - 3.18.3 + - 3.19.0 + - 3.19.0-rc-1 + - 3.19.0-rc-2 + - 3.19.1 + - 3.19.2 + - 3.19.3 + - 3.19.4 + - 3.19.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-kotlin-lite + purl: pkg:maven/com.google.protobuf/protobuf-kotlin-lite + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.16.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + references: + - type: WEB + url: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2 + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-3171 + - type: WEB + url: 
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771 + - type: PACKAGE + url: https://github.com/protocolbuffers/protobuf + - type: WEB + url: https://github.com/protocolbuffers/protobuf/releases/tag/v21.7 + - type: WEB + url: https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3 + - type: WEB + url: https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6 + - type: WEB + url: https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3 + - type: WEB + url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2022-3171.yml + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP + - type: WEB + url: https://security.gentoo.org/glsa/202301-09 + database_specific: + cwe_ids: + - CWE-20 + github_reviewed: true + github_reviewed_at: "2022-10-04T22:17:15Z" + nvd_published_at: "2022-10-12T23:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-wrvw-hg22-4m67 + modified: 2023-11-08T04:05:00.773426Z + published: 2022-01-07T22:31:44Z + aliases: + - CVE-2021-22569 + summary: A potential Denial of Service issue in protobuf-java + details: "## Summary\n\nA potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data.\n\nReporter: [OSS-Fuzz](https://github.com/google/oss-fuzz)\n\nAffected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf \"javalite\" users (typically Android) are not affected.\n\n## Severity\n\n[CVE-2021-22569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569) **High** - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. 
A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses.\n\n## Proof of Concept\n\nFor reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness.\n\n## Remediation and Mitigation\n\nPlease update to the latest available versions of the following packages:\n\n- protobuf-java (3.16.1, 3.18.2, 3.19.2) \n- protobuf-kotlin (3.18.2, 3.19.2)\n- google-protobuf [JRuby gem only] (3.19.2) \n" + affected: + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-java + purl: pkg:maven/com.google.protobuf/protobuf-java + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.16.1 + versions: + - 2.0.1 + - 2.0.3 + - 2.1.0 + - 2.2.0 + - 2.3.0 + - 2.4.0a + - 2.4.1 + - 2.5.0 + - 2.6.0 + - 2.6.1 + - 3.0.0 + - 3.0.0-alpha-2 + - 3.0.0-alpha-3 + - 3.0.0-alpha-3.1 + - 3.0.0-beta-1 + - 3.0.0-beta-2 + - 3.0.0-beta-3 + - 3.0.0-beta-4 + - 3.0.2 + - 3.1.0 + - 3.10.0 + - 3.10.0-rc-1 + - 3.11.0 + - 3.11.0-rc-1 + - 3.11.0-rc-2 + - 3.11.1 + - 3.11.3 + - 3.11.4 + - 3.12.0 + - 3.12.0-rc-1 + - 3.12.0-rc-2 + - 3.12.1 + - 3.12.2 + - 3.12.4 + - 3.13.0 + - 3.13.0-rc-3 + - 3.14.0 + - 3.14.0-rc-1 + - 3.14.0-rc-2 + - 3.14.0-rc-3 + - 3.15.0 + - 3.15.0-rc-1 + - 3.15.0-rc-2 + - 3.15.1 + - 3.15.2 + - 3.15.3 + - 3.15.4 + - 3.15.5 + - 3.15.6 + - 3.15.7 + - 3.15.8 + - 3.16.0 + - 3.16.0-rc-1 + - 3.16.0-rc-2 + - 3.2.0 + - 3.2.0-rc.1 + - 3.2.0rc2 + - 3.3.0 + - 3.3.1 + - 3.4.0 + - 3.5.0 + - 3.5.1 + - 3.6.0 + - 3.6.1 + - 3.7.0 + - 3.7.0-rc1 + - 3.7.1 + - 3.8.0 + - 3.8.0-rc-1 + - 3.9.0 + - 3.9.0-rc-1 + - 3.9.1 + - 3.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json + - package: + ecosystem: RubyGems + name: google-protobuf + purl: pkg:gem/google-protobuf + ranges: + - type: ECOSYSTEM + events: + 
- introduced: "0" + - fixed: 3.19.2 + versions: + - 3.0.0 + - 3.0.0.alpha.1.0 + - 3.0.0.alpha.1.1 + - 3.0.0.alpha.2.0 + - 3.0.0.alpha.3 + - 3.0.0.alpha.3.1.pre + - 3.0.0.alpha.4.0 + - 3.0.0.alpha.5.0.3 + - 3.0.0.alpha.5.0.4 + - 3.0.0.alpha.5.0.5 + - 3.0.0.alpha.5.0.5.1 + - 3.0.2 + - 3.1.0 + - 3.1.0.0.pre + - 3.10.0.rc.1 + - 3.10.1 + - 3.11.0 + - 3.11.0.rc.1 + - 3.11.0.rc.2 + - 3.11.1 + - 3.11.2 + - 3.11.3 + - 3.11.4 + - 3.12.0 + - 3.12.0.rc.1 + - 3.12.0.rc.2 + - 3.12.1 + - 3.12.2 + - 3.12.4 + - 3.13.0 + - 3.13.0.rc.3 + - 3.14.0 + - 3.14.0.rc.1 + - 3.14.0.rc.2 + - 3.14.0.rc.3 + - 3.15.0 + - 3.15.0.rc.1 + - 3.15.0.rc.2 + - 3.15.1 + - 3.15.2 + - 3.15.3 + - 3.15.4 + - 3.15.5 + - 3.15.6 + - 3.15.7 + - 3.15.8 + - 3.16.0 + - 3.16.0.rc.1 + - 3.16.0.rc.2 + - 3.17.0 + - 3.17.0.rc.1 + - 3.17.0.rc.2 + - 3.17.1 + - 3.17.2 + - 3.17.3 + - 3.18.0 + - 3.18.0.rc.1 + - 3.18.0.rc.2 + - 3.18.1 + - 3.18.2 + - 3.18.3 + - 3.19.0 + - 3.19.0.rc.1 + - 3.19.0.rc.2 + - 3.19.1 + - 3.2.0 + - 3.2.0.1 + - 3.2.0.2 + - 3.2.1.pre + - 3.3.0 + - 3.4.0.1 + - 3.4.0.2 + - 3.4.1.1 + - 3.5.0 + - 3.5.0.pre + - 3.5.1 + - 3.5.1.1 + - 3.5.1.2 + - 3.6.0 + - 3.6.1 + - 3.7.0 + - 3.7.0.rc.2 + - 3.7.0.rc.3 + - 3.7.1 + - 3.8.0 + - 3.8.0.rc.1 + - 3.9.0 + - 3.9.0.rc.1 + - 3.9.1 + - 3.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-java + purl: pkg:maven/com.google.protobuf/protobuf-java + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.18.0 + - fixed: 3.18.2 + versions: + - 3.18.0 + - 3.18.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-java + purl: pkg:maven/com.google.protobuf/protobuf-java + ranges: + - type: ECOSYSTEM + events: + - 
introduced: 3.19.0 + - fixed: 3.19.2 + versions: + - 3.19.0 + - 3.19.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-kotlin + purl: pkg:maven/com.google.protobuf/protobuf-kotlin + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.18.0 + - fixed: 3.18.2 + versions: + - 3.18.0 + - 3.18.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json + - package: + ecosystem: Maven + name: com.google.protobuf:protobuf-kotlin + purl: pkg:maven/com.google.protobuf/protobuf-kotlin + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.19.0 + - fixed: 3.19.2 + versions: + - 3.19.0 + - 3.19.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: WEB + url: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67 + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-22569 + - type: WEB + url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330 + - type: WEB + url: https://cloud.google.com/support/bulletins#gcp-2022-001 + - type: PACKAGE + url: https://github.com/protocolbuffers/protobuf + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: http://www.openwall.com/lists/oss-security/2022/01/12/4 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2022/01/12/7 + database_specific: + cwe_ids: + - CWE-696 + github_reviewed: true + github_reviewed_at: "2022-01-07T22:23:14Z" + nvd_published_at: "2022-01-10T14:10:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: 
GHSA-q446-82vq-w674 + modified: 2024-02-20T05:33:38.873866Z + published: 2022-05-13T01:09:33Z + aliases: + - CVE-2016-5725 + summary: Improper Limitation of a Pathname to a Restricted Directory in JCraft JSch + details: Directory traversal vulnerability in JCraft JSch before 0.1.54 on Windows, when the mode is ChannelSftp.OVERWRITE, allows remote SFTP servers to write to arbitrary files via a ..\ (dot dot backslash) in a response to a recursive GET command. + affected: + - package: + ecosystem: Maven + name: com.jcraft:jsch + purl: pkg:maven/com.jcraft/jsch + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 0.1.54 + versions: + - 0.1.23 + - 0.1.24 + - 0.1.25 + - 0.1.27 + - 0.1.29 + - 0.1.31 + - 0.1.38 + - 0.1.41 + - 0.1.42 + - 0.1.43 + - 0.1.43-1 + - 0.1.44 + - 0.1.44-1 + - 0.1.45 + - 0.1.46 + - 0.1.47 + - 0.1.48 + - 0.1.49 + - 0.1.50 + - 0.1.51 + - 0.1.52 + - 0.1.53 + database_specific: + last_known_affected_version_range: <= 0.1.53 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q446-82vq-w674/GHSA-q446-82vq-w674.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2016-5725 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:3115 + - type: WEB + url: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-5725 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/04/msg00017.html + - type: WEB + url: https://www.exploit-db.com/exploits/40411 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: http://packetstormsecurity.com/files/138809/jsch-0.1.53-Path-Traversal.html + - type: WEB + url: http://seclists.org/fulldisclosure/2016/Sep/53 + - type: WEB + 
url: http://www.jcraft.com/jsch/ChangeLog + database_specific: + cwe_ids: + - CWE-22 + github_reviewed: true + github_reviewed_at: "2022-07-06T19:44:21Z" + nvd_published_at: "2017-01-19T22:59:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-84p2-vf58-xhxv + modified: 2024-02-16T08:07:45.873484Z + published: 2019-04-23T16:03:18Z + aliases: + - CVE-2019-5427 + summary: Billion laughs attack in c3p0 + details: c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration. + affected: + - package: + ecosystem: Maven + name: com.mchange:c3p0 + purl: pkg:maven/com.mchange/c3p0 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 0.9.5.4 + versions: + - 0.9.2 + - 0.9.2-pre2-RELEASE + - 0.9.2-pre3 + - 0.9.2-pre4 + - 0.9.2-pre5 + - 0.9.2-pre6 + - 0.9.2-pre7 + - 0.9.2-pre8 + - 0.9.2.1 + - 0.9.5 + - 0.9.5-pre1 + - 0.9.5-pre10 + - 0.9.5-pre2 + - 0.9.5-pre3 + - 0.9.5-pre4 + - 0.9.5-pre5 + - 0.9.5-pre6 + - 0.9.5-pre7 + - 0.9.5-pre8 + - 0.9.5-pre9 + - 0.9.5.1 + - 0.9.5.2 + - 0.9.5.3 + database_specific: + last_known_affected_version_range: <= 0.9.5.3 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-84p2-vf58-xhxv/GHSA-84p2-vf58-xhxv.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-5427 + - type: WEB + url: https://hackerone.com/reports/509315 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: 
https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-776 + github_reviewed: true + github_reviewed_at: "2019-04-23T16:01:51Z" + nvd_published_at: "2019-04-22T21:29:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-q485-j897-qc27 + modified: 2024-02-17T05:36:17.856971Z + published: 2019-01-07T19:14:34Z + aliases: + - CVE-2018-20433 + summary: XML External Entity Reference in mchange:c3p0 + details: c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization. + affected: + - package: + ecosystem: Maven + name: com.mchange:c3p0 + purl: pkg:maven/com.mchange/c3p0 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 0.9.5.3 + versions: + - 0.9.2 + - 0.9.2-pre2-RELEASE + - 0.9.2-pre3 + - 0.9.2-pre4 + - 0.9.2-pre5 + - 0.9.2-pre6 + - 0.9.2-pre7 + - 0.9.2-pre8 + - 0.9.2.1 + - 0.9.5 + - 0.9.5-pre1 + - 0.9.5-pre10 + - 0.9.5-pre2 + - 0.9.5-pre3 + - 0.9.5-pre4 + - 0.9.5-pre5 + - 0.9.5-pre6 + - 0.9.5-pre7 + - 0.9.5-pre8 + - 0.9.5-pre9 + - 0.9.5.1 + - 0.9.5.2 + database_specific: + last_known_affected_version_range: <= 0.9.5.2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-q485-j897-qc27/GHSA-q485-j897-qc27.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-20433 + - type: WEB + url: https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b + - type: ADVISORY + url: https://github.com/advisories/GHSA-q485-j897-qc27 + - type: PACKAGE + url: https://github.com/zhutougg/c3p0 + - type: WEB + url: 
https://lists.debian.org/debian-lts-announce/2018/12/msg00021.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4 + database_specific: + cwe_ids: + - CWE-611 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:50:54Z" + nvd_published_at: null + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-2qp9-wg27-9pcv + modified: 2023-11-08T03:58:54.698483Z + published: 2022-05-13T01:30:32Z + aliases: + - CVE-2017-12972 + summary: Nimbus JOSE+JWT missing overflow check + details: In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC. 
+ affected: + - package: + ecosystem: Maven + name: com.nimbusds:nimbus-jose-jwt + purl: pkg:maven/com.nimbusds/nimbus-jose-jwt + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "4.39" + versions: + - "2.10" + - 2.10.1 + - 2.11.0 + - 2.12.0 + - 2.13.0 + - 2.13.1 + - 2.14.0 + - 2.15.0 + - 2.15.1 + - 2.15.2 + - "2.16" + - "2.17" + - 2.17.1 + - 2.17.2 + - "2.18" + - 2.18.1 + - 2.18.2 + - "2.19" + - 2.19.1 + - "2.20" + - "2.21" + - "2.22" + - 2.22.1 + - "2.23" + - "2.24" + - "2.25" + - "2.26" + - 2.26.1 + - "2.9" + - "3.0" + - "3.1" + - 3.1.1 + - 3.1.2 + - "3.10" + - "3.2" + - 3.2.1 + - 3.2.2 + - "3.3" + - "3.4" + - "3.5" + - "3.6" + - "3.7" + - "3.8" + - 3.8.1 + - 3.8.2 + - "3.9" + - 3.9.1 + - 3.9.2 + - "4.0" + - 4.0-rc1 + - 4.0-rc2 + - 4.0-rc3 + - 4.0-rc4 + - 4.0.1 + - "4.1" + - 4.1.1 + - "4.10" + - "4.11" + - 4.11.1 + - 4.11.2 + - "4.12" + - "4.13" + - 4.13.1 + - "4.14" + - "4.15" + - 4.15.1 + - "4.16" + - 4.16.1 + - 4.16.2 + - "4.17" + - "4.18" + - "4.19" + - "4.2" + - "4.20" + - "4.21" + - "4.22" + - "4.23" + - "4.24" + - "4.25" + - "4.26" + - 4.26.1 + - "4.27" + - 4.27.1 + - "4.28" + - "4.29" + - "4.3" + - 4.3.1 + - "4.30" + - 4.31.1 + - "4.32" + - "4.33" + - "4.34" + - 4.34.1 + - 4.34.2 + - "4.35" + - "4.36" + - 4.36.1 + - "4.37" + - 4.37.1 + - "4.38" + - "4.4" + - "4.5" + - "4.6" + - "4.7" + - "4.8" + - "4.9" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2qp9-wg27-9pcv/GHSA-2qp9-wg27-9pcv.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-12972 + - type: WEB + url: https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/0d2bd649ea386539220d4facfe1f65eb1dadb86c + - type: WEB + url: https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/224/byte-to-bit-overflow-in-cbc + - type: WEB + url: 
https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt + - type: WEB + url: https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E + database_specific: + cwe_ids: + - CWE-345 + github_reviewed: true + github_reviewed_at: "2022-11-08T22:28:09Z" + nvd_published_at: "2017-08-20T16:29:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-f6vf-pq8c-69m4 + modified: 2024-03-14T05:19:45.441054Z + published: 2019-10-16T18:31:17Z + aliases: + - CVE-2019-17195 + summary: Improper Check for Unusual or Exceptional Conditions in Connect2id Nimbus JOSE+JWT + details: Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass. + affected: + - package: + ecosystem: Maven + name: com.nimbusds:nimbus-jose-jwt + purl: pkg:maven/com.nimbusds/nimbus-jose-jwt + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "7.9" + versions: + - "2.10" + - 2.10.1 + - 2.11.0 + - 2.12.0 + - 2.13.0 + - 2.13.1 + - 2.14.0 + - 2.15.0 + - 2.15.1 + - 2.15.2 + - "2.16" + - "2.17" + - 2.17.1 + - 2.17.2 + - "2.18" + - 2.18.1 + - 2.18.2 + - "2.19" + - 2.19.1 + - "2.20" + - "2.21" + - "2.22" + - 2.22.1 + - "2.23" + - "2.24" + - "2.25" + - "2.26" + - 2.26.1 + - "2.9" + - "3.0" + - "3.1" + - 3.1.1 + - 3.1.2 + - "3.10" + - "3.2" + - 3.2.1 + - 3.2.2 + - "3.3" + - "3.4" + - "3.5" + - "3.6" + - "3.7" + - "3.8" + - 3.8.1 + - 3.8.2 + - "3.9" + - 3.9.1 + - 3.9.2 + - "4.0" + - 4.0-rc1 + - 4.0-rc2 + - 4.0-rc3 + - 4.0-rc4 + - 4.0.1 + - "4.1" + - 4.1.1 + - "4.10" + - "4.11" + - 4.11.1 + - 4.11.2 + - "4.12" + - "4.13" + - 4.13.1 + - "4.14" + - "4.15" + - 4.15.1 + - "4.16" + - 4.16.1 + - 4.16.2 + - "4.17" + - "4.18" + - "4.19" + - "4.2" + - "4.20" + - "4.21" + - "4.22" + - "4.23" + - "4.24" + - "4.25" + - "4.26" + - 4.26.1 + - "4.27" + - 4.27.1 + - "4.28" + - "4.29" 
+ - "4.3" + - 4.3.1 + - "4.30" + - 4.31.1 + - "4.32" + - "4.33" + - "4.34" + - 4.34.1 + - 4.34.2 + - "4.35" + - "4.36" + - 4.36.1 + - "4.37" + - 4.37.1 + - "4.38" + - "4.39" + - 4.39.1 + - 4.39.2 + - "4.4" + - "4.40" + - "4.41" + - 4.41.1 + - 4.41.2 + - 4.41.3 + - "4.5" + - "4.6" + - "4.7" + - "4.8" + - "4.9" + - "5.0" + - "5.1" + - "5.10" + - "5.11" + - "5.12" + - "5.13" + - "5.14" + - "5.2" + - "5.3" + - "5.4" + - "5.5" + - "5.6" + - "5.7" + - "5.8" + - "5.9" + - "6.0" + - 6.0.1 + - 6.0.2 + - "6.1" + - 6.1.1 + - "6.2" + - "6.3" + - 6.3.1 + - "6.4" + - 6.4.1 + - 6.4.2 + - "6.5" + - 6.5.1 + - "6.6" + - "6.7" + - "6.8" + - "7.0" + - 7.0.1 + - "7.1" + - 7.2.1 + - "7.3" + - "7.4" + - "7.5" + - 7.5.1 + - "7.6" + - "7.7" + - "7.8" + - 7.8.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-f6vf-pq8c-69m4/GHSA-f6vf-pq8c-69m4.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-17195 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://lists.apache.org/thread.html/rcac26c2d4df22341fa6ebbfe93ba1eff77d2dcd3f6106a1dc1f9ac98@%3Cdev.avro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5e08837e695efd36be73510ce58ec05785dbcea077819d8acc2d990d@%3Ccommits.druid.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r35f6301a3e6a56259224786dd9c2a935ba27ff6b494d15a3b66efe6a@%3Cdev.avro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r33dc233634aedb04fa77db3eb79ea12d15ca4da89fa46a1c585ecb0b@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2667286c8ceffaf893b16829b9612d8f7c4ee6b30362c6c1b583e3c2@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e10d43984f39327e443e875adcd4a5049193a7c010e81971908caf41@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/8768553cda5838f59ee3865cac546e824fa740e82d9dc2a7fc44e80d@%3Ccommon-dev.hadoop.apache.org%3E + - type: WEB + url: https://connect2id.com/blog/nimbus-jose-jwt-7-9 + - type: WEB + url: https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt + - type: PACKAGE + url: https://bitbucket.org/connect2id/nimbus-jose-jwt + database_specific: + cwe_ids: + - CWE-754 + - CWE-755 + github_reviewed: true + github_reviewed_at: "2019-10-16T15:26:53Z" + nvd_published_at: "2019-10-15T14:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-gvpg-vgmx-xg6w + modified: 2024-03-15T14:58:52.822457Z + published: 2024-02-11T06:30:27Z + aliases: + - CVE-2023-52428 + summary: Denial of Service in Connect2id Nimbus JOSE+JWT + details: In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component. 
+ affected: + - package: + ecosystem: Maven + name: com.nimbusds:nimbus-jose-jwt + purl: pkg:maven/com.nimbusds/nimbus-jose-jwt + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 9.37.2 + versions: + - "2.10" + - 2.10.1 + - 2.11.0 + - 2.12.0 + - 2.13.0 + - 2.13.1 + - 2.14.0 + - 2.15.0 + - 2.15.1 + - 2.15.2 + - "2.16" + - "2.17" + - 2.17.1 + - 2.17.2 + - "2.18" + - 2.18.1 + - 2.18.2 + - "2.19" + - 2.19.1 + - "2.20" + - "2.21" + - "2.22" + - 2.22.1 + - "2.23" + - "2.24" + - "2.25" + - "2.26" + - 2.26.1 + - "2.9" + - "3.0" + - "3.1" + - 3.1.1 + - 3.1.2 + - "3.10" + - "3.2" + - 3.2.1 + - 3.2.2 + - "3.3" + - "3.4" + - "3.5" + - "3.6" + - "3.7" + - "3.8" + - 3.8.1 + - 3.8.2 + - "3.9" + - 3.9.1 + - 3.9.2 + - "4.0" + - 4.0-rc1 + - 4.0-rc2 + - 4.0-rc3 + - 4.0-rc4 + - 4.0.1 + - "4.1" + - 4.1.1 + - "4.10" + - "4.11" + - 4.11.1 + - 4.11.2 + - "4.12" + - "4.13" + - 4.13.1 + - "4.14" + - "4.15" + - 4.15.1 + - "4.16" + - 4.16.1 + - 4.16.2 + - "4.17" + - "4.18" + - "4.19" + - "4.2" + - "4.20" + - "4.21" + - "4.22" + - "4.23" + - "4.24" + - "4.25" + - "4.26" + - 4.26.1 + - "4.27" + - 4.27.1 + - "4.28" + - "4.29" + - "4.3" + - 4.3.1 + - "4.30" + - 4.31.1 + - "4.32" + - "4.33" + - "4.34" + - 4.34.1 + - 4.34.2 + - "4.35" + - "4.36" + - 4.36.1 + - "4.37" + - 4.37.1 + - "4.38" + - "4.39" + - 4.39.1 + - 4.39.2 + - "4.4" + - "4.40" + - "4.41" + - 4.41.1 + - 4.41.2 + - 4.41.3 + - "4.5" + - "4.6" + - "4.7" + - "4.8" + - "4.9" + - "5.0" + - "5.1" + - "5.10" + - "5.11" + - "5.12" + - "5.13" + - "5.14" + - "5.2" + - "5.3" + - "5.4" + - "5.5" + - "5.6" + - "5.7" + - "5.8" + - "5.9" + - "6.0" + - 6.0.1 + - 6.0.2 + - "6.1" + - 6.1.1 + - "6.2" + - "6.3" + - 6.3.1 + - "6.4" + - 6.4.1 + - 6.4.2 + - "6.5" + - 6.5.1 + - "6.6" + - "6.7" + - "6.8" + - "7.0" + - 7.0.1 + - "7.1" + - 7.2.1 + - "7.3" + - "7.4" + - "7.5" + - 7.5.1 + - "7.6" + - "7.7" + - "7.8" + - 7.8.1 + - "7.9" + - "8.0" + - "8.1" + - "8.10" + - "8.11" + - "8.12" + - "8.13" + - "8.14" + - 8.14.1 + - "8.15" + - "8.16" + 
- "8.17" + - 8.17.1 + - "8.18" + - 8.18.1 + - "8.19" + - "8.2" + - 8.2.1 + - "8.20" + - 8.20.1 + - 8.20.2 + - "8.21" + - 8.21.1 + - "8.22" + - 8.22.1 + - "8.23" + - "8.3" + - "8.4" + - 8.4.1 + - "8.5" + - 8.5.1 + - "8.6" + - "8.7" + - "8.8" + - "8.9" + - "9.0" + - 9.0.1 + - "9.1" + - 9.1.1 + - 9.1.2 + - 9.1.3 + - 9.1.4 + - 9.1.5 + - "9.10" + - 9.10.1 + - "9.11" + - 9.11.1 + - 9.11.2 + - 9.11.3 + - "9.12" + - 9.12.1 + - "9.13" + - "9.14" + - "9.15" + - 9.15.1 + - 9.15.2 + - "9.16" + - 9.16-preview.1 + - 9.16.1 + - "9.17" + - "9.18" + - "9.19" + - "9.2" + - "9.20" + - "9.21" + - 9.21.1 + - "9.22" + - "9.23" + - "9.24" + - 9.24.1 + - 9.24.2 + - 9.24.3 + - 9.24.4 + - "9.25" + - 9.25.1 + - 9.25.2 + - 9.25.3 + - 9.25.4 + - 9.25.5 + - 9.25.6 + - "9.26" + - "9.27" + - "9.28" + - "9.29" + - "9.3" + - "9.30" + - 9.30.1 + - 9.30.2 + - "9.31" + - "9.32" + - "9.33" + - "9.34" + - "9.35" + - "9.36" + - "9.37" + - 9.37.1 + - "9.4" + - 9.4.1 + - 9.4.2 + - "9.5" + - "9.6" + - 9.6.1 + - "9.7" + - "9.8" + - 9.8.1 + - "9.9" + - 9.9.1 + - 9.9.2 + - 9.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-gvpg-vgmx-xg6w/GHSA-gvpg-vgmx-xg6w.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-52428 + - type: PACKAGE + url: https://bitbucket.org/connect2id/nimbus-jose-jwt + - type: WEB + url: https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e + - type: WEB + url: https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526 + - type: WEB + url: https://connect2id.com/products/nimbus-jose-jwt + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + github_reviewed_at: "2024-03-15T14:23:03Z" + nvd_published_at: "2024-02-11T05:15:08Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-jfmq-4g4m-99rh + modified: 2023-11-08T03:58:54.759362Z + published: 2022-05-13T01:42:51Z + aliases: + - CVE-2017-12973 + summary: Nimbus JOSE+JWT vulnerable to padding 
oracle attack + details: Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack. + affected: + - package: + ecosystem: Maven + name: com.nimbusds:nimbus-jose-jwt + purl: pkg:maven/com.nimbusds/nimbus-jose-jwt + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "4.39" + versions: + - "2.10" + - 2.10.1 + - 2.11.0 + - 2.12.0 + - 2.13.0 + - 2.13.1 + - 2.14.0 + - 2.15.0 + - 2.15.1 + - 2.15.2 + - "2.16" + - "2.17" + - 2.17.1 + - 2.17.2 + - "2.18" + - 2.18.1 + - 2.18.2 + - "2.19" + - 2.19.1 + - "2.20" + - "2.21" + - "2.22" + - 2.22.1 + - "2.23" + - "2.24" + - "2.25" + - "2.26" + - 2.26.1 + - "2.9" + - "3.0" + - "3.1" + - 3.1.1 + - 3.1.2 + - "3.10" + - "3.2" + - 3.2.1 + - 3.2.2 + - "3.3" + - "3.4" + - "3.5" + - "3.6" + - "3.7" + - "3.8" + - 3.8.1 + - 3.8.2 + - "3.9" + - 3.9.1 + - 3.9.2 + - "4.0" + - 4.0-rc1 + - 4.0-rc2 + - 4.0-rc3 + - 4.0-rc4 + - 4.0.1 + - "4.1" + - 4.1.1 + - "4.10" + - "4.11" + - 4.11.1 + - 4.11.2 + - "4.12" + - "4.13" + - 4.13.1 + - "4.14" + - "4.15" + - 4.15.1 + - "4.16" + - 4.16.1 + - 4.16.2 + - "4.17" + - "4.18" + - "4.19" + - "4.2" + - "4.20" + - "4.21" + - "4.22" + - "4.23" + - "4.24" + - "4.25" + - "4.26" + - 4.26.1 + - "4.27" + - 4.27.1 + - "4.28" + - "4.29" + - "4.3" + - 4.3.1 + - "4.30" + - 4.31.1 + - "4.32" + - "4.33" + - "4.34" + - 4.34.1 + - 4.34.2 + - "4.35" + - "4.36" + - 4.36.1 + - "4.37" + - 4.37.1 + - "4.38" + - "4.4" + - "4.5" + - "4.6" + - "4.7" + - "4.8" + - "4.9" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jfmq-4g4m-99rh/GHSA-jfmq-4g4m-99rh.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-12973 + - type: WEB + url: 
https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/6a29f10f723f406eb25555f55842c59a43a38912 + - type: WEB + url: https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/223/aescbc-return-immediately-on-invalid-hmac + - type: WEB + url: https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt + database_specific: + cwe_ids: + - CWE-354 + github_reviewed: true + github_reviewed_at: "2022-11-08T23:03:33Z" + nvd_published_at: "2017-08-20T16:29:00Z" + severity: LOW + - schema_version: 1.6.0 + id: GHSA-pfv2-37f7-9m6w + modified: 2023-11-08T03:58:54.822926Z + published: 2022-05-13T01:30:32Z + aliases: + - CVE-2017-12974 + summary: Improper Verification of Cryptographic Signature in Nimbus JOSE+JWT + details: Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation. 
+ affected: + - package: + ecosystem: Maven + name: com.nimbusds:nimbus-jose-jwt + purl: pkg:maven/com.nimbusds/nimbus-jose-jwt + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "4.36" + versions: + - "2.10" + - 2.10.1 + - 2.11.0 + - 2.12.0 + - 2.13.0 + - 2.13.1 + - 2.14.0 + - 2.15.0 + - 2.15.1 + - 2.15.2 + - "2.16" + - "2.17" + - 2.17.1 + - 2.17.2 + - "2.18" + - 2.18.1 + - 2.18.2 + - "2.19" + - 2.19.1 + - "2.20" + - "2.21" + - "2.22" + - 2.22.1 + - "2.23" + - "2.24" + - "2.25" + - "2.26" + - 2.26.1 + - "2.9" + - "3.0" + - "3.1" + - 3.1.1 + - 3.1.2 + - "3.10" + - "3.2" + - 3.2.1 + - 3.2.2 + - "3.3" + - "3.4" + - "3.5" + - "3.6" + - "3.7" + - "3.8" + - 3.8.1 + - 3.8.2 + - "3.9" + - 3.9.1 + - 3.9.2 + - "4.0" + - 4.0-rc1 + - 4.0-rc2 + - 4.0-rc3 + - 4.0-rc4 + - 4.0.1 + - "4.1" + - 4.1.1 + - "4.10" + - "4.11" + - 4.11.1 + - 4.11.2 + - "4.12" + - "4.13" + - 4.13.1 + - "4.14" + - "4.15" + - 4.15.1 + - "4.16" + - 4.16.1 + - 4.16.2 + - "4.17" + - "4.18" + - "4.19" + - "4.2" + - "4.20" + - "4.21" + - "4.22" + - "4.23" + - "4.24" + - "4.25" + - "4.26" + - 4.26.1 + - "4.27" + - 4.27.1 + - "4.28" + - "4.29" + - "4.3" + - 4.3.1 + - "4.30" + - 4.31.1 + - "4.32" + - "4.33" + - "4.34" + - 4.34.1 + - 4.34.2 + - "4.35" + - "4.4" + - "4.5" + - "4.6" + - "4.7" + - "4.8" + - "4.9" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pfv2-37f7-9m6w/GHSA-pfv2-37f7-9m6w.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-12974 + - type: WEB + url: https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f3a7a801f0c6b078899fed9226368eb7b44e2b2f + - type: WEB + url: https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/217/explicit-check-for-ec-public-key-on-curve + - type: WEB + url: https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt + - type: PACKAGE + url: 
https://github.com/felx/nimbus-jose-jwt + - type: WEB + url: https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E + database_specific: + cwe_ids: + - CWE-347 + github_reviewed: true + github_reviewed_at: "2022-07-01T20:20:30Z" + nvd_published_at: "2017-08-20T16:29:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-6phf-73q6-gh87 + modified: 2024-03-08T05:28:43.649817Z + published: 2020-06-15T20:36:17Z + aliases: + - CVE-2019-10086 + summary: Insecure Deserialization in Apache Commons Beanutils + details: In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean. + affected: + - package: + ecosystem: Maven + name: commons-beanutils:commons-beanutils + purl: pkg:maven/commons-beanutils/commons-beanutils + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.9.4 + versions: + - "1.0" + - "1.2" + - "1.3" + - "1.4" + - 1.4.1 + - "1.5" + - "1.6" + - 1.6.1 + - 1.7.0 + - 1.8.0 + - 1.8.0-BETA + - 1.8.1 + - 1.8.2 + - 1.8.3 + - 1.9.0 + - 1.9.1 + - 1.9.2 + - 1.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6phf-73q6-gh87/GHSA-6phf-73q6-gh87.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-10086 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:4317 + - type: WEB + url: https://lists.apache.org/thread.html/ra41fd0ad4b7e1d675c03a5081a16a6603085a4e37d30b866067566fe@%3Cissues.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra87ac17410a62e813cba901fdd4e9a674dd53daaf714870f28e905f1@%3Cdev.atlas.apache.org%3E + - 
type: WEB + url: https://lists.apache.org/thread.html/ra9a139fdc0999750dcd519e81384bc1fe3946f311b1796221205f51c@%3Ccommits.dolphinscheduler.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/racd3e7b2149fa2f255f016bd6bffab0fea77b6fb81c50db9a17f78e6@%3Cdev.atlas.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rae81e0c8ebdf47ffaa85a01240836bfece8a990c48f55c7933162b5c@%3Cdev.atlas.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb1f76c2c0a4d6efb8a3523974f9d085d5838b73e7bffdf9a8f212997@%3Cissues.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb8dac04cb7e9cc5dedee8dabaa1c92614f590642e5ebf02a145915ba@%3Ccommits.atlas.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcc029be4edaaf5b8bb85818aab494e16f312fced07a0f4a202771ba2@%3Cissues.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd2d2493f4f1af6980d265b8d84c857e2b7ab80a46e1423710c448957@%3Cissues.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re2028d4d76ba1db3e3c3a722d6c6034e801cc3b309f69cc166eaa32b@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re3cd7cb641d7fc6684e4fc3c336a8bad4a01434bb5625a06e3600fd1@%3Cissues.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rec74f3a94dd850259c730b4ba6f7b6211222b58900ec088754aa0534@%3Cissues.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/reee57101464cf7622d640ae013b2162eb864f603ec4093de8240bb8f@%3Cdev.atlas.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/08/msg00030.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4APPGLBWMFAS4WHNLR4LIJ65DJGPV7TF + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIUYSL2RSIWZVNSUIXJTIFPIPIF6OAIO + - type: 
WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0057 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0194 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0804 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0805 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0806 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0811 + - type: PACKAGE + url: https://github.com/apache/commons-beanutils + - type: WEB + url: https://lists.apache.org/thread.html/02094ad226dbc17a2368beaf27e61d8b1432f5baf77d0ca995bb78bc@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/2fd61dc89df9aeab738d2b49f48d42c76f7d53b980ba04e1d48bce48@%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3d1ed1a1596c08c4d5fea97b36c651ce167b773f1afc75251ce7a125@%3Ccommits.tinkerpop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/5261066cd7adee081ee05c8bf0e96cf0b2eeaced391e19117ae4daa6@%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/a684107d3a78e431cf0fbb90629e8559a36ff8fe94c3a76e620b39fa@%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/c94bc9649d5109a663b2129371dc45753fbdeacd340105548bbe93c3@%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/d6ca9439c53374b597f33b7ec180001625597db48ea30356af01145f@%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r18d8b4f9263e5cad3bbaef0cdba0e2ccdf9201316ac4b85e23eb7ee4@%3Cdev.atlas.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2d5f1d88c39bd615271abda63964a0bee9b2b57fef1f84cb4c43032e@%3Cissues.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r306c0322aa5c0da731e03f3ce9f07f4745c052c6b73f4e78faf232ca@%3Cdev.atlas.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r43de02fd4a4f52c4bdeff8c02f09625d83cd047498009c1cdab857db@%3Cdev.rocketmq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r46e536fc98942dce99fadd2e313aeefe90c1a769c5cd85d98df9d098@%3Cissues.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r513a7a21c422170318115463b399dd58ab447fe0990b13e5884f0825@%3Ccommits.dolphinscheduler.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r6194ced4828deb32023cd314e31f41c61d388b58935d102c7de91f58@%3Cdev.atlas.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9@%3Cdev.brooklyn.apache.org%3E + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00007.html + - type: WEB + url: http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3e + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-06-11T15:08:49Z" + nvd_published_at: "2019-08-20T21:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-p66x-2cv9-qq3v + modified: 2024-06-05T16:03:45.518647Z + published: 2020-06-10T23:38:01Z + aliases: + - CVE-2014-0114 + summary: Arbitrary code execution in Apache Commons BeanUtils + details: Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. 
+ affected: + - package: + ecosystem: Maven + name: commons-beanutils:commons-beanutils + purl: pkg:maven/commons-beanutils/commons-beanutils + ranges: + - type: ECOSYSTEM + events: + - introduced: 1.8.0 + - fixed: 1.9.4 + versions: + - 1.8.0 + - 1.8.1 + - 1.8.2 + - 1.8.3 + - 1.9.0 + - 1.9.1 + - 1.9.2 + - 1.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-p66x-2cv9-qq3v/GHSA-p66x-2cv9-qq3v.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2014-0114 + - type: WEB + url: https://github.com/apache/commons-beanutils/pull/7 + - type: WEB + url: https://github.com/apache/commons-beanutils/commit/62e82ad92cf4818709d6044aaf257b73d42659a4 + - type: WEB + url: https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639@%3Ccommits.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40@%3Cgitbox.activemq.apache.org%3E + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25@%3Cdev.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html + - type: WEB + url: https://web.archive.org/web/20150710065242/http://www.securityfocus.com/archive/1/534161/100/0/threaded + - type: WEB + url: https://web.archive.org/web/20140618110851/http://www.securityfocus.com/bid/67121 + - type: WEB + url: https://snyk.io/vuln/SNYK-JAVA-COMMONSBEANUTILS-30077 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20180629-0006 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20140911-0001 + - type: WEB + url: https://security.gentoo.org/glsa/201607-09 + - type: WEB + url: 
https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3@%3Cnotifications.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f@%3Cissues.commons.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f@%3Cnotifications.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86@%3Cdev.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5@%3Ccommits.commons.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f@%3Cuser.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859@%3Cdev.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E + - type: WEB + url: https://issues.apache.org/jira/browse/BEANUTILS-463 + - type: WEB + url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755 + - type: PACKAGE + url: https://github.com/apache/commons-beanutils + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=1116665 + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=1091938 + - type: WEB + url: https://access.redhat.com/solutions/869353 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2995 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2669 + - type: WEB + url: https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293@%3Cissues.commons.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1@%3Cdev.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd@%3Ccommits.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0@%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0@%3Cissues.commons.apache.org%3E + - type: WEB + url: http://advisories.mageia.org/MGASA-2014-0219.html + - type: WEB + url: http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html + - type: WEB + url: http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt + - type: WEB + url: http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html + - type: WEB + url: http://marc.info/?l=bugtraq&m=140119284401582&w=2 + - type: WEB + url: http://marc.info/?l=bugtraq&m=140801096002766&w=2 + - type: WEB + url: http://marc.info/?l=bugtraq&m=141451023707502&w=2 + - type: WEB + url: 
http://openwall.com/lists/oss-security/2014/06/15/10 + - type: WEB + url: http://openwall.com/lists/oss-security/2014/07/08/1 + - type: WEB + url: http://seclists.org/fulldisclosure/2014/Dec/23 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21674128 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21674812 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21675266 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21675387 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21675689 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21675898 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21675972 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21676091 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21676110 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21676303 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21676375 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21676931 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21677110 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg27042296 + - type: WEB + url: http://www.debian.org/security/2014/dsa-2940 + - type: WEB + url: http://www.ibm.com/support/docview.wss?uid=swg21675496 + - type: WEB + url: http://www.mandriva.com/security/advisories?name=MDVSA-2014:095 + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html + - type: WEB + url: 
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html + - type: WEB + url: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html + - type: WEB + url: http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html + - type: WEB + url: http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html + - type: WEB + url: http://www.vmware.com/security/advisories/VMSA-2014-0008.html + - type: WEB + url: http://www.vmware.com/security/advisories/VMSA-2014-0012.html + database_specific: + cwe_ids: + - CWE-20 + github_reviewed: true + github_reviewed_at: "2020-06-10T23:37:42Z" + nvd_published_at: "2014-04-30T10:49:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-6hgm-866r-3cjv + modified: 2024-02-16T08:23:38.195784Z + published: 2020-06-15T20:36:20Z + aliases: + - CVE-2015-6420 + summary: Insecure Deserialization in Apache Commons Collection + details: Serialized-object interfaces in Java applications using the Apache Commons Collections (ACC) library may allow remote attackers to execute arbitrary commands via a crafted serialized Java object. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.commons:commons-collections4 + purl: pkg:maven/org.apache.commons/commons-collections4 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "4.1" + versions: + - "4.0" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json + - package: + ecosystem: Maven + name: commons-collections:commons-collections + purl: pkg:maven/commons-collections/commons-collections + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.2.2 + versions: + - "1.0" + - "2.0" + - 2.0.20020914.015953 + - 2.0.20020914.020746 + - 2.0.20020914.020858 + - "2.1" + - 2.1.1 + - "3.0" + - 3.0-dev2 + - "3.1" + - "3.2" + - 3.2.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json + - package: + ecosystem: Maven + name: net.sourceforge.collections:collections-generic + purl: pkg:maven/net.sourceforge.collections/collections-generic + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 4.0.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json + - package: + ecosystem: Maven + name: org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic + purl: pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.collections-generic + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: "4.01" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json + - package: + ecosystem: Maven + name: org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections + purl: 
pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-collections + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 3.2.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2015-6420 + - type: WEB + url: https://arxiv.org/pdf/2306.05534 + - type: PACKAGE + url: https://github.com/apache/commons-collections + - type: WEB + url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917 + - type: WEB + url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722 + - type: WEB + url: https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E + - type: WEB + url: https://www.kb.cert.org/vuls/id/581311 + - type: WEB + url: https://www.tenable.com/security/research/tra-2017-14 + - type: WEB + url: https://www.tenable.com/security/research/tra-2017-23 + - type: WEB + url: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html + - type: WEB + url: http://www.securityfocus.com/bid/78872 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-06-11T15:58:44Z" + nvd_published_at: "2015-12-15T05:59:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-fjq5-5j5f-mvxh + modified: 2024-02-17T05:22:18.562352Z + published: 2022-05-13T01:25:20Z + aliases: + - CVE-2015-7501 + summary: Deserialization of Untrusted Data in Apache commons collections + details: It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. 
A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. + affected: + - package: + ecosystem: Maven + name: commons-collections:commons-collections + purl: pkg:maven/commons-collections/commons-collections + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.2.2 + versions: + - "1.0" + - "2.0" + - 2.0.20020914.015953 + - 2.0.20020914.020746 + - 2.0.20020914.020858 + - "2.1" + - 2.1.1 + - "3.0" + - 3.0-dev2 + - "3.1" + - "3.2" + - 3.2.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json + - package: + ecosystem: Maven + name: org.apache.commons:commons-collections4 + purl: pkg:maven/org.apache.commons/commons-collections4 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "4.1" + versions: + - "4.0" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json + - package: + ecosystem: Maven + name: org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections + purl: pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-collections + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.2.1 + versions: + - 3.2.1_1 + - 3.2.1_2 + - 3.2.1_3 + database_specific: + last_known_affected_version_range: < 3.2.2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json + - package: + ecosystem: Maven + name: net.sourceforge.collections:collections-generic + purl: pkg:maven/net.sourceforge.collections/collections-generic + versions: + - "4.01" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json + - 
package: + ecosystem: Maven + name: org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic + purl: pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.collections-generic + ranges: + - type: ECOSYSTEM + events: + - introduced: "4.01" + versions: + - "4.01_1" + database_specific: + last_known_affected_version_range: < 4.02 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2015-7501 + - type: WEB + url: https://access.redhat.com/security/vulnerabilities/2059393 + - type: WEB + url: https://access.redhat.com/solutions/2045023 + - type: WEB + url: https://arxiv.org/pdf/2306.05534.pdf + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=1279330 + - type: WEB + url: https://commons.apache.org/proper/commons-collections/release_4_1.html + - type: WEB + url: https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability + - type: PACKAGE + url: https://github.com/apache/commons-collections + - type: WEB + url: https://github.com/jensdietrich/xshady-release/tree/main/CVE-2015-7501 + - type: WEB + url: https://issues.apache.org/jira/browse/COLLECTIONS-580. 
+ - type: WEB + url: https://sourceforge.net/p/collections/code/HEAD/tree + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2016-1773.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2022-11-03T22:57:31Z" + nvd_published_at: "2017-11-09T17:29:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-3832-9276-x7gf + modified: 2024-03-14T22:02:33.751135Z + published: 2022-05-13T01:10:34Z + aliases: + - CVE-2012-5783 + summary: Improper Certificate Validation in apache HttpClient + details: Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. + affected: + - package: + ecosystem: Maven + name: commons-httpclient:commons-httpclient + purl: pkg:maven/commons-httpclient/commons-httpclient + ranges: + - type: ECOSYSTEM + events: + - introduced: "3.0" + - fixed: "4.0" + versions: + - "3.0" + - 3.0.1 + - "3.1" + - 3.1-alpha1 + - 3.1-beta1 + - 3.1-jenkins-1 + - 3.1-jenkins-2 + - 3.1-jenkins-3 + - 3.1-rc1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3832-9276-x7gf/GHSA-3832-9276-x7gf.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2012-5783 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:0868 + - type: WEB + url: https://exchange.xforce.ibmcloud.com/vulnerabilities/79984 + - type: PACKAGE + url: https://github.com/apache/httpcomponents-client + - type: WEB + url: https://issues.apache.org/jira/browse/HTTPCLIENT-1265 + - type: WEB + url: http://lists.opensuse.org/opensuse-updates/2013-02/msg00078.html + - type: WEB + url: http://lists.opensuse.org/opensuse-updates/2013-04/msg00040.html + 
- type: WEB + url: http://lists.opensuse.org/opensuse-updates/2013-04/msg00041.html + - type: WEB + url: http://lists.opensuse.org/opensuse-updates/2013-04/msg00053.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2013-0270.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2013-0679.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2013-0680.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2013-0682.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2013-1853.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-0224.html + - type: WEB + url: http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf + - type: WEB + url: http://www.ubuntu.com/usn/USN-2769-1 + database_specific: + cwe_ids: + - CWE-295 + github_reviewed: true + github_reviewed_at: "2022-07-13T13:58:59Z" + nvd_published_at: "2012-11-04T22:55:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-gwrp-pvrq-jmwv + modified: 2024-03-12T05:31:30.961796Z + published: 2021-04-26T16:04:00Z + aliases: + - CVE-2021-29425 + summary: Path Traversal and Improper Input Validation in Apache Commons IO + details: In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value. 
+ affected: + - package: + ecosystem: Maven + name: commons-io:commons-io + purl: pkg:maven/commons-io/commons-io + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "2.7" + versions: + - "0.1" + - "1.0" + - "1.1" + - "1.2" + - "1.3" + - 1.3.1 + - 1.3.2 + - "1.4" + - "2.0" + - 2.0.1 + - "2.1" + - "2.2" + - "2.3" + - "2.4" + - "2.5" + - "2.6" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json + - package: + ecosystem: Maven + name: com.cosium.vet:vet + purl: pkg:maven/com.cosium.vet/vet + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.0" + - last_affected: "3.22" + versions: + - "1.0" + - "1.1" + - "1.11" + - "1.12" + - "1.13" + - "1.2" + - "1.3" + - "1.4" + - "1.5" + - "2.2" + - "2.3" + - "2.6" + - "2.7" + - "2.8" + - "2.9" + - "3.0" + - "3.10" + - "3.11" + - "3.12" + - "3.13" + - "3.14" + - "3.15" + - "3.16" + - "3.17" + - "3.18" + - "3.19" + - "3.22" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json + - package: + ecosystem: Maven + name: com.diamondq.common:common-thirdparty.jcasbin + purl: pkg:maven/com.diamondq.common/common-thirdparty.jcasbin + versions: + - 1.4.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json + - package: + ecosystem: Maven + name: com.liferay:com.liferay.sass.compiler.jsass + purl: pkg:maven/com.liferay/com.liferay.sass.compiler.jsass + versions: + - 1.0.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json + - package: + ecosystem: Maven + name: com.virjar:ratel-api + purl: pkg:maven/com.virjar/ratel-api + ranges: + - type: ECOSYSTEM + events: + - introduced: 
1.0.0 + - last_affected: 1.3.6 + versions: + - 1.0.0 + - 1.1.0 + - 1.2.0 + - 1.3.0 + - 1.3.1 + - 1.3.2 + - 1.3.3 + - 1.3.4 + - 1.3.5 + - 1.3.6 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json + - package: + ecosystem: Maven + name: net.hasor:cobble-lang + purl: pkg:maven/net.hasor/cobble-lang + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.4.1 + - last_affected: 4.6.2 + versions: + - 4.4.1 + - 4.4.2 + - 4.5.0 + - 4.5.1 + - 4.5.2 + - 4.5.3 + - 4.5.4 + - 4.6.0 + - 4.6.1 + - 4.6.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json + - package: + ecosystem: Maven + name: org.apache.commons:commons-io + purl: pkg:maven/org.apache.commons/commons-io + versions: + - 1.3.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json + - package: + ecosystem: Maven + name: org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-io + purl: pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-io + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.4" + - last_affected: "1.5" + versions: + - "1.4_1" + - "1.4_2" + - "1.4_3" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json + - package: + ecosystem: Maven + name: org.checkerframework.annotatedlib:commons-io + purl: pkg:maven/org.checkerframework.annotatedlib/commons-io + ranges: + - type: ECOSYSTEM + events: + - introduced: "2.6" + - fixed: "2.7" + versions: + - "2.6" + - 2.6.0.1 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json + - package: + ecosystem: Maven + name: org.smartboot.servlet:servlet-core + purl: pkg:maven/org.smartboot.servlet/servlet-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 0.1.9 + - last_affected: "0.6" + versions: + - 0.1.9 + - "0.2" + - 0.2.1 + - "0.3" + - 0.3.1 + - "0.4" + - "0.5" + - "0.6" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-29425 + - type: WEB + url: https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31@%3Cdev.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8@%3Cdev.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5@%3Cdev.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a@%3Cuser.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5@%3Cdev.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80@%3Cpluto-dev.portals.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0@%3Cpluto-dev.portals.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c@%3Cdev.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330@%3Cdev.commons.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220210-0004 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: 
https://arxiv.org/pdf/2306.05534.pdf + - type: WEB + url: https://github.com/jensdietrich/xshady-release/tree/main/CVE-2021-29425 + - type: WEB + url: https://issues.apache.org/jira/browse/IO-556 + - type: WEB + url: https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34@%3Cdev.myfaces.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19@%3Cdev.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e@%3Cpluto-scm.portals.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a@%3Cdev.creadur.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401@%3Cdev.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c@%3Cdev.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa@%3Cuser.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375@%3Cdev.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29@%3Cissues.zookeeper.apache.org%3E + database_specific: + cwe_ids: + - CWE-20 + - CWE-22 + github_reviewed: true + github_reviewed_at: "2021-04-26T15:21:31Z" + nvd_published_at: "2021-04-13T07:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-cgp8-4m63-fhh5 + modified: 2023-11-08T04:06:18.513983Z + published: 2022-12-03T15:30:26Z + aliases: + - CVE-2021-37533 + summary: Apache Commons Net 
vulnerable to information leakage via malicious server + details: | + Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. + The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711. + affected: + - package: + ecosystem: Maven + name: commons-net:commons-net + purl: pkg:maven/commons-net/commons-net + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.9.0 + versions: + - 1.0.0 + - 1.1.0 + - 1.2.0 + - 1.2.1 + - 1.2.2 + - 1.3.0 + - 1.4.0 + - 1.4.1 + - "2.0" + - "2.2" + - "3.0" + - 3.0.1 + - "3.1" + - "3.2" + - "3.3" + - "3.4" + - "3.5" + - "3.6" + - "3.7" + - 3.7.1 + - 3.7.2 + - 3.8.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-cgp8-4m63-fhh5/GHSA-cgp8-4m63-fhh5.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-37533 + - type: WEB + url: https://github.com/apache/commons-net/commit/4fe1bae56e53f32756b1ca3296f3dd2c45e3e060 + - type: PACKAGE + url: https://github.com/apache/commons-net + - type: WEB + url: https://issues.apache.org/jira/browse/NET-711 + - type: WEB + url: https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2022/12/msg00038.html + - type: WEB + url: https://www.debian.org/security/2022/dsa-5307 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2022/12/03/1 + database_specific: + cwe_ids: + - CWE-20 + github_reviewed: true + github_reviewed_at: "2022-12-05T23:21:08Z" + 
nvd_published_at: "2022-12-03T15:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-6pcc-3rfx-4gpm + modified: 2024-03-14T05:33:05.821277Z + published: 2018-10-16T17:01:25Z + aliases: + - CVE-2018-1000632 + summary: Dom4j contains a XML Injection vulnerability + details: |- + dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later. + + Note: This advisory applies to `dom4j:dom4j` version 1.x legacy artifacts. To resolve this a change to the latest version of `org.dom4j:dom4j` is recommended. + affected: + - package: + ecosystem: Maven + name: org.dom4j:dom4j + purl: pkg:maven/org.dom4j/dom4j + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.0.3 + versions: + - 2.0.0 + - 2.0.0-RC1 + - 2.0.1 + - 2.0.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6pcc-3rfx-4gpm/GHSA-6pcc-3rfx-4gpm.json + - package: + ecosystem: Maven + name: org.dom4j:dom4j + purl: pkg:maven/org.dom4j/dom4j + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.1.0 + - fixed: 2.1.1 + versions: + - 2.1.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6pcc-3rfx-4gpm/GHSA-6pcc-3rfx-4gpm.json + - package: + ecosystem: Maven + name: dom4j:dom4j + purl: pkg:maven/dom4j/dom4j + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 1.6.1 + versions: + - "1.1" + - "1.3" + - "1.4" + - 1.4-dev-2 + - 1.4-dev-3 + - 1.4-dev-4 + - 1.4-dev-5 + - 1.4-dev-6 + - 1.4-dev-7 + - 1.4-dev-8 + - "1.5" + - 1.5-beta-2 + - 1.5-rc1 + - 1.5.1 + - 1.5.2 + - "1.6" + - 1.6.1 + 
database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6pcc-3rfx-4gpm/GHSA-6pcc-3rfx-4gpm.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-1000632 + - type: WEB + url: https://github.com/dom4j/dom4j/issues/48 + - type: WEB + url: https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387 + - type: WEB + url: https://github.com/dom4j/dom4j/commit/c2a99d7dee8ce7a4e5bef134bb781a6672bd8a0f + - type: WEB + url: https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458@%3Cdev.maven.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce@%3Cdev.maven.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0@%3Ccommits.maven.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f@%3Cdev.maven.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOOVVCRQE6ATFD2JM2EMDXOQXTRIVZGP + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJULAHVR3I5SX7OSMXAG75IMNSAYOXGA + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190530-0001 + - type: WEB + url: 
https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html + - type: WEB + url: https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc@%3Ccommits.maven.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768@%3Cdev.maven.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74@%3Ccommits.maven.apache.org%3E + - type: WEB + url: https://ihacktoprotect.com/post/dom4j-xml-injection + - type: WEB + url: https://github.com/dom4j/dom4j + - type: ADVISORY + url: https://github.com/advisories/GHSA-6pcc-3rfx-4gpm + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3172 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1162 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1161 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1160 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1159 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0380 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0365 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0364 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0362 + database_specific: + cwe_ids: + - CWE-91 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:19:56Z" + nvd_published_at: "2018-08-20T19:31:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-hwj3-m3p6-hj38 + modified: 2024-03-08T05:17:29.315551Z + published: 2020-06-05T16:13:36Z + aliases: + - CVE-2020-10683 + summary: dom4j allows External Entities by default which might enable XXE attacks + details: |- + dom4j 
before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. + + Note: This advisory applies to `dom4j:dom4j` version 1.x legacy artifacts. To resolve this a change to the latest version of `org.dom4j:dom4j` is recommended. + affected: + - package: + ecosystem: Maven + name: org.dom4j:dom4j + purl: pkg:maven/org.dom4j/dom4j + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.0.3 + versions: + - 2.0.0 + - 2.0.0-RC1 + - 2.0.1 + - 2.0.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-hwj3-m3p6-hj38/GHSA-hwj3-m3p6-hj38.json + - package: + ecosystem: Maven + name: org.dom4j:dom4j + purl: pkg:maven/org.dom4j/dom4j + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.1.0 + - fixed: 2.1.3 + versions: + - 2.1.0 + - 2.1.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-hwj3-m3p6-hj38/GHSA-hwj3-m3p6-hj38.json + - package: + ecosystem: Maven + name: dom4j:dom4j + purl: pkg:maven/dom4j/dom4j + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 1.6.1 + versions: + - "1.1" + - "1.3" + - "1.4" + - 1.4-dev-2 + - 1.4-dev-3 + - 1.4-dev-4 + - 1.4-dev-5 + - 1.4-dev-6 + - 1.4-dev-7 + - 1.4-dev-8 + - "1.5" + - 1.5-beta-2 + - 1.5-rc1 + - 1.5.1 + - 1.5.2 + - "1.6" + - 1.6.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-hwj3-m3p6-hj38/GHSA-hwj3-m3p6-hj38.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-10683 + - type: WEB + url: https://github.com/dom4j/dom4j/issues/87 + - type: WEB + url: 
https://github.com/dom4j/dom4j/commit/1707bf3d898a8ada3b213acb0e3b38f16eaae73d + - type: WEB + url: https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://usn.ubuntu.com/4575-1 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200518-0002 + - type: WEB + url: https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32@%3Cdev.velocity.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8@%3Cdev.velocity.apache.org%3E + - type: WEB + url: https://github.com/dom4j/dom4j/releases/tag/version-2.1.3 + - type: WEB + url: https://github.com/dom4j/dom4j/commits/version-2.0.3 + - type: PACKAGE + url: https://github.com/dom4j/dom4j + - type: WEB + url: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=1694235 + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html + database_specific: + cwe_ids: + - CWE-611 + github_reviewed: true + github_reviewed_at: "2020-06-04T19:38:22Z" + nvd_published_at: 
"2020-05-01T19:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-2fqw-684c-pvp7 + modified: 2023-11-08T04:03:32.892349Z + published: 2021-12-17T20:40:50Z + aliases: + - CVE-2020-35213 + summary: An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false link event messages sent to a master ONOS node. + details: An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false link event messages sent to a master ONOS node. + affected: + - package: + ecosystem: Maven + name: io.atomix:atomix + purl: pkg:maven/io.atomix/atomix + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 3.1.5 + versions: + - 0.1.0-beta1 + - 0.1.0-beta2 + - 0.1.0-beta3 + - 0.1.0-beta4 + - 0.1.0-beta5 + - 1.0.0 + - 1.0.0-rc1 + - 1.0.0-rc2 + - 1.0.0-rc3 + - 1.0.0-rc4 + - 1.0.0-rc5 + - 1.0.0-rc6 + - 1.0.0-rc7 + - 1.0.0-rc8 + - 1.0.0-rc9 + - 1.0.1 + - 1.0.1-rc1 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.0.5 + - 1.0.6 + - 1.0.7 + - 1.0.8 + - 2.0.0 + - 2.0.0-alpha1 + - 2.0.0-raft-beta1 + - 2.0.0-raft-final + - 2.0.1 + - 2.0.10 + - 2.0.11 + - 2.0.12 + - 2.0.13 + - 2.0.14 + - 2.0.15 + - 2.0.16 + - 2.0.17 + - 2.0.18 + - 2.0.19 + - 2.0.2 + - 2.0.20 + - 2.0.21 + - 2.0.22 + - 2.0.23 + - 2.0.24 + - 2.0.25 + - 2.0.26 + - 2.0.27 + - 2.0.28 + - 2.0.29 + - 2.0.3 + - 2.0.30 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - 2.0.8 + - 2.0.9 + - 2.1.0-beta1 + - 2.1.0-beta2 + - 2.1.0-beta3 + - 3.0.0 + - 3.0.0-rc1 + - 3.0.0-rc10 + - 3.0.0-rc11 + - 3.0.0-rc12 + - 3.0.0-rc3 + - 3.0.0-rc4 + - 3.0.0-rc5 + - 3.0.0-rc6 + - 3.0.0-rc7 + - 3.0.0-rc8 + - 3.0.0-rc9 + - 3.0.1 + - 3.0.10 + - 3.0.11 + - 3.0.2 + - 3.0.3 + - 3.0.4 + - 3.0.5 + - 3.0.6 + - 3.0.7 + - 3.0.8 + - 3.0.9 + - 3.1.0 + - 3.1.0-beta1 + - 3.1.0-beta2 + - 3.1.0-beta3 + - 3.1.0-beta4 + - 3.1.0-rc1 + - 3.1.0-rc2 + - 3.1.1 + - 3.1.2 + - 3.1.3 + - 3.1.4 + - 3.1.5 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-2fqw-684c-pvp7/GHSA-2fqw-684c-pvp7.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-35213 + - type: WEB + url: https://docs.google.com/presentation/d/1i8tVVGE8z9Rtl9UTwktOJpkZwT4kBVLgIk307qMiw_8/edit?usp=sharing + - type: PACKAGE + url: https://github.com/atomix/atomix + database_specific: + cwe_ids: + - CWE-74 + github_reviewed: true + github_reviewed_at: "2021-12-17T18:42:16Z" + nvd_published_at: "2021-12-16T20:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-4jhc-wjr3-pwh2 + modified: 2023-11-08T04:03:32.831494Z + published: 2021-12-17T20:40:38Z + aliases: + - CVE-2020-35211 + summary: An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node. + details: An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node in a target cluster via manipulation of the variable terms in RaftContext. 
+ affected: + - package: + ecosystem: Maven + name: io.atomix:atomix + purl: pkg:maven/io.atomix/atomix + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 3.1.5 + versions: + - 0.1.0-beta1 + - 0.1.0-beta2 + - 0.1.0-beta3 + - 0.1.0-beta4 + - 0.1.0-beta5 + - 1.0.0 + - 1.0.0-rc1 + - 1.0.0-rc2 + - 1.0.0-rc3 + - 1.0.0-rc4 + - 1.0.0-rc5 + - 1.0.0-rc6 + - 1.0.0-rc7 + - 1.0.0-rc8 + - 1.0.0-rc9 + - 1.0.1 + - 1.0.1-rc1 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.0.5 + - 1.0.6 + - 1.0.7 + - 1.0.8 + - 2.0.0 + - 2.0.0-alpha1 + - 2.0.0-raft-beta1 + - 2.0.0-raft-final + - 2.0.1 + - 2.0.10 + - 2.0.11 + - 2.0.12 + - 2.0.13 + - 2.0.14 + - 2.0.15 + - 2.0.16 + - 2.0.17 + - 2.0.18 + - 2.0.19 + - 2.0.2 + - 2.0.20 + - 2.0.21 + - 2.0.22 + - 2.0.23 + - 2.0.24 + - 2.0.25 + - 2.0.26 + - 2.0.27 + - 2.0.28 + - 2.0.29 + - 2.0.3 + - 2.0.30 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - 2.0.8 + - 2.0.9 + - 2.1.0-beta1 + - 2.1.0-beta2 + - 2.1.0-beta3 + - 3.0.0 + - 3.0.0-rc1 + - 3.0.0-rc10 + - 3.0.0-rc11 + - 3.0.0-rc12 + - 3.0.0-rc3 + - 3.0.0-rc4 + - 3.0.0-rc5 + - 3.0.0-rc6 + - 3.0.0-rc7 + - 3.0.0-rc8 + - 3.0.0-rc9 + - 3.0.1 + - 3.0.10 + - 3.0.11 + - 3.0.2 + - 3.0.3 + - 3.0.4 + - 3.0.5 + - 3.0.6 + - 3.0.7 + - 3.0.8 + - 3.0.9 + - 3.1.0 + - 3.1.0-beta1 + - 3.1.0-beta2 + - 3.1.0-beta3 + - 3.1.0-beta4 + - 3.1.0-rc1 + - 3.1.0-rc2 + - 3.1.1 + - 3.1.2 + - 3.1.3 + - 3.1.4 + - 3.1.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-4jhc-wjr3-pwh2/GHSA-4jhc-wjr3-pwh2.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-35211 + - type: WEB + url: https://docs.google.com/presentation/d/1C_IpRfSU-9FMezcHCFZ-qg-15JO-W36yvqcnzI8sQs8/edit?usp=sharing + - type: PACKAGE + url: https://github.com/atomix/atomix + database_specific: + cwe_ids: [] + github_reviewed: true + github_reviewed_at: 
"2021-12-17T18:48:40Z" + nvd_published_at: "2021-12-16T20:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-6vvh-5794-vpmj + modified: 2023-11-08T04:03:33.073526Z + published: 2021-12-17T20:40:58Z + aliases: + - CVE-2020-35216 + summary: An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false member down event messages. + details: An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false member down event messages. + affected: + - package: + ecosystem: Maven + name: io.atomix:atomix + purl: pkg:maven/io.atomix/atomix + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 3.1.5 + versions: + - 0.1.0-beta1 + - 0.1.0-beta2 + - 0.1.0-beta3 + - 0.1.0-beta4 + - 0.1.0-beta5 + - 1.0.0 + - 1.0.0-rc1 + - 1.0.0-rc2 + - 1.0.0-rc3 + - 1.0.0-rc4 + - 1.0.0-rc5 + - 1.0.0-rc6 + - 1.0.0-rc7 + - 1.0.0-rc8 + - 1.0.0-rc9 + - 1.0.1 + - 1.0.1-rc1 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.0.5 + - 1.0.6 + - 1.0.7 + - 1.0.8 + - 2.0.0 + - 2.0.0-alpha1 + - 2.0.0-raft-beta1 + - 2.0.0-raft-final + - 2.0.1 + - 2.0.10 + - 2.0.11 + - 2.0.12 + - 2.0.13 + - 2.0.14 + - 2.0.15 + - 2.0.16 + - 2.0.17 + - 2.0.18 + - 2.0.19 + - 2.0.2 + - 2.0.20 + - 2.0.21 + - 2.0.22 + - 2.0.23 + - 2.0.24 + - 2.0.25 + - 2.0.26 + - 2.0.27 + - 2.0.28 + - 2.0.29 + - 2.0.3 + - 2.0.30 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - 2.0.8 + - 2.0.9 + - 2.1.0-beta1 + - 2.1.0-beta2 + - 2.1.0-beta3 + - 3.0.0 + - 3.0.0-rc1 + - 3.0.0-rc10 + - 3.0.0-rc11 + - 3.0.0-rc12 + - 3.0.0-rc3 + - 3.0.0-rc4 + - 3.0.0-rc5 + - 3.0.0-rc6 + - 3.0.0-rc7 + - 3.0.0-rc8 + - 3.0.0-rc9 + - 3.0.1 + - 3.0.10 + - 3.0.11 + - 3.0.2 + - 3.0.3 + - 3.0.4 + - 3.0.5 + - 3.0.6 + - 3.0.7 + - 3.0.8 + - 3.0.9 + - 3.1.0 + - 3.1.0-beta1 + - 3.1.0-beta2 + - 3.1.0-beta3 + - 3.1.0-beta4 + - 3.1.0-rc1 + - 3.1.0-rc2 + - 3.1.1 + - 3.1.2 + - 3.1.3 + - 3.1.4 + - 3.1.5 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-6vvh-5794-vpmj/GHSA-6vvh-5794-vpmj.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-35216 + - type: WEB + url: https://docs.google.com/presentation/d/1woXwR3vciv7ltFan6LyK5vsWXmaUi8ArZonhk80Gr5U/edit?usp=sharing + - type: PACKAGE + url: https://github.com/atomix/atomix + database_specific: + cwe_ids: + - CWE-362 + github_reviewed: true + github_reviewed_at: "2021-12-17T15:12:52Z" + nvd_published_at: "2021-12-16T20:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-7fr2-94h7-ccg2 + modified: 2023-11-08T04:03:32.704475Z + published: 2021-12-17T20:41:33Z + aliases: + - CVE-2020-35209 + summary: An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to join a target cluster via providing configuration information. + details: An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to join a target cluster via providing configuration information. 
+ affected: + - package: + ecosystem: Maven + name: io.atomix:atomix + purl: pkg:maven/io.atomix/atomix + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 3.1.5 + versions: + - 0.1.0-beta1 + - 0.1.0-beta2 + - 0.1.0-beta3 + - 0.1.0-beta4 + - 0.1.0-beta5 + - 1.0.0 + - 1.0.0-rc1 + - 1.0.0-rc2 + - 1.0.0-rc3 + - 1.0.0-rc4 + - 1.0.0-rc5 + - 1.0.0-rc6 + - 1.0.0-rc7 + - 1.0.0-rc8 + - 1.0.0-rc9 + - 1.0.1 + - 1.0.1-rc1 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.0.5 + - 1.0.6 + - 1.0.7 + - 1.0.8 + - 2.0.0 + - 2.0.0-alpha1 + - 2.0.0-raft-beta1 + - 2.0.0-raft-final + - 2.0.1 + - 2.0.10 + - 2.0.11 + - 2.0.12 + - 2.0.13 + - 2.0.14 + - 2.0.15 + - 2.0.16 + - 2.0.17 + - 2.0.18 + - 2.0.19 + - 2.0.2 + - 2.0.20 + - 2.0.21 + - 2.0.22 + - 2.0.23 + - 2.0.24 + - 2.0.25 + - 2.0.26 + - 2.0.27 + - 2.0.28 + - 2.0.29 + - 2.0.3 + - 2.0.30 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - 2.0.8 + - 2.0.9 + - 2.1.0-beta1 + - 2.1.0-beta2 + - 2.1.0-beta3 + - 3.0.0 + - 3.0.0-rc1 + - 3.0.0-rc10 + - 3.0.0-rc11 + - 3.0.0-rc12 + - 3.0.0-rc3 + - 3.0.0-rc4 + - 3.0.0-rc5 + - 3.0.0-rc6 + - 3.0.0-rc7 + - 3.0.0-rc8 + - 3.0.0-rc9 + - 3.0.1 + - 3.0.10 + - 3.0.11 + - 3.0.2 + - 3.0.3 + - 3.0.4 + - 3.0.5 + - 3.0.6 + - 3.0.7 + - 3.0.8 + - 3.0.9 + - 3.1.0 + - 3.1.0-beta1 + - 3.1.0-beta2 + - 3.1.0-beta3 + - 3.1.0-beta4 + - 3.1.0-rc1 + - 3.1.0-rc2 + - 3.1.1 + - 3.1.2 + - 3.1.3 + - 3.1.4 + - 3.1.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-7fr2-94h7-ccg2/GHSA-7fr2-94h7-ccg2.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-35209 + - type: WEB + url: https://docs.google.com/presentation/d/1W5KU7ffh4dheR8iD54ulABImi6byAhSI-OhEKw2adRo/edit?usp=sharing + - type: PACKAGE + url: https://github.com/atomix/atomix + database_specific: + cwe_ids: [] + github_reviewed: true + github_reviewed_at: 
"2021-12-17T18:40:51Z" + nvd_published_at: "2021-12-16T20:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-g7p8-r2ch-4rmf + modified: 2023-11-08T04:03:33.012848Z + published: 2021-12-17T20:41:45Z + aliases: + - CVE-2020-35215 + summary: Malicious Atomix node queries expose sensitive information + details: An issue in Atomix v3.1.5 allows attackers to access sensitive information when a malicious Atomix node queries distributed variable primitives which contain the entire primitive lists that ONOS nodes use to share important states. + affected: + - package: + ecosystem: Maven + name: io.atomix:atomix + purl: pkg:maven/io.atomix/atomix + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 3.1.5 + versions: + - 0.1.0-beta1 + - 0.1.0-beta2 + - 0.1.0-beta3 + - 0.1.0-beta4 + - 0.1.0-beta5 + - 1.0.0 + - 1.0.0-rc1 + - 1.0.0-rc2 + - 1.0.0-rc3 + - 1.0.0-rc4 + - 1.0.0-rc5 + - 1.0.0-rc6 + - 1.0.0-rc7 + - 1.0.0-rc8 + - 1.0.0-rc9 + - 1.0.1 + - 1.0.1-rc1 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.0.5 + - 1.0.6 + - 1.0.7 + - 1.0.8 + - 2.0.0 + - 2.0.0-alpha1 + - 2.0.0-raft-beta1 + - 2.0.0-raft-final + - 2.0.1 + - 2.0.10 + - 2.0.11 + - 2.0.12 + - 2.0.13 + - 2.0.14 + - 2.0.15 + - 2.0.16 + - 2.0.17 + - 2.0.18 + - 2.0.19 + - 2.0.2 + - 2.0.20 + - 2.0.21 + - 2.0.22 + - 2.0.23 + - 2.0.24 + - 2.0.25 + - 2.0.26 + - 2.0.27 + - 2.0.28 + - 2.0.29 + - 2.0.3 + - 2.0.30 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - 2.0.8 + - 2.0.9 + - 2.1.0-beta1 + - 2.1.0-beta2 + - 2.1.0-beta3 + - 3.0.0 + - 3.0.0-rc1 + - 3.0.0-rc10 + - 3.0.0-rc11 + - 3.0.0-rc12 + - 3.0.0-rc3 + - 3.0.0-rc4 + - 3.0.0-rc5 + - 3.0.0-rc6 + - 3.0.0-rc7 + - 3.0.0-rc8 + - 3.0.0-rc9 + - 3.0.1 + - 3.0.10 + - 3.0.11 + - 3.0.2 + - 3.0.3 + - 3.0.4 + - 3.0.5 + - 3.0.6 + - 3.0.7 + - 3.0.8 + - 3.0.9 + - 3.1.0 + - 3.1.0-beta1 + - 3.1.0-beta2 + - 3.1.0-beta3 + - 3.1.0-beta4 + - 3.1.0-rc1 + - 3.1.0-rc2 + - 3.1.1 + - 3.1.2 + - 3.1.3 + - 3.1.4 + - 3.1.5 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-g7p8-r2ch-4rmf/GHSA-g7p8-r2ch-4rmf.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-35215 + - type: WEB + url: https://docs.google.com/presentation/d/1pRRLfdSUqUZ688CZ9e9AyceuXPGp9oyGj7j4bdSsBcw/edit?usp=sharing + - type: PACKAGE + url: https://github.com/atomix/atomix + database_specific: + cwe_ids: + - CWE-668 + github_reviewed: true + github_reviewed_at: "2021-12-17T19:00:58Z" + nvd_published_at: "2021-12-16T20:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-m4h3-7mc2-v295 + modified: 2023-11-08T04:03:32.952486Z + published: 2021-12-17T20:41:21Z + aliases: + - CVE-2020-35214 + summary: An issue in Atomix v3.1.5 allows a malicious Atomix node to remove states of ONOS storage via abuse of primitive operations. + details: An issue in Atomix v3.1.5 allows a malicious Atomix node to remove states of ONOS storage via abuse of primitive operations. 
+ affected: + - package: + ecosystem: Maven + name: io.atomix:atomix + purl: pkg:maven/io.atomix/atomix + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 3.1.5 + versions: + - 0.1.0-beta1 + - 0.1.0-beta2 + - 0.1.0-beta3 + - 0.1.0-beta4 + - 0.1.0-beta5 + - 1.0.0 + - 1.0.0-rc1 + - 1.0.0-rc2 + - 1.0.0-rc3 + - 1.0.0-rc4 + - 1.0.0-rc5 + - 1.0.0-rc6 + - 1.0.0-rc7 + - 1.0.0-rc8 + - 1.0.0-rc9 + - 1.0.1 + - 1.0.1-rc1 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.0.5 + - 1.0.6 + - 1.0.7 + - 1.0.8 + - 2.0.0 + - 2.0.0-alpha1 + - 2.0.0-raft-beta1 + - 2.0.0-raft-final + - 2.0.1 + - 2.0.10 + - 2.0.11 + - 2.0.12 + - 2.0.13 + - 2.0.14 + - 2.0.15 + - 2.0.16 + - 2.0.17 + - 2.0.18 + - 2.0.19 + - 2.0.2 + - 2.0.20 + - 2.0.21 + - 2.0.22 + - 2.0.23 + - 2.0.24 + - 2.0.25 + - 2.0.26 + - 2.0.27 + - 2.0.28 + - 2.0.29 + - 2.0.3 + - 2.0.30 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - 2.0.8 + - 2.0.9 + - 2.1.0-beta1 + - 2.1.0-beta2 + - 2.1.0-beta3 + - 3.0.0 + - 3.0.0-rc1 + - 3.0.0-rc10 + - 3.0.0-rc11 + - 3.0.0-rc12 + - 3.0.0-rc3 + - 3.0.0-rc4 + - 3.0.0-rc5 + - 3.0.0-rc6 + - 3.0.0-rc7 + - 3.0.0-rc8 + - 3.0.0-rc9 + - 3.0.1 + - 3.0.10 + - 3.0.11 + - 3.0.2 + - 3.0.3 + - 3.0.4 + - 3.0.5 + - 3.0.6 + - 3.0.7 + - 3.0.8 + - 3.0.9 + - 3.1.0 + - 3.1.0-beta1 + - 3.1.0-beta2 + - 3.1.0-beta3 + - 3.1.0-beta4 + - 3.1.0-rc1 + - 3.1.0-rc2 + - 3.1.1 + - 3.1.2 + - 3.1.3 + - 3.1.4 + - 3.1.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-m4h3-7mc2-v295/GHSA-m4h3-7mc2-v295.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-35214 + - type: WEB + url: https://docs.google.com/presentation/d/1wJi4QJko5ZCdADuzmAG9ed-nQLyJVkLBJf6cylAL71A/edit?usp=sharing + - type: PACKAGE + url: https://github.com/atomix/atomix + database_specific: + cwe_ids: [] + github_reviewed: true + github_reviewed_at: 
"2021-12-17T19:11:26Z" + nvd_published_at: "2021-12-16T20:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-mf27-wg66-m8f5 + modified: 2023-11-08T04:03:32.770438Z + published: 2021-12-17T20:41:09Z + aliases: + - CVE-2020-35210 + summary: A vulnerability in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via a Raft session flooding attack using Raft OpenSessionRequest messages. + details: A vulnerability in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via a Raft session flooding attack using Raft OpenSessionRequest messages. + affected: + - package: + ecosystem: Maven + name: io.atomix:atomix + purl: pkg:maven/io.atomix/atomix + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 3.1.5 + versions: + - 0.1.0-beta1 + - 0.1.0-beta2 + - 0.1.0-beta3 + - 0.1.0-beta4 + - 0.1.0-beta5 + - 1.0.0 + - 1.0.0-rc1 + - 1.0.0-rc2 + - 1.0.0-rc3 + - 1.0.0-rc4 + - 1.0.0-rc5 + - 1.0.0-rc6 + - 1.0.0-rc7 + - 1.0.0-rc8 + - 1.0.0-rc9 + - 1.0.1 + - 1.0.1-rc1 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.0.5 + - 1.0.6 + - 1.0.7 + - 1.0.8 + - 2.0.0 + - 2.0.0-alpha1 + - 2.0.0-raft-beta1 + - 2.0.0-raft-final + - 2.0.1 + - 2.0.10 + - 2.0.11 + - 2.0.12 + - 2.0.13 + - 2.0.14 + - 2.0.15 + - 2.0.16 + - 2.0.17 + - 2.0.18 + - 2.0.19 + - 2.0.2 + - 2.0.20 + - 2.0.21 + - 2.0.22 + - 2.0.23 + - 2.0.24 + - 2.0.25 + - 2.0.26 + - 2.0.27 + - 2.0.28 + - 2.0.29 + - 2.0.3 + - 2.0.30 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - 2.0.8 + - 2.0.9 + - 2.1.0-beta1 + - 2.1.0-beta2 + - 2.1.0-beta3 + - 3.0.0 + - 3.0.0-rc1 + - 3.0.0-rc10 + - 3.0.0-rc11 + - 3.0.0-rc12 + - 3.0.0-rc3 + - 3.0.0-rc4 + - 3.0.0-rc5 + - 3.0.0-rc6 + - 3.0.0-rc7 + - 3.0.0-rc8 + - 3.0.0-rc9 + - 3.0.1 + - 3.0.10 + - 3.0.11 + - 3.0.2 + - 3.0.3 + - 3.0.4 + - 3.0.5 + - 3.0.6 + - 3.0.7 + - 3.0.8 + - 3.0.9 + - 3.1.0 + - 3.1.0-beta1 + - 3.1.0-beta2 + - 3.1.0-beta3 + - 3.1.0-beta4 + - 3.1.0-rc1 + - 3.1.0-rc2 + - 3.1.1 + - 3.1.2 + - 3.1.3 + - 3.1.4 + - 3.1.5 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-mf27-wg66-m8f5/GHSA-mf27-wg66-m8f5.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-35210 + - type: WEB + url: https://docs.google.com/presentation/d/1eZznIciFI06_5UJrXvlLugH2-nmjfYpQO5NyNMc9RxU/edit?usp=sharing + - type: PACKAGE + url: https://github.com/atomix/atomix + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + github_reviewed_at: "2021-12-17T17:20:09Z" + nvd_published_at: "2021-12-16T20:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-v2xm-76pq-phcf + modified: 2024-06-25T02:34:01.955562Z + published: 2024-06-21T06:31:12Z + aliases: + - CVE-2021-47621 + summary: ClassGraph XML External Entity Reference + details: ClassGraph before 4.8.112 was not resistant to XML eXternal Entity (XXE) attacks. + affected: + - package: + ecosystem: Maven + name: io.github.classgraph:classgraph + purl: pkg:maven/io.github.classgraph/classgraph + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 4.8.112 + versions: + - 4.0.0 + - 4.0.0-beta-11 + - 4.0.0-beta-12 + - 4.0.1 + - 4.0.2 + - 4.0.3 + - 4.0.4 + - 4.0.5 + - 4.0.6 + - 4.0.7 + - 4.1.0 + - 4.1.1 + - 4.1.2 + - 4.1.3 + - 4.1.4 + - 4.1.5 + - 4.1.6 + - 4.1.7 + - 4.2.0 + - 4.2.1 + - 4.2.10 + - 4.2.11 + - 4.2.12 + - 4.2.2 + - 4.2.3 + - 4.2.4 + - 4.2.5 + - 4.2.6 + - 4.2.7 + - 4.2.8 + - 4.2.9 + - 4.3.0 + - 4.3.1 + - 4.4.0 + - 4.4.1 + - 4.4.10 + - 4.4.11 + - 4.4.12 + - 4.4.2 + - 4.4.3 + - 4.4.4 + - 4.4.5 + - 4.4.6 + - 4.4.7 + - 4.4.8 + - 4.4.9 + - 4.6.0 + - 4.6.1 + - 4.6.10 + - 4.6.11 + - 4.6.12 + - 4.6.13 + - 4.6.14 + - 4.6.15 + - 4.6.16 + - 4.6.17 + - 4.6.18 + - 4.6.19 + - 4.6.2 + - 4.6.20 + - 4.6.21 + - 4.6.22 + - 4.6.23 + - 4.6.24 + - 4.6.25 + - 4.6.26 + - 4.6.27 + - 4.6.28 + - 4.6.29 + - 4.6.3 + - 4.6.30 + - 4.6.31 + - 4.6.32 + - 4.6.4 + - 4.6.5 + - 4.6.6 + - 
4.6.7 + - 4.6.8 + - 4.6.9 + - 4.8.0 + - 4.8.1 + - 4.8.10 + - 4.8.100 + - 4.8.101 + - 4.8.102 + - 4.8.103 + - 4.8.104 + - 4.8.105 + - 4.8.106 + - 4.8.107 + - 4.8.108 + - 4.8.109 + - 4.8.11 + - 4.8.110 + - 4.8.111 + - 4.8.12 + - 4.8.13 + - 4.8.14 + - 4.8.15 + - 4.8.16 + - 4.8.17 + - 4.8.19 + - 4.8.2 + - 4.8.20 + - 4.8.21 + - 4.8.22 + - 4.8.23 + - 4.8.24 + - 4.8.25 + - 4.8.26 + - 4.8.27 + - 4.8.28 + - 4.8.29 + - 4.8.3 + - 4.8.30 + - 4.8.31 + - 4.8.32 + - 4.8.33 + - 4.8.34 + - 4.8.35 + - 4.8.36 + - 4.8.37 + - 4.8.38 + - 4.8.39 + - 4.8.4 + - 4.8.40 + - 4.8.41 + - 4.8.42 + - 4.8.43 + - 4.8.44 + - 4.8.45 + - 4.8.46 + - 4.8.47 + - 4.8.48 + - 4.8.49 + - 4.8.5 + - 4.8.50 + - 4.8.51 + - 4.8.52 + - 4.8.53 + - 4.8.54 + - 4.8.55 + - 4.8.56 + - 4.8.57 + - 4.8.58 + - 4.8.59 + - 4.8.6 + - 4.8.60 + - 4.8.61 + - 4.8.62 + - 4.8.63 + - 4.8.64 + - 4.8.65 + - 4.8.66 + - 4.8.67 + - 4.8.68 + - 4.8.69 + - 4.8.7 + - 4.8.70 + - 4.8.71 + - 4.8.72 + - 4.8.73 + - 4.8.74 + - 4.8.75 + - 4.8.76 + - 4.8.77 + - 4.8.78 + - 4.8.79 + - 4.8.8 + - 4.8.80 + - 4.8.81 + - 4.8.82 + - 4.8.83 + - 4.8.84 + - 4.8.85 + - 4.8.86 + - 4.8.87 + - 4.8.88 + - 4.8.89 + - 4.8.9 + - 4.8.90 + - 4.8.91 + - 4.8.92 + - 4.8.93 + - 4.8.94 + - 4.8.95 + - 4.8.96 + - 4.8.97 + - 4.8.98 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-v2xm-76pq-phcf/GHSA-v2xm-76pq-phcf.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N + - type: CVSS_V4 + score: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-47621 + - type: WEB + url: https://github.com/classgraph/classgraph/pull/539 + - type: WEB + url: https://github.com/classgraph/classgraph/commit/681362ad6b0b9d9abaffb2e07099ce54d7a41fa3 + - type: WEB + url: https://docs.r3.com/en/platform/corda/4.8/enterprise/release-notes-enterprise.html + - type: PACKAGE + url: 
https://github.com/classgraph/classgraph + - type: WEB + url: https://github.com/classgraph/classgraph/releases/tag/classgraph-4.8.112 + database_specific: + cwe_ids: + - CWE-611 + github_reviewed: true + github_reviewed_at: "2024-06-21T15:06:26Z" + nvd_published_at: "2024-06-21T06:15:10Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-5mcr-gq6c-3hq2 + modified: 2024-03-11T05:19:48.200129Z + published: 2021-02-08T21:17:48Z + aliases: + - CVE-2021-21290 + - CVE-2022-24823 + - GHSA-269q-hmxg-m83q + summary: Local Information Disclosure Vulnerability in Netty on Unix-Like systems + details: "### Impact\n\nWhen netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled.\n\nThe CVSSv3.1 score of this vulnerability is calculated to be a [6.2/10](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N&version=3.1)\n\n### Vulnerability Details\n\nOn unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems.\n\nThe method `File.createTempFile` on unix-like systems creates a random file, but, by default will create this file with the permissions `-rw-r--r--`. 
Thus, if sensitive information is written to this file, other local users can read this information.\n\nThis is the case in netty's `AbstractDiskHttpData` is vulnerable.\n\nhttps://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java#L80-L101\n\n`AbstractDiskHttpData` is used as a part of the `DefaultHttpDataFactory` class which is used by `HttpPostRequestDecoder` / `HttpPostMultiPartRequestDecoder`.\n\nYou may be affected by this vulnerability your project contains the following code patterns:\n\n```java\nchannelPipeline.addLast(new HttpPostRequestDecoder(...));\n```\n\n```java\nchannelPipeline.addLast(new HttpPostMultiPartRequestDecoder(...));\n```\n\n### Patches\n\nThis has been patched in version `4.1.59.Final`.\n\n### Workarounds\n\nSpecify your own `java.io.tmpdir` when you start the JVM or use `DefaultHttpDataFactory.setBaseDir(...)` to set the directory to something that is only readable by the current user.\n\n### References\n\n - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\n\n### Similar Vulnerabilities\n\nSimilar, but not the same.\n\n - JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\n - Google Guava - https://github.com/google/guava/issues/4011\n - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945\n - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [netty](https://github.com/netty/netty)\n* Email us [here](mailto:netty-security@googlegroups.com)\n\n### Original Report\n\n> Hi Netty Security Team,\n> \n> I've been working on some security research leveraging custom CodeQL 
queries to detect local information disclosure vulnerabilities in java applications. This was the result from running this query against the netty project:\n> https://lgtm.com/query/7723301787255288599/\n> \n> Netty contains three local information disclosure vulnerabilities, so far as I can tell.\n> \n> One is here, where the private key for the certificate is written to a temporary file.\n> \n> https://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java#L316-L346\n> \n> One is here, where the certificate is written to a temporary file.\n> \n> https://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java#L348-L371\n> \n> The final one is here, where the 'AbstractDiskHttpData' creates a temporary file if the getBaseDirectory() method returns null. I believe that 'AbstractDiskHttpData' is used as a part of the file upload support? If this is the case, any files uploaded would be similarly vulnerable.\n> \n> https://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java#L91\n> \n> All of these vulnerabilities exist because `File.createTempFile(String, String)` will create a temporary file in the system temporary directory if the 'java.io.tmpdir' system property is not explicitly set. It is my understanding that when java creates a file, by default, and using this method, the permissions on that file utilize the umask. In a majority of cases, this means that the file that java creates has the permissions: `-rw-r--r--`, thus, any other local user on that system can read the contents of that file.\n> \n> Impacted OS:\n> - Any OS where the system temporary directory is shared between multiple users. 
This is not the case for MacOS or Windows.\n> \n> Mitigation.\n> \n> Moving to the `Files` API instead will fix this vulnerability. \n> https://docs.oracle.com/javase/8/docs/api/java/nio/file/Files.html#createTempFile-java.nio.file.Path-java.lang.String-java.lang.String-java.nio.file.attribute.FileAttribute...-\n> \n> This API will explicitly set the posix file permissions to something safe, by default.\n> \n> I recently disclosed a similar vulnerability in JUnit 4:\n> https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\n> \n> If you're also curious, this vulnerability in Jetty was also mine, also involving temporary directories, but is not the same vulnerability as in this case.\n> https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6\n> \n> I would appreciate it if we could perform disclosure of this vulnerability leveraging the GitHub security advisories feature here. GitHub has a nice credit system that I appreciate, plus the disclosures, as you can see from the sampling above, end up looking very nice.\n> https://github.com/netty/netty/security/advisories\n> \n> This vulnerability disclosure follows Google's [90-day vulnerability disclosure policy](https://www.google.com/about/appsecurity/) (I'm not an employee of Google, I just like their policy). 
Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first.\n> \n> Cheers,\n> Jonathan Leitschuh" + affected: + - package: + ecosystem: Maven + name: io.netty:netty-codec-http + purl: pkg:maven/io.netty/netty-codec-http + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0 + - fixed: 4.1.59.Final + versions: + - 4.0.0.Final + - 4.0.1.Final + - 4.0.10.Final + - 4.0.11.Final + - 4.0.12.Final + - 4.0.13.Final + - 4.0.14.Beta1 + - 4.0.14.Final + - 4.0.15.Final + - 4.0.16.Final + - 4.0.17.Final + - 4.0.18.Final + - 4.0.19.Final + - 4.0.2.Final + - 4.0.20.Final + - 4.0.21.Final + - 4.0.22.Final + - 4.0.23.Final + - 4.0.24.Final + - 4.0.25.Final + - 4.0.26.Final + - 4.0.27.Final + - 4.0.28.Final + - 4.0.29.Final + - 4.0.3.Final + - 4.0.30.Final + - 4.0.31.Final + - 4.0.32.Final + - 4.0.33.Final + - 4.0.34.Final + - 4.0.35.Final + - 4.0.36.Final + - 4.0.37.Final + - 4.0.38.Final + - 4.0.39.Final + - 4.0.4.Final + - 4.0.40.Final + - 4.0.41.Final + - 4.0.42.Final + - 4.0.43.Final + - 4.0.44.Final + - 4.0.45.Final + - 4.0.46.Final + - 4.0.47.Final + - 4.0.48.Final + - 4.0.49.Final + - 4.0.5.Final + - 4.0.50.Final + - 4.0.51.Final + - 4.0.52.Final + - 4.0.53.Final + - 4.0.54.Final + - 4.0.55.Final + - 4.0.56.Final + - 4.0.6.Final + - 4.0.7.Final + - 4.0.8.Final + - 4.0.9.Final + - 4.1.0.Beta1 + - 4.1.0.Beta2 + - 4.1.0.Beta3 + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 
4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + - 4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.44.Final + - 4.1.45.Final + - 4.1.46.Final + - 4.1.47.Final + - 4.1.48.Final + - 4.1.49.Final + - 4.1.5.Final + - 4.1.50.Final + - 4.1.51.Final + - 4.1.52.Final + - 4.1.53.Final + - 4.1.54.Final + - 4.1.55.Final + - 4.1.56.Final + - 4.1.57.Final + - 4.1.58.Final + - 4.1.6.Final + - 4.1.7.Final + - 4.1.8.Final + - 4.1.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-5mcr-gq6c-3hq2/GHSA-5mcr-gq6c-3hq2.json + - package: + ecosystem: Maven + name: org.jboss.netty:netty + purl: pkg:maven/org.jboss.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.0.0.CR1 + - 3.0.0.CR2 + - 3.0.0.CR3 + - 3.0.0.CR4 + - 3.0.0.CR5 + - 3.0.0.GA + - 3.0.1.GA + - 3.0.2.GA + - 3.1.0.ALPHA1 + - 3.1.0.ALPHA2 + - 3.1.0.ALPHA3 + - 3.1.0.ALPHA4 + - 3.1.0.BETA1 + - 3.1.0.BETA2 + - 3.1.0.BETA3 + - 3.1.0.CR1 + - 3.1.0.GA + - 3.1.1.GA + - 3.1.2.GA + - 3.1.3.GA + - 3.1.4.GA + - 3.1.5.GA + - 3.2.0.ALPHA1 + - 3.2.0.ALPHA2 + - 3.2.0.ALPHA3 + - 3.2.0.ALPHA4 + - 3.2.0.BETA1 + - 3.2.0.CR1 + - 3.2.0.Final + - 3.2.1.Final + - 3.2.10.Final + - 3.2.2.Final + - 3.2.3.Final + - 3.2.4.Final + - 3.2.5.Final + - 3.2.6.Final + - 3.2.7.Final + - 3.2.8.Final + - 3.2.9.Final + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-5mcr-gq6c-3hq2/GHSA-5mcr-gq6c-3hq2.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.10.0.Final + - 3.10.1.Final + - 3.10.2.Final + - 3.10.3.Final + - 3.10.4.Final + - 
3.10.5.Final + - 3.10.6.Final + - 3.3.0.Final + - 3.3.1.Final + - 3.4.0.Alpha1 + - 3.4.0.Alpha2 + - 3.4.0.Beta1 + - 3.4.0.Final + - 3.4.1.Final + - 3.4.2.Final + - 3.4.3.Final + - 3.4.4.Final + - 3.4.5.Final + - 3.4.6.Final + - 3.5.0.Beta1 + - 3.5.0.Final + - 3.5.1.Final + - 3.5.10.Final + - 3.5.11.Final + - 3.5.12.Final + - 3.5.13.Final + - 3.5.2.Final + - 3.5.3.Final + - 3.5.4.Final + - 3.5.5.Final + - 3.5.6.Final + - 3.5.7.Final + - 3.5.8.Final + - 3.5.9.Final + - 3.6.0.Beta1 + - 3.6.0.Final + - 3.6.1.Final + - 3.6.10.Final + - 3.6.2.Final + - 3.6.3.Final + - 3.6.4.Final + - 3.6.5.Final + - 3.6.6.Final + - 3.6.7.Final + - 3.6.8.Final + - 3.6.9.Final + - 3.7.0.Final + - 3.7.1.Final + - 3.8.0.Final + - 3.8.1.Final + - 3.8.2.Final + - 3.8.3.Final + - 3.9.0.Final + - 3.9.1.1.Final + - 3.9.1.Final + - 3.9.2.Final + - 3.9.3.Final + - 3.9.4.Final + - 3.9.5.Final + - 3.9.6.Final + - 3.9.7.Final + - 3.9.8.Final + - 3.9.9.Final + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-5mcr-gq6c-3hq2/GHSA-5mcr-gq6c-3hq2.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: WEB + url: https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2 + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-21290 + - type: WEB + url: https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E + - 
type: WEB + url: https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220210-0011 + - type: WEB + url: https://www.debian.org/security/2021/dsa-4885 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05@%3Cdev.kafka.apache.org%3E + - 
type: WEB + url: https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020@%3Cdev.tinkerpop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29@%3Cusers.activemq.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214@%3Ccommits.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f@%3Ccommits.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E + database_specific: + cwe_ids: + - CWE-378 + - CWE-379 + - CWE-668 + github_reviewed: true + github_reviewed_at: "2021-02-08T20:07:45Z" + nvd_published_at: "2021-02-08T20:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-7vpq-g998-qpv7 + modified: 2024-04-16T16:16:02.819787Z + published: 2022-05-13T01:54:02Z + aliases: + - CVE-2014-0193 + summary: Netty denial of service vulnerability + details: '`WebSocket08FrameDecoder` in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a `TextWebSocketFrame` followed by a long stream of `ContinuationWebSocketFrames`.' 
+ affected: + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.6.0.Beta1 + - fixed: 3.6.9.Final + versions: + - 3.6.0.Beta1 + - 3.6.0.Final + - 3.6.1.Final + - 3.6.2.Final + - 3.6.3.Final + - 3.6.4.Final + - 3.6.5.Final + - 3.6.6.Final + - 3.6.7.Final + - 3.6.8.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.7.0.Final + - fixed: 3.7.1.Final + versions: + - 3.7.0.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.8.0.Final + - fixed: 3.8.2.Final + versions: + - 3.8.0.Final + - 3.8.1.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.9.0.Final + - fixed: 3.9.1.Final + versions: + - 3.9.0.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0.Alpha1 + - fixed: 4.0.19.Final + versions: + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + 
database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json + - package: + ecosystem: Maven + name: io.netty:netty-all + purl: pkg:maven/io.netty/netty-all + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0.Alpha1 + - fixed: 4.0.19.Final + versions: + - 4.0.0.Beta1 + - 4.0.0.Beta2 + - 4.0.0.Beta3 + - 4.0.0.CR1 + - 4.0.0.CR2 + - 4.0.0.CR3 + - 4.0.0.CR4 + - 4.0.0.CR5 + - 4.0.0.CR6 + - 4.0.0.CR7 + - 4.0.0.CR8 + - 4.0.0.CR9 + - 4.0.0.Final + - 4.0.1.Final + - 4.0.10.Final + - 4.0.11.Final + - 4.0.12.Final + - 4.0.13.Final + - 4.0.14.Beta1 + - 4.0.14.Final + - 4.0.15.Final + - 4.0.16.Final + - 4.0.17.Final + - 4.0.18.Final + - 4.0.2.Final + - 4.0.3.Final + - 4.0.4.Final + - 4.0.5.Final + - 4.0.6.Final + - 4.0.7.Final + - 4.0.8.Final + - 4.0.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2014-0193 + - type: WEB + url: https://github.com/netty/netty/issues/2441 + - type: WEB + url: https://github.com/netty/netty/commit/8599ab5bdb761bb99d41a975d689f74c12e4892b + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html + - type: WEB + url: https://web.archive.org/web/20140509033427/http://www.securityfocus.com/bid/67182 + - type: WEB + url: https://web.archive.org/web/20140509044857/http://secunia.com/advisories/58280 + - type: WEB + url: 
https://web.archive.org/web/20161119201425/http://secunia.com/advisories/59290 + - type: WEB + url: http://netty.io/news/2014/04/30/release-day.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1019.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1020.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1021.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1351.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0675.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0720.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0765.html + database_specific: + cwe_ids: [] + github_reviewed: true + github_reviewed_at: "2023-08-07T20:25:36Z" + nvd_published_at: "2014-05-06T14:55:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-9vjp-v76f-g363 + modified: 2024-03-11T05:32:25.452063Z + published: 2021-09-09T17:11:31Z + aliases: + - CVE-2021-37137 + summary: ' SnappyFrameDecoder doesn''t restrict chunk length any may buffer skippable chunks in an unnecessary way' + details: |- + ### Impact + The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. + + This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. + + ### Impact + + All users of SnappyFrameDecoder are affected and so the application may be in risk for a DoS attach due excessive memory usage. 
+ + ### References + https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79 + https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171 + https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185 + affected: + - package: + ecosystem: Maven + name: io.netty:netty-codec + purl: pkg:maven/io.netty/netty-codec + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0 + - fixed: 4.1.68.Final + versions: + - 4.0.0.Final + - 4.0.1.Final + - 4.0.10.Final + - 4.0.11.Final + - 4.0.12.Final + - 4.0.13.Final + - 4.0.14.Beta1 + - 4.0.14.Final + - 4.0.15.Final + - 4.0.16.Final + - 4.0.17.Final + - 4.0.18.Final + - 4.0.19.Final + - 4.0.2.Final + - 4.0.20.Final + - 4.0.21.Final + - 4.0.22.Final + - 4.0.23.Final + - 4.0.24.Final + - 4.0.25.Final + - 4.0.26.Final + - 4.0.27.Final + - 4.0.28.Final + - 4.0.29.Final + - 4.0.3.Final + - 4.0.30.Final + - 4.0.31.Final + - 4.0.32.Final + - 4.0.33.Final + - 4.0.34.Final + - 4.0.35.Final + - 4.0.36.Final + - 4.0.37.Final + - 4.0.38.Final + - 4.0.39.Final + - 4.0.4.Final + - 4.0.40.Final + - 4.0.41.Final + - 4.0.42.Final + - 4.0.43.Final + - 4.0.44.Final + - 4.0.45.Final + - 4.0.46.Final + - 4.0.47.Final + - 4.0.48.Final + - 4.0.49.Final + - 4.0.5.Final + - 4.0.50.Final + - 4.0.51.Final + - 4.0.52.Final + - 4.0.53.Final + - 4.0.54.Final + - 4.0.55.Final + - 4.0.56.Final + - 4.0.6.Final + - 4.0.7.Final + - 4.0.8.Final + - 4.0.9.Final + - 4.1.0.Beta1 + - 4.1.0.Beta2 + - 4.1.0.Beta3 + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 
4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + - 4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.44.Final + - 4.1.45.Final + - 4.1.46.Final + - 4.1.47.Final + - 4.1.48.Final + - 4.1.49.Final + - 4.1.5.Final + - 4.1.50.Final + - 4.1.51.Final + - 4.1.52.Final + - 4.1.53.Final + - 4.1.54.Final + - 4.1.55.Final + - 4.1.56.Final + - 4.1.57.Final + - 4.1.58.Final + - 4.1.59.Final + - 4.1.6.Final + - 4.1.60.Final + - 4.1.61.Final + - 4.1.62.Final + - 4.1.63.Final + - 4.1.64.Final + - 4.1.65.Final + - 4.1.66.Final + - 4.1.67.Final + - 4.1.7.Final + - 4.1.8.Final + - 4.1.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9vjp-v76f-g363/GHSA-9vjp-v76f-g363.json + - package: + ecosystem: Maven + name: org.jboss.netty:netty + purl: pkg:maven/org.jboss.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.0.0.CR1 + - 3.0.0.CR2 + - 3.0.0.CR3 + - 3.0.0.CR4 + - 3.0.0.CR5 + - 3.0.0.GA + - 3.0.1.GA + - 3.0.2.GA + - 3.1.0.ALPHA1 + - 3.1.0.ALPHA2 + - 3.1.0.ALPHA3 + - 3.1.0.ALPHA4 + - 3.1.0.BETA1 + - 3.1.0.BETA2 + - 3.1.0.BETA3 + - 3.1.0.CR1 + - 3.1.0.GA + - 3.1.1.GA + - 3.1.2.GA + - 3.1.3.GA + - 3.1.4.GA + - 3.1.5.GA + - 3.2.0.ALPHA1 + - 3.2.0.ALPHA2 + - 3.2.0.ALPHA3 + - 3.2.0.ALPHA4 + - 3.2.0.BETA1 + - 3.2.0.CR1 + - 3.2.0.Final + - 3.2.1.Final + - 3.2.10.Final + - 3.2.2.Final + - 3.2.3.Final + - 3.2.4.Final + - 3.2.5.Final + - 3.2.6.Final + - 3.2.7.Final + - 3.2.8.Final + - 3.2.9.Final + database_specific: + last_known_affected_version_range: < 
4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9vjp-v76f-g363/GHSA-9vjp-v76f-g363.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.10.0.Final + - 3.10.1.Final + - 3.10.2.Final + - 3.10.3.Final + - 3.10.4.Final + - 3.10.5.Final + - 3.10.6.Final + - 3.3.0.Final + - 3.3.1.Final + - 3.4.0.Alpha1 + - 3.4.0.Alpha2 + - 3.4.0.Beta1 + - 3.4.0.Final + - 3.4.1.Final + - 3.4.2.Final + - 3.4.3.Final + - 3.4.4.Final + - 3.4.5.Final + - 3.4.6.Final + - 3.5.0.Beta1 + - 3.5.0.Final + - 3.5.1.Final + - 3.5.10.Final + - 3.5.11.Final + - 3.5.12.Final + - 3.5.13.Final + - 3.5.2.Final + - 3.5.3.Final + - 3.5.4.Final + - 3.5.5.Final + - 3.5.6.Final + - 3.5.7.Final + - 3.5.8.Final + - 3.5.9.Final + - 3.6.0.Beta1 + - 3.6.0.Final + - 3.6.1.Final + - 3.6.10.Final + - 3.6.2.Final + - 3.6.3.Final + - 3.6.4.Final + - 3.6.5.Final + - 3.6.6.Final + - 3.6.7.Final + - 3.6.8.Final + - 3.6.9.Final + - 3.7.0.Final + - 3.7.1.Final + - 3.8.0.Final + - 3.8.1.Final + - 3.8.2.Final + - 3.8.3.Final + - 3.9.0.Final + - 3.9.1.1.Final + - 3.9.1.Final + - 3.9.2.Final + - 3.9.3.Final + - 3.9.4.Final + - 3.9.5.Final + - 3.9.6.Final + - 3.9.7.Final + - 3.9.8.Final + - 3.9.9.Final + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9vjp-v76f-g363/GHSA-9vjp-v76f-g363.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: WEB + url: https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363 + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-37137 + - type: WEB + url: 
https://github.com/netty/netty/commit/6da4956b31023ae967451e1d94ff51a746a9194f + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.debian.org/security/2023/dsa-5316 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220210-0012 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html + - type: WEB + url: https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79 + - type: WEB + url: https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185 + - type: WEB + url: https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171 + - type: PACKAGE + url: https://github.com/netty/netty + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + 
github_reviewed_at: "2021-09-09T14:44:10Z" + nvd_published_at: "2021-10-19T15:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-cqqj-4p63-rrmm + modified: 2024-03-11T05:19:31.586438Z + published: 2020-02-21T18:55:24Z + aliases: + - CVE-2019-20444 + summary: HTTP Request Smuggling in Netty + details: HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold." + affected: + - package: + ecosystem: Maven + name: io.netty:netty-codec-http + purl: pkg:maven/io.netty/netty-codec-http + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0 + - fixed: 4.1.44 + versions: + - 4.0.0.Final + - 4.0.1.Final + - 4.0.10.Final + - 4.0.11.Final + - 4.0.12.Final + - 4.0.13.Final + - 4.0.14.Beta1 + - 4.0.14.Final + - 4.0.15.Final + - 4.0.16.Final + - 4.0.17.Final + - 4.0.18.Final + - 4.0.19.Final + - 4.0.2.Final + - 4.0.20.Final + - 4.0.21.Final + - 4.0.22.Final + - 4.0.23.Final + - 4.0.24.Final + - 4.0.25.Final + - 4.0.26.Final + - 4.0.27.Final + - 4.0.28.Final + - 4.0.29.Final + - 4.0.3.Final + - 4.0.30.Final + - 4.0.31.Final + - 4.0.32.Final + - 4.0.33.Final + - 4.0.34.Final + - 4.0.35.Final + - 4.0.36.Final + - 4.0.37.Final + - 4.0.38.Final + - 4.0.39.Final + - 4.0.4.Final + - 4.0.40.Final + - 4.0.41.Final + - 4.0.42.Final + - 4.0.43.Final + - 4.0.44.Final + - 4.0.45.Final + - 4.0.46.Final + - 4.0.47.Final + - 4.0.48.Final + - 4.0.49.Final + - 4.0.5.Final + - 4.0.50.Final + - 4.0.51.Final + - 4.0.52.Final + - 4.0.53.Final + - 4.0.54.Final + - 4.0.55.Final + - 4.0.56.Final + - 4.0.6.Final + - 4.0.7.Final + - 4.0.8.Final + - 4.0.9.Final + - 4.1.0.Beta1 + - 4.1.0.Beta2 + - 4.1.0.Beta3 + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 
4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + - 4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.5.Final + - 4.1.6.Final + - 4.1.7.Final + - 4.1.8.Final + - 4.1.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-cqqj-4p63-rrmm/GHSA-cqqj-4p63-rrmm.json + - package: + ecosystem: Maven + name: org.jboss.netty:netty + purl: pkg:maven/org.jboss.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.0.0.CR1 + - 3.0.0.CR2 + - 3.0.0.CR3 + - 3.0.0.CR4 + - 3.0.0.CR5 + - 3.0.0.GA + - 3.0.1.GA + - 3.0.2.GA + - 3.1.0.ALPHA1 + - 3.1.0.ALPHA2 + - 3.1.0.ALPHA3 + - 3.1.0.ALPHA4 + - 3.1.0.BETA1 + - 3.1.0.BETA2 + - 3.1.0.BETA3 + - 3.1.0.CR1 + - 3.1.0.GA + - 3.1.1.GA + - 3.1.2.GA + - 3.1.3.GA + - 3.1.4.GA + - 3.1.5.GA + - 3.2.0.ALPHA1 + - 3.2.0.ALPHA2 + - 3.2.0.ALPHA3 + - 3.2.0.ALPHA4 + - 3.2.0.BETA1 + - 3.2.0.CR1 + - 3.2.0.Final + - 3.2.1.Final + - 3.2.10.Final + - 3.2.2.Final + - 3.2.3.Final + - 3.2.4.Final + - 3.2.5.Final + - 3.2.6.Final + - 3.2.7.Final + - 3.2.8.Final + - 3.2.9.Final + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-cqqj-4p63-rrmm/GHSA-cqqj-4p63-rrmm.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 
3.10.0.Final + - 3.10.1.Final + - 3.10.2.Final + - 3.10.3.Final + - 3.10.4.Final + - 3.10.5.Final + - 3.10.6.Final + - 3.3.0.Final + - 3.3.1.Final + - 3.4.0.Alpha1 + - 3.4.0.Alpha2 + - 3.4.0.Beta1 + - 3.4.0.Final + - 3.4.1.Final + - 3.4.2.Final + - 3.4.3.Final + - 3.4.4.Final + - 3.4.5.Final + - 3.4.6.Final + - 3.5.0.Beta1 + - 3.5.0.Final + - 3.5.1.Final + - 3.5.10.Final + - 3.5.11.Final + - 3.5.12.Final + - 3.5.13.Final + - 3.5.2.Final + - 3.5.3.Final + - 3.5.4.Final + - 3.5.5.Final + - 3.5.6.Final + - 3.5.7.Final + - 3.5.8.Final + - 3.5.9.Final + - 3.6.0.Beta1 + - 3.6.0.Final + - 3.6.1.Final + - 3.6.10.Final + - 3.6.2.Final + - 3.6.3.Final + - 3.6.4.Final + - 3.6.5.Final + - 3.6.6.Final + - 3.6.7.Final + - 3.6.8.Final + - 3.6.9.Final + - 3.7.0.Final + - 3.7.1.Final + - 3.8.0.Final + - 3.8.1.Final + - 3.8.2.Final + - 3.8.3.Final + - 3.9.0.Final + - 3.9.1.1.Final + - 3.9.1.Final + - 3.9.2.Final + - 3.9.3.Final + - 3.9.4.Final + - 3.9.5.Final + - 3.9.6.Final + - 3.9.7.Final + - 3.9.8.Final + - 3.9.9.Final + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-cqqj-4p63-rrmm/GHSA-cqqj-4p63-rrmm.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-20444 + - type: WEB + url: https://github.com/netty/netty/issues/9866 + - type: WEB + url: https://github.com/netty/netty/pull/9871/files#diff-e26989b9171ef22c27c9f7d80689cfb059d568c9bd10e75970d96c02d0654878 + - type: WEB + url: https://github.com/netty/netty/pull/9871 + - type: WEB + url: https://www.debian.org/security/2021/dsa-4885 + - type: WEB + url: 
https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6@%3Ccommon-commits.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://usn.ubuntu.com/4532-1 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html + - type: WEB + url: https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9@%3Ccommon-commits.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e@%3Ccommits.camel.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r059b042bca47be53ff8a51fd04d95eb01bb683f1afa209db136e8cb7@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0811 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0806 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0805 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0804 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0606 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0605 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0601 + - type: WEB + url: 
https://access.redhat.com/errata/RHSA-2020:0567 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0497 + - type: WEB + url: https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4@%3Ccommon-commits.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r489886fe72a98768eed665474cba13bad8d6fe0654f24987706636c5@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r34912a9b1a5c269a77b8be94ef6fb6d1e9b3c69129719dc00f01cf0b@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E + database_specific: + cwe_ids: + - CWE-444 + github_reviewed: true + github_reviewed_at: "2020-02-20T20:54:33Z" + nvd_published_at: "2020-01-29T21:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-f256-j965-7f32 + modified: 2024-03-11T05:20:24.99029Z + published: 2021-03-30T15:10:38Z + aliases: + - BIT-zookeeper-2021-21295 + - CVE-2021-21295 + - CVE-2021-21409 + - GHSA-wm47-8v5p-wjpj + summary: Possible request smuggling in HTTP/2 due missing validation of content-length + details: "### Impact\nThe content-length header is not correctly validated if the request only use a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1\n\nThis is a followup of https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj which did miss to fix this one case. \n\n### Patches\nThis was fixed as part of 4.1.61.Final\n\n### Workarounds\nValidation can be done by the user before proxy the request by validating the header." 
+ affected: + - package: + ecosystem: Maven + name: io.netty:netty-codec-http2 + purl: pkg:maven/io.netty/netty-codec-http2 + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0 + - fixed: 4.1.61.Final + versions: + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + - 4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.44.Final + - 4.1.45.Final + - 4.1.46.Final + - 4.1.47.Final + - 4.1.48.Final + - 4.1.49.Final + - 4.1.5.Final + - 4.1.50.Final + - 4.1.51.Final + - 4.1.52.Final + - 4.1.53.Final + - 4.1.54.Final + - 4.1.55.Final + - 4.1.56.Final + - 4.1.57.Final + - 4.1.58.Final + - 4.1.59.Final + - 4.1.6.Final + - 4.1.60.Final + - 4.1.7.Final + - 4.1.8.Final + - 4.1.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-f256-j965-7f32/GHSA-f256-j965-7f32.json + - package: + ecosystem: Maven + name: org.jboss.netty:netty + purl: pkg:maven/org.jboss.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.0.0.CR1 + - 3.0.0.CR2 + - 3.0.0.CR3 + - 3.0.0.CR4 + - 3.0.0.CR5 + - 3.0.0.GA + - 3.0.1.GA + - 3.0.2.GA + - 3.1.0.ALPHA1 + - 3.1.0.ALPHA2 + - 3.1.0.ALPHA3 + - 3.1.0.ALPHA4 + - 3.1.0.BETA1 + - 3.1.0.BETA2 + - 3.1.0.BETA3 + - 
3.1.0.CR1 + - 3.1.0.GA + - 3.1.1.GA + - 3.1.2.GA + - 3.1.3.GA + - 3.1.4.GA + - 3.1.5.GA + - 3.2.0.ALPHA1 + - 3.2.0.ALPHA2 + - 3.2.0.ALPHA3 + - 3.2.0.ALPHA4 + - 3.2.0.BETA1 + - 3.2.0.CR1 + - 3.2.0.Final + - 3.2.1.Final + - 3.2.10.Final + - 3.2.2.Final + - 3.2.3.Final + - 3.2.4.Final + - 3.2.5.Final + - 3.2.6.Final + - 3.2.7.Final + - 3.2.8.Final + - 3.2.9.Final + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-f256-j965-7f32/GHSA-f256-j965-7f32.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.10.0.Final + - 3.10.1.Final + - 3.10.2.Final + - 3.10.3.Final + - 3.10.4.Final + - 3.10.5.Final + - 3.10.6.Final + - 3.3.0.Final + - 3.3.1.Final + - 3.4.0.Alpha1 + - 3.4.0.Alpha2 + - 3.4.0.Beta1 + - 3.4.0.Final + - 3.4.1.Final + - 3.4.2.Final + - 3.4.3.Final + - 3.4.4.Final + - 3.4.5.Final + - 3.4.6.Final + - 3.5.0.Beta1 + - 3.5.0.Final + - 3.5.1.Final + - 3.5.10.Final + - 3.5.11.Final + - 3.5.12.Final + - 3.5.13.Final + - 3.5.2.Final + - 3.5.3.Final + - 3.5.4.Final + - 3.5.5.Final + - 3.5.6.Final + - 3.5.7.Final + - 3.5.8.Final + - 3.5.9.Final + - 3.6.0.Beta1 + - 3.6.0.Final + - 3.6.1.Final + - 3.6.10.Final + - 3.6.2.Final + - 3.6.3.Final + - 3.6.4.Final + - 3.6.5.Final + - 3.6.6.Final + - 3.6.7.Final + - 3.6.8.Final + - 3.6.9.Final + - 3.7.0.Final + - 3.7.1.Final + - 3.8.0.Final + - 3.8.1.Final + - 3.8.2.Final + - 3.8.3.Final + - 3.9.0.Final + - 3.9.1.1.Final + - 3.9.1.Final + - 3.9.2.Final + - 3.9.3.Final + - 3.9.4.Final + - 3.9.5.Final + - 3.9.6.Final + - 3.9.7.Final + - 3.9.8.Final + - 3.9.9.Final + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + database_specific: + last_known_affected_version_range: < 4.0.0 + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-f256-j965-7f32/GHSA-f256-j965-7f32.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: WEB + url: https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32 + - type: WEB + url: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-21409 + - type: WEB + url: https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432 + - type: WEB + url: https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa@%3Cjira.kafka.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E + - type: WEB + url: 
https://security.netapp.com/advisory/ntap-20210604-0003 + - type: WEB + url: https://www.debian.org/security/2021/dsa-4885 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295 + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E + database_specific: + cwe_ids: + - CWE-444 + github_reviewed: true + github_reviewed_at: "2021-03-30T15:03:26Z" + nvd_published_at: "2021-03-30T15:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-grg4-wf29-r9vv + modified: 2024-03-11T05:19:43.92959Z + published: 2021-09-09T17:11:21Z + aliases: + - CVE-2021-37136 + summary: Bzip2Decoder doesn't allow setting size restrictions for decompressed data + details: |- + ### Impact + The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). + + + All users of Bzip2Decoder are affected. 
The malicious input can trigger an OOME and so a DoS attack + + ### Workarounds + No workarounds other than not using the `Bzip2Decoder` + + ### References + + Relevant code areas: + + https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80 + https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294 + https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305 + affected: + - package: + ecosystem: Maven + name: io.netty:netty-codec + purl: pkg:maven/io.netty/netty-codec + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 4.1.68.Final + versions: + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + - 4.0.0.Beta1 + - 4.0.0.Beta2 + - 4.0.0.Beta3 + - 4.0.0.CR1 + - 4.0.0.CR2 + - 4.0.0.CR3 + - 4.0.0.CR4 + - 4.0.0.CR5 + - 4.0.0.CR6 + - 4.0.0.CR7 + - 4.0.0.CR8 + - 4.0.0.CR9 + - 4.0.0.Final + - 4.0.1.Final + - 4.0.10.Final + - 4.0.11.Final + - 4.0.12.Final + - 4.0.13.Final + - 4.0.14.Beta1 + - 4.0.14.Final + - 4.0.15.Final + - 4.0.16.Final + - 4.0.17.Final + - 4.0.18.Final + - 4.0.19.Final + - 4.0.2.Final + - 4.0.20.Final + - 4.0.21.Final + - 4.0.22.Final + - 4.0.23.Final + - 4.0.24.Final + - 4.0.25.Final + - 4.0.26.Final + - 4.0.27.Final + - 4.0.28.Final + - 4.0.29.Final + - 4.0.3.Final + - 4.0.30.Final + - 4.0.31.Final + - 4.0.32.Final + - 4.0.33.Final + - 4.0.34.Final + - 4.0.35.Final + - 4.0.36.Final + - 4.0.37.Final + - 4.0.38.Final + - 4.0.39.Final + - 4.0.4.Final + - 4.0.40.Final + - 4.0.41.Final + - 4.0.42.Final + - 4.0.43.Final + - 4.0.44.Final + - 4.0.45.Final + - 4.0.46.Final + - 4.0.47.Final + - 4.0.48.Final + - 4.0.49.Final + - 4.0.5.Final + - 4.0.50.Final + - 4.0.51.Final + - 4.0.52.Final + - 4.0.53.Final + - 4.0.54.Final + - 4.0.55.Final 
+ - 4.0.56.Final + - 4.0.6.Final + - 4.0.7.Final + - 4.0.8.Final + - 4.0.9.Final + - 4.1.0.Beta1 + - 4.1.0.Beta2 + - 4.1.0.Beta3 + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + - 4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.44.Final + - 4.1.45.Final + - 4.1.46.Final + - 4.1.47.Final + - 4.1.48.Final + - 4.1.49.Final + - 4.1.5.Final + - 4.1.50.Final + - 4.1.51.Final + - 4.1.52.Final + - 4.1.53.Final + - 4.1.54.Final + - 4.1.55.Final + - 4.1.56.Final + - 4.1.57.Final + - 4.1.58.Final + - 4.1.59.Final + - 4.1.6.Final + - 4.1.60.Final + - 4.1.61.Final + - 4.1.62.Final + - 4.1.63.Final + - 4.1.64.Final + - 4.1.65.Final + - 4.1.66.Final + - 4.1.67.Final + - 4.1.7.Final + - 4.1.8.Final + - 4.1.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json + - package: + ecosystem: Maven + name: org.jboss.netty:netty + purl: pkg:maven/org.jboss.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.0.0.CR1 + - 3.0.0.CR2 + - 3.0.0.CR3 + - 3.0.0.CR4 + - 3.0.0.CR5 + - 3.0.0.GA + - 3.0.1.GA + - 3.0.2.GA + - 3.1.0.ALPHA1 + - 3.1.0.ALPHA2 + - 3.1.0.ALPHA3 + - 3.1.0.ALPHA4 + - 3.1.0.BETA1 + - 
3.1.0.BETA2 + - 3.1.0.BETA3 + - 3.1.0.CR1 + - 3.1.0.GA + - 3.1.1.GA + - 3.1.2.GA + - 3.1.3.GA + - 3.1.4.GA + - 3.1.5.GA + - 3.2.0.ALPHA1 + - 3.2.0.ALPHA2 + - 3.2.0.ALPHA3 + - 3.2.0.ALPHA4 + - 3.2.0.BETA1 + - 3.2.0.CR1 + - 3.2.0.Final + - 3.2.1.Final + - 3.2.10.Final + - 3.2.2.Final + - 3.2.3.Final + - 3.2.4.Final + - 3.2.5.Final + - 3.2.6.Final + - 3.2.7.Final + - 3.2.8.Final + - 3.2.9.Final + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.10.0.Final + - 3.10.1.Final + - 3.10.2.Final + - 3.10.3.Final + - 3.10.4.Final + - 3.10.5.Final + - 3.10.6.Final + - 3.3.0.Final + - 3.3.1.Final + - 3.4.0.Alpha1 + - 3.4.0.Alpha2 + - 3.4.0.Beta1 + - 3.4.0.Final + - 3.4.1.Final + - 3.4.2.Final + - 3.4.3.Final + - 3.4.4.Final + - 3.4.5.Final + - 3.4.6.Final + - 3.5.0.Beta1 + - 3.5.0.Final + - 3.5.1.Final + - 3.5.10.Final + - 3.5.11.Final + - 3.5.12.Final + - 3.5.13.Final + - 3.5.2.Final + - 3.5.3.Final + - 3.5.4.Final + - 3.5.5.Final + - 3.5.6.Final + - 3.5.7.Final + - 3.5.8.Final + - 3.5.9.Final + - 3.6.0.Beta1 + - 3.6.0.Final + - 3.6.1.Final + - 3.6.10.Final + - 3.6.2.Final + - 3.6.3.Final + - 3.6.4.Final + - 3.6.5.Final + - 3.6.6.Final + - 3.6.7.Final + - 3.6.8.Final + - 3.6.9.Final + - 3.7.0.Final + - 3.7.1.Final + - 3.8.0.Final + - 3.8.1.Final + - 3.8.2.Final + - 3.8.3.Final + - 3.9.0.Final + - 3.9.1.1.Final + - 3.9.1.Final + - 3.9.2.Final + - 3.9.3.Final + - 3.9.4.Final + - 3.9.5.Final + - 3.9.6.Final + - 3.9.7.Final + - 3.9.8.Final + - 3.9.9.Final + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + database_specific: + last_known_affected_version_range: < 4.0.0 + 
source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: WEB + url: https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-37136 + - type: WEB + url: https://github.com/netty/netty/commit/41d3d61a61608f2223bb364955ab2045dd5e4020 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.debian.org/security/2023/dsa-5316 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220210-0012 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html + - type: WEB + url: https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80 + - type: WEB 
+ url: https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305 + - type: WEB + url: https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294 + - type: PACKAGE + url: https://github.com/netty/netty + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + github_reviewed_at: "2021-09-09T14:36:56Z" + nvd_published_at: "2021-10-19T15:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-p2v9-g2qv-p635 + modified: 2024-03-11T05:20:08.431863Z + published: 2020-02-21T18:55:04Z + aliases: + - CVE-2019-20445 + summary: HTTP Request Smuggling in Netty + details: HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. + affected: + - package: + ecosystem: Maven + name: io.netty:netty-handler + purl: pkg:maven/io.netty/netty-handler + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0 + - fixed: 4.1.45 + versions: + - 4.0.0.Final + - 4.0.1.Final + - 4.0.10.Final + - 4.0.11.Final + - 4.0.12.Final + - 4.0.13.Final + - 4.0.14.Beta1 + - 4.0.14.Final + - 4.0.15.Final + - 4.0.16.Final + - 4.0.17.Final + - 4.0.18.Final + - 4.0.19.Final + - 4.0.2.Final + - 4.0.20.Final + - 4.0.21.Final + - 4.0.22.Final + - 4.0.23.Final + - 4.0.24.Final + - 4.0.25.Final + - 4.0.26.Final + - 4.0.27.Final + - 4.0.28.Final + - 4.0.29.Final + - 4.0.3.Final + - 4.0.30.Final + - 4.0.31.Final + - 4.0.32.Final + - 4.0.33.Final + - 4.0.34.Final + - 4.0.35.Final + - 4.0.36.Final + - 4.0.37.Final + - 4.0.38.Final + - 4.0.39.Final + - 4.0.4.Final + - 4.0.40.Final + - 4.0.41.Final + - 4.0.42.Final + - 4.0.43.Final + - 4.0.44.Final + - 4.0.45.Final + - 4.0.46.Final + - 4.0.47.Final + - 4.0.48.Final + - 4.0.49.Final + - 4.0.5.Final + - 4.0.50.Final + - 4.0.51.Final + - 4.0.52.Final + - 4.0.53.Final + - 4.0.54.Final + - 4.0.55.Final + - 4.0.56.Final + - 
4.0.6.Final + - 4.0.7.Final + - 4.0.8.Final + - 4.0.9.Final + - 4.1.0.Beta1 + - 4.1.0.Beta2 + - 4.1.0.Beta3 + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + - 4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.44.Final + - 4.1.5.Final + - 4.1.6.Final + - 4.1.7.Final + - 4.1.8.Final + - 4.1.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-p2v9-g2qv-p635/GHSA-p2v9-g2qv-p635.json + - package: + ecosystem: Maven + name: org.jboss.netty:netty + purl: pkg:maven/org.jboss.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.0.0.CR1 + - 3.0.0.CR2 + - 3.0.0.CR3 + - 3.0.0.CR4 + - 3.0.0.CR5 + - 3.0.0.GA + - 3.0.1.GA + - 3.0.2.GA + - 3.1.0.ALPHA1 + - 3.1.0.ALPHA2 + - 3.1.0.ALPHA3 + - 3.1.0.ALPHA4 + - 3.1.0.BETA1 + - 3.1.0.BETA2 + - 3.1.0.BETA3 + - 3.1.0.CR1 + - 3.1.0.GA + - 3.1.1.GA + - 3.1.2.GA + - 3.1.3.GA + - 3.1.4.GA + - 3.1.5.GA + - 3.2.0.ALPHA1 + - 3.2.0.ALPHA2 + - 3.2.0.ALPHA3 + - 3.2.0.ALPHA4 + - 3.2.0.BETA1 + - 3.2.0.CR1 + - 3.2.0.Final + - 3.2.1.Final + - 3.2.10.Final + - 3.2.2.Final + - 3.2.3.Final + - 3.2.4.Final + - 3.2.5.Final + - 3.2.6.Final + - 3.2.7.Final + - 3.2.8.Final + - 3.2.9.Final + database_specific: + 
last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-p2v9-g2qv-p635/GHSA-p2v9-g2qv-p635.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.10.0.Final + - 3.10.1.Final + - 3.10.2.Final + - 3.10.3.Final + - 3.10.4.Final + - 3.10.5.Final + - 3.10.6.Final + - 3.3.0.Final + - 3.3.1.Final + - 3.4.0.Alpha1 + - 3.4.0.Alpha2 + - 3.4.0.Beta1 + - 3.4.0.Final + - 3.4.1.Final + - 3.4.2.Final + - 3.4.3.Final + - 3.4.4.Final + - 3.4.5.Final + - 3.4.6.Final + - 3.5.0.Beta1 + - 3.5.0.Final + - 3.5.1.Final + - 3.5.10.Final + - 3.5.11.Final + - 3.5.12.Final + - 3.5.13.Final + - 3.5.2.Final + - 3.5.3.Final + - 3.5.4.Final + - 3.5.5.Final + - 3.5.6.Final + - 3.5.7.Final + - 3.5.8.Final + - 3.5.9.Final + - 3.6.0.Beta1 + - 3.6.0.Final + - 3.6.1.Final + - 3.6.10.Final + - 3.6.2.Final + - 3.6.3.Final + - 3.6.4.Final + - 3.6.5.Final + - 3.6.6.Final + - 3.6.7.Final + - 3.6.8.Final + - 3.6.9.Final + - 3.7.0.Final + - 3.7.1.Final + - 3.8.0.Final + - 3.8.1.Final + - 3.8.2.Final + - 3.8.3.Final + - 3.9.0.Final + - 3.9.1.1.Final + - 3.9.1.Final + - 3.9.2.Final + - 3.9.3.Final + - 3.9.4.Final + - 3.9.5.Final + - 3.9.6.Final + - 3.9.7.Final + - 3.9.8.Final + - 3.9.9.Final + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-p2v9-g2qv-p635/GHSA-p2v9-g2qv-p635.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-20445 + - type: WEB + url: https://github.com/netty/netty/issues/9861 + - type: WEB + url: https://github.com/netty/netty/pull/9865 + - type: WEB + url: 
https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2@%3Cissues.flume.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0497 + - type: WEB + 
url: https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46 + - type: WEB + url: https://usn.ubuntu.com/4532-1 + - type: WEB + url: https://www.debian.org/security/2021/dsa-4885 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0567 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0601 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0605 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0606 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0804 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0805 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0806 + - type: WEB + url: 
https://access.redhat.com/errata/RHSA-2020:0811 + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final + - type: WEB + url: https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663@%3Cissues.flume.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74@%3Cissues.flume.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E + - type: WEB 
+ url: https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E + database_specific: + cwe_ids: + - CWE-444 + github_reviewed: true + github_reviewed_at: "2020-02-20T20:54:25Z" + nvd_published_at: "2020-01-29T21:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-wm47-8v5p-wjpj + modified: 2024-03-11T05:16:16.38061Z + published: 2021-03-09T18:49:49Z + aliases: + - BIT-zookeeper-2021-21295 + - CVE-2021-21295 + - CVE-2021-21409 + - GHSA-f256-j965-7f32 + summary: Possible request smuggling in HTTP/2 due missing validation + details: "### Impact\nIf a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1.\nIf the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. \n\nIn a proxy case, users may assume the content-length is validated somehow, which is not the case. 
If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked.\n\nAn attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. A sample attack request looks like:\n\n```\nPOST / HTTP/2\n:authority:: externaldomain.com\nContent-Length: 4\n\nasdfGET /evilRedirect HTTP/1.1\nHost: internaldomain.com\n```\n\nUsers are only affected if all of this is `true`:\n * `HTTP2MultiplexCodec` or `Http2FrameCodec` is used\n * `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects\n * These HTTP/1.1 objects are forwarded to another remote peer.\n \n\n### Patches\nThis has been patched in 4.1.60.Final\n\n### Workarounds\nThe user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.\n\n### References\nRelated change to workaround the problem: https://github.com/Netflix/zuul/pull/980 " + affected: + - package: + ecosystem: Maven + name: io.netty:netty-codec-http2 + purl: pkg:maven/io.netty/netty-codec-http2 + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0 + - fixed: 4.1.60.Final + versions: + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + - 
4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.44.Final + - 4.1.45.Final + - 4.1.46.Final + - 4.1.47.Final + - 4.1.48.Final + - 4.1.49.Final + - 4.1.5.Final + - 4.1.50.Final + - 4.1.51.Final + - 4.1.52.Final + - 4.1.53.Final + - 4.1.54.Final + - 4.1.55.Final + - 4.1.56.Final + - 4.1.57.Final + - 4.1.58.Final + - 4.1.59.Final + - 4.1.6.Final + - 4.1.7.Final + - 4.1.8.Final + - 4.1.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-wm47-8v5p-wjpj/GHSA-wm47-8v5p-wjpj.json + - package: + ecosystem: Maven + name: org.jboss.netty:netty + purl: pkg:maven/org.jboss.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.0.0.CR1 + - 3.0.0.CR2 + - 3.0.0.CR3 + - 3.0.0.CR4 + - 3.0.0.CR5 + - 3.0.0.GA + - 3.0.1.GA + - 3.0.2.GA + - 3.1.0.ALPHA1 + - 3.1.0.ALPHA2 + - 3.1.0.ALPHA3 + - 3.1.0.ALPHA4 + - 3.1.0.BETA1 + - 3.1.0.BETA2 + - 3.1.0.BETA3 + - 3.1.0.CR1 + - 3.1.0.GA + - 3.1.1.GA + - 3.1.2.GA + - 3.1.3.GA + - 3.1.4.GA + - 3.1.5.GA + - 3.2.0.ALPHA1 + - 3.2.0.ALPHA2 + - 3.2.0.ALPHA3 + - 3.2.0.ALPHA4 + - 3.2.0.BETA1 + - 3.2.0.CR1 + - 3.2.0.Final + - 3.2.1.Final + - 3.2.10.Final + - 3.2.2.Final + - 3.2.3.Final + - 3.2.4.Final + - 3.2.5.Final + - 3.2.6.Final + - 3.2.7.Final + - 3.2.8.Final + - 3.2.9.Final + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-wm47-8v5p-wjpj/GHSA-wm47-8v5p-wjpj.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.10.0.Final + - 3.10.1.Final + - 3.10.2.Final + - 3.10.3.Final + - 3.10.4.Final + - 3.10.5.Final + - 3.10.6.Final + - 3.3.0.Final + - 3.3.1.Final + - 3.4.0.Alpha1 + - 3.4.0.Alpha2 + - 3.4.0.Beta1 + - 3.4.0.Final + - 3.4.1.Final + - 3.4.2.Final + - 3.4.3.Final + 
- 3.4.4.Final + - 3.4.5.Final + - 3.4.6.Final + - 3.5.0.Beta1 + - 3.5.0.Final + - 3.5.1.Final + - 3.5.10.Final + - 3.5.11.Final + - 3.5.12.Final + - 3.5.13.Final + - 3.5.2.Final + - 3.5.3.Final + - 3.5.4.Final + - 3.5.5.Final + - 3.5.6.Final + - 3.5.7.Final + - 3.5.8.Final + - 3.5.9.Final + - 3.6.0.Beta1 + - 3.6.0.Final + - 3.6.1.Final + - 3.6.10.Final + - 3.6.2.Final + - 3.6.3.Final + - 3.6.4.Final + - 3.6.5.Final + - 3.6.6.Final + - 3.6.7.Final + - 3.6.8.Final + - 3.6.9.Final + - 3.7.0.Final + - 3.7.1.Final + - 3.8.0.Final + - 3.8.1.Final + - 3.8.2.Final + - 3.8.3.Final + - 3.9.0.Final + - 3.9.1.1.Final + - 3.9.1.Final + - 3.9.2.Final + - 3.9.3.Final + - 3.9.4.Final + - 3.9.5.Final + - 3.9.6.Final + - 3.9.7.Final + - 3.9.8.Final + - 3.9.9.Final + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-wm47-8v5p-wjpj/GHSA-wm47-8v5p-wjpj.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: WEB + url: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-21295 + - type: WEB + url: https://github.com/Netflix/zuul/pull/980 + - type: WEB + url: https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4 + - type: WEB + url: https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd@%3Cdev.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.debian.org/security/2021/dsa-4885 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210604-0003 + - type: WEB + url: https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E + - type: WEB 
+ url: https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8@%3Ccommits.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3@%3Cdev.jackrabbit.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1@%3Cissues.hbase.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E + database_specific: + cwe_ids: + - CWE-444 + github_reviewed: true + github_reviewed_at: "2021-03-09T18:47:09Z" + nvd_published_at: "2021-03-09T19:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-wx5j-54mm-rqqq + modified: 2024-02-22T05:37:31.471154Z + published: 2021-12-09T19:09:17Z + aliases: + - CVE-2021-43797 + summary: HTTP request smuggling in netty + details: |+ + ### Impact + + Netty currently just skips control chars when these are present at the beginning / end of the header name. We should better fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. + + Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore and so not do the validation itself. 
+ + affected: + - package: + ecosystem: Maven + name: io.netty:netty-codec-http + purl: pkg:maven/io.netty/netty-codec-http + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0 + - fixed: 4.1.71.Final + versions: + - 4.0.0.Final + - 4.0.1.Final + - 4.0.10.Final + - 4.0.11.Final + - 4.0.12.Final + - 4.0.13.Final + - 4.0.14.Beta1 + - 4.0.14.Final + - 4.0.15.Final + - 4.0.16.Final + - 4.0.17.Final + - 4.0.18.Final + - 4.0.19.Final + - 4.0.2.Final + - 4.0.20.Final + - 4.0.21.Final + - 4.0.22.Final + - 4.0.23.Final + - 4.0.24.Final + - 4.0.25.Final + - 4.0.26.Final + - 4.0.27.Final + - 4.0.28.Final + - 4.0.29.Final + - 4.0.3.Final + - 4.0.30.Final + - 4.0.31.Final + - 4.0.32.Final + - 4.0.33.Final + - 4.0.34.Final + - 4.0.35.Final + - 4.0.36.Final + - 4.0.37.Final + - 4.0.38.Final + - 4.0.39.Final + - 4.0.4.Final + - 4.0.40.Final + - 4.0.41.Final + - 4.0.42.Final + - 4.0.43.Final + - 4.0.44.Final + - 4.0.45.Final + - 4.0.46.Final + - 4.0.47.Final + - 4.0.48.Final + - 4.0.49.Final + - 4.0.5.Final + - 4.0.50.Final + - 4.0.51.Final + - 4.0.52.Final + - 4.0.53.Final + - 4.0.54.Final + - 4.0.55.Final + - 4.0.56.Final + - 4.0.6.Final + - 4.0.7.Final + - 4.0.8.Final + - 4.0.9.Final + - 4.1.0.Beta1 + - 4.1.0.Beta2 + - 4.1.0.Beta3 + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + 
- 4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.44.Final + - 4.1.45.Final + - 4.1.46.Final + - 4.1.47.Final + - 4.1.48.Final + - 4.1.49.Final + - 4.1.5.Final + - 4.1.50.Final + - 4.1.51.Final + - 4.1.52.Final + - 4.1.53.Final + - 4.1.54.Final + - 4.1.55.Final + - 4.1.56.Final + - 4.1.57.Final + - 4.1.58.Final + - 4.1.59.Final + - 4.1.6.Final + - 4.1.60.Final + - 4.1.61.Final + - 4.1.62.Final + - 4.1.63.Final + - 4.1.64.Final + - 4.1.65.Final + - 4.1.66.Final + - 4.1.67.Final + - 4.1.68.Final + - 4.1.69.Final + - 4.1.7.Final + - 4.1.70.Final + - 4.1.8.Final + - 4.1.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wx5j-54mm-rqqq/GHSA-wx5j-54mm-rqqq.json + - package: + ecosystem: Maven + name: org.jboss.netty:netty + purl: pkg:maven/org.jboss.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.0.0.CR1 + - 3.0.0.CR2 + - 3.0.0.CR3 + - 3.0.0.CR4 + - 3.0.0.CR5 + - 3.0.0.GA + - 3.0.1.GA + - 3.0.2.GA + - 3.1.0.ALPHA1 + - 3.1.0.ALPHA2 + - 3.1.0.ALPHA3 + - 3.1.0.ALPHA4 + - 3.1.0.BETA1 + - 3.1.0.BETA2 + - 3.1.0.BETA3 + - 3.1.0.CR1 + - 3.1.0.GA + - 3.1.1.GA + - 3.1.2.GA + - 3.1.3.GA + - 3.1.4.GA + - 3.1.5.GA + - 3.2.0.ALPHA1 + - 3.2.0.ALPHA2 + - 3.2.0.ALPHA3 + - 3.2.0.ALPHA4 + - 3.2.0.BETA1 + - 3.2.0.CR1 + - 3.2.0.Final + - 3.2.1.Final + - 3.2.10.Final + - 3.2.2.Final + - 3.2.3.Final + - 3.2.4.Final + - 3.2.5.Final + - 3.2.6.Final + - 3.2.7.Final + - 3.2.8.Final + - 3.2.9.Final + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wx5j-54mm-rqqq/GHSA-wx5j-54mm-rqqq.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.10.0.Final + - 3.10.1.Final + - 3.10.2.Final + - 3.10.3.Final + - 
3.10.4.Final + - 3.10.5.Final + - 3.10.6.Final + - 3.3.0.Final + - 3.3.1.Final + - 3.4.0.Alpha1 + - 3.4.0.Alpha2 + - 3.4.0.Beta1 + - 3.4.0.Final + - 3.4.1.Final + - 3.4.2.Final + - 3.4.3.Final + - 3.4.4.Final + - 3.4.5.Final + - 3.4.6.Final + - 3.5.0.Beta1 + - 3.5.0.Final + - 3.5.1.Final + - 3.5.10.Final + - 3.5.11.Final + - 3.5.12.Final + - 3.5.13.Final + - 3.5.2.Final + - 3.5.3.Final + - 3.5.4.Final + - 3.5.5.Final + - 3.5.6.Final + - 3.5.7.Final + - 3.5.8.Final + - 3.5.9.Final + - 3.6.0.Beta1 + - 3.6.0.Final + - 3.6.1.Final + - 3.6.10.Final + - 3.6.2.Final + - 3.6.3.Final + - 3.6.4.Final + - 3.6.5.Final + - 3.6.6.Final + - 3.6.7.Final + - 3.6.8.Final + - 3.6.9.Final + - 3.7.0.Final + - 3.7.1.Final + - 3.8.0.Final + - 3.8.1.Final + - 3.8.2.Final + - 3.8.3.Final + - 3.9.0.Final + - 3.9.1.1.Final + - 3.9.1.Final + - 3.9.2.Final + - 3.9.3.Final + - 3.9.4.Final + - 3.9.5.Final + - 3.9.6.Final + - 3.9.7.Final + - 3.9.8.Final + - 3.9.9.Final + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wx5j-54mm-rqqq/GHSA-wx5j-54mm-rqqq.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N + references: + - type: WEB + url: https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-43797 + - type: WEB + url: https://github.com/netty/netty/pull/11891 + - type: WEB + url: https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323 + - type: WEB + url: https://github.com/netty/netty + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220107-0003 + - type: WEB + url: 
https://www.debian.org/security/2023/dsa-5316 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + database_specific: + cwe_ids: + - CWE-444 + github_reviewed: true + github_reviewed_at: "2021-12-09T18:17:28Z" + nvd_published_at: "2021-12-09T19:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-xfv3-rrfm-f2rv + modified: 2024-02-16T08:04:08.95464Z + published: 2020-06-30T21:01:21Z + aliases: + - CVE-2015-2156 + summary: Information Exposure in Netty + details: Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters. + affected: + - package: + ecosystem: Maven + name: io.netty:netty-parent + purl: pkg:maven/io.netty/netty-parent + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0 + - fixed: 4.0.28.Final + versions: + - 4.0.0.Final + - 4.0.1.Final + - 4.0.10.Final + - 4.0.11.Final + - 4.0.12.Final + - 4.0.13.Final + - 4.0.14.Beta1 + - 4.0.14.Final + - 4.0.15.Final + - 4.0.16.Final + - 4.0.17.Final + - 4.0.18.Final + - 4.0.19.Final + - 4.0.2.Final + - 4.0.20.Final + - 4.0.21.Final + - 4.0.22.Final + - 4.0.23.Final + - 4.0.24.Final + - 4.0.25.Final + - 4.0.26.Final + - 4.0.27.Final + - 4.0.3.Final + - 4.0.4.Final + - 4.0.5.Final + - 4.0.6.Final + - 4.0.7.Final + - 4.0.8.Final + - 4.0.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json + - package: + ecosystem: Maven + name: org.jboss.netty:netty + purl: pkg:maven/org.jboss.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.9.8.Final + versions: + - 3.0.0.CR1 + - 3.0.0.CR2 + - 3.0.0.CR3 + 
- 3.0.0.CR4 + - 3.0.0.CR5 + - 3.0.0.GA + - 3.0.1.GA + - 3.0.2.GA + - 3.1.0.ALPHA1 + - 3.1.0.ALPHA2 + - 3.1.0.ALPHA3 + - 3.1.0.ALPHA4 + - 3.1.0.BETA1 + - 3.1.0.BETA2 + - 3.1.0.BETA3 + - 3.1.0.CR1 + - 3.1.0.GA + - 3.1.1.GA + - 3.1.2.GA + - 3.1.3.GA + - 3.1.4.GA + - 3.1.5.GA + - 3.2.0.ALPHA1 + - 3.2.0.ALPHA2 + - 3.2.0.ALPHA3 + - 3.2.0.ALPHA4 + - 3.2.0.BETA1 + - 3.2.0.CR1 + - 3.2.0.Final + - 3.2.1.Final + - 3.2.10.Final + - 3.2.2.Final + - 3.2.3.Final + - 3.2.4.Final + - 3.2.5.Final + - 3.2.6.Final + - 3.2.7.Final + - 3.2.8.Final + - 3.2.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json + - package: + ecosystem: Maven + name: org.jboss.netty:netty + purl: pkg:maven/org.jboss.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.10.0 + - fixed: 3.10.3.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.10.0 + - fixed: 3.10.3.Final + versions: + - 3.10.0.Final + - 3.10.1.Final + - 3.10.2.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.9.8.Final + versions: + - 3.3.0.Final + - 3.3.1.Final + - 3.4.0.Alpha1 + - 3.4.0.Alpha2 + - 3.4.0.Beta1 + - 3.4.0.Final + - 3.4.1.Final + - 3.4.2.Final + - 3.4.3.Final + - 3.4.4.Final + - 3.4.5.Final + - 3.4.6.Final + - 3.5.0.Beta1 + - 3.5.0.Final + - 3.5.1.Final + - 3.5.10.Final + - 3.5.11.Final + - 3.5.12.Final + - 3.5.13.Final + - 3.5.2.Final + - 3.5.3.Final + - 
3.5.4.Final + - 3.5.5.Final + - 3.5.6.Final + - 3.5.7.Final + - 3.5.8.Final + - 3.5.9.Final + - 3.6.0.Beta1 + - 3.6.0.Final + - 3.6.1.Final + - 3.6.10.Final + - 3.6.2.Final + - 3.6.3.Final + - 3.6.4.Final + - 3.6.5.Final + - 3.6.6.Final + - 3.6.7.Final + - 3.6.8.Final + - 3.6.9.Final + - 3.7.0.Final + - 3.7.1.Final + - 3.8.0.Final + - 3.8.1.Final + - 3.8.2.Final + - 3.8.3.Final + - 3.9.0.Final + - 3.9.1.1.Final + - 3.9.1.Final + - 3.9.2.Final + - 3.9.3.Final + - 3.9.4.Final + - 3.9.5.Final + - 3.9.6.Final + - 3.9.7.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2015-2156 + - type: WEB + url: https://github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9 + - type: WEB + url: https://github.com/netty/netty/pull/3754 + - type: WEB + url: https://github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55 + - type: WEB + url: https://github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752 + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=1222923 + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: 
https://snyk.io/vuln/SNYK-JAVA-IONETTY-73571 + - type: WEB + url: https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass + - type: WEB + url: http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html + - type: WEB + url: http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html + - type: WEB + url: http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html + - type: WEB + url: http://www.openwall.com/lists/oss-security/2015/05/17/1 + - type: WEB + url: http://www.securityfocus.com/bid/74704 + database_specific: + cwe_ids: + - CWE-20 + github_reviewed: true + github_reviewed_at: "2020-06-30T20:59:55Z" + nvd_published_at: null + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-7vpq-g998-qpv7 + modified: 2024-04-16T16:16:02.819787Z + published: 2022-05-13T01:54:02Z + aliases: + - CVE-2014-0193 + summary: Netty denial of service vulnerability + details: '`WebSocket08FrameDecoder` in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a `TextWebSocketFrame` followed by a long stream of `ContinuationWebSocketFrames`.' 
+ affected: + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.6.0.Beta1 + - fixed: 3.6.9.Final + versions: + - 3.6.0.Beta1 + - 3.6.0.Final + - 3.6.1.Final + - 3.6.2.Final + - 3.6.3.Final + - 3.6.4.Final + - 3.6.5.Final + - 3.6.6.Final + - 3.6.7.Final + - 3.6.8.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.7.0.Final + - fixed: 3.7.1.Final + versions: + - 3.7.0.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.8.0.Final + - fixed: 3.8.2.Final + versions: + - 3.8.0.Final + - 3.8.1.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.9.0.Final + - fixed: 3.9.1.Final + versions: + - 3.9.0.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0.Alpha1 + - fixed: 4.0.19.Final + versions: + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + 
database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json + - package: + ecosystem: Maven + name: io.netty:netty-all + purl: pkg:maven/io.netty/netty-all + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0.Alpha1 + - fixed: 4.0.19.Final + versions: + - 4.0.0.Beta1 + - 4.0.0.Beta2 + - 4.0.0.Beta3 + - 4.0.0.CR1 + - 4.0.0.CR2 + - 4.0.0.CR3 + - 4.0.0.CR4 + - 4.0.0.CR5 + - 4.0.0.CR6 + - 4.0.0.CR7 + - 4.0.0.CR8 + - 4.0.0.CR9 + - 4.0.0.Final + - 4.0.1.Final + - 4.0.10.Final + - 4.0.11.Final + - 4.0.12.Final + - 4.0.13.Final + - 4.0.14.Beta1 + - 4.0.14.Final + - 4.0.15.Final + - 4.0.16.Final + - 4.0.17.Final + - 4.0.18.Final + - 4.0.2.Final + - 4.0.3.Final + - 4.0.4.Final + - 4.0.5.Final + - 4.0.6.Final + - 4.0.7.Final + - 4.0.8.Final + - 4.0.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2014-0193 + - type: WEB + url: https://github.com/netty/netty/issues/2441 + - type: WEB + url: https://github.com/netty/netty/commit/8599ab5bdb761bb99d41a975d689f74c12e4892b + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html + - type: WEB + url: https://web.archive.org/web/20140509033427/http://www.securityfocus.com/bid/67182 + - type: WEB + url: https://web.archive.org/web/20140509044857/http://secunia.com/advisories/58280 + - type: WEB + url: 
https://web.archive.org/web/20161119201425/http://secunia.com/advisories/59290 + - type: WEB + url: http://netty.io/news/2014/04/30/release-day.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1019.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1020.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1021.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1351.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0675.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0720.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0765.html + database_specific: + cwe_ids: [] + github_reviewed: true + github_reviewed_at: "2023-08-07T20:25:36Z" + nvd_published_at: "2014-05-06T14:55:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-p979-4mfw-53vg + modified: 2024-05-21T17:15:48.126109Z + published: 2019-10-11T18:41:23Z + aliases: + - CVE-2019-16869 + summary: HTTP Request Smuggling in Netty + details: 'Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.' 
+ affected: + - package: + ecosystem: Maven + name: io.netty:netty-all + purl: pkg:maven/io.netty/netty-all + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0.Alpha1 + - fixed: 4.1.42.Final + versions: + - 4.0.0.Beta1 + - 4.0.0.Beta2 + - 4.0.0.Beta3 + - 4.0.0.CR1 + - 4.0.0.CR2 + - 4.0.0.CR3 + - 4.0.0.CR4 + - 4.0.0.CR5 + - 4.0.0.CR6 + - 4.0.0.CR7 + - 4.0.0.CR8 + - 4.0.0.CR9 + - 4.0.0.Final + - 4.0.1.Final + - 4.0.10.Final + - 4.0.11.Final + - 4.0.12.Final + - 4.0.13.Final + - 4.0.14.Beta1 + - 4.0.14.Final + - 4.0.15.Final + - 4.0.16.Final + - 4.0.17.Final + - 4.0.18.Final + - 4.0.19.Final + - 4.0.2.Final + - 4.0.20.Final + - 4.0.21.Final + - 4.0.22.Final + - 4.0.23.Final + - 4.0.24.Final + - 4.0.25.Final + - 4.0.26.Final + - 4.0.27.Final + - 4.0.28.Final + - 4.0.29.Final + - 4.0.3.Final + - 4.0.30.Final + - 4.0.31.Final + - 4.0.32.Final + - 4.0.33.Final + - 4.0.34.Final + - 4.0.35.Final + - 4.0.36.Final + - 4.0.37.Final + - 4.0.38.Final + - 4.0.39.Final + - 4.0.4.Final + - 4.0.40.Final + - 4.0.41.Final + - 4.0.42.Final + - 4.0.43.Final + - 4.0.44.Final + - 4.0.45.Final + - 4.0.46.Final + - 4.0.47.Final + - 4.0.48.Final + - 4.0.49.Final + - 4.0.5.Final + - 4.0.50.Final + - 4.0.51.Final + - 4.0.52.Final + - 4.0.53.Final + - 4.0.54.Final + - 4.0.55.Final + - 4.0.56.Final + - 4.0.6.Final + - 4.0.7.Final + - 4.0.8.Final + - 4.0.9.Final + - 4.1.0.Beta1 + - 4.1.0.Beta2 + - 4.1.0.Beta3 + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 4.1.3.Final + - 
4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + - 4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.5.Final + - 4.1.6.Final + - 4.1.7.Final + - 4.1.8.Final + - 4.1.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-p979-4mfw-53vg/GHSA-p979-4mfw-53vg.json + - package: + ecosystem: Maven + name: org.jboss.netty:netty + purl: pkg:maven/org.jboss.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.0.0.CR1 + - 3.0.0.CR2 + - 3.0.0.CR3 + - 3.0.0.CR4 + - 3.0.0.CR5 + - 3.0.0.GA + - 3.0.1.GA + - 3.0.2.GA + - 3.1.0.ALPHA1 + - 3.1.0.ALPHA2 + - 3.1.0.ALPHA3 + - 3.1.0.ALPHA4 + - 3.1.0.BETA1 + - 3.1.0.BETA2 + - 3.1.0.BETA3 + - 3.1.0.CR1 + - 3.1.0.GA + - 3.1.1.GA + - 3.1.2.GA + - 3.1.3.GA + - 3.1.4.GA + - 3.1.5.GA + - 3.2.0.ALPHA1 + - 3.2.0.ALPHA2 + - 3.2.0.ALPHA3 + - 3.2.0.ALPHA4 + - 3.2.0.BETA1 + - 3.2.0.CR1 + - 3.2.0.Final + - 3.2.1.Final + - 3.2.10.Final + - 3.2.2.Final + - 3.2.3.Final + - 3.2.4.Final + - 3.2.5.Final + - 3.2.6.Final + - 3.2.7.Final + - 3.2.8.Final + - 3.2.9.Final + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-p979-4mfw-53vg/GHSA-p979-4mfw-53vg.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-16869 + - type: WEB + url: https://github.com/netty/netty/issues/9571 + - type: WEB + url: https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4@%3Ccommon-commits.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r831e0548fad736a98140d0b3b7dc575af0c50faea0b266434ba813cc@%3Cdev.rocketmq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r73c400ab66d79821dec9e3472f0e2c048d528672bdb0f8bf44d7cb1f@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3225f7dfe6b8a37e800ecb8e31abd7ac6c4312dbd3223dd8139c37bb@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e@%3Ccommits.camel.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/f6c5ebfb018787c764f000362d59e4b231c0a36b6253aa866de8c64e@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ee6faea9e542c0b90afd70297a9daa203e20d41aa2ac7fca6703662f@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e39931d7cdd17241e69a0a09a89d99d7435bcc59afee8a9628d67769@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e192fe8797c192679759ffa6b15e4d0806546945a41d8ebfbc6ee3ac@%3Ccommits.tinkerpop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/d7d530599dc7813056c712213e367b68cdf56fb5c9b73f864870bc4c@%3Cdev.olingo.apache.org%3E + - type: WEB + url: https://www.debian.org/security/2020/dsa-4597 + - type: WEB + url: https://usn.ubuntu.com/4532-1 + - type: WEB + url: https://seclists.org/bugtraq/2020/Jan/6 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/09/msg00035.html + - type: WEB + url: https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9@%3Ccommon-commits.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcddf723a4b4117f8ed6042e9ac25e8c5110a617bab77694b61b14833@%3Cdev.rocketmq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6@%3Ccommon-commits.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb25b42f666d2cac5e6e6b3f771faf60d1f1aa58073dcdd8db14edf8a@%3Cdev.rocketmq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6063699b87b501ecca8dd3b0e82251bfc85f29363a9b46ac5ace80cf@%3Cdev.olingo.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/51923a9ba513b2e816e02a9d1fd8aa6f12e3e4e99bbd9dc884bccbbe@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3e6d7aae1cca10257e3caf2d69b22f74c875f12a1314155af422569d@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/380f6d2730603a2cd6b0a8bea9bcb21a86c199147e77e448c5f7390b@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/37ed432b8eb35d8bd757f53783ec3e334bd51f514534432bea7f1c3d@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/35961d1ae00849974353a932b4fef12ebce074541552eceefa04f1fd@%3Cdev.olingo.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/2e1cf538b502713c2c42ffa46d81f4688edb5676eb55bd9fc4b4fed7@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/2494a2ac7f66af6e4646a4937b17972a4ec7cd3c7333c66ffd6c639d@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/19fed892608db1efe5a5ce14372137669ff639df0205323959af7de3@%3Cdev.olingo.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/0acadfb96176768caac79b404110df62d14d30aa9d53b6dbdb1407ac@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://github.com/netty/netty/compare/netty-4.1.41.Final...netty-4.1.42.Final + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0445 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0164 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0161 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0160 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0159 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3901 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3892 + - type: WEB + url: https://lists.apache.org/thread.html/d3eb0dbea75ef5c400bd49dfa1901ad50be606cca3cb29e0d01b6a54@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/d14f721e0099b914daebe29bca199fde85d8354253be9d6d3d46507a@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/cf5aa087632ead838f8ac3a42e9837684e7afe6e0fcb7704e0c73bc0@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/cbf6e6a04cb37e9320ad20e437df63beeab1755fc0761918ed5c5a6e@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/bdf7a5e597346a75d2d884ca48c767525e35137ad59d8f10b8fc943c@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b3ddeebbfaf8a288d7de8ab2611cf2609ab76b9809f0633248546b7c@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b3dda6399a0ea2b647624b899fd330fca81834e41b13e3e11e1002d8@%3Cdev.olingo.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b2cd51795f938632c6f60a4c59d9e587fbacd7f7d0e0a3684850a30f@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b264fa5801e87698e9f43f2b5585fbc5ebdc26c6f4aad861b258fb69@%3Cdev.olingo.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/af6e9c2d716868606523857a4cd7a5ee506e6d1710f5fb0d567ec030@%3Cdev.olingo.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/a0f77c73af32cbe4ff0968bfcbbe80ae6361f3dccdd46f3177547266@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/9128111213b7b734ffc85db08d8f789b00a85a7f241b708e55debbd0@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/860acce024d79837e963a51a42bab2cef8e8d017aad2b455ecd1dcf0@%3Cissues.spark.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/799eb85d67cbddc1851a3e63a07b55e95b2f44f1685225d38570ce89@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/76540c8b0ed761bfa6c81fa28c13057f13a5448aed079d656f6a3c79@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6e1e34c0d5635a987d595df9e532edac212307243bb1b49eead6d55b@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/681493a2f9b63f5b468f741d88d1aa51b2cfcf7a1c5b74ea8c4343fb@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/64b10f49c68333aaecf00348c5670fe182e49fd60d45c4a3ab241f8b@%3Cissues.spark.apache.org%3E + database_specific: + cwe_ids: + - CWE-444 + github_reviewed: true + github_reviewed_at: "2019-09-30T14:47:35Z" + nvd_published_at: "2019-09-26T16:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-9vjp-v76f-g363 + modified: 2024-03-11T05:32:25.452063Z + published: 2021-09-09T17:11:31Z + aliases: + - CVE-2021-37137 + summary: ' SnappyFrameDecoder doesn''t restrict chunk length any may buffer skippable chunks in an unnecessary way' + details: |- + ### Impact + The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. + + This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. + + ### Impact + + All users of SnappyFrameDecoder are affected and so the application may be in risk for a DoS attach due excessive memory usage. 
+ + ### References + https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79 + https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171 + https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185 + affected: + - package: + ecosystem: Maven + name: io.netty:netty-codec + purl: pkg:maven/io.netty/netty-codec + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0 + - fixed: 4.1.68.Final + versions: + - 4.0.0.Final + - 4.0.1.Final + - 4.0.10.Final + - 4.0.11.Final + - 4.0.12.Final + - 4.0.13.Final + - 4.0.14.Beta1 + - 4.0.14.Final + - 4.0.15.Final + - 4.0.16.Final + - 4.0.17.Final + - 4.0.18.Final + - 4.0.19.Final + - 4.0.2.Final + - 4.0.20.Final + - 4.0.21.Final + - 4.0.22.Final + - 4.0.23.Final + - 4.0.24.Final + - 4.0.25.Final + - 4.0.26.Final + - 4.0.27.Final + - 4.0.28.Final + - 4.0.29.Final + - 4.0.3.Final + - 4.0.30.Final + - 4.0.31.Final + - 4.0.32.Final + - 4.0.33.Final + - 4.0.34.Final + - 4.0.35.Final + - 4.0.36.Final + - 4.0.37.Final + - 4.0.38.Final + - 4.0.39.Final + - 4.0.4.Final + - 4.0.40.Final + - 4.0.41.Final + - 4.0.42.Final + - 4.0.43.Final + - 4.0.44.Final + - 4.0.45.Final + - 4.0.46.Final + - 4.0.47.Final + - 4.0.48.Final + - 4.0.49.Final + - 4.0.5.Final + - 4.0.50.Final + - 4.0.51.Final + - 4.0.52.Final + - 4.0.53.Final + - 4.0.54.Final + - 4.0.55.Final + - 4.0.56.Final + - 4.0.6.Final + - 4.0.7.Final + - 4.0.8.Final + - 4.0.9.Final + - 4.1.0.Beta1 + - 4.1.0.Beta2 + - 4.1.0.Beta3 + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 
4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + - 4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.44.Final + - 4.1.45.Final + - 4.1.46.Final + - 4.1.47.Final + - 4.1.48.Final + - 4.1.49.Final + - 4.1.5.Final + - 4.1.50.Final + - 4.1.51.Final + - 4.1.52.Final + - 4.1.53.Final + - 4.1.54.Final + - 4.1.55.Final + - 4.1.56.Final + - 4.1.57.Final + - 4.1.58.Final + - 4.1.59.Final + - 4.1.6.Final + - 4.1.60.Final + - 4.1.61.Final + - 4.1.62.Final + - 4.1.63.Final + - 4.1.64.Final + - 4.1.65.Final + - 4.1.66.Final + - 4.1.67.Final + - 4.1.7.Final + - 4.1.8.Final + - 4.1.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9vjp-v76f-g363/GHSA-9vjp-v76f-g363.json + - package: + ecosystem: Maven + name: org.jboss.netty:netty + purl: pkg:maven/org.jboss.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.0.0.CR1 + - 3.0.0.CR2 + - 3.0.0.CR3 + - 3.0.0.CR4 + - 3.0.0.CR5 + - 3.0.0.GA + - 3.0.1.GA + - 3.0.2.GA + - 3.1.0.ALPHA1 + - 3.1.0.ALPHA2 + - 3.1.0.ALPHA3 + - 3.1.0.ALPHA4 + - 3.1.0.BETA1 + - 3.1.0.BETA2 + - 3.1.0.BETA3 + - 3.1.0.CR1 + - 3.1.0.GA + - 3.1.1.GA + - 3.1.2.GA + - 3.1.3.GA + - 3.1.4.GA + - 3.1.5.GA + - 3.2.0.ALPHA1 + - 3.2.0.ALPHA2 + - 3.2.0.ALPHA3 + - 3.2.0.ALPHA4 + - 3.2.0.BETA1 + - 3.2.0.CR1 + - 3.2.0.Final + - 3.2.1.Final + - 3.2.10.Final + - 3.2.2.Final + - 3.2.3.Final + - 3.2.4.Final + - 3.2.5.Final + - 3.2.6.Final + - 3.2.7.Final + - 3.2.8.Final + - 3.2.9.Final + database_specific: + last_known_affected_version_range: < 
4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9vjp-v76f-g363/GHSA-9vjp-v76f-g363.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.10.0.Final + - 3.10.1.Final + - 3.10.2.Final + - 3.10.3.Final + - 3.10.4.Final + - 3.10.5.Final + - 3.10.6.Final + - 3.3.0.Final + - 3.3.1.Final + - 3.4.0.Alpha1 + - 3.4.0.Alpha2 + - 3.4.0.Beta1 + - 3.4.0.Final + - 3.4.1.Final + - 3.4.2.Final + - 3.4.3.Final + - 3.4.4.Final + - 3.4.5.Final + - 3.4.6.Final + - 3.5.0.Beta1 + - 3.5.0.Final + - 3.5.1.Final + - 3.5.10.Final + - 3.5.11.Final + - 3.5.12.Final + - 3.5.13.Final + - 3.5.2.Final + - 3.5.3.Final + - 3.5.4.Final + - 3.5.5.Final + - 3.5.6.Final + - 3.5.7.Final + - 3.5.8.Final + - 3.5.9.Final + - 3.6.0.Beta1 + - 3.6.0.Final + - 3.6.1.Final + - 3.6.10.Final + - 3.6.2.Final + - 3.6.3.Final + - 3.6.4.Final + - 3.6.5.Final + - 3.6.6.Final + - 3.6.7.Final + - 3.6.8.Final + - 3.6.9.Final + - 3.7.0.Final + - 3.7.1.Final + - 3.8.0.Final + - 3.8.1.Final + - 3.8.2.Final + - 3.8.3.Final + - 3.9.0.Final + - 3.9.1.1.Final + - 3.9.1.Final + - 3.9.2.Final + - 3.9.3.Final + - 3.9.4.Final + - 3.9.5.Final + - 3.9.6.Final + - 3.9.7.Final + - 3.9.8.Final + - 3.9.9.Final + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9vjp-v76f-g363/GHSA-9vjp-v76f-g363.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: WEB + url: https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363 + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-37137 + - type: WEB + url: 
https://github.com/netty/netty/commit/6da4956b31023ae967451e1d94ff51a746a9194f + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.debian.org/security/2023/dsa-5316 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220210-0012 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html + - type: WEB + url: https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79 + - type: WEB + url: https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185 + - type: WEB + url: https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171 + - type: PACKAGE + url: https://github.com/netty/netty + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + 
github_reviewed_at: "2021-09-09T14:44:10Z" + nvd_published_at: "2021-10-19T15:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-grg4-wf29-r9vv + modified: 2024-03-11T05:19:43.92959Z + published: 2021-09-09T17:11:21Z + aliases: + - CVE-2021-37136 + summary: Bzip2Decoder doesn't allow setting size restrictions for decompressed data + details: |- + ### Impact + The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). + + + All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack + + ### Workarounds + No workarounds other than not using the `Bzip2Decoder` + + ### References + + Relevant code areas: + + https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80 + https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294 + https://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305 + affected: + - package: + ecosystem: Maven + name: io.netty:netty-codec + purl: pkg:maven/io.netty/netty-codec + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 4.1.68.Final + versions: + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + - 4.0.0.Beta1 + - 4.0.0.Beta2 + - 4.0.0.Beta3 + - 4.0.0.CR1 + - 4.0.0.CR2 + - 4.0.0.CR3 + - 4.0.0.CR4 + - 4.0.0.CR5 + - 4.0.0.CR6 + - 4.0.0.CR7 + - 4.0.0.CR8 + - 4.0.0.CR9 + - 4.0.0.Final + - 4.0.1.Final + - 4.0.10.Final + - 4.0.11.Final + - 4.0.12.Final + - 4.0.13.Final + - 4.0.14.Beta1 + - 4.0.14.Final + - 4.0.15.Final + - 4.0.16.Final + - 4.0.17.Final + - 4.0.18.Final + - 4.0.19.Final + - 4.0.2.Final + - 4.0.20.Final + - 4.0.21.Final + - 4.0.22.Final + - 
4.0.23.Final + - 4.0.24.Final + - 4.0.25.Final + - 4.0.26.Final + - 4.0.27.Final + - 4.0.28.Final + - 4.0.29.Final + - 4.0.3.Final + - 4.0.30.Final + - 4.0.31.Final + - 4.0.32.Final + - 4.0.33.Final + - 4.0.34.Final + - 4.0.35.Final + - 4.0.36.Final + - 4.0.37.Final + - 4.0.38.Final + - 4.0.39.Final + - 4.0.4.Final + - 4.0.40.Final + - 4.0.41.Final + - 4.0.42.Final + - 4.0.43.Final + - 4.0.44.Final + - 4.0.45.Final + - 4.0.46.Final + - 4.0.47.Final + - 4.0.48.Final + - 4.0.49.Final + - 4.0.5.Final + - 4.0.50.Final + - 4.0.51.Final + - 4.0.52.Final + - 4.0.53.Final + - 4.0.54.Final + - 4.0.55.Final + - 4.0.56.Final + - 4.0.6.Final + - 4.0.7.Final + - 4.0.8.Final + - 4.0.9.Final + - 4.1.0.Beta1 + - 4.1.0.Beta2 + - 4.1.0.Beta3 + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + - 4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.44.Final + - 4.1.45.Final + - 4.1.46.Final + - 4.1.47.Final + - 4.1.48.Final + - 4.1.49.Final + - 4.1.5.Final + - 4.1.50.Final + - 4.1.51.Final + - 4.1.52.Final + - 4.1.53.Final + - 4.1.54.Final + - 4.1.55.Final + - 4.1.56.Final + - 4.1.57.Final + - 4.1.58.Final + - 4.1.59.Final + - 4.1.6.Final + - 4.1.60.Final + - 4.1.61.Final + - 4.1.62.Final + - 4.1.63.Final + - 4.1.64.Final + - 4.1.65.Final + - 4.1.66.Final + - 
4.1.67.Final + - 4.1.7.Final + - 4.1.8.Final + - 4.1.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json + - package: + ecosystem: Maven + name: org.jboss.netty:netty + purl: pkg:maven/org.jboss.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.0.0.CR1 + - 3.0.0.CR2 + - 3.0.0.CR3 + - 3.0.0.CR4 + - 3.0.0.CR5 + - 3.0.0.GA + - 3.0.1.GA + - 3.0.2.GA + - 3.1.0.ALPHA1 + - 3.1.0.ALPHA2 + - 3.1.0.ALPHA3 + - 3.1.0.ALPHA4 + - 3.1.0.BETA1 + - 3.1.0.BETA2 + - 3.1.0.BETA3 + - 3.1.0.CR1 + - 3.1.0.GA + - 3.1.1.GA + - 3.1.2.GA + - 3.1.3.GA + - 3.1.4.GA + - 3.1.5.GA + - 3.2.0.ALPHA1 + - 3.2.0.ALPHA2 + - 3.2.0.ALPHA3 + - 3.2.0.ALPHA4 + - 3.2.0.BETA1 + - 3.2.0.CR1 + - 3.2.0.Final + - 3.2.1.Final + - 3.2.10.Final + - 3.2.2.Final + - 3.2.3.Final + - 3.2.4.Final + - 3.2.5.Final + - 3.2.6.Final + - 3.2.7.Final + - 3.2.8.Final + - 3.2.9.Final + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.10.0.Final + - 3.10.1.Final + - 3.10.2.Final + - 3.10.3.Final + - 3.10.4.Final + - 3.10.5.Final + - 3.10.6.Final + - 3.3.0.Final + - 3.3.1.Final + - 3.4.0.Alpha1 + - 3.4.0.Alpha2 + - 3.4.0.Beta1 + - 3.4.0.Final + - 3.4.1.Final + - 3.4.2.Final + - 3.4.3.Final + - 3.4.4.Final + - 3.4.5.Final + - 3.4.6.Final + - 3.5.0.Beta1 + - 3.5.0.Final + - 3.5.1.Final + - 3.5.10.Final + - 3.5.11.Final + - 3.5.12.Final + - 3.5.13.Final + - 3.5.2.Final + - 3.5.3.Final + - 3.5.4.Final + - 3.5.5.Final + - 3.5.6.Final + - 3.5.7.Final + - 3.5.8.Final + - 3.5.9.Final + - 3.6.0.Beta1 + - 3.6.0.Final + - 3.6.1.Final + - 3.6.10.Final + - 3.6.2.Final 
+ - 3.6.3.Final + - 3.6.4.Final + - 3.6.5.Final + - 3.6.6.Final + - 3.6.7.Final + - 3.6.8.Final + - 3.6.9.Final + - 3.7.0.Final + - 3.7.1.Final + - 3.8.0.Final + - 3.8.1.Final + - 3.8.2.Final + - 3.8.3.Final + - 3.9.0.Final + - 3.9.1.1.Final + - 3.9.1.Final + - 3.9.2.Final + - 3.9.3.Final + - 3.9.4.Final + - 3.9.5.Final + - 3.9.6.Final + - 3.9.7.Final + - 3.9.8.Final + - 3.9.9.Final + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: WEB + url: https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-37136 + - type: WEB + url: https://github.com/netty/netty/commit/41d3d61a61608f2223bb364955ab2045dd5e4020 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.debian.org/security/2023/dsa-5316 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220210-0012 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html + - type: WEB + url: https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E + 
- type: WEB + url: https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80 + - type: WEB + url: https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305 + - type: WEB + url: https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294 + - type: PACKAGE + url: https://github.com/netty/netty + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + github_reviewed_at: "2021-09-09T14:36:56Z" + nvd_published_at: "2021-10-19T15:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-fx2c-96vj-985v + modified: 2024-02-16T08:25:02.300508Z + published: 2022-12-12T21:24:29Z + aliases: + - CVE-2022-41881 + summary: HAProxyMessageDecoder Stack Exhaustion DoS + details: | + ### Impact + A StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. + + ### Patches + Users should upgrade to 4.1.86.Final. + + ### Workarounds + There is no workaround, except using a custom HaProxyMessageDecoder. + + ### References + When parsing a TLV with type = PP2_TYPE_SSL, the value can be again a TLV with type = PP2_TYPE_SSL and so on. + The only limitation of the recursion is that the TLV length cannot be bigger than 0xffff because it is encoded in an unsigned short type. + Providing a TLV with a nesting level that is large enough will lead to raising of a StackOverflowError. 
+ The StackOverflowError will be caught if HAProxyMessageDecoder is used as part of Netty’s ChannelPipeline, but using it directly without the ChannelPipeline will lead to a thrown exception / crash. + + + ### For more information + If you have any questions or comments about this advisory: + * Open an issue in [netty](https://github.com/netty/netty) + affected: + - package: + ecosystem: Maven + name: io.netty:netty-codec-haproxy + purl: pkg:maven/io.netty/netty-codec-haproxy + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 4.1.86.Final + versions: + - 4.0.29.Final + - 4.0.30.Final + - 4.0.31.Final + - 4.0.32.Final + - 4.0.33.Final + - 4.0.34.Final + - 4.0.35.Final + - 4.0.36.Final + - 4.0.37.Final + - 4.0.38.Final + - 4.0.39.Final + - 4.0.40.Final + - 4.0.41.Final + - 4.0.42.Final + - 4.0.43.Final + - 4.0.44.Final + - 4.0.45.Final + - 4.0.46.Final + - 4.0.47.Final + - 4.0.48.Final + - 4.0.49.Final + - 4.0.50.Final + - 4.0.51.Final + - 4.0.52.Final + - 4.0.53.Final + - 4.0.54.Final + - 4.0.55.Final + - 4.0.56.Final + - 4.1.0.Beta1 + - 4.1.0.Beta2 + - 4.1.0.Beta3 + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + - 4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.44.Final + - 4.1.45.Final + - 4.1.46.Final + - 
4.1.47.Final + - 4.1.48.Final + - 4.1.49.Final + - 4.1.5.Final + - 4.1.50.Final + - 4.1.51.Final + - 4.1.52.Final + - 4.1.53.Final + - 4.1.54.Final + - 4.1.55.Final + - 4.1.56.Final + - 4.1.57.Final + - 4.1.58.Final + - 4.1.59.Final + - 4.1.6.Final + - 4.1.60.Final + - 4.1.61.Final + - 4.1.62.Final + - 4.1.63.Final + - 4.1.64.Final + - 4.1.65.Final + - 4.1.66.Final + - 4.1.67.Final + - 4.1.68.Final + - 4.1.69.Final + - 4.1.7.Final + - 4.1.70.Final + - 4.1.71.Final + - 4.1.72.Final + - 4.1.73.Final + - 4.1.74.Final + - 4.1.75.Final + - 4.1.76.Final + - 4.1.77.Final + - 4.1.78.Final + - 4.1.79.Final + - 4.1.8.Final + - 4.1.80.Final + - 4.1.81.Final + - 4.1.82.Final + - 4.1.83.Final + - 4.1.84.Final + - 4.1.85.Final + - 4.1.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-fx2c-96vj-985v/GHSA-fx2c-96vj-985v.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + references: + - type: WEB + url: https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-41881 + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20230113-0004 + - type: WEB + url: https://www.debian.org/security/2023/dsa-5316 + database_specific: + cwe_ids: + - CWE-674 + github_reviewed: true + github_reviewed_at: "2022-12-12T21:24:29Z" + nvd_published_at: "2022-12-12T18:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-269q-hmxg-m83q + modified: 2024-02-20T05:29:12.144193Z + published: 2022-05-10T08:46:50Z + aliases: + - CVE-2021-21290 + - CVE-2022-24823 + - GHSA-5mcr-gq6c-3hq2 + summary: Local Information Disclosure Vulnerability in io.netty:netty-codec-http + details: | + ### Description ### + 
[GHSA-5mcr-gq6c-3hq2](https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2) (CVE-2021-21290) contains an insufficient fix for the vulnerability identified. + + ### Impact ### + + When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. + + This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. + + ### Vulnerability Details ### + + To fix the vulnerability the code was changed to the following: + + ```java + @SuppressJava6Requirement(reason = "Guarded by version check") + public static File createTempFile(String prefix, String suffix, File directory) throws IOException { + if (javaVersion() >= 7) { + if (directory == null) { + return Files.createTempFile(prefix, suffix).toFile(); + } + return Files.createTempFile(directory.toPath(), prefix, suffix).toFile(); + } + if (directory == null) { + return File.createTempFile(prefix, suffix); + } + File file = File.createTempFile(prefix, suffix, directory); + // Try to adjust the perms, if this fails there is not much else we can do... + file.setReadable(false, false); + file.setReadable(true, true); + return file; + } + ``` + + Unfortunately, this logic path was left vulnerable: + + ```java + if (directory == null) { + return File.createTempFile(prefix, suffix); + } + ``` + + This file is still readable by all local users. + + ### Patches ### + + Update to 4.1.77.Final + + ### Workarounds ### + + Specify your own `java.io.tmpdir` when you start the JVM or use `DefaultHttpDataFactory.setBaseDir(...)` to set the directory to something that is only readable by the current user or update to Java 7 or above. 
+ + ### References ### + + - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html) + - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html) + + + ### For more information ### + + If you have any questions or comments about this advisory: + + Open an issue in [netty](https://github.com/netty/netty) + affected: + - package: + ecosystem: Maven + name: io.netty:netty-codec-http + purl: pkg:maven/io.netty/netty-codec-http + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 4.1.77.Final + versions: + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + - 4.0.0.Beta1 + - 4.0.0.Beta2 + - 4.0.0.Beta3 + - 4.0.0.CR1 + - 4.0.0.CR2 + - 4.0.0.CR3 + - 4.0.0.CR4 + - 4.0.0.CR5 + - 4.0.0.CR6 + - 4.0.0.CR7 + - 4.0.0.CR8 + - 4.0.0.CR9 + - 4.0.0.Final + - 4.0.1.Final + - 4.0.10.Final + - 4.0.11.Final + - 4.0.12.Final + - 4.0.13.Final + - 4.0.14.Beta1 + - 4.0.14.Final + - 4.0.15.Final + - 4.0.16.Final + - 4.0.17.Final + - 4.0.18.Final + - 4.0.19.Final + - 4.0.2.Final + - 4.0.20.Final + - 4.0.21.Final + - 4.0.22.Final + - 4.0.23.Final + - 4.0.24.Final + - 4.0.25.Final + - 4.0.26.Final + - 4.0.27.Final + - 4.0.28.Final + - 4.0.29.Final + - 4.0.3.Final + - 4.0.30.Final + - 4.0.31.Final + - 4.0.32.Final + - 4.0.33.Final + - 4.0.34.Final + - 4.0.35.Final + - 4.0.36.Final + - 4.0.37.Final + - 4.0.38.Final + - 4.0.39.Final + - 4.0.4.Final + - 4.0.40.Final + - 4.0.41.Final + - 4.0.42.Final + - 4.0.43.Final + - 4.0.44.Final + - 4.0.45.Final + - 4.0.46.Final + - 4.0.47.Final + - 4.0.48.Final + - 4.0.49.Final + - 4.0.5.Final + - 4.0.50.Final + - 4.0.51.Final + - 4.0.52.Final + - 4.0.53.Final + - 4.0.54.Final + - 4.0.55.Final + - 4.0.56.Final + - 4.0.6.Final + - 4.0.7.Final + - 4.0.8.Final + - 4.0.9.Final + - 4.1.0.Beta1 + - 4.1.0.Beta2 + - 4.1.0.Beta3 + - 4.1.0.Beta4 
+ - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + - 4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.44.Final + - 4.1.45.Final + - 4.1.46.Final + - 4.1.47.Final + - 4.1.48.Final + - 4.1.49.Final + - 4.1.5.Final + - 4.1.50.Final + - 4.1.51.Final + - 4.1.52.Final + - 4.1.53.Final + - 4.1.54.Final + - 4.1.55.Final + - 4.1.56.Final + - 4.1.57.Final + - 4.1.58.Final + - 4.1.59.Final + - 4.1.6.Final + - 4.1.60.Final + - 4.1.61.Final + - 4.1.62.Final + - 4.1.63.Final + - 4.1.64.Final + - 4.1.65.Final + - 4.1.66.Final + - 4.1.67.Final + - 4.1.68.Final + - 4.1.69.Final + - 4.1.7.Final + - 4.1.70.Final + - 4.1.71.Final + - 4.1.72.Final + - 4.1.73.Final + - 4.1.74.Final + - 4.1.75.Final + - 4.1.76.Final + - 4.1.8.Final + - 4.1.9.Final + database_specific: + last_known_affected_version_range: <= 4.1.76.Final + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-269q-hmxg-m83q/GHSA-269q-hmxg-m83q.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + references: + - type: WEB + url: https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q + - type: WEB + url: https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2 + - type: ADVISORY + url: 
https://nvd.nist.gov/vuln/detail/CVE-2022-24823 + - type: WEB + url: https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1 + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220616-0004 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + database_specific: + cwe_ids: + - CWE-378 + - CWE-379 + - CWE-668 + github_reviewed: true + github_reviewed_at: "2022-05-10T08:46:50Z" + nvd_published_at: "2022-05-06T12:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-5jpm-x58v-624v + modified: 2024-06-25T02:33:50.755318Z + published: 2024-03-25T19:40:50Z + aliases: + - CGA-mgv4-g226-vxr2 + - CVE-2024-29025 + summary: Netty's HttpPostRequestDecoder can OOM + details: "### Summary\nThe `HttpPostRequestDecoder` can be tricked to accumulate data. I have spotted currently two attack vectors \n\n### Details\n1. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list.\n2. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field, this field can cumulate data without limits\n\n### PoC\n\nHere is a Netty branch that provides a fix + tests : https://github.com/vietj/netty/tree/post-request-decoder\n\n\nHere is a reproducer with Vert.x (which uses this decoder) https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3\n\n### Impact\nAny Netty based HTTP server that uses the `HttpPostRequestDecoder` to decode a form." 
+ affected: + - package: + ecosystem: Maven + name: io.netty:netty-codec-http + purl: pkg:maven/io.netty/netty-codec-http + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 4.1.108.Final + versions: + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + - 4.0.0.Beta1 + - 4.0.0.Beta2 + - 4.0.0.Beta3 + - 4.0.0.CR1 + - 4.0.0.CR2 + - 4.0.0.CR3 + - 4.0.0.CR4 + - 4.0.0.CR5 + - 4.0.0.CR6 + - 4.0.0.CR7 + - 4.0.0.CR8 + - 4.0.0.CR9 + - 4.0.0.Final + - 4.0.1.Final + - 4.0.10.Final + - 4.0.11.Final + - 4.0.12.Final + - 4.0.13.Final + - 4.0.14.Beta1 + - 4.0.14.Final + - 4.0.15.Final + - 4.0.16.Final + - 4.0.17.Final + - 4.0.18.Final + - 4.0.19.Final + - 4.0.2.Final + - 4.0.20.Final + - 4.0.21.Final + - 4.0.22.Final + - 4.0.23.Final + - 4.0.24.Final + - 4.0.25.Final + - 4.0.26.Final + - 4.0.27.Final + - 4.0.28.Final + - 4.0.29.Final + - 4.0.3.Final + - 4.0.30.Final + - 4.0.31.Final + - 4.0.32.Final + - 4.0.33.Final + - 4.0.34.Final + - 4.0.35.Final + - 4.0.36.Final + - 4.0.37.Final + - 4.0.38.Final + - 4.0.39.Final + - 4.0.4.Final + - 4.0.40.Final + - 4.0.41.Final + - 4.0.42.Final + - 4.0.43.Final + - 4.0.44.Final + - 4.0.45.Final + - 4.0.46.Final + - 4.0.47.Final + - 4.0.48.Final + - 4.0.49.Final + - 4.0.5.Final + - 4.0.50.Final + - 4.0.51.Final + - 4.0.52.Final + - 4.0.53.Final + - 4.0.54.Final + - 4.0.55.Final + - 4.0.56.Final + - 4.0.6.Final + - 4.0.7.Final + - 4.0.8.Final + - 4.0.9.Final + - 4.1.0.Beta1 + - 4.1.0.Beta2 + - 4.1.0.Beta3 + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.100.Final + - 4.1.101.Final + - 4.1.102.Final + - 4.1.103.Final + - 4.1.104.Final + - 4.1.105.Final + - 4.1.106.Final + - 4.1.107.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 
4.1.15.Final + - 4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + - 4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.44.Final + - 4.1.45.Final + - 4.1.46.Final + - 4.1.47.Final + - 4.1.48.Final + - 4.1.49.Final + - 4.1.5.Final + - 4.1.50.Final + - 4.1.51.Final + - 4.1.52.Final + - 4.1.53.Final + - 4.1.54.Final + - 4.1.55.Final + - 4.1.56.Final + - 4.1.57.Final + - 4.1.58.Final + - 4.1.59.Final + - 4.1.6.Final + - 4.1.60.Final + - 4.1.61.Final + - 4.1.62.Final + - 4.1.63.Final + - 4.1.64.Final + - 4.1.65.Final + - 4.1.66.Final + - 4.1.67.Final + - 4.1.68.Final + - 4.1.69.Final + - 4.1.7.Final + - 4.1.70.Final + - 4.1.71.Final + - 4.1.72.Final + - 4.1.73.Final + - 4.1.74.Final + - 4.1.75.Final + - 4.1.76.Final + - 4.1.77.Final + - 4.1.78.Final + - 4.1.79.Final + - 4.1.8.Final + - 4.1.80.Final + - 4.1.81.Final + - 4.1.82.Final + - 4.1.83.Final + - 4.1.84.Final + - 4.1.85.Final + - 4.1.86.Final + - 4.1.87.Final + - 4.1.88.Final + - 4.1.89.Final + - 4.1.9.Final + - 4.1.90.Final + - 4.1.91.Final + - 4.1.92.Final + - 4.1.93.Final + - 4.1.94.Final + - 4.1.95.Final + - 4.1.96.Final + - 4.1.97.Final + - 4.1.98.Final + - 4.1.99.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-5jpm-x58v-624v/GHSA-5jpm-x58v-624v.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + references: + - type: WEB + url: https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2024-29025 + 
- type: WEB + url: https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c + - type: WEB + url: https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3 + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://github.com/vietj/netty/tree/post-request-decoder + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2024/06/msg00015.html + database_specific: + cwe_ids: + - CWE-770 + github_reviewed: true + github_reviewed_at: "2024-03-25T19:40:50Z" + nvd_published_at: "2024-03-25T20:15:08Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-5mcr-gq6c-3hq2 + modified: 2024-03-11T05:19:48.200129Z + published: 2021-02-08T21:17:48Z + aliases: + - CVE-2021-21290 + - CVE-2022-24823 + - GHSA-269q-hmxg-m83q + summary: Local Information Disclosure Vulnerability in Netty on Unix-Like systems + details: "### Impact\n\nWhen netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled.\n\nThe CVSSv3.1 score of this vulnerability is calculated to be a [6.2/10](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N&version=3.1)\n\n### Vulnerability Details\n\nOn unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems.\n\nThe method `File.createTempFile` on unix-like systems creates a random file, but, by default will create this file with the permissions `-rw-r--r--`. 
Thus, if sensitive information is written to this file, other local users can read this information.\n\nThis is the case in netty's `AbstractDiskHttpData` is vulnerable.\n\nhttps://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java#L80-L101\n\n`AbstractDiskHttpData` is used as a part of the `DefaultHttpDataFactory` class which is used by `HttpPostRequestDecoder` / `HttpPostMultiPartRequestDecoder`.\n\nYou may be affected by this vulnerability your project contains the following code patterns:\n\n```java\nchannelPipeline.addLast(new HttpPostRequestDecoder(...));\n```\n\n```java\nchannelPipeline.addLast(new HttpPostMultiPartRequestDecoder(...));\n```\n\n### Patches\n\nThis has been patched in version `4.1.59.Final`.\n\n### Workarounds\n\nSpecify your own `java.io.tmpdir` when you start the JVM or use `DefaultHttpDataFactory.setBaseDir(...)` to set the directory to something that is only readable by the current user.\n\n### References\n\n - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\n\n### Similar Vulnerabilities\n\nSimilar, but not the same.\n\n - JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\n - Google Guava - https://github.com/google/guava/issues/4011\n - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945\n - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [netty](https://github.com/netty/netty)\n* Email us [here](mailto:netty-security@googlegroups.com)\n\n### Original Report\n\n> Hi Netty Security Team,\n> \n> I've been working on some security research leveraging custom CodeQL 
queries to detect local information disclosure vulnerabilities in java applications. This was the result from running this query against the netty project:\n> https://lgtm.com/query/7723301787255288599/\n> \n> Netty contains three local information disclosure vulnerabilities, so far as I can tell.\n> \n> One is here, where the private key for the certificate is written to a temporary file.\n> \n> https://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java#L316-L346\n> \n> One is here, where the certificate is written to a temporary file.\n> \n> https://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java#L348-L371\n> \n> The final one is here, where the 'AbstractDiskHttpData' creates a temporary file if the getBaseDirectory() method returns null. I believe that 'AbstractDiskHttpData' is used as a part of the file upload support? If this is the case, any files uploaded would be similarly vulnerable.\n> \n> https://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java#L91\n> \n> All of these vulnerabilities exist because `File.createTempFile(String, String)` will create a temporary file in the system temporary directory if the 'java.io.tmpdir' system property is not explicitly set. It is my understanding that when java creates a file, by default, and using this method, the permissions on that file utilize the umask. In a majority of cases, this means that the file that java creates has the permissions: `-rw-r--r--`, thus, any other local user on that system can read the contents of that file.\n> \n> Impacted OS:\n> - Any OS where the system temporary directory is shared between multiple users. 
This is not the case for MacOS or Windows.\n> \n> Mitigation.\n> \n> Moving to the `Files` API instead will fix this vulnerability. \n> https://docs.oracle.com/javase/8/docs/api/java/nio/file/Files.html#createTempFile-java.nio.file.Path-java.lang.String-java.lang.String-java.nio.file.attribute.FileAttribute...-\n> \n> This API will explicitly set the posix file permissions to something safe, by default.\n> \n> I recently disclosed a similar vulnerability in JUnit 4:\n> https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\n> \n> If you're also curious, this vulnerability in Jetty was also mine, also involving temporary directories, but is not the same vulnerability as in this case.\n> https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6\n> \n> I would appreciate it if we could perform disclosure of this vulnerability leveraging the GitHub security advisories feature here. GitHub has a nice credit system that I appreciate, plus the disclosures, as you can see from the sampling above, end up looking very nice.\n> https://github.com/netty/netty/security/advisories\n> \n> This vulnerability disclosure follows Google's [90-day vulnerability disclosure policy](https://www.google.com/about/appsecurity/) (I'm not an employee of Google, I just like their policy). 
Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first.\n> \n> Cheers,\n> Jonathan Leitschuh" + affected: + - package: + ecosystem: Maven + name: io.netty:netty-codec-http + purl: pkg:maven/io.netty/netty-codec-http + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0 + - fixed: 4.1.59.Final + versions: + - 4.0.0.Final + - 4.0.1.Final + - 4.0.10.Final + - 4.0.11.Final + - 4.0.12.Final + - 4.0.13.Final + - 4.0.14.Beta1 + - 4.0.14.Final + - 4.0.15.Final + - 4.0.16.Final + - 4.0.17.Final + - 4.0.18.Final + - 4.0.19.Final + - 4.0.2.Final + - 4.0.20.Final + - 4.0.21.Final + - 4.0.22.Final + - 4.0.23.Final + - 4.0.24.Final + - 4.0.25.Final + - 4.0.26.Final + - 4.0.27.Final + - 4.0.28.Final + - 4.0.29.Final + - 4.0.3.Final + - 4.0.30.Final + - 4.0.31.Final + - 4.0.32.Final + - 4.0.33.Final + - 4.0.34.Final + - 4.0.35.Final + - 4.0.36.Final + - 4.0.37.Final + - 4.0.38.Final + - 4.0.39.Final + - 4.0.4.Final + - 4.0.40.Final + - 4.0.41.Final + - 4.0.42.Final + - 4.0.43.Final + - 4.0.44.Final + - 4.0.45.Final + - 4.0.46.Final + - 4.0.47.Final + - 4.0.48.Final + - 4.0.49.Final + - 4.0.5.Final + - 4.0.50.Final + - 4.0.51.Final + - 4.0.52.Final + - 4.0.53.Final + - 4.0.54.Final + - 4.0.55.Final + - 4.0.56.Final + - 4.0.6.Final + - 4.0.7.Final + - 4.0.8.Final + - 4.0.9.Final + - 4.1.0.Beta1 + - 4.1.0.Beta2 + - 4.1.0.Beta3 + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 
4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + - 4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.44.Final + - 4.1.45.Final + - 4.1.46.Final + - 4.1.47.Final + - 4.1.48.Final + - 4.1.49.Final + - 4.1.5.Final + - 4.1.50.Final + - 4.1.51.Final + - 4.1.52.Final + - 4.1.53.Final + - 4.1.54.Final + - 4.1.55.Final + - 4.1.56.Final + - 4.1.57.Final + - 4.1.58.Final + - 4.1.6.Final + - 4.1.7.Final + - 4.1.8.Final + - 4.1.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-5mcr-gq6c-3hq2/GHSA-5mcr-gq6c-3hq2.json + - package: + ecosystem: Maven + name: org.jboss.netty:netty + purl: pkg:maven/org.jboss.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.0.0.CR1 + - 3.0.0.CR2 + - 3.0.0.CR3 + - 3.0.0.CR4 + - 3.0.0.CR5 + - 3.0.0.GA + - 3.0.1.GA + - 3.0.2.GA + - 3.1.0.ALPHA1 + - 3.1.0.ALPHA2 + - 3.1.0.ALPHA3 + - 3.1.0.ALPHA4 + - 3.1.0.BETA1 + - 3.1.0.BETA2 + - 3.1.0.BETA3 + - 3.1.0.CR1 + - 3.1.0.GA + - 3.1.1.GA + - 3.1.2.GA + - 3.1.3.GA + - 3.1.4.GA + - 3.1.5.GA + - 3.2.0.ALPHA1 + - 3.2.0.ALPHA2 + - 3.2.0.ALPHA3 + - 3.2.0.ALPHA4 + - 3.2.0.BETA1 + - 3.2.0.CR1 + - 3.2.0.Final + - 3.2.1.Final + - 3.2.10.Final + - 3.2.2.Final + - 3.2.3.Final + - 3.2.4.Final + - 3.2.5.Final + - 3.2.6.Final + - 3.2.7.Final + - 3.2.8.Final + - 3.2.9.Final + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-5mcr-gq6c-3hq2/GHSA-5mcr-gq6c-3hq2.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.10.0.Final + - 3.10.1.Final + - 3.10.2.Final + - 3.10.3.Final + - 3.10.4.Final + - 
3.10.5.Final + - 3.10.6.Final + - 3.3.0.Final + - 3.3.1.Final + - 3.4.0.Alpha1 + - 3.4.0.Alpha2 + - 3.4.0.Beta1 + - 3.4.0.Final + - 3.4.1.Final + - 3.4.2.Final + - 3.4.3.Final + - 3.4.4.Final + - 3.4.5.Final + - 3.4.6.Final + - 3.5.0.Beta1 + - 3.5.0.Final + - 3.5.1.Final + - 3.5.10.Final + - 3.5.11.Final + - 3.5.12.Final + - 3.5.13.Final + - 3.5.2.Final + - 3.5.3.Final + - 3.5.4.Final + - 3.5.5.Final + - 3.5.6.Final + - 3.5.7.Final + - 3.5.8.Final + - 3.5.9.Final + - 3.6.0.Beta1 + - 3.6.0.Final + - 3.6.1.Final + - 3.6.10.Final + - 3.6.2.Final + - 3.6.3.Final + - 3.6.4.Final + - 3.6.5.Final + - 3.6.6.Final + - 3.6.7.Final + - 3.6.8.Final + - 3.6.9.Final + - 3.7.0.Final + - 3.7.1.Final + - 3.8.0.Final + - 3.8.1.Final + - 3.8.2.Final + - 3.8.3.Final + - 3.9.0.Final + - 3.9.1.1.Final + - 3.9.1.Final + - 3.9.2.Final + - 3.9.3.Final + - 3.9.4.Final + - 3.9.5.Final + - 3.9.6.Final + - 3.9.7.Final + - 3.9.8.Final + - 3.9.9.Final + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-5mcr-gq6c-3hq2/GHSA-5mcr-gq6c-3hq2.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: WEB + url: https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2 + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-21290 + - type: WEB + url: https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E + - 
type: WEB + url: https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220210-0011 + - type: WEB + url: https://www.debian.org/security/2021/dsa-4885 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05@%3Cdev.kafka.apache.org%3E + - 
type: WEB + url: https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020@%3Cdev.tinkerpop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29@%3Cusers.activemq.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214@%3Ccommits.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f@%3Ccommits.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E + database_specific: + cwe_ids: + - CWE-378 + - CWE-379 + - CWE-668 + github_reviewed: true + github_reviewed_at: "2021-02-08T20:07:45Z" + nvd_published_at: "2021-02-08T20:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-cqqj-4p63-rrmm + modified: 2024-03-11T05:19:31.586438Z + published: 2020-02-21T18:55:24Z + aliases: + - CVE-2019-20444 + summary: HTTP Request Smuggling in Netty + details: HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold." 
+ affected: + - package: + ecosystem: Maven + name: io.netty:netty-codec-http + purl: pkg:maven/io.netty/netty-codec-http + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0 + - fixed: 4.1.44 + versions: + - 4.0.0.Final + - 4.0.1.Final + - 4.0.10.Final + - 4.0.11.Final + - 4.0.12.Final + - 4.0.13.Final + - 4.0.14.Beta1 + - 4.0.14.Final + - 4.0.15.Final + - 4.0.16.Final + - 4.0.17.Final + - 4.0.18.Final + - 4.0.19.Final + - 4.0.2.Final + - 4.0.20.Final + - 4.0.21.Final + - 4.0.22.Final + - 4.0.23.Final + - 4.0.24.Final + - 4.0.25.Final + - 4.0.26.Final + - 4.0.27.Final + - 4.0.28.Final + - 4.0.29.Final + - 4.0.3.Final + - 4.0.30.Final + - 4.0.31.Final + - 4.0.32.Final + - 4.0.33.Final + - 4.0.34.Final + - 4.0.35.Final + - 4.0.36.Final + - 4.0.37.Final + - 4.0.38.Final + - 4.0.39.Final + - 4.0.4.Final + - 4.0.40.Final + - 4.0.41.Final + - 4.0.42.Final + - 4.0.43.Final + - 4.0.44.Final + - 4.0.45.Final + - 4.0.46.Final + - 4.0.47.Final + - 4.0.48.Final + - 4.0.49.Final + - 4.0.5.Final + - 4.0.50.Final + - 4.0.51.Final + - 4.0.52.Final + - 4.0.53.Final + - 4.0.54.Final + - 4.0.55.Final + - 4.0.56.Final + - 4.0.6.Final + - 4.0.7.Final + - 4.0.8.Final + - 4.0.9.Final + - 4.1.0.Beta1 + - 4.1.0.Beta2 + - 4.1.0.Beta3 + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + - 
4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.5.Final + - 4.1.6.Final + - 4.1.7.Final + - 4.1.8.Final + - 4.1.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-cqqj-4p63-rrmm/GHSA-cqqj-4p63-rrmm.json + - package: + ecosystem: Maven + name: org.jboss.netty:netty + purl: pkg:maven/org.jboss.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.0.0.CR1 + - 3.0.0.CR2 + - 3.0.0.CR3 + - 3.0.0.CR4 + - 3.0.0.CR5 + - 3.0.0.GA + - 3.0.1.GA + - 3.0.2.GA + - 3.1.0.ALPHA1 + - 3.1.0.ALPHA2 + - 3.1.0.ALPHA3 + - 3.1.0.ALPHA4 + - 3.1.0.BETA1 + - 3.1.0.BETA2 + - 3.1.0.BETA3 + - 3.1.0.CR1 + - 3.1.0.GA + - 3.1.1.GA + - 3.1.2.GA + - 3.1.3.GA + - 3.1.4.GA + - 3.1.5.GA + - 3.2.0.ALPHA1 + - 3.2.0.ALPHA2 + - 3.2.0.ALPHA3 + - 3.2.0.ALPHA4 + - 3.2.0.BETA1 + - 3.2.0.CR1 + - 3.2.0.Final + - 3.2.1.Final + - 3.2.10.Final + - 3.2.2.Final + - 3.2.3.Final + - 3.2.4.Final + - 3.2.5.Final + - 3.2.6.Final + - 3.2.7.Final + - 3.2.8.Final + - 3.2.9.Final + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-cqqj-4p63-rrmm/GHSA-cqqj-4p63-rrmm.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.10.0.Final + - 3.10.1.Final + - 3.10.2.Final + - 3.10.3.Final + - 3.10.4.Final + - 3.10.5.Final + - 3.10.6.Final + - 3.3.0.Final + - 3.3.1.Final + - 3.4.0.Alpha1 + - 3.4.0.Alpha2 + - 3.4.0.Beta1 + - 3.4.0.Final + - 3.4.1.Final + - 3.4.2.Final + - 3.4.3.Final + - 3.4.4.Final + - 3.4.5.Final + - 3.4.6.Final + - 3.5.0.Beta1 + - 3.5.0.Final + - 3.5.1.Final + - 3.5.10.Final + - 3.5.11.Final + - 3.5.12.Final + - 3.5.13.Final + - 3.5.2.Final + - 3.5.3.Final + - 3.5.4.Final + - 3.5.5.Final + - 3.5.6.Final + - 3.5.7.Final + - 
3.5.8.Final + - 3.5.9.Final + - 3.6.0.Beta1 + - 3.6.0.Final + - 3.6.1.Final + - 3.6.10.Final + - 3.6.2.Final + - 3.6.3.Final + - 3.6.4.Final + - 3.6.5.Final + - 3.6.6.Final + - 3.6.7.Final + - 3.6.8.Final + - 3.6.9.Final + - 3.7.0.Final + - 3.7.1.Final + - 3.8.0.Final + - 3.8.1.Final + - 3.8.2.Final + - 3.8.3.Final + - 3.9.0.Final + - 3.9.1.1.Final + - 3.9.1.Final + - 3.9.2.Final + - 3.9.3.Final + - 3.9.4.Final + - 3.9.5.Final + - 3.9.6.Final + - 3.9.7.Final + - 3.9.8.Final + - 3.9.9.Final + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-cqqj-4p63-rrmm/GHSA-cqqj-4p63-rrmm.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-20444 + - type: WEB + url: https://github.com/netty/netty/issues/9866 + - type: WEB + url: https://github.com/netty/netty/pull/9871/files#diff-e26989b9171ef22c27c9f7d80689cfb059d568c9bd10e75970d96c02d0654878 + - type: WEB + url: https://github.com/netty/netty/pull/9871 + - type: WEB + url: https://www.debian.org/security/2021/dsa-4885 + - type: WEB + url: https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6@%3Ccommon-commits.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://usn.ubuntu.com/4532-1 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46 + - type: WEB + 
url: https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html + - type: WEB + url: https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9@%3Ccommon-commits.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - 
type: WEB + url: https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e@%3Ccommits.camel.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r059b042bca47be53ff8a51fd04d95eb01bb683f1afa209db136e8cb7@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0811 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0806 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0805 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0804 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0606 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0605 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0601 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0567 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0497 + - type: WEB + url: https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4@%3Ccommon-commits.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E + - type: WEB 
+ url: https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r489886fe72a98768eed665474cba13bad8d6fe0654f24987706636c5@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r34912a9b1a5c269a77b8be94ef6fb6d1e9b3c69129719dc00f01cf0b@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E + database_specific: + cwe_ids: + - CWE-444 + github_reviewed: true + 
github_reviewed_at: "2020-02-20T20:54:33Z" + nvd_published_at: "2020-01-29T21:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-hh82-3pmq-7frp + modified: 2024-02-16T08:16:47.348878Z + published: 2022-12-12T21:25:44Z + aliases: + - CVE-2022-41915 + summary: Netty vulnerable to HTTP Response splitting from assigning header value iterator + details: | + ### Impact + When calling `DefaultHttpHeaders.set` with an _iterator_ of values (as opposed to a single given value), header value validation was not performed, allowing malicious header values in the iterator to perform [HTTP Response Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting). + + ### Patches + The necessary validation was added in Netty 4.1.86.Final. + + ### Workarounds + Integrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values. + + ### References + [HTTP Response Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting) + [CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers](https://cwe.mitre.org/data/definitions/113.html) + + ### For more information + If you have any questions or comments about this advisory: + * Open an issue in [[example link to repo](https://github.com/netty/netty)](https://github.com/netty/netty) + * Email us at [netty-security@googlegroups.com](mailto:netty-security@googlegroups.com) + affected: + - package: + ecosystem: Maven + name: io.netty:netty-codec-http + purl: pkg:maven/io.netty/netty-codec-http + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.1.83.Final + - fixed: 4.1.86.Final + versions: + - 4.1.83.Final + - 4.1.84.Final + - 4.1.85.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-hh82-3pmq-7frp/GHSA-hh82-3pmq-7frp.json + severity: + - type: CVSS_V3 + score: 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N + references: + - type: WEB + url: https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-41915 + - type: WEB + url: https://github.com/netty/netty/issues/13084 + - type: WEB + url: https://github.com/netty/netty/pull/12760 + - type: WEB + url: https://github.com/netty/netty/commit/c37c637f096e7be3dffd36edee3455c8e90cb1b0 + - type: WEB + url: https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4 + - type: WEB + url: https://github.com/netty/netty + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20230113-0004 + - type: WEB + url: https://www.debian.org/security/2023/dsa-5316 + database_specific: + cwe_ids: + - CWE-113 + - CWE-436 + github_reviewed: true + github_reviewed_at: "2022-12-12T21:25:44Z" + nvd_published_at: "2022-12-13T07:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-wx5j-54mm-rqqq + modified: 2024-02-22T05:37:31.471154Z + published: 2021-12-09T19:09:17Z + aliases: + - CVE-2021-43797 + summary: HTTP request smuggling in netty + details: |+ + ### Impact + + Netty currently just skips control chars when these are present at the beginning / end of the header name. We should better fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. + + Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore and so not do the validation itself. 
+ + affected: + - package: + ecosystem: Maven + name: io.netty:netty-codec-http + purl: pkg:maven/io.netty/netty-codec-http + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0 + - fixed: 4.1.71.Final + versions: + - 4.0.0.Final + - 4.0.1.Final + - 4.0.10.Final + - 4.0.11.Final + - 4.0.12.Final + - 4.0.13.Final + - 4.0.14.Beta1 + - 4.0.14.Final + - 4.0.15.Final + - 4.0.16.Final + - 4.0.17.Final + - 4.0.18.Final + - 4.0.19.Final + - 4.0.2.Final + - 4.0.20.Final + - 4.0.21.Final + - 4.0.22.Final + - 4.0.23.Final + - 4.0.24.Final + - 4.0.25.Final + - 4.0.26.Final + - 4.0.27.Final + - 4.0.28.Final + - 4.0.29.Final + - 4.0.3.Final + - 4.0.30.Final + - 4.0.31.Final + - 4.0.32.Final + - 4.0.33.Final + - 4.0.34.Final + - 4.0.35.Final + - 4.0.36.Final + - 4.0.37.Final + - 4.0.38.Final + - 4.0.39.Final + - 4.0.4.Final + - 4.0.40.Final + - 4.0.41.Final + - 4.0.42.Final + - 4.0.43.Final + - 4.0.44.Final + - 4.0.45.Final + - 4.0.46.Final + - 4.0.47.Final + - 4.0.48.Final + - 4.0.49.Final + - 4.0.5.Final + - 4.0.50.Final + - 4.0.51.Final + - 4.0.52.Final + - 4.0.53.Final + - 4.0.54.Final + - 4.0.55.Final + - 4.0.56.Final + - 4.0.6.Final + - 4.0.7.Final + - 4.0.8.Final + - 4.0.9.Final + - 4.1.0.Beta1 + - 4.1.0.Beta2 + - 4.1.0.Beta3 + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + 
- 4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.44.Final + - 4.1.45.Final + - 4.1.46.Final + - 4.1.47.Final + - 4.1.48.Final + - 4.1.49.Final + - 4.1.5.Final + - 4.1.50.Final + - 4.1.51.Final + - 4.1.52.Final + - 4.1.53.Final + - 4.1.54.Final + - 4.1.55.Final + - 4.1.56.Final + - 4.1.57.Final + - 4.1.58.Final + - 4.1.59.Final + - 4.1.6.Final + - 4.1.60.Final + - 4.1.61.Final + - 4.1.62.Final + - 4.1.63.Final + - 4.1.64.Final + - 4.1.65.Final + - 4.1.66.Final + - 4.1.67.Final + - 4.1.68.Final + - 4.1.69.Final + - 4.1.7.Final + - 4.1.70.Final + - 4.1.8.Final + - 4.1.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wx5j-54mm-rqqq/GHSA-wx5j-54mm-rqqq.json + - package: + ecosystem: Maven + name: org.jboss.netty:netty + purl: pkg:maven/org.jboss.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.0.0.CR1 + - 3.0.0.CR2 + - 3.0.0.CR3 + - 3.0.0.CR4 + - 3.0.0.CR5 + - 3.0.0.GA + - 3.0.1.GA + - 3.0.2.GA + - 3.1.0.ALPHA1 + - 3.1.0.ALPHA2 + - 3.1.0.ALPHA3 + - 3.1.0.ALPHA4 + - 3.1.0.BETA1 + - 3.1.0.BETA2 + - 3.1.0.BETA3 + - 3.1.0.CR1 + - 3.1.0.GA + - 3.1.1.GA + - 3.1.2.GA + - 3.1.3.GA + - 3.1.4.GA + - 3.1.5.GA + - 3.2.0.ALPHA1 + - 3.2.0.ALPHA2 + - 3.2.0.ALPHA3 + - 3.2.0.ALPHA4 + - 3.2.0.BETA1 + - 3.2.0.CR1 + - 3.2.0.Final + - 3.2.1.Final + - 3.2.10.Final + - 3.2.2.Final + - 3.2.3.Final + - 3.2.4.Final + - 3.2.5.Final + - 3.2.6.Final + - 3.2.7.Final + - 3.2.8.Final + - 3.2.9.Final + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wx5j-54mm-rqqq/GHSA-wx5j-54mm-rqqq.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.10.0.Final + - 3.10.1.Final + - 3.10.2.Final + - 3.10.3.Final + - 
3.10.4.Final + - 3.10.5.Final + - 3.10.6.Final + - 3.3.0.Final + - 3.3.1.Final + - 3.4.0.Alpha1 + - 3.4.0.Alpha2 + - 3.4.0.Beta1 + - 3.4.0.Final + - 3.4.1.Final + - 3.4.2.Final + - 3.4.3.Final + - 3.4.4.Final + - 3.4.5.Final + - 3.4.6.Final + - 3.5.0.Beta1 + - 3.5.0.Final + - 3.5.1.Final + - 3.5.10.Final + - 3.5.11.Final + - 3.5.12.Final + - 3.5.13.Final + - 3.5.2.Final + - 3.5.3.Final + - 3.5.4.Final + - 3.5.5.Final + - 3.5.6.Final + - 3.5.7.Final + - 3.5.8.Final + - 3.5.9.Final + - 3.6.0.Beta1 + - 3.6.0.Final + - 3.6.1.Final + - 3.6.10.Final + - 3.6.2.Final + - 3.6.3.Final + - 3.6.4.Final + - 3.6.5.Final + - 3.6.6.Final + - 3.6.7.Final + - 3.6.8.Final + - 3.6.9.Final + - 3.7.0.Final + - 3.7.1.Final + - 3.8.0.Final + - 3.8.1.Final + - 3.8.2.Final + - 3.8.3.Final + - 3.9.0.Final + - 3.9.1.1.Final + - 3.9.1.Final + - 3.9.2.Final + - 3.9.3.Final + - 3.9.4.Final + - 3.9.5.Final + - 3.9.6.Final + - 3.9.7.Final + - 3.9.8.Final + - 3.9.9.Final + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wx5j-54mm-rqqq/GHSA-wx5j-54mm-rqqq.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N + references: + - type: WEB + url: https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-43797 + - type: WEB + url: https://github.com/netty/netty/pull/11891 + - type: WEB + url: https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323 + - type: WEB + url: https://github.com/netty/netty + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220107-0003 + - type: WEB + url: 
https://www.debian.org/security/2023/dsa-5316 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + database_specific: + cwe_ids: + - CWE-444 + github_reviewed: true + github_reviewed_at: "2021-12-09T18:17:28Z" + nvd_published_at: "2021-12-09T19:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-f256-j965-7f32 + modified: 2024-03-11T05:20:24.99029Z + published: 2021-03-30T15:10:38Z + aliases: + - BIT-zookeeper-2021-21295 + - CVE-2021-21295 + - CVE-2021-21409 + - GHSA-wm47-8v5p-wjpj + summary: Possible request smuggling in HTTP/2 due missing validation of content-length + details: "### Impact\nThe content-length header is not correctly validated if the request only use a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1\n\nThis is a followup of https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj which did miss to fix this one case. \n\n### Patches\nThis was fixed as part of 4.1.61.Final\n\n### Workarounds\nValidation can be done by the user before proxy the request by validating the header." 
+ affected: + - package: + ecosystem: Maven + name: io.netty:netty-codec-http2 + purl: pkg:maven/io.netty/netty-codec-http2 + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0 + - fixed: 4.1.61.Final + versions: + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + - 4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.44.Final + - 4.1.45.Final + - 4.1.46.Final + - 4.1.47.Final + - 4.1.48.Final + - 4.1.49.Final + - 4.1.5.Final + - 4.1.50.Final + - 4.1.51.Final + - 4.1.52.Final + - 4.1.53.Final + - 4.1.54.Final + - 4.1.55.Final + - 4.1.56.Final + - 4.1.57.Final + - 4.1.58.Final + - 4.1.59.Final + - 4.1.6.Final + - 4.1.60.Final + - 4.1.7.Final + - 4.1.8.Final + - 4.1.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-f256-j965-7f32/GHSA-f256-j965-7f32.json + - package: + ecosystem: Maven + name: org.jboss.netty:netty + purl: pkg:maven/org.jboss.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.0.0.CR1 + - 3.0.0.CR2 + - 3.0.0.CR3 + - 3.0.0.CR4 + - 3.0.0.CR5 + - 3.0.0.GA + - 3.0.1.GA + - 3.0.2.GA + - 3.1.0.ALPHA1 + - 3.1.0.ALPHA2 + - 3.1.0.ALPHA3 + - 3.1.0.ALPHA4 + - 3.1.0.BETA1 + - 3.1.0.BETA2 + - 3.1.0.BETA3 + - 
3.1.0.CR1 + - 3.1.0.GA + - 3.1.1.GA + - 3.1.2.GA + - 3.1.3.GA + - 3.1.4.GA + - 3.1.5.GA + - 3.2.0.ALPHA1 + - 3.2.0.ALPHA2 + - 3.2.0.ALPHA3 + - 3.2.0.ALPHA4 + - 3.2.0.BETA1 + - 3.2.0.CR1 + - 3.2.0.Final + - 3.2.1.Final + - 3.2.10.Final + - 3.2.2.Final + - 3.2.3.Final + - 3.2.4.Final + - 3.2.5.Final + - 3.2.6.Final + - 3.2.7.Final + - 3.2.8.Final + - 3.2.9.Final + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-f256-j965-7f32/GHSA-f256-j965-7f32.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.10.0.Final + - 3.10.1.Final + - 3.10.2.Final + - 3.10.3.Final + - 3.10.4.Final + - 3.10.5.Final + - 3.10.6.Final + - 3.3.0.Final + - 3.3.1.Final + - 3.4.0.Alpha1 + - 3.4.0.Alpha2 + - 3.4.0.Beta1 + - 3.4.0.Final + - 3.4.1.Final + - 3.4.2.Final + - 3.4.3.Final + - 3.4.4.Final + - 3.4.5.Final + - 3.4.6.Final + - 3.5.0.Beta1 + - 3.5.0.Final + - 3.5.1.Final + - 3.5.10.Final + - 3.5.11.Final + - 3.5.12.Final + - 3.5.13.Final + - 3.5.2.Final + - 3.5.3.Final + - 3.5.4.Final + - 3.5.5.Final + - 3.5.6.Final + - 3.5.7.Final + - 3.5.8.Final + - 3.5.9.Final + - 3.6.0.Beta1 + - 3.6.0.Final + - 3.6.1.Final + - 3.6.10.Final + - 3.6.2.Final + - 3.6.3.Final + - 3.6.4.Final + - 3.6.5.Final + - 3.6.6.Final + - 3.6.7.Final + - 3.6.8.Final + - 3.6.9.Final + - 3.7.0.Final + - 3.7.1.Final + - 3.8.0.Final + - 3.8.1.Final + - 3.8.2.Final + - 3.8.3.Final + - 3.9.0.Final + - 3.9.1.1.Final + - 3.9.1.Final + - 3.9.2.Final + - 3.9.3.Final + - 3.9.4.Final + - 3.9.5.Final + - 3.9.6.Final + - 3.9.7.Final + - 3.9.8.Final + - 3.9.9.Final + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + database_specific: + last_known_affected_version_range: < 4.0.0 + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-f256-j965-7f32/GHSA-f256-j965-7f32.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: WEB + url: https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32 + - type: WEB + url: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-21409 + - type: WEB + url: https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432 + - type: WEB + url: https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa@%3Cjira.kafka.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E + - type: WEB + url: 
https://security.netapp.com/advisory/ntap-20210604-0003 + - type: WEB + url: https://www.debian.org/security/2021/dsa-4885 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295 + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E + database_specific: + cwe_ids: + - CWE-444 + github_reviewed: true + github_reviewed_at: "2021-03-30T15:03:26Z" + nvd_published_at: "2021-03-30T15:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-wm47-8v5p-wjpj + modified: 2024-03-11T05:16:16.38061Z + published: 2021-03-09T18:49:49Z + aliases: + - BIT-zookeeper-2021-21295 + - CVE-2021-21295 + - CVE-2021-21409 + - GHSA-f256-j965-7f32 + summary: Possible request smuggling in HTTP/2 due missing validation + details: "### Impact\nIf a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1.\nIf the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. \n\nIn a proxy case, users may assume the content-length is validated somehow, which is not the case. 
If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked.\n\nAn attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. A sample attack request looks like:\n\n```\nPOST / HTTP/2\n:authority:: externaldomain.com\nContent-Length: 4\n\nasdfGET /evilRedirect HTTP/1.1\nHost: internaldomain.com\n```\n\nUsers are only affected if all of this is `true`:\n * `HTTP2MultiplexCodec` or `Http2FrameCodec` is used\n * `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects\n * These HTTP/1.1 objects are forwarded to another remote peer.\n \n\n### Patches\nThis has been patched in 4.1.60.Final\n\n### Workarounds\nThe user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.\n\n### References\nRelated change to workaround the problem: https://github.com/Netflix/zuul/pull/980 " + affected: + - package: + ecosystem: Maven + name: io.netty:netty-codec-http2 + purl: pkg:maven/io.netty/netty-codec-http2 + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0 + - fixed: 4.1.60.Final + versions: + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + - 
4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.44.Final + - 4.1.45.Final + - 4.1.46.Final + - 4.1.47.Final + - 4.1.48.Final + - 4.1.49.Final + - 4.1.5.Final + - 4.1.50.Final + - 4.1.51.Final + - 4.1.52.Final + - 4.1.53.Final + - 4.1.54.Final + - 4.1.55.Final + - 4.1.56.Final + - 4.1.57.Final + - 4.1.58.Final + - 4.1.59.Final + - 4.1.6.Final + - 4.1.7.Final + - 4.1.8.Final + - 4.1.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-wm47-8v5p-wjpj/GHSA-wm47-8v5p-wjpj.json + - package: + ecosystem: Maven + name: org.jboss.netty:netty + purl: pkg:maven/org.jboss.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.0.0.CR1 + - 3.0.0.CR2 + - 3.0.0.CR3 + - 3.0.0.CR4 + - 3.0.0.CR5 + - 3.0.0.GA + - 3.0.1.GA + - 3.0.2.GA + - 3.1.0.ALPHA1 + - 3.1.0.ALPHA2 + - 3.1.0.ALPHA3 + - 3.1.0.ALPHA4 + - 3.1.0.BETA1 + - 3.1.0.BETA2 + - 3.1.0.BETA3 + - 3.1.0.CR1 + - 3.1.0.GA + - 3.1.1.GA + - 3.1.2.GA + - 3.1.3.GA + - 3.1.4.GA + - 3.1.5.GA + - 3.2.0.ALPHA1 + - 3.2.0.ALPHA2 + - 3.2.0.ALPHA3 + - 3.2.0.ALPHA4 + - 3.2.0.BETA1 + - 3.2.0.CR1 + - 3.2.0.Final + - 3.2.1.Final + - 3.2.10.Final + - 3.2.2.Final + - 3.2.3.Final + - 3.2.4.Final + - 3.2.5.Final + - 3.2.6.Final + - 3.2.7.Final + - 3.2.8.Final + - 3.2.9.Final + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-wm47-8v5p-wjpj/GHSA-wm47-8v5p-wjpj.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.10.0.Final + - 3.10.1.Final + - 3.10.2.Final + - 3.10.3.Final + - 3.10.4.Final + - 3.10.5.Final + - 3.10.6.Final + - 3.3.0.Final + - 3.3.1.Final + - 3.4.0.Alpha1 + - 3.4.0.Alpha2 + - 3.4.0.Beta1 + - 3.4.0.Final + - 3.4.1.Final + - 3.4.2.Final + - 3.4.3.Final + 
- 3.4.4.Final + - 3.4.5.Final + - 3.4.6.Final + - 3.5.0.Beta1 + - 3.5.0.Final + - 3.5.1.Final + - 3.5.10.Final + - 3.5.11.Final + - 3.5.12.Final + - 3.5.13.Final + - 3.5.2.Final + - 3.5.3.Final + - 3.5.4.Final + - 3.5.5.Final + - 3.5.6.Final + - 3.5.7.Final + - 3.5.8.Final + - 3.5.9.Final + - 3.6.0.Beta1 + - 3.6.0.Final + - 3.6.1.Final + - 3.6.10.Final + - 3.6.2.Final + - 3.6.3.Final + - 3.6.4.Final + - 3.6.5.Final + - 3.6.6.Final + - 3.6.7.Final + - 3.6.8.Final + - 3.6.9.Final + - 3.7.0.Final + - 3.7.1.Final + - 3.8.0.Final + - 3.8.1.Final + - 3.8.2.Final + - 3.8.3.Final + - 3.9.0.Final + - 3.9.1.1.Final + - 3.9.1.Final + - 3.9.2.Final + - 3.9.3.Final + - 3.9.4.Final + - 3.9.5.Final + - 3.9.6.Final + - 3.9.7.Final + - 3.9.8.Final + - 3.9.9.Final + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-wm47-8v5p-wjpj/GHSA-wm47-8v5p-wjpj.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: WEB + url: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-21295 + - type: WEB + url: https://github.com/Netflix/zuul/pull/980 + - type: WEB + url: https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4 + - type: WEB + url: https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd@%3Cdev.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.debian.org/security/2021/dsa-4885 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210604-0003 + - type: WEB + url: https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E + - type: WEB 
+ url: https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8@%3Ccommits.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3@%3Cdev.jackrabbit.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1@%3Cissues.hbase.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E + database_specific: + cwe_ids: + - CWE-444 + github_reviewed: true + github_reviewed_at: "2021-03-09T18:47:09Z" + nvd_published_at: "2021-03-09T19:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-xpw8-rcwv-8f8p + modified: 2024-02-16T08:23:58.662031Z + published: 2023-10-10T22:22:54Z + aliases: + - BIT-apisix-2023-44487 + - BIT-aspnet-core-2023-44487 + - BIT-contour-2023-44487 + - BIT-dotnet-2023-44487 + - BIT-dotnet-sdk-2023-44487 + - BIT-envoy-2023-44487 + - BIT-golang-2023-44487 + - BIT-jenkins-2023-44487 + - BIT-kong-2023-44487 + - BIT-nginx-2023-44487 + - BIT-nginx-ingress-controller-2023-44487 + - BIT-node-2023-44487 + - BIT-solr-2023-44487 + - BIT-tomcat-2023-44487 + - BIT-varnish-2023-44487 + - CVE-2023-44487 + - GHSA-2m7v-gc89-fjqf + - GHSA-qppj-fm5r-hxr3 + - GHSA-vx74-f528-fxqg + summary: io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack + details: "A client might overload the server by issue frequent RST frames. This can cause a massive amount of load on the remote system and so cause a DDOS attack. 
\n\n### Impact\nThis is a DDOS attack, any http2 server is affected and so you should update as soon as possible.\n\n### Patches\nThis is patched in version 4.1.100.Final.\n\n### Workarounds\nA user can limit the amount of RST frames that are accepted per connection over a timeframe manually using either an own `Http2FrameListener` implementation or an `ChannelInboundHandler` implementation (depending which http2 API is used).\n\n### References\n- https://www.cve.org/CVERecord?id=CVE-2023-44487\n- https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/\n- https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/" + affected: + - package: + ecosystem: Maven + name: io.netty:netty-codec-http2 + purl: pkg:maven/io.netty/netty-codec-http2 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 4.1.100.Final + versions: + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + - 4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.44.Final + - 4.1.45.Final + - 4.1.46.Final + - 4.1.47.Final + - 4.1.48.Final + - 4.1.49.Final + - 4.1.5.Final + - 4.1.50.Final + - 4.1.51.Final + - 4.1.52.Final + - 4.1.53.Final + - 4.1.54.Final + - 4.1.55.Final + - 
4.1.56.Final + - 4.1.57.Final + - 4.1.58.Final + - 4.1.59.Final + - 4.1.6.Final + - 4.1.60.Final + - 4.1.61.Final + - 4.1.62.Final + - 4.1.63.Final + - 4.1.64.Final + - 4.1.65.Final + - 4.1.66.Final + - 4.1.67.Final + - 4.1.68.Final + - 4.1.69.Final + - 4.1.7.Final + - 4.1.70.Final + - 4.1.71.Final + - 4.1.72.Final + - 4.1.73.Final + - 4.1.74.Final + - 4.1.75.Final + - 4.1.76.Final + - 4.1.77.Final + - 4.1.78.Final + - 4.1.79.Final + - 4.1.8.Final + - 4.1.80.Final + - 4.1.81.Final + - 4.1.82.Final + - 4.1.83.Final + - 4.1.84.Final + - 4.1.85.Final + - 4.1.86.Final + - 4.1.87.Final + - 4.1.88.Final + - 4.1.89.Final + - 4.1.9.Final + - 4.1.90.Final + - 4.1.91.Final + - 4.1.92.Final + - 4.1.93.Final + - 4.1.94.Final + - 4.1.95.Final + - 4.1.96.Final + - 4.1.97.Final + - 4.1.98.Final + - 4.1.99.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-xpw8-rcwv-8f8p/GHSA-xpw8-rcwv-8f8p.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: WEB + url: https://github.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3 + - type: WEB + url: https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-44487 + - type: WEB + url: https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61 + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://www.cve.org/CVERecord?id=CVE-2023-44487 + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + github_reviewed_at: "2023-10-10T22:22:54Z" + nvd_published_at: null + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-6mjq-h674-j845 + modified: 2024-06-25T02:35:08.283799Z + published: 2023-06-20T16:33:22Z + aliases: + - CVE-2023-34462 + summary: netty-handler SniHandler 16MB allocation + details: "### Summary\nThe `SniHandler` can allocate up to 16MB of 
heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap.\n\n### Details\nThe `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. \n\nNormally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`\n\n1/ allocate a 16MB `ByteBuf`\n2/ not fail `decode` method `in` buffer\n3/ get out of the loop without an exception\n\nThe combination of this without the use of a timeout makes easy to connect to a TCP server and allocate 16MB of heap memory per connection.\n\n### Impact\nIf the user has no idle timeout handler configured it might be possible for a remote peer to send a client hello packet which lead the server to buffer up to 16MB of data per connection. This could lead to a OutOfMemoryError and so result in a DDOS." 
+ affected: + - package: + ecosystem: Maven + name: io.netty:netty-handler + purl: pkg:maven/io.netty/netty-handler + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 4.1.94.Final + versions: + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + - 4.0.0.Beta1 + - 4.0.0.Beta2 + - 4.0.0.Beta3 + - 4.0.0.CR1 + - 4.0.0.CR2 + - 4.0.0.CR3 + - 4.0.0.CR4 + - 4.0.0.CR5 + - 4.0.0.CR6 + - 4.0.0.CR7 + - 4.0.0.CR8 + - 4.0.0.CR9 + - 4.0.0.Final + - 4.0.1.Final + - 4.0.10.Final + - 4.0.11.Final + - 4.0.12.Final + - 4.0.13.Final + - 4.0.14.Beta1 + - 4.0.14.Final + - 4.0.15.Final + - 4.0.16.Final + - 4.0.17.Final + - 4.0.18.Final + - 4.0.19.Final + - 4.0.2.Final + - 4.0.20.Final + - 4.0.21.Final + - 4.0.22.Final + - 4.0.23.Final + - 4.0.24.Final + - 4.0.25.Final + - 4.0.26.Final + - 4.0.27.Final + - 4.0.28.Final + - 4.0.29.Final + - 4.0.3.Final + - 4.0.30.Final + - 4.0.31.Final + - 4.0.32.Final + - 4.0.33.Final + - 4.0.34.Final + - 4.0.35.Final + - 4.0.36.Final + - 4.0.37.Final + - 4.0.38.Final + - 4.0.39.Final + - 4.0.4.Final + - 4.0.40.Final + - 4.0.41.Final + - 4.0.42.Final + - 4.0.43.Final + - 4.0.44.Final + - 4.0.45.Final + - 4.0.46.Final + - 4.0.47.Final + - 4.0.48.Final + - 4.0.49.Final + - 4.0.5.Final + - 4.0.50.Final + - 4.0.51.Final + - 4.0.52.Final + - 4.0.53.Final + - 4.0.54.Final + - 4.0.55.Final + - 4.0.56.Final + - 4.0.6.Final + - 4.0.7.Final + - 4.0.8.Final + - 4.0.9.Final + - 4.1.0.Beta1 + - 4.1.0.Beta2 + - 4.1.0.Beta3 + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 
4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + - 4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.44.Final + - 4.1.45.Final + - 4.1.46.Final + - 4.1.47.Final + - 4.1.48.Final + - 4.1.49.Final + - 4.1.5.Final + - 4.1.50.Final + - 4.1.51.Final + - 4.1.52.Final + - 4.1.53.Final + - 4.1.54.Final + - 4.1.55.Final + - 4.1.56.Final + - 4.1.57.Final + - 4.1.58.Final + - 4.1.59.Final + - 4.1.6.Final + - 4.1.60.Final + - 4.1.61.Final + - 4.1.62.Final + - 4.1.63.Final + - 4.1.64.Final + - 4.1.65.Final + - 4.1.66.Final + - 4.1.67.Final + - 4.1.68.Final + - 4.1.69.Final + - 4.1.7.Final + - 4.1.70.Final + - 4.1.71.Final + - 4.1.72.Final + - 4.1.73.Final + - 4.1.74.Final + - 4.1.75.Final + - 4.1.76.Final + - 4.1.77.Final + - 4.1.78.Final + - 4.1.79.Final + - 4.1.8.Final + - 4.1.80.Final + - 4.1.81.Final + - 4.1.82.Final + - 4.1.83.Final + - 4.1.84.Final + - 4.1.85.Final + - 4.1.86.Final + - 4.1.87.Final + - 4.1.88.Final + - 4.1.89.Final + - 4.1.9.Final + - 4.1.90.Final + - 4.1.91.Final + - 4.1.92.Final + - 4.1.93.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-6mjq-h674-j845/GHSA-6mjq-h674-j845.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + references: + - type: WEB + url: https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845 + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-34462 + - type: WEB + url: https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32 + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://security.netapp.com/advisory/ntap-20230803-0001 + - type: WEB + url: 
https://security.netapp.com/advisory/ntap-20240621-0007 + - type: WEB + url: https://www.debian.org/security/2023/dsa-5558 + database_specific: + cwe_ids: + - CWE-400 + - CWE-770 + github_reviewed: true + github_reviewed_at: "2023-06-20T16:33:22Z" + nvd_published_at: "2023-06-22T23:15:09Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-9959-6p3m-wxpc + modified: 2023-11-08T03:57:37.697735Z + published: 2020-06-30T21:01:31Z + aliases: + - CVE-2014-3488 + summary: Denial of service in Netty + details: The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message. + affected: + - package: + ecosystem: Maven + name: io.netty:netty-handler + purl: pkg:maven/io.netty/netty-handler + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-9959-6p3m-wxpc/GHSA-9959-6p3m-wxpc.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2014-3488 + - type: WEB + url: https://github.com/netty/netty/issues/2562 + - type: WEB + url: https://github.com/netty/netty/commit/2fa9400a59d0563a66908aba55c41e7285a04994 + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html + - type: WEB + url: https://snyk.io/vuln/SNYK-JAVA-ORGJBOSSNETTY-31630 + - type: WEB + url: http://netty.io/news/2014/06/11/3-9-2-Final.html + - type: WEB + url: http://secunia.com/advisories/59196 + database_specific: + cwe_ids: + - CWE-119 + github_reviewed: true + github_reviewed_at: "2020-06-30T20:50:42Z" + nvd_published_at: null + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-ff2w-cq2g-wv5f + modified: 2024-03-14T05:20:05.937087Z + published: 2020-02-21T18:55:50Z + aliases: + - CVE-2020-7238 + summary: HTTP Request Smuggling in Netty + details: 
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869. + affected: + - package: + ecosystem: Maven + name: io.netty:netty-handler + purl: pkg:maven/io.netty/netty-handler + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.1.43 + - fixed: 4.1.45 + versions: + - 4.1.43.Final + - 4.1.44.Final + database_specific: + last_known_affected_version_range: <= 4.1.44 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-ff2w-cq2g-wv5f/GHSA-ff2w-cq2g-wv5f.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-7238 + - type: WEB + url: https://github.com/jdordonezn/CVE-2020-72381/issues/1 + - type: WEB + url: https://github.com/netty/netty/issues/9861 + - type: WEB + url: https://github.com/netty/netty/pull/9865 + - type: WEB + url: https://www.debian.org/security/2021/dsa-4885 + - type: WEB + url: https://netty.io/news + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html + - type: WEB + url: https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0811 + - type: WEB + url: 
https://access.redhat.com/errata/RHSA-2020:0806 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0805 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0804 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0606 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0605 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0601 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0567 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0497 + database_specific: + cwe_ids: + - CWE-444 + github_reviewed: true + github_reviewed_at: "2020-02-20T20:54:49Z" + nvd_published_at: "2020-01-27T17:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-mm9x-g8pc-w292 + modified: 2024-03-14T05:18:47.685399Z + published: 2020-06-15T19:36:16Z + aliases: + - CVE-2020-11612 + summary: Denial of Service in Netty + details: The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder. 
+ affected: + - package: + ecosystem: Maven + name: io.netty:netty-handler + purl: pkg:maven/io.netty/netty-handler + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.1.0 + - fixed: 4.1.46 + versions: + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + - 4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.44.Final + - 4.1.45.Final + - 4.1.5.Final + - 4.1.6.Final + - 4.1.7.Final + - 4.1.8.Final + - 4.1.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mm9x-g8pc-w292/GHSA-mm9x-g8pc-w292.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-11612 + - type: WEB + url: https://github.com/netty/netty/issues/6168 + - type: WEB + url: https://github.com/netty/netty/pull/9924 + - type: WEB + url: https://lists.apache.org/thread.html/r9c30b7fca4baedebcb46d6e0f90071b30cc4a0e074164d50122ec5ec@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra98e3a8541a09271f96478d5e22c7e3bd1afdf48641c8be25d62d9f9@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rd302ddb501fa02c5119120e5fc21df9a1c00e221c490edbe2d7ad365@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re1ea144e91f03175d661b2d3e97c7d74b912e019613fa90419cf63f4@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ref2c8a0cbb3b8271e5b9a06457ba78ad2028128627186531730f50ef@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ref3943adbc3a8813aee0e3a9dd919bacbb27f626be030a3c6d6c7f83@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf803b65b4a57589d79cf2e83d8ece0539018d32864f932f63c972844@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf9f8bcc4ca8d2788f77455ff594468404732a4497baebe319043f4d5@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfd173eac20d5e5f581c8984b685c836dafea8eb2f7ff85f617704cf1@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rff8859c0d06b1688344b39097f9685c43b461cf2bc41f60f001704e9@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20201223-0001 + - type: WEB + url: https://www.debian.org/security/2021/dsa-4885 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: 
https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://github.com/netty/netty/compare/netty-4.1.45.Final...netty-4.1.46.Final + - type: WEB + url: https://lists.apache.org/thread.html/r14446ed58208cb6d97b6faa6ebf145f1cf2c70c0886c0c133f4d3b6f@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r255ed239e65d0596812362adc474bee96caf7ba042c7ad2f3c62cec7@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r281882fdf9ea89aac02fd2f92786693a956aac2ce9840cce87c7df6b@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2958e4d49ee046e1e561e44fdc114a0d2285927501880f15852a9b53@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r31424427cc6d7db46beac481bdeed9a823fc20bb1b9deede38557f71@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3195127e46c87a680b5d1d3733470f83b886bfd3b890c50df718bed1@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3ea4918d20d0c1fa26cac74cc7cda001d8990bc43473d062867ef70d@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4a7e4e23bd84ac24abf30ab5d5edf989c02b555e1eca6a2f28636692@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4f4a14d6a608db447b725ec2e96c26ac9664d83cd879aa21e2cfeb24@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5030cd8ea5df1e64cf6a7b633eff145992fbca03e8bfc687cd2427ab@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5a0b1f0b1c3bcd66f5177fbd6f6de2d0f8cae24a13ab2669f274251a@%3Cnotifications.zookeeper.apache.org%3E + - 
type: WEB + url: https://lists.apache.org/thread.html/r5b1ad61552591b747cd31b3a908d5ff2e8f2a8a6847583dd6b7b1ee7@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r69b23a94d4ae45394cabae012dd1f4a963996869c44c478eb1c61082@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7641ee788e1eb1be4bb206a7d15f8a64ec6ef23e5ec6132d5a567695@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7836bbdbe95c99d4d725199f0c169927d4e87ba57e4beeeb699c097a@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r866288c2ada00ce148b7307cdf869f15f24302b3eb2128af33830997@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r88e2b91560c065ed67e62adf8f401c417e4d70256d11ea447215a70c@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8a654f11e1172b0effbfd6f8d5b6ca651ae4ac724a976923c268a42f@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9addb580456807cd11d6f0c6b6373b7d7161d06d2278866c30c7febb@%3Ccommits.zookeeper.apache.org%3E + database_specific: + cwe_ids: + - CWE-119 + - CWE-400 + - CWE-770 + github_reviewed: true + github_reviewed_at: "2020-06-11T19:58:52Z" + nvd_published_at: "2020-04-07T18:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-p2v9-g2qv-p635 + modified: 2024-03-11T05:20:08.431863Z + published: 2020-02-21T18:55:04Z + aliases: + - CVE-2019-20445 + summary: HTTP Request Smuggling in Netty + details: HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied 
by a second Content-Length header, or by a Transfer-Encoding header. + affected: + - package: + ecosystem: Maven + name: io.netty:netty-handler + purl: pkg:maven/io.netty/netty-handler + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0 + - fixed: 4.1.45 + versions: + - 4.0.0.Final + - 4.0.1.Final + - 4.0.10.Final + - 4.0.11.Final + - 4.0.12.Final + - 4.0.13.Final + - 4.0.14.Beta1 + - 4.0.14.Final + - 4.0.15.Final + - 4.0.16.Final + - 4.0.17.Final + - 4.0.18.Final + - 4.0.19.Final + - 4.0.2.Final + - 4.0.20.Final + - 4.0.21.Final + - 4.0.22.Final + - 4.0.23.Final + - 4.0.24.Final + - 4.0.25.Final + - 4.0.26.Final + - 4.0.27.Final + - 4.0.28.Final + - 4.0.29.Final + - 4.0.3.Final + - 4.0.30.Final + - 4.0.31.Final + - 4.0.32.Final + - 4.0.33.Final + - 4.0.34.Final + - 4.0.35.Final + - 4.0.36.Final + - 4.0.37.Final + - 4.0.38.Final + - 4.0.39.Final + - 4.0.4.Final + - 4.0.40.Final + - 4.0.41.Final + - 4.0.42.Final + - 4.0.43.Final + - 4.0.44.Final + - 4.0.45.Final + - 4.0.46.Final + - 4.0.47.Final + - 4.0.48.Final + - 4.0.49.Final + - 4.0.5.Final + - 4.0.50.Final + - 4.0.51.Final + - 4.0.52.Final + - 4.0.53.Final + - 4.0.54.Final + - 4.0.55.Final + - 4.0.56.Final + - 4.0.6.Final + - 4.0.7.Final + - 4.0.8.Final + - 4.0.9.Final + - 4.1.0.Beta1 + - 4.1.0.Beta2 + - 4.1.0.Beta3 + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + - 4.1.1.Final + - 4.1.10.Final + - 4.1.11.Final + - 4.1.12.Final + - 4.1.13.Final + - 4.1.14.Final + - 4.1.15.Final + - 4.1.16.Final + - 4.1.17.Final + - 4.1.18.Final + - 4.1.19.Final + - 4.1.2.Final + - 4.1.20.Final + - 4.1.21.Final + - 4.1.22.Final + - 4.1.23.Final + - 4.1.24.Final + - 4.1.25.Final + - 4.1.26.Final + - 4.1.27.Final + - 4.1.28.Final + - 4.1.29.Final + - 4.1.3.Final + - 4.1.30.Final + - 4.1.31.Final + - 4.1.32.Final + - 4.1.33.Final + - 4.1.34.Final + - 4.1.35.Final + - 
4.1.36.Final + - 4.1.37.Final + - 4.1.38.Final + - 4.1.39.Final + - 4.1.4.Final + - 4.1.40.Final + - 4.1.41.Final + - 4.1.42.Final + - 4.1.43.Final + - 4.1.44.Final + - 4.1.5.Final + - 4.1.6.Final + - 4.1.7.Final + - 4.1.8.Final + - 4.1.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-p2v9-g2qv-p635/GHSA-p2v9-g2qv-p635.json + - package: + ecosystem: Maven + name: org.jboss.netty:netty + purl: pkg:maven/org.jboss.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.0.0.CR1 + - 3.0.0.CR2 + - 3.0.0.CR3 + - 3.0.0.CR4 + - 3.0.0.CR5 + - 3.0.0.GA + - 3.0.1.GA + - 3.0.2.GA + - 3.1.0.ALPHA1 + - 3.1.0.ALPHA2 + - 3.1.0.ALPHA3 + - 3.1.0.ALPHA4 + - 3.1.0.BETA1 + - 3.1.0.BETA2 + - 3.1.0.BETA3 + - 3.1.0.CR1 + - 3.1.0.GA + - 3.1.1.GA + - 3.1.2.GA + - 3.1.3.GA + - 3.1.4.GA + - 3.1.5.GA + - 3.2.0.ALPHA1 + - 3.2.0.ALPHA2 + - 3.2.0.ALPHA3 + - 3.2.0.ALPHA4 + - 3.2.0.BETA1 + - 3.2.0.CR1 + - 3.2.0.Final + - 3.2.1.Final + - 3.2.10.Final + - 3.2.2.Final + - 3.2.3.Final + - 3.2.4.Final + - 3.2.5.Final + - 3.2.6.Final + - 3.2.7.Final + - 3.2.8.Final + - 3.2.9.Final + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-p2v9-g2qv-p635/GHSA-p2v9-g2qv-p635.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 3.10.0.Final + - 3.10.1.Final + - 3.10.2.Final + - 3.10.3.Final + - 3.10.4.Final + - 3.10.5.Final + - 3.10.6.Final + - 3.3.0.Final + - 3.3.1.Final + - 3.4.0.Alpha1 + - 3.4.0.Alpha2 + - 3.4.0.Beta1 + - 3.4.0.Final + - 3.4.1.Final + - 3.4.2.Final + - 3.4.3.Final + - 3.4.4.Final + - 3.4.5.Final + - 3.4.6.Final + - 3.5.0.Beta1 + - 3.5.0.Final + - 3.5.1.Final + - 3.5.10.Final + - 3.5.11.Final + - 3.5.12.Final + - 3.5.13.Final + - 3.5.2.Final + - 
3.5.3.Final + - 3.5.4.Final + - 3.5.5.Final + - 3.5.6.Final + - 3.5.7.Final + - 3.5.8.Final + - 3.5.9.Final + - 3.6.0.Beta1 + - 3.6.0.Final + - 3.6.1.Final + - 3.6.10.Final + - 3.6.2.Final + - 3.6.3.Final + - 3.6.4.Final + - 3.6.5.Final + - 3.6.6.Final + - 3.6.7.Final + - 3.6.8.Final + - 3.6.9.Final + - 3.7.0.Final + - 3.7.1.Final + - 3.8.0.Final + - 3.8.1.Final + - 3.8.2.Final + - 3.8.3.Final + - 3.9.0.Final + - 3.9.1.1.Final + - 3.9.1.Final + - 3.9.2.Final + - 3.9.3.Final + - 3.9.4.Final + - 3.9.5.Final + - 3.9.6.Final + - 3.9.7.Final + - 3.9.8.Final + - 3.9.9.Final + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + database_specific: + last_known_affected_version_range: < 4.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-p2v9-g2qv-p635/GHSA-p2v9-g2qv-p635.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-20445 + - type: WEB + url: https://github.com/netty/netty/issues/9861 + - type: WEB + url: https://github.com/netty/netty/pull/9865 + - type: WEB + url: https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2@%3Cissues.flume.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11@%3Cissues.spark.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0497 + - type: WEB + url: https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46 + - type: WEB + url: https://usn.ubuntu.com/4532-1 + - type: WEB + url: https://www.debian.org/security/2021/dsa-4885 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0567 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0601 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0605 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0606 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0804 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0805 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0806 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0811 + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final + - type: WEB + url: https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663@%3Cissues.flume.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74@%3Cissues.flume.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E + database_specific: + cwe_ids: + - CWE-444 + github_reviewed: true + github_reviewed_at: "2020-02-20T20:54:25Z" + nvd_published_at: "2020-01-29T21:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-rv63-gqm8-9w8q + modified: 2024-02-16T08:13:46.004283Z + published: 2022-05-13T01:11:43Z + aliases: + - CVE-2016-4970 + summary: Loop with Unreachable Exit Condition in Netty + details: handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop). + affected: + - package: + ecosystem: Maven + name: io.netty:netty-handler + purl: pkg:maven/io.netty/netty-handler + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0.Alpha1 + - fixed: 4.0.37.Final + versions: + - 4.0.0.Alpha1 + - 4.0.0.Alpha2 + - 4.0.0.Alpha3 + - 4.0.0.Alpha4 + - 4.0.0.Alpha5 + - 4.0.0.Alpha6 + - 4.0.0.Alpha7 + - 4.0.0.Alpha8 + - 4.0.0.Beta1 + - 4.0.0.Beta2 + - 4.0.0.Beta3 + - 4.0.0.CR1 + - 4.0.0.CR2 + - 4.0.0.CR3 + - 4.0.0.CR4 + - 4.0.0.CR5 + - 4.0.0.CR6 + - 4.0.0.CR7 + - 4.0.0.CR8 + - 4.0.0.CR9 + - 4.0.0.Final + - 4.0.1.Final + - 4.0.10.Final + - 4.0.11.Final + - 4.0.12.Final + - 4.0.13.Final + - 4.0.14.Beta1 + - 4.0.14.Final + - 4.0.15.Final + - 4.0.16.Final + - 4.0.17.Final + - 4.0.18.Final + - 4.0.19.Final + - 4.0.2.Final + - 4.0.20.Final + - 4.0.21.Final + - 4.0.22.Final + - 4.0.23.Final + - 4.0.24.Final + - 4.0.25.Final + - 4.0.26.Final + - 4.0.27.Final + - 4.0.28.Final + - 4.0.29.Final + - 4.0.3.Final + - 4.0.30.Final + - 4.0.31.Final + - 4.0.32.Final + - 4.0.33.Final + - 4.0.34.Final + - 4.0.35.Final + - 4.0.36.Final + - 4.0.4.Final + - 4.0.5.Final + - 4.0.6.Final + - 4.0.7.Final + - 4.0.8.Final + - 4.0.9.Final + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rv63-gqm8-9w8q/GHSA-rv63-gqm8-9w8q.json + - package: + ecosystem: Maven + name: io.netty:netty-handler + purl: pkg:maven/io.netty/netty-handler + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.1.0.Beta1 + - fixed: 4.1.1.Final + versions: + - 4.1.0.Beta1 + - 4.1.0.Beta2 + - 4.1.0.Beta3 + - 4.1.0.Beta4 + - 4.1.0.Beta5 + - 4.1.0.Beta6 + - 4.1.0.Beta7 + - 4.1.0.Beta8 + - 4.1.0.CR1 + - 4.1.0.CR2 + - 4.1.0.CR3 + - 4.1.0.CR4 + - 4.1.0.CR5 + - 4.1.0.CR6 + - 4.1.0.CR7 + - 4.1.0.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rv63-gqm8-9w8q/GHSA-rv63-gqm8-9w8q.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2016-4970 + - type: WEB + url: https://github.com/netty/netty/pull/5364 + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=1343616 + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://lists.apache.org/thread.html/afaa5860e3a6d327eb96c3d82cbd2f5996de815a16854ed1ad310144@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://wiki.opendaylight.org/view/Security_Advisories + - type: WEB + url: http://netty.io/news/2016/06/07/4-0-37-Final.html + - type: WEB + url: http://netty.io/news/2016/06/07/4-1-1-Final.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2017-0179.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2017-1097.html + database_specific: + cwe_ids: + - CWE-835 + github_reviewed: true + github_reviewed_at: "2022-07-06T19:54:08Z" + nvd_published_at: "2017-04-13T14:59:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-xfv3-rrfm-f2rv + modified: 2024-02-16T08:04:08.95464Z + published: 2020-06-30T21:01:21Z + aliases: + - CVE-2015-2156 + summary: Information Exposure in Netty + details: 
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters. + affected: + - package: + ecosystem: Maven + name: io.netty:netty-parent + purl: pkg:maven/io.netty/netty-parent + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0 + - fixed: 4.0.28.Final + versions: + - 4.0.0.Final + - 4.0.1.Final + - 4.0.10.Final + - 4.0.11.Final + - 4.0.12.Final + - 4.0.13.Final + - 4.0.14.Beta1 + - 4.0.14.Final + - 4.0.15.Final + - 4.0.16.Final + - 4.0.17.Final + - 4.0.18.Final + - 4.0.19.Final + - 4.0.2.Final + - 4.0.20.Final + - 4.0.21.Final + - 4.0.22.Final + - 4.0.23.Final + - 4.0.24.Final + - 4.0.25.Final + - 4.0.26.Final + - 4.0.27.Final + - 4.0.3.Final + - 4.0.4.Final + - 4.0.5.Final + - 4.0.6.Final + - 4.0.7.Final + - 4.0.8.Final + - 4.0.9.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json + - package: + ecosystem: Maven + name: org.jboss.netty:netty + purl: pkg:maven/org.jboss.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.9.8.Final + versions: + - 3.0.0.CR1 + - 3.0.0.CR2 + - 3.0.0.CR3 + - 3.0.0.CR4 + - 3.0.0.CR5 + - 3.0.0.GA + - 3.0.1.GA + - 3.0.2.GA + - 3.1.0.ALPHA1 + - 3.1.0.ALPHA2 + - 3.1.0.ALPHA3 + - 3.1.0.ALPHA4 + - 3.1.0.BETA1 + - 3.1.0.BETA2 + - 3.1.0.BETA3 + - 3.1.0.CR1 + - 3.1.0.GA + - 3.1.1.GA + - 3.1.2.GA + - 3.1.3.GA + - 3.1.4.GA + - 3.1.5.GA + - 3.2.0.ALPHA1 + - 3.2.0.ALPHA2 + - 3.2.0.ALPHA3 + - 3.2.0.ALPHA4 + - 3.2.0.BETA1 + - 3.2.0.CR1 + - 3.2.0.Final + - 3.2.1.Final + - 3.2.10.Final + - 3.2.2.Final + - 3.2.3.Final + - 3.2.4.Final + - 3.2.5.Final + - 3.2.6.Final + - 3.2.7.Final + - 3.2.8.Final + - 3.2.9.Final + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json + - package: + ecosystem: Maven + name: org.jboss.netty:netty + purl: pkg:maven/org.jboss.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.10.0 + - fixed: 3.10.3.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.10.0 + - fixed: 3.10.3.Final + versions: + - 3.10.0.Final + - 3.10.1.Final + - 3.10.2.Final + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json + - package: + ecosystem: Maven + name: io.netty:netty + purl: pkg:maven/io.netty/netty + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.9.8.Final + versions: + - 3.3.0.Final + - 3.3.1.Final + - 3.4.0.Alpha1 + - 3.4.0.Alpha2 + - 3.4.0.Beta1 + - 3.4.0.Final + - 3.4.1.Final + - 3.4.2.Final + - 3.4.3.Final + - 3.4.4.Final + - 3.4.5.Final + - 3.4.6.Final + - 3.5.0.Beta1 + - 3.5.0.Final + - 3.5.1.Final + - 3.5.10.Final + - 3.5.11.Final + - 3.5.12.Final + - 3.5.13.Final + - 3.5.2.Final + - 3.5.3.Final + - 3.5.4.Final + - 3.5.5.Final + - 3.5.6.Final + - 3.5.7.Final + - 3.5.8.Final + - 3.5.9.Final + - 3.6.0.Beta1 + - 3.6.0.Final + - 3.6.1.Final + - 3.6.10.Final + - 3.6.2.Final + - 3.6.3.Final + - 3.6.4.Final + - 3.6.5.Final + - 3.6.6.Final + - 3.6.7.Final + - 3.6.8.Final + - 3.6.9.Final + - 3.7.0.Final + - 3.7.1.Final + - 3.8.0.Final + - 3.8.1.Final + - 3.8.2.Final + - 3.8.3.Final + - 3.9.0.Final + - 3.9.1.1.Final + - 3.9.1.Final + - 3.9.2.Final + - 3.9.3.Final + - 3.9.4.Final + - 3.9.5.Final + - 3.9.6.Final + - 3.9.7.Final + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2015-2156 + - type: WEB + url: https://github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9 + - type: WEB + url: https://github.com/netty/netty/pull/3754 + - type: WEB + url: https://github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55 + - type: WEB + url: https://github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752 + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=1222923 + - type: PACKAGE + url: https://github.com/netty/netty + - type: WEB + url: https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://snyk.io/vuln/SNYK-JAVA-IONETTY-73571 + - type: WEB + url: https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass + - type: WEB + url: http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html + - type: WEB + url: http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html + - type: WEB + url: http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html + - type: WEB + url: http://www.openwall.com/lists/oss-security/2015/05/17/1 + - type: WEB + url: http://www.securityfocus.com/bid/74704 + 
database_specific: + cwe_ids: + - CWE-20 + github_reviewed: true + github_reviewed_at: "2020-06-30T20:59:55Z" + nvd_published_at: null + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-269g-pwp5-87pp + modified: 2024-03-15T05:20:38.405881Z + published: 2020-10-12T17:33:00Z + aliases: + - CVE-2020-15250 + summary: TemporaryFolder on unix-like systems does not limit access to created files + details: "### Vulnerability\n\nThe JUnit4 test rule [TemporaryFolder](https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html) contains a local information disclosure vulnerability.\n\nExample of vulnerable code:\n```java\npublic static class HasTempFolder {\n @Rule\n public TemporaryFolder folder = new TemporaryFolder();\n\n @Test\n public void testUsingTempFolder() throws IOException {\n folder.getRoot(); // Previous file permissions: `drwxr-xr-x`; After fix:`drwx------`\n File createdFile= folder.newFile(\"myfile.txt\"); // unchanged/irrelevant file permissions\n File createdFolder= folder.newFolder(\"subfolder\"); // unchanged/irrelevant file permissions\n // ...\n }\n}\n```\n\n### Impact\n\nOn Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system.\n\nThis vulnerability **does not** allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability.\n\nWhen analyzing the impact of this vulnerability, here are the important questions to ask:\n\n1. Do the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder?\n - If yes, this vulnerability impacts you, but only if you also answer 'yes' to question 2.\n - If no, this vulnerability does not impact you.\n2. Do the JUnit tests ever execute in an environment where the OS has other untrusted users. 
\n _This may apply in CI/CD environments but normally won't be 'yes' for personal developer machines._\n - If yes, and you answered 'yes' to question 1, this vulnerability impacts you.\n - If no, this vulnerability does not impact you.\n\n### Patches\n\nBecause certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using.\n - Java 1.7 and higher users: this vulnerability is fixed in 4.13.1.\n - Java 1.6 and lower users: **no patch is available, you must use the workaround below.**\n\n### Workarounds\n\nIf you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability.\n\n### References\n- [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html)\n- Fix commit https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae\n\n#### Similar Vulnerabilities\n - Google Guava - https://github.com/google/guava/issues/4011\n - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945\n - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824\n\n### For more information\nIf you have any questions or comments about this advisory, please pen an issue in [junit-team/junit4](https://github.com/junit-team/junit4/issues)." 
+ affected: + - package: + ecosystem: Maven + name: junit:junit + purl: pkg:maven/junit/junit + ranges: + - type: ECOSYSTEM + events: + - introduced: "4.7" + - fixed: 4.13.1 + versions: + - "4.10" + - "4.11" + - 4.11-beta-1 + - "4.12" + - 4.12-beta-1 + - 4.12-beta-2 + - 4.12-beta-3 + - "4.13" + - 4.13-beta-1 + - 4.13-beta-2 + - 4.13-beta-3 + - 4.13-rc-1 + - 4.13-rc-2 + - "4.7" + - "4.8" + - 4.8.1 + - 4.8.2 + - "4.9" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-269g-pwp5-87pp/GHSA-269g-pwp5-87pp.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N + references: + - type: WEB + url: https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-15250 + - type: WEB + url: https://github.com/junit-team/junit4/issues/1676 + - type: WEB + url: https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae + - type: WEB + url: https://lists.apache.org/thread.html/ra1bdb9efae84794e8ffa2f8474be8290ba57830eefe9714b95da714b@%3Cdev.pdfbox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raebf13f53cd5d23d990712e3d11c80da9a7bae94a6284050f148ed99@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb2771949c676ca984e58a5cd5ca79c2634dee1945e0406e48e0f8457@%3Cdev.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb2ffe2993f4dccc48d832e1a0f1c419477781b6ea16e725ca2276dbb@%3Cdev.knox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381@%3Ccommits.turbine.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbaec90e699bc7c7bd9a053f76707a36fda48b6d558f31dc79147dbf9@%3Cdev.creadur.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rc49cf1547ef6cac1be4b3c92339b2cae0acacf5acaba13cfa429a872@%3Cdev.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdbdd30510a7c4d0908fd22075c02b75bbc2e0d977ec22249ef3133cb@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rde385b8b53ed046600ef68dd6b4528dea7566aaddb02c3e702cc28bc@%3Ccommits.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rde8e70b95c992378e8570e4df400c6008a9839eabdfb8f800a3e5af6@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdef7d1380c86e7c0edf8a0f89a2a8db86fce5e363457d56b722691b4@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rea812d8612fdc46842a2a57248cad4b01ddfdb1e9b037c49e68fdbfb@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/reb700e60b9642eafa4b7922bfee80796394135aa09c7a239ef9f7486@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf2ec93f4ca9a97d1958eb4a31b1830f723419ce9bf2018a6e5741d5b@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf6e5d894d4b03bef537c9d6641272e0197c047c0d1982b4e176d0353@%3Cdev.knox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf797d119cc3f51a8d7c3c5cbe50cb4524c8487282b986edde83a9467@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/11/msg00003.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: PACKAGE + url: https://github.com/junit-team/junit4 + - type: WEB + url: https://github.com/junit-team/junit4/blob/7852b90cfe1cea1e0cdaa19d490c83f0d8684b50/doc/ReleaseNotes4.13.1.md + - type: WEB + url: https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html + - type: WEB + url: 
https://lists.apache.org/thread.html/r01110833b63616ddbef59ae4e10c0fbd0060f0a51206defd4cb4d917@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r09cfbb5aedd76023691bbce9ca4ce2e16bb07dd37554a17efc19935d@%3Cpluto-dev.portals.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1209986f79359b518d09513ff05a88e5b3c398540e775edea76a4774@%3Cdev.knox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r29d703d1986d9b871466ff24082a1828ac8ad27bb0965a93a383872e@%3Cpluto-scm.portals.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2b78f23bc2711a76a7fc73ad67b7fcd6817c5cfccefd6f30a4f54943@%3Cdev.knox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r30f502d2f79e8d635361adb8108dcbb73095163fcbd776ee7984a094@%3Ccommits.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r500517c23200fb2fdb0b82770a62dd6c88b3521cfb01cfd0c76e3f8b@%3Cdev.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5f8841507576f595bb783ccec6a7cb285ea90d4e6f5043eae0e61a41@%3Cdev.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r687f489b10b0d14e46f626aa88476545e1a2600b24c4ebd3c0d2a10b@%3Cdev.knox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r717877028482c55acf604d7a0106af4ca05da4208c708fb157b53672@%3Ccommits.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r742b44fd75215fc75963b8ecc22b2e4372e68d67d3d859d2b5e8743f@%3Cdev.knox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8b02dc6f18df11ff39eedb3038f1e31e6f90a779b1959bae65107279@%3Cdev.knox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r925eaae7dd8f77dd61eefc49c1fcf54bd9ecfe605486870d7b1e9390@%3Cpluto-dev.portals.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r934208a520b38f5cf0cae199b6b076bfe7d081809528b0eff2459e40@%3Cdev.knox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r95f8ef60c4b3a5284b647bb3132cda08e6fadad888a66b84f49da0b0@%3Ccommits.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9710067c7096b83cb6ae8f53a2f6f94e9c042d1bf1d6929f8f2a2b7a@%3Ccommits.knox.apache.org%3E + database_specific: + cwe_ids: + - CWE-200 + - CWE-732 + github_reviewed: true + github_reviewed_at: "2020-10-12T17:32:34Z" + nvd_published_at: "2020-10-12T18:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-2qrg-x229-3v8q + modified: 2024-03-10T05:17:36.915276Z + published: 2020-01-06T18:43:49Z + aliases: + - CVE-2019-17571 + summary: Deserialization of Untrusted Data in Log4j + details: |- + Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17. + + Users are advised to migrate to `org.apache.logging.log4j:log4j-core`. 
+ affected: + - package: + ecosystem: Maven + name: log4j:log4j + purl: pkg:maven/log4j/log4j + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.2" + - last_affected: 1.2.17 + versions: + - 1.2.11 + - 1.2.12 + - 1.2.13 + - 1.2.14 + - 1.2.15 + - 1.2.16 + - 1.2.17 + - 1.2.4 + - 1.2.5 + - 1.2.6 + - 1.2.7 + - 1.2.8 + - 1.2.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-2qrg-x229-3v8q/GHSA-2qrg-x229-3v8q.json + - package: + ecosystem: Maven + name: org.zenframework.z8.dependencies.commons:log4j-1.2.17 + purl: pkg:maven/org.zenframework.z8.dependencies.commons/log4j-1.2.17 + versions: + - "2.0" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-2qrg-x229-3v8q/GHSA-2qrg-x229-3v8q.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-17571 + - type: WEB + url: https://lists.apache.org/thread.html/rd3a9511eebab60e23f224841390a3f8cd5358cff605c5f7042171e47@%3Cdev.tinkerpop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcd71280585425dad7e232f239c5709e425efdd0d3de4a92f808a4767@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rca24a281000fb681d7e26e5c031a21eb4b0593a7735f781b53dae4e2@%3Cdev.tika.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc628307962ae1b8cc2d21b8e4b7dd6d7755b2dd52fa56a151a27e4fd@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc1eaed7f7d774d5d02f66e49baced31e04827a1293d61a70bd003ca7@%3Cdev.tika.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rc17d8491beee51607693019857e41e769795366b85be00aa2f4b3159@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbdf18e39428b5c80fc35113470198b1fe53b287a76a46b0f8780b5fd@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbd19de368abf0764e4383ec44d527bc9870176f488a494f09a40500d@%3Ccommon-dev.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbc45eb0f53fd6242af3e666c2189464f848a851d408289840cecc6e3@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb3c94619728c8f8c176d8e175e0a1086ca737ecdfcd5a2214bb768bc@%3Ccommits.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb1b29aee737e1c37fe1d48528cb0febac4f5deed51f5412e6fdfe2bf@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raedd12dc24412b3780432bf202a2618a21a727788543e5337a458ead@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra9611a8431cb62369bce8909d7645597e1dd45c24b448836b1e54940@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra54fa49be3e773d99ccc9c2a422311cf77e3ecd3b8594ee93043a6b1@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra38785cfc0e7f17f8e24bebf775dd032c033fadcaea29e5bc9fffc60@%3Cdev.tika.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra18a903f785aed9403aea38bc6f36844a056283c00dcfc6936b6318c@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r9fb3238cfc3222f2392ca6517353aadae18f76866157318ac562e706@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9dc2505651788ac668299774d9e7af4dc616be2f56fdc684d1170882@%3Cusers.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9d2e28e71f91ba0b6f4114c8ecd96e2b1f7e0d06bdf8eb768c183aa9@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9d0d03f2e7d9e13c68b530f81d02b0fec33133edcf27330d8089fcfb@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9a9e3b42cd5d1c4536a14ef04f75048dec8e2740ac6a138ea912177f@%3Cpluto-dev.portals.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r944183c871594fe9a555b8519a7c945bbcf6714d72461aa6c929028f@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r90c23eb8c82835fa82df85ae5e88c81fd9241e20a22971b0fb8f2c34@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r909b8e3a36913944d3b7bafe9635d4ca84f8f0e2cd146a1784f667c2@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950eed7451ce70a65177@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.debian.org/security/2020/dsa-4686 + - type: WEB + url: https://usn.ubuntu.com/4495-1 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200110-0001 + - type: WEB + url: 
https://lists.debian.org/debian-lts-announce/2020/01/msg00008.html + - type: WEB + url: https://lists.apache.org/thread.html/rfdf65fa675c64a64459817344e0e6c44d51ee264beea6e5851fb60dc@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf9c19bcc2f7a98a880fa3e3456c003d331812b55836b34ef648063c9@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf77f79699c8d7e430c14cf480f12ed1297e6e8cf2ed379a425941e80@%3Cpluto-dev.portals.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf53eeefb7e7e524deaacb9f8671cbf01b8a253e865fb94e7656722c0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf2567488cfc9212b42e34c6393cfa1c14e30e4838b98dda84d71041f@%3Cdev.tika.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf1b434e11834a4449cd7addb69ed0aef0923112b5938182b363a968c@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rec34b1cccf907898e7cb36051ffac3ccf1ea89d0b261a2a3b3fb267f@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/reaf6b996f74f12b4557bc221abe88f58270ac583942fa41293c61f94@%3Cpluto-scm.portals.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re8c21ed9dd218c217d242ffa90778428e446b082b5e1c29f567e8374@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re36da78e4f3955ba6c1c373a2ab85a4deb215ca74b85fcd66142fea1@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdf2a0d94c3b5b523aeff7741ae71347415276062811b687f30ea6573@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdec0d8ac1f03e6905b0de2df1d5fcdb98b94556e4f6cccf7519fdb26@%3Cdev.tika.apache.org%3E 
+ - type: WEB + url: https://lists.apache.org/thread.html/rdb7ddf28807e27c7801f6e56a0dfb31092d34c61bdd4fa2de9182119@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rda4849c6823dd3e83c7a356eb883180811d5c28359fe46865fd151c3@%3Cusers.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd882ab6b642fe59cbbe94dc02bd197342058208f482e57b537940a4b@%3Cpluto-dev.portals.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd7805c1bf9388968508c6c8f84588773216e560055ddcc813d19f347@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd6254837403e8cbfc7018baa9be29705f3f06bd007c83708f9a97679@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd5dbeee4808c0f2b9b51479b50de3cc6adb1072c332a200d9107f13e@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519e31f266de108c6919@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3cf50d05ce8cec8c09392624b7bae750e7643dae60ef2438641ee015@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3c575cabc7386e646fb12cb82b0b38ae5a6ade8a800f827107824495@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bf7b982dfa0779f8a71f843d2aa6b4184a53e6be7f149ee079387fd@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3a85514a518f3080ab1fc2652cfe122c2ccf67cfb32356acb1b08fe8@%3Cdev.tika.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3784834e80df2f284577a5596340fb84346c91a2dea6a073e65e3397@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r356d57d6225f91fdc30f8b0a2bed229d1ece55e16e552878c5fa809a@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r3543ead2317dcd3306f69ee37b07dd383dbba6e2f47ff11eb55879ad@%3Cusers.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2ff63f210842a3c5e42f03a35d8f3a345134d073c80a04077341c211@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5d04df885a80fe89b3@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2756fd570b6709d55a61831ca028405bcb3e312175a60bc5d911c81f@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r26244f9f7d9a8a27a092eb0b2a0ca9395e88fcde8b5edaeca7ce569c@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b7734dfdfd938640f2f5fb6f4231a267145c71ed60cc7faa1cbac07@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf16c643d708318c@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r189aaeaad897f7d6b96f7c43a8ef2dfb9f6e9f8c1cc9ad182ce9b9ae@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r13d4b5c60ff63f3c4fab51d6ff266655be503b8a1884e2f2fab67c3a@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r107c8737db39ec9ec4f4e7147b249e29be79170b9ef4b80528105a2d@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r05755112a8c164abc1004bb44f198b1e3d8ca3d546a8f13ebd3aa05f@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1de9c09953f5ac@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/752ec92cd1e334a639e79bfbd689a4ec2c6579ec5bb41b53ffdf358d@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac15738248f58a99f622c@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/564f03b4e9511fcba29c68fc0299372dadbdb002718fa8edcc4325e4@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444fcfd5ef96d6e6@%3Cdev.tika.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f15638439416e3e14761c@%3Cdev.tika.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e3e2ec5d0618e1@%3Cdev.tika.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8d78a0fbb56d505461e29868d1026e98c402e6a568c13a6da67896a2@%3Cdev.jena.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8c6300245c0bcef095e9f07b48157e2c6471df0816db3408fcf1d748@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8c392ca48bb7e50754e4bc05865e9731b23d568d18a520fe3d8c1f75@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8a1cfd4705258c106e488091fcec85f194c82f2bbde6bd151e201870@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8890b8f18f1de821595792b58b968a89692a255bc20d86d395270740@%3Ccommits.druid.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r8418a0dff1729f19cf1024937e23a2db4c0f94f2794a423f5c10e8e7@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7f462c69d5ded4c0223e014d95a3496690423c5f6f05c09e2f2a407a@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7bcdc710857725c311b856c0b82cee6207178af5dcde1bd43d289826@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7a1acc95373105169bd44df710c2f462cad31fb805364d2958a5ee03@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r746fbc3fc13aee292ae6851f7a5080f592fa3a67b983c6887cdb1fc5@%3Cdev.tika.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r71e26f9c2d5826c6f95ad60f7d052d75e1e70b0d2dd853db6fc26d5f@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6d34da5a0ca17ab08179a30c971446c7421af0e96f6d60867eabfc52@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6b45a2fcc8e98ac93a179183dbb7f340027bdb8e3ab393418076b153@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6aec6b8f70167fa325fb98b3b5c9ce0ffaed026e697b69b85ac24628@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r696507338dd5f44efc23d98cafe30f217cf3ba78e77ed1324c7a5179@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r681b4432d0605f327b68b9f8a42662993e699d04614de4851c35ffd1@%3Cdev.tika.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6236b5f8646d48af8b66d5050f288304016840788e508c883356fe0e@%3Clog4j-user.logging.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a2b41d447256d51a78@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5c084578b3e3b40bd903c9d9e525097421bcd88178e672f612102eb2@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r594411f4bddebaf48a4c70266d0b7849e0d82bb72826f61b3a35bba7@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r52a5129df402352adc34d052bab9234c8ef63596306506a89fdc7328@%3Cusers.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4b25538be50126194cc646836c718b1a4d8f71bd9c912af5b59134ad@%3Cdev.tika.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4ac89cbecd9e298ae9fafb5afda6fa77ac75c78d1ac957837e066c4e@%3Cuser.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48efc7cb5aeb4e1f67aaa06fb4b5479a5635d12f07d0b93fc2d08809@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00022.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2019-12-27T22:02:37Z" + nvd_published_at: "2019-12-20T17:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-65fg-84f6-3jq3 + modified: 2024-02-16T08:18:09.971724Z + published: 2022-01-21T23:26:47Z + aliases: + - CVE-2022-23305 + summary: SQL Injection in Log4j 1.2.x + details: By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement 
as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. + affected: + - package: + ecosystem: Maven + name: log4j:log4j + purl: pkg:maven/log4j/log4j + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 1.2.17 + versions: + - 1.1.3 + - 1.2.11 + - 1.2.12 + - 1.2.13 + - 1.2.14 + - 1.2.15 + - 1.2.16 + - 1.2.17 + - 1.2.4 + - 1.2.5 + - 1.2.6 + - 1.2.7 + - 1.2.8 + - 1.2.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-65fg-84f6-3jq3/GHSA-65fg-84f6-3jq3.json + - package: + ecosystem: Maven + name: org.zenframework.z8.dependencies.commons:log4j-1.2.17 + purl: pkg:maven/org.zenframework.z8.dependencies.commons/log4j-1.2.17 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: "2.0" + versions: + - "2.0" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-65fg-84f6-3jq3/GHSA-65fg-84f6-3jq3.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-23305 + - type: PACKAGE + url: https://github.com/apache/logging-log4j1 + - type: WEB + url: 
https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y + - type: WEB + url: https://logging.apache.org/log4j/1.2/index.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220217-0007 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: http://www.openwall.com/lists/oss-security/2022/01/18/4 + database_specific: + cwe_ids: + - CWE-89 + github_reviewed: true + github_reviewed_at: "2022-01-19T22:31:49Z" + nvd_published_at: "2022-01-18T16:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-f7vh-qwp3-x37m + modified: 2024-02-16T08:22:45.37439Z + published: 2022-01-19T00:01:15Z + aliases: + - CVE-2022-23307 + summary: Deserialization of Untrusted Data in Apache Log4j + details: |- + CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. + + Users are advised to migrate from `log4j:log4j` to `org.apache.logging.log4j:log4j` for an updated version of the library. 
+ affected: + - package: + ecosystem: Maven + name: log4j:log4j + purl: pkg:maven/log4j/log4j + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 1.2.17 + versions: + - 1.1.3 + - 1.2.11 + - 1.2.12 + - 1.2.13 + - 1.2.14 + - 1.2.15 + - 1.2.16 + - 1.2.17 + - 1.2.4 + - 1.2.5 + - 1.2.6 + - 1.2.7 + - 1.2.8 + - 1.2.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-f7vh-qwp3-x37m/GHSA-f7vh-qwp3-x37m.json + - package: + ecosystem: Maven + name: org.zenframework.z8.dependencies.commons:log4j-1.2.17 + purl: pkg:maven/org.zenframework.z8.dependencies.commons/log4j-1.2.17 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: "2.0" + versions: + - "2.0" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-f7vh-qwp3-x37m/GHSA-f7vh-qwp3-x37m.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-23307 + - type: WEB + url: https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh + - type: WEB + url: https://logging.apache.org/log4j/1.2/index.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2022-06-20T22:48:35Z" + nvd_published_at: "2022-01-18T16:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-fp5r-v3w9-4333 + modified: 2024-02-16T08:10:41.694989Z + published: 2021-12-14T19:49:31Z + aliases: + - CVE-2021-4104 + summary: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data + details: JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. 
The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. + affected: + - package: + ecosystem: Maven + name: log4j:log4j + purl: pkg:maven/log4j/log4j + ranges: + - type: ECOSYSTEM + events: + - introduced: 1.2.0 + - last_affected: 1.2.17 + versions: + - 1.2.11 + - 1.2.12 + - 1.2.13 + - 1.2.14 + - 1.2.15 + - 1.2.16 + - 1.2.17 + - 1.2.4 + - 1.2.5 + - 1.2.6 + - 1.2.7 + - 1.2.8 + - 1.2.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-fp5r-v3w9-4333/GHSA-fp5r-v3w9-4333.json + - package: + ecosystem: Maven + name: org.zenframework.z8.dependencies.commons:log4j-1.2.17 + purl: pkg:maven/org.zenframework.z8.dependencies.commons/log4j-1.2.17 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: "2.0" + versions: + - "2.0" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-fp5r-v3w9-4333/GHSA-fp5r-v3w9-4333.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-4104 + - type: WEB + url: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 + - type: WEB + url: https://access.redhat.com/security/cve/CVE-2021-4104 + - type: PACKAGE + url: https://github.com/apache/logging-log4j2 + - type: WEB + url: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033 + - type: WEB + url: https://security.gentoo.org/glsa/202209-02 + - type: WEB + url: 
https://security.gentoo.org/glsa/202310-16 + - type: WEB + url: https://security.gentoo.org/glsa/202312-02 + - type: WEB + url: https://security.gentoo.org/glsa/202312-04 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20211223-0007 + - type: WEB + url: https://www.cve.org/CVERecord?id=CVE-2021-44228 + - type: WEB + url: https://www.kb.cert.org/vuls/id/930724 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: http://www.openwall.com/lists/oss-security/2022/01/18/3 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2021-12-14T19:47:27Z" + nvd_published_at: "2021-12-14T12:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-w9p3-5cr8-m3jj + modified: 2024-02-16T08:25:11.246999Z + published: 2022-01-21T23:27:14Z + aliases: + - CVE-2022-23302 + summary: Deserialization of Untrusted Data in Log4j 1.x + details: JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. 
+ affected: + - package: + ecosystem: Maven + name: log4j:log4j + purl: pkg:maven/log4j/log4j + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 1.2.17 + versions: + - 1.1.3 + - 1.2.11 + - 1.2.12 + - 1.2.13 + - 1.2.14 + - 1.2.15 + - 1.2.16 + - 1.2.17 + - 1.2.4 + - 1.2.5 + - 1.2.6 + - 1.2.7 + - 1.2.8 + - 1.2.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-w9p3-5cr8-m3jj/GHSA-w9p3-5cr8-m3jj.json + - package: + ecosystem: Maven + name: org.zenframework.z8.dependencies.commons:log4j-1.2.17 + purl: pkg:maven/org.zenframework.z8.dependencies.commons/log4j-1.2.17 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: "2.0" + versions: + - "2.0" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-w9p3-5cr8-m3jj/GHSA-w9p3-5cr8-m3jj.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-23302 + - type: PACKAGE + url: https://github.com/apache/logging-log4j1 + - type: WEB + url: https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w + - type: WEB + url: https://logging.apache.org/log4j/1.2/index.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220217-0006 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: http://www.openwall.com/lists/oss-security/2022/01/18/3 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2022-01-19T22:31:40Z" + nvd_published_at: "2022-01-18T16:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-3xrr-7m6p-p7xh + modified: 2024-02-17T05:32:04.097962Z + published: 2023-07-06T19:24:13Z + aliases: + - CVE-2023-26119 + summary: HtmlUnit Code 
Injection vulnerability + details: Versions of the package `net.sourceforge.htmlunit:htmlunit` from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage. + affected: + - package: + ecosystem: Maven + name: net.sourceforge.htmlunit:htmlunit + purl: pkg:maven/net.sourceforge.htmlunit/htmlunit + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.0.0 + versions: + - "1.14" + - "2.0" + - "2.1" + - 2.1.5 + - "2.10" + - "2.11" + - "2.12" + - "2.13" + - "2.14" + - "2.15" + - "2.16" + - "2.17" + - "2.18" + - "2.19" + - "2.2" + - "2.20" + - "2.21" + - "2.22" + - "2.23" + - "2.24" + - "2.25" + - "2.26" + - "2.27" + - "2.28" + - "2.29" + - "2.3" + - "2.30" + - "2.31" + - "2.32" + - "2.33" + - 2.34.0 + - 2.34.1 + - 2.35.0 + - 2.36.0 + - 2.37.0 + - 2.38.0 + - 2.39.0 + - 2.39.1 + - "2.4" + - 2.40.0 + - 2.41.0 + - 2.42.0 + - 2.43.0 + - 2.44.0 + - 2.45.0 + - 2.46.0 + - 2.47.0 + - 2.47.1 + - 2.48.0 + - 2.49.0 + - 2.49.1 + - "2.5" + - 2.50.0 + - 2.51.0 + - 2.52.0 + - 2.53.0 + - 2.54.0 + - 2.55.0 + - 2.56.0 + - 2.57.0 + - 2.58.0 + - 2.59.0 + - "2.6" + - 2.60.0 + - 2.61.0 + - 2.62.0 + - 2.63.0 + - 2.64.0 + - 2.65.0 + - 2.65.1 + - 2.66.0 + - 2.67.0 + - 2.68.0 + - 2.69.0 + - "2.7" + - 2.70.0 + - "2.8" + - "2.9" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-3xrr-7m6p-p7xh/GHSA-3xrr-7m6p-p7xh.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-26119 + - type: WEB + url: https://github.com/HtmlUnit/htmlunit/commit/641325bbc84702dc9800ec7037aec061ce21956b + - type: PACKAGE + url: https://github.com/HtmlUnit/htmlunit + - type: WEB + url: https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEHTMLUNIT-3252500 + - type: WEB + url: https://siebene.github.io/2022/12/30/HtmlUnit-RCE + database_specific: + cwe_ids: + - CWE-74 + 
- CWE-94 + github_reviewed: true + github_reviewed_at: "2023-07-06T22:00:23Z" + nvd_published_at: "2023-04-03T05:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-5mh9-r3rr-9597 + modified: 2024-02-17T05:35:45.707621Z + published: 2020-05-21T21:08:33Z + aliases: + - CVE-2020-5529 + summary: Code execution vulnerability in HtmlUnit + details: 'HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious JavScript code can execute arbitrary Java code on the application. Moreover, when embedded in Android application, Android-specific initialization of Rhino engine is done in an improper way, hence a malicious JavaScript code can execute arbitrary Java code on the application. ' + affected: + - package: + ecosystem: Maven + name: net.sourceforge.htmlunit:htmlunit + purl: pkg:maven/net.sourceforge.htmlunit/htmlunit + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.37.0 + versions: + - "1.14" + - "2.0" + - "2.1" + - 2.1.5 + - "2.10" + - "2.11" + - "2.12" + - "2.13" + - "2.14" + - "2.15" + - "2.16" + - "2.17" + - "2.18" + - "2.19" + - "2.2" + - "2.20" + - "2.21" + - "2.22" + - "2.23" + - "2.24" + - "2.25" + - "2.26" + - "2.27" + - "2.28" + - "2.29" + - "2.3" + - "2.30" + - "2.31" + - "2.32" + - "2.33" + - 2.34.0 + - 2.34.1 + - 2.35.0 + - 2.36.0 + - "2.4" + - "2.5" + - "2.6" + - "2.7" + - "2.8" + - "2.9" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-5mh9-r3rr-9597/GHSA-5mh9-r3rr-9597.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-5529 + - type: WEB + url: https://github.com/HtmlUnit/htmlunit/commit/bc1f58d483cc8854a9c4c1739abd5e04a2eb0367 + - type: PACKAGE + url: https://github.com/HtmlUnit/htmlunit + - type: WEB + url: 
https://github.com/HtmlUnit/htmlunit/releases/tag/2.37.0 + - type: WEB + url: https://jvn.jp/en/jp/JVN34535327 + - type: WEB + url: https://lists.apache.org/thread.html/ra2cd7f8e61dc6b8a2d9065094cd1f46aa63ad10f237ee363e26e8563%40%3Ccommits.camel.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra2cd7f8e61dc6b8a2d9065094cd1f46aa63ad10f237ee363e26e8563@%3Ccommits.camel.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/08/msg00023.html + - type: WEB + url: https://usn.ubuntu.com/4584-1 + database_specific: + cwe_ids: + - CWE-665 + github_reviewed: true + github_reviewed_at: "2020-05-21T17:25:38Z" + nvd_published_at: "2020-02-11T12:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-6jmm-mp6w-4rrg + modified: 2023-11-08T04:09:13.64201Z + published: 2022-04-26T21:14:57Z + aliases: + - CVE-2022-29546 + summary: OutOfMemory Exception by specifically crafted processing instruction in NekoHtml Parser + details: | + ### Impact + NekoHtml Parser suffers from a denial of service vulnerability on versions 2.60.0 and below. A specifically crafted input regarding the parsing of processing instructions leads to heap memory consumption. Please update to version 2.61.0. 
+ + ### For more information + If you have any questions or comments about this advisory: + * Open an issue in [https://github.com/HtmlUnit/htmlunit-neko](https://github.com/HtmlUnit/htmlunit-neko) + * Email us at [rbri at rbri.de] + affected: + - package: + ecosystem: Maven + name: net.sourceforge.htmlunit:neko-htmlunit + purl: pkg:maven/net.sourceforge.htmlunit/neko-htmlunit + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.61.0 + versions: + - "2.21" + - "2.23" + - "2.24" + - "2.25" + - "2.27" + - "2.28" + - "2.30" + - "2.31" + - "2.32" + - "2.33" + - 2.34.0 + - 2.35.0 + - 2.36.0 + - 2.37.0 + - 2.38.0 + - 2.39.0 + - 2.40.0 + - 2.41.0 + - 2.42.0 + - 2.43.0 + - 2.44.0 + - 2.45.0 + - 2.46.0 + - 2.47.0 + - 2.47.1 + - 2.48.0 + - 2.49.0 + - 2.50.0 + - 2.51.0 + - 2.52.0 + - 2.53.0 + - 2.54.0 + - 2.55.0 + - 2.56.0 + - 2.57.0 + - 2.58.0 + - 2.59.0 + - 2.60.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-6jmm-mp6w-4rrg/GHSA-6jmm-mp6w-4rrg.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: WEB + url: https://github.com/HtmlUnit/htmlunit-neko/security/advisories/GHSA-6jmm-mp6w-4rrg + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-29546 + - type: WEB + url: https://github.com/HtmlUnit/htmlunit-neko/commit/9d2aecd69223469e40c12ca3edddda09009110cc + - type: PACKAGE + url: https://github.com/HtmlUnit/htmlunit-neko + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + github_reviewed_at: "2022-04-26T21:14:57Z" + nvd_published_at: "2022-04-25T03:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-g9hh-vvx3-v37v + modified: 2024-02-20T05:33:28.550353Z + published: 2022-04-23T00:03:04Z + aliases: + - CVE-2022-28366 + summary: Denial of service in HtmlUnit-Neko + details: 'Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input 
that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24939.' + affected: + - package: + ecosystem: Maven + name: net.sourceforge.htmlunit:neko-htmlunit + purl: pkg:maven/net.sourceforge.htmlunit/neko-htmlunit + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "2.27" + versions: + - "2.21" + - "2.23" + - "2.24" + - "2.25" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-g9hh-vvx3-v37v/GHSA-g9hh-vvx3-v37v.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-28366 + - type: PACKAGE + url: https://github.com/HtmlUnit/htmlunit-neko + - type: WEB + url: https://github.com/nahsra/antisamy/releases/tag/v1.6.6 + - type: WEB + url: https://search.maven.org/artifact/net.sourceforge.htmlunit/neko-htmlunit + - type: WEB + url: https://sourceforge.net/projects/htmlunit/files/htmlunit/2.27 + database_specific: + cwe_ids: [] + github_reviewed: true + github_reviewed_at: "2022-04-26T20:12:38Z" + nvd_published_at: "2022-04-21T23:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-rhrv-645h-fjfh + modified: 2024-06-25T02:34:10.322533Z + published: 2023-09-29T18:30:22Z + aliases: + - CVE-2023-39410 + - PYSEC-2023-188 + summary: Apache Avro Java SDK vulnerable to Improper Input Validation + details: |+ + When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. + + This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. 
Users should update to apache-avro version 1.11.3 which addresses this issue. + + affected: + - package: + ecosystem: Maven + name: org.apache.avro:avro + purl: pkg:maven/org.apache.avro/avro + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.11.3 + versions: + - 1.10.0 + - 1.10.1 + - 1.10.2 + - 1.11.0 + - 1.11.1 + - 1.11.2 + - 1.4.0 + - 1.4.1 + - 1.5.0 + - 1.5.1 + - 1.5.2 + - 1.5.3 + - 1.5.4 + - 1.6.0 + - 1.6.1 + - 1.6.2 + - 1.6.3 + - 1.7.0 + - 1.7.1 + - 1.7.2 + - 1.7.3 + - 1.7.4 + - 1.7.5 + - 1.7.6 + - 1.7.7 + - 1.8.0 + - 1.8.1 + - 1.8.2 + - 1.9.0 + - 1.9.1 + - 1.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-rhrv-645h-fjfh/GHSA-rhrv-645h-fjfh.json + - package: + ecosystem: PyPI + name: avro + purl: pkg:pypi/avro + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.11.3 + versions: + - 1.10.0 + - 1.10.1 + - 1.10.2 + - 1.11.0 + - 1.11.1 + - 1.11.2 + - 1.3.3 + - 1.4.1 + - 1.5.0 + - 1.5.1 + - 1.5.2 + - 1.5.3 + - 1.5.4 + - 1.6.0 + - 1.6.1 + - 1.6.2 + - 1.6.3 + - 1.7.0 + - 1.7.1 + - 1.7.2 + - 1.7.3 + - 1.7.4 + - 1.7.5 + - 1.7.6 + - 1.7.7 + - 1.8.0 + - 1.8.1 + - 1.8.2 + - 1.9.0 + - 1.9.1 + - 1.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-rhrv-645h-fjfh/GHSA-rhrv-645h-fjfh.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-39410 + - type: WEB + url: https://github.com/apache/avro/commit/a12a7e44ddbe060c3dc731863cad5c15f9267828 + - type: PACKAGE + url: https://github.com/apache/avro + - type: WEB + url: https://github.com/pypa/advisory-database/tree/main/vulns/avro/PYSEC-2023-188.yaml + - type: WEB + url: https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds + - type: WEB + url: https://security.netapp.com/advisory/ntap-20240621-0006 + - 
type: WEB + url: https://www.openwall.com/lists/oss-security/2023/09/29/6 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2023/09/29/6 + database_specific: + cwe_ids: + - CWE-20 + - CWE-502 + github_reviewed: true + github_reviewed_at: "2023-09-29T22:06:14Z" + nvd_published_at: "2023-09-29T17:15:46Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-6hgm-866r-3cjv + modified: 2024-02-16T08:23:38.195784Z + published: 2020-06-15T20:36:20Z + aliases: + - CVE-2015-6420 + summary: Insecure Deserialization in Apache Commons Collection + details: Serialized-object interfaces in Java applications using the Apache Commons Collections (ACC) library may allow remote attackers to execute arbitrary commands via a crafted serialized Java object. + affected: + - package: + ecosystem: Maven + name: org.apache.commons:commons-collections4 + purl: pkg:maven/org.apache.commons/commons-collections4 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "4.1" + versions: + - "4.0" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json + - package: + ecosystem: Maven + name: commons-collections:commons-collections + purl: pkg:maven/commons-collections/commons-collections + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.2.2 + versions: + - "1.0" + - "2.0" + - 2.0.20020914.015953 + - 2.0.20020914.020746 + - 2.0.20020914.020858 + - "2.1" + - 2.1.1 + - "3.0" + - 3.0-dev2 + - "3.1" + - "3.2" + - 3.2.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json + - package: + ecosystem: Maven + name: net.sourceforge.collections:collections-generic + purl: pkg:maven/net.sourceforge.collections/collections-generic + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 4.0.1 + database_specific: + 
source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json + - package: + ecosystem: Maven + name: org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic + purl: pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.collections-generic + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: "4.01" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json + - package: + ecosystem: Maven + name: org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections + purl: pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-collections + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 3.2.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2015-6420 + - type: WEB + url: https://arxiv.org/pdf/2306.05534 + - type: PACKAGE + url: https://github.com/apache/commons-collections + - type: WEB + url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917 + - type: WEB + url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722 + - type: WEB + url: https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E + - type: WEB + url: https://www.kb.cert.org/vuls/id/581311 + - type: WEB + url: https://www.tenable.com/security/research/tra-2017-14 + - type: WEB + url: https://www.tenable.com/security/research/tra-2017-23 + - type: WEB + url: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization + 
- type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html + - type: WEB + url: http://www.securityfocus.com/bid/78872 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-06-11T15:58:44Z" + nvd_published_at: "2015-12-15T05:59:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-fjq5-5j5f-mvxh + modified: 2024-02-17T05:22:18.562352Z + published: 2022-05-13T01:25:20Z + aliases: + - CVE-2015-7501 + summary: Deserialization of Untrusted Data in Apache commons collections + details: It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. + affected: + - package: + ecosystem: Maven + name: commons-collections:commons-collections + purl: pkg:maven/commons-collections/commons-collections + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.2.2 + versions: + - "1.0" + - "2.0" + - 2.0.20020914.015953 + - 2.0.20020914.020746 + - 2.0.20020914.020858 + - "2.1" + - 2.1.1 + - "3.0" + - 3.0-dev2 + - "3.1" + - "3.2" + - 3.2.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json + - package: + ecosystem: Maven + name: org.apache.commons:commons-collections4 + purl: pkg:maven/org.apache.commons/commons-collections4 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "4.1" + versions: + - "4.0" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json + - package: + ecosystem: Maven + name: org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections + purl: 
pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-collections + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.2.1 + versions: + - 3.2.1_1 + - 3.2.1_2 + - 3.2.1_3 + database_specific: + last_known_affected_version_range: < 3.2.2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json + - package: + ecosystem: Maven + name: net.sourceforge.collections:collections-generic + purl: pkg:maven/net.sourceforge.collections/collections-generic + versions: + - "4.01" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json + - package: + ecosystem: Maven + name: org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic + purl: pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.collections-generic + ranges: + - type: ECOSYSTEM + events: + - introduced: "4.01" + versions: + - "4.01_1" + database_specific: + last_known_affected_version_range: < 4.02 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2015-7501 + - type: WEB + url: https://access.redhat.com/security/vulnerabilities/2059393 + - type: WEB + url: https://access.redhat.com/solutions/2045023 + - type: WEB + url: https://arxiv.org/pdf/2306.05534.pdf + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=1279330 + - type: WEB + url: https://commons.apache.org/proper/commons-collections/release_4_1.html + - type: WEB + url: https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability + - type: PACKAGE + url: 
https://github.com/apache/commons-collections + - type: WEB + url: https://github.com/jensdietrich/xshady-release/tree/main/CVE-2015-7501 + - type: WEB + url: https://issues.apache.org/jira/browse/COLLECTIONS-580. + - type: WEB + url: https://sourceforge.net/p/collections/code/HEAD/tree + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2016-1773.html + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2022-11-03T22:57:31Z" + nvd_published_at: "2017-11-09T17:29:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-4265-ccf5-phj5 + modified: 2024-06-19T13:14:35.235591Z + published: 2024-02-19T09:30:52Z + aliases: + - CGA-96mq-j5w6-4gc5 + - CVE-2024-26308 + summary: 'Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file' + details: |+ + Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26. + + Users are recommended to upgrade to version 1.26, which fixes the issue. 
+ + affected: + - package: + ecosystem: Maven + name: org.apache.commons:commons-compress + purl: pkg:maven/org.apache.commons/commons-compress + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.21" + - fixed: 1.26.0 + versions: + - "1.21" + - "1.22" + - 1.23.0 + - 1.24.0 + - 1.25.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-4265-ccf5-phj5/GHSA-4265-ccf5-phj5.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2024-26308 + - type: PACKAGE + url: https://github.com/apache/commons-compress + - type: WEB + url: https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg + - type: WEB + url: https://security.netapp.com/advisory/ntap-20240307-0009 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2024/02/19/2 + database_specific: + cwe_ids: + - CWE-770 + github_reviewed: true + github_reviewed_at: "2024-02-20T23:59:29Z" + nvd_published_at: "2024-02-19T09:15:38Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-4g9r-vxhx-9pgx + modified: 2024-06-19T13:14:34.812344Z + published: 2024-02-19T09:30:50Z + aliases: + - CGA-2xg7-8qm4-vx87 + - CVE-2024-25710 + summary: 'Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file' + details: |+ + Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0. + + Users are recommended to upgrade to version 1.26.0 which fixes the issue. 
+ + affected: + - package: + ecosystem: Maven + name: org.apache.commons:commons-compress + purl: pkg:maven/org.apache.commons/commons-compress + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.3" + - fixed: 1.26.0 + versions: + - "1.10" + - "1.11" + - "1.12" + - "1.13" + - "1.14" + - "1.15" + - "1.16" + - 1.16.1 + - "1.17" + - "1.18" + - "1.19" + - "1.20" + - "1.21" + - "1.22" + - 1.23.0 + - 1.24.0 + - 1.25.0 + - "1.3" + - "1.4" + - 1.4.1 + - "1.5" + - "1.6" + - "1.7" + - "1.8" + - 1.8.1 + - "1.9" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-4g9r-vxhx-9pgx/GHSA-4g9r-vxhx-9pgx.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2024-25710 + - type: PACKAGE + url: https://github.com/apache/commons-compress + - type: WEB + url: https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf + - type: WEB + url: https://security.netapp.com/advisory/ntap-20240307-0010 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2024/02/19/1 + database_specific: + cwe_ids: + - CWE-835 + github_reviewed: true + github_reviewed_at: "2024-02-20T23:58:47Z" + nvd_published_at: "2024-02-19T09:15:37Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-53x6-4x5p-rrvv + modified: 2024-03-16T05:19:51.25548Z + published: 2019-10-11T18:41:08Z + aliases: + - CVE-2019-12402 + summary: Denial of Service in Apache Commons Compress + details: The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.commons:commons-compress + purl: pkg:maven/org.apache.commons/commons-compress + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.15" + - fixed: "1.19" + versions: + - "1.15" + - "1.16" + - 1.16.1 + - "1.17" + - "1.18" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-53x6-4x5p-rrvv/GHSA-53x6-4x5p-rrvv.json + - package: + ecosystem: Maven + name: io.github.1tchy.java9modular.org.apache.commons:commons-compress + purl: pkg:maven/io.github.1tchy.java9modular.org.apache.commons/commons-compress + versions: + - 1.18.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-53x6-4x5p-rrvv/GHSA-53x6-4x5p-rrvv.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-12402 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20230818-0001 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZB3GB7YXIOUKIOQ27VTIP6KKGJJ3CKL + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QLJIK2AUOZOWXR3S5XXBUNMOF3RTHTI7 + - type: 
WEB + url: https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55@%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re13bd219dd4b651134f6357f12bd07a0344eea7518c577bbdd185265@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdebc1830d6c09c11d5a4804ca26769dbd292d17d361c61dea50915f0@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd3f99d732baed459b425fb0a9e9e14f7843c9459b12037e4a9d753b5@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcc35ab6be300365de5ff9587e0479d10d7d7c79070921837e3693162@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r972f82d821b805d04602976a9736c01b6bf218cfe0c3f48b472db488@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7af60fbd8b2350d49d14e53a3ab2801998b9d1af2d6fcac60b060a53@%3Cdev.brooklyn.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5caf4fcb69d2749225391e61db7216282955204849ba94f83afe011f@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r590c15cebee9b8e757e2f738127a9a71e48ede647a3044c504e050a4@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5103b1c9242c0f812ac96e524344144402cbff9b6e078d1557bc7b1e@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4363c994c8bca033569a98da9218cc0c62bb695c1e47a98e5084e5a0@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r25422df9ad22fec56d9eeca3ab8bd6d66365e9f6bfe311b64730edf5@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r233267e24519bacd0f9fb9f61a1287cb9f4bcb6e75d83f34f405c521@%3Cissues.flink.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r21d64797914001119d2fc766b88c6da181dc2308d20f14e7a7f46117@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r05cf37c1e1e662e968cfece1102fcd50fe207181fdbf2c30aadfafd3@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/54cc4e9fa6b24520135f6fa4724dfb3465bc14703c7dc7e52353a0ea@%3Ccommits.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/308cc15f1f1dc53e97046fddbac240e6cd16de89a2746cf257be7f5b@%3Cdev.commons.apache.org%3E + - type: WEB + url: https://github.com/jensdietrich/xshady-release/tree/main/CVE-2019-12402 + database_specific: + cwe_ids: + - CWE-835 + github_reviewed: true + github_reviewed_at: "2019-09-30T09:39:36Z" + nvd_published_at: "2019-08-30T09:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-6fxm-66hq-fc96 + modified: 2024-03-11T05:32:27.181208Z + published: 2022-05-13T01:07:05Z + aliases: + - CVE-2012-2098 + summary: Uncontrolled Resource Consumption in Apache Commons Compress + details: Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.commons:commons-compress + purl: pkg:maven/org.apache.commons/commons-compress + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.4.1 + versions: + - "1.0" + - "1.1" + - "1.2" + - "1.3" + - "1.4" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6fxm-66hq-fc96/GHSA-6fxm-66hq-fc96.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2012-2098 + - type: WEB + url: https://github.com/apache/commons-compress/commit/020c03d8ef579e80511023fb46ece30e9c3dd27d + - type: WEB + url: https://github.com/apache/commons-compress/commit/0600296ab8f8a0bbdfedd483f51b38005eb8e34e + - type: WEB + url: https://github.com/apache/commons-compress/commit/1ce57d976c4f25fe99edcadf079840c278f3cb84 + - type: WEB + url: https://github.com/apache/commons-compress/commit/2ab2fcb356753927afaa731b9d2dcc47d3083408 + - type: WEB + url: https://github.com/apache/commons-compress/commit/654222e628097763ee6ca561ae77be5c06666173 + - type: WEB + url: https://github.com/apache/commons-compress/commit/6ced422bf5eca3aac05396367bafb33ec21bf74e + - type: WEB + url: https://github.com/apache/commons-compress/commit/6e95697e783767f3549f00d7d2e1b002eac4a3d4 + - type: WEB + url: https://github.com/apache/commons-compress/commit/8f702469cbf4c451b6dea349290bc4af0f6f76c7 + - type: WEB + url: https://github.com/apache/commons-compress/commit/b06f7b41c936ef1a79589d16ea5c1d8b93f71f66 + - type: WEB + url: https://github.com/apache/commons-compress/commit/cca0e6e5341aacddefd4c4d36cef7cbdbc2a8777 + - type: WEB + url: https://github.com/apache/commons-compress/commit/ea31005111f0abede7e43e4ba0012e62e0808b22 + - type: WEB + url: https://github.com/apache/commons-compress/commit/fdd7459bc5470e90024dbe762249166481cce769 + - type: WEB + url: https://web.archive.org/web/20140724002926/http://secunia.com/advisories/49286 + - type: WEB + url: 
https://web.archive.org/web/20140724023114/http://secunia.com/advisories/49255 + - type: WEB + url: https://web.archive.org/web/20200517014414/http://www.securitytracker.com/id?1027096 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://web.archive.org/web/20130525085523/http://www.securityfocus.com/bid/53676 + - type: WEB + url: https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@ + - type: PACKAGE + url: https://github.com/apache/commons-compress + - type: WEB + url: https://exchange.xforce.ibmcloud.com/vulnerabilities/75857 + - type: WEB + url: http://ant.apache.org/security.html + - type: WEB + url: http://archives.neohapsis.com/archives/bugtraq/2012-05/0130.html + - type: WEB + url: http://commons.apache.org/compress/security.html + - type: WEB + url: http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081697.html + - type: WEB + url: http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081746.html + - type: WEB + url: http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105049.html + - type: WEB + url: http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105060.html + - type: WEB + url: http://packetstormsecurity.org/files/113014/Apache-Commons-Compress-Apache-Ant-Denial-Of-Service.html + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21644047 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2023/09/13/3 + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + github_reviewed_at: "2022-07-13T21:10:51Z" + nvd_published_at: "2012-06-29T19:55:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-7hfm-57qf-j43q + modified: 2024-03-08T05:18:24.619639Z + published: 2021-08-02T16:55:07Z + aliases: + - CVE-2021-35515 + summary: Excessive Iteration in Compress + details: When reading a specially crafted 7Z archive, the construction of the list of codecs that 
decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. + affected: + - package: + ecosystem: Maven + name: org.apache.commons:commons-compress + purl: pkg:maven/org.apache.commons/commons-compress + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.21" + versions: + - "1.0" + - "1.1" + - "1.10" + - "1.11" + - "1.12" + - "1.13" + - "1.14" + - "1.15" + - "1.16" + - 1.16.1 + - "1.17" + - "1.18" + - "1.19" + - "1.2" + - "1.20" + - "1.3" + - "1.4" + - 1.4.1 + - "1.5" + - "1.6" + - "1.7" + - "1.8" + - 1.8.1 + - "1.9" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-7hfm-57qf-j43q/GHSA-7hfm-57qf-j43q.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-35515 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20211022-0001 + - type: WEB + url: https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57@%3Ccommits.druid.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rbaea15ddc5a7c0c6b66660f1d6403b28595e2561bb283eade7d7cd69@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r19ebfd71770ec0617a9ea180e321ef927b3fefb4c81ec5d1902d20ab%40%3Cuser.commons.apache.org%3E + - type: WEB + url: https://commons.apache.org/proper/commons-compress/security-reports.html + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/07/13/1 + database_specific: + cwe_ids: + - CWE-834 + - CWE-835 + github_reviewed: true + github_reviewed_at: "2021-07-14T17:35:41Z" + nvd_published_at: "2021-07-13T08:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-cgwf-w82q-5jrr + modified: 2024-02-22T02:01:05.5264Z + published: 2023-09-14T09:30:28Z + aliases: + - 
CVE-2023-42503 + summary: Apache Commons Compress denial of service vulnerability + details: "Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing.This issue affects Apache Commons Compress: from 1.22 before 1.24.0.\n\nUsers are recommended to upgrade to version 1.24.0, which fixes the issue.\n\nA third party can create a malformed TAR file by manipulating file modification times headers, which when parsed with Apache Commons Compress, will cause a denial of service issue via CPU consumption.\n\nIn version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision (issue # COMPRESS-612 [1]). The format for the PAX extended headers carrying this data consists of two numbers separated by a period [2], indicating seconds and subsecond precision (for example “1647221103.5998539”). The impacted fields are “atime”, “ctime”, “mtime” and “LIBARCHIVE.creationtime”. No input validation is performed prior to the parsing of header values.\n\nParsing of these numbers uses the BigDecimal [3] class from the JDK which has a publicly known algorithmic complexity issue when doing operations on large numbers, causing denial of service (see issue # JDK-6560193 [4]). A third party can manipulate file time headers in a TAR file by placing a number with a very long fraction (300,000 digits) or a number with exponent notation (such as “9e9999999”) within a file modification time header, and the parsing of files with these headers will take hours instead of seconds, leading to a denial of service via exhaustion of CPU resources. 
This issue is similar to CVE-2012-2098 [5].\n\n[1]: https://issues.apache.org/jira/browse/COMPRESS-612 \n[2]: https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_13_05 \n[3]: https://docs.oracle.com/javase/8/docs/api/java/math/BigDecimal.html \n[4]: https://bugs.openjdk.org/browse/JDK-6560193 \n[5]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098 \n\nOnly applications using CompressorStreamFactory class (with auto-detection of file types), TarArchiveInputStream and TarFile classes to parse TAR files are impacted. Since this code was introduced in v1.22, only that version and later versions are impacted.\n\n" + affected: + - package: + ecosystem: Maven + name: org.apache.commons:commons-compress + purl: pkg:maven/org.apache.commons/commons-compress + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.22" + - fixed: 1.24.0 + versions: + - "1.22" + - 1.23.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-cgwf-w82q-5jrr/GHSA-cgwf-w82q-5jrr.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-42503 + - type: WEB + url: https://github.com/apache/commons-compress/commit/aae38bfb820159ae7a0b792e779571f6a46b3889 + - type: PACKAGE + url: https://github.com/apache/commons-compress + - type: WEB + url: https://lists.apache.org/thread/5xwcyr600mn074vgxq92tjssrchmc93c + - type: WEB + url: https://security.netapp.com/advisory/ntap-20231020-0003 + database_specific: + cwe_ids: + - CWE-20 + - CWE-400 + github_reviewed: true + github_reviewed_at: "2023-09-14T19:35:27Z" + nvd_published_at: "2023-09-14T08:15:08Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-crv7-7245-f45f + modified: 2024-03-08T05:19:35.252507Z + published: 2021-08-02T16:55:15Z + aliases: + - CVE-2021-35516 + summary: Improper Handling of Length Parameter Inconsistency 
in Compress + details: When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package. + affected: + - package: + ecosystem: Maven + name: org.apache.commons:commons-compress + purl: pkg:maven/org.apache.commons/commons-compress + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.21" + versions: + - "1.0" + - "1.1" + - "1.10" + - "1.11" + - "1.12" + - "1.13" + - "1.14" + - "1.15" + - "1.16" + - 1.16.1 + - "1.17" + - "1.18" + - "1.19" + - "1.2" + - "1.20" + - "1.3" + - "1.4" + - 1.4.1 + - "1.5" + - "1.6" + - "1.7" + - "1.8" + - 1.8.1 + - "1.9" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-crv7-7245-f45f/GHSA-crv7-7245-f45f.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-35516 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20211022-0001 + - type: WEB + url: https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12954f37332073c9822ca%40%3Cuser.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf5b1016fb15b7118b9a5e16bb0b78cb4f1dfcf7821eb137ab5757c91@%3Cannounce.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E + - type: WEB + url: https://commons.apache.org/proper/commons-compress/security-reports.html + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/07/13/2 + database_specific: + cwe_ids: + - CWE-130 + - CWE-770 + github_reviewed: true + github_reviewed_at: "2021-07-14T18:11:52Z" + nvd_published_at: "2021-07-13T08:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-h436-432x-8fvx + modified: 2024-02-27T18:34:05.707371Z + published: 2019-03-14T15:41:12Z + aliases: + - CVE-2018-1324 + summary: Apache Commons Compress vulnerable to denial of service due to infinite loop + details: A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream 
classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package. + affected: + - package: + ecosystem: Maven + name: org.apache.commons:commons-compress + purl: pkg:maven/org.apache.commons/commons-compress + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.11" + - fixed: "1.16" + versions: + - "1.11" + - "1.12" + - "1.13" + - "1.14" + - "1.15" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-h436-432x-8fvx/GHSA-h436-432x-8fvx.json + - package: + ecosystem: Maven + name: com.liferay:com.liferay.portal.tools.bundle.support + purl: pkg:maven/com.liferay/com.liferay.portal.tools.bundle.support + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.2.7 + - fixed: 3.7.4 + versions: + - 3.2.7 + - 3.3.0 + - 3.4.0 + - 3.4.1 + - 3.4.2 + - 3.4.3 + - 3.5.0 + - 3.5.1 + - 3.5.2 + - 3.5.3 + - 3.5.4 + - 3.5.5 + - 3.5.6 + - 3.6.0 + - 3.6.1 + - 3.7.0 + - 3.7.1 + - 3.7.2 + - 3.7.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-h436-432x-8fvx/GHSA-h436-432x-8fvx.json + - package: + ecosystem: Maven + name: io.takari:commons-compress + purl: pkg:maven/io.takari/commons-compress + versions: + - "1.12" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-h436-432x-8fvx/GHSA-h436-432x-8fvx.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-1324 + - type: WEB + url: https://github.com/apache/commons-compress/commit/2a2f1dc48e22a34ddb72321a4db211da91aa933b + - type: WEB + url: https://arxiv.org/pdf/2306.05534.pdf + - type: ADVISORY + url: https://github.com/advisories/GHSA-h436-432x-8fvx + - type: PACKAGE + url: https://github.com/apache/commons-compress + - type: WEB + 
url: https://github.com/jensdietrich/xshady-release/tree/main/CVE-2018-1324 + - type: WEB + url: https://lists.apache.org/thread.html/1c7b6df6d1c5c8583518a0afa017782924918e4d6acfaf23ed5b2089@%3Cdev.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd@%3Cdev.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5532dc8d5456b5151e8c286801e2e5769f5c04118b29c3b5d13ea387@%3Cissues.beam.apache.org%3E + database_specific: + cwe_ids: + - CWE-835 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:38:39Z" + nvd_published_at: "2018-03-16T13:29:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-hrmr-f5m6-m9pq + modified: 2024-06-05T17:33:15.862538Z + published: 2018-10-19T16:41:27Z + aliases: + - CVE-2018-11771 + summary: Moderate severity vulnerability that affects org.apache.commons:commons-compress + details: When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.commons:commons-compress + purl: pkg:maven/org.apache.commons/commons-compress + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.7" + - fixed: "1.18" + versions: + - "1.10" + - "1.11" + - "1.12" + - "1.13" + - "1.14" + - "1.15" + - "1.16" + - 1.16.1 + - "1.17" + - "1.7" + - "1.8" + - 1.8.1 + - "1.9" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-hrmr-f5m6-m9pq/GHSA-hrmr-f5m6-m9pq.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-11771 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9cdd32af7d73e943452167d15801db39e8130409ebb9efb243b3f41@%3Ccommits.tinkerpop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f28052d04cb8dbaae39bfd3dc8438e58c2a8be306a3f381f4728d7c1@%3Ccommits.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/eeecc1669242b28a3777ae13c68b376b0148d589d3d8170340d61120@%3Cdev.tinkerpop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e3eae9e6fc021c4c22dda59a335d21c12eecab480b48115a2f098ef6@%3Ccommits.tinkerpop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/c7954dc1e8fafd7ca1449f078953b419ebf8936e087f235f3bd024be@%3Ccommits.tinkerpop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b907e70bc422905d7962fd18f863f746bf7b4e7ed9da25c148580c61@%3Cnotifications.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd@%3Cdev.creadur.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/b8da751fc0ca949534cdf2744111da6bb0349d2798fac94b0a50f330@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/714c6ac1b1b50f8557e7342903ef45f1538a7bc60a0b47d6e48c273d@%3Ccommits.tinkerpop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6c79965066c30d4e330e04d911d3761db41b82c89ae38d9a6b37a6f1@%3Cdev.tinkerpop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/35f60d6d0407c13c39411038ba1aca71d92595ed7041beff4d07f2ee@%3Ccommits.tinkerpop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3565494c263dfeb4dcb2a71cb24d09a1ca285cd6ac74edc025a3af8a@%3Ccommits.tinkerpop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/0adb631517766e793e18a59723e2df08ced41eb9a57478f14781c9f7@%3Cdev.tinkerpop.apache.org%3E + - type: PACKAGE + url: https://github.com/apache/commons-compress + - type: WEB + url: http://www.securityfocus.com/bid/105139 + - type: WEB + url: http://www.securitytracker.com/id/1041503 + database_specific: + cwe_ids: + - CWE-835 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:40:55Z" + nvd_published_at: "2018-08-16T15:29:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-mc84-pj99-q6hh + modified: 2024-03-08T05:19:48.954731Z + published: 2021-08-02T16:55:53Z + aliases: + - CVE-2021-36090 + summary: Improper Handling of Length Parameter Inconsistency in Compress + details: When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.commons:commons-compress + purl: pkg:maven/org.apache.commons/commons-compress + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.21" + versions: + - "1.0" + - "1.1" + - "1.10" + - "1.11" + - "1.12" + - "1.13" + - "1.14" + - "1.15" + - "1.16" + - 1.16.1 + - "1.17" + - "1.18" + - "1.19" + - "1.2" + - "1.20" + - "1.3" + - "1.4" + - 1.4.1 + - "1.5" + - "1.6" + - "1.7" + - "1.8" + - 1.8.1 + - "1.9" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-mc84-pj99-q6hh/GHSA-mc84-pj99-q6hh.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-36090 + - type: WEB + url: https://commons.apache.org/proper/commons-compress/security-reports.html + - type: WEB + url: https://lists.apache.org/thread.html/rbbf42642c3e4167788a7c13763d192ee049604d099681f765385d99d@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3Cuser.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc7df4c2f0bbe2028a1498a46d322c91184f7a369e3e4c57d9518cacf@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38@%3Cuser.ant.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88@%3Ccommits.druid.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rf3f0a09fee197168a813966c5816157f6c600a47313a0d6813148ea6@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf93b6bb267580e01deb7f3696f7eaca00a290c66189a658cf7230a1a@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20211022-0001 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://lists.apache.org/thread.html/r0e87177f8e78b4ee453cd4d3d8f4ddec6f10d2c27707dd71e12cafc9@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r25f4c44616045085bc3cf901bb7e68e445eee53d1966fc08998fc456@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3227b1287e5bd8db6523b862c22676b046ad8f4fc96433225f46a2bd@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4f03c5de923e3f2a8c316248681258125140514ef3307bfe1538e1ab@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r54049b66afbca766b6763c7531e9fe7a20293a112bcb65462a134949@%3Ccommits.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r75ffc7a461e7e7ae77690fa75bd47bb71365c732e0fbcc44da4f8ff5@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9a23d4dbf4e34d498664080bff59f2893b855eb16dae33e4aa92fa53@%3Cannounce.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb5fa2ee61828fa2e42361b58468717e84902dd71c4aea8dc0b865df7@%3Cnotifications.james.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/07/13/4 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/07/13/6 + database_specific: + cwe_ids: + - CWE-130 + github_reviewed: true + github_reviewed_at: "2021-07-14T19:37:10Z" + nvd_published_at: "2021-07-13T08:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-xqfj-vm6h-2x34 + modified: 2024-03-08T05:19:25.295269Z + published: 2021-08-02T16:55:39Z + aliases: + - CVE-2021-35517 + summary: Improper Handling of Length Parameter Inconsistency in Compress + details: When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. 
This could be used to mount a denial of service attack against services that use Compress' tar package. + affected: + - package: + ecosystem: Maven + name: org.apache.commons:commons-compress + purl: pkg:maven/org.apache.commons/commons-compress + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.21" + versions: + - "1.0" + - "1.1" + - "1.10" + - "1.11" + - "1.12" + - "1.13" + - "1.14" + - "1.15" + - "1.16" + - 1.16.1 + - "1.17" + - "1.18" + - "1.19" + - "1.2" + - "1.20" + - "1.3" + - "1.4" + - 1.4.1 + - "1.5" + - "1.6" + - "1.7" + - "1.8" + - 1.8.1 + - "1.9" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-xqfj-vm6h-2x34/GHSA-xqfj-vm6h-2x34.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-35517 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20211022-0001 + - type: WEB + url: https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a642d80fba20203@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46@%3Cuser.ant.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r457b2ed564860996b20d938566fe8bd4bfb7c37be8e205448ccb5975@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7bcf78ae04007c29@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://commons.apache.org/proper/commons-compress/security-reports.html + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/07/13/3 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/07/13/5 + database_specific: + cwe_ids: + - CWE-130 + - CWE-770 + github_reviewed: true + github_reviewed_at: "2021-07-14T18:12:57Z" + nvd_published_at: "2021-07-13T08:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-7qx4-pp76-vrqh + modified: 2023-11-08T04:02:46.926629Z + published: 
2020-05-21T19:08:08Z + aliases: + - CVE-2020-1953 + summary: Remote code execution in Apache Commons Configuration + details: Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. So if a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application. + affected: + - package: + ecosystem: Maven + name: org.apache.commons:commons-configuration2 + purl: pkg:maven/org.apache.commons/commons-configuration2 + ranges: + - type: ECOSYSTEM + events: + - introduced: "2.2" + - fixed: "2.7" + versions: + - "2.2" + - "2.3" + - "2.4" + - "2.5" + - "2.6" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-7qx4-pp76-vrqh/GHSA-7qx4-pp76-vrqh.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-1953 + - type: WEB + url: https://github.com/apache/commons-configuration/commit/add7375cf37fd316d4838c6c56b054fc293b4641 + - type: WEB + url: https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600@%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r16a2e949e35780c8974cf66104e812410f3904f752df6b66bf292269@%3Ccommits.servicecomb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f9a3b7e1d1dd3b64676@%3Ccommits.camel.apache.org%3E + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + database_specific: + cwe_ids: + - CWE-20 + github_reviewed: true + github_reviewed_at: "2020-05-21T17:12:19Z" + nvd_published_at: "2020-03-13T15:15:00Z" + severity: CRITICAL 
+ - schema_version: 1.6.0 + id: GHSA-9w38-p64v-xpmv + modified: 2024-05-02T19:01:50.467813Z + published: 2024-03-21T09:31:14Z + aliases: + - CVE-2024-29133 + summary: 'Apache Commons Configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree' + details: "This Out-of-bounds Write vulnerability in Apache Commons Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1. User can see this as a 'StackOverflowError' calling 'ListDelimiterHandler.flatten(Object, int)' with a cyclical object tree.\nUsers are recommended to upgrade to version 2.10.1, which fixes the issue. \n\n" + affected: + - package: + ecosystem: Maven + name: org.apache.commons:commons-configuration2 + purl: pkg:maven/org.apache.commons/commons-configuration2 + ranges: + - type: ECOSYSTEM + events: + - introduced: "2.0" + - fixed: 2.10.1 + versions: + - "2.0" + - "2.1" + - 2.1.1 + - 2.10.0 + - "2.2" + - "2.3" + - "2.4" + - "2.5" + - "2.6" + - "2.7" + - 2.8.0 + - 2.9.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-9w38-p64v-xpmv/GHSA-9w38-p64v-xpmv.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2024-29133 + - type: WEB + url: https://github.com/apache/commons-configuration/commit/43f4dab021e9acb8db390db2ae80aa0cee4f9ee4 + - type: WEB + url: https://issues.apache.org/jira/browse/CONFIGURATION-841 + - type: WEB + url: https://lists.apache.org/thread/ccb9w15bscznh6tnp3wsvrrj9crbszh2 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SNKDKEEKZNL5FGCTZKJ6CFXFVWFL5FJ7 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YD4AFTIIQW662LUAQRMWS6BBKYSZG3YS + - type: PACKAGE + url: apache/commons-configuration + - type: WEB + 
url: http://www.openwall.com/lists/oss-security/2024/03/20/3 + database_specific: + cwe_ids: + - CWE-787 + github_reviewed: true + github_reviewed_at: "2024-03-21T18:59:08Z" + nvd_published_at: "2024-03-21T09:15:07Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-xj57-8qj4-c4m6 + modified: 2024-02-17T05:33:18.672687Z + published: 2022-07-07T00:00:26Z + aliases: + - CVE-2022-33980 + summary: Code injection in Apache Commons Configuration + details: 'Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.' 
+ affected: + - package: + ecosystem: Maven + name: org.apache.commons:commons-configuration2 + purl: pkg:maven/org.apache.commons/commons-configuration2 + ranges: + - type: ECOSYSTEM + events: + - introduced: "2.4" + - fixed: 2.8.0 + versions: + - "2.4" + - "2.5" + - "2.6" + - "2.7" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-xj57-8qj4-c4m6/GHSA-xj57-8qj4-c4m6.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-33980 + - type: WEB + url: https://commons.apache.org/proper/commons-configuration/changes-report.html#a2.8.0 + - type: PACKAGE + url: https://github.com/apache/commons-configuration + - type: WEB + url: https://issues.apache.org/jira/browse/CONFIGURATION-753 + - type: WEB + url: https://issues.apache.org/jira/browse/CONFIGURATION-764 + - type: WEB + url: https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s + - type: WEB + url: https://security.netapp.com/advisory/ntap-20221028-0015 + - type: WEB + url: https://www.debian.org/security/2022/dsa-5290 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2022/07/06/5 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2022/11/15/4 + database_specific: + cwe_ids: + - CWE-74 + github_reviewed: true + github_reviewed_at: "2022-07-07T16:56:07Z" + nvd_published_at: "2022-07-06T13:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-xjp4-hw94-mvp5 + modified: 2024-05-02T19:03:02.271426Z + published: 2024-03-21T09:31:14Z + aliases: + - CVE-2024-29131 + summary: 'Apache Commons Configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()' + details: "This Out-of-bounds Write vulnerability in Apache Commons Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1. 
User can see this as a 'StackOverflowError' when adding a property in 'AbstractListDelimiterHandler.flattenIterator()'.\nUsers are recommended to upgrade to version 2.10.1, which fixes the issue. \n\n" + affected: + - package: + ecosystem: Maven + name: org.apache.commons:commons-configuration2 + purl: pkg:maven/org.apache.commons/commons-configuration2 + ranges: + - type: ECOSYSTEM + events: + - introduced: "2.0" + - fixed: 2.10.1 + versions: + - "2.0" + - "2.1" + - 2.1.1 + - 2.10.0 + - "2.2" + - "2.3" + - "2.4" + - "2.5" + - "2.6" + - "2.7" + - 2.8.0 + - 2.9.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-xjp4-hw94-mvp5/GHSA-xjp4-hw94-mvp5.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2024-29131 + - type: WEB + url: https://github.com/apache/commons-configuration/commit/56b5c4dcdffbde27870df5a3105d6a5f9b22f554 + - type: PACKAGE + url: https://github.com/apache/commons-configuration + - type: WEB + url: https://issues.apache.org/jira/browse/CONFIGURATION-840 + - type: WEB + url: https://lists.apache.org/thread/03nzzzjn4oknyw5y0871tw7ltj0t3r37 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SNKDKEEKZNL5FGCTZKJ6CFXFVWFL5FJ7 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YD4AFTIIQW662LUAQRMWS6BBKYSZG3YS + - type: WEB + url: http://www.openwall.com/lists/oss-security/2024/03/20/4 + database_specific: + cwe_ids: + - CWE-787 + github_reviewed: true + github_reviewed_at: "2024-03-21T18:58:52Z" + nvd_published_at: "2024-03-21T09:15:07Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-599f-7c49-w659 + modified: 2024-02-16T08:09:06.872889Z + published: 2022-10-13T19:00:17Z + aliases: + - CVE-2022-42889 + summary: Arbitrary code 
execution in Apache Commons Text + details: 'Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.' 
+ affected: + - package: + ecosystem: Maven + name: org.apache.commons:commons-text + purl: pkg:maven/org.apache.commons/commons-text + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.5" + - fixed: 1.10.0 + versions: + - "1.5" + - "1.6" + - "1.7" + - "1.8" + - "1.9" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-599f-7c49-w659/GHSA-599f-7c49-w659.json + - package: + ecosystem: Maven + name: com.guicedee.services:commons-text + purl: pkg:maven/com.guicedee.services/commons-text + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 1.2.2.1-jre17 + versions: + - 0.70.0.1 + - 0.70.0.1-rc1 + - 0.70.0.1-rc13 + - 0.70.0.1-rc14 + - 0.70.0.1-rc15 + - 0.70.0.1-rc2 + - 0.70.0.1-rc3 + - 0.70.0.1-rc4 + - 0.70.0.1-rc5 + - 0.70.0.2 + - 0.70.0.3 + - 0.70.0.4 + - 0.70.0.5 + - 0.70.0.6 + - 0.70.0.7 + - 1.0.0.0 + - 1.0.1.0 + - 1.0.1.0-jre12 + - 1.0.1.0-jre13 + - 1.0.1.0-jre8 + - 1.0.1.1 + - 1.0.1.1-jre12 + - 1.0.1.1-jre13 + - 1.0.1.1-jre8 + - 1.0.1.2 + - 1.0.1.3 + - 1.0.1.3-jre12 + - 1.0.1.3-jre13 + - 1.0.1.3-jre8 + - 1.0.1.4 + - 1.0.1.4-jre12 + - 1.0.1.4-jre13 + - 1.0.1.4-jre8 + - 1.0.1.5 + - 1.0.1.5-jre12 + - 1.0.1.5-jre13 + - 1.0.1.5-jre8 + - 1.0.1.6 + - 1.0.1.6-jre12 + - 1.0.1.6-jre13 + - 1.0.1.7 + - 1.0.1.7-jre12 + - 1.0.1.7-jre13 + - 1.0.1.7-jre8 + - 1.0.10.0 + - 1.0.10.0-jre13 + - 1.0.10.0-jre14 + - 1.0.10.1 + - 1.0.10.1-jre14 + - 1.0.10.3 + - 1.0.10.3-jre14 + - 1.0.10.4 + - 1.0.10.4-jre12 + - 1.0.10.4-jre13 + - 1.0.10.4-jre14 + - 1.0.11.0-jre14 + - 1.0.11.2-jre14 + - 1.0.11.5 + - 1.0.11.5-jre12 + - 1.0.11.5-jre14 + - 1.0.11.6-jre14 + - 1.0.11.7 + - 1.0.11.7-jre12 + - 1.0.11.7-jre14 + - 1.0.12.0 + - 1.0.12.0-jre12 + - 1.0.12.0-jre13 + - 1.0.12.0-jre14 + - 1.0.12.0-jre8 + - 1.0.12.1 + - 1.0.12.1-jre12 + - 1.0.12.1-jre14 + - 1.0.12.2 + - 1.0.12.2-jre12 + - 1.0.12.2-jre14 + - 1.0.12.3 + - 1.0.12.3-jre12 + - 1.0.12.3-jre13 + - 1.0.12.3-jre14 + - 1.0.12.4 + - 
1.0.12.4-jre12 + - 1.0.12.4-jre13 + - 1.0.12.4-jre14 + - 1.0.12.4-jre8 + - 1.0.12.5 + - 1.0.12.5-jre14 + - 1.0.13.0 + - 1.0.13.0-jre12 + - 1.0.13.0-jre13 + - 1.0.13.0-jre14 + - 1.0.13.0-jre8 + - 1.0.13.1 + - 1.0.13.1-jre13 + - 1.0.13.1-jre14 + - 1.0.13.1-jre8 + - 1.0.13.2 + - 1.0.13.2-jre12 + - 1.0.13.2-jre13 + - 1.0.13.2-jre14 + - 1.0.13.2-jre8 + - 1.0.13.3 + - 1.0.13.3-jre14 + - 1.0.13.4 + - 1.0.13.4-jre12 + - 1.0.13.4-jre13 + - 1.0.13.4-jre14 + - 1.0.13.5 + - 1.0.13.5-jre12 + - 1.0.13.5-jre14 + - 1.0.13.5-jre8 + - 1.0.14.0-RC1-jre14 + - 1.0.14.0-RC1-jre8 + - 1.0.14.1 + - 1.0.14.1-jre12 + - 1.0.14.1-jre13 + - 1.0.14.1-jre14 + - 1.0.14.1-jre8 + - 1.0.14.3-jre8 + - 1.0.14.4-jre14 + - 1.0.14.4-jre8 + - 1.0.15.1 + - 1.0.15.1-jre12 + - 1.0.15.1-jre13 + - 1.0.15.1-jre14 + - 1.0.15.1-jre8 + - 1.0.15.2 + - 1.0.15.2-jre12 + - 1.0.15.2-jre14 + - 1.0.15.2-jre8 + - 1.0.15.3-jre14 + - 1.0.15.3-jre8 + - 1.0.15.4 + - 1.0.15.4-jre14 + - 1.0.15.4-jre8 + - 1.0.15.5 + - 1.0.15.5-jre14 + - 1.0.15.5-jre8 + - 1.0.16.0 + - 1.0.16.0-jre14 + - 1.0.16.0-jre8 + - 1.0.17.0 + - 1.0.17.0-jre14 + - 1.0.17.1 + - 1.0.17.1-jre14 + - 1.0.17.1-jre8 + - 1.0.18.0 + - 1.0.18.0-jre14 + - 1.0.18.0-jre15 + - 1.0.18.0-jre8 + - 1.0.18.1 + - 1.0.18.1-jre14 + - 1.0.18.1-jre15 + - 1.0.18.1-jre8 + - 1.0.19.0 + - 1.0.19.0-jre14 + - 1.0.19.0-jre15 + - 1.0.19.1 + - 1.0.19.1-jre12 + - 1.0.19.1-jre13 + - 1.0.19.1-jre14 + - 1.0.19.1-jre15 + - 1.0.19.1-jre8 + - 1.0.19.10 + - 1.0.19.10-jre12 + - 1.0.19.10-jre14 + - 1.0.19.10-jre15 + - 1.0.19.10-jre8 + - 1.0.19.11 + - 1.0.19.11-jre14 + - 1.0.19.11-jre8 + - 1.0.19.12-jre14 + - 1.0.19.12-jre8 + - 1.0.19.13 + - 1.0.19.13-jre14 + - 1.0.19.13-jre15 + - 1.0.19.13-jre8 + - 1.0.19.2 + - 1.0.19.2-jre13 + - 1.0.19.2-jre14 + - 1.0.19.2-jre15 + - 1.0.19.2-jre8 + - 1.0.19.3 + - 1.0.19.3-jre13 + - 1.0.19.3-jre14 + - 1.0.19.3-jre15 + - 1.0.19.3-jre8 + - 1.0.19.4 + - 1.0.19.4-jre14 + - 1.0.19.4-jre15 + - 1.0.19.4-jre8 + - 1.0.19.5 + - 1.0.19.5-jre14 + - 1.0.19.5-jre15 + - 
1.0.19.5-jre8 + - 1.0.19.6 + - 1.0.19.6-jre14 + - 1.0.19.6-jre8 + - 1.0.19.7-jre14 + - 1.0.19.7-jre8 + - 1.0.19.8-jre8 + - 1.0.19.9 + - 1.0.19.9-jre13 + - 1.0.19.9-jre14 + - 1.0.19.9-jre15 + - 1.0.19.9-jre8 + - 1.0.2.0 + - 1.0.2.0-jre12 + - 1.0.2.0-jre13 + - 1.0.2.0-jre8 + - 1.0.2.1 + - 1.0.2.1-jre12 + - 1.0.2.1-jre13 + - 1.0.2.10 + - 1.0.2.10-jre12 + - 1.0.2.10-jre13 + - 1.0.2.11 + - 1.0.2.11-jre13 + - 1.0.2.12 + - 1.0.2.12-jre13 + - 1.0.2.13 + - 1.0.2.13-jre13 + - 1.0.2.14 + - 1.0.2.14-jre13 + - 1.0.2.15 + - 1.0.2.15-jre13 + - 1.0.2.16-jre13 + - 1.0.2.17-jre13 + - 1.0.2.18 + - 1.0.2.18-jre12 + - 1.0.2.18-jre13 + - 1.0.2.2 + - 1.0.2.2-jre12 + - 1.0.2.2-jre13 + - 1.0.2.2-jre8 + - 1.0.2.3 + - 1.0.2.3-jre12 + - 1.0.2.3-jre13 + - 1.0.2.3-jre8 + - 1.0.2.4 + - 1.0.2.4-jre12 + - 1.0.2.4-jre13 + - 1.0.2.6-jre13 + - 1.0.2.7-jre12 + - 1.0.2.7-jre13 + - 1.0.2.8 + - 1.0.2.8-jre12 + - 1.0.2.8-jre13 + - 1.0.2.9-jre12 + - 1.0.2.9-jre13 + - 1.0.20.0 + - 1.0.20.0-jre14 + - 1.0.20.0-jre15 + - 1.0.20.0-jre8 + - 1.0.20.1 + - 1.0.20.1-jre14 + - 1.0.20.1-jre15 + - 1.0.20.1-jre8 + - 1.0.20.2 + - 1.0.20.2-jre14 + - 1.0.20.2-jre15 + - 1.0.20.2-jre8 + - 1.0.3.1-jre13 + - 1.0.3.2 + - 1.0.3.2-jre13 + - 1.0.3.3 + - 1.0.3.3-jre12 + - 1.0.3.3-jre13 + - 1.0.4.1-jre13 + - 1.0.4.2 + - 1.0.4.2-jre13 + - 1.0.4.3-jre13 + - 1.0.4.4 + - 1.0.4.4-jre13 + - 1.0.5.0 + - 1.0.5.0-jre13 + - 1.0.5.1 + - 1.0.5.1-jre12 + - 1.0.5.1-jre13 + - 1.0.5.2 + - 1.0.5.2-jre12 + - 1.0.5.2-jre13 + - 1.0.5.3 + - 1.0.5.3-jre12 + - 1.0.5.3-jre13 + - 1.0.5.4-jre13 + - 1.0.5.4-jre14 + - 1.0.5.5 + - 1.0.5.5-jre12 + - 1.0.5.5-jre13 + - 1.0.5.5-jre14 + - 1.0.6.1 + - 1.0.6.1-jre12 + - 1.0.6.1-jre13 + - 1.0.6.1-jre14 + - 1.0.6.2 + - 1.0.6.2-jre12 + - 1.0.6.2-jre13 + - 1.0.6.2-jre14 + - 1.0.6.3 + - 1.0.6.3-jre12 + - 1.0.6.3-jre13 + - 1.0.6.3-jre14 + - 1.0.6.4-jre14 + - 1.0.6.5 + - 1.0.6.5-jre12 + - 1.0.6.5-jre13 + - 1.0.6.5-jre14 + - 1.0.6.7 + - 1.0.6.7-jre14 + - 1.0.7.0 + - 1.0.7.0-jre12 + - 1.0.7.0-jre13 + - 1.0.7.0-jre14 + - 
1.0.7.1 + - 1.0.7.1-jre13 + - 1.0.7.1-jre14 + - 1.0.7.10 + - 1.0.7.10-jre13 + - 1.0.7.10-jre14 + - 1.0.7.11 + - 1.0.7.11-jre14 + - 1.0.7.12 + - 1.0.7.12-jre12 + - 1.0.7.12-jre13 + - 1.0.7.12-jre14 + - 1.0.7.2-jre14 + - 1.0.7.3 + - 1.0.7.3-jre13 + - 1.0.7.3-jre14 + - 1.0.7.4 + - 1.0.7.4-jre14 + - 1.0.7.5 + - 1.0.7.5-jre14 + - 1.0.7.6 + - 1.0.7.6-jre14 + - 1.0.7.9 + - 1.0.7.9-jre14 + - 1.0.8.1 + - 1.0.8.1-jre14 + - 1.0.8.12 + - 1.0.8.12-jre12 + - 1.0.8.12-jre14 + - 1.0.8.16 + - 1.0.8.16-jre14 + - 1.0.8.18 + - 1.0.8.18-jre14 + - 1.0.8.2 + - 1.0.8.2-jre13 + - 1.0.8.2-jre14 + - 1.0.8.3 + - 1.0.8.3-jre13 + - 1.0.8.3-jre14 + - 1.0.8.4 + - 1.0.8.4-jre12 + - 1.0.8.4-jre13 + - 1.0.8.4-jre14 + - 1.0.8.5 + - 1.0.8.5-jre12 + - 1.0.8.5-jre13 + - 1.0.8.5-jre14 + - 1.0.8.6-jre14 + - 1.0.9.0 + - 1.0.9.0-jre14 + - 1.0.9.1 + - 1.0.9.1-jre14 + - 1.0.9.10 + - 1.0.9.10-jre14 + - 1.0.9.11 + - 1.0.9.11-jre14 + - 1.0.9.13 + - 1.0.9.13-jre14 + - 1.0.9.14 + - 1.0.9.14-jre14 + - 1.0.9.2 + - 1.0.9.2-jre14 + - 1.0.9.3-jre14 + - 1.0.9.4-jre14 + - 1.0.9.5-jre14 + - 1.0.9.7-jre14 + - 1.1.0.0-jre15 + - 1.1.0.1 + - 1.1.0.1-jre14 + - 1.1.0.1-jre15 + - 1.1.0.2 + - 1.1.0.2-jre14 + - 1.1.0.2-jre15 + - 1.1.0.3 + - 1.1.0.3-jre14 + - 1.1.0.3-jre15 + - 1.1.0.3-jre8 + - 1.1.0.4-jre14 + - 1.1.0.4-jre15 + - 1.1.0.4-jre8 + - 1.1.0.5-jre14 + - 1.1.0.5-jre15 + - 1.1.0.6 + - 1.1.0.6-jre14 + - 1.1.0.6-jre15 + - 1.1.0.7 + - 1.1.0.7-jre14 + - 1.1.0.7-jre15 + - 1.1.0.7-jre8 + - 1.1.0.8-SNAPSHOT-jre14 + - 1.1.1.0 + - 1.1.1.0-SNAPSHOT-jre14 + - 1.1.1.0-SNAPSHOT-jre15 + - 1.1.1.0-SNAPSHOT-jre8 + - 1.1.1.0-jre14 + - 1.1.1.0-jre15 + - 1.1.1.0-jre8 + - 1.1.1.1-SP1 + - 1.1.1.1-jre14-SP1 + - 1.1.1.1-jre15-SP1 + - 1.1.1.2 + - 1.1.1.2-jre14 + - 1.1.1.2-jre15 + - 1.1.1.3 + - 1.1.1.3-jre14 + - 1.1.1.3-jre15 + - 1.1.1.3-jre16 + - 1.1.1.3-jre8 + - 1.1.1.4 + - 1.1.1.4-jre14 + - 1.1.1.4-jre15 + - 1.1.1.4-jre16 + - 1.1.1.4-jre8 + - 1.1.1.5-jre15 + - 1.1.1.7 + - 1.1.1.7-jre15 + - 1.1.1.7-jre16 + - 1.1.1.7-jre8 + - 1.1.1.8-jre15 + - 
1.1.1.8-jre16 + - 1.1.1.9-jre15 + - 1.1.1.9-jre16 + - 1.2.0.0-jre16 + - 1.2.0.1-jre11 + - 1.2.0.1-jre15 + - 1.2.0.1-jre16 + - 1.2.0.2-jre16 + - 1.2.0.3-jre17-rc1 + - 1.2.1.1-jre17 + - 1.2.1.2-jre17 + - 1.2.2.1 + - 1.2.2.1-jre17 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-599f-7c49-w659/GHSA-599f-7c49-w659.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-42889 + - type: WEB + url: https://arxiv.org/pdf/2306.05534 + - type: PACKAGE + url: https://github.com/apache/commons-text + - type: WEB + url: https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om + - type: WEB + url: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022 + - type: WEB + url: https://security.gentoo.org/glsa/202301-05 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20221020-0004 + - type: ADVISORY + url: https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text + - type: WEB + url: http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html + - type: WEB + url: http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html + - type: WEB + url: http://seclists.org/fulldisclosure/2023/Feb/3 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2022/10/13/4 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2022/10/18/1 + database_specific: + cwe_ids: + - CWE-94 + github_reviewed: true + github_reviewed_at: "2022-10-13T20:22:17Z" + nvd_published_at: "2022-10-13T13:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-cx3q-cv6w-mx4h + modified: 2023-11-08T03:57:53.766909Z + published: 2022-05-17T00:51:52Z + aliases: + - CVE-2015-3250 + summary: Exposure of Sensitive Information to an Unauthorized Actor in Apache Directory LDAP API + 
details: Apache Directory LDAP API before 1.0.0-M31 allows attackers to conduct timing attacks via unspecified vectors. + affected: + - package: + ecosystem: Maven + name: org.apache.directory.api:api-ldap-model + purl: pkg:maven/org.apache.directory.api/api-ldap-model + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.0.0-M31 + versions: + - 1.0.0-M14 + - 1.0.0-M15 + - 1.0.0-M16 + - 1.0.0-M17 + - 1.0.0-M18 + - 1.0.0-M19 + - 1.0.0-M20 + - 1.0.0-M21 + - 1.0.0-M22 + - 1.0.0-M23 + - 1.0.0-M24 + - 1.0.0-M25 + - 1.0.0-M26 + - 1.0.0-M27 + - 1.0.0-M28 + - 1.0.0-M29 + - 1.0.0-M30 + database_specific: + last_known_affected_version_range: <= 1.0.0-M30 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cx3q-cv6w-mx4h/GHSA-cx3q-cv6w-mx4h.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2015-3250 + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=1241163 + - type: WEB + url: http://directory.apache.org/api/#news_1 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2015/07/07/11 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2015/07/07/5 + database_specific: + cwe_ids: + - CWE-200 + github_reviewed: true + github_reviewed_at: "2022-07-06T20:17:29Z" + nvd_published_at: "2017-09-07T13:29:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-jpmf-8cj2-595g + modified: 2023-11-08T03:57:39.881301Z + published: 2022-05-17T04:20:31Z + aliases: + - CVE-2014-3627 + summary: Improper Link Resolution Before File Access in Apache Hadoop + details: The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, 
related to distributed cache. + affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-client + purl: pkg:maven/org.apache.hadoop/hadoop-client + ranges: + - type: ECOSYSTEM + events: + - introduced: 0.23.0 + - fixed: 1.0.1 + versions: + - 0.23.1 + - 0.23.10 + - 0.23.11 + - 0.23.3 + - 0.23.4 + - 0.23.5 + - 0.23.6 + - 0.23.7 + - 0.23.8 + - 0.23.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jpmf-8cj2-595g/GHSA-jpmf-8cj2-595g.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-client + purl: pkg:maven/org.apache.hadoop/hadoop-client + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.5.2 + versions: + - 2.0.1-alpha + - 2.0.2-alpha + - 2.0.3-alpha + - 2.0.4-alpha + - 2.0.5-alpha + - 2.0.6-alpha + - 2.1.0-beta + - 2.1.1-beta + - 2.2.0 + - 2.3.0 + - 2.4.0 + - 2.4.1 + - 2.5.0 + - 2.5.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jpmf-8cj2-595g/GHSA-jpmf-8cj2-595g.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2014-3627 + - type: WEB + url: http://mail-archives.apache.org/mod_mbox/hadoop-general/201411.mbox/%3CCALwhT97dOi04aC3VbekaB+zn2UAS_OZV2EAiP78GmjnMzfp2Ug@mail.gmail.com%3E + database_specific: + cwe_ids: + - CWE-59 + github_reviewed: true + github_reviewed_at: "2022-07-07T22:33:19Z" + nvd_published_at: "2014-12-05T16:59:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-pr9x-qmp5-j3rr + modified: 2023-11-08T03:59:20.588772Z + published: 2022-05-13T01:08:56Z + aliases: + - CVE-2017-3162 + summary: Improper Input Validation in Apache Hadoop + details: HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-client + purl: pkg:maven/org.apache.hadoop/hadoop-client + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.7.0 + versions: + - 0.23.1 + - 0.23.10 + - 0.23.11 + - 0.23.3 + - 0.23.4 + - 0.23.5 + - 0.23.6 + - 0.23.7 + - 0.23.8 + - 0.23.9 + - 1.0.1 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.1.0 + - 1.1.1 + - 1.1.2 + - 1.2.0 + - 1.2.1 + - 2.0.0-alpha + - 2.0.1-alpha + - 2.0.2-alpha + - 2.0.3-alpha + - 2.0.4-alpha + - 2.0.5-alpha + - 2.0.6-alpha + - 2.1.0-beta + - 2.1.1-beta + - 2.2.0 + - 2.3.0 + - 2.4.0 + - 2.4.1 + - 2.5.0 + - 2.5.1 + - 2.5.2 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + database_specific: + last_known_affected_version_range: <= 2.6.5 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pr9x-qmp5-j3rr/GHSA-pr9x-qmp5-j3rr.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-3162 + - type: WEB + url: https://lists.apache.org/thread.html/r127f75748fcabc63bc5a1bec6885753eb9b2bed803b6ed7bd46f965b@%3Cuser.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r66de86b9a608c1da70b2d27d765c11ec88edf6e5dd6f379ab33e072a@%3Cuser.flink.apache.org%3E + - type: WEB + url: https://s.apache.org/k2ss + - type: WEB + url: http://www.securityfocus.com/bid/98017 + database_specific: + cwe_ids: + - CWE-20 + github_reviewed: true + github_reviewed_at: "2022-07-01T17:31:15Z" + nvd_published_at: "2017-04-26T20:59:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-q46v-cj5v-hvg6 + modified: 2023-11-08T03:57:07.826616Z + published: 2022-05-17T00:22:31Z + aliases: + - CVE-2012-4449 + summary: Use of a Broken or Risky Cryptographic Algorithm in Apache Hadoop + details: Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit 
secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack. + affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-client + purl: pkg:maven/org.apache.hadoop/hadoop-client + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 0.23.4 + versions: + - 0.23.1 + - 0.23.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q46v-cj5v-hvg6/GHSA-q46v-cj5v-hvg6.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-client + purl: pkg:maven/org.apache.hadoop/hadoop-client + ranges: + - type: ECOSYSTEM + events: + - introduced: 1.0.0 + - fixed: 1.0.4 + versions: + - 1.0.1 + - 1.0.2 + - 1.0.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q46v-cj5v-hvg6/GHSA-q46v-cj5v-hvg6.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-client + purl: pkg:maven/org.apache.hadoop/hadoop-client + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.0.2 + versions: + - 2.0.1-alpha + - 2.0.2-alpha + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q46v-cj5v-hvg6/GHSA-q46v-cj5v-hvg6.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2012-4449 + - type: WEB + url: https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#topic_1_0 + - type: WEB + url: http://mail-archives.apache.org/mod_mbox/hadoop-general/201210.mbox/%3CCA+z3+9FYdPmzBEaMZ71SUqzRx=eU=o4mSHUsbrpzgR9X_F1c0Q@mail.gmail.com%3E + database_specific: + cwe_ids: + - CWE-327 + github_reviewed: true + github_reviewed_at: "2022-07-13T15:47:55Z" + nvd_published_at: "2017-10-30T19:29:00Z" + 
severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-qm7f-r83w-3p46 + modified: 2023-11-08T03:59:20.528031Z + published: 2022-05-13T01:08:56Z + aliases: + - CVE-2017-3161 + summary: Improper Neutralization of Input During Web Page Generation in Apache Hadoop + details: The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter. + affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-client + purl: pkg:maven/org.apache.hadoop/hadoop-client + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.7.0 + versions: + - 0.23.1 + - 0.23.10 + - 0.23.11 + - 0.23.3 + - 0.23.4 + - 0.23.5 + - 0.23.6 + - 0.23.7 + - 0.23.8 + - 0.23.9 + - 1.0.1 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.1.0 + - 1.1.1 + - 1.1.2 + - 1.2.0 + - 1.2.1 + - 2.0.0-alpha + - 2.0.1-alpha + - 2.0.2-alpha + - 2.0.3-alpha + - 2.0.4-alpha + - 2.0.5-alpha + - 2.0.6-alpha + - 2.1.0-beta + - 2.1.1-beta + - 2.2.0 + - 2.3.0 + - 2.4.0 + - 2.4.1 + - 2.5.0 + - 2.5.1 + - 2.5.2 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + database_specific: + last_known_affected_version_range: <= 2.6.5 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qm7f-r83w-3p46/GHSA-qm7f-r83w-3p46.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-3161 + - type: WEB + url: https://lists.apache.org/thread.html/r127f75748fcabc63bc5a1bec6885753eb9b2bed803b6ed7bd46f965b@%3Cuser.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r66de86b9a608c1da70b2d27d765c11ec88edf6e5dd6f379ab33e072a@%3Cuser.flink.apache.org%3E + - type: WEB + url: https://s.apache.org/4MQm + - type: WEB + url: http://www.securityfocus.com/bid/98025 + database_specific: + cwe_ids: + - CWE-79 + github_reviewed: true + github_reviewed_at: "2022-07-01T17:31:59Z" + 
nvd_published_at: "2017-04-26T20:59:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-qmh2-h7r6-gm6q + modified: 2023-11-08T03:57:05.91736Z + published: 2022-05-17T02:54:07Z + aliases: + - CVE-2012-3376 + summary: Client BlockTokens not checked in Apache Hadoop + details: DataNodes in Apache Hadoop 2.0.0 alpha does not check the BlockTokens of clients when Kerberos is enabled and the DataNode has checked out the same BlockPool twice from a NodeName, which might allow remote clients to read arbitrary blocks, write to blocks to which they only have read access, and have other unspecified impacts. + affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-client + purl: pkg:maven/org.apache.hadoop/hadoop-client + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0-alpha + - fixed: 2.0.1-alpha + versions: + - 2.0.0-alpha + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qmh2-h7r6-gm6q/GHSA-qmh2-h7r6-gm6q.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2012-3376 + - type: PACKAGE + url: https://github.com/apache/hadoop + - type: WEB + url: https://seclists.org/fulldisclosure/2012/Jul/78 + - type: WEB + url: https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html + - type: WEB + url: http://archives.neohapsis.com/archives/bugtraq/2012-07/0049.html + database_specific: + cwe_ids: [] + github_reviewed: true + github_reviewed_at: "2022-07-13T21:25:16Z" + nvd_published_at: "2012-07-12T19:55:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-7q56-mp4c-gggg + modified: 2023-11-08T03:58:31.207186Z + published: 2022-05-17T03:35:31Z + aliases: + - CVE-2016-5393 + summary: Improper Access Control in Apache Hadoop + details: In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same 
privileges as the HDFS service. + affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.6.0 + - fixed: 2.6.5 + versions: + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + database_specific: + last_known_affected_version_range: <= 2.6.4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7q56-mp4c-gggg/GHSA-7q56-mp4c-gggg.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.7.3 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.2 + database_specific: + last_known_affected_version_range: <= 2.7.2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7q56-mp4c-gggg/GHSA-7q56-mp4c-gggg.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2016-5393 + - type: WEB + url: http://mail-archives.apache.org/mod_mbox/hadoop-general/201611.mbox/%3CCAA0W1bTbUmUUSF1rjRpX-2DvWutcrPt7TJSWUcSLg1F0gyHG1Q%40mail.gmail.com%3E + - type: WEB + url: http://www.securityfocus.com/bid/94574 + database_specific: + cwe_ids: + - CWE-284 + github_reviewed: true + github_reviewed_at: "2022-07-06T19:44:12Z" + nvd_published_at: "2016-11-29T06:59:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-8r28-r8cp-g6cp + modified: 2023-11-08T03:58:30.347713Z + published: 2022-05-13T01:08:56Z + aliases: + - CVE-2016-5001 + summary: Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop + details: This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. 
A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token. + affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.6.4 + versions: + - 0.22.0 + - 0.23.1 + - 0.23.10 + - 0.23.11 + - 0.23.3 + - 0.23.4 + - 0.23.5 + - 0.23.6 + - 0.23.7 + - 0.23.8 + - 0.23.9 + - 2.0.0-alpha + - 2.0.1-alpha + - 2.0.2-alpha + - 2.0.3-alpha + - 2.0.4-alpha + - 2.0.5-alpha + - 2.0.6-alpha + - 2.1.0-beta + - 2.1.1-beta + - 2.2.0 + - 2.3.0 + - 2.4.0 + - 2.4.1 + - 2.5.0 + - 2.5.1 + - 2.5.2 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + database_specific: + last_known_affected_version_range: <= 2.6.3 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8r28-r8cp-g6cp/GHSA-8r28-r8cp-g6cp.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.7.2 + versions: + - 2.7.0 + - 2.7.1 + database_specific: + last_known_affected_version_range: <= 2.7.1 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8r28-r8cp-g6cp/GHSA-8r28-r8cp-g6cp.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2016-5001 + - type: WEB + url: https://lists.apache.org/thread.html/r66de86b9a608c1da70b2d27d765c11ec88edf6e5dd6f379ab33e072a@%3Cuser.flink.apache.org%3E + - type: WEB + url: http://seclists.org/oss-sec/2016/q4/698 + database_specific: + cwe_ids: + - CWE-200 + github_reviewed: true + github_reviewed_at: "2022-07-06T19:43:24Z" + nvd_published_at: "2017-08-30T19:29:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: 
GHSA-8wm5-8h9c-47pc + modified: 2024-02-21T05:29:29.300541Z + published: 2022-08-05T00:00:24Z + aliases: + - CVE-2022-25168 + summary: Apache Hadoop argument injection vulnerability + details: Apache Hadoop's `FileUtil.unTar(File, File)` API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136). 
+ affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.10.2 + versions: + - 2.0.1-alpha + - 2.0.2-alpha + - 2.0.3-alpha + - 2.0.4-alpha + - 2.0.5-alpha + - 2.0.6-alpha + - 2.1.0-beta + - 2.1.1-beta + - 2.10.0 + - 2.10.1 + - 2.2.0 + - 2.3.0 + - 2.4.0 + - 2.4.1 + - 2.5.0 + - 2.5.1 + - 2.5.2 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.7.0 + - 2.7.1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.8.0 + - 2.8.1 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.9.0 + - 2.9.1 + - 2.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8wm5-8h9c-47pc/GHSA-8wm5-8h9c-47pc.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.0.0-alpha + - fixed: 3.2.4 + versions: + - 3.0.0 + - 3.0.0-alpha1 + - 3.0.0-alpha2 + - 3.0.0-alpha3 + - 3.0.0-alpha4 + - 3.0.0-beta1 + - 3.0.1 + - 3.0.2 + - 3.0.3 + - 3.1.0 + - 3.1.1 + - 3.1.2 + - 3.1.3 + - 3.1.4 + - 3.2.0 + - 3.2.1 + - 3.2.2 + - 3.2.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8wm5-8h9c-47pc/GHSA-8wm5-8h9c-47pc.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.3.0 + - fixed: 3.3.3 + versions: + - 3.3.0 + - 3.3.1 + - 3.3.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8wm5-8h9c-47pc/GHSA-8wm5-8h9c-47pc.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: 
https://nvd.nist.gov/vuln/detail/CVE-2022-25168 + - type: WEB + url: https://github.com/apache/hadoop/commit/cae749b076f35f0be13a926ee8cfbb7ce4402746 + - type: PACKAGE + url: https://github.com/apache/hadoop + - type: WEB + url: https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220915-0007 + database_specific: + cwe_ids: + - CWE-78 + - CWE-88 + github_reviewed: true + github_reviewed_at: "2022-08-11T21:14:19Z" + nvd_published_at: "2022-08-04T15:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-9r7g-325h-mxrm + modified: 2023-11-08T03:57:32.986597Z + published: 2022-05-17T02:53:20Z + aliases: + - CVE-2014-0229 + summary: Improper Authentication in Apache Hadoop + details: Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (DataNodes shutdown) or perform unnecessary operations by issuing a command. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 0.23.0 + - fixed: 0.23.11 + versions: + - 0.23.1 + - 0.23.10 + - 0.23.3 + - 0.23.4 + - 0.23.5 + - 0.23.6 + - 0.23.7 + - 0.23.8 + - 0.23.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9r7g-325h-mxrm/GHSA-9r7g-325h-mxrm.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.4.1 + versions: + - 2.0.1-alpha + - 2.0.2-alpha + - 2.0.3-alpha + - 2.0.4-alpha + - 2.0.5-alpha + - 2.0.6-alpha + - 2.1.0-beta + - 2.1.1-beta + - 2.2.0 + - 2.3.0 + - 2.4.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9r7g-325h-mxrm/GHSA-9r7g-325h-mxrm.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2014-0229 + - type: WEB + url: https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#concept_i1q_xvk_2r + database_specific: + cwe_ids: + - CWE-287 + github_reviewed: true + github_reviewed_at: "2022-07-07T22:54:01Z" + nvd_published_at: "2017-03-23T20:59:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-f8vc-wfc8-hxqh + modified: 2024-03-08T05:20:12.847694Z + published: 2022-02-09T22:17:38Z + aliases: + - BIT-solr-2020-9492 + - CVE-2020-9492 + summary: Improper Privilege Management in Apache Hadoop + details: In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.2.0 + - fixed: 3.2.2 + versions: + - 3.2.0 + - 3.2.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-f8vc-wfc8-hxqh/GHSA-f8vc-wfc8-hxqh.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.0.0 + - fixed: 3.1.4 + versions: + - 3.0.0 + - 3.0.1 + - 3.0.2 + - 3.0.3 + - 3.1.0 + - 3.1.1 + - 3.1.2 + - 3.1.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-f8vc-wfc8-hxqh/GHSA-f8vc-wfc8-hxqh.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.10.1 + versions: + - 2.0.1-alpha + - 2.0.2-alpha + - 2.0.3-alpha + - 2.0.4-alpha + - 2.0.5-alpha + - 2.0.6-alpha + - 2.1.0-beta + - 2.1.1-beta + - 2.10.0 + - 2.2.0 + - 2.3.0 + - 2.4.0 + - 2.4.1 + - 2.5.0 + - 2.5.1 + - 2.5.2 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.7.0 + - 2.7.1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.8.0 + - 2.8.1 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.9.0 + - 2.9.1 + - 2.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-f8vc-wfc8-hxqh/GHSA-f8vc-wfc8-hxqh.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-9492 + - type: WEB + url: https://github.com/apache/hadoop/commit/ca65409836d2949e9a9408d40bec0177b414cd5d + - type: WEB + url: 
https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210304-0001 + - type: WEB + url: https://lists.apache.org/thread.html/re4129c6b9e0410848bbd3761187ce9c19bc1cd491037b253007df99e@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc0057ebf32b646ab47f7f5744a8948332e015c39044cbb9d87ea76cd@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb12afaa421d483863c4175e42e5dbd0673917a3cff73f3fca4f8275f@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r941e9be04efe0f455d20aeac88516c0848decd7e7b1d93d5687060f4@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9328eb49305e4cacc80e182bfd8a2efd8e640d940e24f5bfd7d5cb26@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r79323adac584edab99fd5e4b52a013844b784a5d4b600da0662b33d6@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r79201a209df9a4e7f761e537434131b4e39eabec4369a7d668904df4@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6c2fa7949738e9d39606f1d7cd890c93a2633e3357c9aeaf886ea9a6@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6341f2a468ced8872a71997aa1786ce036242413484f0fa68dc9ca02@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4a57de5215494c35c8304cf114be75d42df7abc6c0c54bf163c3e370@%3Cissues.solr.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r49c9ab444ab1107c6a8be8a0d66602dec32a16d96c2631fec8d309fb@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0a534f1cde7555f7208e9f9b791c1ab396d215eaaef283b3a9153429@%3Ccommits.druid.apache.org%3E + - type: PACKAGE + url: https://github.com/apache/hadoop + database_specific: + cwe_ids: + - CWE-269 + - CWE-863 + github_reviewed: true + github_reviewed_at: "2021-04-06T18:29:12Z" + nvd_published_at: "2021-01-26T18:16:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-g48f-ff5h-5f64 + modified: 2023-11-08T03:57:50.385135Z + published: 2022-05-17T03:44:57Z + aliases: + - CVE-2015-1776 + summary: Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop + details: Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduce job and stores it along with the encryption key in a credentials file on disk when the Intermediate data encryption feature is enabled, which allows local users to obtain sensitive information by reading the file. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.6.0 + - fixed: 2.6.5 + versions: + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + database_specific: + last_known_affected_version_range: <= 2.6.4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-g48f-ff5h-5f64/GHSA-g48f-ff5h-5f64.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2015-1776 + - type: WEB + url: http://mail-archives.apache.org/mod_mbox/hadoop-general/201602.mbox/%3CCAGCyb56CPgQMcxZ7jP87SfM5OKGx+E49DtrzCTQ6+nQf2a4nSA@mail.gmail.com%3E + database_specific: + cwe_ids: + - CWE-200 + github_reviewed: true + github_reviewed_at: "2022-07-06T20:26:12Z" + nvd_published_at: "2016-04-19T21:59:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-gx2c-fvhc-ph4j + modified: 2024-02-20T05:34:19.79641Z + published: 2022-04-08T00:00:21Z + aliases: + - CVE-2022-26612 + summary: Path traversal in Hadoop + details: In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows. 
This was addressed in Apache Hadoop 3.2.3 + affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.2.3 + versions: + - 0.22.0 + - 0.23.1 + - 0.23.10 + - 0.23.11 + - 0.23.3 + - 0.23.4 + - 0.23.5 + - 0.23.6 + - 0.23.7 + - 0.23.8 + - 0.23.9 + - 2.0.0-alpha + - 2.0.1-alpha + - 2.0.2-alpha + - 2.0.3-alpha + - 2.0.4-alpha + - 2.0.5-alpha + - 2.0.6-alpha + - 2.1.0-beta + - 2.1.1-beta + - 2.10.0 + - 2.10.1 + - 2.10.2 + - 2.2.0 + - 2.3.0 + - 2.4.0 + - 2.4.1 + - 2.5.0 + - 2.5.1 + - 2.5.2 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.7.0 + - 2.7.1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.8.0 + - 2.8.1 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.9.0 + - 2.9.1 + - 2.9.2 + - 3.0.0 + - 3.0.0-alpha1 + - 3.0.0-alpha2 + - 3.0.0-alpha3 + - 3.0.0-alpha4 + - 3.0.0-beta1 + - 3.0.1 + - 3.0.2 + - 3.0.3 + - 3.1.0 + - 3.1.1 + - 3.1.2 + - 3.1.3 + - 3.1.4 + - 3.2.0 + - 3.2.1 + - 3.2.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-gx2c-fvhc-ph4j/GHSA-gx2c-fvhc-ph4j.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-26612 + - type: PACKAGE + url: https://github.com/apache/hadoop + - type: WEB + url: https://lists.apache.org/thread/hslo7wzw2449gv1jyjk8g6ttd7935fyz + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220519-0004 + database_specific: + cwe_ids: + - CWE-22 + github_reviewed: true + github_reviewed_at: "2022-04-08T22:06:47Z" + nvd_published_at: "2022-04-07T19:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-h24p-qwf4-84q8 + modified: 2023-11-08T03:59:26.035253Z + published: 2022-05-17T02:41:57Z + aliases: + - CVE-2017-7669 + summary: Apache Hadoop's 
LinuxContainerExecutor runs docker commands as root with insufficient input validation + details: In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root. This issue is fixed in versions 2.8.1 and 3.0.0-alpha3. + affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.8.1 + versions: + - 0.22.0 + - 0.23.1 + - 0.23.10 + - 0.23.11 + - 0.23.3 + - 0.23.4 + - 0.23.5 + - 0.23.6 + - 0.23.7 + - 0.23.8 + - 0.23.9 + - 2.0.0-alpha + - 2.0.1-alpha + - 2.0.2-alpha + - 2.0.3-alpha + - 2.0.4-alpha + - 2.0.5-alpha + - 2.0.6-alpha + - 2.1.0-beta + - 2.1.1-beta + - 2.2.0 + - 2.3.0 + - 2.4.0 + - 2.4.1 + - 2.5.0 + - 2.5.1 + - 2.5.2 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.7.0 + - 2.7.1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.8.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h24p-qwf4-84q8/GHSA-h24p-qwf4-84q8.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.0.0-alpha1 + - fixed: 3.0.0-alpha3 + versions: + - 3.0.0-alpha1 + - 3.0.0-alpha2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h24p-qwf4-84q8/GHSA-h24p-qwf4-84q8.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-7669 + - type: WEB + url: https://mail-archives.apache.org/mod_mbox/hadoop-user/201706.mbox/%3C4A2FDA56-491B-4C2A-915F-C9D4A4BDB92A%40apache.org%3E + 
- type: WEB + url: http://www.securityfocus.com/bid/98795 + database_specific: + cwe_ids: + - CWE-20 + github_reviewed: true + github_reviewed_at: "2022-11-22T18:47:34Z" + nvd_published_at: "2017-06-05T01:29:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-mf7c-35mq-75pj + modified: 2023-11-08T03:58:33.830753Z + published: 2022-05-14T03:24:59Z + aliases: + - CVE-2016-6811 + summary: Insecure Inherited Permissions in Apache Hadoop + details: In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user. + affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0-alpha + - fixed: 2.7.4 + versions: + - 2.0.0-alpha + - 2.0.1-alpha + - 2.0.2-alpha + - 2.0.3-alpha + - 2.0.4-alpha + - 2.0.5-alpha + - 2.0.6-alpha + - 2.1.0-beta + - 2.1.1-beta + - 2.2.0 + - 2.3.0 + - 2.4.0 + - 2.4.1 + - 2.5.0 + - 2.5.1 + - 2.5.2 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.7.0 + - 2.7.1 + - 2.7.2 + - 2.7.3 + database_specific: + last_known_affected_version_range: <= 2.7.3 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mf7c-35mq-75pj/GHSA-mf7c-35mq-75pj.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2016-6811 + - type: WEB + url: https://lists.apache.org/thread.html/9ba3c12bbdfd5b2cae60909e48f92608e00c8d99196390b8cfeca307@%3Cgeneral.hadoop.apache.org%3E + database_specific: + cwe_ids: + - CWE-277 + github_reviewed: true + github_reviewed_at: "2022-07-06T19:45:49Z" + nvd_published_at: "2017-04-11T14:59:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-pxv5-5vmp-3jj4 + modified: 2023-11-08T03:57:18.469327Z + published: 2022-05-17T02:54:07Z + aliases: + - CVE-2013-2192 + summary: Improper 
Authentication in Apache Hadoop + details: The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication. + affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.0.6-alpha + versions: + - 2.0.1-alpha + - 2.0.2-alpha + - 2.0.3-alpha + - 2.0.4-alpha + - 2.0.5-alpha + database_specific: + last_known_affected_version_range: <= 2.0.5-alpha + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pxv5-5vmp-3jj4/GHSA-pxv5-5vmp-3jj4.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 0.23.0 + - fixed: 0.23.9 + versions: + - 0.23.1 + - 0.23.3 + - 0.23.4 + - 0.23.5 + - 0.23.6 + - 0.23.7 + - 0.23.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pxv5-5vmp-3jj4/GHSA-pxv5-5vmp-3jj4.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2013-2192 + - type: WEB + url: https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-0037.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-0400.html + - type: WEB + url: http://seclists.org/fulldisclosure/2013/Aug/251 + database_specific: + cwe_ids: + - CWE-287 + github_reviewed: true + github_reviewed_at: "2022-07-08T19:10:34Z" + nvd_published_at: "2014-01-24T18:55:00Z" + severity: LOW + - schema_version: 1.6.0 + id: GHSA-rmpj-7c96-mrg8 + modified: 
2024-02-22T05:34:28.037449Z + published: 2022-06-14T00:00:37Z + aliases: + - CVE-2021-37404 + summary: Apache Hadoop heap overflow before v2.10.2, v3.2.3, v3.3.2 + details: There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher. + affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.3.0 + - fixed: 3.3.2 + versions: + - 3.3.0 + - 3.3.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-rmpj-7c96-mrg8/GHSA-rmpj-7c96-mrg8.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.0.0 + - fixed: 3.2.3 + versions: + - 3.0.0 + - 3.0.1 + - 3.0.2 + - 3.0.3 + - 3.1.0 + - 3.1.1 + - 3.1.2 + - 3.1.3 + - 3.1.4 + - 3.2.0 + - 3.2.1 + - 3.2.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-rmpj-7c96-mrg8/GHSA-rmpj-7c96-mrg8.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-common + purl: pkg:maven/org.apache.hadoop/hadoop-common + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.10.2 + versions: + - 0.22.0 + - 0.23.1 + - 0.23.10 + - 0.23.11 + - 0.23.3 + - 0.23.4 + - 0.23.5 + - 0.23.6 + - 0.23.7 + - 0.23.8 + - 0.23.9 + - 2.0.0-alpha + - 2.0.1-alpha + - 2.0.2-alpha + - 2.0.3-alpha + - 2.0.4-alpha + - 2.0.5-alpha + - 2.0.6-alpha + - 2.1.0-beta + - 2.1.1-beta + - 2.10.0 + - 2.10.1 + - 2.2.0 + - 2.3.0 + - 2.4.0 + - 2.4.1 + - 2.5.0 + - 2.5.1 + - 2.5.2 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.7.0 + - 2.7.1 
+ - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.8.0 + - 2.8.1 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.9.0 + - 2.9.1 + - 2.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-rmpj-7c96-mrg8/GHSA-rmpj-7c96-mrg8.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-37404 + - type: PACKAGE + url: https://github.com/apache/hadoop + - type: WEB + url: https://lists.apache.org/thread/2h56ztcj3ojc66qzf1nno88vjw9vd4wo + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220715-0007 + database_specific: + cwe_ids: + - CWE-120 + - CWE-131 + - CWE-787 + github_reviewed: true + github_reviewed_at: "2022-06-17T01:09:36Z" + nvd_published_at: "2022-06-13T07:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-37pw-qw47-4jxm + modified: 2024-02-16T08:05:28.334834Z + published: 2019-05-31T16:09:15Z + aliases: + - CVE-2018-8029 + summary: Privilege escalation vulnerability in Apache Hadoop + details: In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.2.0 + - fixed: 2.8.4 + versions: + - 2.2.0 + - 2.3.0 + - 2.4.0 + - 2.4.1 + - 2.5.0 + - 2.5.1 + - 2.5.2 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.7.0 + - 2.7.1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.8.0 + - 2.8.1 + - 2.8.2 + - 2.8.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-37pw-qw47-4jxm/GHSA-37pw-qw47-4jxm.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.2 + versions: + - 2.9.0 + - 2.9.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-37pw-qw47-4jxm/GHSA-37pw-qw47-4jxm.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.0.0 + - fixed: 3.1.1 + versions: + - 3.0.0 + - 3.0.1 + - 3.0.2 + - 3.0.3 + - 3.1.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-37pw-qw47-4jxm/GHSA-37pw-qw47-4jxm.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-8029 + - type: WEB + url: https://lists.apache.org/thread.html/0b8d58e02dbd0fb8bf7320c514fe58da1d6728bdc150f1ba04e0d9fc@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/a0164b87660223a2d491f83c88f905fe1a9fa8dc795148d9b0d968c8@%3Cdev.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/a97c53a81e639ca2fc7b8f61a4fcd1842c2a78544041244a7c624727@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190617-0001 + - type: WEB + url: http://www.securityfocus.com/bid/108518 + database_specific: + cwe_ids: + - CWE-285 + github_reviewed: true + github_reviewed_at: "2019-05-31T16:08:38Z" + nvd_published_at: null + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-3v44-382q-55f4 + modified: 2023-11-08T03:58:58.547397Z + published: 2018-12-21T17:50:13Z + aliases: + - CVE-2017-15713 + summary: Moderate severity vulnerability that affects org.apache.hadoop:hadoop-main + details: Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.7.5 + versions: + - 0.23.1 + - 0.23.10 + - 0.23.11 + - 0.23.3 + - 0.23.4 + - 0.23.5 + - 0.23.6 + - 0.23.7 + - 0.23.8 + - 0.23.9 + - 2.0.0-alpha + - 2.0.1-alpha + - 2.0.2-alpha + - 2.0.3-alpha + - 2.0.4-alpha + - 2.0.5-alpha + - 2.0.6-alpha + - 2.1.0-beta + - 2.1.1-beta + - 2.2.0 + - 2.3.0 + - 2.4.0 + - 2.4.1 + - 2.5.0 + - 2.5.1 + - 2.5.2 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.7.0 + - 2.7.1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-3v44-382q-55f4/GHSA-3v44-382q-55f4.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.3 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-3v44-382q-55f4/GHSA-3v44-382q-55f4.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-15713 + - type: ADVISORY + url: https://github.com/advisories/GHSA-3v44-382q-55f4 + - type: WEB + url: https://lists.apache.org/thread.html/a790a251ace7213bde9f69777dedb453b1a01a6d18289c14a61d4f91@%3Cgeneral.hadoop.apache.org%3E + database_specific: + cwe_ids: + - CWE-200 + github_reviewed: true + github_reviewed_at: "2020-06-16T20:56:25Z" + nvd_published_at: null + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-4fh8-pm7g-pmxq + modified: 2024-02-17T05:29:43.227712Z + published: 2022-02-10T20:28:06Z + aliases: + - CVE-2018-11764 + summary: Authentication bypass in Apache Hadoop + details: Web 
endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. Authenticated users may impersonate any user even if no proxy user is configured. + affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.0.0-alpha4 + - fixed: 3.0.1 + versions: + - 3.0.0-alpha4 + - 3.0.0 + - 3.0.0-beta1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-4fh8-pm7g-pmxq/GHSA-4fh8-pm7g-pmxq.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.0.0-beta1 + - fixed: 3.0.1 + versions: + - 3.0.0-beta1 + - 3.0.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-4fh8-pm7g-pmxq/GHSA-4fh8-pm7g-pmxq.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.0.0 + - fixed: 3.0.1 + versions: + - 3.0.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-4fh8-pm7g-pmxq/GHSA-4fh8-pm7g-pmxq.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-11764 + - type: WEB + url: https://lists.apache.org/thread.html/r790ad0a049cde713b93589ecfd4dd2766fda0fc6807eedb6cf69f5c1%40%3Cgeneral.hadoop.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20201103-0003 + database_specific: + cwe_ids: + - CWE-306 + github_reviewed: true + github_reviewed_at: "2021-04-22T21:44:53Z" + nvd_published_at: "2020-10-21T19:15:00Z" + severity: HIGH + - schema_version: 
1.6.0 + id: GHSA-5cf4-jqwp-584g + modified: 2024-02-19T05:28:21.165145Z + published: 2019-03-25T16:17:32Z + aliases: + - CVE-2018-11767 + summary: Improper Privilege Management in org.apache.hadoop:hadoop-main + details: In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms. + affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.5 + - fixed: 2.7.7 + versions: + - 2.7.5 + - 2.7.6 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-5cf4-jqwp-584g/GHSA-5cf4-jqwp-584g.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.3 + - fixed: 2.8.5 + versions: + - 2.8.3 + - 2.8.4 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-5cf4-jqwp-584g/GHSA-5cf4-jqwp-584g.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.2 + versions: + - 2.9.0 + - 2.9.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-5cf4-jqwp-584g/GHSA-5cf4-jqwp-584g.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-11767 + - type: ADVISORY + url: https://github.com/advisories/GHSA-5cf4-jqwp-584g + - type: WEB + url: https://lists.apache.org/thread.html/246cf223e7dc0c1dff90b78dccb6c3fe94e1a044dbf98e2333393302@%3Ccommon-issues.hadoop.apache.org%3E 
+ - type: WEB + url: https://lists.apache.org/thread.html/5a44590b4eedc5e25f5bd3081d1631b52c174b5b99157f7950ddc270@%3Ccommon-dev.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5fb771f66946dd5c99a8a5713347c24873846f555d716f9ac17bccca@%3Cgeneral.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190416-0009 + database_specific: + cwe_ids: + - CWE-269 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:00:30Z" + nvd_published_at: null + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-6x48-j4x4-cqw3 + modified: 2024-03-04T23:01:37.312585Z + published: 2018-12-21T17:50:29Z + aliases: + - CVE-2018-8009 + summary: Path Traversal in Hadoop + details: Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.1.0 + - fixed: 3.1.1 + versions: + - 3.1.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-6x48-j4x4-cqw3/GHSA-6x48-j4x4-cqw3.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.0.0 + - fixed: 3.0.3 + versions: + - 3.0.0 + - 3.0.1 + - 3.0.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-6x48-j4x4-cqw3/GHSA-6x48-j4x4-cqw3.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.2 + versions: + - 2.9.0 + - 2.9.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-6x48-j4x4-cqw3/GHSA-6x48-j4x4-cqw3.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.5 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.2 + - 2.8.3 + - 2.8.4 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-6x48-j4x4-cqw3/GHSA-6x48-j4x4-cqw3.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.7.7 + versions: + - 0.23.1 + - 0.23.10 + - 0.23.11 + - 0.23.3 + - 0.23.4 + - 0.23.5 + - 0.23.6 + - 0.23.7 + - 0.23.8 + - 0.23.9 + - 2.0.0-alpha + - 2.0.1-alpha + - 2.0.2-alpha + - 
2.0.3-alpha + - 2.0.4-alpha + - 2.0.5-alpha + - 2.0.6-alpha + - 2.1.0-beta + - 2.1.1-beta + - 2.2.0 + - 2.3.0 + - 2.4.0 + - 2.4.1 + - 2.5.0 + - 2.5.1 + - 2.5.2 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.7.0 + - 2.7.1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-6x48-j4x4-cqw3/GHSA-6x48-j4x4-cqw3.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-8009 + - type: WEB + url: https://github.com/apache/hadoop/commit/12258c7cff8d32710fbd8b9088a930e3ce27432 + - type: WEB + url: https://github.com/apache/hadoop/commit/45a1c680c276c4501402f7bc4cebcf85a6fbc7f + - type: WEB + url: https://github.com/apache/hadoop/commit/65e55097da2bb3f2fbdf9ba1946da25fe58bec9 + - type: WEB + url: https://github.com/apache/hadoop/commit/6a4ae6f6eeed1392a4828a5721fa1499f65bdde + - type: WEB + url: https://github.com/apache/hadoop/commit/fc4c20fc3469674cb584a4fb98bac7e3c2277c9 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3892 + - type: ADVISORY + url: https://github.com/advisories/GHSA-6x48-j4x4-cqw3 + - type: PACKAGE + url: https://github.com/apache/hadoop + - type: WEB + url: https://hadoop.apache.org/cve_list.html#cve-2018-8009-http-cve-mitre-org-cgi-bin-cvename-cgi-name-cve-2018-8009-zip-slip-impact-on-apache-hadoop + - type: WEB + url: https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/a1c227745ce30acbcf388c5b0cc8423e8bf495d619cd0fa973f7f38d@%3Cuser.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510@%3Ccommits.druid.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://snyk.io/research/zip-slip-vulnerability + - type: WEB + url: http://www.securityfocus.com/bid/105927 + database_specific: + cwe_ids: + - CWE-22 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:20:31Z" + nvd_published_at: null + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-99qr-9cc9-fv2x + modified: 2023-11-08T03:59:20.833209Z + published: 2018-12-21T17:50:03Z + aliases: + - CVE-2017-3166 + summary: Moderate severity vulnerability that affects org.apache.hadoop:hadoop-main + details: In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.7.3 + versions: + - 0.23.1 + - 0.23.10 + - 0.23.11 + - 0.23.3 + - 0.23.4 + - 0.23.5 + - 0.23.6 + - 0.23.7 + - 0.23.8 + - 0.23.9 + - 2.0.0-alpha + - 2.0.1-alpha + - 2.0.2-alpha + - 2.0.3-alpha + - 2.0.4-alpha + - 2.0.5-alpha + - 2.0.6-alpha + - 2.1.0-beta + - 2.1.1-beta + - 2.2.0 + - 2.3.0 + - 2.4.0 + - 2.4.1 + - 2.5.0 + - 2.5.1 + - 2.5.2 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.7.0 + - 2.7.1 + - 2.7.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-99qr-9cc9-fv2x/GHSA-99qr-9cc9-fv2x.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-3166 + - type: ADVISORY + url: https://github.com/advisories/GHSA-99qr-9cc9-fv2x + - type: WEB + url: https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f@%3Cgeneral.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E + database_specific: + cwe_ids: + - CWE-732 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:28:07Z" + nvd_published_at: null + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-c6f9-4pmv-m7m6 + modified: 2024-02-16T08:21:18.139729Z + published: 2022-05-17T02:54:07Z + aliases: + - CVE-2012-1574 + summary: Apache Hadoop allows impersonation of arbitrary cluster user accounts + details: The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.203.0 through 0.20.205.0, 0.23.x before 0.23.2, and 1.0.x before 1.0.2, as used in Cloudera CDH CDH3u0 through CDH3u2, Cloudera hadoop-0.20-sbin before 0.20.2+923.197, and other products, 
allows remote authenticated users to impersonate arbitrary cluster user accounts via unspecified vectors. + affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: "0.23" + - fixed: 0.23.2 + versions: + - 0.23.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-c6f9-4pmv-m7m6/GHSA-c6f9-4pmv-m7m6.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.0" + - fixed: 1.0.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-c6f9-4pmv-m7m6/GHSA-c6f9-4pmv-m7m6.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2012-1574 + - type: PACKAGE + url: https://github.com/apache/hadoop + - type: WEB + url: https://seclists.org/fulldisclosure/2012/Apr/70 + - type: WEB + url: https://web.archive.org/web/20120720041621/https://ccp.cloudera.com/display/DOC/Cloudera+Security+Bulletin#ClouderaSecurityBulletin-MapReducewithSecurity + - type: WEB + url: https://web.archive.org/web/20151001135054/http://archives.neohapsis.com/archives/bugtraq/2012-04/0051.html + - type: WEB + url: https://web.archive.org/web/20161215212154/https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#topic_1_0_2 + - type: WEB + url: https://web.archive.org/web/20200229125105/http://www.securityfocus.com/bid/52939 + database_specific: + cwe_ids: + - CWE-287 + github_reviewed: true + github_reviewed_at: "2023-08-29T21:08:04Z" + nvd_published_at: "2012-04-12T10:45:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-hx83-rpqf-m267 + modified: 2023-11-08T03:59:47.193372Z + published: 2019-11-20T01:38:00Z + aliases: + - CVE-2018-11768 + summary: 
user/group information can be corrupted across storing in fsimage and reading back from fsimage + details: In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage. + affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.2.0 + - fixed: 2.8.5 + versions: + - 2.2.0 + - 2.3.0 + - 2.4.0 + - 2.4.1 + - 2.5.0 + - 2.5.1 + - 2.5.2 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.7.0 + - 2.7.1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.8.0 + - 2.8.1 + - 2.8.2 + - 2.8.3 + - 2.8.4 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-hx83-rpqf-m267/GHSA-hx83-rpqf-m267.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.2 + versions: + - 2.9.0 + - 2.9.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-hx83-rpqf-m267/GHSA-hx83-rpqf-m267.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.0.0 + - fixed: 3.1.1 + versions: + - 3.0.0 + - 3.0.1 + - 3.0.2 + - 3.0.3 + - 3.1.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-hx83-rpqf-m267/GHSA-hx83-rpqf-m267.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-11768 + - type: WEB + url: 
https://hadoop.apache.org/cve_list.html + - type: WEB + url: https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/2c9cc65864be0058a5d5ed2025dfb9c700bf23d352b0c826c36ff96a@%3Chdfs-dev.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/72ca514e01cd5f08151e74f9929799b4cbe1b6e9e6cd24faa72ffcc6@%3Cdev.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/9b609d4392d886711e694cf40d86f770022baf42a1b1aa97e8244c87@%3Cdev.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/caacbbba2dcc1105163f76f3dfee5fbd22e0417e0783212787086378@%3Cgeneral.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ceb16af9139ab0fea24aef935b6321581976887df7ad632e9a515dda@%3Cdev.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ea6d2dfbefab8ebe46be18b05136b83ae53b7866f1bc60c680a2b600@%3Chdfs-dev.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f20bb4e055d8394fc525cc7772fb84096f706389043e76220c8a29a4@%3Chdfs-dev.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cdev.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cuser.flink.apache.org%3E + database_specific: + cwe_ids: + - CWE-119 + github_reviewed: true + github_reviewed_at: "2019-11-19T03:28:12Z" + nvd_published_at: null + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-mq8p-h798-xcrp + modified: 2023-11-08T03:58:58.669059Z + published: 2018-12-21T17:50:20Z + aliases: + - CVE-2017-15718 + summary: Exposure of Sensitive Information in Hadoop + details: The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the password for credential store provider used by the 
NodeManager to YARN Applications. + affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.3 + - fixed: 2.7.5 + versions: + - 2.7.3 + - 2.7.4 + database_specific: + last_known_affected_version_range: <= 2.7.4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-mq8p-h798-xcrp/GHSA-mq8p-h798-xcrp.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-15718 + - type: ADVISORY + url: https://github.com/advisories/GHSA-mq8p-h798-xcrp + - type: WEB + url: https://lists.apache.org/thread.html/773c93c2d8a6a52bbe97610c2b1c2ad205b970e1b8c04fb5b2fccad6@%3Cgeneral.hadoop.apache.org%3E + database_specific: + cwe_ids: + - CWE-200 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:47:00Z" + nvd_published_at: null + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-rhh9-cm65-3w54 + modified: 2024-02-17T05:34:33.603105Z + published: 2021-04-30T17:29:30Z + aliases: + - CVE-2018-11765 + summary: Improper Authentication in Apache Hadoop + details: In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.0.0-alpha2 + - fixed: 3.0.1 + versions: + - 3.0.0 + - 3.0.0-alpha2 + - 3.0.0-alpha3 + - 3.0.0-alpha4 + - 3.0.0-beta1 + database_specific: + last_known_affected_version_range: <= 3.0.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-rhh9-cm65-3w54/GHSA-rhh9-cm65-3w54.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.3 + versions: + - 2.9.0 + - 2.9.1 + - 2.9.2 + database_specific: + last_known_affected_version_range: <= 2.9.2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-rhh9-cm65-3w54/GHSA-rhh9-cm65-3w54.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.6 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + database_specific: + last_known_affected_version_range: <= 2.8.5 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-rhh9-cm65-3w54/GHSA-rhh9-cm65-3w54.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-11765 + - type: WEB + url: https://lists.apache.org/thread.html/r17d94d132b207dad221595fd8b8b18628f5f5ec7e3f5be939ecd8928@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2c7f899911a04164ed1707083fcd4135f8427e04778c87d83509b0da%40%3Cgeneral.hadoop.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r46447f38ea8c89421614e9efd7de5e656186d35e10fc97cf88477a01@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r74825601e93582167eb7cdc2f764c74c9c6d8006fa90018562fda60f@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r79b15c5b66c6df175d01d7560adf0cd5c369129b9a161905e0339927@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb241464d83baa3749b08cd3dabc8dba70a9a9027edcef3b5d4c24ef4@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbe25cac0f499374f8ae17a4a44a8404927b56de28d4c41940d82b7a4@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/reea5eb8622afbfbfca46bc758f79db83d90a3263a906c4d1acba4971@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf9dfa8b77585c9227db9637552eebb2ab029255a0db4eb76c2b6c4cf@%3Cdev.druid.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20201016-0005 + database_specific: + cwe_ids: + - CWE-287 + github_reviewed: true + github_reviewed_at: "2021-04-27T21:56:41Z" + nvd_published_at: "2020-09-30T18:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-rqj9-cq6j-958r + modified: 2023-11-08T03:59:47.071659Z + published: 2018-12-21T17:50:26Z + aliases: + - CVE-2018-11766 + summary: Arbitrary Command Execution in Hadoop + details: In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.4 + - fixed: 2.7.7 + versions: + - 2.7.4 + - 2.7.5 + - 2.7.6 + database_specific: + last_known_affected_version_range: <= 2.7.6 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-rqj9-cq6j-958r/GHSA-rqj9-cq6j-958r.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-11766 + - type: ADVISORY + url: https://github.com/advisories/GHSA-rqj9-cq6j-958r + - type: WEB + url: https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E + - type: WEB + url: http://www.securityfocus.com/bid/106035 + database_specific: + cwe_ids: [] + github_reviewed: true + github_reviewed_at: "2020-06-16T21:55:32Z" + nvd_published_at: null + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-v569-g72v-q434 + modified: 2023-11-08T03:59:51.778695Z + published: 2019-02-12T17:26:12Z + aliases: + - CVE-2018-1296 + summary: Exposure of Sensitive Information to an Unauthorized Actor in Hadoop + details: In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.7.6 + versions: + - 0.23.1 + - 0.23.10 + - 0.23.11 + - 0.23.3 + - 0.23.4 + - 0.23.5 + - 0.23.6 + - 0.23.7 + - 0.23.8 + - 0.23.9 + - 2.0.0-alpha + - 2.0.1-alpha + - 2.0.2-alpha + - 2.0.3-alpha + - 2.0.4-alpha + - 2.0.5-alpha + - 2.0.6-alpha + - 2.1.0-beta + - 2.1.1-beta + - 2.2.0 + - 2.3.0 + - 2.4.0 + - 2.4.1 + - 2.5.0 + - 2.5.1 + - 2.5.2 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.7.0 + - 2.7.1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-v569-g72v-q434/GHSA-v569-g72v-q434.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.4 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.2 + - 2.8.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-v569-g72v-q434/GHSA-v569-g72v-q434.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.9.0 + - fixed: 2.9.1 + versions: + - 2.9.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-v569-g72v-q434/GHSA-v569-g72v-q434.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-1296 + - type: ADVISORY + url: https://github.com/advisories/GHSA-v569-g72v-q434 + - type: WEB + url: 
https://lists.apache.org/thread.html/a5b15bc76fbdad2ee40761aacf954a13aeef67e305f86d483f267e8e@%3Cuser.hadoop.apache.org%3E + - type: WEB + url: http://www.securityfocus.com/bid/106764 + database_specific: + cwe_ids: + - CWE-200 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:56:41Z" + nvd_published_at: null + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-v5c9-98f7-2h54 + modified: 2024-02-16T08:24:21.090651Z + published: 2022-04-23T00:40:07Z + aliases: + - CVE-2012-2945 + summary: Hadoop symlink vulnerability + details: Hadoop 1.0.3 contains a symlink vulnerability as a result of storing pid files in the shared `/tmp` directory by default. + affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-main + purl: pkg:maven/org.apache.hadoop/hadoop-main + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.0.4 + versions: + - 0.23.1 + - 0.23.10 + - 0.23.11 + - 0.23.3 + - 0.23.4 + - 0.23.5 + - 0.23.6 + - 0.23.7 + - 0.23.8 + - 0.23.9 + database_specific: + last_known_affected_version_range: <= 1.0.3 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-v5c9-98f7-2h54/GHSA-v5c9-98f7-2h54.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2012-2945 + - type: WEB + url: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535861 + - type: PACKAGE + url: https://github.com/apache/hadoop + - type: WEB + url: https://seclists.org/fulldisclosure/2012/Jul/3 + - type: WEB + url: https://security-tracker.debian.org/tracker/CVE-2012-2945 + database_specific: + cwe_ids: + - CWE-377 + - CWE-59 + github_reviewed: true + github_reviewed_at: "2023-08-29T19:54:42Z" + nvd_published_at: "2019-10-29T19:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-rr2m-gffv-mgrj + modified: 2024-02-22T05:43:15.326359Z + published: 2022-08-26T00:03:33Z + aliases: + - 
CVE-2021-25642 + summary: Deserialization of Untrusted Data in Apache Hadoop YARN + details: ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used. + affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-yarn-server + purl: pkg:maven/org.apache.hadoop/hadoop-yarn-server + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.10.2 + versions: + - 0.23.1 + - 0.23.10 + - 0.23.11 + - 0.23.3 + - 0.23.4 + - 0.23.5 + - 0.23.6 + - 0.23.7 + - 0.23.8 + - 0.23.9 + - 2.0.0-alpha + - 2.0.1-alpha + - 2.0.2-alpha + - 2.0.3-alpha + - 2.0.4-alpha + - 2.0.5-alpha + - 2.0.6-alpha + - 2.1.0-beta + - 2.1.1-beta + - 2.10.0 + - 2.10.1 + - 2.2.0 + - 2.3.0 + - 2.4.0 + - 2.4.1 + - 2.5.0 + - 2.5.1 + - 2.5.2 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.7.0 + - 2.7.1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.8.0 + - 2.8.1 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.9.0 + - 2.9.1 + - 2.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-rr2m-gffv-mgrj/GHSA-rr2m-gffv-mgrj.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-yarn-server + purl: pkg:maven/org.apache.hadoop/hadoop-yarn-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.0.0 + - fixed: 3.2.4 + versions: + - 3.0.0 + - 3.0.1 + - 3.0.2 + - 3.0.3 + - 3.1.0 + - 3.1.1 + - 3.1.2 + - 3.1.3 + - 3.1.4 + - 3.2.0 + - 3.2.1 + - 3.2.2 + - 3.2.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-rr2m-gffv-mgrj/GHSA-rr2m-gffv-mgrj.json + - package: + ecosystem: Maven + 
name: org.apache.hadoop:hadoop-yarn-server + purl: pkg:maven/org.apache.hadoop/hadoop-yarn-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.3.0 + - fixed: 3.3.4 + versions: + - 3.3.0 + - 3.3.1 + - 3.3.2 + - 3.3.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-rr2m-gffv-mgrj/GHSA-rr2m-gffv-mgrj.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-25642 + - type: WEB + url: https://github.com/apache/hadoop/commit/5e2f4339fadc88f20543915fc9b0aaeaf4f9e7bf + - type: PACKAGE + url: https://github.com/apache/hadoop + - type: WEB + url: https://lists.apache.org/thread/g6vf2h4wdgzzdgk91mqozhs58wotq150 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20221201-0003 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2022-08-30T20:55:27Z" + nvd_published_at: "2022-08-25T14:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-58jx-f5rf-qgqf + modified: 2024-02-21T05:31:52.226908Z + published: 2022-06-16T00:00:21Z + aliases: + - CVE-2021-33036 + summary: User account escalation in Apache Hadoop + details: In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-yarn-server-common + purl: pkg:maven/org.apache.hadoop/hadoop-yarn-server-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.2.0 + - fixed: 2.10.2 + versions: + - 2.10.0 + - 2.10.1 + - 2.2.0 + - 2.3.0 + - 2.4.0 + - 2.4.1 + - 2.5.0 + - 2.5.1 + - 2.5.2 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + - 2.7.0 + - 2.7.1 + - 2.7.2 + - 2.7.3 + - 2.7.4 + - 2.7.5 + - 2.7.6 + - 2.7.7 + - 2.8.0 + - 2.8.1 + - 2.8.2 + - 2.8.3 + - 2.8.4 + - 2.8.5 + - 2.9.0 + - 2.9.1 + - 2.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-58jx-f5rf-qgqf/GHSA-58jx-f5rf-qgqf.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-yarn-server-common + purl: pkg:maven/org.apache.hadoop/hadoop-yarn-server-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.0.0 + - fixed: 3.2.3 + versions: + - 3.0.0 + - 3.0.1 + - 3.0.2 + - 3.0.3 + - 3.1.0 + - 3.1.1 + - 3.1.2 + - 3.1.3 + - 3.1.4 + - 3.2.0 + - 3.2.1 + - 3.2.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-58jx-f5rf-qgqf/GHSA-58jx-f5rf-qgqf.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-yarn-server-common + purl: pkg:maven/org.apache.hadoop/hadoop-yarn-server-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.3.0 + - fixed: 3.3.2 + versions: + - 3.3.0 + - 3.3.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-58jx-f5rf-qgqf/GHSA-58jx-f5rf-qgqf.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-33036 + - type: WEB + url: https://github.com/apache/hadoop/commit/227d64ab59e8aa6477769b2542ad0cd7a6d855cb + - type: WEB + url: 
https://github.com/apache/hadoop/commit/45801fba8b00257ab32c02a7d1a05948ba687a49 + - type: WEB + url: https://github.com/apache/hadoop/commit/ba041fe6d34215f075e0a7b2078d7273147e14b7 + - type: PACKAGE + url: https://github.com/apache/hadoop + - type: WEB + url: https://lists.apache.org/thread/ctr84rmo3xd2tzqcx2b277c8z692vhl5 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220722-0003 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2022/06/15/2 + database_specific: + cwe_ids: + - CWE-22 + - CWE-502 + github_reviewed: true + github_reviewed_at: "2022-06-17T21:46:01Z" + nvd_published_at: "2022-06-15T15:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-895m-ww55-59vw + modified: 2023-11-08T03:58:25.259101Z + published: 2022-05-17T01:08:00Z + aliases: + - CVE-2016-3086 + summary: Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop + details: The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for credential store provider used by the NodeManager to YARN Applications. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-yarn-server-nodemanager + purl: pkg:maven/org.apache.hadoop/hadoop-yarn-server-nodemanager + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.6.0 + - fixed: 2.6.5 + versions: + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + database_specific: + last_known_affected_version_range: <= 2.6.4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-895m-ww55-59vw/GHSA-895m-ww55-59vw.json + - package: + ecosystem: Maven + name: org.apache.hadoop:hadoop-yarn-server-nodemanager + purl: pkg:maven/org.apache.hadoop/hadoop-yarn-server-nodemanager + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.7.0 + - fixed: 2.7.3 + versions: + - 2.7.0 + - 2.7.1 + - 2.7.2 + database_specific: + last_known_affected_version_range: <= 2.7.2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-895m-ww55-59vw/GHSA-895m-ww55-59vw.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2016-3086 + - type: WEB + url: http://mail-archives.apache.org/mod_mbox/hadoop-general/201701.mbox/%3C0ed32746-5a53-9051-5877-2b1abd88beb6%40apache.org%3E + - type: WEB + url: http://www.securityfocus.com/bid/95335 + database_specific: + cwe_ids: + - CWE-200 + github_reviewed: true + github_reviewed_at: "2022-07-06T19:57:06Z" + nvd_published_at: "2017-09-05T13:29:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-2x83-r56g-cv47 + modified: 2024-03-05T19:01:43.163298Z + published: 2018-10-17T00:05:15Z + aliases: + - CVE-2012-6153 + summary: Improper certificate validation in org.apache.httpcomponents:httpclient + details: 'http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject''s Common Name (CN) or 
subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.' + affected: + - package: + ecosystem: Maven + name: org.apache.httpcomponents:httpclient + purl: pkg:maven/org.apache.httpcomponents/httpclient + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 4.2.3 + versions: + - "4.0" + - 4.0-alpha1 + - 4.0-alpha2 + - 4.0-alpha3 + - 4.0-alpha4 + - 4.0-beta1 + - 4.0-beta2 + - 4.0.1 + - 4.0.2 + - 4.0.3 + - "4.1" + - 4.1-alpha1 + - 4.1-alpha2 + - 4.1-beta1 + - 4.1.1 + - 4.1.2 + - 4.1.3 + - "4.2" + - 4.2-alpha1 + - 4.2-beta1 + - 4.2.1 + - 4.2.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-2x83-r56g-cv47/GHSA-2x83-r56g-cv47.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2012-6153 + - type: WEB + url: https://github.com/apache/httpcomponents-client/commit/6e14fc146a66e0f3eb362f45f95d1a58ee18886a + - type: WEB + url: https://github.com/apache/httpcomponents-client/commit/b930227f907af1198765fc47beabbddae344ca7b + - type: WEB + url: https://access.redhat.com/solutions/1165533 + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=1129916 + - type: ADVISORY + url: https://github.com/advisories/GHSA-2x83-r56g-cv47 + - type: WEB + url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564 + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1098.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1833.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1834.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1835.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1836.html + - type: WEB + url: 
http://rhn.redhat.com/errata/RHSA-2014-1891.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1892.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0125.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0158.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0675.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0720.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0765.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0850.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0851.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-1888.html + - type: WEB + url: http://svn.apache.org/viewvc?view=revision&revision=1411705 + - type: WEB + url: http://www.ubuntu.com/usn/USN-2769-1 + database_specific: + cwe_ids: + - CWE-20 + github_reviewed: true + github_reviewed_at: "2020-06-16T20:53:18Z" + nvd_published_at: null + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-7r82-7xv7-xcpj + modified: 2024-03-15T05:19:17.323914Z + published: 2021-06-03T23:40:23Z + aliases: + - CVE-2020-13956 + summary: Cross-site scripting in Apache HttpClient + details: Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.httpcomponents:httpclient + purl: pkg:maven/org.apache.httpcomponents/httpclient + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 4.5.13 + versions: + - "4.0" + - 4.0-alpha1 + - 4.0-alpha2 + - 4.0-alpha3 + - 4.0-alpha4 + - 4.0-beta1 + - 4.0-beta2 + - 4.0.1 + - 4.0.2 + - 4.0.3 + - "4.1" + - 4.1-alpha1 + - 4.1-alpha2 + - 4.1-beta1 + - 4.1.1 + - 4.1.2 + - 4.1.3 + - "4.2" + - 4.2-alpha1 + - 4.2-beta1 + - 4.2.1 + - 4.2.2 + - 4.2.3 + - 4.2.4 + - 4.2.5 + - 4.2.6 + - "4.3" + - 4.3-alpha1 + - 4.3-beta1 + - 4.3-beta2 + - 4.3.1 + - 4.3.2 + - 4.3.3 + - 4.3.4 + - 4.3.5 + - 4.3.6 + - "4.4" + - 4.4-alpha1 + - 4.4-beta1 + - 4.4.1 + - "4.5" + - 4.5.1 + - 4.5.10 + - 4.5.11 + - 4.5.12 + - 4.5.2 + - 4.5.3 + - 4.5.4 + - 4.5.5 + - 4.5.6 + - 4.5.7 + - 4.5.8 + - 4.5.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7r82-7xv7-xcpj/GHSA-7r82-7xv7-xcpj.json + - package: + ecosystem: Maven + name: org.apache.httpcomponents:httpclient + purl: pkg:maven/org.apache.httpcomponents/httpclient + ranges: + - type: ECOSYSTEM + events: + - introduced: 5.0.0 + - fixed: 5.0.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7r82-7xv7-xcpj/GHSA-7r82-7xv7-xcpj.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-13956 + - type: WEB + url: https://lists.apache.org/thread.html/re504acd4d63b8df2a7353658f45c9a3137e5f80e41cf7de50058b2c1@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd5ab56beb2ac6879f6ab427bc4e5f7691aed8362d17b713f61779858@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E + - 
type: WEB + url: https://lists.apache.org/thread.html/rcd9ad5dda60c82ab0d0c9bd3e9cb1dc740804451fc20c7f451ef5cc4@%3Cgitbox.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcced7ed3237c29cd19c1e9bf465d0038b8b2e967b99fc283db7ca553@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc990e2462ec32b09523deafb2c73606208599e196fa2d7f50bdbc587@%3Cissues.maven.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc5c6ccb86d2afe46bbd4b71573f0448dc1f87bbcd5a0d8c7f8f904b2@%3Cissues.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc505fee574fe8d18f9b0c655a4d120b0ae21bb6a73b96003e1d9be35@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc3739e0ad4bcf1888c6925233bfc37dd71156bbc8416604833095c42@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc0863892ccfd9fd0d0ae10091f24ee769fb39b8957fe4ebabfc11f17@%3Cdev.jackrabbit.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb725052404fabffbe093c83b2c46f3f87e12c3193a82379afbc529f8@%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb4ba262d6f08ab9cf8b1ebbcd9b00b0368ffe90dad7ad7918b4b56fc@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381@%3Ccommits.turbine.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rae14ae25ff4a60251e3ba2629c082c5ba3851dfd4d21218b99b56652@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rad6222134183046f3928f733bf680919e0c390739bfbfe6c90049673@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra8bc6b61c5df301a6fe5a716315528ecd17ccb8a7f907e24a47a1a5e@%3Cissues.lucene.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rea3dbf633dde5008d38bf6600a3738b9216e733e03f9ff7becf79625@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ree942561f4620313c75982a4e5f3b74fe6f7062b073210779648eec2@%3Cissues.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/reef569c2419705754a3acf42b5f19b2a158153cef0e448158bc54917@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf03228972e56cb4a03e6d9558188c2938078cf3ceb23a3fead87c9ca@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf43d17ed0d1fb4fb79036b582810ef60b18b1ef3add0d5dea825af1e@%3Cissues.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf4db88c22e1be9eb60c7dc623d0528642c045fb196a24774ac2fa3a3@%3Cissues.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf7ca60f78f05b772cc07d27e31bcd112f9910a05caf9095e38ee150f@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfb35f6db9ba1f1e061b63769a4eff5abadcc254ebfefc280e5a0dcf1@%3Ccommits.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfbedcb586a1e7dfce87ee03c720e583fc2ceeafa05f35c542cecc624@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfc00884c7b7ca878297bffe45fcb742c362b00b26ba37070706d44c3@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220210-0002 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: 
https://lists.apache.org/thread.html/r4850b3fbaea02fde2886e461005e4af8d37c80a48b3ce2a6edca0e30@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3f740e4c38bba1face49078aa5cbeeb558c27be601cc9712ad2dcd1e@%3Ccommits.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3cecd59fba74404cbf4eb430135e1080897fb376f111406a78bed13a@%3Cissues.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r34efec51cb817397ccf9f86e25a75676d435ba5f83ee7b2eabdad707@%3Ccommits.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r34178ab6ef106bc940665fd3f4ba5026fac3603b3fa2aefafa0b619d@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2dc7930b43eadc78220d269b79e13ecd387e4bee52db67b2f47d4303@%3Cgitbox.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2a03dc210231d7e852ef73015f71792ac0fcaca6cccc024c522ef17d@%3Ccommits.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2835543ef0f91adcc47da72389b816e36936f584c7be584d2314fac3@%3Cissues.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r132e4c6a560cfc519caa1aaee63bdd4036327610eadbd89f76dd5457@%3Cdev.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r12cb62751b35bdcda0ae2a08b67877d665a1f4d41eee0fa7367169e0@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0bebe6f9808ac7bdf572873b4fa96a29c6398c90dab29f131f3ebffe@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0a75b8f0f72f3e18442dc56d33f3827b905f2fe5b7ba48997436f5d1@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r06cf3ca5c8ceb94b39cd24a73d4e96153b485a7dac88444dd876accb@%3Cissues.drill.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r043a75acdeb52b15dd5e9524cdadef4202e6a5228644206acf9363f9@%3Cdev.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r03bbc318c81be21f5c8a9b85e34f2ecc741aa804a8e43b0ef2c37749@%3Cissues.maven.apache.org%3E + - type: PACKAGE + url: https://github.com/apache/httpcomponents-client + - type: WEB + url: https://lists.apache.org/thread.html/ra539f20ef0fb0c27ee39945b5f56bf162e5c13d1c60f7344dab8de3b@%3Cissues.maven.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9e52a6c72c8365000ecd035e48cc9fee5a677a150350d4420c46443d@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8aa1e5c343b89aec5b69961471950e862f15246cb6392910161c389b@%3Cissues.maven.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r87ddc09295c27f25471269ad0a79433a91224045988b88f0413a97ec@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r70c429923100c5a4fae8e5bc71c8a2d39af3de4888f50a0ac3755e6f@%3Ccommits.creadur.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6eb2dae157dbc9af1f30d1f64e9c60d4ebef618f3dce4a0e32d6ea4d@%3Ccommits.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6dab7da30f8bf075f79ee189e33b45a197502e2676481bb8787fc0d7%40%3Cdev.hc.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6d672b46622842e565e00f6ef6bef83eb55d8792aac2bee75bff9a2a@%3Cissues.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6a3cda38d050ebe13c1bc9a28d0a8ec38945095d07eca49046bcb89f@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r69a94e2f302d1b778bdfefe90fcb4b8c50b226438c3c8c1d0de85a19@%3Cdev.ranger.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r63296c45d5d84447babaf39bd1487329d8a80d8d563e67a4b6f3d8a7@%3Cdev.ranger.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r5fec9c1d67f928179adf484b01e7becd7c0a6fdfe3a08f92ea743b90@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5de3d3808e7b5028df966e45115e006456c4e8931dc1e29036f17927@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5b55f65c123a7481104d663a915ec45a0d103e6aaa03f42ed1c07a89@%3Cdev.jackrabbit.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r55b2a1d1e9b1ec9db792b93da8f0f99a4fd5a5310b02673359d9b4d1@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r549ac8c159bf0c568c19670bedeb8d7c0074beded951d34b1c1d0d05@%3Cdev.drill.apache.org%3E + database_specific: + cwe_ids: + - CWE-79 + github_reviewed: true + github_reviewed_at: "2021-04-12T22:25:52Z" + nvd_published_at: "2020-12-02T17:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-cfh5-3ghh-wfjx + modified: 2024-04-12T22:16:00.435748Z + published: 2018-10-17T00:05:06Z + aliases: + - CVE-2014-3577 + summary: Improper Verification of Cryptographic Signature in org.apache.httpcomponents:httpclient + details: org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.httpcomponents:httpclient + purl: pkg:maven/org.apache.httpcomponents/httpclient + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 4.3.5 + versions: + - "4.0" + - 4.0-alpha1 + - 4.0-alpha2 + - 4.0-alpha3 + - 4.0-alpha4 + - 4.0-beta1 + - 4.0-beta2 + - 4.0.1 + - 4.0.2 + - 4.0.3 + - "4.1" + - 4.1-alpha1 + - 4.1-alpha2 + - 4.1-beta1 + - 4.1.1 + - 4.1.2 + - 4.1.3 + - "4.2" + - 4.2-alpha1 + - 4.2-beta1 + - 4.2.1 + - 4.2.2 + - 4.2.3 + - 4.2.4 + - 4.2.5 + - 4.2.6 + - "4.3" + - 4.3-alpha1 + - 4.3-beta1 + - 4.3-beta2 + - 4.3.1 + - 4.3.2 + - 4.3.3 + - 4.3.4 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cfh5-3ghh-wfjx/GHSA-cfh5-3ghh-wfjx.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2014-3577 + - type: WEB + url: https://github.com/apache/httpcomponents-client/commit/51cc67567765d67f878f0dcef61b5ded454d3122 + - type: WEB + url: https://svn.apache.org/viewvc?view=revision&revision=1614064 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20231027-0003 + - type: WEB + url: https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: PACKAGE + url: https://github.com/apache/httpcomponents-client + - type: ADVISORY + url: https://github.com/advisories/GHSA-cfh5-3ghh-wfjx + - type: WEB + url: https://exchange.xforce.ibmcloud.com/vulnerabilities/95327 + - type: WEB + url: https://access.redhat.com/solutions/1165533 + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00032.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00033.html + - type: WEB + url: http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1146.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1166.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1833.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1834.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1835.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1836.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1891.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1892.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0125.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0158.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0675.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0720.html + - type: 
WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0765.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0850.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0851.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-1176.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-1177.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-1888.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2016-1773.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2016-1931.html + - type: WEB + url: http://seclists.org/fulldisclosure/2014/Aug/48 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/10/06/1 + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html + - type: WEB + url: http://www.ubuntu.com/usn/USN-2769-1 + database_specific: + cwe_ids: + - CWE-347 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:31:17Z" + nvd_published_at: "2014-08-21T14:55:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-fmj5-wv96-r2ch + modified: 2024-02-22T05:42:22.050973Z + published: 2018-10-17T00:05:29Z + aliases: + - CVE-2015-5262 + summary: Denial of service vulnerability in org.apache.httpcomponents:httpclient + details: http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.httpcomponents:httpclient + purl: pkg:maven/org.apache.httpcomponents/httpclient + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 4.3.6 + versions: + - "4.0" + - 4.0-alpha1 + - 4.0-alpha2 + - 4.0-alpha3 + - 4.0-alpha4 + - 4.0-beta1 + - 4.0-beta2 + - 4.0.1 + - 4.0.2 + - 4.0.3 + - "4.1" + - 4.1-alpha1 + - 4.1-alpha2 + - 4.1-beta1 + - 4.1.1 + - 4.1.2 + - 4.1.3 + - "4.2" + - 4.2-alpha1 + - 4.2-beta1 + - 4.2.1 + - 4.2.2 + - 4.2.3 + - 4.2.4 + - 4.2.5 + - 4.2.6 + - "4.3" + - 4.3-alpha1 + - 4.3-beta1 + - 4.3-beta2 + - 4.3.1 + - 4.3.2 + - 4.3.3 + - 4.3.4 + - 4.3.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-fmj5-wv96-r2ch/GHSA-fmj5-wv96-r2ch.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2015-5262 + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=1261538 + - type: ADVISORY + url: https://github.com/advisories/GHSA-fmj5-wv96-r2ch + - type: WEB + url: https://issues.apache.org/jira/browse/HTTPCLIENT-1478 + - type: WEB + url: https://jenkins.io/security/advisory/2018-02-26 + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167962.html + - type: WEB + url: http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167999.html + - type: WEB + url: http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168030.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00032.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00033.html + - type: WEB + url: http://svn.apache.org/viewvc?view=revision&revision=1626784 + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html + - type: WEB + url: http://www.securitytracker.com/id/1033743 + - type: WEB + url: http://www.ubuntu.com/usn/USN-2769-1 + database_specific: + cwe_ids: [] + github_reviewed: true + github_reviewed_at: "2020-06-16T21:34:55Z" + nvd_published_at: "2015-10-27T16:59:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-gw85-4gmf-m7rh + modified: 2024-03-05T19:16:07.039655Z + published: 2022-05-17T05:39:03Z + aliases: + - CVE-2011-1498 + summary: Exposure of Sensitive Information to an Unauthorized Actor in Apache HttpClient + details: Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.httpcomponents:httpclient + purl: pkg:maven/org.apache.httpcomponents/httpclient + ranges: + - type: ECOSYSTEM + events: + - introduced: 4.0.0 + - fixed: 4.1.1 + versions: + - "4.0" + - 4.0.1 + - 4.0.2 + - 4.0.3 + - "4.1" + - 4.1-alpha1 + - 4.1-alpha2 + - 4.1-beta1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gw85-4gmf-m7rh/GHSA-gw85-4gmf-m7rh.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2011-1498 + - type: WEB + url: https://github.com/apache/httpcomponents-client/commit/a572756592c969affd0ce87885724e74839176fb + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=709531 + - type: PACKAGE + url: https://github.com/apache/httpcomponents-client + - type: WEB + url: https://issues.apache.org/jira/browse/HTTPCLIENT-1061 + - type: WEB + url: http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061440.html + - type: WEB + url: http://marc.info/?l=httpclient-users&m=129853896315461&w=2 + - type: WEB + url: http://marc.info/?l=httpclient-users&m=129856318011586&w=2 + - type: WEB + url: http://marc.info/?l=httpclient-users&m=129857589129183&w=2 + - type: WEB + url: http://marc.info/?l=httpclient-users&m=129858274406594&w=2 + - type: WEB + url: http://marc.info/?l=httpclient-users&m=129858299106950&w=2 + - type: WEB + url: http://openwall.com/lists/oss-security/2011/04/07/7 + - type: WEB + url: http://openwall.com/lists/oss-security/2011/04/08/1 + - type: WEB + url: http://securityreason.com/securityalert/8298 + database_specific: + cwe_ids: + - CWE-200 + github_reviewed: true + github_reviewed_at: "2022-07-13T17:20:15Z" + nvd_published_at: "2011-07-07T21:55:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-pqwh-44jj-p5rm + modified: 2024-03-05T17:33:19.157465Z + published: 2022-05-13T01:25:03Z + aliases: + - CVE-2013-4366 + summary: Hostname verification in 
Apache HttpClient 4.3 was disabled by default + details: http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification. + affected: + - package: + ecosystem: Maven + name: org.apache.httpcomponents:httpclient + purl: pkg:maven/org.apache.httpcomponents/httpclient + ranges: + - type: ECOSYSTEM + events: + - introduced: "4.3" + - fixed: 4.3.1 + versions: + - "4.3" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pqwh-44jj-p5rm/GHSA-pqwh-44jj-p5rm.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2013-4366 + - type: WEB + url: https://github.com/apache/httpcomponents-client/commit/08140864e3e4c0994e094c4cf0507932baf6a66 + - type: WEB + url: http://svn.apache.org/r1528614 + - type: WEB + url: http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.3.x.txt + database_specific: + cwe_ids: + - CWE-20 + github_reviewed: true + github_reviewed_at: "2022-06-09T22:47:59Z" + nvd_published_at: "2017-10-30T19:29:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-9fc7-rhq3-wm7x + modified: 2024-02-16T08:06:20.90686Z + published: 2022-05-17T03:48:02Z + aliases: + - CVE-2016-6801 + summary: Apache Jackrabbit Authentication Hijacking Vulnerability + details: Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.jackrabbit:jackrabbit-webdav + purl: pkg:maven/org.apache.jackrabbit/jackrabbit-webdav + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.4.0 + - fixed: 2.4.6 + versions: + - 2.4.0 + - 2.4.1 + - 2.4.2 + - 2.4.3 + - 2.4.4 + - 2.4.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json + - package: + ecosystem: Maven + name: org.apache.jackrabbit:jackrabbit-webdav + purl: pkg:maven/org.apache.jackrabbit/jackrabbit-webdav + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.6.0 + - fixed: 2.6.6 + versions: + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.3 + - 2.6.4 + - 2.6.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json + - package: + ecosystem: Maven + name: org.apache.jackrabbit:jackrabbit-webdav + purl: pkg:maven/org.apache.jackrabbit/jackrabbit-webdav + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.8.0 + - fixed: 2.8.3 + versions: + - 2.8.0 + - 2.8.1 + - 2.8.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json + - package: + ecosystem: Maven + name: org.apache.jackrabbit:jackrabbit-webdav + purl: pkg:maven/org.apache.jackrabbit/jackrabbit-webdav + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.10.0 + - fixed: 2.10.4 + versions: + - 2.10.0 + - 2.10.1 + - 2.10.2 + - 2.10.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json + - package: + ecosystem: Maven + name: org.apache.jackrabbit:jackrabbit-webdav + purl: pkg:maven/org.apache.jackrabbit/jackrabbit-webdav + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.12.0 + - fixed: 
2.12.4 + versions: + - 2.12.0 + - 2.12.1 + - 2.12.2 + - 2.12.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json + - package: + ecosystem: Maven + name: org.apache.jackrabbit:jackrabbit-webdav + purl: pkg:maven/org.apache.jackrabbit/jackrabbit-webdav + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.13.0 + - fixed: 2.13.3 + versions: + - 2.13.0 + - 2.13.1 + - 2.13.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2016-6801 + - type: WEB + url: https://github.com/apache/jackrabbit/commit/16f2f02fcaef6202a2bf24c449d4fd10eb98f08d + - type: WEB + url: https://github.com/apache/jackrabbit/commit/ea75d7c2aeaafecd9ab97736bf81c5616f703244 + - type: WEB + url: https://github.com/apache/jackrabbit/commit/eae001a54aae9c243ac06b5c8f711b2cb2038700 + - type: PACKAGE + url: https://github.com/apache/jackrabbit + - type: WEB + url: https://issues.apache.org/jira/browse/JCR-4009 + - type: WEB + url: https://web.archive.org/web/20210123170657/http://www.securityfocus.com/bid/92966 + - type: WEB + url: http://www.debian.org/security/2016/dsa-3679 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2016/09/14/6 + database_specific: + cwe_ids: + - CWE-352 + github_reviewed: true + github_reviewed_at: "2023-07-31T22:54:02Z" + nvd_published_at: "2016-09-21T14:25:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-5h29-qq92-wj7f + modified: 2023-11-08T04:00:32.405493Z + published: 2022-05-24T16:57:28Z + aliases: + - CVE-2019-0231 + summary: Cleartext Transmission of Sensitive Information in Apache MINA + details: 'Handling of the close_notify SSL/TLS message does not lead to a 
connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.0.21, 2.1.0 users should migrate to 2.1.1. This issue affects: Apache MINA.' + affected: + - package: + ecosystem: Maven + name: org.apache.mina:mina-core + purl: pkg:maven/org.apache.mina/mina-core + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.0.21 + versions: + - 1.0.0 + - 1.0.1 + - 1.0.10 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.0.5 + - 1.0.6 + - 1.0.7 + - 1.0.8 + - 1.0.9 + - 1.1.0 + - 1.1.1 + - 1.1.2 + - 1.1.3 + - 1.1.4 + - 1.1.5 + - 1.1.6 + - 1.1.7 + - 2.0.0 + - 2.0.0-M1 + - 2.0.0-M2 + - 2.0.0-M3 + - 2.0.0-M4 + - 2.0.0-M5 + - 2.0.0-M6 + - 2.0.0-RC1 + - 2.0.1 + - 2.0.10 + - 2.0.11 + - 2.0.12 + - 2.0.13 + - 2.0.14 + - 2.0.15 + - 2.0.16 + - 2.0.17 + - 2.0.18 + - 2.0.19 + - 2.0.2 + - 2.0.20 + - 2.0.3 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - 2.0.8 + - 2.0.9 + database_specific: + last_known_affected_version_range: <= 2.0.20 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5h29-qq92-wj7f/GHSA-5h29-qq92-wj7f.json + - package: + ecosystem: Maven + name: org.apache.mina:mina-core + purl: pkg:maven/org.apache.mina/mina-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.1.0 + - fixed: 2.1.1 + versions: + - 2.1.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5h29-qq92-wj7f/GHSA-5h29-qq92-wj7f.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-0231 + - type: WEB + url: http://mina.apache.org/mina-project/index.html#mina-211-mina-2021-released-posted-on-april-14-2019 + database_specific: + cwe_ids: + - CWE-319 + github_reviewed: true + github_reviewed_at: "2022-06-29T15:48:56Z" + nvd_published_at: 
"2019-10-01T20:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-6mcm-j9cj-3vc3 + modified: 2023-11-08T04:07:03.734341Z + published: 2021-11-03T17:30:35Z + aliases: + - CVE-2021-41973 + summary: Infinite loop in Apache MINA + details: In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater. + affected: + - package: + ecosystem: Maven + name: org.apache.mina:mina-core + purl: pkg:maven/org.apache.mina/mina-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.1.0 + - fixed: 2.1.5 + versions: + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-6mcm-j9cj-3vc3/GHSA-6mcm-j9cj-3vc3.json + - package: + ecosystem: Maven + name: org.apache.mina:mina-core + purl: pkg:maven/org.apache.mina/mina-core + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.0.22 + versions: + - 1.0.0 + - 1.0.1 + - 1.0.10 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.0.5 + - 1.0.6 + - 1.0.7 + - 1.0.8 + - 1.0.9 + - 1.1.0 + - 1.1.1 + - 1.1.2 + - 1.1.3 + - 1.1.4 + - 1.1.5 + - 1.1.6 + - 1.1.7 + - 2.0.0 + - 2.0.0-M1 + - 2.0.0-M2 + - 2.0.0-M3 + - 2.0.0-M4 + - 2.0.0-M5 + - 2.0.0-M6 + - 2.0.0-RC1 + - 2.0.1 + - 2.0.10 + - 2.0.11 + - 2.0.12 + - 2.0.13 + - 2.0.14 + - 2.0.15 + - 2.0.16 + - 2.0.17 + - 2.0.18 + - 2.0.19 + - 2.0.2 + - 2.0.20 + - 2.0.21 + - 2.0.3 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - 2.0.8 + - 2.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-6mcm-j9cj-3vc3/GHSA-6mcm-j9cj-3vc3.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: 
https://nvd.nist.gov/vuln/detail/CVE-2021-41973 + - type: WEB + url: https://lists.apache.org/thread.html/r0b907da9340d5ff4e6c1a4798ef4e79700a668657f27cca8a39e9250%40%3Cdev.mina.apache.org%3E + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/11/01/2 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/11/01/8 + database_specific: + cwe_ids: + - CWE-835 + github_reviewed: true + github_reviewed_at: "2021-11-02T19:48:48Z" + nvd_published_at: "2021-11-01T09:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-2h3j-m7gr-25xj + modified: 2024-03-15T05:17:16.776669Z + published: 2021-06-16T17:56:46Z + aliases: + - CVE-2021-27807 + summary: Excessive Iteration Denial of Service in Apache PDFBox + details: A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions. + affected: + - package: + ecosystem: Maven + name: org.apache.pdfbox:pdfbox + purl: pkg:maven/org.apache.pdfbox/pdfbox + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.0.23 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.10 + - 2.0.11 + - 2.0.12 + - 2.0.13 + - 2.0.14 + - 2.0.15 + - 2.0.16 + - 2.0.17 + - 2.0.18 + - 2.0.19 + - 2.0.2 + - 2.0.20 + - 2.0.21 + - 2.0.22 + - 2.0.3 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - 2.0.8 + - 2.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-2h3j-m7gr-25xj/GHSA-2h3j-m7gr-25xj.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-27807 + - type: WEB + url: https://github.com/apache/pdfbox/commit/5c5a837140fbb4ef78bb5ef9f29ad537c872c83e + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: 
https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://svn.apache.org/viewvc?view=revision&revision=1886911 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PT72QOFDXLJ7PLTN66EMG5EHPTE7TFZ + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6KDA2U4KL2N3XT3PM4ZJEBBA6JJIH2G4 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AVLKAHFMPH72TTP25INPZPGX5FODK3H + - type: WEB + url: https://lists.apache.org/thread.html/re1e35881482e07dc2be6058d9b44483457f36133cac67956686ad9b9@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc69140d894c6a9c67a8097a25656cce59b46a5620c354ceba10543c3@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raa35746227f3f8d50fff1db9899524423a718f6f35cd39bd4769fa6c@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9ffe179385637b0b5cbdabd0246118005b4b8232909d2d14cd68ccd3@%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r818058ff1e4b9f6bef4e5a2e74faff38cb3d3885c1e2db398bc55cfb@%3Cusers.pdfbox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r818058ff1e4b9f6bef4e5a2e74faff38cb3d3885c1e2db398bc55cfb%40%3Cusers.pdfbox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7ee634c21816c69ce829d0c41f35afa2a53a99bdd3c7cce8644fdc0e@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6e067a6d83ccb6892d0ff867bd216704f21fb0b6a854dea34be04f12@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r5c8e2125d18af184c80f7a986fbe47eaf0d30457cd450133adc235ac@%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8@%3Cdev.pdfbox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b@%3Cnotifications.james.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4717f902f8bc36d47b3fa978552a25e4ed3ddc2fffb52b94fbc4ab36@%3Cusers.pdfbox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1d268642f8b52456ee8f876b888b8ed7a9e9568c7770789f3ded7f9e@%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1218e60c32829f76943ecaca79237120c2ec1ab266459d711a578b50@%3Cdev.pdfbox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r043edc5dcf9199f7f882ed7906b41cb816753766e88b8792dbf319a9@%3Cannounce.apache.org%3E + - type: WEB + url: https://issues.apache.org/jira/browse/PDFBOX-4892 + - type: PACKAGE + url: https://github.com/apache/pdfbox + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/03/19/9 + database_specific: + cwe_ids: + - CWE-834 + github_reviewed: true + github_reviewed_at: "2021-03-22T18:45:15Z" + nvd_published_at: "2021-03-19T16:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-4c32-xmgj-2g98 + modified: 2023-11-08T03:58:24.099687Z + published: 2018-10-17T18:22:15Z + aliases: + - CVE-2016-2175 + summary: High severity vulnerability that affects org.apache.pdfbox:pdfbox + details: Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.pdfbox:pdfbox + purl: pkg:maven/org.apache.pdfbox/pdfbox + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.8.12 + versions: + - 0.8.0-incubating + - 0.8.0-incubator + - 1.0.0 + - 1.1.0 + - 1.2.0 + - 1.2.1 + - 1.3.1 + - 1.4.0 + - 1.5.0 + - 1.6.0 + - 1.7.0 + - 1.7.1 + - 1.8.0 + - 1.8.1 + - 1.8.10 + - 1.8.11 + - 1.8.2 + - 1.8.3 + - 1.8.4 + - 1.8.5 + - 1.8.6 + - 1.8.7 + - 1.8.8 + - 1.8.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4c32-xmgj-2g98/GHSA-4c32-xmgj-2g98.json + - package: + ecosystem: Maven + name: org.apache.pdfbox:pdfbox + purl: pkg:maven/org.apache.pdfbox/pdfbox + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.0.1 + versions: + - 2.0.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4c32-xmgj-2g98/GHSA-4c32-xmgj-2g98.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2016-2175 + - type: ADVISORY + url: https://github.com/advisories/GHSA-4c32-xmgj-2g98 + - type: WEB + url: https://lists.apache.org/thread.html/ad5fbc86c1d1821ae1b963e8561ab6d6a5f66b2848e84f5a31477f54@%3Ccommits.tika.apache.org%3E + - type: WEB + url: http://mail-archives.us.apache.org/mod_mbox/www-announce/201605.mbox/%3C83a03bcf-f86b-4688-37b5-615c080291d8@apache.org%3E + - type: WEB + url: http://packetstormsecurity.com/files/137214/Apache-PDFBox-1.8.11-2.0.0-XML-Injection.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2017-0179.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2017-0248.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2017-0249.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2017-0272.html + - type: WEB + url: 
http://svn.apache.org/viewvc?view=revision&revision=1739564 + - type: WEB + url: http://svn.apache.org/viewvc?view=revision&revision=1739565 + - type: WEB + url: http://www.debian.org/security/2016/dsa-3606 + - type: WEB + url: http://www.securityfocus.com/archive/1/538503/100/0/threaded + - type: WEB + url: http://www.securityfocus.com/bid/90902 + database_specific: + cwe_ids: + - CWE-611 + github_reviewed: true + github_reviewed_at: "2020-06-16T20:58:03Z" + nvd_published_at: null + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-6vqp-h455-42mr + modified: 2024-03-15T05:36:23.028589Z + published: 2021-05-13T22:30:13Z + aliases: + - CVE-2021-27906 + summary: Uncontrolled Memory Allocation in Apache PDFBox + details: A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions. + affected: + - package: + ecosystem: Maven + name: org.apache.pdfbox:pdfbox + purl: pkg:maven/org.apache.pdfbox/pdfbox + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.0.23 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.10 + - 2.0.11 + - 2.0.12 + - 2.0.13 + - 2.0.14 + - 2.0.15 + - 2.0.16 + - 2.0.17 + - 2.0.18 + - 2.0.19 + - 2.0.2 + - 2.0.20 + - 2.0.21 + - 2.0.22 + - 2.0.3 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - 2.0.8 + - 2.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-6vqp-h455-42mr/GHSA-6vqp-h455-42mr.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-27906 + - type: WEB + url: https://github.com/apache/pdfbox/commit/8c47be1011c11dc47300faecffd8ab32fba3646f + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: 
https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PT72QOFDXLJ7PLTN66EMG5EHPTE7TFZ + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6KDA2U4KL2N3XT3PM4ZJEBBA6JJIH2G4 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AVLKAHFMPH72TTP25INPZPGX5FODK3H + - type: WEB + url: https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd@%3Cusers.pdfbox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd%40%3Cusers.pdfbox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re1e35881482e07dc2be6058d9b44483457f36133cac67956686ad9b9@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdf78aef4793362e778e21e34328b0456e302bde4b7e74f229df0ee04@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc69140d894c6a9c67a8097a25656cce59b46a5620c354ceba10543c3@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raa35746227f3f8d50fff1db9899524423a718f6f35cd39bd4769fa6c@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9ffe179385637b0b5cbdabd0246118005b4b8232909d2d14cd68ccd3@%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7ee634c21816c69ce829d0c41f35afa2a53a99bdd3c7cce8644fdc0e@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6e067a6d83ccb6892d0ff867bd216704f21fb0b6a854dea34be04f12@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r64982b768c8a2220b07aaf813bd099a9863de0d13eb212fd4efe208f@%3Cusers.pdfbox.apache.org%3E + 
- type: WEB + url: https://lists.apache.org/thread.html/r5c8e2125d18af184c80f7a986fbe47eaf0d30457cd450133adc235ac@%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8@%3Cdev.pdfbox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b@%3Cnotifications.james.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1d268642f8b52456ee8f876b888b8ed7a9e9568c7770789f3ded7f9e@%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1218e60c32829f76943ecaca79237120c2ec1ab266459d711a578b50@%3Cdev.pdfbox.apache.org%3E + - type: WEB + url: https://issues.apache.org/jira/browse/PDFBOX-5112 + - type: PACKAGE + url: https://github.com/apache/pdfbox + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/03/19/10 + database_specific: + cwe_ids: + - CWE-789 + github_reviewed: true + github_reviewed_at: "2021-03-22T18:36:26Z" + nvd_published_at: "2021-03-19T16:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-7grw-6pjh-jpc9 + modified: 2024-03-08T05:18:50.960251Z + published: 2021-06-15T15:54:29Z + aliases: + - CVE-2021-31812 + summary: Infinite Loop in Apache PDFBox + details: In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.pdfbox:pdfbox + purl: pkg:maven/org.apache.pdfbox/pdfbox + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.0.24 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.10 + - 2.0.11 + - 2.0.12 + - 2.0.13 + - 2.0.14 + - 2.0.15 + - 2.0.16 + - 2.0.17 + - 2.0.18 + - 2.0.19 + - 2.0.2 + - 2.0.20 + - 2.0.21 + - 2.0.22 + - 2.0.23 + - 2.0.3 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - 2.0.8 + - 2.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7grw-6pjh-jpc9/GHSA-7grw-6pjh-jpc9.json + - package: + ecosystem: Maven + name: org.apache.pdfbox:pdfbox-parent + purl: pkg:maven/org.apache.pdfbox/pdfbox-parent + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.0.24 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.10 + - 2.0.11 + - 2.0.12 + - 2.0.13 + - 2.0.14 + - 2.0.15 + - 2.0.16 + - 2.0.17 + - 2.0.18 + - 2.0.19 + - 2.0.2 + - 2.0.20 + - 2.0.21 + - 2.0.22 + - 2.0.23 + - 2.0.3 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - 2.0.8 + - 2.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7grw-6pjh-jpc9/GHSA-7grw-6pjh-jpc9.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-31812 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D + - type: WEB + url: 
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV + - type: WEB + url: https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf251f6c358087107f8c23473468b279d59d50a75db6b4768165c78d3@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e@%3Cusers.pdfbox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/06/12/1 + database_specific: + cwe_ids: + - CWE-834 + - CWE-835 + github_reviewed: true + github_reviewed_at: "2021-06-14T19:41:33Z" + nvd_published_at: "2021-06-12T10:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-c9jj-3wvg-q65h + modified: 2024-02-16T08:10:43.804701Z + published: 
2019-07-05T21:12:54Z + aliases: + - CVE-2019-0228 + summary: Vulnerability that affects org.apache.pdfbox:pdfbox + details: Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF. + affected: + - package: + ecosystem: Maven + name: org.apache.pdfbox:pdfbox + purl: pkg:maven/org.apache.pdfbox/pdfbox + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.14 + - fixed: 2.0.15 + versions: + - 2.0.14 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-c9jj-3wvg-q65h/GHSA-c9jj-3wvg-q65h.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-0228 + - type: ADVISORY + url: https://github.com/advisories/GHSA-c9jj-3wvg-q65h + - type: WEB + url: https://lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c4f723113bca79@%3Cusers.pdfbox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/8a19bd6d43e359913341043c2a114f91f9e4ae170059539ad1f5673c@%3Ccommits.tika.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/bc8db1bf459f1ad909da47350ed554ee745abe9f25f2b50cad4e06dd@%3Cserver-dev.james.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/be86fcd7cd423a3fe6b73a3cb9d7cac0b619d0deb99e6b5d172c98f4@%3Ccommits.tika.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0a2141abeddae66dd57025f1681c8425834062b7c0c7e0b1d830a95d@%3Cusers.pdfbox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r32b8102392a174b17fd19509a9e76047f74852b77b7bf46af95e45a2@%3Cserver-dev.james.apache.org%3E + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HKVPTJWZGUB4MH4AAOWMRJHRDBYFHGJ + - type: WEB + url: 
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPOGHJ5CVMUVCRQU7APBAN5IVZGZFDX + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-611 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:30:58Z" + nvd_published_at: "2019-04-17T15:29:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-fg3j-q579-v8x4 + modified: 2024-03-08T05:34:54.801835Z + published: 2021-06-15T15:54:32Z + aliases: + - CVE-2021-31811 + summary: Uncontrolled memory consumption + details: In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.pdfbox:pdfbox + purl: pkg:maven/org.apache.pdfbox/pdfbox + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.0.24 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.10 + - 2.0.11 + - 2.0.12 + - 2.0.13 + - 2.0.14 + - 2.0.15 + - 2.0.16 + - 2.0.17 + - 2.0.18 + - 2.0.19 + - 2.0.2 + - 2.0.20 + - 2.0.21 + - 2.0.22 + - 2.0.23 + - 2.0.3 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - 2.0.8 + - 2.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-fg3j-q579-v8x4/GHSA-fg3j-q579-v8x4.json + - package: + ecosystem: Maven + name: org.apache.pdfbox:pdfbox-parent + purl: pkg:maven/org.apache.pdfbox/pdfbox-parent + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.0.24 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.10 + - 2.0.11 + - 2.0.12 + - 2.0.13 + - 2.0.14 + - 2.0.15 + - 2.0.16 + - 2.0.17 + - 2.0.18 + - 2.0.19 + - 2.0.2 + - 2.0.20 + - 2.0.21 + - 2.0.22 + - 2.0.23 + - 2.0.3 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - 2.0.8 + - 2.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-fg3j-q579-v8x4/GHSA-fg3j-q579-v8x4.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-31811 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D + - type: WEB + url: 
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV + - type: WEB + url: https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf937c2236e6c79cdb99f76a70690dd345e53dbe0707cb506a202e43e@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e@%3Cusers.pdfbox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e%40%3Cusers.pdfbox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/06/12/2 + database_specific: + cwe_ids: + - CWE-770 + - CWE-789 + github_reviewed: true + github_reviewed_at: "2021-06-14T19:39:19Z" + nvd_published_at: "2021-06-12T10:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-gx96-vgf7-hwfg + modified: 2024-02-16T08:14:19.885368Z + published: 
2018-10-17T18:22:29Z + aliases: + - CVE-2018-11797 + summary: In Apache PDFBox a carefully crafted PDF file can trigger an extremely long running computation + details: In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree. + affected: + - package: + ecosystem: Maven + name: org.apache.pdfbox:pdfbox + purl: pkg:maven/org.apache.pdfbox/pdfbox + ranges: + - type: ECOSYSTEM + events: + - introduced: 1.8.0 + - fixed: 1.8.16 + versions: + - 1.8.0 + - 1.8.1 + - 1.8.10 + - 1.8.11 + - 1.8.12 + - 1.8.13 + - 1.8.14 + - 1.8.15 + - 1.8.2 + - 1.8.3 + - 1.8.4 + - 1.8.5 + - 1.8.6 + - 1.8.7 + - 1.8.8 + - 1.8.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-gx96-vgf7-hwfg/GHSA-gx96-vgf7-hwfg.json + - package: + ecosystem: Maven + name: org.apache.pdfbox:pdfbox + purl: pkg:maven/org.apache.pdfbox/pdfbox + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.0.12 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.10 + - 2.0.11 + - 2.0.2 + - 2.0.3 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - 2.0.8 + - 2.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-gx96-vgf7-hwfg/GHSA-gx96-vgf7-hwfg.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-11797 + - type: ADVISORY + url: https://github.com/advisories/GHSA-gx96-vgf7-hwfg + - type: WEB + url: https://lists.apache.org/thread.html/645574bc50b886d39c20b4065d51ccb1cd5d3a6b4750a22edbb565eb@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/a9760973a873522f4d4c0a99916ceb74f361d91006b663a0a418d34a@%3Cannounce.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8@%3Cdev.pdfbox.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2018/10/msg00008.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HKVPTJWZGUB4MH4AAOWMRJHRDBYFHGJ + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPOGHJ5CVMUVCRQU7APBAN5IVZGZFDX + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:38:16Z" + nvd_published_at: "2018-10-05T20:29:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-j2xq-pfff-mvgg + modified: 2024-02-20T05:34:40.059516Z + published: 2022-05-13T01:53:29Z + aliases: + - CVE-2018-8036 + summary: Loop with Unreachable Exit Condition in Apache PDFBox + details: In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.pdfbox:pdfbox + purl: pkg:maven/org.apache.pdfbox/pdfbox + ranges: + - type: ECOSYSTEM + events: + - introduced: 1.8.0 + - fixed: 1.8.15 + versions: + - 1.8.0 + - 1.8.1 + - 1.8.10 + - 1.8.11 + - 1.8.12 + - 1.8.13 + - 1.8.14 + - 1.8.2 + - 1.8.3 + - 1.8.4 + - 1.8.5 + - 1.8.6 + - 1.8.7 + - 1.8.8 + - 1.8.9 + database_specific: + last_known_affected_version_range: <= 1.8.14 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j2xq-pfff-mvgg/GHSA-j2xq-pfff-mvgg.json + - package: + ecosystem: Maven + name: org.apache.pdfbox:pdfbox + purl: pkg:maven/org.apache.pdfbox/pdfbox + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0RC1 + - fixed: 2.0.11 + versions: + - 2.0.0 + - 2.0.0-RC1 + - 2.0.0-RC2 + - 2.0.0-RC3 + - 2.0.1 + - 2.0.10 + - 2.0.2 + - 2.0.3 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - 2.0.8 + - 2.0.9 + database_specific: + last_known_affected_version_range: <= 2.0.10 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j2xq-pfff-mvgg/GHSA-j2xq-pfff-mvgg.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-8036 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2669 + - type: WEB + url: https://lists.apache.org/thread.html/9f62f742fd4fcd81654a9533b8a71349b064250840592bcd502dcfb6@%3Cusers.pdfbox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r43491b25b2e5c368c34b106a82eff910a5cea3e90de82ad75cc16540@%3Cdev.syncope.apache.org%3E + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HKVPTJWZGUB4MH4AAOWMRJHRDBYFHGJ + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPOGHJ5CVMUVCRQU7APBAN5IVZGZFDX + - type: WEB + url: 
https://www.oracle.com/security-alerts/cpuapr2020.html + database_specific: + cwe_ids: + - CWE-835 + github_reviewed: true + github_reviewed_at: "2022-06-29T18:54:14Z" + nvd_published_at: "2018-07-03T20:29:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-7grw-6pjh-jpc9 + modified: 2024-03-08T05:18:50.960251Z + published: 2021-06-15T15:54:29Z + aliases: + - CVE-2021-31812 + summary: Infinite Loop in Apache PDFBox + details: In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions. + affected: + - package: + ecosystem: Maven + name: org.apache.pdfbox:pdfbox + purl: pkg:maven/org.apache.pdfbox/pdfbox + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.0.24 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.10 + - 2.0.11 + - 2.0.12 + - 2.0.13 + - 2.0.14 + - 2.0.15 + - 2.0.16 + - 2.0.17 + - 2.0.18 + - 2.0.19 + - 2.0.2 + - 2.0.20 + - 2.0.21 + - 2.0.22 + - 2.0.23 + - 2.0.3 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - 2.0.8 + - 2.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7grw-6pjh-jpc9/GHSA-7grw-6pjh-jpc9.json + - package: + ecosystem: Maven + name: org.apache.pdfbox:pdfbox-parent + purl: pkg:maven/org.apache.pdfbox/pdfbox-parent + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.0.24 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.10 + - 2.0.11 + - 2.0.12 + - 2.0.13 + - 2.0.14 + - 2.0.15 + - 2.0.16 + - 2.0.17 + - 2.0.18 + - 2.0.19 + - 2.0.2 + - 2.0.20 + - 2.0.21 + - 2.0.22 + - 2.0.23 + - 2.0.3 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - 2.0.8 + - 2.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7grw-6pjh-jpc9/GHSA-7grw-6pjh-jpc9.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + 
url: https://nvd.nist.gov/vuln/detail/CVE-2021-31812 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV + - type: WEB + url: https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf251f6c358087107f8c23473468b279d59d50a75db6b4768165c78d3@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e@%3Cusers.pdfbox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E + - 
type: WEB + url: https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/06/12/1 + database_specific: + cwe_ids: + - CWE-834 + - CWE-835 + github_reviewed: true + github_reviewed_at: "2021-06-14T19:41:33Z" + nvd_published_at: "2021-06-12T10:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-fg3j-q579-v8x4 + modified: 2024-03-08T05:34:54.801835Z + published: 2021-06-15T15:54:32Z + aliases: + - CVE-2021-31811 + summary: Uncontrolled memory consumption + details: In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions. + affected: + - package: + ecosystem: Maven + name: org.apache.pdfbox:pdfbox + purl: pkg:maven/org.apache.pdfbox/pdfbox + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.0.24 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.10 + - 2.0.11 + - 2.0.12 + - 2.0.13 + - 2.0.14 + - 2.0.15 + - 2.0.16 + - 2.0.17 + - 2.0.18 + - 2.0.19 + - 2.0.2 + - 2.0.20 + - 2.0.21 + - 2.0.22 + - 2.0.23 + - 2.0.3 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - 2.0.8 + - 2.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-fg3j-q579-v8x4/GHSA-fg3j-q579-v8x4.json + - package: + ecosystem: Maven + name: org.apache.pdfbox:pdfbox-parent + purl: pkg:maven/org.apache.pdfbox/pdfbox-parent + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0 + - fixed: 2.0.24 + versions: + - 2.0.0 + - 2.0.1 + - 2.0.10 + - 2.0.11 + - 2.0.12 + - 2.0.13 + - 2.0.14 + - 2.0.15 + - 2.0.16 + - 2.0.17 + - 2.0.18 + - 2.0.19 + - 2.0.2 + - 2.0.20 + - 2.0.21 + - 2.0.22 + - 2.0.23 + - 2.0.3 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - 2.0.8 + - 2.0.9 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-fg3j-q579-v8x4/GHSA-fg3j-q579-v8x4.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-31811 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV + - type: WEB + url: https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf937c2236e6c79cdb99f76a70690dd345e53dbe0707cb506a202e43e@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e@%3Cusers.pdfbox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e%40%3Cusers.pdfbox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/06/12/2 + database_specific: + cwe_ids: + - CWE-770 + - CWE-789 + github_reviewed: true + github_reviewed_at: "2021-06-14T19:39:19Z" + nvd_published_at: "2021-06-12T10:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-26gr-cvq3-qxgf + modified: 2023-11-08T04:02:47.183256Z + published: 2021-05-07T15:53:18Z + aliases: + - CVE-2020-1957 + summary: Improper Authentication in Apache Shiro + details: Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.shiro:shiro-core + purl: pkg:maven/org.apache.shiro/shiro-core + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.5.2 + versions: + - 1.0.0-incubating + - 1.1.0 + - 1.2.0 + - 1.2.1 + - 1.2.2 + - 1.2.3 + - 1.2.4 + - 1.2.5 + - 1.2.6 + - 1.3.0 + - 1.3.1 + - 1.3.2 + - 1.4.0 + - 1.4.0-RC2 + - 1.4.1 + - 1.4.2 + - 1.5.0 + - 1.5.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-26gr-cvq3-qxgf/GHSA-26gr-cvq3-qxgf.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-1957 + - type: PACKAGE + url: https://github.com/apache/shiro + - type: WEB + url: https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3@%3Ccommits.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb3982edf8bc8fcaa7a308e25a12d294fb4aac1f1e9d4e14fda639e77@%3Cdev.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc64fb2336683feff3580c3c3a8b28e80525077621089641f2f386b63@%3Ccommits.camel.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0@%3Ccommits.shiro.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/04/msg00014.html + database_specific: + cwe_ids: + - CWE-287 + github_reviewed: true + github_reviewed_at: "2021-05-06T20:05:12Z" + nvd_published_at: "2020-03-25T16:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-2vgm-wxr3-6w2j + 
modified: 2024-03-15T05:20:51.873553Z + published: 2021-05-07T15:54:23Z + aliases: + - CVE-2020-13933 + summary: Authentication bypass in Apache Shiro + details: Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass. + affected: + - package: + ecosystem: Maven + name: org.apache.shiro:shiro-core + purl: pkg:maven/org.apache.shiro/shiro-core + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.6.0 + versions: + - 1.0.0-incubating + - 1.1.0 + - 1.2.0 + - 1.2.1 + - 1.2.2 + - 1.2.3 + - 1.2.4 + - 1.2.5 + - 1.2.6 + - 1.3.0 + - 1.3.1 + - 1.3.2 + - 1.4.0 + - 1.4.0-RC2 + - 1.4.1 + - 1.4.2 + - 1.5.0 + - 1.5.1 + - 1.5.2 + - 1.5.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2vgm-wxr3-6w2j/GHSA-2vgm-wxr3-6w2j.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-13933 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html + - type: WEB + url: https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb5edf49cd1451475dbcf53826ba6ef1bb7872dd6493d6112eb0c2bad@%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc@%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9ea6d8560d6354d41433ad006069904f0ed083527aa348b5999261a7@%3Cdev.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E + - 
type: WEB + url: https://lists.apache.org/thread.html/r8097b81905f2a113ebdf925bcbc6d8c9d6863c807c9ee42e1e7c9293@%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a@%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4@%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ea0224c1971a91dc6ade1f22508119a9c3bd56cef656f0c44bbfabb@%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129@%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4c1e1249e9e1acb868db0c80728c13f448d07333da06a0f1603c0a33@%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4506cedc401d6b8de83787f8436aac83956e411d66848c84785db46d@%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r18b45d560d76c4260813c802771cc9678aa651fb8340e09366bfa198@%3Cdev.geode.apache.org%3E + - type: PACKAGE + url: https://github.com/apache/shiro + database_specific: + cwe_ids: + - CWE-287 + github_reviewed: true + github_reviewed_at: "2021-05-05T21:37:50Z" + nvd_published_at: "2020-08-17T21:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-45x9-q6vj-cqgq + modified: 2024-02-16T07:57:10.787044Z + published: 2022-10-12T12:00:16Z + aliases: + - CVE-2022-40664 + summary: Apache Shiro Authentication Bypass vulnerability + details: Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.shiro:shiro-core + purl: pkg:maven/org.apache.shiro/shiro-core + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.10.0 + versions: + - 1.0.0-incubating + - 1.1.0 + - 1.2.0 + - 1.2.1 + - 1.2.2 + - 1.2.3 + - 1.2.4 + - 1.2.5 + - 1.2.6 + - 1.3.0 + - 1.3.1 + - 1.3.2 + - 1.4.0 + - 1.4.0-RC2 + - 1.4.1 + - 1.4.2 + - 1.5.0 + - 1.5.1 + - 1.5.2 + - 1.5.3 + - 1.6.0 + - 1.7.0 + - 1.7.1 + - 1.8.0 + - 1.9.0 + - 1.9.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-45x9-q6vj-cqgq/GHSA-45x9-q6vj-cqgq.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-40664 + - type: PACKAGE + url: https://github.com/apache/shiro + - type: WEB + url: https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg + - type: WEB + url: https://security.netapp.com/advisory/ntap-20221118-0005 + - type: WEB + url: https://shiro.apache.org/blog/2022/10/10/2022/apache-shiro-1101-released.html + - type: WEB + url: http://www.openwall.com/lists/oss-security/2022/10/12/1 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2022/10/12/2 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2022/10/13/1 + database_specific: + cwe_ids: + - CWE-287 + github_reviewed: true + github_reviewed_at: "2022-10-12T19:43:15Z" + nvd_published_at: "2022-10-12T07:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-4cf5-xmhp-3xj7 + modified: 2023-11-08T04:09:36.762135Z + published: 2022-06-30T00:00:41Z + aliases: + - CVE-2022-32532 + summary: Improper Authorization in Apache Shiro + details: Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. 
Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass. + affected: + - package: + ecosystem: Maven + name: org.apache.shiro:shiro-core + purl: pkg:maven/org.apache.shiro/shiro-core + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.9.1 + versions: + - 1.0.0-incubating + - 1.1.0 + - 1.2.0 + - 1.2.1 + - 1.2.2 + - 1.2.3 + - 1.2.4 + - 1.2.5 + - 1.2.6 + - 1.3.0 + - 1.3.1 + - 1.3.2 + - 1.4.0 + - 1.4.0-RC2 + - 1.4.1 + - 1.4.2 + - 1.5.0 + - 1.5.1 + - 1.5.2 + - 1.5.3 + - 1.6.0 + - 1.7.0 + - 1.7.1 + - 1.8.0 + - 1.9.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-4cf5-xmhp-3xj7/GHSA-4cf5-xmhp-3xj7.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-32532 + - type: PACKAGE + url: https://github.com/apache/shiro + - type: WEB + url: https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh + database_specific: + cwe_ids: + - CWE-285 + - CWE-863 + github_reviewed: true + github_reviewed_at: "2022-07-06T19:52:31Z" + nvd_published_at: "2022-06-29T00:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-72w9-fcj5-3fcg + modified: 2023-11-08T04:02:08.91663Z + published: 2021-05-07T15:53:10Z + aliases: + - CVE-2020-11989 + summary: Improper Authentication in Apache Shiro + details: Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.shiro:shiro-core + purl: pkg:maven/org.apache.shiro/shiro-core + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.5.3 + versions: + - 1.0.0-incubating + - 1.1.0 + - 1.2.0 + - 1.2.1 + - 1.2.2 + - 1.2.3 + - 1.2.4 + - 1.2.5 + - 1.2.6 + - 1.3.0 + - 1.3.1 + - 1.3.2 + - 1.4.0 + - 1.4.0-RC2 + - 1.4.1 + - 1.4.2 + - 1.5.0 + - 1.5.1 + - 1.5.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-72w9-fcj5-3fcg/GHSA-72w9-fcj5-3fcg.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-11989 + - type: PACKAGE + url: https://github.com/apache/shiro + - type: WEB + url: https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r408fe60bc8fdfd7c74135249d646d7abadb807ebf90f6fd2b014df21@%3Cdev.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675@%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675@%3Cuser.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3@%3Ccommits.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0@%3Ccommits.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcf3d8041e1232201fe5d74fc612a193e435784d64002409b448b58fe@%3Cdev.geode.apache.org%3E + database_specific: + 
cwe_ids: + - CWE-287 + github_reviewed: true + github_reviewed_at: "2021-05-06T20:07:20Z" + nvd_published_at: "2020-06-22T19:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-f6jp-j6w3-w9hm + modified: 2024-02-19T05:32:19.684337Z + published: 2021-09-20T20:18:11Z + aliases: + - CVE-2021-41303 + summary: Apache Shiro vulnerable to a specially crafted HTTP request causing an authentication bypass + details: Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0. + affected: + - package: + ecosystem: Maven + name: org.apache.shiro:shiro-core + purl: pkg:maven/org.apache.shiro/shiro-core + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.8.0 + versions: + - 1.0.0-incubating + - 1.1.0 + - 1.2.0 + - 1.2.1 + - 1.2.2 + - 1.2.3 + - 1.2.4 + - 1.2.5 + - 1.2.6 + - 1.3.0 + - 1.3.1 + - 1.3.2 + - 1.4.0 + - 1.4.0-RC2 + - 1.4.1 + - 1.4.2 + - 1.5.0 + - 1.5.1 + - 1.5.2 + - 1.5.3 + - 1.6.0 + - 1.7.0 + - 1.7.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-f6jp-j6w3-w9hm/GHSA-f6jp-j6w3-w9hm.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-41303 + - type: WEB + url: https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b@%3Cuser.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220609-0001 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + database_specific: + cwe_ids: + - CWE-287 + github_reviewed: true + github_reviewed_at: "2021-09-20T19:17:39Z" + nvd_published_at: 
"2021-09-17T09:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-jc7h-c423-mpjc + modified: 2024-02-16T08:22:28.165745Z + published: 2024-01-15T12:30:19Z + aliases: + - CVE-2023-46749 + summary: Apache Shiro vulnerable to path traversal + details: "Apache Shiro before 1.130 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting \n\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).\n\n" + affected: + - package: + ecosystem: Maven + name: org.apache.shiro:shiro-core + purl: pkg:maven/org.apache.shiro/shiro-core + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.13.0 + versions: + - 1.0.0-incubating + - 1.1.0 + - 1.10.0 + - 1.10.1 + - 1.11.0 + - 1.12.0 + - 1.2.0 + - 1.2.1 + - 1.2.2 + - 1.2.3 + - 1.2.4 + - 1.2.5 + - 1.2.6 + - 1.3.0 + - 1.3.1 + - 1.3.2 + - 1.4.0 + - 1.4.0-RC2 + - 1.4.1 + - 1.4.2 + - 1.5.0 + - 1.5.1 + - 1.5.2 + - 1.5.3 + - 1.6.0 + - 1.7.0 + - 1.7.1 + - 1.8.0 + - 1.9.0 + - 1.9.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-jc7h-c423-mpjc/GHSA-jc7h-c423-mpjc.json + - package: + ecosystem: Maven + name: org.apache.shiro:shiro-core + purl: pkg:maven/org.apache.shiro/shiro-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0alpha1 + - fixed: 2.0.0-alpha4 + versions: + - 2.0.0-alpha-1 + - 2.0.0-alpha-2 + - 2.0.0-alpha-3 + database_specific: + last_known_affected_version_range: < 2.0.0alpha4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-jc7h-c423-mpjc/GHSA-jc7h-c423-mpjc.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-46749 + - type: WEB + url: 
https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm + database_specific: + cwe_ids: + - CWE-22 + github_reviewed: true + github_reviewed_at: "2024-01-16T20:34:50Z" + nvd_published_at: "2024-01-15T10:15:26Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-p836-389h-j692 + modified: 2023-11-08T03:58:28.809167Z + published: 2022-05-14T02:46:17Z + aliases: + - CVE-2016-4437 + summary: Improper Access Control in Apache Shiro + details: Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. + affected: + - package: + ecosystem: Maven + name: org.apache.shiro:shiro-core + purl: pkg:maven/org.apache.shiro/shiro-core + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.2.5 + versions: + - 1.0.0-incubating + - 1.1.0 + - 1.2.0 + - 1.2.1 + - 1.2.2 + - 1.2.3 + - 1.2.4 + database_specific: + last_known_affected_version_range: <= 1.2.4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-p836-389h-j692/GHSA-p836-389h-j692.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2016-4437 + - type: WEB + url: https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4@%3Cannouncements.aurora.apache.org%3E + - type: WEB + url: http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html + - type: WEB + url: http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2016-2035.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2016-2036.html + - type: WEB + url: http://www.securityfocus.com/archive/1/538570/100/0/threaded + - type: WEB + url: 
http://www.securityfocus.com/bid/91024 + database_specific: + cwe_ids: + - CWE-284 + github_reviewed: true + github_reviewed_at: "2022-07-06T19:56:32Z" + nvd_published_at: "2016-06-07T14:06:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-r679-m633-g7wc + modified: 2023-11-08T04:01:05.150202Z + published: 2020-02-04T22:36:36Z + aliases: + - CVE-2019-12422 + summary: Improper input validation in Apache Shiro + details: Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack. + affected: + - package: + ecosystem: Maven + name: org.apache.shiro:shiro-core + purl: pkg:maven/org.apache.shiro/shiro-core + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.4.2 + versions: + - 1.0.0-incubating + - 1.1.0 + - 1.2.0 + - 1.2.1 + - 1.2.2 + - 1.2.3 + - 1.2.4 + - 1.2.5 + - 1.2.6 + - 1.3.0 + - 1.3.1 + - 1.3.2 + - 1.4.0 + - 1.4.0-RC2 + - 1.4.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-r679-m633-g7wc/GHSA-r679-m633-g7wc.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-12422 + - type: WEB + url: https://lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c@%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E + database_specific: + cwe_ids: [] + github_reviewed: true + github_reviewed_at: "2020-02-04T21:49:59Z" + nvd_published_at: "2019-11-18T23:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-3jx9-mgwx-4q83 + modified: 2024-02-16T08:20:45.984208Z + published: 2022-05-14T02:42:51Z + aliases: + - CVE-2010-3863 + summary: Apache Shiro Path Traversal vulnerability + details: Apache Shiro before 1.1.0, and JSecurity 0.9.x, 
does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI. + affected: + - package: + ecosystem: Maven + name: org.apache.shiro:shiro-root + purl: pkg:maven/org.apache.shiro/shiro-root + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.1.0 + versions: + - 1.0.0-incubating + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3jx9-mgwx-4q83/GHSA-3jx9-mgwx-4q83.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2010-3863 + - type: WEB + url: https://exchange.xforce.ibmcloud.com/vulnerabilities/62959 + - type: PACKAGE + url: https://github.com/apache/shiro + - type: WEB + url: https://web.archive.org/web/20101120091718/http://www.vupen.com/english/advisories/2010/2888 + - type: WEB + url: https://web.archive.org/web/20101129043410/http://secunia.com/advisories/41989 + - type: WEB + url: https://web.archive.org/web/20110929165859/http://www.securityfocus.com/bid/44616 + - type: WEB + url: https://web.archive.org/web/20161017000748/http://www.securityfocus.com/archive/1/514616/100/0/threaded + - type: WEB + url: http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html + database_specific: + cwe_ids: + - CWE-22 + github_reviewed: true + github_reviewed_at: "2024-02-07T22:57:26Z" + nvd_published_at: "2010-11-05T17:00:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-7cxr-h8wm-fg4c + modified: 2024-02-16T08:23:48.417435Z + published: 2023-01-14T12:30:23Z + aliases: + - CVE-2023-22602 + summary: Apache Shiro Interpretation Conflict vulnerability + details: 'When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. 
The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher` ' + affected: + - package: + ecosystem: Maven + name: org.apache.shiro:shiro-root + purl: pkg:maven/org.apache.shiro/shiro-root + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.11.0 + versions: + - 1.0.0-incubating + - 1.1.0 + - 1.10.0 + - 1.10.1 + - 1.2.0 + - 1.2.1 + - 1.2.2 + - 1.2.3 + - 1.2.4 + - 1.2.5 + - 1.2.6 + - 1.3.0 + - 1.3.1 + - 1.3.2 + - 1.4.0 + - 1.4.0-RC2 + - 1.4.1 + - 1.4.2 + - 1.5.0 + - 1.5.1 + - 1.5.2 + - 1.5.3 + - 1.6.0 + - 1.7.0 + - 1.7.1 + - 1.8.0 + - 1.9.0 + - 1.9.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-7cxr-h8wm-fg4c/GHSA-7cxr-h8wm-fg4c.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-22602 + - type: PACKAGE + url: https://github.com/apache/shiro + - type: WEB + url: https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl + database_specific: + cwe_ids: + - CWE-436 + github_reviewed: true + github_reviewed_at: "2023-01-20T21:50:25Z" + nvd_published_at: "2023-01-14T10:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-4q2v-j639-cp7p + modified: 2023-11-08T03:58:33.527856Z + published: 2022-05-14T02:46:12Z + aliases: + - CVE-2016-6802 + summary: Improper Access Control in Apache Shiro + details: Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.shiro:shiro-all + purl: pkg:maven/org.apache.shiro/shiro-all + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.3.2 + versions: + - 1.0.0-incubating + - 1.1.0 + - 1.2.0 + - 1.2.1 + - 1.2.2 + - 1.2.3 + - 1.2.4 + - 1.2.5 + - 1.2.6 + - 1.3.0 + - 1.3.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4q2v-j639-cp7p/GHSA-4q2v-j639-cp7p.json + - package: + ecosystem: Maven + name: org.apache.shiro:shiro-web + purl: pkg:maven/org.apache.shiro/shiro-web + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.3.2 + versions: + - 1.0.0-incubating + - 1.1.0 + - 1.2.0 + - 1.2.1 + - 1.2.2 + - 1.2.3 + - 1.2.4 + - 1.2.5 + - 1.2.6 + - 1.3.0 + - 1.3.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4q2v-j639-cp7p/GHSA-4q2v-j639-cp7p.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2016-6802 + - type: WEB + url: https://github.com/apache/shiro/commit/b15ab927709ca18ea4a02538be01919a19ab65af + - type: WEB + url: https://issues.apache.org/jira/browse/SHIRO-584 + - type: WEB + url: https://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html + database_specific: + cwe_ids: + - CWE-284 + github_reviewed: true + github_reviewed_at: "2022-11-04T22:45:53Z" + nvd_published_at: "2016-09-20T19:59:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-hhw5-c326-822h + modified: 2024-02-16T08:13:45.335614Z + published: 2023-12-14T09:30:19Z + aliases: + - CVE-2023-46750 + summary: Open redirect in Apache Shiro + details: | + URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro. + Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.shiro:shiro-web + purl: pkg:maven/org.apache.shiro/shiro-web + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.13.0 + versions: + - 1.0.0-incubating + - 1.1.0 + - 1.10.0 + - 1.10.1 + - 1.11.0 + - 1.12.0 + - 1.2.0 + - 1.2.1 + - 1.2.2 + - 1.2.3 + - 1.2.4 + - 1.2.5 + - 1.2.6 + - 1.3.0 + - 1.3.1 + - 1.3.2 + - 1.4.0 + - 1.4.0-RC2 + - 1.4.1 + - 1.4.2 + - 1.5.0 + - 1.5.1 + - 1.5.2 + - 1.5.3 + - 1.6.0 + - 1.7.0 + - 1.7.1 + - 1.8.0 + - 1.9.0 + - 1.9.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-hhw5-c326-822h/GHSA-hhw5-c326-822h.json + - package: + ecosystem: Maven + name: org.apache.shiro:shiro-web + purl: pkg:maven/org.apache.shiro/shiro-web + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0-alpha-1 + - fixed: 2.0.0-alpha-4 + versions: + - 2.0.0-alpha-1 + - 2.0.0-alpha-2 + - 2.0.0-alpha-3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-hhw5-c326-822h/GHSA-hhw5-c326-822h.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-46750 + - type: WEB + url: https://github.com/apache/shiro/commit/3b80f5c8e5a95ba31e92e4825ecc0ba3148b555a + - type: WEB + url: https://github.com/apache/shiro/commit/8400d08d5eac0bc4fae99d28c5adc82dd8a86eda + - type: PACKAGE + url: https://github.com/apache/shiro + - type: WEB + url: https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9 + database_specific: + cwe_ids: + - CWE-601 + github_reviewed: true + github_reviewed_at: "2023-12-15T03:11:05Z" + nvd_published_at: "2023-12-14T09:15:42Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-pmhc-2g4f-85cg + modified: 2024-02-20T05:31:25.133983Z + published: 2023-07-24T21:30:39Z + aliases: + - CVE-2023-34478 + summary: 
Path Traversal in Apache Shiro + details: | + Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests. + + Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+ + affected: + - package: + ecosystem: Maven + name: org.apache.shiro:shiro-web + purl: pkg:maven/org.apache.shiro/shiro-web + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.12.0 + versions: + - 1.0.0-incubating + - 1.1.0 + - 1.10.0 + - 1.10.1 + - 1.11.0 + - 1.2.0 + - 1.2.1 + - 1.2.2 + - 1.2.3 + - 1.2.4 + - 1.2.5 + - 1.2.6 + - 1.3.0 + - 1.3.1 + - 1.3.2 + - 1.4.0 + - 1.4.0-RC2 + - 1.4.1 + - 1.4.2 + - 1.5.0 + - 1.5.1 + - 1.5.2 + - 1.5.3 + - 1.6.0 + - 1.7.0 + - 1.7.1 + - 1.8.0 + - 1.9.0 + - 1.9.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-pmhc-2g4f-85cg/GHSA-pmhc-2g4f-85cg.json + - package: + ecosystem: Maven + name: org.apache.shiro:shiro-web + purl: pkg:maven/org.apache.shiro/shiro-web + ranges: + - type: ECOSYSTEM + events: + - introduced: 2.0.0-alpha-1 + - fixed: 2.0.0-alpha-3 + versions: + - 2.0.0-alpha-1 + - 2.0.0-alpha-2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-pmhc-2g4f-85cg/GHSA-pmhc-2g4f-85cg.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-34478 + - type: WEB + url: https://github.com/apache/shiro/commit/c3ede3f94efb442acb0795714a022c2c121d1da0 + - type: PACKAGE + url: https://github.com/apache/shiro + - type: WEB + url: https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk + - type: WEB + url: https://security.netapp.com/advisory/ntap-20230915-0005 + - type: WEB + url: 
http://www.openwall.com/lists/oss-security/2023/07/24/4 + database_specific: + cwe_ids: + - CWE-22 + github_reviewed: true + github_reviewed_at: "2023-07-25T13:51:45Z" + nvd_published_at: "2023-07-24T19:15:10Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-v98j-7crc-wvrj + modified: 2023-11-08T04:02:42.580112Z + published: 2022-02-09T22:03:57Z + aliases: + - CVE-2020-17523 + summary: Authentication bypass in Apache Shiro + details: Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. + affected: + - package: + ecosystem: Maven + name: org.apache.shiro:shiro-web + purl: pkg:maven/org.apache.shiro/shiro-web + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.7.1 + versions: + - 1.0.0-incubating + - 1.1.0 + - 1.2.0 + - 1.2.1 + - 1.2.2 + - 1.2.3 + - 1.2.4 + - 1.2.5 + - 1.2.6 + - 1.3.0 + - 1.3.1 + - 1.3.2 + - 1.4.0 + - 1.4.0-RC2 + - 1.4.1 + - 1.4.2 + - 1.5.0 + - 1.5.1 + - 1.5.2 + - 1.5.3 + - 1.6.0 + - 1.7.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-v98j-7crc-wvrj/GHSA-v98j-7crc-wvrj.json + - package: + ecosystem: Maven + name: org.apache.shiro:shiro-spring + purl: pkg:maven/org.apache.shiro/shiro-spring + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.7.1 + versions: + - 1.0.0-incubating + - 1.1.0 + - 1.2.0 + - 1.2.1 + - 1.2.2 + - 1.2.3 + - 1.2.4 + - 1.2.5 + - 1.2.6 + - 1.3.0 + - 1.3.1 + - 1.3.2 + - 1.4.0 + - 1.4.0-RC2 + - 1.4.1 + - 1.4.2 + - 1.5.0 + - 1.5.1 + - 1.5.2 + - 1.5.3 + - 1.6.0 + - 1.7.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-v98j-7crc-wvrj/GHSA-v98j-7crc-wvrj.json + - package: + ecosystem: Maven + name: org.apache.shiro:shiro-spring-boot-starter + purl: pkg:maven/org.apache.shiro/shiro-spring-boot-starter + ranges: + - type: ECOSYSTEM + events: + - 
introduced: "0" + - fixed: 1.7.1 + versions: + - 1.4.0 + - 1.4.0-RC2 + - 1.4.1 + - 1.4.2 + - 1.5.0 + - 1.5.1 + - 1.5.2 + - 1.5.3 + - 1.6.0 + - 1.7.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-v98j-7crc-wvrj/GHSA-v98j-7crc-wvrj.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-17523 + - type: WEB + url: https://github.com/apache/shiro/pull/263 + - type: WEB + url: https://issues.apache.org/jira/browse/SHIRO-797 + - type: WEB + url: https://lists.apache.org/thread.html/r5b93ddf97e2c4cda779d22fab30539bdec454cfa5baec4ad0ffae235@%3Cgitbox.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r679ca97813384bdb1a4c087810ba44d9ad9c7c11583979bb7481d196@%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd4b613e121438b97e3eb263cac3137caddb1dbd8f648b73a4f1898a6@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E + - type: WEB + url: http://shiro.apache.org/download.html + database_specific: + cwe_ids: + - CWE-287 + github_reviewed: true + github_reviewed_at: "2021-04-05T21:20:26Z" + nvd_published_at: "2021-02-03T17:15:00Z" + 
severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-6x4w-8w53-xrvv + modified: 2023-11-08T03:57:48.103924Z + published: 2020-09-14T18:44:01Z + aliases: + - CVE-2015-0254 + summary: XXE in Apache Standard Taglibs + details: Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) or (2) JSTL XML tag. + affected: + - package: + ecosystem: Maven + name: org.apache.taglibs:taglibs-standard + purl: pkg:maven/org.apache.taglibs/taglibs-standard + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.2.3 + versions: + - 1.2.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-6x4w-8w53-xrvv/GHSA-6x4w-8w53-xrvv.json + - package: + ecosystem: Maven + name: org.apache.taglibs:taglibs-standard-impl + purl: pkg:maven/org.apache.taglibs/taglibs-standard-impl + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.2.3 + versions: + - 1.2.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-6x4w-8w53-xrvv/GHSA-6x4w-8w53-xrvv.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2015-0254 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2016:1376 + - type: WEB + url: https://lists.apache.org/thread.html/8a20e48acb2a40be5130df91cf9d39d8ad93181989413d4abcaa4914@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6c93d8ade3788dbc00f5a37238bc278e7d859f2446b885460783a16f@%3Cpluto-dev.portals.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc1686f6196bb9063bf26577a21b8033c19c1a30e5a9159869c8f3d38@%3Cpluto-dev.portals.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf1179e6971bc46f0f68879a9a10cc97ad4424451b0889aeef04c8077@%3Cpluto-scm.portals.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfc2bfd99c340dafd501676693cd889c1f9f838b97bdd0776a8f5557d@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: http://lists.opensuse.org/opensuse-updates/2015-10/msg00033.html + - type: WEB + url: http://mail-archives.apache.org/mod_mbox/tomcat-taglibs-user/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A%40apache.org%3E + - type: WEB + url: http://packetstormsecurity.com/files/130575/Apache-Standard-Taglibs-1.2.1-XXE-Remote-Command-Execution.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-1695.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2016-1838.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2016-1839.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2016-1840.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2016-1841.html + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html + - type: WEB + url: http://www.securityfocus.com/archive/1/534772/100/0/threaded + - type: WEB + url: http://www.securityfocus.com/bid/72809 + - type: WEB + url: http://www.securitytracker.com/id/1034934 + - type: WEB + url: http://www.ubuntu.com/usn/USN-2551-1 + database_specific: + cwe_ids: + - CWE-611 + github_reviewed: true + github_reviewed_at: "2020-09-14T18:42:48Z" + nvd_published_at: "2015-03-09T14:59:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-6x4w-8w53-xrvv + modified: 2023-11-08T03:57:48.103924Z + published: 2020-09-14T18:44:01Z + aliases: + - CVE-2015-0254 + summary: XXE in Apache Standard Taglibs + details: Apache Standard Taglibs before 1.2.3 allows 
remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) or (2) JSTL XML tag. + affected: + - package: + ecosystem: Maven + name: org.apache.taglibs:taglibs-standard + purl: pkg:maven/org.apache.taglibs/taglibs-standard + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.2.3 + versions: + - 1.2.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-6x4w-8w53-xrvv/GHSA-6x4w-8w53-xrvv.json + - package: + ecosystem: Maven + name: org.apache.taglibs:taglibs-standard-impl + purl: pkg:maven/org.apache.taglibs/taglibs-standard-impl + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.2.3 + versions: + - 1.2.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-6x4w-8w53-xrvv/GHSA-6x4w-8w53-xrvv.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2015-0254 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2016:1376 + - type: WEB + url: https://lists.apache.org/thread.html/8a20e48acb2a40be5130df91cf9d39d8ad93181989413d4abcaa4914@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6c93d8ade3788dbc00f5a37238bc278e7d859f2446b885460783a16f@%3Cpluto-dev.portals.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc1686f6196bb9063bf26577a21b8033c19c1a30e5a9159869c8f3d38@%3Cpluto-dev.portals.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf1179e6971bc46f0f68879a9a10cc97ad4424451b0889aeef04c8077@%3Cpluto-scm.portals.apache.org%3E + - 
type: WEB + url: https://lists.apache.org/thread.html/rfc2bfd99c340dafd501676693cd889c1f9f838b97bdd0776a8f5557d@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: http://lists.opensuse.org/opensuse-updates/2015-10/msg00033.html + - type: WEB + url: http://mail-archives.apache.org/mod_mbox/tomcat-taglibs-user/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A%40apache.org%3E + - type: WEB + url: http://packetstormsecurity.com/files/130575/Apache-Standard-Taglibs-1.2.1-XXE-Remote-Command-Execution.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-1695.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2016-1838.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2016-1839.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2016-1840.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2016-1841.html + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html + - type: WEB + url: http://www.securityfocus.com/archive/1/534772/100/0/threaded + - type: WEB + url: http://www.securityfocus.com/bid/72809 + - type: WEB + url: http://www.securitytracker.com/id/1034934 + - type: WEB + url: http://www.ubuntu.com/usn/USN-2551-1 + database_specific: + cwe_ids: + - CWE-611 + github_reviewed: true + github_reviewed_at: "2020-09-14T18:42:48Z" + nvd_published_at: "2015-03-09T14:59:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-g2fg-mr77-6vrm + modified: 2024-03-15T05:31:48.921973Z + published: 2021-03-12T21:33:55Z + aliases: + - CVE-2020-13949 + summary: Uncontrolled Resource Consumption in Apache Thrift + details: In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.thrift:libthrift + purl: pkg:maven/org.apache.thrift/libthrift + ranges: + - type: ECOSYSTEM + events: + - introduced: 0.9.3 + - fixed: 0.14.0 + versions: + - 0.10.0 + - 0.11.0 + - 0.12.0 + - 0.13.0 + - 0.9.3 + - 0.9.3-1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-g2fg-mr77-6vrm/GHSA-g2fg-mr77-6vrm.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-13949 + - type: WEB + url: https://github.com/apache/hbase/pull/2958 + - type: WEB + url: https://lists.apache.org/thread.html/rb3574bc1036b577b265be510e6b208f0a5d5d84cd7198347dc8482df@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raea1bb8cf2eb39c5e10543f547bdbbdbb563c2ac6377652f161d4e37@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rae95c2234b6644bfd666b2671a1b42a09f38514d0f27cca3c7d5d55a@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rada9d2244a66ede0be29afc5d5f178a209f9988db56b9b845d955741@%3Ccommits.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rad635e16b300cf434280001ee6ecd2ed2c70987bf16eb862bfa86e02@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/race178e9500ab8a5a6112667d27c48559150cadb60f2814bc67c40af@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra9f7c755790313e1adb95d29794043fb102029e803daf4212ae18063@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra7371efd8363c1cd0f5331aafd359a808cf7277472b8616d7b392128@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra3f7f06a1759c8e2985ed24ae2f5483393c744c1956d661adc873f2c@%3Cissues.hbase.apache.org%3E 
+ - type: WEB + url: https://lists.apache.org/thread.html/r9ec75f690dd60fec8621ba992290962705d5b7f0d8fd0a42fab0ac9f@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9b51e7c253cb0989b4c03ed9f4e5f0478e427473357209ccc4d08ebf@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r995b945cc8f6ec976d8c52d42ba931a688b45fb32cbdde715b6a816a@%3Cuser.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r950ced188d62320fdb84d9e2c6ba896328194952eff7430c4f55e4b0@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r93f23f74315e009f4fb68ef7fc794dceee42cf87fe6613814dcd8c70@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r90b4473950e26607ed77f3d70f120166f6a36a3f80888e4eeabcaf91@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8dfbefcd606af6737b62461a45a9af9222040b62eab474ff2287cf75@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r89fdd39965efb7c6d22bc21c286d203252cea476e1782724aca0748e@%3Cuser.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r890b8ec5203d70a59a6b1289420d46938d9029ed706aa724978789be@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8897a41f50d4eb19b268bde99328e943ba586f77779efa6de720c39f@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r886b6d9a89b6fa0aafbf0a8f8f14351548d6c6f027886a3646dbd075@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r869331422580d35b4e65bd74cf3090298c4651bf4f31bfb19ae769da@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r850522c56c05aa06391546bdb530bb8fc3437f2b77d16e571ae73309@%3Cissues.hbase.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r812915ecfa541ad2ca65c68a97b2c014dc87141dfaefc4de85049681@%3Ccommits.camel.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7ae909438ff5a2ffed9211e6ab0bd926396fd0b1fc33f31a406ee704@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7597683cc8b87a31ec864835225a543dad112d7841bf1f17bf7eb8db@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r74eb88b422421c65514c23cb9c2b2216efb9254317ea1b6a264fe6dc@%3Ccommits.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r741364444c3b238ab4a161f67f0d3a8f68acc517a39e6a93aa85d753@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://security.gentoo.org/glsa/202107-32 + - type: WEB + url: https://lists.apache.org/thread.html/rfbb01bb85cdc2022f3b96bdc416dbfcb49a2855b3a340aa88b2e1de9@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf75979ae0ffd526f3afa935a8f0ee13c82808ea8b2bc0325eb9dcd90@%3Ccommits.camel.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf741d08c7e0ab1542c81ea718467422bd01159ed284796a36ad88311@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf65df763f630163a3f620887efec082080555cee1adb0b8eaf2c7ddb@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf603d25213cfff81d6727c259328846b366fd32a43107637527c9768@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf568168e7f83871969928c0379813da6d034485f8b20fa73884816d6@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdcf00186c34d69826d9c6b1f010136c98b00a586136de0061f7d267e@%3Cissues.hbase.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rdc8e0f92d06decaee5db58de4ded16d80016a7db2240a8db17225c49@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd78cdd87d84499a404202f015f55935db3658bd0983ecec81e6b18c6@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd49d53b146d94a7d3a135f6b505589655ffec24ea470e345d31351bb@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd370fdb419652c5219409b315a6349b07a7e479bd3f151e9a5671774@%3Ccommits.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd0734d91f16d5b050f0bcff78b4719300042a34fadf5e52d0edf898e@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcdf62ecd36e39e4ff9c61802eee4927ce9ecff1602eed1493977ef4c@%3Cuser.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcae4c66f67e701db44d742156dee1f3e5e4e07ad7ce10c740a76b669@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcace846f74ea9e2af2f7c30cef0796724aa74089f109c8029b850163@%3Cdev.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc896ce7761999b088f3adabcb99dde2102b6a66130b8eec6c8265eab@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc7a79b08822337c68705f16ee7ddcfd352313b836e78a4b86c7a7e3d@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc7a241e0af086b226ff9ccabc4a243d206f0f887037994bfd8fcaaeb@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc48ab5455bdece9a4afab53ca0f1e4f742d5baacb241323454a87b4e@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbfbb81e7fb5d5009caf25798f02f42a7bd064a316097303ba2f9ed76@%3Ccommits.druid.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rbc5cad06a46d23253a3c819229efedecfc05f89ef53f5fdde77a86d6@%3Cuser.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb91c32194eb5006f0b0c8bcdbd512c13495a1b277d4d51d45687f036@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb51977d392b01434b0b5df5c19b9ad5b6178cfea59e676c14f24c053@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb44ec04e5a9b1f87fef97bb5f054010cbfaa3b8586472a3a38a16fca@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r72c3d1582d50b2ca7dd1ee97e81c847a5cf3458be26d42653c39d7a6@%3Ccommits.camel.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r298a25228868ebc0943d56c8f3641212a0962d2dbcf1507d5860038e@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r286e9a13d3ab0550042997219101cb87871834b8d5ec293b0c60f009@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r27b7d3d95ffa8498899ef1c9de553d469f8fe857640a3f6e58dba640@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r278e96edc4bc13efb2cb1620a73e48f569162b833c6bda3e6ea18b80@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r20f6f8f8cf07986dc5304baed3bf4d8a1c4cf135ff6fe3640be4d7ec@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1fb2d26b81c64ce96c4fd42b9e6842ff315b02c36518213b6c057350@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1dea91f0562e0a960b45b1c5635b2a47b258b77171334276bcf260a7@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r196409cc4df929d540a2e66169104f2b3b258d8bd96b5f083c59ee51@%3Ccommits.camel.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r191a9279e2863b68e5496ee4ecd8be0d4fe43b324b934f0d1f106e1d@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r18732bb1343894143d68db58fe4c8f56d9cd221b37f1378ed7373372@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r17cca685ad53bc8300ee7fcfe874cb784a222343f217dd076e7dc1b6@%3Ccommits.camel.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r179119bbfb5610499286a84c316f6789c5afbfa5340edec6eb28d027@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r15eed5d21e16a5cce810c1e096ffcffc36cd08c2f78ce2f9b24b4a6a@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1504886a550426d3c05772c47b1a6350c3235e51fd1fdffbec43e974@%3Cuser.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1456eab5f3768be69436d5b0a68b483eb316eb85eb3ef6eba156a302@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r143ca388b0c83fe659db14be76889d50b453b0ee06f423181f736933@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r13f40151513ff095a44a86556c65597a7e55c00f5e19764a05530266@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r12090c81b67d21a814de6cf54428934a5e5613fde222759bbb05e99b@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r117d5d2b08d505b69558a2a31b0a1cf8990cd0385060b147e70e76a9@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1084a911dff90b2733b442ee0f5929d19b168035d447f2d25f534fe4@%3Cissues.solr.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r08a7bd19470ef8950d58cc9d9e7b02bc69c43f56c601989a7729cce5@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0372f0af2dad0b76fbd7a6cfdaad29d50384ad48dda475a5026ff9a3@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r02f7771863383ae993eb83cdfb70c3cb65a355c913242c850f61f1b8@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r02ba8db500d15a5949e9a7742815438002ba1cf1b361bdda52ed40ca@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r01b34416677f1ba869525e1b891ac66fa6f88c024ee4d7cdea6b456b@%3Cissues.hbase.apache.org%3E + - type: PACKAGE + url: https://github.com/apache/hbase + - type: WEB + url: https://lists.apache.org/thread.html/r6c5b7324274fd361b038c5cc316e99344b7ae20beae7163214fac14d@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ba4f0817f98bf7c1cb314301cb7a24ba11a0b3e7a5be8b0ae3190b0@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ae3c68b0bfe430fb32f24236475276b6302bed625b23f53b68748b5@%3Cuser.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r699c031e6921b0ad0f943848e7ba1d0e88c953619d47908618998f76@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6990c849aeafe65366794bfd002febd47b7ffa8cf3c059b400bbb11d@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r668aed02e287c93403e0b8df16089011ee4a96afc8f479809f1fc07f@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r635133a74fa07ef3331cae49a9a088365922266edd58099a6162a5d3@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r62aa6d07b23095d980f348d330ed766560f9a9e940fec051f534ce37@%3Cissues.hive.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r587b4a5bcbc290269df0906bafba074f3fe4e50d4e959212f56fa7ea@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r533a172534ae67f6f17c4d33a1b814d3d5ada9ccd4eb442249f33fa2@%3Ccommits.camel.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r515e01a30443cfa2dbb355c44c63149869afd684fb7b0344c58fa67b@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4fa53eacca2ac38904f38dc226caebb3f2f668b2da887f2fd416f4a7@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4d90b6d8de9697beb38814596d3a0d4994fa9aba1f6731a2c648d3ae@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r449288f6a941a2585262e0f4454fdefe169d5faee33314f6f89fab30@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r43dc2b2e928e9d845b07ac075634cb759d91bb852421dc282f87a74a%40%3Cdev.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r421a9a76811c1aed7637b5fe5376ab14c09ccdd7b70d5211d6e76d1e@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r409e296c890753296c544a74d4de0d4a3ce719207a5878262fa2bd71@%3Ccommits.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3f97dbbbb1b2a7324521208bb595392853714e141a37b8f68d395835@%3Cnotifications.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3f3e1d562c528b4bafef2dde51f79dd444a4b68ef24920d68068b6f9@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3e31ec7e8c39db7553be4f4fd4d27cf27c41f1ba9c985995c4ea9c5a@%3Cnotifications.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3de0e0c26d4bd00dd28cab27fb44fba11d1c1d20275f7cce71393dd1@%3Cissues.hbase.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r3a1291a7ab8ee43db87cb0253371489810877028fc6e7c68dc640926@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r36581cc7047f007dd6aadbdd34e18545ec2c1eb7ccdae6dd47a877a9@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3550b61639688e0efbc253c6c3e6358851c1f053109f1c149330b535@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2f6a547f226579f542eb08793631d1f2d47d7aed7e2f9d11a4e6af9f@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2ed66a3823990306b742b281af1834b9bc85f98259c870b8ffb13d93@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2d180180f37c2ab5cebd711d080d01d8452efa8ad43c5d9cd7064621@%3Cissues.hbase.apache.org%3E + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + github_reviewed_at: "2021-03-12T19:44:27Z" + nvd_published_at: "2021-02-12T20:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-rj7p-rfgp-852x + modified: 2024-03-10T05:16:21.459619Z + published: 2022-05-24T17:00:01Z + aliases: + - CVE-2019-0205 + summary: Loop with Unreachable Exit Condition in Apache Thrift + details: In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.thrift:libthrift + purl: pkg:maven/org.apache.thrift/libthrift + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 0.13.0 + versions: + - 0.10.0 + - 0.11.0 + - 0.12.0 + - 0.6.1 + - 0.7.0 + - 0.8.0 + - 0.9.0 + - 0.9.1 + - 0.9.2 + - 0.9.3 + - 0.9.3-1 + database_specific: + last_known_affected_version_range: <= 0.12.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rj7p-rfgp-852x/GHSA-rj7p-rfgp-852x.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-0205 + - type: WEB + url: https://lists.apache.org/thread.html/r4633082b834eebccd0d322697651d931ab10ca9c51ee7ef18e1f60f4@%3Cdev.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r50bf84c60867574238d18cdad5da9f303b618114c35566a3a001ae08@%3Cdev.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r53c03e1c979b9c628d0d65e0f49dd9a9f9d7572838727ad11b750575@%3Cuser.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r55609613abab203a1f2c1f3de050b63ae8f5c4a024df0d848d6915ff@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r569b2b3da41ff45bfacfca6787a4a8728edd556e185b69b140181d9d@%3Cdev.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r573029c2f8632e3174b9eea7cd57f9c9df33f2f706450e23fc57750a@%3Ccommits.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r67a704213d13326771f46c84bbd84c8281bb93946e155e0e40abcb4c@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r73a3c8b80765e3d2430ff51f22b778d0c917919f01815b69ed16cf9d@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7859e767c90c8f4971dec50f801372aa64e88f143c3e8a265a36f9b4@%3Cuser.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r92b7771afee2625209c36727fefdc77033964e9a1daa81ec3327e625@%3Cuser.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r934f312dd5add7276ac2de684d8b237554ff9f34479a812df5fd6aee@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rab740e5c70424ef79fd095a4b076e752109aeee41c4256c2e5e5e142@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb139fa1d2714822d8c6e6f3bd6f5d5c91844d313201185c409288fd9@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rba61c1f3a3b1960a6a694775b1a437751eba0825f30188f69387fe90@%3Cdev.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rce0d368a78b42c545f26c2e6e91e2b8a91b27b60d0cb45fe1911d337@%3Cnotifications.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re387dc6ca11cb0b0ce4de8e800bb91ca50fee054b80105f5cd34adcb@%3Cdev.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf359e5cc6a185494fc0cfe837fe82f7db2ef49242d35cbf3895aebce@%3Cdev.thrift.apache.org%3E + - type: WEB + url: https://security.gentoo.org/glsa/202107-32 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0804 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0805 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0806 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2020:0811 + - type: WEB + url: 
https://lists.apache.org/thread.html/003ac686189e6ce7b99267784d04bf60059a8c323eeda5a79a0309b8@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/07bd68ad237a5d513751d6d2731a8828f902c738ea57d85c1a72bad3@%3Cdev.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/0d058e1bfd11727c4f2e2adf4b6e403a47c38e22431ab20066a1ac79@%3Cdev.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/1193444c17f499f92cd198d464a2c1ffc92182c83487345a854914b3@%3Cuser.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/1c18ec6ebfea0a9211992be952e8b33d0fda202c077979b84a5e09a8@%3Cuser.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3dfa054b89274c9109c26ed1843ca15a14c03786f4016d26773878ae@%3Cdev.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/928cae83d20d8d8196c26118f7084aa37573e1d31162381fb9454fb5@%3Cdev.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/9f7150d0b02e72d1154721a412e80cf797f1b7cfa295fcefc67b1381@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/a9669756befaeb0f8e08766d3f4d410a0fce85da3a570506f71f0b67@%3Cdev.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0c606d4be9aa163d132edf8edd8eb55e7b9464063b99acbbf6e9e287@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0d08f5576286f4a042aabde13ecf58979644f6dc210f25aa9a4d469b@%3Cdev.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r137753c9df8dd9065bea27a26af49aadc406b5a57fc584fefa008afd@%3Cdev.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b1a92c229ead94d53b3bcde9e624d002b54f1c6fdb830b9f4da20e1@%3Cdev.thrift.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r228ac842260c2c516af7b09f3cf4cf76e5b9c002e359954a203ab5a5@%3Cdev.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2832722c31d78bef7526e2c701ba4b046736e4c851473194a247392f@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r36581cc7047f007dd6aadbdd34e18545ec2c1eb7ccdae6dd47a877a9@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3887b48b183b6fa43e59398bd170a99239c0a16264cb5175b5b689d0@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.mbox/%3CVI1PR0101MB2142E0EA19F582429C3AEBCBB1920%40VI1PR0101MB2142.eurprd01.prod.exchangelabs.com%3E + database_specific: + cwe_ids: + - CWE-835 + github_reviewed: true + github_reviewed_at: "2022-06-27T16:12:09Z" + nvd_published_at: "2019-10-29T19:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-vx85-mj8c-4qm6 + modified: 2024-02-16T08:22:18.795904Z + published: 2019-01-17T13:56:33Z + aliases: + - CVE-2018-11798 + summary: Apache Thrift Node.js static web server sandbox escape + details: The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webservers docroot path. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.thrift:libthrift + purl: pkg:maven/org.apache.thrift/libthrift + ranges: + - type: ECOSYSTEM + events: + - introduced: 0.9.2 + - fixed: 0.12.0 + versions: + - 0.10.0 + - 0.11.0 + - 0.9.2 + - 0.9.3 + - 0.9.3-1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-vx85-mj8c-4qm6/GHSA-vx85-mj8c-4qm6.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-11798 + - type: WEB + url: https://github.com/apache/thrift/pull/1606 + - type: WEB + url: https://github.com/apache/thrift/commit/2a2b72f6c8aef200ecee4984f011e06052288ff2 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1545 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3140 + - type: ADVISORY + url: https://github.com/advisories/GHSA-vx85-mj8c-4qm6 + - type: WEB + url: https://issues.apache.org/jira/browse/THRIFT-4647 + - type: WEB + url: https://lists.apache.org/thread.html/6e9edd282684896cedf615fb67a02bebfe6007f2d5baf03ba52e34fd@%3Cuser.thrift.apache.org%3E + - type: WEB + url: https://web.archive.org/web/20200227094236/http://www.securityfocus.com/bid/106501 + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + database_specific: + cwe_ids: + - CWE-538 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:58:46Z" + nvd_published_at: null + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-wjxj-f8rg-99wx + modified: 2024-03-14T05:20:15.449375Z + published: 2019-01-17T13:56:40Z + aliases: + - CVE-2018-1320 + summary: Improper Input Validation in Apache Thrift + details: Apache Thrift Java client library versions 0.5.0 prior to 0.9.3-1 and 0.10.0 prior to 0.12.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. 
An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete. + affected: + - package: + ecosystem: Maven + name: org.apache.thrift:libthrift + purl: pkg:maven/org.apache.thrift/libthrift + ranges: + - type: ECOSYSTEM + events: + - introduced: 0.5.0 + - fixed: 0.9.3-1 + versions: + - 0.6.1 + - 0.7.0 + - 0.8.0 + - 0.9.0 + - 0.9.1 + - 0.9.2 + - 0.9.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-wjxj-f8rg-99wx/GHSA-wjxj-f8rg-99wx.json + - package: + ecosystem: Maven + name: org.apache.thrift:libthrift + purl: pkg:maven/org.apache.thrift/libthrift + ranges: + - type: ECOSYSTEM + events: + - introduced: 0.10.0 + - fixed: 0.12.0 + versions: + - 0.10.0 + - 0.11.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-wjxj-f8rg-99wx/GHSA-wjxj-f8rg-99wx.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-1320 + - type: WEB + url: https://github.com/apache/thrift/commit/7489ed6ac8bad64e72fa83ec9d53e1eeddca6c23 + - type: WEB + url: https://github.com/apache/thrift/commit/d973409661f820d80d72c0034d06a12348c8705e + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://web.archive.org/web/20200227094237/http://www.securityfocus.com/bid/106551 + - type: WEB + url: https://support.f5.com/csp/article/K36361684 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/02/msg00008.html + - type: WEB + url: https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r3d71a6dbb063aa61ba81278fe622b20bfe7501bb3821c27695641ac3@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r261972a3b14cf6f1dcd94b1b265e9ef644a38ccdf0d0238fa0c4d459@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2278846f7ab06ec07a0aa31457235e0ded9191b216cba55f3f315f16@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1015eaadef8314daa9348aa423086a732cfeb998ceb5d42605c9b0b5@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r09c3dcdccf4b74ad13bda79b354e6b793255ccfe245cca1b8cee23f5@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e825ff2f4e129c0ecdb6a19030b53c1ccdf810a8980667628d0c6a80@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/dfee89880c84874058c6a584d8128468f8d3c2ac25068ded91073adc@%3Cuser.storm.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/dbe3a39b48900318ad44494e8721f786901ba4520cd412c7698f534f@%3Cdev.storm.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/da5234b5e78f1c99190407f791dfe1bf6c58de8d30d15974a9669be3@%3Cuser.thrift.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/8be5b16c02567fff61b1284e5df433a4e38617bc7de4804402bf62be@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6b07f6f618155c777191b4fad8ade0f0cf4ed4c12a1a746ce903d816@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3d3b6849fcf4cd1e87703b3dde0d57aabeb9ba0193dc0cf3c97f545d@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/187684ac8b94d55256253f5220cb55e8bd568afdf9a8a86e9bbb66c9@%3Cdevnull.infra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/07c3cd5a2953a4b253eee4437b1397b1603d0f886437e19b657d2c54@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://issues.apache.org/jira/browse/THRIFT-4506 + - type: WEB + url: https://github.com/apache/thrift/releases/tag/0.9.3.1 + - type: PACKAGE + url: https://github.com/apache/thrift + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2413 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2019/07/24/3 + - type: WEB + url: http://www.securityfocus.com/bid/106551 + database_specific: + cwe_ids: + - CWE-20 + - CWE-295 + github_reviewed: true + github_reviewed_at: "2020-06-16T22:00:45Z" + nvd_published_at: "2019-01-07T17:29:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-2rvv-w9r2-rg7m + modified: 2024-03-11T16:46:40.808422Z + published: 2021-05-13T22:30:02Z + aliases: + - BIT-tomcat-2021-24122 + - CVE-2021-24122 + summary: Information Disclosure in Apache Tomcat + details: When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.0.0-M1 + - fixed: 10.0.0-M10 + versions: + - 10.0.0-M1 + - 10.0.0-M3 + - 10.0.0-M4 + - 10.0.0-M5 + - 10.0.0-M6 + - 10.0.0-M7 + - 10.0.0-M8 + - 10.0.0-M9 + database_specific: + last_known_affected_version_range: <= 10.0.0-M9 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2rvv-w9r2-rg7m/GHSA-2rvv-w9r2-rg7m.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0 + - fixed: 9.0.40 + versions: + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 + - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 + - 9.0.5 + - 9.0.6 + - 9.0.7 + - 9.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2rvv-w9r2-rg7m/GHSA-2rvv-w9r2-rg7m.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.60 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.49 + - 8.5.5 + - 8.5.50 + - 8.5.51 + - 8.5.53 + - 8.5.54 + - 8.5.55 + - 
8.5.56 + - 8.5.57 + - 8.5.58 + - 8.5.59 + - 8.5.6 + - 8.5.8 + - 8.5.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2rvv-w9r2-rg7m/GHSA-2rvv-w9r2-rg7m.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 7.0.0 + - fixed: 7.0.107 + versions: + - 7.0.0 + - 7.0.100 + - 7.0.103 + - 7.0.104 + - 7.0.105 + - 7.0.106 + - 7.0.11 + - 7.0.12 + - 7.0.14 + - 7.0.16 + - 7.0.19 + - 7.0.2 + - 7.0.20 + - 7.0.21 + - 7.0.22 + - 7.0.23 + - 7.0.25 + - 7.0.26 + - 7.0.27 + - 7.0.28 + - 7.0.29 + - 7.0.30 + - 7.0.32 + - 7.0.33 + - 7.0.34 + - 7.0.35 + - 7.0.37 + - 7.0.39 + - 7.0.4 + - 7.0.40 + - 7.0.41 + - 7.0.42 + - 7.0.47 + - 7.0.5 + - 7.0.50 + - 7.0.52 + - 7.0.53 + - 7.0.54 + - 7.0.55 + - 7.0.56 + - 7.0.57 + - 7.0.59 + - 7.0.6 + - 7.0.61 + - 7.0.62 + - 7.0.63 + - 7.0.64 + - 7.0.65 + - 7.0.67 + - 7.0.68 + - 7.0.69 + - 7.0.70 + - 7.0.72 + - 7.0.73 + - 7.0.75 + - 7.0.76 + - 7.0.77 + - 7.0.78 + - 7.0.79 + - 7.0.8 + - 7.0.81 + - 7.0.82 + - 7.0.84 + - 7.0.85 + - 7.0.86 + - 7.0.88 + - 7.0.90 + - 7.0.91 + - 7.0.92 + - 7.0.93 + - 7.0.94 + - 7.0.96 + - 7.0.99 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2rvv-w9r2-rg7m/GHSA-2rvv-w9r2-rg7m.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-24122 + - type: WEB + url: https://github.com/apache/tomcat/commit/7f004ac4531c45f9a2a2d1470561fe135cf27bc2 + - type: WEB + url: https://github.com/apache/tomcat/commit/800b03140e640f8892f27021e681645e8e320177 + - type: WEB + url: https://github.com/apache/tomcat/commit/920dddbdb981f92e8d5872a4bb126a10af5ca8a9 + - type: WEB + url: 
https://github.com/apache/tomcat/commit/935fc5582dc25ae10bab6f9d5629ff8d996cb533 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://tomcat.apache.org/security-9.html + - type: WEB + url: https://tomcat.apache.org/security-8.html + - type: WEB + url: https://tomcat.apache.org/security-7.html + - type: WEB + url: https://tomcat.apache.org/security-10.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210212-0008 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html + - type: WEB + url: https://lists.apache.org/thread.html/rca833c6d42b7b9ce1563488c0929f29fcc95947d86e5e740258c8937@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb32a73b7cb919d4f44a2596b6b951274c0004fc8b0e393d6829a45f9@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7e0bb9ea415724550e2b325e143b23e269579e54d66fcd7754bd0c20@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r776c64337495bf28b7d5597268114a888e3fad6045c40a0da0c66d4d@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7382e1e35b9bc7c8f320b90ad77e74c13172d08034e20c18000fe710@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.tomcat.apache.org%3E + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/01/14/1 + database_specific: + cwe_ids: + - CWE-200 + - CWE-706 + github_reviewed: true + github_reviewed_at: "2021-04-06T21:27:31Z" + 
nvd_published_at: "2021-01-14T15:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-3vx3-xf6q-r5xp + modified: 2024-04-18T17:16:06.618052Z + published: 2022-05-13T01:25:13Z + aliases: + - CVE-2017-5648 + summary: Exposure of Resource to Wrong Sphere in Apache Tomcat + details: While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application. + affected: + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-catalina + purl: pkg:maven/org.apache.tomcat/tomcat-catalina + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0.M1 + - fixed: 9.0.0.M18 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + database_specific: + last_known_affected_version_range: <= 9.0.0.M17 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-catalina + purl: pkg:maven/org.apache.tomcat/tomcat-catalina + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.13 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.2 + - 8.5.3 + - 8.5.4 + - 8.5.5 + - 8.5.6 + - 8.5.8 + - 8.5.9 + database_specific: + last_known_affected_version_range: <= 8.5.12 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-catalina + purl: 
pkg:maven/org.apache.tomcat/tomcat-catalina + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.0.0 + - fixed: 8.0.42 + versions: + - 8.0.1 + - 8.0.11 + - 8.0.12 + - 8.0.14 + - 8.0.15 + - 8.0.17 + - 8.0.18 + - 8.0.20 + - 8.0.21 + - 8.0.22 + - 8.0.23 + - 8.0.24 + - 8.0.26 + - 8.0.27 + - 8.0.28 + - 8.0.29 + - 8.0.3 + - 8.0.30 + - 8.0.32 + - 8.0.33 + - 8.0.35 + - 8.0.36 + - 8.0.37 + - 8.0.38 + - 8.0.39 + - 8.0.41 + - 8.0.5 + - 8.0.8 + - 8.0.9 + database_specific: + last_known_affected_version_range: <= 8.0.41 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-catalina + purl: pkg:maven/org.apache.tomcat/tomcat-catalina + ranges: + - type: ECOSYSTEM + events: + - introduced: 7.0.0 + - fixed: 7.0.76 + versions: + - 7.0.0 + - 7.0.11 + - 7.0.12 + - 7.0.14 + - 7.0.16 + - 7.0.19 + - 7.0.2 + - 7.0.20 + - 7.0.21 + - 7.0.22 + - 7.0.23 + - 7.0.25 + - 7.0.26 + - 7.0.27 + - 7.0.28 + - 7.0.29 + - 7.0.30 + - 7.0.32 + - 7.0.33 + - 7.0.34 + - 7.0.35 + - 7.0.37 + - 7.0.39 + - 7.0.4 + - 7.0.40 + - 7.0.41 + - 7.0.42 + - 7.0.47 + - 7.0.5 + - 7.0.50 + - 7.0.52 + - 7.0.53 + - 7.0.54 + - 7.0.55 + - 7.0.56 + - 7.0.57 + - 7.0.59 + - 7.0.6 + - 7.0.61 + - 7.0.62 + - 7.0.63 + - 7.0.64 + - 7.0.65 + - 7.0.67 + - 7.0.68 + - 7.0.69 + - 7.0.70 + - 7.0.72 + - 7.0.73 + - 7.0.75 + - 7.0.8 + database_specific: + last_known_affected_version_range: <= 7.0.75 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0.M1 + - fixed: 9.0.0.M18 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M3 + - 9.0.0.M4 + - 
9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + database_specific: + last_known_affected_version_range: <= 9.0.0.M17 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.13 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.2 + - 8.5.3 + - 8.5.4 + - 8.5.5 + - 8.5.6 + - 8.5.8 + - 8.5.9 + database_specific: + last_known_affected_version_range: <= 8.5.12 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.0.0 + - fixed: 8.0.42 + versions: + - 8.0.1 + - 8.0.11 + - 8.0.12 + - 8.0.14 + - 8.0.15 + - 8.0.17 + - 8.0.18 + - 8.0.20 + - 8.0.21 + - 8.0.22 + - 8.0.23 + - 8.0.24 + - 8.0.26 + - 8.0.27 + - 8.0.28 + - 8.0.29 + - 8.0.3 + - 8.0.30 + - 8.0.32 + - 8.0.33 + - 8.0.35 + - 8.0.36 + - 8.0.37 + - 8.0.38 + - 8.0.39 + - 8.0.41 + - 8.0.5 + - 8.0.8 + - 8.0.9 + database_specific: + last_known_affected_version_range: <= 8.0.41 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 7.0.0 + - fixed: 7.0.76 + versions: + - 7.0.0 + - 7.0.11 + - 7.0.12 + - 7.0.14 + - 7.0.16 + - 7.0.19 + - 7.0.2 + - 7.0.20 + - 7.0.21 + - 7.0.22 + - 7.0.23 + - 7.0.25 + - 7.0.26 + - 7.0.27 + - 7.0.28 + - 7.0.29 + - 7.0.30 + - 7.0.32 + - 7.0.33 
+ - 7.0.34 + - 7.0.35 + - 7.0.37 + - 7.0.39 + - 7.0.4 + - 7.0.40 + - 7.0.41 + - 7.0.42 + - 7.0.47 + - 7.0.5 + - 7.0.50 + - 7.0.52 + - 7.0.53 + - 7.0.54 + - 7.0.55 + - 7.0.56 + - 7.0.57 + - 7.0.59 + - 7.0.6 + - 7.0.61 + - 7.0.62 + - 7.0.63 + - 7.0.64 + - 7.0.65 + - 7.0.67 + - 7.0.68 + - 7.0.69 + - 7.0.70 + - 7.0.72 + - 7.0.73 + - 7.0.75 + - 7.0.8 + database_specific: + last_known_affected_version_range: <= 7.0.75 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-5648 + - type: WEB + url: https://github.com/apache/tomcat/commit/0f7b9465d594b9814e1853d1e3a6e3aa51a21610 + - type: WEB + url: https://github.com/apache/tomcat/commit/6bb36dfdf6444efda074893dff493b9eb3648808 + - type: WEB + url: https://github.com/apache/tomcat/commit/dfa40863421d7681fed893b4256666491887e38c + - type: WEB + url: https://github.com/apache/tomcat80/commit/6d73b079c55ee25dea1bbd0556bb568a4247dacd + - type: WEB + url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600%40%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600@%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://security.gentoo.org/glsa/201705-09 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20180614-0001 + - type: WEB + url: https://web.archive.org/web/20170417124117/http://www.securityfocus.com/bid/97530 + - type: WEB + url: https://web.archive.org/web/20170420115120/http://www.securitytracker.com/id/1038220 + - type: WEB + url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:1809 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:1802 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:1801 + - type: WEB + url: http://www.debian.org/security/2017/dsa-3842 + - type: WEB + url: http://www.debian.org/security/2017/dsa-3843 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2020/07/20/8 + database_specific: + cwe_ids: + - CWE-668 + github_reviewed: true + github_reviewed_at: "2022-07-01T13:57:54Z" + nvd_published_at: "2017-04-17T16:59:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-46j3-r4pj-4835 + modified: 2024-03-11T05:31:02.653591Z + published: 2018-10-17T16:32:43Z + aliases: + - CVE-2018-8034 + summary: The host name verification missing in Apache Tomcat + details: 'The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.' 
+ affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0 + - fixed: 9.0.10 + versions: + - 9.0.1 + - 9.0.2 + - 9.0.4 + - 9.0.5 + - 9.0.6 + - 9.0.7 + - 9.0.8 + database_specific: + last_known_affected_version_range: <= 9.0.9 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-46j3-r4pj-4835/GHSA-46j3-r4pj-4835.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.32 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.4 + - 8.5.5 + - 8.5.6 + - 8.5.8 + - 8.5.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-46j3-r4pj-4835/GHSA-46j3-r4pj-4835.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.0.0 + - fixed: 8.0.53 + versions: + - 8.0.1 + - 8.0.11 + - 8.0.12 + - 8.0.14 + - 8.0.15 + - 8.0.17 + - 8.0.18 + - 8.0.20 + - 8.0.21 + - 8.0.22 + - 8.0.23 + - 8.0.24 + - 8.0.26 + - 8.0.27 + - 8.0.28 + - 8.0.29 + - 8.0.3 + - 8.0.30 + - 8.0.32 + - 8.0.33 + - 8.0.35 + - 8.0.36 + - 8.0.37 + - 8.0.38 + - 8.0.39 + - 8.0.41 + - 8.0.42 + - 8.0.43 + - 8.0.44 + - 8.0.45 + - 8.0.46 + - 8.0.47 + - 8.0.48 + - 8.0.49 + - 8.0.5 + - 8.0.50 + - 8.0.51 + - 8.0.52 + - 8.0.8 + - 8.0.9 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-46j3-r4pj-4835/GHSA-46j3-r4pj-4835.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 7.0.35 + - fixed: 7.0.90 + versions: + - 7.0.35 + - 7.0.37 + - 7.0.39 + - 7.0.40 + - 7.0.41 + - 7.0.42 + - 7.0.47 + - 7.0.50 + - 7.0.52 + - 7.0.53 + - 7.0.54 + - 7.0.55 + - 7.0.56 + - 7.0.57 + - 7.0.59 + - 7.0.61 + - 7.0.62 + - 7.0.63 + - 7.0.64 + - 7.0.65 + - 7.0.67 + - 7.0.68 + - 7.0.69 + - 7.0.70 + - 7.0.72 + - 7.0.73 + - 7.0.75 + - 7.0.76 + - 7.0.77 + - 7.0.78 + - 7.0.79 + - 7.0.81 + - 7.0.82 + - 7.0.84 + - 7.0.85 + - 7.0.86 + - 7.0.88 + database_specific: + last_known_affected_version_range: <= 7.0.88 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-46j3-r4pj-4835/GHSA-46j3-r4pj-4835.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-8034 + - type: WEB + url: https://github.com/apache/tomcat/commit/2c522795166c930741a9cecca76797bf48cb1634 + - type: WEB + url: https://github.com/apache/tomcat/commit/2835bb4e030c1c741ed0847bb3b9c3822e4fbc8a + - type: WEB + url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2018/07/msg00047.html + - type: WEB + url: 
https://lists.debian.org/debian-lts-announce/2018/09/msg00001.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20180817-0001 + - type: WEB + url: https://usn.ubuntu.com/3723-1 + - type: WEB + url: https://web.archive.org/web/20200227102810/http://www.securityfocus.com/bid/104895 + - type: WEB + url: https://web.archive.org/web/20200517032514/http://www.securitytracker.com/id/1041374 + - type: WEB + url: https://www.debian.org/security/2018/dsa-4281 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0130 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0131 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0450 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0451 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1159 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1160 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1161 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1162 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1529 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2205 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3892 + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E + - 
type: WEB + url: https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E + - type: WEB + url: http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722091057.GA70283%40minotaur.apache.org%3E + - type: WEB + url: http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722091057.GA70283@minotaur.apache.org%3E + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html + database_specific: + cwe_ids: + - CWE-295 + github_reviewed: true + github_reviewed_at: "2020-06-16T20:57:40Z" + nvd_published_at: "2018-08-01T18:29:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-5q99-f34m-67gc + modified: 2024-03-11T05:31:33.810503Z + published: 2018-10-17T16:31:02Z + aliases: + - CVE-2018-11784 + summary: Apache Tomcat Open Redirect vulnerability + details: When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.34 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.4 + - 8.5.5 + - 8.5.6 + - 8.5.8 + - 8.5.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-5q99-f34m-67gc/GHSA-5q99-f34m-67gc.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 7.0.23 + - fixed: 7.0.91 + versions: + - 7.0.23 + - 7.0.25 + - 7.0.26 + - 7.0.27 + - 7.0.28 + - 7.0.29 + - 7.0.30 + - 7.0.32 + - 7.0.33 + - 7.0.34 + - 7.0.35 + - 7.0.37 + - 7.0.39 + - 7.0.40 + - 7.0.41 + - 7.0.42 + - 7.0.47 + - 7.0.50 + - 7.0.52 + - 7.0.53 + - 7.0.54 + - 7.0.55 + - 7.0.56 + - 7.0.57 + - 7.0.59 + - 7.0.61 + - 7.0.62 + - 7.0.63 + - 7.0.64 + - 7.0.65 + - 7.0.67 + - 7.0.68 + - 7.0.69 + - 7.0.70 + - 7.0.72 + - 7.0.73 + - 7.0.75 + - 7.0.76 + - 7.0.77 + - 7.0.78 + - 7.0.79 + - 7.0.81 + - 7.0.82 + - 7.0.84 + - 7.0.85 + - 7.0.86 + - 7.0.88 + - 7.0.90 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-5q99-f34m-67gc/GHSA-5q99-f34m-67gc.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0 + - fixed: 9.0.12 + versions: + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.2 + - 9.0.4 + - 9.0.5 + - 9.0.6 + - 9.0.7 + - 9.0.8 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-5q99-f34m-67gc/GHSA-5q99-f34m-67gc.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-11784 + - type: WEB + url: https://github.com/apache/tomcat/commit/b76e1dfb3dec3789cc700f8d022c872eb947a221 + - type: WEB + url: https://github.com/apache/tomcat/commit/efb860b3ff8ebcf606199b8d0d432f76898040da + - type: WEB + url: https://github.com/apache/tomcat/commit/f9f147359b7c95511b64cd99bbc47917c01b3879 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2018/10/msg00005.html + - type: WEB + url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0130 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2018/10/msg00006.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZ4PX4B3QTKRM35VJAVIEOPZAF76RPBP + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZ4PX4B3QTKRM35VJAVIEOPZAF76RPBP + - type: WEB + url: https://seclists.org/bugtraq/2019/Dec/43 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20181014-0002 + - type: WEB + url: https://usn.ubuntu.com/3787-1 + - type: WEB + url: https://web.archive.org/web/20200227030058/http://www.securityfocus.com/bid/105524 + - type: WEB + url: https://www.debian.org/security/2019/dsa-4596 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0131 + - type: 
WEB + url: https://access.redhat.com/errata/RHSA-2019:0485 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1529 + - type: ADVISORY + url: https://github.com/advisories/GHSA-5q99-f34m-67gc + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://kc.mcafee.com/corporate/index?page=content&id=SB10284 + - type: WEB + url: https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75%40%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75@%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html + - type: WEB + url: http://packetstormsecurity.com/files/163456/Apache-Tomcat-9.0.0M1-Open-Redirect.html + database_specific: + cwe_ids: + - CWE-601 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:17:07Z" + nvd_published_at: 
"2018-10-04T13:29:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-6rxj-58jh-436r + modified: 2024-03-12T05:33:06.196997Z + published: 2018-10-17T16:31:17Z + aliases: + - CVE-2018-1304 + summary: Apache Tomcat unauthorized access vulnerability + details: The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected. + affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0 + - fixed: 9.0.5 + versions: + - 9.0.1 + - 9.0.2 + - 9.0.4 + database_specific: + last_known_affected_version_range: <= 9.0.4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6rxj-58jh-436r/GHSA-6rxj-58jh-436r.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.28 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.3 + - 8.5.4 + - 8.5.5 + - 8.5.6 + - 8.5.8 + - 8.5.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6rxj-58jh-436r/GHSA-6rxj-58jh-436r.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: 
pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.0.0 + - fixed: 8.0.51 + versions: + - 8.0.1 + - 8.0.11 + - 8.0.12 + - 8.0.14 + - 8.0.15 + - 8.0.17 + - 8.0.18 + - 8.0.20 + - 8.0.21 + - 8.0.22 + - 8.0.23 + - 8.0.24 + - 8.0.26 + - 8.0.27 + - 8.0.28 + - 8.0.29 + - 8.0.3 + - 8.0.30 + - 8.0.32 + - 8.0.33 + - 8.0.35 + - 8.0.36 + - 8.0.37 + - 8.0.38 + - 8.0.39 + - 8.0.41 + - 8.0.42 + - 8.0.43 + - 8.0.44 + - 8.0.45 + - 8.0.46 + - 8.0.47 + - 8.0.48 + - 8.0.49 + - 8.0.5 + - 8.0.50 + - 8.0.8 + - 8.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6rxj-58jh-436r/GHSA-6rxj-58jh-436r.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 7.0.0 + - fixed: 7.0.86 + versions: + - 7.0.0 + - 7.0.11 + - 7.0.12 + - 7.0.14 + - 7.0.16 + - 7.0.19 + - 7.0.2 + - 7.0.20 + - 7.0.21 + - 7.0.22 + - 7.0.23 + - 7.0.25 + - 7.0.26 + - 7.0.27 + - 7.0.28 + - 7.0.29 + - 7.0.30 + - 7.0.32 + - 7.0.33 + - 7.0.34 + - 7.0.35 + - 7.0.37 + - 7.0.39 + - 7.0.4 + - 7.0.40 + - 7.0.41 + - 7.0.42 + - 7.0.47 + - 7.0.5 + - 7.0.50 + - 7.0.52 + - 7.0.53 + - 7.0.54 + - 7.0.55 + - 7.0.56 + - 7.0.57 + - 7.0.59 + - 7.0.6 + - 7.0.61 + - 7.0.62 + - 7.0.63 + - 7.0.64 + - 7.0.65 + - 7.0.67 + - 7.0.68 + - 7.0.69 + - 7.0.70 + - 7.0.72 + - 7.0.73 + - 7.0.75 + - 7.0.76 + - 7.0.77 + - 7.0.78 + - 7.0.79 + - 7.0.8 + - 7.0.81 + - 7.0.82 + - 7.0.84 + - 7.0.85 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6rxj-58jh-436r/GHSA-6rxj-58jh-436r.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-1304 + - type: WEB + url: 
https://github.com/apache/tomcat80/commit/9e700b93e3bf5c605267d20568a964169f9e0b79 + - type: WEB + url: https://github.com/apache/tomcat/commit/723ea6a5bc5e7bc49e5ef84273c3b3c164a6a4fd + - type: WEB + url: https://github.com/apache/tomcat/commit/5af7c13cff7cc8366c5997418e820989fabb8f48 + - type: WEB + url: https://github.com/apache/tomcat/commit/2d69fde135302e8cff984bb2131ec69f2e396964 + - type: WEB + url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E + - type: WEB + 
url: https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb@%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20180706-0001 + - type: WEB + url: https://usn.ubuntu.com/3665-1 + - type: WEB + url: https://web.archive.org/web/20200227102806/http://www.securityfocus.com/bid/103170 + - type: WEB + url: https://web.archive.org/web/20200516074457/http://www.securitytracker.com/id/1040427 + - type: WEB + url: https://www.debian.org/security/2018/dsa-4281 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0465 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0466 + - type: WEB + url: 
https://access.redhat.com/errata/RHSA-2018:1320 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1447 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1448 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1449 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1450 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1451 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2939 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2205 + - type: ADVISORY + url: https://github.com/advisories/GHSA-6rxj-58jh-436r + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb%40%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html + database_specific: + cwe_ids: [] + github_reviewed: true + github_reviewed_at: "2020-06-16T21:20:10Z" + nvd_published_at: "2018-02-28T20:29:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-6v52-mj5r-7j2m + modified: 2024-03-11T05:32:05.311159Z + published: 2018-10-17T16:33:02Z + aliases: + - CVE-2018-8037 + summary: Apache Tomcat Race Condition vulnerability + details: 'If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. 
An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.' + affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0.M9 + - fixed: 9.0.10 + versions: + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M9 + - 9.0.1 + - 9.0.2 + - 9.0.4 + - 9.0.5 + - 9.0.6 + - 9.0.7 + - 9.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6v52-mj5r-7j2m/GHSA-6v52-mj5r-7j2m.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.5 + - fixed: 8.5.32 + versions: + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.30 + - 8.5.31 + - 8.5.5 + - 8.5.6 + - 8.5.8 + - 8.5.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6v52-mj5r-7j2m/GHSA-6v52-mj5r-7j2m.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-8037 + - type: WEB + url: https://github.com/apache/tomcat/commit/4c04369c287233ea2e8e5135f6c31d02e2d76293 + - type: WEB + url: 
https://github.com/apache/tomcat/commit/ccf2e6bf5205561ad18c2300153e9173ec509d73 + - type: WEB + url: https://github.com/apache/tomcat/commit/ed4b9d791f9470e4c3de691dd0153a9ce431701b + - type: WEB + url: https://github.com/apache/tomcat/commit/f94eedf02b5973598ab3dbbd4504da588e9ba6cb + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2867 + - type: WEB + url: https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20180817-0001 + - type: WEB + url: https://web.archive.org/web/20200227102808/http://www.securityfocus.com/bid/104894 + - type: WEB + url: https://web.archive.org/web/20200515223903/http://www.securitytracker.com/id/1041376 + - type: WEB + url: https://www.debian.org/security/2018/dsa-4281 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2868 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1529 + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/2ee3af8a43cb019e7898c9330cc8e73306553a27f2e4735dfb522d39%40%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/2ee3af8a43cb019e7898c9330cc8e73306553a27f2e4735dfb522d39@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5d15316dfb4adf75d96d394745f8037533fa3bcc1ac8f619bf5c044c%40%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5d15316dfb4adf75d96d394745f8037533fa3bcc1ac8f619bf5c044c@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090623.GA92700%40minotaur.apache.org%3E + - type: WEB + url: http://mail-archives.us.apache.org/mod_mbox/www-announce/201808.mbox/%3C0c616b4d-4e81-e7f8-b81d-1bb4c575aa33%40apache.org%3E + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html + database_specific: + cwe_ids: + - CWE-362 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:20:12Z" + nvd_published_at: "2018-08-02T14:29:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-767j-jfh2-jvrc + modified: 2024-02-21T05:31:17.449525Z + published: 2020-02-28T01:10:58Z + aliases: + - CVE-2019-17569 + 
summary: Potential HTTP request smuggling in Apache Tomcat + details: The refactoring present in Apache Tomcat versions 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. + affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 7.0.98 + - fixed: 7.0.100 + versions: + - 7.0.99 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.48 + - fixed: 8.5.51 + versions: + - 8.5.49 + - 8.5.50 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.28 + - fixed: 9.0.31 + versions: + - 9.0.29 + - 9.0.30 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 7.0.98 + - fixed: 7.0.100 + versions: + 
- 7.0.99 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.48 + - fixed: 8.5.51 + versions: + - 8.5.49 + - 8.5.50 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.28 + - fixed: 9.0.31 + versions: + - 9.0.29 + - 9.0.30 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-17569 + - type: WEB + url: https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r88def002c5c78534674ca67472e035099fbe088813d50062094a1390%40%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200327-0005 + - type: WEB + url: https://www.debian.org/security/2020/dsa-4673 + - type: WEB + url: https://www.debian.org/security/2020/dsa-4680 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: 
https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html + database_specific: + cwe_ids: + - CWE-444 + github_reviewed: true + github_reviewed_at: "2020-02-25T16:19:11Z" + nvd_published_at: "2020-02-24T22:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-7w75-32cg-r6g2 + modified: 2024-06-25T02:30:05.155818Z + published: 2024-03-13T18:31:34Z + aliases: + - BIT-tomcat-2024-24549 + - CVE-2024-24549 + summary: Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests + details: |+ + Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. + + Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue. 
+ + affected: + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-coyote + purl: pkg:maven/org.apache.tomcat/tomcat-coyote + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0-M1 + - fixed: 11.0.0-M17 + versions: + - 11.0.0-M1 + - 11.0.0-M10 + - 11.0.0-M11 + - 11.0.0-M12 + - 11.0.0-M13 + - 11.0.0-M14 + - 11.0.0-M15 + - 11.0.0-M16 + - 11.0.0-M3 + - 11.0.0-M4 + - 11.0.0-M5 + - 11.0.0-M6 + - 11.0.0-M7 + - 11.0.0-M9 + database_specific: + last_known_affected_version_range: <= 11.0.0-M16 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-coyote + purl: pkg:maven/org.apache.tomcat/tomcat-coyote + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.1.0-M1 + - fixed: 10.1.19 + versions: + - 10.1.0 + - 10.1.0-M1 + - 10.1.0-M10 + - 10.1.0-M11 + - 10.1.0-M12 + - 10.1.0-M14 + - 10.1.0-M15 + - 10.1.0-M16 + - 10.1.0-M17 + - 10.1.0-M2 + - 10.1.0-M4 + - 10.1.0-M5 + - 10.1.0-M6 + - 10.1.0-M7 + - 10.1.0-M8 + - 10.1.1 + - 10.1.10 + - 10.1.11 + - 10.1.12 + - 10.1.13 + - 10.1.14 + - 10.1.15 + - 10.1.16 + - 10.1.17 + - 10.1.18 + - 10.1.2 + - 10.1.4 + - 10.1.5 + - 10.1.6 + - 10.1.7 + - 10.1.8 + - 10.1.9 + database_specific: + last_known_affected_version_range: <= 10.1.18 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-coyote + purl: pkg:maven/org.apache.tomcat/tomcat-coyote + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0-M1 + - fixed: 9.0.86 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + - 9.0.1 + - 9.0.10 + - 
9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 + - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 + - 9.0.40 + - 9.0.41 + - 9.0.43 + - 9.0.44 + - 9.0.45 + - 9.0.46 + - 9.0.48 + - 9.0.5 + - 9.0.50 + - 9.0.52 + - 9.0.53 + - 9.0.54 + - 9.0.55 + - 9.0.56 + - 9.0.58 + - 9.0.59 + - 9.0.6 + - 9.0.60 + - 9.0.62 + - 9.0.63 + - 9.0.64 + - 9.0.65 + - 9.0.67 + - 9.0.68 + - 9.0.69 + - 9.0.7 + - 9.0.70 + - 9.0.71 + - 9.0.72 + - 9.0.73 + - 9.0.74 + - 9.0.75 + - 9.0.76 + - 9.0.78 + - 9.0.79 + - 9.0.8 + - 9.0.80 + - 9.0.81 + - 9.0.82 + - 9.0.83 + - 9.0.84 + - 9.0.85 + database_specific: + last_known_affected_version_range: <= 9.0.85 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-coyote + purl: pkg:maven/org.apache.tomcat/tomcat-coyote + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.99 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.49 + - 8.5.5 + - 8.5.50 + - 8.5.51 + - 8.5.53 + - 8.5.54 + - 8.5.55 + - 8.5.56 + - 8.5.57 + - 8.5.58 + - 8.5.59 + - 8.5.6 + - 8.5.60 + - 8.5.61 + - 8.5.63 + - 8.5.64 + - 8.5.65 + - 8.5.66 + - 8.5.68 + - 8.5.69 + - 8.5.70 + - 8.5.71 + - 8.5.72 + - 8.5.73 + - 8.5.75 + - 8.5.76 + - 8.5.77 + - 8.5.78 + - 8.5.79 + - 8.5.8 + - 8.5.81 + - 8.5.82 + - 8.5.83 + - 8.5.84 + - 8.5.85 + - 8.5.86 + - 8.5.87 + - 8.5.88 + - 8.5.89 + - 8.5.9 + - 8.5.90 + - 8.5.91 + - 8.5.92 + - 
8.5.93 + - 8.5.94 + - 8.5.95 + - 8.5.96 + - 8.5.97 + - 8.5.98 + database_specific: + last_known_affected_version_range: <= 8.5.98 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.99 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.49 + - 8.5.5 + - 8.5.50 + - 8.5.51 + - 8.5.53 + - 8.5.54 + - 8.5.55 + - 8.5.56 + - 8.5.57 + - 8.5.58 + - 8.5.59 + - 8.5.6 + - 8.5.60 + - 8.5.61 + - 8.5.63 + - 8.5.64 + - 8.5.65 + - 8.5.66 + - 8.5.68 + - 8.5.69 + - 8.5.70 + - 8.5.71 + - 8.5.72 + - 8.5.73 + - 8.5.75 + - 8.5.76 + - 8.5.77 + - 8.5.78 + - 8.5.79 + - 8.5.8 + - 8.5.81 + - 8.5.82 + - 8.5.83 + - 8.5.84 + - 8.5.85 + - 8.5.86 + - 8.5.87 + - 8.5.88 + - 8.5.89 + - 8.5.9 + - 8.5.90 + - 8.5.91 + - 8.5.92 + - 8.5.93 + - 8.5.94 + - 8.5.95 + - 8.5.96 + - 8.5.97 + - 8.5.98 + database_specific: + last_known_affected_version_range: <= 8.5.98 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0-M1 + - fixed: 9.0.86 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 
9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 + - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 + - 9.0.40 + - 9.0.41 + - 9.0.43 + - 9.0.44 + - 9.0.45 + - 9.0.46 + - 9.0.48 + - 9.0.5 + - 9.0.50 + - 9.0.52 + - 9.0.53 + - 9.0.54 + - 9.0.55 + - 9.0.56 + - 9.0.58 + - 9.0.59 + - 9.0.6 + - 9.0.60 + - 9.0.62 + - 9.0.63 + - 9.0.64 + - 9.0.65 + - 9.0.67 + - 9.0.68 + - 9.0.69 + - 9.0.7 + - 9.0.70 + - 9.0.71 + - 9.0.72 + - 9.0.73 + - 9.0.74 + - 9.0.75 + - 9.0.76 + - 9.0.78 + - 9.0.79 + - 9.0.8 + - 9.0.80 + - 9.0.81 + - 9.0.82 + - 9.0.83 + - 9.0.84 + - 9.0.85 + database_specific: + last_known_affected_version_range: <= 9.0.85 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.1.0-M1 + - fixed: 10.1.19 + versions: + - 10.1.0 + - 10.1.0-M1 + - 10.1.0-M10 + - 10.1.0-M11 + - 10.1.0-M12 + - 10.1.0-M14 + - 10.1.0-M15 + - 10.1.0-M16 + - 10.1.0-M17 + - 10.1.0-M2 + - 10.1.0-M4 + - 10.1.0-M5 + - 10.1.0-M6 + - 10.1.0-M7 + - 10.1.0-M8 + - 10.1.1 + - 10.1.10 + - 10.1.11 + - 10.1.12 + - 10.1.13 + - 10.1.14 + - 10.1.15 + - 10.1.16 + - 10.1.17 + - 10.1.18 + - 10.1.2 + - 10.1.4 + - 10.1.5 + - 10.1.6 + - 10.1.7 + - 10.1.8 + - 10.1.9 + database_specific: + last_known_affected_version_range: <= 10.1.18 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json + - package: + ecosystem: Maven + name: 
org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0-M1 + - fixed: 11.0.0-M17 + versions: + - 11.0.0-M1 + - 11.0.0-M10 + - 11.0.0-M11 + - 11.0.0-M12 + - 11.0.0-M13 + - 11.0.0-M14 + - 11.0.0-M15 + - 11.0.0-M16 + - 11.0.0-M3 + - 11.0.0-M4 + - 11.0.0-M5 + - 11.0.0-M6 + - 11.0.0-M7 + - 11.0.0-M9 + database_specific: + last_known_affected_version_range: <= 11.0.0-M16 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2024-24549 + - type: WEB + url: https://github.com/apache/tomcat/commit/0cac540a882220231ba7a82330483cbd5f6b1f96 + - type: WEB + url: https://github.com/apache/tomcat/commit/810f49d5ff6d64b704af85d5b8d0aab9ec3c83f5 + - type: WEB + url: https://github.com/apache/tomcat/commit/8e03be9f2698f2da9027d40b9e9c0c9429b74dc0 + - type: WEB + url: https://github.com/apache/tomcat/commit/d07c82194edb69d99b438828fe2cbfadbb207843 + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20240402-0002 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2024/03/13/3 + database_specific: + cwe_ids: + - CWE-20 + github_reviewed: true + github_reviewed_at: "2024-03-15T16:27:53Z" + nvd_published_at: "2024-03-13T16:15:29Z" + severity: MODERATE + - schema_version: 
1.6.0 + id: GHSA-8vmx-qmch-mpqg + modified: 2024-03-16T05:19:17.739703Z + published: 2019-04-18T14:27:35Z + aliases: + - CVE-2019-0232 + summary: Apache Tomcat OS Command Injection vulnerability + details: When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/). 
+ affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0.M1 + - fixed: 9.0.17 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.2 + - 9.0.4 + - 9.0.5 + - 9.0.6 + - 9.0.7 + - 9.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-8vmx-qmch-mpqg/GHSA-8vmx-qmch-mpqg.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.0.0 + - fixed: 8.5.40 + versions: + - 8.0.1 + - 8.0.11 + - 8.0.12 + - 8.0.14 + - 8.0.15 + - 8.0.17 + - 8.0.18 + - 8.0.20 + - 8.0.21 + - 8.0.22 + - 8.0.23 + - 8.0.24 + - 8.0.26 + - 8.0.27 + - 8.0.28 + - 8.0.29 + - 8.0.3 + - 8.0.30 + - 8.0.32 + - 8.0.33 + - 8.0.35 + - 8.0.36 + - 8.0.37 + - 8.0.38 + - 8.0.39 + - 8.0.41 + - 8.0.42 + - 8.0.43 + - 8.0.44 + - 8.0.45 + - 8.0.46 + - 8.0.47 + - 8.0.48 + - 8.0.49 + - 8.0.5 + - 8.0.50 + - 8.0.51 + - 8.0.52 + - 8.0.53 + - 8.0.8 + - 8.0.9 + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.5 + - 8.5.6 + - 8.5.8 + - 8.5.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-8vmx-qmch-mpqg/GHSA-8vmx-qmch-mpqg.json + - 
package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 7.0.0 + - fixed: 7.0.94 + versions: + - 7.0.0 + - 7.0.11 + - 7.0.12 + - 7.0.14 + - 7.0.16 + - 7.0.19 + - 7.0.2 + - 7.0.20 + - 7.0.21 + - 7.0.22 + - 7.0.23 + - 7.0.25 + - 7.0.26 + - 7.0.27 + - 7.0.28 + - 7.0.29 + - 7.0.30 + - 7.0.32 + - 7.0.33 + - 7.0.34 + - 7.0.35 + - 7.0.37 + - 7.0.39 + - 7.0.4 + - 7.0.40 + - 7.0.41 + - 7.0.42 + - 7.0.47 + - 7.0.5 + - 7.0.50 + - 7.0.52 + - 7.0.53 + - 7.0.54 + - 7.0.55 + - 7.0.56 + - 7.0.57 + - 7.0.59 + - 7.0.6 + - 7.0.61 + - 7.0.62 + - 7.0.63 + - 7.0.64 + - 7.0.65 + - 7.0.67 + - 7.0.68 + - 7.0.69 + - 7.0.70 + - 7.0.72 + - 7.0.73 + - 7.0.75 + - 7.0.76 + - 7.0.77 + - 7.0.78 + - 7.0.79 + - 7.0.8 + - 7.0.81 + - 7.0.82 + - 7.0.84 + - 7.0.85 + - 7.0.86 + - 7.0.88 + - 7.0.90 + - 7.0.91 + - 7.0.92 + - 7.0.93 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-8vmx-qmch-mpqg/GHSA-8vmx-qmch-mpqg.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-0232 + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190419-0001 + - type: WEB + url: https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way + - type: WEB + url: https://web.archive.org/web/20200227030103/http://www.securityfocus.com/bid/107906 + - type: WEB + url: https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-784 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: 
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: https://www.synology.com/security/advisory/Synology_SA_19_17 + - type: WEB + url: https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1712 + - type: WEB + url: https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat + - type: WEB + url: https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/52ffb9fbf661245386a83a661183d13f1de2e5779fa23837a08e02ac%40%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/52ffb9fbf661245386a83a661183d13f1de2e5779fa23837a08e02ac@%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5f297a4b9080b5f65a05bc139596d0e437d6a539b25e31d29d028767%40%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5f297a4b9080b5f65a05bc139596d0e437d6a539b25e31d29d028767@%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/673b6148d92cd7bc99ea2dcf85ad75d57da44fc322d51f37fb529a2a%40%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/673b6148d92cd7bc99ea2dcf85ad75d57da44fc322d51f37fb529a2a@%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/96849486813a95dfd542e1618b7923ca945508aaf4a4341f674d83e3%40%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/96849486813a95dfd542e1618b7923ca945508aaf4a4341f674d83e3@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/a6c87a09a71162fd563ab1c4e70a08a103e0b7c199fc391f1c9c4c35%40%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/a6c87a09a71162fd563ab1c4e70a08a103e0b7c199fc391f1c9c4c35@%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/dd4b325cdb261183dbf5ce913c102920a8f09c26dae666a98309165b%40%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/dd4b325cdb261183dbf5ce913c102920a8f09c26dae666a98309165b@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f4d48b32ef2b6aa49c8830241a9475da5b46e451f964b291c7a0a715%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f4d48b32ef2b6aa49c8830241a9475da5b46e451f964b291c7a0a715@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: http://packetstormsecurity.com/files/153506/Apache-Tomcat-CGIServlet-enableCmdLineArguments-Remote-Code-Execution.html + - type: WEB + url: http://seclists.org/fulldisclosure/2019/May/4 + database_specific: + cwe_ids: + - 
CWE-78 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:26:43Z" + nvd_published_at: "2019-04-15T15:29:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-9hg2-395j-83rm + modified: 2024-04-18T17:16:24.017955Z + published: 2022-05-13T01:46:13Z + aliases: + - CVE-2017-5651 + summary: Expected Behavior Violation in Apache Tomcat + details: In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up. + affected: + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-coyote + purl: pkg:maven/org.apache.tomcat/tomcat-coyote + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0.M1 + - fixed: 9.0.0.M19 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + database_specific: + last_known_affected_version_range: <= 9.0.0.M18 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9hg2-395j-83rm/GHSA-9hg2-395j-83rm.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-coyote + purl: pkg:maven/org.apache.tomcat/tomcat-coyote + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.13 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.2 + - 8.5.3 + - 8.5.4 + - 8.5.5 + - 8.5.6 + - 8.5.8 + - 8.5.9 + database_specific: + last_known_affected_version_range: <= 8.5.12 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9hg2-395j-83rm/GHSA-9hg2-395j-83rm.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + 
purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0.M1 + - fixed: 9.0.0.M19 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + database_specific: + last_known_affected_version_range: <= 9.0.0.M18 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9hg2-395j-83rm/GHSA-9hg2-395j-83rm.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.13 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.2 + - 8.5.3 + - 8.5.4 + - 8.5.5 + - 8.5.6 + - 8.5.8 + - 8.5.9 + database_specific: + last_known_affected_version_range: <= 8.5.12 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9hg2-395j-83rm/GHSA-9hg2-395j-83rm.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-5651 + - type: WEB + url: https://github.com/apache/tomcat/commit/494429ca210641b6b7affe89a2b0a6c0ff70109b + - type: WEB + url: https://github.com/apache/tomcat/commit/9233d9d6a018be4415d4d7d6cb4fe01176adf1a8 + - type: WEB + url: https://web.archive.org/web/20170420113605/http://www.securitytracker.com/id/1038219 + - type: WEB + url: https://web.archive.org/web/20170417124228/http://www.securityfocus.com/bid/97544 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20180614-0001 + - type: WEB + url: https://security.gentoo.org/glsa/201705-09 + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6694538826b87522fb723d2dcedd537e14ebe0a381d92e5525a531d8@%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6694538826b87522fb723d2dcedd537e14ebe0a381d92e5525a531d8%40%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://github.com/search?q=repo%3Aapache%2Ftomcat+apache.coyote+path%3A%2F%5Eres%5C%2Fbnd%5C%2F%2F&type=code + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://bz.apache.org/bugzilla/show_bug.cgi?id=60918 + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html + database_specific: + cwe_ids: + - CWE-440 + github_reviewed: true + github_reviewed_at: "2022-07-01T13:44:41Z" + nvd_published_at: "2017-04-17T16:59:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-9xcj-c8cr-8c3c + modified: 2024-03-10T05:19:10.199468Z + published: 2019-12-26T18:22:26Z + aliases: + - CVE-2019-17563 + summary: In Apache Tomcat, when using FORM authentication there was a narrow window where an attacker could perform a session fixation attack + details: When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 7.0.99 + versions: + - 7.0.0 + - 7.0.11 + - 7.0.12 + - 7.0.14 + - 7.0.16 + - 7.0.19 + - 7.0.2 + - 7.0.20 + - 7.0.21 + - 7.0.22 + - 7.0.23 + - 7.0.25 + - 7.0.26 + - 7.0.27 + - 7.0.28 + - 7.0.29 + - 7.0.30 + - 7.0.32 + - 7.0.33 + - 7.0.34 + - 7.0.35 + - 7.0.37 + - 7.0.39 + - 7.0.4 + - 7.0.40 + - 7.0.41 + - 7.0.42 + - 7.0.47 + - 7.0.5 + - 7.0.50 + - 7.0.52 + - 7.0.53 + - 7.0.54 + - 7.0.55 + - 7.0.56 + - 7.0.57 + - 7.0.59 + - 7.0.6 + - 7.0.61 + - 7.0.62 + - 7.0.63 + - 7.0.64 + - 7.0.65 + - 7.0.67 + - 7.0.68 + - 7.0.69 + - 7.0.70 + - 7.0.72 + - 7.0.73 + - 7.0.75 + - 7.0.76 + - 7.0.77 + - 7.0.78 + - 7.0.79 + - 7.0.8 + - 7.0.81 + - 7.0.82 + - 7.0.84 + - 7.0.85 + - 7.0.86 + - 7.0.88 + - 7.0.90 + - 7.0.91 + - 7.0.92 + - 7.0.93 + - 7.0.94 + - 7.0.96 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-9xcj-c8cr-8c3c/GHSA-9xcj-c8cr-8c3c.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.0.0 + - fixed: 8.5.50 + versions: + - 8.0.1 + - 8.0.11 + - 8.0.12 + - 8.0.14 + - 8.0.15 + - 8.0.17 + - 8.0.18 + - 8.0.20 + - 8.0.21 + - 8.0.22 + - 8.0.23 + - 8.0.24 + - 8.0.26 + - 8.0.27 + - 8.0.28 + - 8.0.29 + - 8.0.3 + - 8.0.30 + - 8.0.32 + - 8.0.33 + - 8.0.35 + - 8.0.36 + - 8.0.37 + - 8.0.38 + - 8.0.39 + - 8.0.41 + - 8.0.42 + - 8.0.43 + - 8.0.44 + - 8.0.45 + - 8.0.46 + - 8.0.47 + - 8.0.48 + - 8.0.49 + - 8.0.5 + - 8.0.50 + - 8.0.51 + - 8.0.52 + - 8.0.53 + - 8.0.8 + - 8.0.9 + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 
8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.49 + - 8.5.5 + - 8.5.6 + - 8.5.8 + - 8.5.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-9xcj-c8cr-8c3c/GHSA-9xcj-c8cr-8c3c.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0 + - fixed: 9.0.30 + versions: + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.4 + - 9.0.5 + - 9.0.6 + - 9.0.7 + - 9.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-9xcj-c8cr-8c3c/GHSA-9xcj-c8cr-8c3c.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-17563 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.debian.org/security/2020/dsa-4680 + - type: WEB + url: https://www.debian.org/security/2019/dsa-4596 + - type: WEB + url: https://usn.ubuntu.com/4251-1 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200107-0001 + - type: WEB + url: https://security.gentoo.org/glsa/202003-43 + - type: WEB + url: https://seclists.org/bugtraq/2019/Dec/43 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html + - type: WEB + url: 
https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html + - type: WEB + url: https://lists.apache.org/thread.html/reb9a66f176df29b9a832caa95ebd9ffa3284e8f4922ec4fa3ad8eb2e@%3Cissues.cxf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/8b4c1db8300117b28a0f3f743c0b9e3f964687a690cdf9662a884bbd%40%3Cannounce.tomcat.apache.org%3E + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html + database_specific: + cwe_ids: + - CWE-384 + github_reviewed: true + github_reviewed_at: "2019-12-26T18:22:01Z" + nvd_published_at: "2019-12-23T17:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-c9hw-wf7x-jp9j + modified: 2024-03-14T05:20:10.150452Z + published: 2020-06-15T18:51:21Z + aliases: + - BIT-tomcat-2020-1938 + - CVE-2020-1938 + summary: Improper Privilege Management in Tomcat + details: 'When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. 
In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: returning arbitrary files from anywhere in the web application, processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.' 
+ affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0 + - fixed: 9.0.31 + versions: + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.4 + - 9.0.5 + - 9.0.6 + - 9.0.7 + - 9.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-c9hw-wf7x-jp9j/GHSA-c9hw-wf7x-jp9j.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.0.0 + - fixed: 8.5.51 + versions: + - 8.0.1 + - 8.0.11 + - 8.0.12 + - 8.0.14 + - 8.0.15 + - 8.0.17 + - 8.0.18 + - 8.0.20 + - 8.0.21 + - 8.0.22 + - 8.0.23 + - 8.0.24 + - 8.0.26 + - 8.0.27 + - 8.0.28 + - 8.0.29 + - 8.0.3 + - 8.0.30 + - 8.0.32 + - 8.0.33 + - 8.0.35 + - 8.0.36 + - 8.0.37 + - 8.0.38 + - 8.0.39 + - 8.0.41 + - 8.0.42 + - 8.0.43 + - 8.0.44 + - 8.0.45 + - 8.0.46 + - 8.0.47 + - 8.0.48 + - 8.0.49 + - 8.0.5 + - 8.0.50 + - 8.0.51 + - 8.0.52 + - 8.0.53 + - 8.0.8 + - 8.0.9 + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.49 + - 8.5.5 + - 8.5.50 + - 8.5.6 + - 8.5.8 + - 8.5.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-c9hw-wf7x-jp9j/GHSA-c9hw-wf7x-jp9j.json + - package: + ecosystem: Maven + name: 
org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 7.0.0 + - fixed: 7.0.100 + versions: + - 7.0.0 + - 7.0.11 + - 7.0.12 + - 7.0.14 + - 7.0.16 + - 7.0.19 + - 7.0.2 + - 7.0.20 + - 7.0.21 + - 7.0.22 + - 7.0.23 + - 7.0.25 + - 7.0.26 + - 7.0.27 + - 7.0.28 + - 7.0.29 + - 7.0.30 + - 7.0.32 + - 7.0.33 + - 7.0.34 + - 7.0.35 + - 7.0.37 + - 7.0.39 + - 7.0.4 + - 7.0.40 + - 7.0.41 + - 7.0.42 + - 7.0.47 + - 7.0.5 + - 7.0.50 + - 7.0.52 + - 7.0.53 + - 7.0.54 + - 7.0.55 + - 7.0.56 + - 7.0.57 + - 7.0.59 + - 7.0.6 + - 7.0.61 + - 7.0.62 + - 7.0.63 + - 7.0.64 + - 7.0.65 + - 7.0.67 + - 7.0.68 + - 7.0.69 + - 7.0.70 + - 7.0.72 + - 7.0.73 + - 7.0.75 + - 7.0.76 + - 7.0.77 + - 7.0.78 + - 7.0.79 + - 7.0.8 + - 7.0.81 + - 7.0.82 + - 7.0.84 + - 7.0.85 + - 7.0.86 + - 7.0.88 + - 7.0.90 + - 7.0.91 + - 7.0.92 + - 7.0.93 + - 7.0.94 + - 7.0.96 + - 7.0.99 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-c9hw-wf7x-jp9j/GHSA-c9hw-wf7x-jp9j.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-1938 + - type: WEB + url: https://lists.apache.org/thread.html/r089dc67c0358a1556dd279c762c74f32d7a254a54836b7ee2d839d8e@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb2fc890bef23cbc7f343900005fe1edd3b091cf18dada455580258f9@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbdb1d2b651a3728f0ceba9e0853575b6f90296a94a71836a15f7364a@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcd5cd301e9e7e39f939baf2f5d58704750be07a5e2d3393e40ca7194@%3Ccommits.tomee.apache.org%3E + - 
type: WEB + url: https://lists.apache.org/thread.html/rce2af55f6e144ffcdc025f997eddceb315dfbc0b230e3d750a7f7425@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd0774c95699d5aeb5e16e9a600fb2ea296e81175e30a62094e27e3e7@%3Ccommits.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re5eecbe5bf967439bafeeaa85987b3a43f0e6efe06b6976ee768cde2@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf26663f42e7f1a1d1cac732469fb5e92c89908a48b61ec546dbb79ca@%3Cbugs.httpd.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf992c5adf376294af31378a70aa8a158388a41d7039668821be28df3@%3Ccommits.tomee.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2XFLQB3O5QVP4ZBIPVIXBEZV7F2R7ZMS + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K3IPNHCKFVUKSHDTM45UL4Q765EHHTFG + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L46WJIV6UV3FWA5O5YEY6XLA73RYD53B + - type: WEB + url: https://security.gentoo.org/glsa/202003-43 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200226-0002 + - type: WEB + url: https://www.debian.org/security/2020/dsa-4673 + - type: WEB + url: https://www.debian.org/security/2020/dsa-4680 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html 
+ - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r43faacf64570b1d9a4bada407a5af3b2738b0c007b905f1b6b608c65@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r47caef01f663106c2bb81d116b8380d62beac9e543dd3f3bc2c2beda@%3Ccommits.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4afa11e0464408e68f0e9560e90b185749363a66398b1491254f7864@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4f86cb260196e5cfcbbe782822c225ddcc70f54560f14a8f11c6926f@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r549b43509e387a42656f0641fa311bf27c127c244fe02007d5b8d6f6@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r57f5e4ced436ace518a9e222fabe27fb785f09f5bf974814cc48ca97@%3Ccommits.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5e2f1201b92ee05a0527cfc076a81ea0c270be299b87895c0ddbe02b@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r61f280a76902b594692f0b24a1dbf647bb5a4c197b9395e9a6796e7c@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6a5633cad1b560a1e51f5b425f02918bdf30e090fdf18c5f7c2617eb@%3Ccommits.tomee.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r74328b178f9f37fe759dffbc9c1f2793e66d79d7a8a20d3836551794@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r772335e6851ad33ddb076218fa4ff70de1bf398d5b43e2ddf0130e5d@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r856cdd87eda7af40b50278d6de80ee4b42d63adeb433a34a7bdaf9db@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8f7484589454638af527182ae55ef5b628ba00c05c5b11887c922fb1@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r92d78655c068d0bc991d1edbdfb24f9c5134603e647cade1113d4e0a@%3Cusers.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9f119d9ce9239114022e13dbfe385b3de7c972f24f05d6dbd35c1a2f@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra7092f7492569b39b04ec0decf52628ba86c51f15efb38f5853e2760@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rad36ec6a1ffc9e43266b030c22ceeea569243555d34fb4187ff08522@%3Cnotifications.ofbiz.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html + - type: WEB + url: 
http://support.blackberry.com/kb/articleDetail?articleNumber=000062739 + database_specific: + cwe_ids: + - CWE-269 + github_reviewed: true + github_reviewed_at: "2020-06-15T16:10:05Z" + nvd_published_at: "2020-02-24T22:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-cx6h-86xw-9x34 + modified: 2024-04-24T19:31:03.102779Z + published: 2023-07-06T21:14:59Z + aliases: + - BIT-tomcat-2023-28709 + - CVE-2023-28709 + summary: Apache Tomcat - Fix for CVE-2023-24998 was incomplete + details: The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur. + affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0-M2 + - fixed: 11.0.0-M5 + versions: + - 11.0.0-M3 + - 11.0.0-M4 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-cx6h-86xw-9x34/GHSA-cx6h-86xw-9x34.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.1.5 + - fixed: 10.1.8 + versions: + - 10.1.5 + - 10.1.6 + - 10.1.7 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-cx6h-86xw-9x34/GHSA-cx6h-86xw-9x34.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.71 + - fixed: 9.0.74 + versions: 
+ - 9.0.71 + - 9.0.72 + - 9.0.73 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-cx6h-86xw-9x34/GHSA-cx6h-86xw-9x34.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-coyote + purl: pkg:maven/org.apache.tomcat/tomcat-coyote + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.85 + - fixed: 8.5.88 + versions: + - 8.5.85 + - 8.5.86 + - 8.5.87 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-cx6h-86xw-9x34/GHSA-cx6h-86xw-9x34.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-28709 + - type: WEB + url: https://github.com/apache/tomcat/commit/5badf94e79e5de206fc0ef3054fd536b1bb787cd + - type: WEB + url: https://github.com/apache/tomcat/commit/ba848da71c523d94950d3c53c19ea155189df9dc + - type: WEB + url: https://github.com/apache/tomcat/commit/d53d8e7f77042cc32a3b98f589496a1ef5088e38 + - type: WEB + url: https://github.com/apache/tomcat/commit/fbd81421629afe8b8a3922d59020cde81caea861 + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j + - type: WEB + url: https://security.gentoo.org/glsa/202305-37 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20230616-0004 + - type: WEB + url: https://tomcat.apache.org/security-10.html + - type: WEB + url: https://tomcat.apache.org/security-11.html + - type: WEB + url: https://tomcat.apache.org/security-8.html + - type: WEB + url: https://tomcat.apache.org/security-9.html + - type: WEB + url: https://www.debian.org/security/2023/dsa-5521 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2023/05/22/1 + database_specific: + cwe_ids: + - CWE-193 + github_reviewed: true + github_reviewed_at: "2023-07-06T23:34:50Z" + 
nvd_published_at: "2023-05-22T11:15:09Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-f4qf-m5gf-8jm8 + modified: 2024-04-23T22:01:15.527056Z + published: 2024-01-19T12:30:18Z + aliases: + - BIT-tomcat-2024-21733 + - CVE-2024-21733 + summary: Apache Tomcat vulnerable to Generation of Error Message Containing Sensitive Information + details: |+ + Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. + + Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue. + + affected: + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-coyote + purl: pkg:maven/org.apache.tomcat/tomcat-coyote + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0-M11 + - fixed: 9.0.44 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 + - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 + - 9.0.40 + - 9.0.41 + - 9.0.43 + - 9.0.5 + - 9.0.6 + - 9.0.7 + - 9.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-f4qf-m5gf-8jm8/GHSA-f4qf-m5gf-8jm8.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.7 + - fixed: 8.5.64 + versions: + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 
8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.49 + - 8.5.50 + - 8.5.51 + - 8.5.53 + - 8.5.54 + - 8.5.55 + - 8.5.56 + - 8.5.57 + - 8.5.58 + - 8.5.59 + - 8.5.60 + - 8.5.61 + - 8.5.63 + - 8.5.8 + - 8.5.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-f4qf-m5gf-8jm8/GHSA-f4qf-m5gf-8jm8.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2024-21733 + - type: WEB + url: https://github.com/apache/tomcat/commit/86ccc43940861703c2be96a5f35384407522125a + - type: WEB + url: https://github.com/apache/tomcat/commit/ce4b154e7b48f66bd98858626347747cd2514311 + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz + - type: WEB + url: https://security.netapp.com/advisory/ntap-20240216-0005 + - type: WEB + url: https://tomcat.apache.org/security-8.html + - type: WEB + url: https://tomcat.apache.org/security-9.html + - type: WEB + url: http://packetstormsecurity.com/files/176951/Apache-Tomcat-8.5.63-9.0.43-HTTP-Response-Smuggling.html + - type: WEB + url: http://www.openwall.com/lists/oss-security/2024/01/19/2 + database_specific: + cwe_ids: + - CWE-209 + github_reviewed: true + github_reviewed_at: "2024-01-29T22:30:43Z" + nvd_published_at: "2024-01-19T11:15:08Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-f98p-9pp6-7q6c + modified: 2024-03-05T18:53:37Z + published: 2022-05-01T23:45:13Z + aliases: + - CVE-2008-1947 + summary: Apache Tomcat Cross-site scripting (XSS) vulnerability + details: Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 
6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to `host-manager/html/add`. + affected: + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 5.5.9 + - fixed: 5.5.27 + database_specific: + last_known_affected_version_range: <= 5.5.26 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f98p-9pp6-7q6c/GHSA-f98p-9pp6-7q6c.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 6.0.0 + - fixed: 6.0.18 + database_specific: + last_known_affected_version_range: <= 6.0.16 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f98p-9pp6-7q6c/GHSA-f98p-9pp6-7q6c.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 5.5.9 + - fixed: 5.5.27 + database_specific: + last_known_affected_version_range: <= 5.5.26 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f98p-9pp6-7q6c/GHSA-f98p-9pp6-7q6c.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 6.0.0 + - fixed: 6.0.18 + database_specific: + last_known_affected_version_range: <= 6.0.16 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f98p-9pp6-7q6c/GHSA-f98p-9pp6-7q6c.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2008-1947 + - type: WEB + url: 
https://github.com/apache/tomcat/commit/ab6a6c41ac972c845717c9d639f0335865afab4d + - type: WEB + url: https://github.com/apache/tomcat/commit/78ad0fcbe29c824f1f2e45a4e2716247b033250a + - type: WEB + url: https://github.com/apache/tomcat/commit/49c71fc59c1b8f8da77aea9eb53e61db168aebab + - type: WEB + url: https://github.com/apache/tomcat/commit/5f00d434c8dc11bd49ce0b4b56fe889839056030 + - type: WEB + url: https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html + - type: WEB + url: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11534 + - type: WEB + url: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6009 + - type: WEB + url: https://web.archive.org/web/20200514224656/http://www.securityfocus.com/archive/1/507985/100/0/threaded + - type: WEB + url: https://web.archive.org/web/20201208011750/http://www.securityfocus.com/archive/1/492958/100/0/threaded + - type: WEB + url: https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html + - type: WEB + url: https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html + - type: WEB + url: https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html + - type: WEB + url: https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E 
+ - type: WEB + url: https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://exchange.xforce.ibmcloud.com/vulnerabilities/42816 + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=446393 + - type: WEB + url: https://access.redhat.com/security/cve/CVE-2008-1947 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2008:1007 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2008:0864 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2008:0862 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2008:0648 + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html + - type: WEB + url: http://marc.info/?l=bugtraq&m=123376588623823&w=2 + - type: WEB + url: http://marc.info/?l=bugtraq&m=139344343412337&w=2 + - type: WEB + url: http://marc.info/?l=tomcat-user&m=121244319501278&w=2 + - type: WEB + url: http://support.apple.com/kb/HT3216 + - type: WEB + url: http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm + - type: WEB + url: http://tomcat.apache.org/security-5.html + - type: WEB + url: http://tomcat.apache.org/security-6.html + - type: WEB + url: http://www.debian.org/security/2008/dsa-1593 + - type: WEB + url: http://www.mandriva.com/security/advisories?name=MDVSA-2008:188 + - type: WEB + url: http://www.redhat.com/support/errata/RHSA-2008-0648.html + - type: WEB + url: http://www.redhat.com/support/errata/RHSA-2008-0862.html + - type: WEB + url: 
http://www.redhat.com/support/errata/RHSA-2008-0864.html + - type: WEB + url: http://www.vmware.com/security/advisories/VMSA-2009-0002.html + - type: WEB + url: http://www.vmware.com/security/advisories/VMSA-2009-0016.html + database_specific: + cwe_ids: + - CWE-79 + github_reviewed: true + github_reviewed_at: "2024-01-08T22:33:18Z" + nvd_published_at: "2008-06-04T19:32:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-fccv-jmmp-qg76 + modified: 2024-02-20T05:26:18.936452Z + published: 2023-11-28T18:30:23Z + aliases: + - BIT-tomcat-2023-46589 + - CVE-2023-46589 + summary: Apache Tomcat Improper Input Validation vulnerability + details: |- + Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82, and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. + + Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-catalina + purl: pkg:maven/org.apache.tomcat/tomcat-catalina + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0-M1 + - fixed: 11.0.0-M11 + versions: + - 11.0.0-M1 + - 11.0.0-M10 + - 11.0.0-M3 + - 11.0.0-M4 + - 11.0.0-M5 + - 11.0.0-M6 + - 11.0.0-M7 + - 11.0.0-M9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-catalina + purl: pkg:maven/org.apache.tomcat/tomcat-catalina + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.1.0-M1 + - fixed: 10.1.16 + versions: + - 10.1.0 + - 10.1.0-M1 + - 10.1.0-M10 + - 10.1.0-M11 + - 10.1.0-M12 + - 10.1.0-M14 + - 10.1.0-M15 + - 10.1.0-M16 + - 10.1.0-M17 + - 10.1.0-M2 + - 10.1.0-M4 + - 10.1.0-M5 + - 10.1.0-M6 + - 10.1.0-M7 + - 10.1.0-M8 + - 10.1.1 + - 10.1.10 + - 10.1.11 + - 10.1.12 + - 10.1.13 + - 10.1.14 + - 10.1.15 + - 10.1.2 + - 10.1.4 + - 10.1.5 + - 10.1.6 + - 10.1.7 + - 10.1.8 + - 10.1.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-catalina + purl: pkg:maven/org.apache.tomcat/tomcat-catalina + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0-M1 + - fixed: 9.0.83 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 
+ - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 + - 9.0.40 + - 9.0.41 + - 9.0.43 + - 9.0.44 + - 9.0.45 + - 9.0.46 + - 9.0.48 + - 9.0.5 + - 9.0.50 + - 9.0.52 + - 9.0.53 + - 9.0.54 + - 9.0.55 + - 9.0.56 + - 9.0.58 + - 9.0.59 + - 9.0.6 + - 9.0.60 + - 9.0.62 + - 9.0.63 + - 9.0.64 + - 9.0.65 + - 9.0.67 + - 9.0.68 + - 9.0.69 + - 9.0.7 + - 9.0.70 + - 9.0.71 + - 9.0.72 + - 9.0.73 + - 9.0.74 + - 9.0.75 + - 9.0.76 + - 9.0.78 + - 9.0.79 + - 9.0.8 + - 9.0.80 + - 9.0.81 + - 9.0.82 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-catalina + purl: pkg:maven/org.apache.tomcat/tomcat-catalina + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.96 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.49 + - 8.5.5 + - 8.5.50 + - 8.5.51 + - 8.5.53 + - 8.5.54 + - 8.5.55 + - 8.5.56 + - 8.5.57 + - 8.5.58 + - 8.5.59 + - 8.5.6 + - 8.5.60 + - 8.5.61 + - 8.5.63 + - 8.5.64 + - 8.5.65 + - 8.5.66 + - 8.5.68 + - 8.5.69 + - 8.5.70 + - 8.5.71 + - 8.5.72 + - 8.5.73 + - 8.5.75 + - 8.5.76 + - 8.5.77 + - 8.5.78 + - 8.5.79 + - 8.5.8 + - 8.5.81 + - 8.5.82 + - 8.5.83 + - 8.5.84 + - 8.5.85 + - 8.5.86 + - 8.5.87 + - 8.5.88 + - 8.5.89 + - 8.5.9 + - 8.5.90 + - 8.5.91 + - 8.5.92 + - 8.5.93 + - 8.5.94 + - 8.5.95 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: 
pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0-M1 + - fixed: 11.0.0-M11 + versions: + - 11.0.0-M1 + - 11.0.0-M10 + - 11.0.0-M3 + - 11.0.0-M4 + - 11.0.0-M5 + - 11.0.0-M6 + - 11.0.0-M7 + - 11.0.0-M9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.1.0-M1 + - fixed: 10.1.16 + versions: + - 10.1.0 + - 10.1.0-M1 + - 10.1.0-M10 + - 10.1.0-M11 + - 10.1.0-M12 + - 10.1.0-M14 + - 10.1.0-M15 + - 10.1.0-M16 + - 10.1.0-M17 + - 10.1.0-M2 + - 10.1.0-M4 + - 10.1.0-M5 + - 10.1.0-M6 + - 10.1.0-M7 + - 10.1.0-M8 + - 10.1.1 + - 10.1.10 + - 10.1.11 + - 10.1.12 + - 10.1.13 + - 10.1.14 + - 10.1.15 + - 10.1.2 + - 10.1.4 + - 10.1.5 + - 10.1.6 + - 10.1.7 + - 10.1.8 + - 10.1.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0-M1 + - fixed: 9.0.83 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 + - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 
+ - 9.0.40 + - 9.0.41 + - 9.0.43 + - 9.0.44 + - 9.0.45 + - 9.0.46 + - 9.0.48 + - 9.0.5 + - 9.0.50 + - 9.0.52 + - 9.0.53 + - 9.0.54 + - 9.0.55 + - 9.0.56 + - 9.0.58 + - 9.0.59 + - 9.0.6 + - 9.0.60 + - 9.0.62 + - 9.0.63 + - 9.0.64 + - 9.0.65 + - 9.0.67 + - 9.0.68 + - 9.0.69 + - 9.0.7 + - 9.0.70 + - 9.0.71 + - 9.0.72 + - 9.0.73 + - 9.0.74 + - 9.0.75 + - 9.0.76 + - 9.0.78 + - 9.0.79 + - 9.0.8 + - 9.0.80 + - 9.0.81 + - 9.0.82 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.96 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.49 + - 8.5.5 + - 8.5.50 + - 8.5.51 + - 8.5.53 + - 8.5.54 + - 8.5.55 + - 8.5.56 + - 8.5.57 + - 8.5.58 + - 8.5.59 + - 8.5.6 + - 8.5.60 + - 8.5.61 + - 8.5.63 + - 8.5.64 + - 8.5.65 + - 8.5.66 + - 8.5.68 + - 8.5.69 + - 8.5.70 + - 8.5.71 + - 8.5.72 + - 8.5.73 + - 8.5.75 + - 8.5.76 + - 8.5.77 + - 8.5.78 + - 8.5.79 + - 8.5.8 + - 8.5.81 + - 8.5.82 + - 8.5.83 + - 8.5.84 + - 8.5.85 + - 8.5.86 + - 8.5.87 + - 8.5.88 + - 8.5.89 + - 8.5.9 + - 8.5.90 + - 8.5.91 + - 8.5.92 + - 8.5.93 + - 8.5.94 + - 8.5.95 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: 
https://nvd.nist.gov/vuln/detail/CVE-2023-46589 + - type: WEB + url: https://github.com/apache/tomcat/commit/6f181e1062a472bc5f0234980f66cbde42c1041b + - type: WEB + url: https://github.com/apache/tomcat/commit/7a2d8818fcea0b51747a67af9510ce7977245ebd + - type: WEB + url: https://github.com/apache/tomcat/commit/aa92971e879a519384c517febc39fd04c48d4642 + - type: WEB + url: https://github.com/apache/tomcat/commit/b5776d769bffeade865061bc8ecbeb2b56167b08 + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2024/01/msg00001.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20231214-0009 + - type: WEB + url: https://tomcat.apache.org/security-10.html + - type: WEB + url: https://tomcat.apache.org/security-11.html + - type: WEB + url: https://tomcat.apache.org/security-8.html + - type: WEB + url: https://tomcat.apache.org/security-9.html + - type: WEB + url: https://www.openwall.com/lists/oss-security/2023/11/28/2 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2023/11/28/2 + database_specific: + cwe_ids: + - CWE-20 + - CWE-444 + github_reviewed: true + github_reviewed_at: "2023-11-28T23:28:54Z" + nvd_published_at: "2023-11-28T16:15:06Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-g8pj-r55q-5c2v + modified: 2024-04-25T22:34:10.373884Z + published: 2023-10-10T18:31:35Z + aliases: + - BIT-tomcat-2023-42795 + - CVE-2023-42795 + summary: Apache Tomcat Incomplete Cleanup vulnerability + details: |- + Incomplete Cleanup vulnerability in Apache Tomcat. 
+ + When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. + + Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue. + affected: + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0-M1 + - fixed: 11.0.0-M12 + versions: + - 11.0.0-M1 + - 11.0.0-M10 + - 11.0.0-M11 + - 11.0.0-M3 + - 11.0.0-M4 + - 11.0.0-M5 + - 11.0.0-M6 + - 11.0.0-M7 + - 11.0.0-M9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.1.0-M1 + - fixed: 10.1.14 + versions: + - 10.1.0 + - 10.1.0-M1 + - 10.1.0-M10 + - 10.1.0-M11 + - 10.1.0-M12 + - 10.1.0-M14 + - 10.1.0-M15 + - 10.1.0-M16 + - 10.1.0-M17 + - 10.1.0-M2 + - 10.1.0-M4 + - 10.1.0-M5 + - 10.1.0-M6 + - 10.1.0-M7 + - 10.1.0-M8 + - 10.1.1 + - 10.1.10 + - 10.1.11 + - 10.1.12 + - 10.1.13 + - 10.1.2 + - 10.1.4 + - 10.1.5 + - 10.1.6 + - 10.1.7 + - 10.1.8 + - 10.1.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0-M1 + - fixed: 9.0.81 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 
+ - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 + - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 + - 9.0.40 + - 9.0.41 + - 9.0.43 + - 9.0.44 + - 9.0.45 + - 9.0.46 + - 9.0.48 + - 9.0.5 + - 9.0.50 + - 9.0.52 + - 9.0.53 + - 9.0.54 + - 9.0.55 + - 9.0.56 + - 9.0.58 + - 9.0.59 + - 9.0.6 + - 9.0.60 + - 9.0.62 + - 9.0.63 + - 9.0.64 + - 9.0.65 + - 9.0.67 + - 9.0.68 + - 9.0.69 + - 9.0.7 + - 9.0.70 + - 9.0.71 + - 9.0.72 + - 9.0.73 + - 9.0.74 + - 9.0.75 + - 9.0.76 + - 9.0.78 + - 9.0.79 + - 9.0.8 + - 9.0.80 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.94 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.49 + - 8.5.5 + - 8.5.50 + - 8.5.51 + - 8.5.53 + - 8.5.54 + - 8.5.55 + - 8.5.56 + - 8.5.57 + - 8.5.58 + - 8.5.59 + - 8.5.6 + - 8.5.60 + - 8.5.61 + - 8.5.63 + - 8.5.64 + - 8.5.65 + - 8.5.66 + - 8.5.68 + - 8.5.69 + - 8.5.70 + - 8.5.71 + - 8.5.72 + - 8.5.73 + - 8.5.75 + - 8.5.76 + - 8.5.77 + - 8.5.78 + - 8.5.79 + - 8.5.8 + - 8.5.81 + - 8.5.82 + - 8.5.83 + - 8.5.84 + - 8.5.85 + - 
8.5.86 + - 8.5.87 + - 8.5.88 + - 8.5.89 + - 8.5.9 + - 8.5.90 + - 8.5.91 + - 8.5.92 + - 8.5.93 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0-M1 + - fixed: 11.0.0-M12 + versions: + - 11.0.0-M1 + - 11.0.0-M10 + - 11.0.0-M11 + - 11.0.0-M3 + - 11.0.0-M4 + - 11.0.0-M5 + - 11.0.0-M6 + - 11.0.0-M7 + - 11.0.0-M9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.1.0-M1 + - fixed: 10.1.14 + versions: + - 10.1.0 + - 10.1.0-M1 + - 10.1.0-M10 + - 10.1.0-M11 + - 10.1.0-M12 + - 10.1.0-M14 + - 10.1.0-M15 + - 10.1.0-M16 + - 10.1.0-M17 + - 10.1.0-M2 + - 10.1.0-M4 + - 10.1.0-M5 + - 10.1.0-M6 + - 10.1.0-M7 + - 10.1.0-M8 + - 10.1.1 + - 10.1.10 + - 10.1.11 + - 10.1.12 + - 10.1.13 + - 10.1.2 + - 10.1.4 + - 10.1.5 + - 10.1.6 + - 10.1.7 + - 10.1.8 + - 10.1.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0-M1 + - fixed: 9.0.81 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M3 + - 
9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 + - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 + - 9.0.40 + - 9.0.41 + - 9.0.43 + - 9.0.44 + - 9.0.45 + - 9.0.46 + - 9.0.48 + - 9.0.5 + - 9.0.50 + - 9.0.52 + - 9.0.53 + - 9.0.54 + - 9.0.55 + - 9.0.56 + - 9.0.58 + - 9.0.59 + - 9.0.6 + - 9.0.60 + - 9.0.62 + - 9.0.63 + - 9.0.64 + - 9.0.65 + - 9.0.67 + - 9.0.68 + - 9.0.69 + - 9.0.7 + - 9.0.70 + - 9.0.71 + - 9.0.72 + - 9.0.73 + - 9.0.74 + - 9.0.75 + - 9.0.76 + - 9.0.78 + - 9.0.79 + - 9.0.8 + - 9.0.80 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.94 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.49 + - 8.5.5 + - 8.5.50 + - 8.5.51 + - 8.5.53 + - 8.5.54 + - 8.5.55 + - 8.5.56 + - 8.5.57 + - 8.5.58 + - 8.5.59 + - 8.5.6 + - 8.5.60 + - 8.5.61 + - 8.5.63 + - 8.5.64 + - 8.5.65 + - 8.5.66 + - 8.5.68 + - 8.5.69 + - 8.5.70 + - 8.5.71 + - 8.5.72 + - 8.5.73 + - 8.5.75 + - 8.5.76 + - 8.5.77 + - 8.5.78 + - 8.5.79 + - 8.5.8 + - 8.5.81 + - 8.5.82 + - 8.5.83 + - 8.5.84 + - 8.5.85 + - 8.5.86 + - 8.5.87 + - 8.5.88 + - 8.5.89 + - 8.5.9 + - 8.5.90 + - 8.5.91 + - 8.5.92 + - 8.5.93 + 
database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-42795 + - type: WEB + url: https://github.com/apache/tomcat/commit/30f8063d7a9b4c43ae4722f5e382a76af1d7a6bf + - type: WEB + url: https://github.com/apache/tomcat/commit/44d05d75d696ca10ce251e4e370511e38f20ae75 + - type: WEB + url: https://github.com/apache/tomcat/commit/9375d67106f8df9eb9d7b360b2bef052fe67d3d4 + - type: WEB + url: https://github.com/apache/tomcat/commit/d6db22e411307c97ddf78315c15d5889356eca38 + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20231103-0007 + - type: WEB + url: https://www.debian.org/security/2023/dsa-5521 + - type: WEB + url: https://www.debian.org/security/2023/dsa-5522 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2023/10/10/9 + database_specific: + cwe_ids: + - CWE-459 + github_reviewed: true + github_reviewed_at: "2023-10-10T22:30:05Z" + nvd_published_at: "2023-10-10T18:15:18Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-hfrx-6qgj-fp6c + modified: 2024-04-18T17:16:23.151022Z + published: 2023-02-20T18:30:17Z + aliases: + - CVE-2023-24998 + summary: Apache Commons FileUpload denial of service vulnerability + details: Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. 
Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. + affected: + - package: + ecosystem: Maven + name: commons-fileupload:commons-fileupload + purl: pkg:maven/commons-fileupload/commons-fileupload + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.5" + versions: + - "1.0" + - 1.0-beta-1 + - 1.0-rc1 + - "1.1" + - 1.1.1 + - "1.2" + - 1.2.1 + - 1.2.2 + - "1.3" + - 1.3.1 + - 1.3.1-jenkins-1 + - 1.3.1-jenkins-2 + - 1.3.2 + - 1.3.3 + - "1.4" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-coyote + purl: pkg:maven/org.apache.tomcat/tomcat-coyote + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.1.0-M1 + - fixed: 10.1.5 + versions: + - 10.1.0 + - 10.1.0-M1 + - 10.1.0-M10 + - 10.1.0-M11 + - 10.1.0-M12 + - 10.1.0-M14 + - 10.1.0-M15 + - 10.1.0-M16 + - 10.1.0-M17 + - 10.1.0-M2 + - 10.1.0-M4 + - 10.1.0-M5 + - 10.1.0-M6 + - 10.1.0-M7 + - 10.1.0-M8 + - 10.1.1 + - 10.1.2 + - 10.1.4 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-coyote + purl: pkg:maven/org.apache.tomcat/tomcat-coyote + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0-M2 + - fixed: 11.0.0-M5 + versions: + - 11.0.0-M3 + - 11.0.0-M4 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-coyote + purl: pkg:maven/org.apache.tomcat/tomcat-coyote + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.85 + - fixed: 8.5.88 + 
versions: + - 8.5.85 + - 8.5.86 + - 8.5.87 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-coyote + purl: pkg:maven/org.apache.tomcat/tomcat-coyote + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0-M1 + - fixed: 9.0.71 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 + - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 + - 9.0.40 + - 9.0.41 + - 9.0.43 + - 9.0.44 + - 9.0.45 + - 9.0.46 + - 9.0.48 + - 9.0.5 + - 9.0.50 + - 9.0.52 + - 9.0.53 + - 9.0.54 + - 9.0.55 + - 9.0.56 + - 9.0.58 + - 9.0.59 + - 9.0.6 + - 9.0.60 + - 9.0.62 + - 9.0.63 + - 9.0.64 + - 9.0.65 + - 9.0.67 + - 9.0.68 + - 9.0.69 + - 9.0.7 + - 9.0.70 + - 9.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.1.0-M1 + - fixed: 10.1.5 + versions: + - 10.1.0 + - 10.1.0-M1 + - 10.1.0-M10 + - 10.1.0-M11 + - 10.1.0-M12 + - 10.1.0-M14 + - 10.1.0-M15 + - 10.1.0-M16 + - 10.1.0-M17 + - 10.1.0-M2 + - 10.1.0-M4 + - 10.1.0-M5 + - 10.1.0-M6 + - 10.1.0-M7 + - 10.1.0-M8 + - 10.1.1 + - 10.1.2 + - 10.1.4 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0-M2 + - fixed: 11.0.0-M5 + versions: + - 11.0.0-M3 + - 11.0.0-M4 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.85 + - fixed: 8.5.88 + versions: + - 8.5.85 + - 8.5.86 + - 8.5.87 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0-M1 + - fixed: 9.0.71 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 + - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 + - 9.0.40 + - 9.0.41 + - 9.0.43 + - 9.0.44 + - 9.0.45 + - 9.0.46 + - 9.0.48 + - 9.0.5 + - 9.0.50 + - 9.0.52 + - 9.0.53 + - 9.0.54 + - 9.0.55 + - 9.0.56 + - 9.0.58 + - 9.0.59 + - 9.0.6 + - 9.0.60 + - 9.0.62 
+ - 9.0.63 + - 9.0.64 + - 9.0.65 + - 9.0.67 + - 9.0.68 + - 9.0.69 + - 9.0.7 + - 9.0.70 + - 9.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-24998 + - type: WEB + url: https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17 + - type: WEB + url: https://github.com/apache/tomcat/commit/8a2285f13affa961cc65595aad999db5efae45ce + - type: WEB + url: https://github.com/apache/tomcat/commit/9ca96c8c1eba86c0aaa2e6be581ba2a7d4d4ae6e + - type: WEB + url: https://github.com/apache/tomcat/commit/cf77cc545de0488fb89e24294151504a7432df74 + - type: WEB + url: https://github.com/apache/tomcat/commit/d53d8e7f77042cc32a3b98f589496a1ef5088e38 + - type: WEB + url: https://www.debian.org/security/2023/dsa-5522 + - type: WEB + url: https://tomcat.apache.org/security-9.html + - type: WEB + url: https://tomcat.apache.org/security-8.html + - type: WEB + url: https://tomcat.apache.org/security-11.html + - type: WEB + url: https://tomcat.apache.org/security-10.html + - type: WEB + url: https://security.gentoo.org/glsa/202305-37 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html + - type: WEB + url: https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy + - type: WEB + url: https://github.com/search?q=repo%3Aapache%2Ftomcat+util.http+path%3A%2F%5Eres%5C%2Fbnd%5C%2F%2F&type=code + - type: PACKAGE + url: https://github.com/apache/commons-fileupload + - type: WEB + url: https://commons.apache.org/proper/commons-fileupload/security-reports.html + - type: WEB + url: http://www.openwall.com/lists/oss-security/2023/05/22/1 + database_specific: + cwe_ids: + - CWE-770 + github_reviewed: true + github_reviewed_at: "2023-02-22T00:12:07Z" + 
nvd_published_at: "2023-02-20T16:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-hh3j-x4mc-g48r + modified: 2024-03-14T05:19:45.437799Z + published: 2019-12-26T18:22:36Z + aliases: + - CVE-2019-12418 + summary: Insufficiently Protected Credentials in Apache Tomcat + details: When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance. + affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 7.0.99 + versions: + - 7.0.0 + - 7.0.11 + - 7.0.12 + - 7.0.14 + - 7.0.16 + - 7.0.19 + - 7.0.2 + - 7.0.20 + - 7.0.21 + - 7.0.22 + - 7.0.23 + - 7.0.25 + - 7.0.26 + - 7.0.27 + - 7.0.28 + - 7.0.29 + - 7.0.30 + - 7.0.32 + - 7.0.33 + - 7.0.34 + - 7.0.35 + - 7.0.37 + - 7.0.39 + - 7.0.4 + - 7.0.40 + - 7.0.41 + - 7.0.42 + - 7.0.47 + - 7.0.5 + - 7.0.50 + - 7.0.52 + - 7.0.53 + - 7.0.54 + - 7.0.55 + - 7.0.56 + - 7.0.57 + - 7.0.59 + - 7.0.6 + - 7.0.61 + - 7.0.62 + - 7.0.63 + - 7.0.64 + - 7.0.65 + - 7.0.67 + - 7.0.68 + - 7.0.69 + - 7.0.70 + - 7.0.72 + - 7.0.73 + - 7.0.75 + - 7.0.76 + - 7.0.77 + - 7.0.78 + - 7.0.79 + - 7.0.8 + - 7.0.81 + - 7.0.82 + - 7.0.84 + - 7.0.85 + - 7.0.86 + - 7.0.88 + - 7.0.90 + - 7.0.91 + - 7.0.92 + - 7.0.93 + - 7.0.94 + - 7.0.96 + database_specific: + last_known_affected_version_range: < 7.0.98 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-hh3j-x4mc-g48r/GHSA-hh3j-x4mc-g48r.json + - package: + ecosystem: Maven + name: 
org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.0.0 + - fixed: 8.5.49 + versions: + - 8.0.1 + - 8.0.11 + - 8.0.12 + - 8.0.14 + - 8.0.15 + - 8.0.17 + - 8.0.18 + - 8.0.20 + - 8.0.21 + - 8.0.22 + - 8.0.23 + - 8.0.24 + - 8.0.26 + - 8.0.27 + - 8.0.28 + - 8.0.29 + - 8.0.3 + - 8.0.30 + - 8.0.32 + - 8.0.33 + - 8.0.35 + - 8.0.36 + - 8.0.37 + - 8.0.38 + - 8.0.39 + - 8.0.41 + - 8.0.42 + - 8.0.43 + - 8.0.44 + - 8.0.45 + - 8.0.46 + - 8.0.47 + - 8.0.48 + - 8.0.49 + - 8.0.5 + - 8.0.50 + - 8.0.51 + - 8.0.52 + - 8.0.53 + - 8.0.8 + - 8.0.9 + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.5 + - 8.5.6 + - 8.5.8 + - 8.5.9 + database_specific: + last_known_affected_version_range: < 8.5.48 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-hh3j-x4mc-g48r/GHSA-hh3j-x4mc-g48r.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0 + - fixed: 9.0.29 + versions: + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.4 + - 9.0.5 + - 9.0.6 + - 9.0.7 + - 9.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-hh3j-x4mc-g48r/GHSA-hh3j-x4mc-g48r.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H + references: + - type: 
ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-12418 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.debian.org/security/2020/dsa-4680 + - type: WEB + url: https://www.debian.org/security/2019/dsa-4596 + - type: WEB + url: https://usn.ubuntu.com/4251-1 + - type: WEB + url: https://support.f5.com/csp/article/K10107360?utm_source=f5support&utm_medium=RSS + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200107-0001 + - type: WEB + url: https://security.gentoo.org/glsa/202003-43 + - type: WEB + url: https://seclists.org/bugtraq/2019/Dec/43 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/03/msg00029.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html + - type: WEB + url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/43530b91506e2e0c11cfbe691173f5df8c48f51b98262426d7493b67%40%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html + database_specific: + cwe_ids: + - CWE-522 + github_reviewed: true + github_reviewed_at: "2019-12-26T18:22:10Z" + nvd_published_at: "2019-12-23T18:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-j39c-c8hj-x4j3 + 
modified: 2024-02-19T05:31:44.331997Z + published: 2021-06-16T17:45:29Z + aliases: + - BIT-tomcat-2021-25122 + - CVE-2021-25122 + summary: Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat + details: When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request. + affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.0.0 + - fixed: 10.0.2 + versions: + - 10.0.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-j39c-c8hj-x4j3/GHSA-j39c-c8hj-x4j3.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0 + - fixed: 9.0.43 + versions: + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 + - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 + - 9.0.40 + - 9.0.41 + - 9.0.5 + - 9.0.6 + - 9.0.7 + - 9.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-j39c-c8hj-x4j3/GHSA-j39c-c8hj-x4j3.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.63 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 
8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.49 + - 8.5.5 + - 8.5.50 + - 8.5.51 + - 8.5.53 + - 8.5.54 + - 8.5.55 + - 8.5.56 + - 8.5.57 + - 8.5.58 + - 8.5.59 + - 8.5.6 + - 8.5.60 + - 8.5.61 + - 8.5.8 + - 8.5.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-j39c-c8hj-x4j3/GHSA-j39c-c8hj-x4j3.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-25122 + - type: WEB + url: https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcd90bf36b1877e1310b87ecd14ed7bbb15da52b297efd9f0e7253a3b@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd0463f9a5cbc02a485404c4b990f0da452e5ac5c237808edba11c947@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E + - type: 
WEB + url: https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html + - type: WEB + url: https://security.gentoo.org/glsa/202208-34 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210409-0002 + - type: WEB + url: https://www.debian.org/security/2021/dsa-4891 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/03/01/1 + database_specific: + cwe_ids: + - CWE-200 + github_reviewed: true + github_reviewed_at: "2021-03-24T19:53:13Z" + nvd_published_at: "2021-03-01T12:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-jgwr-3qm3-26f3 + modified: 2024-03-08T05:18:06.945365Z + published: 2021-03-19T20:11:13Z + aliases: + - BIT-tomcat-2021-25329 + - CVE-2021-25329 + summary: Potential remote code execution in Apache Tomcat + details: The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.0.0-M1 + - fixed: 10.0.2 + versions: + - 10.0.0 + - 10.0.0-M1 + - 10.0.0-M10 + - 10.0.0-M3 + - 10.0.0-M4 + - 10.0.0-M5 + - 10.0.0-M6 + - 10.0.0-M7 + - 10.0.0-M8 + - 10.0.0-M9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-jgwr-3qm3-26f3/GHSA-jgwr-3qm3-26f3.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0 + - fixed: 9.0.41 + versions: + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 + - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 + - 9.0.40 + - 9.0.5 + - 9.0.6 + - 9.0.7 + - 9.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-jgwr-3qm3-26f3/GHSA-jgwr-3qm3-26f3.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.0.0 + - fixed: 8.5.61 + versions: + - 8.0.1 + - 8.0.11 + - 8.0.12 + - 8.0.14 + - 8.0.15 + - 8.0.17 + - 8.0.18 + - 8.0.20 + - 8.0.21 + - 8.0.22 + - 8.0.23 + - 8.0.24 + - 8.0.26 + - 8.0.27 + - 8.0.28 + - 8.0.29 + - 8.0.3 + - 8.0.30 + - 8.0.32 + - 8.0.33 + - 8.0.35 + - 8.0.36 + - 8.0.37 + - 8.0.38 + - 8.0.39 + - 8.0.41 + - 8.0.42 + - 8.0.43 + - 8.0.44 + - 8.0.45 + - 8.0.46 + - 8.0.47 + - 8.0.48 + - 8.0.49 + - 8.0.5 + - 8.0.50 + - 8.0.51 + - 8.0.52 + - 8.0.53 + - 8.0.8 + - 8.0.9 + - 8.5.0 + - 8.5.11 + 
- 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.49 + - 8.5.5 + - 8.5.50 + - 8.5.51 + - 8.5.53 + - 8.5.54 + - 8.5.55 + - 8.5.56 + - 8.5.57 + - 8.5.58 + - 8.5.59 + - 8.5.6 + - 8.5.60 + - 8.5.8 + - 8.5.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-jgwr-3qm3-26f3/GHSA-jgwr-3qm3-26f3.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 7.0.0 + - fixed: 7.0.108 + versions: + - 7.0.0 + - 7.0.100 + - 7.0.103 + - 7.0.104 + - 7.0.105 + - 7.0.106 + - 7.0.107 + - 7.0.11 + - 7.0.12 + - 7.0.14 + - 7.0.16 + - 7.0.19 + - 7.0.2 + - 7.0.20 + - 7.0.21 + - 7.0.22 + - 7.0.23 + - 7.0.25 + - 7.0.26 + - 7.0.27 + - 7.0.28 + - 7.0.29 + - 7.0.30 + - 7.0.32 + - 7.0.33 + - 7.0.34 + - 7.0.35 + - 7.0.37 + - 7.0.39 + - 7.0.4 + - 7.0.40 + - 7.0.41 + - 7.0.42 + - 7.0.47 + - 7.0.5 + - 7.0.50 + - 7.0.52 + - 7.0.53 + - 7.0.54 + - 7.0.55 + - 7.0.56 + - 7.0.57 + - 7.0.59 + - 7.0.6 + - 7.0.61 + - 7.0.62 + - 7.0.63 + - 7.0.64 + - 7.0.65 + - 7.0.67 + - 7.0.68 + - 7.0.69 + - 7.0.70 + - 7.0.72 + - 7.0.73 + - 7.0.75 + - 7.0.76 + - 7.0.77 + - 7.0.78 + - 7.0.79 + - 7.0.8 + - 7.0.81 + - 7.0.82 + - 7.0.84 + - 7.0.85 + - 7.0.86 + - 7.0.88 + - 7.0.90 + - 7.0.91 + - 7.0.92 + - 7.0.93 + - 7.0.94 + - 7.0.96 + - 7.0.99 + database_specific: + last_known_affected_version_range: < 7.0.107 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-jgwr-3qm3-26f3/GHSA-jgwr-3qm3-26f3.json + severity: + - type: CVSS_V3 + score: 
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-25329 + - type: WEB + url: https://github.com/apache/tomcat/commit/6d66e99ef85da93e4d2c2a536ca51aa3418bfaf4 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.debian.org/security/2021/dsa-4891 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210409-0002 + - type: WEB + url: https://security.gentoo.org/glsa/202208-34 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html + - type: WEB + url: https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r732b2ca289dc02df2de820e8775559abd6c207f159e39f559547a085@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77@%3Cusers.tomcat.apache.org%3E + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/03/01/2 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2021-03-19T20:10:56Z" + nvd_published_at: "2021-03-01T12:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-jjpq-gp5q-8q6w + modified: 2024-03-11T14:57:09.068862Z + published: 2019-05-30T03:30:42Z + aliases: + - CVE-2019-0221 + summary: Cross-site scripting in Apache Tomcat + details: The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0 + - fixed: 9.0.17 + versions: + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.2 + - 9.0.4 + - 9.0.5 + - 9.0.6 + - 9.0.7 + - 9.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-jjpq-gp5q-8q6w/GHSA-jjpq-gp5q-8q6w.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.0.0 + - fixed: 8.5.40 + versions: + - 8.0.1 + - 8.0.11 + - 8.0.12 + - 8.0.14 + - 8.0.15 + - 8.0.17 + - 8.0.18 + - 8.0.20 + - 8.0.21 + - 8.0.22 + - 8.0.23 + - 8.0.24 + - 8.0.26 + - 8.0.27 + - 8.0.28 + - 8.0.29 + - 8.0.3 + - 8.0.30 + - 8.0.32 + - 8.0.33 + - 8.0.35 + - 8.0.36 + - 8.0.37 + - 8.0.38 + - 8.0.39 + - 8.0.41 + - 8.0.42 + - 8.0.43 + - 8.0.44 + - 8.0.45 + - 8.0.46 + - 8.0.47 + - 8.0.48 + - 8.0.49 + - 8.0.5 + - 8.0.50 + - 8.0.51 + - 8.0.52 + - 8.0.53 + - 8.0.8 + - 8.0.9 + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.5 + - 8.5.6 + - 8.5.8 + - 8.5.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-jjpq-gp5q-8q6w/GHSA-jjpq-gp5q-8q6w.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 7.0.0 + - fixed: 7.0.94 + versions: + - 7.0.0 + - 7.0.11 + - 7.0.12 + - 
7.0.14 + - 7.0.16 + - 7.0.19 + - 7.0.2 + - 7.0.20 + - 7.0.21 + - 7.0.22 + - 7.0.23 + - 7.0.25 + - 7.0.26 + - 7.0.27 + - 7.0.28 + - 7.0.29 + - 7.0.30 + - 7.0.32 + - 7.0.33 + - 7.0.34 + - 7.0.35 + - 7.0.37 + - 7.0.39 + - 7.0.4 + - 7.0.40 + - 7.0.41 + - 7.0.42 + - 7.0.47 + - 7.0.5 + - 7.0.50 + - 7.0.52 + - 7.0.53 + - 7.0.54 + - 7.0.55 + - 7.0.56 + - 7.0.57 + - 7.0.59 + - 7.0.6 + - 7.0.61 + - 7.0.62 + - 7.0.63 + - 7.0.64 + - 7.0.65 + - 7.0.67 + - 7.0.68 + - 7.0.69 + - 7.0.70 + - 7.0.72 + - 7.0.73 + - 7.0.75 + - 7.0.76 + - 7.0.77 + - 7.0.78 + - 7.0.79 + - 7.0.8 + - 7.0.81 + - 7.0.82 + - 7.0.84 + - 7.0.85 + - 7.0.86 + - 7.0.88 + - 7.0.90 + - 7.0.91 + - 7.0.92 + - 7.0.93 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-jjpq-gp5q-8q6w/GHSA-jjpq-gp5q-8q6w.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-0221 + - type: WEB + url: https://github.com/apache/tomcat/commit/15fcd166ea2c1bb79e8541b8e1a43da9c452ceea + - type: WEB + url: https://github.com/apache/tomcat/commit/44ec74c44dcd05cd7e90967c04d40b51440ecd7e + - type: WEB + url: https://github.com/apache/tomcat/commit/4fcdf706f3ecf35912a600242f89637f5acb32da + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46 + - type: WEB + url: https://seclists.org/bugtraq/2019/Dec/43 + - type: WEB + url: https://security.gentoo.org/glsa/202003-43 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190606-0001 + - type: WEB + url: 
https://support.f5.com/csp/article/K13184144?utm_source=f5support&%3Butm_medium=RSS + - type: WEB + url: https://support.f5.com/csp/article/K13184144?utm_source=f5support&utm_medium=RSS + - type: WEB + url: https://tomcat.apache.org/security-7.html + - type: WEB + url: https://tomcat.apache.org/security-8.html + - type: WEB + url: https://tomcat.apache.org/security-9.html + - type: WEB + url: https://usn.ubuntu.com/4128-1 + - type: WEB + url: https://usn.ubuntu.com/4128-2 + - type: WEB + url: https://web.archive.org/web/20200227055048/http://www.securityfocus.com/bid/108545 + - type: WEB + url: https://www.debian.org/security/2019/dsa-4596 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3929 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3931 + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c@%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3 + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html + - type: WEB + url: http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html + - type: WEB + url: http://seclists.org/fulldisclosure/2019/May/50 + 
database_specific: + cwe_ids: + - CWE-79 + github_reviewed: true + github_reviewed_at: "2019-05-30T03:30:07Z" + nvd_published_at: "2019-05-28T22:29:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-jx6h-3fjx-cgv5 + modified: 2024-03-12T05:32:21.508504Z + published: 2018-10-17T16:31:48Z + aliases: + - CVE-2018-1305 + summary: Apache Tomcat information exposure vulnerability + details: Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them. + affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0M1 + - fixed: 9.0.5 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + - 9.0.1 + - 9.0.2 + - 9.0.4 + database_specific: + last_known_affected_version_range: <= 9.0.4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-jx6h-3fjx-cgv5/GHSA-jx6h-3fjx-cgv5.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.28 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 
8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.3 + - 8.5.4 + - 8.5.5 + - 8.5.6 + - 8.5.8 + - 8.5.9 + database_specific: + last_known_affected_version_range: <= 8.5.27 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-jx6h-3fjx-cgv5/GHSA-jx6h-3fjx-cgv5.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 7.0.0 + - fixed: 7.0.85 + versions: + - 7.0.0 + - 7.0.11 + - 7.0.12 + - 7.0.14 + - 7.0.16 + - 7.0.19 + - 7.0.2 + - 7.0.20 + - 7.0.21 + - 7.0.22 + - 7.0.23 + - 7.0.25 + - 7.0.26 + - 7.0.27 + - 7.0.28 + - 7.0.29 + - 7.0.30 + - 7.0.32 + - 7.0.33 + - 7.0.34 + - 7.0.35 + - 7.0.37 + - 7.0.39 + - 7.0.4 + - 7.0.40 + - 7.0.41 + - 7.0.42 + - 7.0.47 + - 7.0.5 + - 7.0.50 + - 7.0.52 + - 7.0.53 + - 7.0.54 + - 7.0.55 + - 7.0.56 + - 7.0.57 + - 7.0.59 + - 7.0.6 + - 7.0.61 + - 7.0.62 + - 7.0.63 + - 7.0.64 + - 7.0.65 + - 7.0.67 + - 7.0.68 + - 7.0.69 + - 7.0.70 + - 7.0.72 + - 7.0.73 + - 7.0.75 + - 7.0.76 + - 7.0.77 + - 7.0.78 + - 7.0.79 + - 7.0.8 + - 7.0.81 + - 7.0.82 + - 7.0.84 + database_specific: + last_known_affected_version_range: <= 7.0.84 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-jx6h-3fjx-cgv5/GHSA-jx6h-3fjx-cgv5.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-1305 + - type: WEB + url: https://github.com/apache/tomcat/commit/2349801827f09fb6582a8afdeca704294106ad9a + - type: WEB + url: https://github.com/apache/tomcat/commit/2aac69f694d42d9219eb27018b3da0ae1bdd73ab + - type: WEB + url: https://github.com/apache/tomcat/commit/3e54b2a6314eda11617ff7a7b899c251e222b1a1 + - type: WEB + url: https://github.com/apache/tomcat/commit/4d637bc3986e5d09b9363e2144b8ba74fa6eac3a + - type: WEB + url: 
https://github.com/apache/tomcat/commit/c63b96d72cd39287e17b2ba698f4eee0ba508073 + - type: WEB + url: https://github.com/apache/tomcat/commit/de6b4fd58b64828f374503b9ec76a12017b92895 + - type: WEB + url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20180706-0001 + - type: WEB + url: https://usn.ubuntu.com/3665-1 + - type: WEB + url: https://web.archive.org/web/20200227030042/http://www.securityfocus.com/bid/103144 + - type: WEB + url: https://web.archive.org/web/20200516094320/http://www.securitytracker.com/id/1040428 + - type: WEB + url: https://www.debian.org/security/2018/dsa-4281 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0465 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0466 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1320 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2939 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2205 + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E + - 
type: WEB + url: https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fdb75d12c7d16060b23e65781%40%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fdb75d12c7d16060b23e65781@%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html + database_specific: + cwe_ids: [] + github_reviewed: true + github_reviewed_at: "2020-06-16T21:44:18Z" + nvd_published_at: "2018-02-23T23:29:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-m59c-jpc8-m2x4 + modified: 2024-03-12T05:33:41.550174Z + published: 2018-10-17T16:32:18Z + aliases: + - CVE-2018-1336 + summary: 'In Apache Tomcat there is an improper handing of overflow in the UTF-8 decoder ' + details: 'An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.' 
+ affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0.M9 + - fixed: 9.0.8 + versions: + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M9 + - 9.0.1 + - 9.0.2 + - 9.0.4 + - 9.0.5 + - 9.0.6 + - 9.0.7 + database_specific: + last_known_affected_version_range: <= 9.0.7 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-m59c-jpc8-m2x4/GHSA-m59c-jpc8-m2x4.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.31 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.4 + - 8.5.5 + - 8.5.6 + - 8.5.8 + - 8.5.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-m59c-jpc8-m2x4/GHSA-m59c-jpc8-m2x4.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.0.0RC1 + - fixed: 8.0.51 + versions: + - 8.0.0-RC1 + - 8.0.0-RC10 + - 8.0.0-RC3 + - 8.0.0-RC5 + - 8.0.1 + - 8.0.11 + - 8.0.12 + - 8.0.14 + - 8.0.15 + - 8.0.17 + - 8.0.18 + - 8.0.20 + - 8.0.21 + - 8.0.22 + - 8.0.23 + - 8.0.24 + - 8.0.26 + - 8.0.27 + - 8.0.28 + - 8.0.29 + - 8.0.3 + - 8.0.30 + - 8.0.32 + - 8.0.33 + - 8.0.35 + - 8.0.36 + - 8.0.37 + - 8.0.38 + - 8.0.39 + - 8.0.41 + - 8.0.42 + - 8.0.43 + - 8.0.44 + - 8.0.45 + - 8.0.46 + - 
8.0.47 + - 8.0.48 + - 8.0.49 + - 8.0.5 + - 8.0.50 + - 8.0.8 + - 8.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-m59c-jpc8-m2x4/GHSA-m59c-jpc8-m2x4.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 7.0.28 + - fixed: 7.0.87 + versions: + - 7.0.28 + - 7.0.29 + - 7.0.30 + - 7.0.32 + - 7.0.33 + - 7.0.34 + - 7.0.35 + - 7.0.37 + - 7.0.39 + - 7.0.40 + - 7.0.41 + - 7.0.42 + - 7.0.47 + - 7.0.50 + - 7.0.52 + - 7.0.53 + - 7.0.54 + - 7.0.55 + - 7.0.56 + - 7.0.57 + - 7.0.59 + - 7.0.61 + - 7.0.62 + - 7.0.63 + - 7.0.64 + - 7.0.65 + - 7.0.67 + - 7.0.68 + - 7.0.69 + - 7.0.70 + - 7.0.72 + - 7.0.73 + - 7.0.75 + - 7.0.76 + - 7.0.77 + - 7.0.78 + - 7.0.79 + - 7.0.81 + - 7.0.82 + - 7.0.84 + - 7.0.85 + - 7.0.86 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-m59c-jpc8-m2x4/GHSA-m59c-jpc8-m2x4.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-1336 + - type: WEB + url: https://github.com/apache/tomcat80/commit/9e9b7fe1b5732277a26e437f1d32155de6208ef2 + - type: WEB + url: https://github.com/apache/tomcat/commit/e00812b94e5830b2be3de04f4ae4ade38a700074 + - type: WEB + url: https://github.com/apache/tomcat/commit/92cd494555598e99dd691712e8ee426a2f9c2e93 + - type: WEB + url: https://github.com/apache/tomcat/commit/156d76a6afeef440d14044a560d6ad1d029361c4 + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2018/09/msg00001.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20180817-0001 + - type: WEB + url: https://support.f5.com/csp/article/K73008537?utm_source=f5support&%3Butm_medium=RSS + - type: WEB + url: https://support.f5.com/csp/article/K73008537?utm_source=f5support&utm_medium=RSS + - type: WEB + url: https://usn.ubuntu.com/3723-1 + - type: WEB + url: https://web.archive.org/web/20190703075545/http://www.securitytracker.com/id/1041375 + - type: WEB + url: https://web.archive.org/web/20200227102810/http://www.securityfocus.com/bid/104898 + - type: WEB + url: https://www.debian.org/security/2018/dsa-4281 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://access.redhat.com/errata/RHEA-2018:2188 + - type: WEB + url: https://access.redhat.com/errata/RHEA-2018:2189 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2700 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2701 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2740 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2741 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2742 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2743 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2921 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2930 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2939 + - type: WEB + url: 
https://access.redhat.com/errata/RHSA-2018:2945 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:3768 + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090435.GA60759%40minotaur.apache.org%3E + database_specific: + cwe_ids: + - CWE-835 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:44:57Z" + nvd_published_at: "2018-08-02T14:29:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-mppv-79ch-vw6q + modified: 2024-04-24T19:44:03Z + published: 2023-06-21T12:30:19Z + aliases: + - BIT-tomcat-2023-34981 + - CVE-2023-34981 + summary: Apache Tomcat vulnerable to information leak + details: A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS message would be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request leading to an information leak. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0-M5 + - fixed: 11.0.0-M6 + versions: + - 11.0.0-M5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.1.8 + - fixed: 10.1.9 + versions: + - 10.1.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.74 + - fixed: 9.0.75 + versions: + - 9.0.74 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-coyote + purl: pkg:maven/org.apache.tomcat/tomcat-coyote + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.88 + - fixed: 8.5.89 + versions: + - 8.5.88 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-34981 + - type: WEB + url: https://github.com/apache/tomcat/commit/2214c8030522aa9b2a367dfa5d9acff1a03666ae + - type: WEB + url: 
https://github.com/apache/tomcat/commit/2f0ca2378415f4cf0748f4bc8fa955f41f803fa5 + - type: WEB + url: https://github.com/apache/tomcat/commit/739c7381aed22b7636351caf885ddc519ab6b442 + - type: WEB + url: https://github.com/apache/tomcat/commit/f0742f47b98aca943097f7f88e0d1163f57527e3 + - type: WEB + url: https://bz.apache.org/bugzilla/show_bug.cgi?id=66512 + - type: WEB + url: https://bz.apache.org/bugzilla/show_bug.cgi?id=66591 + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz + - type: WEB + url: https://security.netapp.com/advisory/ntap-20230714-0003 + - type: WEB + url: https://tomcat.apache.org/security-10.html + - type: WEB + url: https://tomcat.apache.org/security-11.html + - type: WEB + url: https://tomcat.apache.org/security-8.html + - type: WEB + url: https://tomcat.apache.org/security-9.html + database_specific: + cwe_ids: [] + github_reviewed: true + github_reviewed_at: "2023-06-21T22:06:39Z" + nvd_published_at: "2023-06-21T11:15:09Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-p22x-g9px-3945 + modified: 2024-04-23T20:46:15.447071Z + published: 2022-11-01T12:00:30Z + aliases: + - BIT-tomcat-2022-42252 + - CVE-2022-42252 + summary: Apache Tomcat may reject request containing invalid Content-Length header + details: If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.83 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.49 + - 8.5.5 + - 8.5.50 + - 8.5.51 + - 8.5.53 + - 8.5.54 + - 8.5.55 + - 8.5.56 + - 8.5.57 + - 8.5.58 + - 8.5.59 + - 8.5.6 + - 8.5.60 + - 8.5.61 + - 8.5.63 + - 8.5.64 + - 8.5.65 + - 8.5.66 + - 8.5.68 + - 8.5.69 + - 8.5.70 + - 8.5.71 + - 8.5.72 + - 8.5.73 + - 8.5.75 + - 8.5.76 + - 8.5.77 + - 8.5.78 + - 8.5.79 + - 8.5.8 + - 8.5.81 + - 8.5.82 + - 8.5.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0-M1 + - fixed: 9.0.68 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 + - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 + - 9.0.40 + - 9.0.41 + - 9.0.43 + - 9.0.44 + - 9.0.45 + - 9.0.46 + 
- 9.0.48 + - 9.0.5 + - 9.0.50 + - 9.0.52 + - 9.0.53 + - 9.0.54 + - 9.0.55 + - 9.0.56 + - 9.0.58 + - 9.0.59 + - 9.0.6 + - 9.0.60 + - 9.0.62 + - 9.0.63 + - 9.0.64 + - 9.0.65 + - 9.0.67 + - 9.0.7 + - 9.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.0.0-M1 + - fixed: 10.0.27 + versions: + - 10.0.0 + - 10.0.0-M1 + - 10.0.0-M10 + - 10.0.0-M3 + - 10.0.0-M4 + - 10.0.0-M5 + - 10.0.0-M6 + - 10.0.0-M7 + - 10.0.0-M8 + - 10.0.0-M9 + - 10.0.10 + - 10.0.11 + - 10.0.12 + - 10.0.13 + - 10.0.14 + - 10.0.16 + - 10.0.17 + - 10.0.18 + - 10.0.2 + - 10.0.20 + - 10.0.21 + - 10.0.22 + - 10.0.23 + - 10.0.26 + - 10.0.4 + - 10.0.5 + - 10.0.6 + - 10.0.7 + - 10.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.1.0-M1 + - fixed: 10.1.1 + versions: + - 10.1.0 + - 10.1.0-M1 + - 10.1.0-M10 + - 10.1.0-M11 + - 10.1.0-M12 + - 10.1.0-M14 + - 10.1.0-M15 + - 10.1.0-M16 + - 10.1.0-M17 + - 10.1.0-M2 + - 10.1.0-M4 + - 10.1.0-M5 + - 10.1.0-M6 + - 10.1.0-M7 + - 10.1.0-M8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-coyote + purl: pkg:maven/org.apache.tomcat/tomcat-coyote + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0-M1 + - fixed: 9.0.68 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 
9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 + - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 + - 9.0.40 + - 9.0.41 + - 9.0.43 + - 9.0.44 + - 9.0.45 + - 9.0.46 + - 9.0.48 + - 9.0.5 + - 9.0.50 + - 9.0.52 + - 9.0.53 + - 9.0.54 + - 9.0.55 + - 9.0.56 + - 9.0.58 + - 9.0.59 + - 9.0.6 + - 9.0.60 + - 9.0.62 + - 9.0.63 + - 9.0.64 + - 9.0.65 + - 9.0.67 + - 9.0.7 + - 9.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-coyote + purl: pkg:maven/org.apache.tomcat/tomcat-coyote + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.0.0-M1 + - fixed: 10.0.27 + versions: + - 10.0.0 + - 10.0.0-M1 + - 10.0.0-M10 + - 10.0.0-M3 + - 10.0.0-M4 + - 10.0.0-M5 + - 10.0.0-M6 + - 10.0.0-M7 + - 10.0.0-M8 + - 10.0.0-M9 + - 10.0.10 + - 10.0.11 + - 10.0.12 + - 10.0.13 + - 10.0.14 + - 10.0.16 + - 10.0.17 + - 10.0.18 + - 10.0.2 + - 10.0.20 + - 10.0.21 + - 10.0.22 + - 10.0.23 + - 10.0.26 + - 10.0.4 + - 10.0.5 + - 10.0.6 + - 10.0.7 + - 10.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-coyote + purl: pkg:maven/org.apache.tomcat/tomcat-coyote + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.1.0-M1 + - fixed: 10.1.1 + versions: + - 10.1.0 + - 10.1.0-M1 + - 10.1.0-M10 + - 10.1.0-M11 + - 10.1.0-M12 + - 
10.1.0-M14 + - 10.1.0-M15 + - 10.1.0-M16 + - 10.1.0-M17 + - 10.1.0-M2 + - 10.1.0-M4 + - 10.1.0-M5 + - 10.1.0-M6 + - 10.1.0-M7 + - 10.1.0-M8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-42252 + - type: WEB + url: https://github.com/apache/tomcat/commit/0d089a15047faf9cb3c82f80f4d28febd4798920 + - type: WEB + url: https://github.com/apache/tomcat/commit/4c7f4fd09d2cc1692112ef70b8ee23a7a037ae77 + - type: WEB + url: https://github.com/apache/tomcat/commit/a1c07906d8dcaf7957e5cc97f5cdbac7d18a205a + - type: WEB + url: https://github.com/apache/tomcat/commit/c9fe754e5d17e262dfbd3eab2a03ca96ff372dc3 + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq + - type: WEB + url: https://security.gentoo.org/glsa/202305-37 + - type: WEB + url: https://tomcat.apache.org/security-10.html + - type: WEB + url: https://tomcat.apache.org/security-8.html + - type: WEB + url: https://tomcat.apache.org/security-9.html + database_specific: + cwe_ids: + - CWE-20 + - CWE-444 + github_reviewed: true + github_reviewed_at: "2022-11-01T18:37:42Z" + nvd_published_at: "2022-11-01T09:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-pjfr-qf3p-3q25 + modified: 2024-03-14T05:31:30.449163Z + published: 2018-10-17T16:30:31Z + aliases: + - CVE-2017-12615 + summary: When running Apache Tomcat on Windows with HTTP PUTs enabled it was possible to upload a JSP file to the server + details: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. 
This JSP could then be requested and any code it contained would be executed by the server. + affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 7.0.0 + - fixed: 7.0.79 + versions: + - 7.0.0 + - 7.0.11 + - 7.0.12 + - 7.0.14 + - 7.0.16 + - 7.0.19 + - 7.0.2 + - 7.0.20 + - 7.0.21 + - 7.0.22 + - 7.0.23 + - 7.0.25 + - 7.0.26 + - 7.0.27 + - 7.0.28 + - 7.0.29 + - 7.0.30 + - 7.0.32 + - 7.0.33 + - 7.0.34 + - 7.0.35 + - 7.0.37 + - 7.0.39 + - 7.0.4 + - 7.0.40 + - 7.0.41 + - 7.0.42 + - 7.0.47 + - 7.0.5 + - 7.0.50 + - 7.0.52 + - 7.0.53 + - 7.0.54 + - 7.0.55 + - 7.0.56 + - 7.0.57 + - 7.0.59 + - 7.0.6 + - 7.0.61 + - 7.0.62 + - 7.0.63 + - 7.0.64 + - 7.0.65 + - 7.0.67 + - 7.0.68 + - 7.0.69 + - 7.0.70 + - 7.0.72 + - 7.0.73 + - 7.0.75 + - 7.0.76 + - 7.0.77 + - 7.0.78 + - 7.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-pjfr-qf3p-3q25/GHSA-pjfr-qf3p-3q25.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-12615 + - type: WEB + url: https://www.synology.com/support/security/Synology_SA_17_54_Tomcat + - type: WEB + url: https://www.exploit-db.com/exploits/42953 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20171018-0001 + - type: WEB + url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://github.com/breaktoprotect/CVE-2017-12615 + - type: ADVISORY + url: https://github.com/advisories/GHSA-pjfr-qf3p-3q25 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0466 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0465 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:3114 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:3113 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:3081 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:3080 + - type: WEB + url: http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html + - type: WEB + url: http://www.securityfocus.com/bid/100901 + - type: WEB + url: http://www.securitytracker.com/id/1039392 + database_specific: + cwe_ids: + - CWE-434 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:49:21Z" + nvd_published_at: null + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-q3mw-pvr8-9ggc + modified: 2024-02-17T05:31:37.094178Z + published: 2023-08-25T21:30:48Z + aliases: + - BIT-tomcat-2023-41080 + - CVE-2023-41080 + summary: Apache Tomcat Open Redirect vulnerability + details: |- + URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. + + The vulnerability is limited to the ROOT (default) web application. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0-M1 + - fixed: 11.0.0-M11 + versions: + - 11.0.0-M1 + - 11.0.0-M10 + - 11.0.0-M3 + - 11.0.0-M4 + - 11.0.0-M5 + - 11.0.0-M6 + - 11.0.0-M7 + - 11.0.0-M9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.1.0-M1 + - fixed: 10.1.13 + versions: + - 10.1.0 + - 10.1.0-M1 + - 10.1.0-M10 + - 10.1.0-M11 + - 10.1.0-M12 + - 10.1.0-M14 + - 10.1.0-M15 + - 10.1.0-M16 + - 10.1.0-M17 + - 10.1.0-M2 + - 10.1.0-M4 + - 10.1.0-M5 + - 10.1.0-M6 + - 10.1.0-M7 + - 10.1.0-M8 + - 10.1.1 + - 10.1.10 + - 10.1.11 + - 10.1.12 + - 10.1.2 + - 10.1.4 + - 10.1.5 + - 10.1.6 + - 10.1.7 + - 10.1.8 + - 10.1.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0-M1 + - fixed: 9.0.80 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 + - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 + - 9.0.40 + - 9.0.41 + - 9.0.43 + - 
9.0.44 + - 9.0.45 + - 9.0.46 + - 9.0.48 + - 9.0.5 + - 9.0.50 + - 9.0.52 + - 9.0.53 + - 9.0.54 + - 9.0.55 + - 9.0.56 + - 9.0.58 + - 9.0.59 + - 9.0.6 + - 9.0.60 + - 9.0.62 + - 9.0.63 + - 9.0.64 + - 9.0.65 + - 9.0.67 + - 9.0.68 + - 9.0.69 + - 9.0.7 + - 9.0.70 + - 9.0.71 + - 9.0.72 + - 9.0.73 + - 9.0.74 + - 9.0.75 + - 9.0.76 + - 9.0.78 + - 9.0.79 + - 9.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.93 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.49 + - 8.5.5 + - 8.5.50 + - 8.5.51 + - 8.5.53 + - 8.5.54 + - 8.5.55 + - 8.5.56 + - 8.5.57 + - 8.5.58 + - 8.5.59 + - 8.5.6 + - 8.5.60 + - 8.5.61 + - 8.5.63 + - 8.5.64 + - 8.5.65 + - 8.5.66 + - 8.5.68 + - 8.5.69 + - 8.5.70 + - 8.5.71 + - 8.5.72 + - 8.5.73 + - 8.5.75 + - 8.5.76 + - 8.5.77 + - 8.5.78 + - 8.5.79 + - 8.5.8 + - 8.5.81 + - 8.5.82 + - 8.5.83 + - 8.5.84 + - 8.5.85 + - 8.5.86 + - 8.5.87 + - 8.5.88 + - 8.5.89 + - 8.5.9 + - 8.5.90 + - 8.5.91 + - 8.5.92 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.93 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 
8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.49 + - 8.5.5 + - 8.5.50 + - 8.5.51 + - 8.5.53 + - 8.5.54 + - 8.5.55 + - 8.5.56 + - 8.5.57 + - 8.5.58 + - 8.5.59 + - 8.5.6 + - 8.5.60 + - 8.5.61 + - 8.5.63 + - 8.5.64 + - 8.5.65 + - 8.5.66 + - 8.5.68 + - 8.5.69 + - 8.5.70 + - 8.5.71 + - 8.5.72 + - 8.5.73 + - 8.5.75 + - 8.5.76 + - 8.5.77 + - 8.5.78 + - 8.5.79 + - 8.5.8 + - 8.5.81 + - 8.5.82 + - 8.5.83 + - 8.5.84 + - 8.5.85 + - 8.5.86 + - 8.5.87 + - 8.5.88 + - 8.5.89 + - 8.5.9 + - 8.5.90 + - 8.5.91 + - 8.5.92 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0-M1 + - fixed: 9.0.80 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 + - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 + - 9.0.40 + - 9.0.41 + - 9.0.43 + - 9.0.44 + - 9.0.45 + - 9.0.46 + - 9.0.48 + - 9.0.5 + - 9.0.50 + - 9.0.52 + - 9.0.53 + - 9.0.54 + - 9.0.55 + - 9.0.56 + - 9.0.58 + - 9.0.59 + - 9.0.6 + - 9.0.60 + - 9.0.62 + - 9.0.63 + - 9.0.64 + - 9.0.65 
+ - 9.0.67 + - 9.0.68 + - 9.0.69 + - 9.0.7 + - 9.0.70 + - 9.0.71 + - 9.0.72 + - 9.0.73 + - 9.0.74 + - 9.0.75 + - 9.0.76 + - 9.0.78 + - 9.0.79 + - 9.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.1.0-M1 + - fixed: 10.1.13 + versions: + - 10.1.0 + - 10.1.0-M1 + - 10.1.0-M10 + - 10.1.0-M11 + - 10.1.0-M12 + - 10.1.0-M14 + - 10.1.0-M15 + - 10.1.0-M16 + - 10.1.0-M17 + - 10.1.0-M2 + - 10.1.0-M4 + - 10.1.0-M5 + - 10.1.0-M6 + - 10.1.0-M7 + - 10.1.0-M8 + - 10.1.1 + - 10.1.10 + - 10.1.11 + - 10.1.12 + - 10.1.2 + - 10.1.4 + - 10.1.5 + - 10.1.6 + - 10.1.7 + - 10.1.8 + - 10.1.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0-M1 + - fixed: 11.0.0-M11 + versions: + - 11.0.0-M1 + - 11.0.0-M10 + - 11.0.0-M3 + - 11.0.0-M4 + - 11.0.0-M5 + - 11.0.0-M6 + - 11.0.0-M7 + - 11.0.0-M9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-41080 + - type: WEB + url: https://github.com/apache/tomcat/commit/4998ad745b67edeadefe541c94ed029b53933d3b + - type: WEB + url: https://github.com/apache/tomcat/commit/77c0ce2d169efa248b64b992e547aad549ec906b + - type: WEB + url: 
https://github.com/apache/tomcat/commit/bb4624a9f3e69d495182ebfa68d7983076407a27 + - type: WEB + url: https://github.com/apache/tomcat/commit/e3703c9abb8fe0d5602f6ba8a8f11d4b6940815a + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20230921-0006 + - type: WEB + url: https://www.debian.org/security/2023/dsa-5521 + - type: WEB + url: https://www.debian.org/security/2023/dsa-5522 + database_specific: + cwe_ids: + - CWE-601 + github_reviewed: true + github_reviewed_at: "2023-08-25T22:05:01Z" + nvd_published_at: "2023-08-25T21:15:09Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-q4hg-rmq2-52q9 + modified: 2024-03-11T15:55:43.65767Z + published: 2019-06-26T01:09:40Z + aliases: + - CVE-2019-10072 + summary: Improper Locking in Apache Tomcat + details: The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0.M1 + - fixed: 9.0.20 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.4 + - 9.0.5 + - 9.0.6 + - 9.0.7 + - 9.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-q4hg-rmq2-52q9/GHSA-q4hg-rmq2-52q9.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.41 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.5 + - 8.5.6 + - 8.5.8 + - 8.5.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-q4hg-rmq2-52q9/GHSA-q4hg-rmq2-52q9.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-10072 + - type: WEB + url: https://github.com/apache/tomcat/commit/0bcd69c9dd8ae0ff424f2cd46de51583510b7f35 + - type: WEB + url: https://github.com/apache/tomcat/commit/7f748eb6bfaba5207c89dbd7d5adf50fae847145 + - type: WEB + url: 
https://github.com/apache/tomcat/commit/8d14c6f21d29768a39be4b6b9517060dc6606758 + - type: WEB + url: https://github.com/apache/tomcat/commit/ada725a50a60867af3422c8e612aecaeea856a9a + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190625-0002 + - type: WEB + url: https://support.f5.com/csp/article/K17321505 + - type: WEB + url: https://tomcat.apache.org/security-8.html + - type: WEB + url: https://tomcat.apache.org/security-9.html + - type: WEB + url: https://usn.ubuntu.com/4128-1 + - type: WEB + url: https://usn.ubuntu.com/4128-2 + - type: WEB + url: https://web.archive.org/web/20200227033743/http://www.securityfocus.com/bid/108874 + - type: WEB + url: https://www.debian.org/security/2020/dsa-4680 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: https://www.synology.com/security/advisory/Synology_SA_19_29 + - type: WEB + url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a%40%3Cannounce.tomcat.apache.org%3E + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3931 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3929 + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html + database_specific: + cwe_ids: + - CWE-667 + github_reviewed: true + github_reviewed_at: "2019-06-26T00:56:45Z" + nvd_published_at: "2019-06-21T18:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-qcxh-w3j9-58qr + modified: 2024-03-16T05:16:48.960226Z + published: 2020-06-15T18:51:09Z + aliases: + - CVE-2019-0199 + summary: Apache Tomcat Denial of Service vulnerability + details: The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0 + - fixed: 9.0.16 + versions: + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.2 + - 9.0.4 + - 9.0.5 + - 9.0.6 + - 9.0.7 + - 9.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-qcxh-w3j9-58qr/GHSA-qcxh-w3j9-58qr.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.0.0 + - fixed: 8.5.38 + versions: + - 8.0.1 + - 8.0.11 + - 8.0.12 + - 8.0.14 + - 8.0.15 + - 8.0.17 + - 8.0.18 + - 8.0.20 + - 8.0.21 + - 8.0.22 + - 8.0.23 + - 8.0.24 + - 8.0.26 + - 8.0.27 + - 8.0.28 + - 8.0.29 + - 8.0.3 + - 8.0.30 + - 8.0.32 + - 8.0.33 + - 8.0.35 + - 8.0.36 + - 8.0.37 + - 8.0.38 + - 8.0.39 + - 8.0.41 + - 8.0.42 + - 8.0.43 + - 8.0.44 + - 8.0.45 + - 8.0.46 + - 8.0.47 + - 8.0.48 + - 8.0.49 + - 8.0.5 + - 8.0.50 + - 8.0.51 + - 8.0.52 + - 8.0.53 + - 8.0.8 + - 8.0.9 + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.4 + - 8.5.5 + - 8.5.6 + - 8.5.8 + - 8.5.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-qcxh-w3j9-58qr/GHSA-qcxh-w3j9-58qr.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-0199 + - type: WEB + url: 
https://lists.apache.org/thread.html/e1b0b273b6e8ddcc72c9023bc2394b1276fc72664144bf21d0a87995@%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e56886e1bac9319ecce81b3612dd7a1a43174a3a741a1c805e16880e%40%3Ccommits.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e56886e1bac9319ecce81b3612dd7a1a43174a3a741a1c805e16880e@%3Ccommits.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e87733036e8c84ea648cdcdca3098f3c8a897e2652c33062b2b1535c%40%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e87733036e8c84ea648cdcdca3098f3c8a897e2652c33062b2b1535c@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46 + - type: WEB + url: https://seclists.org/bugtraq/2019/Dec/43 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190419-0001 + - type: WEB + url: https://support.f5.com/csp/article/K17321505 + - type: WEB + url: https://web.archive.org/web/20200227030041/http://www.securityfocus.com/bid/107674 + - type: WEB + url: https://www.debian.org/security/2019/dsa-4596 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3929 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3931 + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://lists.apache.org/thread.html/158ab719cf60448ddbb074798f09152fdb572fc8f781e70a56118d1a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/158ab719cf60448ddbb074798f09152fdb572fc8f781e70a56118d1a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/4c438fa4c78cb1ce8979077f668ab7145baf83e7c59f2faf7eccf094%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/4c438fa4c78cb1ce8979077f668ab7145baf83e7c59f2faf7eccf094@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/7bb193bc68b28d21ff1c726fd38bea164deb6333b59eec2eb3661da6%40%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/7bb193bc68b28d21ff1c726fd38bea164deb6333b59eec2eb3661da6@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/9fe25f98bac6d66f8a663a15c37a98bc2d8f8bbed1d408791a3e4067%40%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/9fe25f98bac6d66f8a663a15c37a98bc2d8f8bbed1d408791a3e4067@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/a7a201bd23e67fd3326c9b22b814dd0537d3270b3b54a768e2e7ef50%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/a7a201bd23e67fd3326c9b22b814dd0537d3270b3b54a768e2e7ef50@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ac0185ce240a711b542a55bccf9349ab0c2f343d70cf7835e08fabc9%40%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ac0185ce240a711b542a55bccf9349ab0c2f343d70cf7835e08fabc9@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/cf4eb2bd2083cebb3602a293c653f9a7faa96c86f672c876f25b37ef%40%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/cf4eb2bd2083cebb3602a293c653f9a7faa96c86f672c876f25b37ef@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/dddb3590bac28fbe89f69f5ccbe26283d014ddc691abdd042de14600%40%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/dddb3590bac28fbe89f69f5ccbe26283d014ddc691abdd042de14600@%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a%40%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e1b0b273b6e8ddcc72c9023bc2394b1276fc72664144bf21d0a87995%40%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00013.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + github_reviewed_at: "2020-06-15T16:43:54Z" + nvd_published_at: "2019-04-10T15:29:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-qppj-fm5r-hxr3 + modified: 2024-06-25T02:34:00.663536Z + 
published: 2023-10-10T21:28:24Z + aliases: + - BIT-apisix-2023-44487 + - BIT-aspnet-core-2023-44487 + - BIT-contour-2023-44487 + - BIT-dotnet-2023-44487 + - BIT-dotnet-sdk-2023-44487 + - BIT-envoy-2023-44487 + - BIT-golang-2023-44487 + - BIT-jenkins-2023-44487 + - BIT-kong-2023-44487 + - BIT-nginx-2023-44487 + - BIT-nginx-ingress-controller-2023-44487 + - BIT-node-2023-44487 + - BIT-solr-2023-44487 + - BIT-tomcat-2023-44487 + - BIT-varnish-2023-44487 + - CVE-2023-44487 + - GHSA-2m7v-gc89-fjqf + - GHSA-vx74-f528-fxqg + - GHSA-xpw8-rcwv-8f8p + summary: HTTP/2 Stream Cancellation Attack + details: "## HTTP/2 Rapid reset attack\nThe HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed.\n\nAbuse of this feature is called a Rapid Reset attack because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open. \n\nThe HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately.\n\nThe ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. 
The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth.\n\nIn a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client.\n\nMultiple software artifacts implementing HTTP/2 are affected. This advisory was originally ingested from the `swift-nio-http2` repo advisory and their original conent follows.\n\n## swift-nio-http2 specific advisory\nswift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress.\n\nswift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors." 
+ affected: + - package: + ecosystem: SwiftURL + name: github.com/apple/swift-nio-http2 + ranges: + - type: SEMVER + events: + - introduced: "0" + - fixed: 1.28.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Go + name: golang.org/x/net + purl: pkg:golang/golang.org/x/net + ranges: + - type: SEMVER + events: + - introduced: "0" + - fixed: 0.17.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Go + name: google.golang.org/grpc + purl: pkg:golang/google.golang.org/grpc + ranges: + - type: SEMVER + events: + - introduced: 1.58.0 + - fixed: 1.58.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Go + name: google.golang.org/grpc + purl: pkg:golang/google.golang.org/grpc + ranges: + - type: SEMVER + events: + - introduced: 1.57.0 + - fixed: 1.57.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Go + name: google.golang.org/grpc + purl: pkg:golang/google.golang.org/grpc + ranges: + - type: SEMVER + events: + - introduced: "0" + - fixed: 1.56.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0-M1 + - fixed: 11.0.0-M12 + versions: + - 11.0.0-M1 + - 11.0.0-M10 + - 11.0.0-M11 + - 11.0.0-M3 + - 11.0.0-M4 + - 11.0.0-M5 + - 11.0.0-M6 + 
- 11.0.0-M7 + - 11.0.0-M9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.0.0 + - fixed: 10.1.14 + versions: + - 10.0.0 + - 10.0.10 + - 10.0.11 + - 10.0.12 + - 10.0.13 + - 10.0.14 + - 10.0.16 + - 10.0.17 + - 10.0.18 + - 10.0.2 + - 10.0.20 + - 10.0.21 + - 10.0.22 + - 10.0.23 + - 10.0.26 + - 10.0.27 + - 10.0.4 + - 10.0.5 + - 10.0.6 + - 10.0.7 + - 10.0.8 + - 10.1.0 + - 10.1.0-M1 + - 10.1.0-M10 + - 10.1.0-M11 + - 10.1.0-M12 + - 10.1.0-M14 + - 10.1.0-M15 + - 10.1.0-M16 + - 10.1.0-M17 + - 10.1.0-M2 + - 10.1.0-M4 + - 10.1.0-M5 + - 10.1.0-M6 + - 10.1.0-M7 + - 10.1.0-M8 + - 10.1.1 + - 10.1.10 + - 10.1.11 + - 10.1.12 + - 10.1.13 + - 10.1.2 + - 10.1.4 + - 10.1.5 + - 10.1.6 + - 10.1.7 + - 10.1.8 + - 10.1.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0 + - fixed: 9.0.81 + versions: + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 + - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 + - 9.0.40 + - 9.0.41 + - 9.0.43 + - 9.0.44 + - 9.0.45 + - 9.0.46 + - 9.0.48 + - 9.0.5 + - 9.0.50 + - 9.0.52 + - 9.0.53 + - 9.0.54 + - 9.0.55 + - 9.0.56 + - 9.0.58 + - 9.0.59 + - 9.0.6 + - 9.0.60 + - 9.0.62 + - 9.0.63 + - 9.0.64 + - 9.0.65 + - 9.0.67 + - 9.0.68 + - 9.0.69 + - 9.0.7 + - 9.0.70 + - 9.0.71 + - 9.0.72 + - 9.0.73 + - 9.0.74 + - 9.0.75 + - 
9.0.76 + - 9.0.78 + - 9.0.79 + - 9.0.8 + - 9.0.80 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.94 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.49 + - 8.5.5 + - 8.5.50 + - 8.5.51 + - 8.5.53 + - 8.5.54 + - 8.5.55 + - 8.5.56 + - 8.5.57 + - 8.5.58 + - 8.5.59 + - 8.5.6 + - 8.5.60 + - 8.5.61 + - 8.5.63 + - 8.5.64 + - 8.5.65 + - 8.5.66 + - 8.5.68 + - 8.5.69 + - 8.5.70 + - 8.5.71 + - 8.5.72 + - 8.5.73 + - 8.5.75 + - 8.5.76 + - 8.5.77 + - 8.5.78 + - 8.5.79 + - 8.5.8 + - 8.5.81 + - 8.5.82 + - 8.5.83 + - 8.5.84 + - 8.5.85 + - 8.5.86 + - 8.5.87 + - 8.5.88 + - 8.5.89 + - 8.5.9 + - 8.5.90 + - 8.5.91 + - 8.5.92 + - 8.5.93 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0-M1 + - fixed: 11.0.0-M12 + versions: + - 11.0.0-M1 + - 11.0.0-M10 + - 11.0.0-M11 + - 11.0.0-M3 + - 11.0.0-M4 + - 11.0.0-M5 + - 11.0.0-M6 + - 11.0.0-M7 + - 11.0.0-M9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Maven + 
name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.0.0 + - fixed: 10.1.14 + versions: + - 10.0.0 + - 10.0.10 + - 10.0.11 + - 10.0.12 + - 10.0.13 + - 10.0.14 + - 10.0.16 + - 10.0.17 + - 10.0.18 + - 10.0.2 + - 10.0.20 + - 10.0.21 + - 10.0.22 + - 10.0.23 + - 10.0.26 + - 10.0.27 + - 10.0.4 + - 10.0.5 + - 10.0.6 + - 10.0.7 + - 10.0.8 + - 10.1.0 + - 10.1.0-M1 + - 10.1.0-M10 + - 10.1.0-M11 + - 10.1.0-M12 + - 10.1.0-M14 + - 10.1.0-M15 + - 10.1.0-M16 + - 10.1.0-M17 + - 10.1.0-M2 + - 10.1.0-M4 + - 10.1.0-M5 + - 10.1.0-M6 + - 10.1.0-M7 + - 10.1.0-M8 + - 10.1.1 + - 10.1.10 + - 10.1.11 + - 10.1.12 + - 10.1.13 + - 10.1.2 + - 10.1.4 + - 10.1.5 + - 10.1.6 + - 10.1.7 + - 10.1.8 + - 10.1.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0 + - fixed: 9.0.81 + versions: + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 + - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 + - 9.0.40 + - 9.0.41 + - 9.0.43 + - 9.0.44 + - 9.0.45 + - 9.0.46 + - 9.0.48 + - 9.0.5 + - 9.0.50 + - 9.0.52 + - 9.0.53 + - 9.0.54 + - 9.0.55 + - 9.0.56 + - 9.0.58 + - 9.0.59 + - 9.0.6 + - 9.0.60 + - 9.0.62 + - 9.0.63 + - 9.0.64 + - 9.0.65 + - 9.0.67 + - 9.0.68 + - 9.0.69 + - 9.0.7 + - 9.0.70 + - 9.0.71 + - 9.0.72 + - 9.0.73 + - 9.0.74 + - 9.0.75 + - 9.0.76 + - 9.0.78 + - 9.0.79 + - 9.0.8 + - 9.0.80 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.94 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.49 + - 8.5.5 + - 8.5.50 + - 8.5.51 + - 8.5.53 + - 8.5.54 + - 8.5.55 + - 8.5.56 + - 8.5.57 + - 8.5.58 + - 8.5.59 + - 8.5.6 + - 8.5.60 + - 8.5.61 + - 8.5.63 + - 8.5.64 + - 8.5.65 + - 8.5.66 + - 8.5.68 + - 8.5.69 + - 8.5.70 + - 8.5.71 + - 8.5.72 + - 8.5.73 + - 8.5.75 + - 8.5.76 + - 8.5.77 + - 8.5.78 + - 8.5.79 + - 8.5.8 + - 8.5.81 + - 8.5.82 + - 8.5.83 + - 8.5.84 + - 8.5.85 + - 8.5.86 + - 8.5.87 + - 8.5.88 + - 8.5.89 + - 8.5.9 + - 8.5.90 + - 8.5.91 + - 8.5.92 + - 8.5.93 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Maven + name: org.eclipse.jetty.http2:http2-common + purl: pkg:maven/org.eclipse.jetty.http2/http2-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.3.0 + - fixed: 9.4.53 + versions: + - 9.3.0.v20150612 + - 9.3.1.v20150714 + - 9.3.10.M0 + - 9.3.10.v20160621 + - 9.3.11.M0 + - 9.3.11.v20160721 + - 9.3.12.v20160915 + - 9.3.13.M0 + - 9.3.13.v20161014 + - 9.3.14.v20161028 + - 9.3.15.v20161220 + - 9.3.16.v20170120 + - 9.3.17.RC0 + - 9.3.17.v20170317 + - 9.3.18.v20170406 + - 9.3.19.v20170502 + - 9.3.2.v20150730 + - 9.3.20.v20170531 + - 9.3.21.M0 + - 9.3.21.RC0 + - 
9.3.21.v20170918 + - 9.3.22.v20171030 + - 9.3.23.v20180228 + - 9.3.24.v20180605 + - 9.3.25.v20180904 + - 9.3.26.v20190403 + - 9.3.27.v20190418 + - 9.3.28.v20191105 + - 9.3.29.v20201019 + - 9.3.3.v20150827 + - 9.3.30.v20211001 + - 9.3.4.RC0 + - 9.3.4.RC1 + - 9.3.4.v20151007 + - 9.3.5.v20151012 + - 9.3.6.v20151106 + - 9.3.7.RC0 + - 9.3.7.RC1 + - 9.3.7.v20160115 + - 9.3.8.RC0 + - 9.3.8.v20160314 + - 9.3.9.M0 + - 9.3.9.M1 + - 9.3.9.v20160517 + - 9.4.0.M0 + - 9.4.0.M1 + - 9.4.0.RC0 + - 9.4.0.RC1 + - 9.4.0.RC2 + - 9.4.0.RC3 + - 9.4.0.v20161208 + - 9.4.0.v20180619 + - 9.4.1.v20170120 + - 9.4.1.v20180619 + - 9.4.10.RC0 + - 9.4.10.RC1 + - 9.4.10.v20180503 + - 9.4.11.v20180605 + - 9.4.12.RC0 + - 9.4.12.RC1 + - 9.4.12.RC2 + - 9.4.12.v20180830 + - 9.4.13.v20181111 + - 9.4.14.v20181114 + - 9.4.15.v20190215 + - 9.4.16.v20190411 + - 9.4.17.v20190418 + - 9.4.18.v20190429 + - 9.4.19.v20190610 + - 9.4.2.v20170220 + - 9.4.2.v20180619 + - 9.4.20.v20190813 + - 9.4.21.v20190926 + - 9.4.22.v20191022 + - 9.4.23.v20191118 + - 9.4.24.v20191120 + - 9.4.25.v20191220 + - 9.4.26.v20200117 + - 9.4.27.v20200227 + - 9.4.28.v20200408 + - 9.4.29.v20200521 + - 9.4.3.v20170317 + - 9.4.3.v20180619 + - 9.4.30.v20200611 + - 9.4.31.v20200723 + - 9.4.32.v20200930 + - 9.4.33.v20201020 + - 9.4.34.v20201102 + - 9.4.35.v20201120 + - 9.4.36.v20210114 + - 9.4.37.v20210219 + - 9.4.38.v20210224 + - 9.4.39.v20210325 + - 9.4.4.v20170414 + - 9.4.4.v20180619 + - 9.4.40.v20210413 + - 9.4.41.v20210516 + - 9.4.42.v20210604 + - 9.4.43.v20210629 + - 9.4.44.v20210927 + - 9.4.45.v20220203 + - 9.4.46.v20220331 + - 9.4.47.v20220610 + - 9.4.48.v20220622 + - 9.4.49.v20220914 + - 9.4.5.v20170502 + - 9.4.5.v20180619 + - 9.4.50.v20221201 + - 9.4.51.v20230217 + - 9.4.52.v20230823 + - 9.4.6.v20170531 + - 9.4.6.v20180619 + - 9.4.7.RC0 + - 9.4.7.v20170914 + - 9.4.7.v20180619 + - 9.4.8.v20171121 + - 9.4.8.v20180619 + - 9.4.9.v20180320 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Maven + name: org.eclipse.jetty.http2:http2-common + purl: pkg:maven/org.eclipse.jetty.http2/http2-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.0.0 + - fixed: 10.0.17 + versions: + - 10.0.0 + - 10.0.1 + - 10.0.10 + - 10.0.11 + - 10.0.12 + - 10.0.13 + - 10.0.14 + - 10.0.15 + - 10.0.16 + - 10.0.2 + - 10.0.3 + - 10.0.4 + - 10.0.5 + - 10.0.6 + - 10.0.7 + - 10.0.8 + - 10.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Maven + name: org.eclipse.jetty.http2:http2-common + purl: pkg:maven/org.eclipse.jetty.http2/http2-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0 + - fixed: 11.0.17 + versions: + - 11.0.0 + - 11.0.1 + - 11.0.10 + - 11.0.11 + - 11.0.12 + - 11.0.13 + - 11.0.14 + - 11.0.15 + - 11.0.16 + - 11.0.2 + - 11.0.3 + - 11.0.4 + - 11.0.5 + - 11.0.6 + - 11.0.7 + - 11.0.8 + - 11.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Maven + name: org.eclipse.jetty.http2:http2-server + purl: pkg:maven/org.eclipse.jetty.http2/http2-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.3.0 + - fixed: 9.4.53 + versions: + - 9.3.0.v20150612 + - 9.3.1.v20150714 + - 9.3.10.M0 + - 9.3.10.v20160621 + - 9.3.11.M0 + - 9.3.11.v20160721 + - 9.3.12.v20160915 + - 9.3.13.M0 + - 9.3.13.v20161014 + - 9.3.14.v20161028 + - 9.3.15.v20161220 + - 9.3.16.v20170120 + - 9.3.17.RC0 + - 9.3.17.v20170317 + - 9.3.18.v20170406 + - 9.3.19.v20170502 + - 9.3.2.v20150730 + - 9.3.20.v20170531 + - 9.3.21.M0 + - 9.3.21.RC0 + - 9.3.21.v20170918 + - 9.3.22.v20171030 + - 9.3.23.v20180228 + - 9.3.24.v20180605 + - 
9.3.25.v20180904 + - 9.3.26.v20190403 + - 9.3.27.v20190418 + - 9.3.28.v20191105 + - 9.3.29.v20201019 + - 9.3.3.v20150827 + - 9.3.30.v20211001 + - 9.3.4.RC0 + - 9.3.4.RC1 + - 9.3.4.v20151007 + - 9.3.5.v20151012 + - 9.3.6.v20151106 + - 9.3.7.RC0 + - 9.3.7.RC1 + - 9.3.7.v20160115 + - 9.3.8.RC0 + - 9.3.8.v20160314 + - 9.3.9.M0 + - 9.3.9.M1 + - 9.3.9.v20160517 + - 9.4.0.M0 + - 9.4.0.M1 + - 9.4.0.RC0 + - 9.4.0.RC1 + - 9.4.0.RC2 + - 9.4.0.RC3 + - 9.4.0.v20161208 + - 9.4.0.v20180619 + - 9.4.1.v20170120 + - 9.4.1.v20180619 + - 9.4.10.RC0 + - 9.4.10.RC1 + - 9.4.10.v20180503 + - 9.4.11.v20180605 + - 9.4.12.RC0 + - 9.4.12.RC1 + - 9.4.12.RC2 + - 9.4.12.v20180830 + - 9.4.13.v20181111 + - 9.4.14.v20181114 + - 9.4.15.v20190215 + - 9.4.16.v20190411 + - 9.4.17.v20190418 + - 9.4.18.v20190429 + - 9.4.19.v20190610 + - 9.4.2.v20170220 + - 9.4.2.v20180619 + - 9.4.20.v20190813 + - 9.4.21.v20190926 + - 9.4.22.v20191022 + - 9.4.23.v20191118 + - 9.4.24.v20191120 + - 9.4.25.v20191220 + - 9.4.26.v20200117 + - 9.4.27.v20200227 + - 9.4.28.v20200408 + - 9.4.29.v20200521 + - 9.4.3.v20170317 + - 9.4.3.v20180619 + - 9.4.30.v20200611 + - 9.4.31.v20200723 + - 9.4.32.v20200930 + - 9.4.33.v20201020 + - 9.4.34.v20201102 + - 9.4.35.v20201120 + - 9.4.36.v20210114 + - 9.4.37.v20210219 + - 9.4.38.v20210224 + - 9.4.39.v20210325 + - 9.4.4.v20170414 + - 9.4.4.v20180619 + - 9.4.40.v20210413 + - 9.4.41.v20210516 + - 9.4.42.v20210604 + - 9.4.43.v20210629 + - 9.4.44.v20210927 + - 9.4.45.v20220203 + - 9.4.46.v20220331 + - 9.4.47.v20220610 + - 9.4.48.v20220622 + - 9.4.49.v20220914 + - 9.4.5.v20170502 + - 9.4.5.v20180619 + - 9.4.50.v20221201 + - 9.4.51.v20230217 + - 9.4.52.v20230823 + - 9.4.6.v20170531 + - 9.4.6.v20180619 + - 9.4.7.RC0 + - 9.4.7.v20170914 + - 9.4.7.v20180619 + - 9.4.8.v20171121 + - 9.4.8.v20180619 + - 9.4.9.v20180320 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + 
ecosystem: Maven + name: org.eclipse.jetty.http2:http2-server + purl: pkg:maven/org.eclipse.jetty.http2/http2-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.0.0 + - fixed: 10.0.17 + versions: + - 10.0.0 + - 10.0.1 + - 10.0.10 + - 10.0.11 + - 10.0.12 + - 10.0.13 + - 10.0.14 + - 10.0.15 + - 10.0.16 + - 10.0.2 + - 10.0.3 + - 10.0.4 + - 10.0.5 + - 10.0.6 + - 10.0.7 + - 10.0.8 + - 10.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Maven + name: org.eclipse.jetty.http2:http2-server + purl: pkg:maven/org.eclipse.jetty.http2/http2-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0 + - fixed: 11.0.17 + versions: + - 11.0.0 + - 11.0.1 + - 11.0.10 + - 11.0.11 + - 11.0.12 + - 11.0.13 + - 11.0.14 + - 11.0.15 + - 11.0.16 + - 11.0.2 + - 11.0.3 + - 11.0.4 + - 11.0.5 + - 11.0.6 + - 11.0.7 + - 11.0.8 + - 11.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Maven + name: org.eclipse.jetty.http2:jetty-http2-common + purl: pkg:maven/org.eclipse.jetty.http2/jetty-http2-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 12.0.0 + - fixed: 12.0.2 + versions: + - 12.0.0 + - 12.0.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Maven + name: org.eclipse.jetty.http2:jetty-http2-server + purl: pkg:maven/org.eclipse.jetty.http2/jetty-http2-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 12.0.0 + - fixed: 12.0.2 + versions: + - 12.0.0 + - 12.0.1 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Maven + name: com.typesafe.akka:akka-http-core + purl: pkg:maven/com.typesafe.akka/akka-http-core + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 10.5.3 + versions: + - 3.0.0-RC1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Maven + name: com.typesafe.akka:akka-http-core_2.13 + purl: pkg:maven/com.typesafe.akka/akka-http-core_2.13 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 10.5.3 + versions: + - 10.1.10 + - 10.1.11 + - 10.1.12 + - 10.1.13 + - 10.1.14 + - 10.1.15 + - 10.1.8 + - 10.1.9 + - 10.2.0 + - 10.2.0-M1 + - 10.2.0-RC1 + - 10.2.0-RC2 + - 10.2.1 + - 10.2.10 + - 10.2.2 + - 10.2.3 + - 10.2.4 + - 10.2.5 + - 10.2.5-M1 + - 10.2.5-M2 + - 10.2.6 + - 10.2.7 + - 10.2.8 + - 10.2.9 + - 10.4.0 + - 10.4.0-M1 + - 10.4.0-M2 + - 10.5.0 + - 10.5.0-M1 + - 10.5.1 + - 10.5.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Maven + name: com.typesafe.akka:akka-http-core_2.12 + purl: pkg:maven/com.typesafe.akka/akka-http-core_2.12 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 10.5.3 + versions: + - 10.0.0 + - 10.0.0-RC2 + - 10.0.1 + - 10.0.10 + - 10.0.11 + - 10.0.12 + - 10.0.13 + - 10.0.14 + - 10.0.15 + - 10.0.2 + - 10.0.3 + - 10.0.4 + - 10.0.5 + - 10.0.6 + - 10.0.6+7-e2ba6752 + - 10.0.7 + - 10.0.8 + - 10.0.9 + - 10.1.0 + - 10.1.0-RC1 + - 10.1.0-RC2 + - 10.1.1 + - 10.1.10 + - 10.1.11 + - 10.1.12 + - 10.1.13 + - 10.1.14 + - 10.1.15 + - 10.1.2 + - 10.1.3 + - 10.1.4 + - 10.1.5 + - 10.1.6 + - 10.1.7 + - 10.1.8 + - 10.1.9 + - 10.2.0 + - 10.2.0-M1 + - 10.2.0-RC1 + - 10.2.0-RC2 
+ - 10.2.1 + - 10.2.10 + - 10.2.2 + - 10.2.3 + - 10.2.4 + - 10.2.5 + - 10.2.5-M1 + - 10.2.5-M2 + - 10.2.6 + - 10.2.7 + - 10.2.8 + - 10.2.9 + - 10.4.0 + - 10.4.0-M1 + - 10.4.0-M2 + - 10.5.0 + - 10.5.0-M1 + - 10.5.1 + - 10.5.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + - package: + ecosystem: Maven + name: com.typesafe.akka:akka-http-core_2.11 + purl: pkg:maven/com.typesafe.akka/akka-http-core_2.11 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 10.1.15 + versions: + - 10.0.0 + - 10.0.0-RC2 + - 10.0.1 + - 10.0.10 + - 10.0.11 + - 10.0.12 + - 10.0.13 + - 10.0.14 + - 10.0.15 + - 10.0.2 + - 10.0.3 + - 10.0.4 + - 10.0.5 + - 10.0.6 + - 10.0.6+7-e2ba6752 + - 10.0.7 + - 10.0.8 + - 10.0.9 + - 10.1.0 + - 10.1.0-RC1 + - 10.1.0-RC2 + - 10.1.1 + - 10.1.10 + - 10.1.11 + - 10.1.12 + - 10.1.13 + - 10.1.14 + - 10.1.15 + - 10.1.2 + - 10.1.3 + - 10.1.4 + - 10.1.5 + - 10.1.6 + - 10.1.7 + - 10.1.8 + - 10.1.9 + - 2.4-ARTERY-M1 + - 2.4-ARTERY-M2 + - 2.4-ARTERY-M3 + - 2.4-ARTERY-M4 + - 2.4.10 + - 2.4.11 + - 2.4.11.1 + - 2.4.11.2 + - 2.4.2 + - 2.4.2-RC1 + - 2.4.2-RC2 + - 2.4.2-RC3 + - 2.4.3 + - 2.4.4 + - 2.4.5 + - 2.4.6 + - 2.4.7 + - 2.4.8 + - 2.4.9 + - 2.4.9-RC1 + - 2.4.9-RC2 + - 3.0.0-RC1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + references: + - type: WEB + url: https://github.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3 + - type: WEB + url: https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-44487 + - type: WEB + url: https://github.com/apache/apisix/issues/10320 + - type: WEB + url: https://github.com/alibaba/tengine/issues/1872 
+ - type: WEB + url: https://github.com/caddyserver/caddy/issues/5877 + - type: WEB + url: https://github.com/akka/akka-http/issues/4323 + - type: WEB + url: https://github.com/dotnet/announcements/issues/277 + - type: WEB + url: https://github.com/varnishcache/varnish-cache/issues/3996 + - type: WEB + url: https://github.com/eclipse/jetty.project/issues/10679 + - type: WEB + url: https://github.com/Azure/AKS/issues/3947 + - type: WEB + url: https://github.com/etcd-io/etcd/issues/16740 + - type: WEB + url: https://github.com/golang/go/issues/63417 + - type: WEB + url: https://github.com/tempesta-tech/tempesta/issues/1986 + - type: WEB + url: https://github.com/haproxy/haproxy/issues/2312 + - type: WEB + url: https://github.com/hyperium/hyper/issues/3337 + - type: WEB + url: https://github.com/openresty/openresty/issues/930 + - type: WEB + url: https://github.com/ninenines/cowboy/issues/1615 + - type: WEB + url: https://github.com/junkurihara/rust-rpxy/issues/97 + - type: WEB + url: https://github.com/kazu-yamamoto/http2/issues/93 + - type: WEB + url: https://github.com/opensearch-project/data-prepper/issues/3474 + - type: WEB + url: https://github.com/apache/trafficserver/pull/10564 + - type: WEB + url: https://github.com/nodejs/node/pull/50121 + - type: WEB + url: https://github.com/nghttp2/nghttp2/pull/1961 + - type: WEB + url: https://github.com/microsoft/CBL-Mariner/pull/6381 + - type: WEB + url: https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632 + - type: WEB + url: https://github.com/line/armeria/pull/5232 + - type: WEB + url: https://github.com/kubernetes/kubernetes/pull/121120 + - type: WEB + url: https://github.com/envoyproxy/envoy/pull/30055 + - type: WEB + url: https://github.com/facebook/proxygen/pull/466 + - type: WEB + url: https://github.com/projectcontour/contour/pull/5826 + - type: WEB + url: https://github.com/grpc/grpc-go/pull/6703 + - type: WEB + url: https://github.com/h2o/h2o/pull/3291 + - type: WEB + 
url: https://github.com/apache/httpd-site/pull/10 + - type: WEB + url: https://github.com/akka/akka-http/pull/4325 + - type: WEB + url: https://github.com/akka/akka-http/pull/4324 + - type: WEB + url: https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1 + - type: WEB + url: https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61 + - type: WEB + url: https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4 + - type: WEB + url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT + - type: WEB + url: 
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH + - type: WEB + url: https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4 + - type: WEB + url: https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html + - type: WEB + url: https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html + - type: WEB + url: https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH + - type: WEB + url: 
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ + - type: WEB + url: https://my.f5.com/manage/s/article/K000137106 + - type: WEB + url: https://ubuntu.com/security/CVE-2023-44487 + - type: WEB + url: https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records + - type: WEB + url: https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487 + - type: WEB + url: https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event + - type: WEB + url: https://www.debian.org/security/2023/dsa-5521 + - type: WEB + url: https://www.debian.org/security/2023/dsa-5522 + - type: WEB + url: https://www.debian.org/security/2023/dsa-5540 + - type: WEB + url: https://www.debian.org/security/2023/dsa-5549 + - type: WEB + url: https://www.debian.org/security/2023/dsa-5558 + - type: WEB + url: https://www.debian.org/security/2023/dsa-5570 + - type: WEB + url: https://www.eclipse.org/lists/jetty-announce/msg00181.html + - 
type: WEB + url: https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487 + - type: WEB + url: https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487 + - type: WEB + url: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products + - type: WEB + url: https://www.openwall.com/lists/oss-security/2023/10/10/6 + - type: WEB + url: https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack + - type: WEB + url: https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday + - type: WEB + url: https://netty.io/news/2023/10/10/4-1-100-Final.html + - type: WEB + url: https://news.ycombinator.com/item?id=37830987 + - type: WEB + url: https://news.ycombinator.com/item?id=37830998 + - type: WEB + url: https://news.ycombinator.com/item?id=37831062 + - type: WEB + url: https://news.ycombinator.com/item?id=37837043 + - type: WEB + url: https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response + - type: WEB + url: https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected + - type: WEB + url: https://security.gentoo.org/glsa/202311-09 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20231016-0001 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20240426-0007 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20240621-0006 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20240621-0007 + - type: WEB + url: https://security.paloaltonetworks.com/CVE-2023-44487 + - type: WEB + url: https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14 + - type: WEB + url: https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.0-M12 + - type: WEB + url: https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.94 + - type: WEB + url: https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.81 + - type: WEB + url: 
https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve + - type: WEB + url: https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764 + - type: WEB + url: https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088 + - type: WEB + url: https://github.com/Kong/kong/discussions/11741 + - type: ADVISORY + url: https://github.com/advisories/GHSA-qppj-fm5r-hxr3 + - type: ADVISORY + url: https://github.com/advisories/GHSA-vx74-f528-fxqg + - type: ADVISORY + url: https://github.com/advisories/GHSA-xpw8-rcwv-8f8p + - type: WEB + url: https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113 + - type: WEB + url: https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2 + - type: PACKAGE + url: https://github.com/apple/swift-nio-http2 + - type: WEB + url: https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487 + - type: WEB + url: https://github.com/bcdannyboy/CVE-2023-44487 + - type: WEB + url: https://github.com/caddyserver/caddy/releases/tag/v2.7.5 + - type: WEB + url: https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73 + - type: WEB + url: https://github.com/grpc/grpc-go/releases + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html + - type: WEB + url: https://access.redhat.com/security/cve/cve-2023-44487 + - type: WEB + url: https://akka.io/security/akka-http-cve-2023-44487.html + - type: WEB + url: https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size + - type: WEB + url: https://aws.amazon.com/security/security-bulletins/AWS-2023-011 + - type: WEB + url: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack + - type: WEB + url: https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack + - type: WEB + url: 
https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty + - type: WEB + url: https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack + - type: WEB + url: https://blog.vespa.ai/cve-2023-44487 + - type: WEB + url: https://bugzilla.proxmox.com/show_bug.cgi?id=4988 + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=2242803 + - type: WEB + url: https://bugzilla.suse.com/show_bug.cgi?id=1216123 + - type: WEB + url: https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9 + - type: WEB + url: https://chaos.social/@icing/111210915918780532 + - type: WEB + url: https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps + - type: WEB + url: https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack + - type: WEB + url: https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5 + - type: WEB + url: 
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX + - type: WEB + url: https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244 + - type: WEB + url: https://github.com/micrictor/http2-rst-stream + - type: WEB + url: https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0 + - type: WEB + url: https://github.com/oqtane/oqtane.framework/discussions/3367 + - type: WEB + url: https://go.dev/cl/534215 + - type: WEB + url: https://go.dev/cl/534235 + - type: WEB + url: https://go.dev/issue/63417 + - 
type: WEB + url: https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo + - type: WEB + url: https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ + - type: WEB + url: https://istio.io/latest/news/security/istio-security-2023-004 + - type: WEB + url: https://linkerd.io/2023/10/12/linkerd-cve-2023-44487 + - type: WEB + url: https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html + - type: WEB + url: http://www.openwall.com/lists/oss-security/2023/10/13/4 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2023/10/13/9 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2023/10/18/4 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2023/10/18/8 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2023/10/19/6 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2023/10/20/8 + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + github_reviewed_at: "2023-10-10T21:28:24Z" + nvd_published_at: "2023-10-10T14:15:10Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-qxf4-chvg-4r8r + modified: 2024-03-14T05:17:09.684982Z + published: 2020-02-28T01:10:48Z + aliases: + - BIT-tomcat-2020-1935 + - CVE-2020-1935 + summary: Potential HTTP request smuggling in Apache Tomcat + details: In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. 
This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. + affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 7.0.100 + versions: + - 7.0.0 + - 7.0.11 + - 7.0.12 + - 7.0.14 + - 7.0.16 + - 7.0.19 + - 7.0.2 + - 7.0.20 + - 7.0.21 + - 7.0.22 + - 7.0.23 + - 7.0.25 + - 7.0.26 + - 7.0.27 + - 7.0.28 + - 7.0.29 + - 7.0.30 + - 7.0.32 + - 7.0.33 + - 7.0.34 + - 7.0.35 + - 7.0.37 + - 7.0.39 + - 7.0.4 + - 7.0.40 + - 7.0.41 + - 7.0.42 + - 7.0.47 + - 7.0.5 + - 7.0.50 + - 7.0.52 + - 7.0.53 + - 7.0.54 + - 7.0.55 + - 7.0.56 + - 7.0.57 + - 7.0.59 + - 7.0.6 + - 7.0.61 + - 7.0.62 + - 7.0.63 + - 7.0.64 + - 7.0.65 + - 7.0.67 + - 7.0.68 + - 7.0.69 + - 7.0.70 + - 7.0.72 + - 7.0.73 + - 7.0.75 + - 7.0.76 + - 7.0.77 + - 7.0.78 + - 7.0.79 + - 7.0.8 + - 7.0.81 + - 7.0.82 + - 7.0.84 + - 7.0.85 + - 7.0.86 + - 7.0.88 + - 7.0.90 + - 7.0.91 + - 7.0.92 + - 7.0.93 + - 7.0.94 + - 7.0.96 + - 7.0.99 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.0.0 + - fixed: 8.5.51 + versions: + - 8.0.1 + - 8.0.11 + - 8.0.12 + - 8.0.14 + - 8.0.15 + - 8.0.17 + - 8.0.18 + - 8.0.20 + - 8.0.21 + - 8.0.22 + - 8.0.23 + - 8.0.24 + - 8.0.26 + - 8.0.27 + - 8.0.28 + - 8.0.29 + - 8.0.3 + - 8.0.30 + - 8.0.32 + - 8.0.33 + - 8.0.35 + - 8.0.36 + - 8.0.37 + - 8.0.38 + - 8.0.39 + - 8.0.41 + - 8.0.42 + - 8.0.43 + - 8.0.44 + - 8.0.45 + - 8.0.46 + - 8.0.47 + - 8.0.48 + - 8.0.49 + - 8.0.5 + - 
8.0.50 + - 8.0.51 + - 8.0.52 + - 8.0.53 + - 8.0.8 + - 8.0.9 + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.49 + - 8.5.5 + - 8.5.50 + - 8.5.6 + - 8.5.8 + - 8.5.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0 + - fixed: 9.0.31 + versions: + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.4 + - 9.0.5 + - 9.0.6 + - 9.0.7 + - 9.0.8 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 7.0.100 + versions: + - 7.0.35 + - 7.0.37 + - 7.0.39 + - 7.0.40 + - 7.0.41 + - 7.0.42 + - 7.0.47 + - 7.0.50 + - 7.0.52 + - 7.0.53 + - 7.0.54 + - 7.0.55 + - 7.0.56 + - 7.0.57 + - 7.0.59 + - 7.0.61 + - 7.0.62 + - 7.0.63 + - 7.0.64 + - 7.0.65 + - 7.0.67 + - 7.0.68 + - 7.0.69 + - 7.0.70 + - 7.0.72 + - 7.0.73 + - 7.0.75 + - 7.0.76 + - 7.0.77 + - 7.0.78 + - 7.0.79 + - 7.0.81 + - 7.0.82 + - 7.0.84 + - 7.0.85 + - 7.0.86 + - 7.0.88 + - 7.0.90 + - 7.0.91 + - 7.0.92 + - 7.0.93 + - 7.0.94 + - 7.0.96 + - 7.0.99 + 
database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.0.0 + - fixed: 8.5.51 + versions: + - 8.0.1 + - 8.0.11 + - 8.0.12 + - 8.0.14 + - 8.0.15 + - 8.0.17 + - 8.0.18 + - 8.0.20 + - 8.0.21 + - 8.0.22 + - 8.0.23 + - 8.0.24 + - 8.0.26 + - 8.0.27 + - 8.0.28 + - 8.0.29 + - 8.0.3 + - 8.0.30 + - 8.0.32 + - 8.0.33 + - 8.0.35 + - 8.0.36 + - 8.0.37 + - 8.0.38 + - 8.0.39 + - 8.0.41 + - 8.0.42 + - 8.0.43 + - 8.0.44 + - 8.0.45 + - 8.0.46 + - 8.0.47 + - 8.0.48 + - 8.0.49 + - 8.0.5 + - 8.0.50 + - 8.0.51 + - 8.0.52 + - 8.0.53 + - 8.0.8 + - 8.0.9 + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.49 + - 8.5.5 + - 8.5.50 + - 8.5.6 + - 8.5.8 + - 8.5.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0 + - fixed: 9.0.31 + versions: + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.4 + - 9.0.5 + - 9.0.6 + - 9.0.7 + - 9.0.8 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-1935 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.debian.org/security/2020/dsa-4680 + - type: WEB + url: https://www.debian.org/security/2020/dsa-4673 + - type: WEB + url: https://usn.ubuntu.com/4448-1 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20200327-0005 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html + - type: WEB + url: https://lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919@%3Cusers.tomcat.apache.org%3E + - 
type: WEB + url: https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75@%3Cusers.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html + database_specific: + cwe_ids: + - CWE-444 + github_reviewed: true + github_reviewed_at: "2020-02-25T16:18:59Z" + nvd_published_at: "2020-02-24T22:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-r4x2-3cq5-hqvp + modified: 2024-03-12T05:32:05.31046Z + published: 2018-10-17T16:32:32Z + aliases: + - CVE-2018-8014 + summary: The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins + details: The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0.M1 + - fixed: 9.0.9 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + - 9.0.1 + - 9.0.2 + - 9.0.4 + - 9.0.5 + - 9.0.6 + - 9.0.7 + - 9.0.8 + database_specific: + last_known_affected_version_range: <= 9.0.8 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r4x2-3cq5-hqvp/GHSA-r4x2-3cq5-hqvp.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.32 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.4 + - 8.5.5 + - 8.5.6 + - 8.5.8 + - 8.5.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r4x2-3cq5-hqvp/GHSA-r4x2-3cq5-hqvp.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.0.0RC1 + - fixed: 8.0.53 + versions: + - 8.0.0-RC1 + - 8.0.0-RC10 + - 8.0.0-RC3 + - 8.0.0-RC5 + - 8.0.1 + - 8.0.11 + - 8.0.12 + - 8.0.14 + - 8.0.15 + - 8.0.17 + - 8.0.18 + - 8.0.20 + - 8.0.21 + - 8.0.22 + - 8.0.23 + - 8.0.24 + - 8.0.26 + - 8.0.27 + - 8.0.28 + - 8.0.29 + - 8.0.3 + - 8.0.30 + - 8.0.32 + - 8.0.33 + - 8.0.35 + - 8.0.36 + - 8.0.37 + - 8.0.38 
+ - 8.0.39 + - 8.0.41 + - 8.0.42 + - 8.0.43 + - 8.0.44 + - 8.0.45 + - 8.0.46 + - 8.0.47 + - 8.0.48 + - 8.0.49 + - 8.0.5 + - 8.0.50 + - 8.0.51 + - 8.0.52 + - 8.0.8 + - 8.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r4x2-3cq5-hqvp/GHSA-r4x2-3cq5-hqvp.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 7.0.41 + - fixed: 7.0.88 + versions: + - 7.0.41 + - 7.0.42 + - 7.0.47 + - 7.0.50 + - 7.0.52 + - 7.0.53 + - 7.0.54 + - 7.0.55 + - 7.0.56 + - 7.0.57 + - 7.0.59 + - 7.0.61 + - 7.0.62 + - 7.0.63 + - 7.0.64 + - 7.0.65 + - 7.0.67 + - 7.0.68 + - 7.0.69 + - 7.0.70 + - 7.0.72 + - 7.0.73 + - 7.0.75 + - 7.0.76 + - 7.0.77 + - 7.0.78 + - 7.0.79 + - 7.0.81 + - 7.0.82 + - 7.0.84 + - 7.0.85 + - 7.0.86 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r4x2-3cq5-hqvp/GHSA-r4x2-3cq5-hqvp.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-8014 + - type: WEB + url: https://github.com/apache/tomcat80/commit/2c9d8433bd3247a2856d4b2555447108758e813e + - type: WEB + url: https://github.com/apache/tomcat/commit/d83a76732e6804739b81d8b2056365307637b42d + - type: WEB + url: https://github.com/apache/tomcat/commit/5877390a9605f56d9bd6859a54ccbfb16374a78b + - type: WEB + url: https://github.com/apache/tomcat/commit/60f596a21fd6041335a3a1a4015d4512439cecb5 + - type: WEB + url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1@%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1%40%3Cannounce.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html + - type: WEB + url: https://seclists.org/bugtraq/2019/Dec/43 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20181018-0002 + - type: WEB + url: https://usn.ubuntu.com/3665-1 + - type: WEB + url: https://web.archive.org/web/20181017143233/http://www.securityfocus.com/bid/104203 + - type: WEB + url: https://web.archive.org/web/20201207080723/http://www.securitytracker.com/id/1041888 + - type: WEB + url: https://web.archive.org/web/20201207101131/http://www.securitytracker.com/id/1040998 + - type: WEB + url: https://www.debian.org/security/2019/dsa-4596 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2469 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2470 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:3768 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0450 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0451 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:1529 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2205 + - type: ADVISORY + url: https://github.com/advisories/GHSA-r4x2-3cq5-hqvp + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E 
+ - type: WEB + url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E + - type: WEB + url: http://tomcat.apache.org/security-7.html + - type: WEB + url: http://tomcat.apache.org/security-8.html + - type: WEB + url: http://tomcat.apache.org/security-9.html + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html + database_specific: + cwe_ids: + - CWE-1188 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:53:40Z" + nvd_published_at: "2018-05-16T16:29:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-r6j3-px5g-cq3x + modified: 2024-04-24T15:46:02.04756Z + published: 2023-10-10T21:31:12Z + aliases: + - BIT-tomcat-2023-45648 + - CVE-2023-45648 + summary: Apache Tomcat Improper Input Validation vulnerability + details: "Improper Input Validation vulnerability in Apache Tomcat.\n\nTomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.\n\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue." 
+ affected: + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0-M1 + - fixed: 11.0.0-M12 + versions: + - 11.0.0-M1 + - 11.0.0-M10 + - 11.0.0-M11 + - 11.0.0-M3 + - 11.0.0-M4 + - 11.0.0-M5 + - 11.0.0-M6 + - 11.0.0-M7 + - 11.0.0-M9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.1.0-M1 + - fixed: 10.1.14 + versions: + - 10.1.0 + - 10.1.0-M1 + - 10.1.0-M10 + - 10.1.0-M11 + - 10.1.0-M12 + - 10.1.0-M14 + - 10.1.0-M15 + - 10.1.0-M16 + - 10.1.0-M17 + - 10.1.0-M2 + - 10.1.0-M4 + - 10.1.0-M5 + - 10.1.0-M6 + - 10.1.0-M7 + - 10.1.0-M8 + - 10.1.1 + - 10.1.10 + - 10.1.11 + - 10.1.12 + - 10.1.13 + - 10.1.2 + - 10.1.4 + - 10.1.5 + - 10.1.6 + - 10.1.7 + - 10.1.8 + - 10.1.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0-M1 + - fixed: 9.0.81 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 + - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 + - 
9.0.40 + - 9.0.41 + - 9.0.43 + - 9.0.44 + - 9.0.45 + - 9.0.46 + - 9.0.48 + - 9.0.5 + - 9.0.50 + - 9.0.52 + - 9.0.53 + - 9.0.54 + - 9.0.55 + - 9.0.56 + - 9.0.58 + - 9.0.59 + - 9.0.6 + - 9.0.60 + - 9.0.62 + - 9.0.63 + - 9.0.64 + - 9.0.65 + - 9.0.67 + - 9.0.68 + - 9.0.69 + - 9.0.7 + - 9.0.70 + - 9.0.71 + - 9.0.72 + - 9.0.73 + - 9.0.74 + - 9.0.75 + - 9.0.76 + - 9.0.78 + - 9.0.79 + - 9.0.8 + - 9.0.80 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat + purl: pkg:maven/org.apache.tomcat/tomcat + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.94 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.49 + - 8.5.5 + - 8.5.50 + - 8.5.51 + - 8.5.53 + - 8.5.54 + - 8.5.55 + - 8.5.56 + - 8.5.57 + - 8.5.58 + - 8.5.59 + - 8.5.6 + - 8.5.60 + - 8.5.61 + - 8.5.63 + - 8.5.64 + - 8.5.65 + - 8.5.66 + - 8.5.68 + - 8.5.69 + - 8.5.70 + - 8.5.71 + - 8.5.72 + - 8.5.73 + - 8.5.75 + - 8.5.76 + - 8.5.77 + - 8.5.78 + - 8.5.79 + - 8.5.8 + - 8.5.81 + - 8.5.82 + - 8.5.83 + - 8.5.84 + - 8.5.85 + - 8.5.86 + - 8.5.87 + - 8.5.88 + - 8.5.89 + - 8.5.9 + - 8.5.90 + - 8.5.91 + - 8.5.92 + - 8.5.93 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0-M1 + - fixed: 
11.0.0-M12 + versions: + - 11.0.0-M1 + - 11.0.0-M10 + - 11.0.0-M11 + - 11.0.0-M3 + - 11.0.0-M4 + - 11.0.0-M5 + - 11.0.0-M6 + - 11.0.0-M7 + - 11.0.0-M9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.1.0-M1 + - fixed: 10.1.14 + versions: + - 10.1.0 + - 10.1.0-M1 + - 10.1.0-M10 + - 10.1.0-M11 + - 10.1.0-M12 + - 10.1.0-M14 + - 10.1.0-M15 + - 10.1.0-M16 + - 10.1.0-M17 + - 10.1.0-M2 + - 10.1.0-M4 + - 10.1.0-M5 + - 10.1.0-M6 + - 10.1.0-M7 + - 10.1.0-M8 + - 10.1.1 + - 10.1.10 + - 10.1.11 + - 10.1.12 + - 10.1.13 + - 10.1.2 + - 10.1.4 + - 10.1.5 + - 10.1.6 + - 10.1.7 + - 10.1.8 + - 10.1.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0-M1 + - fixed: 9.0.81 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 + - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 + - 9.0.40 + - 9.0.41 + - 9.0.43 + - 9.0.44 + - 9.0.45 + - 9.0.46 + - 9.0.48 + - 9.0.5 + - 9.0.50 + - 9.0.52 + - 9.0.53 + - 9.0.54 + - 
9.0.55 + - 9.0.56 + - 9.0.58 + - 9.0.59 + - 9.0.6 + - 9.0.60 + - 9.0.62 + - 9.0.63 + - 9.0.64 + - 9.0.65 + - 9.0.67 + - 9.0.68 + - 9.0.69 + - 9.0.7 + - 9.0.70 + - 9.0.71 + - 9.0.72 + - 9.0.73 + - 9.0.74 + - 9.0.75 + - 9.0.76 + - 9.0.78 + - 9.0.79 + - 9.0.8 + - 9.0.80 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.0 + - fixed: 8.5.94 + versions: + - 8.5.0 + - 8.5.11 + - 8.5.12 + - 8.5.13 + - 8.5.14 + - 8.5.15 + - 8.5.16 + - 8.5.19 + - 8.5.2 + - 8.5.20 + - 8.5.21 + - 8.5.23 + - 8.5.24 + - 8.5.27 + - 8.5.28 + - 8.5.29 + - 8.5.3 + - 8.5.30 + - 8.5.31 + - 8.5.32 + - 8.5.33 + - 8.5.34 + - 8.5.35 + - 8.5.37 + - 8.5.38 + - 8.5.39 + - 8.5.4 + - 8.5.40 + - 8.5.41 + - 8.5.42 + - 8.5.43 + - 8.5.45 + - 8.5.46 + - 8.5.47 + - 8.5.49 + - 8.5.5 + - 8.5.50 + - 8.5.51 + - 8.5.53 + - 8.5.54 + - 8.5.55 + - 8.5.56 + - 8.5.57 + - 8.5.58 + - 8.5.59 + - 8.5.6 + - 8.5.60 + - 8.5.61 + - 8.5.63 + - 8.5.64 + - 8.5.65 + - 8.5.66 + - 8.5.68 + - 8.5.69 + - 8.5.70 + - 8.5.71 + - 8.5.72 + - 8.5.73 + - 8.5.75 + - 8.5.76 + - 8.5.77 + - 8.5.78 + - 8.5.79 + - 8.5.8 + - 8.5.81 + - 8.5.82 + - 8.5.83 + - 8.5.84 + - 8.5.85 + - 8.5.86 + - 8.5.87 + - 8.5.88 + - 8.5.89 + - 8.5.9 + - 8.5.90 + - 8.5.91 + - 8.5.92 + - 8.5.93 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-45648 + - type: WEB + url: https://github.com/apache/tomcat/commit/59583245639d8c42ae0009f4a4a70464d3ea70a0 + - type: WEB + url: 
https://github.com/apache/tomcat/commit/8ecff306507be8e4fd3adee1ae5de1ea6661a8f4 + - type: WEB + url: https://github.com/apache/tomcat/commit/c83fe47725f7ae9ae213568d9039171124fb7ec6 + - type: WEB + url: https://github.com/apache/tomcat/commit/eb5c094e5560764cda436362254997511a3ca1f6 + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20231103-0007 + - type: WEB + url: https://www.debian.org/security/2023/dsa-5521 + - type: WEB + url: https://www.debian.org/security/2023/dsa-5522 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2023/10/10/10 + database_specific: + cwe_ids: + - CWE-20 + github_reviewed: true + github_reviewed_at: "2023-10-10T22:29:58Z" + nvd_published_at: "2023-10-10T19:15:09Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-rq2w-37h9-vg94 + modified: 2024-04-23T22:00:59.346897Z + published: 2023-01-03T21:30:21Z + aliases: + - BIT-tomcat-2022-45143 + - CVE-2022-45143 + summary: Apache Tomcat improperly escapes input from JsonErrorReportValve + details: The `JsonErrorReportValve` in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 does not escape the `type`, `message` or `description` values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.83 + - fixed: 8.5.84 + versions: + - 8.5.83 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.40 + - fixed: 9.0.69 + versions: + - 9.0.40 + - 9.0.41 + - 9.0.43 + - 9.0.44 + - 9.0.45 + - 9.0.46 + - 9.0.48 + - 9.0.50 + - 9.0.52 + - 9.0.53 + - 9.0.54 + - 9.0.55 + - 9.0.56 + - 9.0.58 + - 9.0.59 + - 9.0.60 + - 9.0.62 + - 9.0.63 + - 9.0.64 + - 9.0.65 + - 9.0.67 + - 9.0.68 + database_specific: + last_known_affected_version_range: <= 9.0.68 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.1.0 + - fixed: 10.1.2 + versions: + - 10.1.0 + - 10.1.1 + database_specific: + last_known_affected_version_range: <= 10.1.1 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-catalina + purl: pkg:maven/org.apache.tomcat/tomcat-catalina + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.1.0 + - fixed: 10.1.2 + versions: + - 10.1.0 + - 10.1.1 + database_specific: + last_known_affected_version_range: <= 10.1.1 + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-util + purl: pkg:maven/org.apache.tomcat/tomcat-util + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.5.83 + - fixed: 8.5.84 + versions: + - 8.5.83 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-util + purl: pkg:maven/org.apache.tomcat/tomcat-util + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.40 + - fixed: 9.0.69 + versions: + - 9.0.40 + - 9.0.41 + - 9.0.43 + - 9.0.44 + - 9.0.45 + - 9.0.46 + - 9.0.48 + - 9.0.50 + - 9.0.52 + - 9.0.53 + - 9.0.54 + - 9.0.55 + - 9.0.56 + - 9.0.58 + - 9.0.59 + - 9.0.60 + - 9.0.62 + - 9.0.63 + - 9.0.64 + - 9.0.65 + - 9.0.67 + - 9.0.68 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-45143 + - type: WEB + url: https://github.com/apache/tomcat/commit/0cab3a56bd89f70e7481bb0d68395dc7e130dbbf + - type: WEB + url: https://github.com/apache/tomcat/commit/6a0ac6a438cbbb66b6e9c5223842f53bf0cb50aa + - type: WEB + url: https://github.com/apache/tomcat/commit/b336f4e58893ea35114f1e4a415657f723b1298e + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj + - type: WEB + url: https://security.gentoo.org/glsa/202305-37 + database_specific: + cwe_ids: + - CWE-116 + - CWE-74 + github_reviewed: true + github_reviewed_at: "2023-01-05T12:02:50Z" + nvd_published_at: "2023-01-03T19:15:00Z" + 
severity: HIGH + - schema_version: 1.6.0 + id: GHSA-wf5v-jhxj-q632 + modified: 2024-02-22T16:49:15.848607Z + published: 2022-05-17T00:24:30Z + aliases: + - CVE-2014-0095 + summary: Denial of service in Apache Tomcat + details: 'java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache Tomcat 8.x before 8.0.4 allows remote attackers to cause a denial of service (thread consumption) by using a "Content-Length: 0" AJP request to trigger a hang in request processing.' + affected: + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-coyote + purl: pkg:maven/org.apache.tomcat/tomcat-coyote + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.0.0-RC1 + - fixed: 8.0.4 + versions: + - 8.0.0-RC1 + - 8.0.0-RC10 + - 8.0.0-RC3 + - 8.0.0-RC5 + - 8.0.1 + - 8.0.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wf5v-jhxj-q632/GHSA-wf5v-jhxj-q632.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 8.0.0-RC1 + - fixed: 8.0.4 + versions: + - 8.0.0-RC1 + - 8.0.0-RC10 + - 8.0.0-RC3 + - 8.0.0-RC5 + - 8.0.1 + - 8.0.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wf5v-jhxj-q632/GHSA-wf5v-jhxj-q632.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2014-0095 + - type: WEB + url: https://github.com/apache/tomcat/commit/8884dae60ace77a87ed9385442ce429e98c3a479 + - type: WEB + url: https://github.com/apache/tomcat80/commit/77590c897f0e542fe363d70efdf3b82209510aee + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://web.archive.org/web/20140713043210/http://www.securitytracker.com/id/1030300 + - type: WEB + url: https://web.archive.org/web/20141126170141/http://www.securityfocus.com/bid/67673 + - type: WEB + 
url: https://web.archive.org/web/20151017043748/http://secunia.com/advisories/60729 + - type: WEB + url: https://web.archive.org/web/20161024215453/http://secunia.com/advisories/59873 + - type: WEB + url: http://seclists.org/fulldisclosure/2014/May/134 + - type: WEB + url: http://svn.apache.org/viewvc?view=revision&revision=1578392 + - type: WEB + url: http://tomcat.apache.org/security-8.html + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21678231 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21681528 + - type: WEB + url: http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html + database_specific: + cwe_ids: + - CWE-20 + github_reviewed: true + github_reviewed_at: "2024-01-08T20:19:10Z" + nvd_published_at: "2014-05-31T11:17:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-wm9w-rjj3-j356 + modified: 2024-07-05T20:57:34.262116Z + published: 2024-07-03T21:39:44Z + aliases: + - CVE-2024-34750 + summary: Apache Tomcat - Denial of Service + details: |+ + Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. + + This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. + + Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue. 
+ + affected: + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0-M1 + - fixed: 11.0.0-M21 + versions: + - 11.0.0-M1 + - 11.0.0-M10 + - 11.0.0-M11 + - 11.0.0-M12 + - 11.0.0-M13 + - 11.0.0-M14 + - 11.0.0-M15 + - 11.0.0-M16 + - 11.0.0-M17 + - 11.0.0-M18 + - 11.0.0-M19 + - 11.0.0-M20 + - 11.0.0-M3 + - 11.0.0-M4 + - 11.0.0-M5 + - 11.0.0-M6 + - 11.0.0-M7 + - 11.0.0-M9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.1.0-M1 + - fixed: 10.1.25 + versions: + - 10.1.0 + - 10.1.0-M1 + - 10.1.0-M10 + - 10.1.0-M11 + - 10.1.0-M12 + - 10.1.0-M14 + - 10.1.0-M15 + - 10.1.0-M16 + - 10.1.0-M17 + - 10.1.0-M2 + - 10.1.0-M4 + - 10.1.0-M5 + - 10.1.0-M6 + - 10.1.0-M7 + - 10.1.0-M8 + - 10.1.1 + - 10.1.10 + - 10.1.11 + - 10.1.12 + - 10.1.13 + - 10.1.14 + - 10.1.15 + - 10.1.16 + - 10.1.17 + - 10.1.18 + - 10.1.19 + - 10.1.2 + - 10.1.20 + - 10.1.23 + - 10.1.24 + - 10.1.4 + - 10.1.5 + - 10.1.6 + - 10.1.7 + - 10.1.8 + - 10.1.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json + - package: + ecosystem: Maven + name: org.apache.tomcat.embed:tomcat-embed-core + purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0-M1 + - fixed: 9.0.90 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M3 + - 
9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 + - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 + - 9.0.40 + - 9.0.41 + - 9.0.43 + - 9.0.44 + - 9.0.45 + - 9.0.46 + - 9.0.48 + - 9.0.5 + - 9.0.50 + - 9.0.52 + - 9.0.53 + - 9.0.54 + - 9.0.55 + - 9.0.56 + - 9.0.58 + - 9.0.59 + - 9.0.6 + - 9.0.60 + - 9.0.62 + - 9.0.63 + - 9.0.64 + - 9.0.65 + - 9.0.67 + - 9.0.68 + - 9.0.69 + - 9.0.7 + - 9.0.70 + - 9.0.71 + - 9.0.72 + - 9.0.73 + - 9.0.74 + - 9.0.75 + - 9.0.76 + - 9.0.78 + - 9.0.79 + - 9.0.8 + - 9.0.80 + - 9.0.81 + - 9.0.82 + - 9.0.83 + - 9.0.84 + - 9.0.85 + - 9.0.86 + - 9.0.87 + - 9.0.88 + - 9.0.89 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-coyote + purl: pkg:maven/org.apache.tomcat/tomcat-coyote + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0-M1 + - fixed: 11.0.0-M21 + versions: + - 11.0.0-M1 + - 11.0.0-M10 + - 11.0.0-M11 + - 11.0.0-M12 + - 11.0.0-M13 + - 11.0.0-M14 + - 11.0.0-M15 + - 11.0.0-M16 + - 11.0.0-M17 + - 11.0.0-M18 + - 11.0.0-M19 + - 11.0.0-M20 + - 11.0.0-M3 + - 11.0.0-M4 + - 11.0.0-M5 + - 11.0.0-M6 + - 11.0.0-M7 + - 11.0.0-M9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-coyote + purl: pkg:maven/org.apache.tomcat/tomcat-coyote + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.1.0-M1 + - fixed: 10.1.25 + versions: + - 10.1.0 + - 10.1.0-M1 + - 10.1.0-M10 + - 10.1.0-M11 + - 10.1.0-M12 + - 10.1.0-M14 + - 10.1.0-M15 + - 10.1.0-M16 + - 
10.1.0-M17 + - 10.1.0-M2 + - 10.1.0-M4 + - 10.1.0-M5 + - 10.1.0-M6 + - 10.1.0-M7 + - 10.1.0-M8 + - 10.1.1 + - 10.1.10 + - 10.1.11 + - 10.1.12 + - 10.1.13 + - 10.1.14 + - 10.1.15 + - 10.1.16 + - 10.1.17 + - 10.1.18 + - 10.1.19 + - 10.1.2 + - 10.1.20 + - 10.1.23 + - 10.1.24 + - 10.1.4 + - 10.1.5 + - 10.1.6 + - 10.1.7 + - 10.1.8 + - 10.1.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json + - package: + ecosystem: Maven + name: org.apache.tomcat:tomcat-coyote + purl: pkg:maven/org.apache.tomcat/tomcat-coyote + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0-M1 + - fixed: 9.0.90 + versions: + - 9.0.0.M1 + - 9.0.0.M10 + - 9.0.0.M11 + - 9.0.0.M13 + - 9.0.0.M15 + - 9.0.0.M17 + - 9.0.0.M18 + - 9.0.0.M19 + - 9.0.0.M20 + - 9.0.0.M21 + - 9.0.0.M22 + - 9.0.0.M25 + - 9.0.0.M26 + - 9.0.0.M27 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M6 + - 9.0.0.M8 + - 9.0.0.M9 + - 9.0.1 + - 9.0.10 + - 9.0.11 + - 9.0.12 + - 9.0.13 + - 9.0.14 + - 9.0.16 + - 9.0.17 + - 9.0.19 + - 9.0.2 + - 9.0.20 + - 9.0.21 + - 9.0.22 + - 9.0.24 + - 9.0.26 + - 9.0.27 + - 9.0.29 + - 9.0.30 + - 9.0.31 + - 9.0.33 + - 9.0.34 + - 9.0.35 + - 9.0.36 + - 9.0.37 + - 9.0.38 + - 9.0.39 + - 9.0.4 + - 9.0.40 + - 9.0.41 + - 9.0.43 + - 9.0.44 + - 9.0.45 + - 9.0.46 + - 9.0.48 + - 9.0.5 + - 9.0.50 + - 9.0.52 + - 9.0.53 + - 9.0.54 + - 9.0.55 + - 9.0.56 + - 9.0.58 + - 9.0.59 + - 9.0.6 + - 9.0.60 + - 9.0.62 + - 9.0.63 + - 9.0.64 + - 9.0.65 + - 9.0.67 + - 9.0.68 + - 9.0.69 + - 9.0.7 + - 9.0.70 + - 9.0.71 + - 9.0.72 + - 9.0.73 + - 9.0.74 + - 9.0.75 + - 9.0.76 + - 9.0.78 + - 9.0.79 + - 9.0.8 + - 9.0.80 + - 9.0.81 + - 9.0.82 + - 9.0.83 + - 9.0.84 + - 9.0.85 + - 9.0.86 + - 9.0.87 + - 9.0.88 + - 9.0.89 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json + severity: + - type: CVSS_V3 + score: 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + - type: CVSS_V4 + score: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2024-34750 + - type: WEB + url: https://github.com/apache/tomcat/commit/2344a4c0d03e307ba6b8ab6dc8b894cc8bac63f2 + - type: WEB + url: https://github.com/apache/tomcat/commit/2afae300c9ac9c0e516e2e9de580847d925365c3 + - type: WEB + url: https://github.com/apache/tomcat/commit/9fec9a82887853402833a80b584e3762c7423f5f + - type: PACKAGE + url: https://github.com/apache/tomcat + - type: WEB + url: https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l + - type: WEB + url: https://tomcat.apache.org/security-10.html + - type: WEB + url: https://tomcat.apache.org/security-11.html + - type: WEB + url: https://tomcat.apache.org/security-9.html + database_specific: + cwe_ids: + - CWE-400 + - CWE-755 + github_reviewed: true + github_reviewed_at: "2024-07-05T20:39:41Z" + nvd_published_at: "2024-07-03T20:15:04Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-4qw8-pgpr-p9mq + modified: 2024-02-16T08:17:18.8158Z + published: 2021-09-07T22:56:43Z + aliases: + - CVE-2019-10095 + summary: Bash command injection in Apache Zeppelin + details: bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.zeppelin:zeppelin + purl: pkg:maven/org.apache.zeppelin/zeppelin + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 0.10.0 + versions: + - 0.5.0-incubating + - 0.6.0 + - 0.6.1 + - 0.6.2 + - 0.7.0 + - 0.7.1 + - 0.7.2 + - 0.7.3 + - 0.8.0 + - 0.8.1 + - 0.8.2 + - 0.9.0 + - 0.9.0-preview1 + - 0.9.0-preview2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-4qw8-pgpr-p9mq/GHSA-4qw8-pgpr-p9mq.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-10095 + - type: PACKAGE + url: https://github.com/apache/zeppelin + - type: WEB + url: https://lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b%40%3Cusers.zeppelin.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b@%3Cusers.zeppelin.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208@%3Cusers.zeppelin.apache.org%3E + - type: WEB + url: https://security.gentoo.org/glsa/202311-04 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/09/02/1 + database_specific: + cwe_ids: + - CWE-77 + - CWE-78 + github_reviewed: true + github_reviewed_at: "2021-09-03T20:16:11Z" + nvd_published_at: "2021-09-02T17:15:00Z" + severity: CRITICAL + - 
schema_version: 1.6.0 + id: GHSA-87p2-cvhq-q4mv + modified: 2024-02-16T08:20:33.71896Z + published: 2021-09-07T22:56:56Z + aliases: + - CVE-2020-13929 + summary: Authentication bypass in Apache Zeppelin + details: Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin authentication mechanism to act as another user. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions. + affected: + - package: + ecosystem: Maven + name: org.apache.zeppelin:zeppelin + purl: pkg:maven/org.apache.zeppelin/zeppelin + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 0.10.0 + versions: + - 0.5.0-incubating + - 0.6.0 + - 0.6.1 + - 0.6.2 + - 0.7.0 + - 0.7.1 + - 0.7.2 + - 0.7.3 + - 0.8.0 + - 0.8.1 + - 0.8.2 + - 0.9.0 + - 0.9.0-preview1 + - 0.9.0-preview2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-87p2-cvhq-q4mv/GHSA-87p2-cvhq-q4mv.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-13929 + - type: PACKAGE + url: https://github.com/apache/zeppelin + - type: WEB + url: https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cusers.zeppelin.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028@%3Cusers.zeppelin.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r99529e175a7c1c9a26bd41a02802c8af7aa97319fe561874627eb999%40%3Cusers.zeppelin.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r99529e175a7c1c9a26bd41a02802c8af7aa97319fe561874627eb999@%3Cusers.zeppelin.apache.org%3E + - type: WEB + url: https://security.gentoo.org/glsa/202311-04 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/09/02/2 + database_specific: + cwe_ids: + - CWE-287 + github_reviewed: true + github_reviewed_at: "2021-09-03T20:16:12Z" + nvd_published_at: "2021-09-02T17:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-9p8j-hrgf-jc2g + modified: 2023-11-08T04:10:58.147637Z + published: 2022-12-20T21:30:19Z + aliases: + - CVE-2022-46870 + summary: Apache Zeppelin Cross-site Scripting vulnerability + details: An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users' browsers. This issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin. + affected: + - package: + ecosystem: Maven + name: org.apache.zeppelin:zeppelin + purl: pkg:maven/org.apache.zeppelin/zeppelin + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 0.8.2 + versions: + - 0.5.0-incubating + - 0.6.0 + - 0.6.1 + - 0.6.2 + - 0.7.0 + - 0.7.1 + - 0.7.2 + - 0.7.3 + - 0.8.0 + - 0.8.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-9p8j-hrgf-jc2g/GHSA-9p8j-hrgf-jc2g.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-46870 + - type: PACKAGE + url: https://github.com/apache/zeppelin + - type: WEB + url: https://lists.apache.org/thread/gb1wdnrm1095xw6qznpsycfrht4lwbwc + database_specific: + cwe_ids: + - CWE-79 + github_reviewed: true + github_reviewed_at: "2022-12-20T22:10:26Z" + nvd_published_at: "2022-12-16T13:15:00Z" + severity: MODERATE + - schema_version: 
1.6.0 + id: GHSA-9x2h-hvg6-4r5p + modified: 2023-11-08T03:59:52.831613Z + published: 2019-04-24T16:06:52Z + aliases: + - CVE-2018-1317 + summary: Improper Authentication in Apache Zeppelin + details: In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication. + affected: + - package: + ecosystem: Maven + name: org.apache.zeppelin:zeppelin + purl: pkg:maven/org.apache.zeppelin/zeppelin + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 0.8.0 + versions: + - 0.5.0-incubating + - 0.6.0 + - 0.6.1 + - 0.6.2 + - 0.7.0 + - 0.7.1 + - 0.7.2 + - 0.7.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-9x2h-hvg6-4r5p/GHSA-9x2h-hvg6-4r5p.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-1317 + - type: WEB + url: https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06@%3Cusers.zeppelin.apache.org%3E + - type: WEB + url: https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html + - type: WEB + url: http://www.openwall.com/lists/oss-security/2019/04/23/1 + database_specific: + cwe_ids: + - CWE-287 + github_reviewed: true + github_reviewed_at: "2019-04-24T16:07:02Z" + nvd_published_at: "2019-04-23T15:29:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-c538-924g-99q4 + modified: 2023-11-08T03:58:53.247281Z + published: 2019-04-24T16:06:59Z + aliases: + - CVE-2017-12619 + summary: Session Fixation in Apache Zeppelin + details: Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session. Issue was reported by "stone lone". 
+ affected: + - package: + ecosystem: Maven + name: org.apache.zeppelin:zeppelin + purl: pkg:maven/org.apache.zeppelin/zeppelin + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 0.7.3 + versions: + - 0.5.0-incubating + - 0.6.0 + - 0.6.1 + - 0.6.2 + - 0.7.0 + - 0.7.1 + - 0.7.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-c538-924g-99q4/GHSA-c538-924g-99q4.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-12619 + - type: WEB + url: https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06@%3Cusers.zeppelin.apache.org%3E + - type: WEB + url: https://zeppelin.apache.org/releases/zeppelin-release-0.7.3.html + - type: WEB + url: http://www.openwall.com/lists/oss-security/2019/04/23/1 + database_specific: + cwe_ids: + - CWE-384 + github_reviewed: true + github_reviewed_at: "2019-04-24T16:04:01Z" + nvd_published_at: "2019-04-23T15:29:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-gm67-h5wr-w3cv + modified: 2024-02-16T08:14:41.034081Z + published: 2023-07-06T19:24:05Z + aliases: + - CVE-2021-28655 + summary: Apache Zeppelin Improper Input Validation vulnerability + details: The improper Input Validation vulnerability in `Move folder to Trash` feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.zeppelin:zeppelin + purl: pkg:maven/org.apache.zeppelin/zeppelin + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 0.10.0 + versions: + - 0.5.0-incubating + - 0.6.0 + - 0.6.1 + - 0.6.2 + - 0.7.0 + - 0.7.1 + - 0.7.2 + - 0.7.3 + - 0.8.0 + - 0.8.1 + - 0.8.2 + - 0.9.0 + - 0.9.0-preview1 + - 0.9.0-preview2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-gm67-h5wr-w3cv/GHSA-gm67-h5wr-w3cv.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-28655 + - type: PACKAGE + url: https://github.com/apache/zeppelin + - type: WEB + url: https://lists.apache.org/thread/bxs056g3xlsofz0jb3wny9dw4llwptd2 + database_specific: + cwe_ids: + - CWE-20 + github_reviewed: true + github_reviewed_at: "2023-07-06T21:44:43Z" + nvd_published_at: "2022-12-16T13:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-mf7q-gw5f-q8jj + modified: 2024-02-16T08:08:39.299528Z + published: 2021-09-07T22:55:56Z + aliases: + - CVE-2021-27578 + summary: Cross-site Scripting in Apache Zeppelin + details: Cross Site Scripting vulnerability in markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts. This issue affects Apache Zeppelin Apache Zeppelin versions prior to 0.9.0. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.zeppelin:zeppelin + purl: pkg:maven/org.apache.zeppelin/zeppelin + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 0.9.0 + versions: + - 0.5.0-incubating + - 0.6.0 + - 0.6.1 + - 0.6.2 + - 0.7.0 + - 0.7.1 + - 0.7.2 + - 0.7.3 + - 0.8.0 + - 0.8.1 + - 0.8.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-mf7q-gw5f-q8jj/GHSA-mf7q-gw5f-q8jj.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-27578 + - type: PACKAGE + url: https://github.com/apache/zeppelin + - type: WEB + url: https://lists.apache.org/thread.html/r31012f2c8e39a5e12e14c1de030012cb8b51c037d953d73b291b7b50%40%3Cusers.zeppelin.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r31012f2c8e39a5e12e14c1de030012cb8b51c037d953d73b291b7b50@%3Cusers.zeppelin.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cusers.zeppelin.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d@%3Cannounce.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d@%3Cusers.zeppelin.apache.org%3E + - type: WEB + url: https://security.gentoo.org/glsa/202311-04 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/09/02/3 + database_specific: + cwe_ids: + - CWE-79 + github_reviewed: true + github_reviewed_at: "2021-09-03T20:16:10Z" + nvd_published_at: "2021-09-02T17:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-r2v5-5vcr-h3vq + modified: 
2023-11-08T03:59:53.255873Z + published: 2019-04-24T16:07:36Z + aliases: + - CVE-2018-1328 + summary: Cross-site Scripting in Apache Zeppelin + details: Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions. Issue reported by "Josna Joseph". + affected: + - package: + ecosystem: Maven + name: org.apache.zeppelin:zeppelin + purl: pkg:maven/org.apache.zeppelin/zeppelin + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 0.8.0 + versions: + - 0.5.0-incubating + - 0.6.0 + - 0.6.1 + - 0.6.2 + - 0.7.0 + - 0.7.1 + - 0.7.2 + - 0.7.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-r2v5-5vcr-h3vq/GHSA-r2v5-5vcr-h3vq.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-1328 + - type: WEB + url: https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06@%3Cusers.zeppelin.apache.org%3E + - type: WEB + url: https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html + - type: WEB + url: http://www.openwall.com/lists/oss-security/2019/04/23/1 + database_specific: + cwe_ids: + - CWE-79 + github_reviewed: true + github_reviewed_at: "2019-04-24T16:03:49Z" + nvd_published_at: "2019-04-23T15:29:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-86jx-wr74-xr74 + modified: 2024-05-24T20:26:51.784933Z + published: 2024-04-09T18:30:22Z + aliases: + - CVE-2024-31866 + summary: Improper escaping in Apache Zeppelin + details: |+ + Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. + + The attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES. + This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. + + Users are recommended to upgrade to version 0.11.1, which fixes the issue. 
+ + affected: + - package: + ecosystem: Maven + name: org.apache.zeppelin:zeppelin-interpreter + purl: pkg:maven/org.apache.zeppelin/zeppelin-interpreter + ranges: + - type: ECOSYSTEM + events: + - introduced: 0.8.2 + - fixed: 0.11.1 + versions: + - 0.10.0 + - 0.10.1 + - 0.11.0 + - 0.8.2 + - 0.9.0 + - 0.9.0-preview1 + - 0.9.0-preview2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-86jx-wr74-xr74/GHSA-86jx-wr74-xr74.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2024-31866 + - type: WEB + url: https://github.com/apache/zeppelin/pull/4715 + - type: WEB + url: https://github.com/apache/zeppelin/commit/dd08a3966ef3b0b40f13d0291d7cac5ec3dd9f9c + - type: PACKAGE + url: https://github.com/apache/zeppelin + - type: WEB + url: https://lists.apache.org/thread/jpkbq3oktopt34x2n5wnhzc2r1410ddd + - type: WEB + url: http://www.openwall.com/lists/oss-security/2024/04/09/10 + database_specific: + cwe_ids: + - CWE-116 + github_reviewed: true + github_reviewed_at: "2024-05-24T20:11:32Z" + nvd_published_at: "2024-04-09T16:15:08Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-rrvf-5w4r-3x7v + modified: 2024-05-01T20:31:00.734193Z + published: 2024-04-09T18:30:22Z + aliases: + - CVE-2024-31868 + summary: Apache Zeppelin vulnerable to cross-site scripting in the helium module + details: |+ + Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. + + Attackers can modify `helium.json` and perform cross-site scripting attacks on normal users. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. + + Users are recommended to upgrade to version 0.11.1, which fixes the issue. 
+ + affected: + - package: + ecosystem: Maven + name: org.apache.zeppelin:zeppelin-interpreter + purl: pkg:maven/org.apache.zeppelin/zeppelin-interpreter + ranges: + - type: ECOSYSTEM + events: + - introduced: 0.8.2 + - fixed: 0.11.1 + versions: + - 0.10.0 + - 0.10.1 + - 0.11.0 + - 0.8.2 + - 0.9.0 + - 0.9.0-preview1 + - 0.9.0-preview2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-rrvf-5w4r-3x7v/GHSA-rrvf-5w4r-3x7v.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2024-31868 + - type: WEB + url: https://github.com/apache/zeppelin/pull/4728 + - type: PACKAGE + url: https://github.com/apache/zeppelin + - type: WEB + url: https://lists.apache.org/thread/55mqs673plsxmgnq7fdf2flftpllyf11 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2024/04/09/11 + database_specific: + cwe_ids: + - CWE-116 + - CWE-79 + github_reviewed: true + github_reviewed_at: "2024-04-11T20:13:12Z" + nvd_published_at: "2024-04-09T16:15:08Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-2hw2-62cp-p9p7 + modified: 2024-03-14T05:19:59.559879Z + published: 2019-05-29T18:54:11Z + aliases: + - CVE-2019-0201 + summary: Access control bypass in Apache ZooKeeper + details: An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper?s getACL() command doesn?t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.zookeeper:zookeeper + purl: pkg:maven/org.apache.zookeeper/zookeeper + ranges: + - type: ECOSYSTEM + events: + - introduced: 1.0.0 + - fixed: 3.4.14 + versions: + - 3.3.0 + - 3.3.1 + - 3.3.2 + - 3.3.3 + - 3.3.4 + - 3.3.5 + - 3.3.6 + - 3.4.0 + - 3.4.1 + - 3.4.10 + - 3.4.11 + - 3.4.12 + - 3.4.13 + - 3.4.2 + - 3.4.3 + - 3.4.4 + - 3.4.5 + - 3.4.6 + - 3.4.7 + - 3.4.8 + - 3.4.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-2hw2-62cp-p9p7/GHSA-2hw2-62cp-p9p7.json + - package: + ecosystem: Maven + name: org.apache.zookeeper:zookeeper + purl: pkg:maven/org.apache.zookeeper/zookeeper + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.5.0 + - fixed: 3.5.5 + versions: + - 3.5.1-alpha + - 3.5.2-alpha + - 3.5.3-beta + - 3.5.4-beta + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-2hw2-62cp-p9p7/GHSA-2hw2-62cp-p9p7.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-0201 + - type: WEB + url: https://zookeeper.apache.org/security.html#CVE-2019-0201 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.debian.org/security/2019/dsa-4461 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190619-0001 + - type: WEB + url: https://seclists.org/bugtraq/2019/Jun/13 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html + - type: WEB + url: https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a@%3Ccommits.accumulo.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://issues.apache.org/jira/browse/ZOOKEEPER-1392 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:4352 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3892 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3140 + - type: WEB + url: http://www.securityfocus.com/bid/108427 + database_specific: + cwe_ids: + - CWE-862 + github_reviewed: true + github_reviewed_at: "2019-05-29T18:53:55Z" + nvd_published_at: "2019-05-23T14:29:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-7286-pgfv-vxvh + modified: 2024-06-25T02:32:48.154078Z + published: 2023-10-11T12:30:27Z + aliases: + - BIT-zookeeper-2023-44981 + - CVE-2023-44981 + summary: Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper + details: | + Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. 
The instance part in SASL auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default. + + Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue. + + Alternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue. + + See the documentation for more details on correct cluster administration. + affected: + - package: + ecosystem: Maven + name: org.apache.zookeeper:zookeeper + purl: pkg:maven/org.apache.zookeeper/zookeeper + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.7.2 + versions: + - 3.3.0 + - 3.3.1 + - 3.3.2 + - 3.3.3 + - 3.3.4 + - 3.3.5 + - 3.3.6 + - 3.4.0 + - 3.4.1 + - 3.4.10 + - 3.4.11 + - 3.4.12 + - 3.4.13 + - 3.4.14 + - 3.4.2 + - 3.4.3 + - 3.4.4 + - 3.4.5 + - 3.4.6 + - 3.4.7 + - 3.4.8 + - 3.4.9 + - 3.5.0-alpha + - 3.5.1-alpha + - 3.5.10 + - 3.5.2-alpha + - 3.5.3-beta + - 3.5.4-beta + - 3.5.5 + - 3.5.6 + - 3.5.7 + - 3.5.8 + - 3.5.9 + - 3.6.0 + - 3.6.1 + - 3.6.2 + - 3.6.3 + - 3.6.4 + - 3.7.0 + - 3.7.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-7286-pgfv-vxvh/GHSA-7286-pgfv-vxvh.json + - package: + ecosystem: Maven + name: org.apache.zookeeper:zookeeper + purl: pkg:maven/org.apache.zookeeper/zookeeper + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.8.0 + - fixed: 3.8.3 + versions: + - 3.8.0 + - 3.8.1 + - 3.8.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-7286-pgfv-vxvh/GHSA-7286-pgfv-vxvh.json + - package: + ecosystem: Maven + name: org.apache.zookeeper:zookeeper + purl: 
pkg:maven/org.apache.zookeeper/zookeeper + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.9.0 + - fixed: 3.9.1 + versions: + - 3.9.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-7286-pgfv-vxvh/GHSA-7286-pgfv-vxvh.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-44981 + - type: PACKAGE + url: https://github.com/apache/zookeeper + - type: WEB + url: https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/10/msg00029.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20240621-0007 + - type: WEB + url: https://www.debian.org/security/2023/dsa-5544 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2023/10/11/4 + database_specific: + cwe_ids: + - CWE-639 + github_reviewed: true + github_reviewed_at: "2023-10-11T20:36:50Z" + nvd_published_at: "2023-10-11T12:15:11Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-7cwj-j333-x7f7 + modified: 2023-11-08T03:59:22.246576Z + published: 2022-05-13T01:08:23Z + aliases: + - CVE-2017-5637 + summary: Uncontrolled Resource Consumption in Apache ZooKeeper + details: Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.zookeeper:zookeeper + purl: pkg:maven/org.apache.zookeeper/zookeeper + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.4.0 + - fixed: 3.4.10 + versions: + - 3.4.0 + - 3.4.1 + - 3.4.2 + - 3.4.3 + - 3.4.4 + - 3.4.5 + - 3.4.6 + - 3.4.7 + - 3.4.8 + - 3.4.9 + database_specific: + last_known_affected_version_range: <= 3.4.9 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7cwj-j333-x7f7/GHSA-7cwj-j333-x7f7.json + - package: + ecosystem: Maven + name: org.apache.zookeeper:zookeeper + purl: pkg:maven/org.apache.zookeeper/zookeeper + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.5.0 + - fixed: 3.5.3 + versions: + - 3.5.1-alpha + - 3.5.2-alpha + - 3.5.3-beta + database_specific: + last_known_affected_version_range: <= 3.5.2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7cwj-j333-x7f7/GHSA-7cwj-j333-x7f7.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-5637 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:2477 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:3354 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:3355 + - type: WEB + url: https://issues.apache.org/jira/browse/ZOOKEEPER-2693 + - type: WEB + url: https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: http://www.debian.org/security/2017/dsa-3871 + - type: WEB + url: http://www.securityfocus.com/bid/98814 + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + github_reviewed_at: "2022-07-01T16:58:11Z" + nvd_published_at: "2017-10-10T01:30:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-ccqf-c5hq-77mp + modified: 2023-11-08T04:00:23.872615Z + published: 2022-05-13T01:05:57Z + aliases: + - CVE-2018-8012 + summary: Missing Authorization in Apache ZooKeeper + details: No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader. 
+ affected: + - package: + ecosystem: Maven + name: org.apache.zookeeper:zookeeper + purl: pkg:maven/org.apache.zookeeper/zookeeper + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.4.10 + versions: + - 3.3.0 + - 3.3.1 + - 3.3.2 + - 3.3.3 + - 3.3.4 + - 3.3.5 + - 3.3.6 + - 3.4.0 + - 3.4.1 + - 3.4.2 + - 3.4.3 + - 3.4.4 + - 3.4.5 + - 3.4.6 + - 3.4.7 + - 3.4.8 + - 3.4.9 + database_specific: + last_known_affected_version_range: <= 3.4.9 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-ccqf-c5hq-77mp/GHSA-ccqf-c5hq-77mp.json + - package: + ecosystem: Maven + name: org.apache.zookeeper:zookeeper + purl: pkg:maven/org.apache.zookeeper/zookeeper + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.5.0-alpha + - fixed: 3.5.4-beta + versions: + - 3.5.0-alpha + - 3.5.1-alpha + - 3.5.2-alpha + - 3.5.3-beta + database_specific: + last_known_affected_version_range: <= 3.5.3-beta + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-ccqf-c5hq-77mp/GHSA-ccqf-c5hq-77mp.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-8012 + - type: WEB + url: https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r73daf1fc5d85677d9a854707e1908d14e174b7bbb0c603709c0ab33f@%3Coak-commits.jackrabbit.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r8f0d920805af93033c488af89104e2d682662bacfb8406db865d5e14@%3Cdev.jackrabbit.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc5bc4ddb0deabf8cfb69378cecee56fcdc76929bea9e6373cb863870@%3Cdev.jackrabbit.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re3a4048e9515d4afea416df907a612ed384a16c57cf99e97ee4a12f2@%3Cdev.jackrabbit.apache.org%3E + - type: WEB + url: https://www.debian.org/security/2018/dsa-4214 + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: http://www.securityfocus.com/bid/104253 + - type: WEB + url: http://www.securitytracker.com/id/1040948 + database_specific: + cwe_ids: + - CWE-862 + github_reviewed: true + github_reviewed_at: "2022-06-29T19:03:52Z" + nvd_published_at: "2018-05-21T19:29:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-r978-9m6m-6gm6 + modified: 2024-05-02T19:03:17.317514Z + published: 2024-03-15T12:30:37Z + aliases: + - BIT-zookeeper-2024-23944 + - CVE-2024-23944 + summary: Apache ZooKeeper vulnerable to information disclosure in persistent watchers handling + details: | + Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It's important to note that only the path is exposed by this vulnerability, not the data of znode, but since znode path can contain sensitive information like user name or login ID, this issue is potentially critical. 
+ + Users are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue. + affected: + - package: + ecosystem: Maven + name: org.apache.zookeeper:zookeeper + purl: pkg:maven/org.apache.zookeeper/zookeeper + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.8.0 + - fixed: 3.8.4 + versions: + - 3.8.0 + - 3.8.1 + - 3.8.2 + - 3.8.3 + database_specific: + last_known_affected_version_range: <= 3.8.3 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-r978-9m6m-6gm6/GHSA-r978-9m6m-6gm6.json + - package: + ecosystem: Maven + name: org.apache.zookeeper:zookeeper + purl: pkg:maven/org.apache.zookeeper/zookeeper + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.9.0 + - fixed: 3.9.2 + versions: + - 3.9.0 + - 3.9.1 + database_specific: + last_known_affected_version_range: <= 3.9.1 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-r978-9m6m-6gm6/GHSA-r978-9m6m-6gm6.json + - package: + ecosystem: Maven + name: org.apache.zookeeper:zookeeper + purl: pkg:maven/org.apache.zookeeper/zookeeper + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.6.0 + - last_affected: 3.7.2 + versions: + - 3.6.0 + - 3.6.1 + - 3.6.2 + - 3.6.3 + - 3.6.4 + - 3.7.0 + - 3.7.1 + - 3.7.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-r978-9m6m-6gm6/GHSA-r978-9m6m-6gm6.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2024-23944 + - type: WEB + url: https://github.com/apache/zookeeper/commit/29c7b9462681f47c2ac12e609341cf9f52abac5c + - type: WEB + url: https://github.com/apache/zookeeper/commit/65b91d2d9a56157285c2a86b106e67c26520b01d + - type: WEB + url: https://github.com/apache/zookeeper/commit/daf7cfd04005cff1a4f7cab5ab13d41db88d0cd8 + - type: PACKAGE + url: https://github.com/apache/zookeeper + - type: WEB + url: 
https://lists.apache.org/thread/96s5nqssj03rznz9hv58txdb2k1lr79k + - type: WEB + url: http://www.openwall.com/lists/oss-security/2024/03/14/2 + database_specific: + cwe_ids: + - CWE-200 + github_reviewed: true + github_reviewed_at: "2024-03-15T19:35:37Z" + nvd_published_at: "2024-03-15T11:15:08Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-93jq-624g-4p9p + modified: 2024-03-14T05:32:17.618778Z + published: 2018-10-19T16:50:50Z + aliases: + - CVE-2017-14063 + summary: Improper Input Validation in async-http-client + details: Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL. + affected: + - package: + ecosystem: Maven + name: org.asynchttpclient:async-http-client + purl: pkg:maven/org.asynchttpclient/async-http-client + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.0.35 + versions: + - 2.0.0 + - 2.0.0-RC1 + - 2.0.0-RC10 + - 2.0.0-RC11 + - 2.0.0-RC12 + - 2.0.0-RC13 + - 2.0.0-RC14 + - 2.0.0-RC15 + - 2.0.0-RC16 + - 2.0.0-RC17 + - 2.0.0-RC18 + - 2.0.0-RC19 + - 2.0.0-RC2 + - 2.0.0-RC20 + - 2.0.0-RC21 + - 2.0.0-RC3 + - 2.0.0-RC4 + - 2.0.0-RC5 + - 2.0.0-RC6 + - 2.0.0-RC7 + - 2.0.0-RC8 + - 2.0.0-RC9 + - 2.0.0-alpha13 + - 2.0.0-alpha14 + - 2.0.0-alpha15 + - 2.0.0-alpha16 + - 2.0.0-alpha17 + - 2.0.0-alpha18 + - 2.0.0-alpha19 + - 2.0.0-alpha20 + - 2.0.0-alpha21 + - 2.0.0-alpha22 + - 2.0.0-alpha23 + - 2.0.0-alpha24 + - 2.0.0-alpha25 + - 2.0.0-alpha26 + - 2.0.0-alpha27 + - 2.0.1 + - 2.0.10 + - 2.0.11 + - 2.0.12 + - 2.0.13 + - 2.0.14 + - 2.0.15 + - 2.0.16 + - 2.0.17 + - 2.0.18 + - 2.0.19 + - 2.0.2 + - 2.0.20 + - 2.0.21 + - 2.0.22 + - 2.0.23 + - 2.0.24 + - 2.0.25 + - 2.0.26 + - 2.0.27 + - 2.0.28 + - 2.0.29 + - 2.0.3 + - 2.0.30 + - 2.0.31 + - 2.0.32 + - 2.0.33 + - 2.0.34 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 
2.0.7 + - 2.0.8 + - 2.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-93jq-624g-4p9p/GHSA-93jq-624g-4p9p.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-14063 + - type: WEB + url: https://github.com/AsyncHttpClient/async-http-client/issues/1455 + - type: WEB + url: https://lists.apache.org/thread.html/rfe55d83e4070bcc9285bbbf6bc39635dbcbba6d14d89aab0f339c83a@%3Ccommits.tez.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfd823a733b02cffbef5a69953fdcbed2d1d0afad5e1ea4e96ff6bf0a@%3Cissues.tez.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfaa4d578587f52a9c4d176af516a681a712c664e3be440a4163691d5@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re7367895ccbf64523efcd39a9181baf2eaa30b069d8d6496852fba56@%3Cissues.tez.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re2510852c4a1f635b14b35e5dfd7597076928e723ab08559ede575e0@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcb46acc25917e01ebecca132e870da9ab935d5796686ed8a2785b026@%3Cissues.tez.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc550b8955b37b40fee18db99f167337c41c930d8c3763b9631e01dda@%3Cissues.tez.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbc4fbb06ccb10e26e6064f57f6bd4935eabe2d18a0cb9a7183699396@%3Cissues.tez.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbbad61e1ba5b21e234a6664963618acfee237af754eb20300d938e1e@%3Cissues.tez.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r9ea5d489e004b40baf73880c4e11dd4de24b799d15e091e1f4017108@%3Cissues.tez.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r868875e67494a18d31e88cba2672f45c3fc6708ffdde445723004da4@%3Cissues.tez.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r79d9bab405414af45568c4683386f5e9fd02c10ca87ffa2ee33512dc@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7879a48644f708be0529bd39f0679ad3ad951f3dc24442878a008fd8@%3Cissues.tez.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7046a51116207588e36ca8c2e291327e391dae40712d267117475a98@%3Cdev.tez.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r683d78c6d7a15659f2bb82dd4120dab8c45a870eaa7f1a15cce4ed3b@%3Cissues.tez.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5f794dc07913c5f2ec08f540813b40e61b562d36f8b1f916e8705c56@%3Cissues.tez.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5f07c30721503d4c02d5451f77a611a1a0bb2a94ddcdf071c9485ea3@%3Cissues.tez.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5b8666c4414500ff6e993bfa69cb6afa19b1b67c4585a045c0c21662@%3Cissues.tez.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4ebb9596d890f3528630492bd78237b3eef06f093bac238a0da9b630@%3Cissues.tez.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r41a0e2c36f7d1854a4d56cb1e4aa720ef501782d887ece1c9b1e2d60@%3Cissues.tez.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3df4b7ccc363b4850a24842138117aa4451b875bc4773a845b828fc6@%3Cissues.tez.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r14a74d204f285dd3a4fa203de6dbb4e741ddb7fdfff7915590e5b3db@%3Cdev.tez.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0a6b6429a7558051dbb70bd06584b4b1c334a80ec9203d3d39b7045a@%3Ccommits.tez.apache.org%3E + - 
type: WEB + url: https://lists.apache.org/thread.html/r04b15fd898a6b1612153543375daaa8145a0fd1804ec9fa2e0d95c97@%3Cissues.tez.apache.org%3E + - type: ADVISORY + url: https://github.com/advisories/GHSA-93jq-624g-4p9p + - type: PACKAGE + url: https://github.com/AsyncHttpClient/async-http-client + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2669 + - type: WEB + url: http://openwall.com/lists/oss-security/2017/08/31/4 + database_specific: + cwe_ids: + - CWE-20 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:27:19Z" + nvd_published_at: null + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-4446-656p-f54g + modified: 2024-02-22T05:44:11.786609Z + published: 2018-10-17T16:23:12Z + aliases: + - CVE-2018-1000613 + summary: Deserialization of Untrusted Data in Bouncy castle + details: "Legion of the Bouncy Castle Java Cryptography APIs starting in version 1.57 and prior to version 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. \n\nThis vulnerability appears to have been fixed in 1.60 and later." 
+ affected: + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.57" + - fixed: "1.60" + versions: + - "1.57" + - "1.58" + - "1.59" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4446-656p-f54g/GHSA-4446-656p-f54g.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-1000613 + - type: WEB + url: https://github.com/bcgit/bc-java/commit/4092ede58da51af9a21e4825fbad0d9a3ef5a223#diff-2c06e2edef41db889ee14899e12bd574 + - type: WEB + url: https://github.com/bcgit/bc-java/commit/cc9f91c41be67e88fca4e38f4872418448950fd9 + - type: WEB + url: https://github.com/bcgit/bc-java/commit/cd98322b171b15b3f88c5ec871175147893c31e6#diff-148a6c098af0199192d6aede960f45dc + - type: ADVISORY + url: https://github.com/advisories/GHSA-4446-656p-f54g + - type: PACKAGE + url: https://github.com/bcgit/bc-java + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190204-0003 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html + - type: WEB + url: 
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html + database_specific: + cwe_ids: + - CWE-470 + - CWE-502 + github_reviewed: true + github_reviewed_at: "2020-06-16T20:57:10Z" + nvd_published_at: "2018-07-09T20:29:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-6xx3-rg99-gc3p + modified: 2024-02-17T05:52:01.093029Z + published: 2021-08-13T15:22:31Z + aliases: + - CVE-2020-15522 + summary: Timing based private key exposure in Bouncy Castle + details: Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.2.1, BC before 1.66, BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures. + affected: + - package: + ecosystem: Maven + name: org.bouncycastle:bc-fips + purl: pkg:maven/org.bouncycastle/bc-fips + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.0.2.1 + versions: + - 1.0.0 + - 1.0.1 + - 1.0.2 + database_specific: + last_known_affected_version_range: <= 1.0.2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-ext-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-ext-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.66" + versions: + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.52" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json + - package: + 
ecosystem: Maven + name: org.bouncycastle:bcprov-ext-jdk16 + purl: pkg:maven/org.bouncycastle/bcprov-ext-jdk16 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.66" + versions: + - "1.45" + - "1.46" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk14 + purl: pkg:maven/org.bouncycastle/bcprov-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.66" + versions: + - "1.38" + - "1.43" + - "1.44" + - "1.45" + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15 + purl: pkg:maven/org.bouncycastle/bcprov-jdk15 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.66" + versions: + - "1.32" + - "1.38" + - "1.40" + - "1.43" + - "1.44" + - "1.45" + - "1.46" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.66" + versions: + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.52" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - 1.65.01 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcprov-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.66" + versions: + - "1.63" + - "1.64" + - "1.65" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk16 + purl: pkg:maven/org.bouncycastle/bcprov-jdk16 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.66" + versions: + - "1.38" + - "1.40" + - "1.43" + - "1.44" + - "1.45" + - "1.46" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json + - package: + ecosystem: NuGet + name: BouncyCastle + purl: pkg:nuget/BouncyCastle + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.8.7 + versions: + - 1.7.0 + - 1.8.1 + - 1.8.2 + - 1.8.3 + - 1.8.3.1 + - 1.8.4 + - 1.8.5 + - 1.8.6 + - 1.8.6.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-15522 + - type: WEB + url: https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522 + - type: WEB + url: https://github.com/bcgit/bc-java/wiki/CVE-2020-15522 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210622-0007 + - type: WEB + url: https://www.bouncycastle.org/releasenotes.html + database_specific: + cwe_ids: + - CWE-203 + - CWE-362 + github_reviewed: true + github_reviewed_at: 
"2021-05-21T17:50:36Z" + nvd_published_at: "2021-05-20T12:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-72m5-fvvv-55m6 + modified: 2024-03-14T22:16:19.509843Z + published: 2021-04-22T16:16:49Z + aliases: + - CVE-2020-26939 + summary: Observable Differences in Behavior to Error Inputs in Bouncy Castle + details: In Legion of the Bouncy Castle BC before 1.55 and BC-FJA before 1.0.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption. + affected: + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk14 + purl: pkg:maven/org.bouncycastle/bcprov-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.61" + versions: + - "1.38" + - "1.43" + - "1.44" + - "1.45" + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15 + purl: pkg:maven/org.bouncycastle/bcprov-jdk15 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.61" + versions: + - "1.32" + - "1.38" + - "1.40" + - "1.43" + - "1.44" + - "1.45" + - "1.46" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk16 + purl: pkg:maven/org.bouncycastle/bcprov-jdk16 + 
ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.61" + versions: + - "1.38" + - "1.40" + - "1.43" + - "1.44" + - "1.45" + - "1.46" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json + - package: + ecosystem: Maven + name: org.bouncycastle:bc-fips + purl: pkg:maven/org.bouncycastle/bc-fips + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.0.2 + versions: + - 1.0.0 + - 1.0.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-ext-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-ext-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.61" + versions: + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.52" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-ext-jdk16 + purl: pkg:maven/org.bouncycastle/bcprov-ext-jdk16 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.61" + versions: + - "1.45" + - "1.46" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.61" + versions: + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.52" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + 
- "1.58" + - "1.59" + - "1.60" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcprov-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.61" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-26939 + - type: WEB + url: https://github.com/bcgit/bc-java/commit/930f8b274c4f1f3a46e68b5441f1e7fadb57e8c1 + - type: WEB + url: https://github.com/bcgit/bc-java/wiki/CVE-2020-26939 + - type: WEB + url: https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/11/msg00007.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20201202-0005 + database_specific: + cwe_ids: + - CWE-203 + github_reviewed: true + github_reviewed_at: "2021-04-20T16:59:30Z" + nvd_published_at: "2020-11-02T22:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-73xv-w5gp-frxh + modified: 2024-03-08T05:18:41.838529Z + published: 2021-04-30T16:14:15Z + aliases: + - CVE-2020-28052 + summary: Logic error in Legion of the Bouncy Castle BC Java + details: An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different. 
+ affected: + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcprov-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.65" + - fixed: "1.67" + versions: + - "1.65" + - "1.66" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15 + purl: pkg:maven/org.bouncycastle/bcprov-jdk15 + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.65" + - fixed: "1.67" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.65" + - fixed: "1.67" + versions: + - "1.65" + - 1.65.01 + - "1.66" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-ext-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-ext-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.65" + - fixed: "1.67" + versions: + - "1.65" + - "1.66" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk14 + purl: pkg:maven/org.bouncycastle/bcprov-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.65" + - fixed: "1.67" + versions: + - "1.65" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json + - 
package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk16 + purl: pkg:maven/org.bouncycastle/bcprov-jdk16 + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.65" + - fixed: "1.67" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-ext-jdk16 + purl: pkg:maven/org.bouncycastle/bcprov-ext-jdk16 + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.65" + - fixed: "1.67" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-28052 + - type: WEB + url: https://github.com/bcgit/bc-java/commit/97578f9b7ed277e6ecb58834e85e3d18385a4219 + - type: WEB + url: https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.bouncycastle.org/releasenotes.html + - type: WEB + url: https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb55849eadde58fa9dc2@%3Cissues.karaf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32ea926b3de22402@%3Cissues.karaf.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rddd2237b8636a48d573869006ee809262525efb2b6ffa6eff50d2a2d@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94a0b64cab2efc31@%3Cissues.karaf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb6008698d11ef44028c21@%3Cissues.karaf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87b9f54ded26271c@%3Cissues.karaf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf36c9ca240436b94@%3Cissues.karaf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907bd5d8ef14c594fc@%3Cissues.karaf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r37d332c0bf772f4982d1fdeeb2f88dd71dab6451213e69e43734eadc@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdfcd2f5d95892c5b@%3Cissues.karaf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013@%3Cissues.karaf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a@%3Ccommits.druid.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r175f5a25d100dbe2b1bd3459b3ce882a84c3ff91b120ed4ff2d57b53@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe@%3Cissues.karaf.apache.org%3E + - type: WEB + url: https://github.com/bcgit/bc-java/wiki/CVE-2020-28052 + - type: PACKAGE + url: https://github.com/bcgit/bc-java + database_specific: + cwe_ids: + - CWE-670 + github_reviewed: true + github_reviewed_at: "2021-03-19T00:15:55Z" + nvd_published_at: "2020-12-18T01:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-8353-fgcr-xfhx + modified: 2023-11-08T03:57:14.341835Z + published: 2022-05-14T02:14:04Z + aliases: + - CVE-2013-1624 + summary: Improper Input Validation in Bouncy Castle + details: The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. 
+ affected: + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.48" + versions: + - "1.46" + - "1.47" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8353-fgcr-xfhx/GHSA-8353-fgcr-xfhx.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2013-1624 + - type: WEB + url: http://openwall.com/lists/oss-security/2013/02/05/24 + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-0371.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-0372.html + - type: WEB + url: http://secunia.com/advisories/57716 + - type: WEB + url: http://secunia.com/advisories/57719 + - type: WEB + url: http://www.isg.rhul.ac.uk/tls/TLStiming.pdf + database_specific: + cwe_ids: + - CWE-20 + github_reviewed: true + github_reviewed_at: "2022-07-08T18:59:52Z" + nvd_published_at: "2013-02-08T19:55:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-8477-3v39-ggpm + modified: 2023-11-08T04:00:20.719699Z + published: 2022-05-13T01:01:01Z + aliases: + - CVE-2018-5382 + summary: Improper Validation of Integrity Check Value in Bouncy Castle + details: The default BKS keystore use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS keystore. Bouncy Castle release 1.47 changes the BKS format to a format which uses a 160 bit HMAC instead. This applies to any BKS keystore generated prior to BC 1.47. For situations where people need to create the files for legacy reasons a specific keystore type "BKS-V1" was introduced in 1.49. It should be noted that the use of "BKS-V1" is discouraged by the library authors and should only be used where it is otherwise safe to do so, as in where the use of a 16 bit checksum for the file integrity check is not going to cause a security issue in itself. 
+ affected: + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.50" + versions: + - "1.46" + - "1.47" + - "1.48" + - "1.49" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8477-3v39-ggpm/GHSA-8477-3v39-ggpm.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-5382 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2927 + - type: WEB + url: https://www.bouncycastle.org/releasenotes.html + - type: WEB + url: https://www.kb.cert.org/vuls/id/306792 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: http://www.securityfocus.com/bid/103453 + database_specific: + cwe_ids: + - CWE-354 + github_reviewed: true + github_reviewed_at: "2022-06-28T23:51:50Z" + nvd_published_at: "2018-04-16T14:29:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-8xfc-gm6g-vgpv + modified: 2024-07-03T00:44:46.096029Z + published: 2024-05-14T15:32:54Z + aliases: + - CGA-p93x-49fc-v5m3 + - CGA-xx3m-cg2g-f46r + - CVE-2024-29857 + summary: Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation. + details: An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters. 
+ affected: + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk18on + purl: pkg:maven/org.bouncycastle/bcprov-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.71" + - 1.71.1 + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.52" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - 1.65.01 + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcprov-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk14 + purl: pkg:maven/org.bouncycastle/bcprov-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.38" + - "1.43" + - "1.44" + - "1.45" + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - 
"1.51" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: Maven + name: org.bouncycastle:bctls-jdk18on + purl: pkg:maven/org.bouncycastle/bctls-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.71" + - 1.71.1 + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: Maven + name: org.bouncycastle:bctls-jdk14 + purl: pkg:maven/org.bouncycastle/bctls-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: Maven + name: org.bouncycastle:bctls-jdk15to18 + purl: pkg:maven/org.bouncycastle/bctls-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - 
package: + ecosystem: Maven + name: org.bouncycastle:bcpkix-jdk18on + purl: pkg:maven/org.bouncycastle/bcpkix-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.71" + - 1.71.1 + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcpkix-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcpkix-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcpkix-jdk14 + purl: pkg:maven/org.bouncycastle/bcpkix-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: Maven + name: org.bouncycastle:bc-fips + purl: pkg:maven/org.bouncycastle/bc-fips + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.0.2.5 + versions: + - 1.0.0 + - 1.0.1 + - 1.0.2 + - 1.0.2.1 + - 1.0.2.3 + - 1.0.2.4 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: NuGet + name: BouncyCastle + purl: pkg:nuget/BouncyCastle + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 1.7.0 + - 1.8.1 + - 1.8.2 + - 1.8.3 + - 1.8.3.1 + - 1.8.4 + - 1.8.5 + - 1.8.6 + - 1.8.6.1 + - 1.8.9 + database_specific: + last_known_affected_version_range: < 2.3.1 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: NuGet + name: BouncyCastle.Cryptography + purl: pkg:nuget/BouncyCastle.Cryptography + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.3.1 + versions: + - 2.0.0 + - 2.1.0 + - 2.1.1 + - 2.2.0 + - 2.2.1 + - 2.3.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2024-29857 + - type: WEB + url: https://github.com/bcgit/bc-csharp/commit/56daa6eac526f165416d17f661422d60de0dfd63 + - type: WEB + url: https://github.com/bcgit/bc-java/commit/fee80dd230e7fba132d03a34f1dd1d6aae0d0281 + - type: WEB + url: https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9029857 + - type: WEB + url: https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9029857 + - type: WEB + url: https://www.bouncycastle.org/latest_releases.html + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + github_reviewed_at: "2024-05-14T20:22:01Z" + nvd_published_at: "2024-05-14T15:17:02Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-hr8g-6v94-x4m9 + modified: 2024-02-18T05:32:43.784092Z + published: 2023-07-05T03:30:23Z + aliases: + - CVE-2023-33201 + 
summary: Bouncy Castle For Java LDAP injection vulnerability + details: |- + Bouncy Castle provides the `X509LDAPCertStoreSpi.java` class which can be used in conjunction with the CertPath API for validating certificate paths. Pre-1.73 the implementation did not check the X.500 name of any certificate, subject, or issuer being passed in for LDAP wild cards, meaning the presence of a wild car may lead to Information Disclosure. + + A potential attack would be to generate a self-signed certificate with a subject name that contains special characters, e.g: `CN=Subject*)(objectclass=`. This will be included into the filter and provides the attacker ability to specify additional attributes in the search query. This can be exploited as a blind LDAP injection: an attacker can enumerate valid attribute values using the boolean blind injection technique. The exploitation depends on the structure of the target LDAP directory, as well as what kind of errors are exposed to the user. + + Changes to the `X509LDAPCertStoreSpi.java` class add the additional checking of any X.500 name used to correctly escape wild card characters. 
+ affected: + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk18on + purl: pkg:maven/org.bouncycastle/bcprov-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.74" + versions: + - "1.71" + - 1.71.1 + - "1.72" + - "1.73" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcprov-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.74" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk14 + purl: pkg:maven/org.bouncycastle/bcprov-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.49" + - fixed: "1.74" + versions: + - "1.49" + - "1.50" + - "1.51" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-ext-jdk14 + purl: pkg:maven/org.bouncycastle/bcprov-ext-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.49" + - fixed: "1.74" + versions: + - "1.49" + - "1.50" + - "1.51" + - "1.53" + - "1.54" + - "1.56" + - "1.57" + - "1.58" + - "1.60" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + 
database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-ext-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcprov-ext-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.74" + versions: + - "1.64" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-ext-jdk18on + purl: pkg:maven/org.bouncycastle/bcprov-ext-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.74" + versions: + - "1.71" + - "1.72" + - "1.73" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-debug-jdk14 + purl: pkg:maven/org.bouncycastle/bcprov-debug-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.49" + - fixed: "1.74" + versions: + - "1.55" + - "1.59" + - "1.60" + - "1.64" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-debug-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcprov-debug-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.74" + versions: + - "1.64" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-debug-jdk18on + purl: pkg:maven/org.bouncycastle/bcprov-debug-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.74" + versions: + - "1.71" + - "1.72" + - "1.73" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.49" + - last_affected: "1.70" + versions: + - "1.49" + - "1.50" + - "1.51" + - "1.52" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - 1.65.01 + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-ext-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-ext-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.49" + - last_affected: "1.70" + versions: + - "1.49" + - "1.50" + - "1.51" + - "1.52" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-debug-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-debug-jdk15on + ranges: + - type: ECOSYSTEM 
+ events: + - introduced: "1.49" + - last_affected: "1.70" + versions: + - "1.52" + - "1.53" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-33201 + - type: WEB + url: https://github.com/bcgit/bc-java/commit/ccf93ca736b89250ff4ce079a5aa56f5cbf0ebbd + - type: WEB + url: https://github.com/bcgit/bc-java/commit/e8c409a8389c815ea3fda5e8b94c92fdfe583bcc + - type: WEB + url: https://bouncycastle.org + - type: WEB + url: https://bouncycastle.org/releasenotes.html#r1rv74 + - type: PACKAGE + url: https://github.com/bcgit/bc-java + - type: WEB + url: https://github.com/bcgit/bc-java/commits/main/prov/src/main/java/org/bouncycastle/jce/provider/X509LDAPCertStoreSpi.java + - type: WEB + url: https://github.com/bcgit/bc-java/wiki/CVE-2023-33201 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/08/msg00000.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20230824-0008 + database_specific: + cwe_ids: + - CWE-295 + github_reviewed: true + github_reviewed_at: "2023-07-06T15:40:29Z" + nvd_published_at: "2023-07-05T03:15:09Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-m44j-cfrm-g8qc + modified: 2024-07-03T00:44:28.022114Z + published: 2024-05-14T15:32:54Z + aliases: + - CGA-9j68-hcjr-5xfx + - CGA-vxwq-f5f4-5vmj + - CVE-2024-30172 + summary: Bouncy Castle crafted signature and public key can be used to trigger an infinite loop + details: An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. 
An Ed25519 verification code infinite loop can occur via a crafted signature and public key. + affected: + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk18on + purl: pkg:maven/org.bouncycastle/bcprov-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.71" + - 1.71.1 + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.52" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - 1.65.01 + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcprov-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk14 + purl: pkg:maven/org.bouncycastle/bcprov-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.38" 
+ - "1.43" + - "1.44" + - "1.45" + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: Maven + name: org.bouncycastle:bctls-jdk18on + purl: pkg:maven/org.bouncycastle/bctls-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.71" + - 1.71.1 + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: Maven + name: org.bouncycastle:bctls-jdk14 + purl: pkg:maven/org.bouncycastle/bctls-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: Maven + name: org.bouncycastle:bctls-jdk15to18 + purl: pkg:maven/org.bouncycastle/bctls-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcpkix-jdk18on + purl: pkg:maven/org.bouncycastle/bcpkix-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.71" + - 1.71.1 + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcpkix-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcpkix-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcpkix-jdk14 + purl: pkg:maven/org.bouncycastle/bcpkix-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: NuGet + name: BouncyCastle + purl: pkg:nuget/BouncyCastle + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 
1.7.0 + - 1.8.1 + - 1.8.2 + - 1.8.3 + - 1.8.3.1 + - 1.8.4 + - 1.8.5 + - 1.8.6 + - 1.8.6.1 + - 1.8.9 + database_specific: + last_known_affected_version_range: < 2.3.1 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: NuGet + name: BouncyCastle.Cryptography + purl: pkg:nuget/BouncyCastle.Cryptography + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.3.1 + versions: + - 2.0.0 + - 2.1.0 + - 2.1.1 + - 2.2.0 + - 2.2.1 + - 2.3.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2024-30172 + - type: WEB + url: https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9030172 + - type: WEB + url: https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9030172 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20240614-0007 + - type: WEB + url: https://www.bouncycastle.org/latest_releases.html + database_specific: + cwe_ids: + - CWE-835 + github_reviewed: true + github_reviewed_at: "2024-05-14T20:22:06Z" + nvd_published_at: "2024-05-14T15:21:53Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-v435-xc8x-wvr9 + modified: 2024-07-03T00:44:44.00876Z + published: 2024-05-14T15:32:54Z + aliases: + - CGA-9727-f845-q3xw + - CGA-j49x-3x3f-7v84 + - CVE-2024-30171 + summary: Bouncy Castle affected by timing side-channel for RSA key exchange ("The Marvin Attack") + details: An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing. 
+ affected: + - package: + ecosystem: Maven + name: org.bouncycastle:bctls-fips + purl: pkg:maven/org.bouncycastle/bctls-fips + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.0.19 + versions: + - 1.0.0 + - 1.0.1 + - 1.0.10 + - 1.0.10.1 + - 1.0.10.2 + - 1.0.10.3 + - 1.0.11 + - 1.0.11.1 + - 1.0.11.2 + - 1.0.11.3 + - 1.0.11.4 + - 1.0.12 + - 1.0.12.1 + - 1.0.12.2 + - 1.0.12.3 + - 1.0.13 + - 1.0.14 + - 1.0.14.1 + - 1.0.16 + - 1.0.17 + - 1.0.18 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.0.5 + - 1.0.6 + - 1.0.7 + - 1.0.8 + - 1.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk18on + purl: pkg:maven/org.bouncycastle/bcprov-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.71" + - 1.71.1 + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.52" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - 1.65.01 + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcprov-jdk15to18 + ranges: + - type: ECOSYSTEM + 
events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk14 + purl: pkg:maven/org.bouncycastle/bcprov-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.38" + - "1.43" + - "1.44" + - "1.45" + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bctls-jdk18on + purl: pkg:maven/org.bouncycastle/bctls-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.71" + - 1.71.1 + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bctls-jdk14 + purl: pkg:maven/org.bouncycastle/bctls-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + 
database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bctls-jdk15to18 + purl: pkg:maven/org.bouncycastle/bctls-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: NuGet + name: BouncyCastle + purl: pkg:nuget/BouncyCastle + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 1.7.0 + - 1.8.1 + - 1.8.2 + - 1.8.3 + - 1.8.3.1 + - 1.8.4 + - 1.8.5 + - 1.8.6 + - 1.8.6.1 + - 1.8.9 + database_specific: + last_known_affected_version_range: < 2.3.1 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: NuGet + name: BouncyCastle.Cryptography + purl: pkg:nuget/BouncyCastle.Cryptography + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.3.1 + versions: + - 2.0.0 + - 2.1.0 + - 2.1.1 + - 2.2.0 + - 2.2.1 + - 2.3.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcpkix-jdk18on + purl: pkg:maven/org.bouncycastle/bcpkix-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.71" + - 1.71.1 + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcpkix-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcpkix-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcpkix-jdk14 + purl: pkg:maven/org.bouncycastle/bcpkix-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2024-30171 + - type: WEB + url: https://github.com/bcgit/bc-csharp/commit/c984b8bfd8544dfc55dba91a02cbbbb9c580c217 + - type: WEB + url: https://github.com/bcgit/bc-java/commit/d7d5e735abd64bf0f413f54fd9e495fc02400fb0 + - type: WEB + url: https://github.com/bcgit/bc-java/commit/e0569dcb1dea9d421d84fc4c5c5688fe101afa2d + - type: WEB + url: https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9030171 + - type: WEB + url: 
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9030171 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20240614-0008 + - type: WEB + url: https://www.bouncycastle.org/latest_releases.html + database_specific: + cwe_ids: + - CWE-203 + github_reviewed: true + github_reviewed_at: "2024-05-14T20:22:03Z" + nvd_published_at: "2024-05-14T15:21:52Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-wjxj-5m7g-mg7q + modified: 2024-05-23T21:16:05.53245Z + published: 2023-11-23T18:30:33Z + aliases: + - CVE-2023-33202 + summary: Bouncy Castle Denial of Service (DoS) + details: Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. 
+ affected: + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-ext-jdk16 + purl: pkg:maven/org.bouncycastle/bcprov-ext-jdk16 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.73" + versions: + - "1.45" + - "1.46" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk14 + purl: pkg:maven/org.bouncycastle/bcprov-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.73" + versions: + - "1.38" + - "1.43" + - "1.44" + - "1.45" + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15 + purl: pkg:maven/org.bouncycastle/bcprov-jdk15 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.73" + versions: + - "1.32" + - "1.38" + - "1.40" + - "1.43" + - "1.44" + - "1.45" + - "1.46" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcprov-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.73" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk16 + purl: pkg:maven/org.bouncycastle/bcprov-jdk16 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.73" + versions: + - "1.38" + - "1.40" + - "1.43" + - "1.44" + - "1.45" + - "1.46" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.52" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - 1.65.01 + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + database_specific: + last_known_affected_version_range: < 1.70 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcpkix-jdk18on + purl: pkg:maven/org.bouncycastle/bcpkix-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.73" + versions: + - "1.71" + - 1.71.1 + - "1.72" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-ext-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-ext-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.73" + versions: + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.52" + - "1.53" + - "1.54" + - 
"1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk18on + purl: pkg:maven/org.bouncycastle/bcprov-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.73" + versions: + - "1.71" + - 1.71.1 + - "1.72" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-33202 + - type: WEB + url: https://github.com/bcgit/bc-java/commit/0c576892862ed41894f49a8f639112e8d66d229c + - type: PACKAGE + url: https://github.com/bcgit/bc-java + - type: WEB + url: https://github.com/bcgit/bc-java/wiki/CVE-2023-33202 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20240125-0001 + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + github_reviewed_at: "2023-11-24T16:54:01Z" + nvd_published_at: "2023-11-23T16:15:07Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-wrwf-pmmj-w989 + modified: 2023-11-08T03:58:54.947561Z + published: 2022-05-13T01:14:24Z + aliases: + - CVE-2017-13098 + summary: Observable Discrepancy in BouncyCastle + details: BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT." 
+ affected: + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.0.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wrwf-pmmj-w989/GHSA-wrwf-pmmj-w989.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-13098 + - type: WEB + url: https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c + - type: PACKAGE + url: https://github.com/bcgit/bc-java + - type: WEB + url: https://robotattack.org + - type: WEB + url: https://security.netapp.com/advisory/ntap-20171222-0001 + - type: WEB + url: https://www.debian.org/security/2017/dsa-4072 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html + - type: WEB + url: http://www.kb.cert.org/vuls/id/144389 + database_specific: + cwe_ids: + - CWE-203 + github_reviewed: true + github_reviewed_at: "2022-07-01T20:14:25Z" + nvd_published_at: "2017-12-13T01:29:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-4h8f-2wvx-gg5w + modified: 2024-07-03T00:44:32.60405Z + published: 2024-05-03T18:30:37Z + aliases: + - CGA-fw2f-x94j-v2g6 + - CGA-wvcg-3cjq-8wjm + - CVE-2024-34447 + summary: Bouncy Castle Java Cryptography API vulnerable to DNS poisoning + details: An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning. 
+ affected: + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk18on + purl: pkg:maven/org.bouncycastle/bcprov-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.61" + - fixed: "1.78" + versions: + - "1.71" + - 1.71.1 + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-4h8f-2wvx-gg5w/GHSA-4h8f-2wvx-gg5w.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcprov-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.61" + - fixed: "1.78" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-4h8f-2wvx-gg5w/GHSA-4h8f-2wvx-gg5w.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk14 + purl: pkg:maven/org.bouncycastle/bcprov-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.61" + - fixed: "1.78" + versions: + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-4h8f-2wvx-gg5w/GHSA-4h8f-2wvx-gg5w.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk13 + purl: pkg:maven/org.bouncycastle/bcprov-jdk13 + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.61" + - fixed: "1.78" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-4h8f-2wvx-gg5w/GHSA-4h8f-2wvx-gg5w.json + - package: + ecosystem: Maven + name: 
org.bouncycastle:bcprov-jdk12 + purl: pkg:maven/org.bouncycastle/bcprov-jdk12 + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.61" + - fixed: "1.78" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-4h8f-2wvx-gg5w/GHSA-4h8f-2wvx-gg5w.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2024-34447 + - type: WEB + url: https://github.com/bcgit/bc-java/issues/1656 + - type: PACKAGE + url: https://github.com/bcgit/bc-java + - type: WEB + url: https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9034447 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20240614-0007 + - type: WEB + url: https://www.bouncycastle.org/latest_releases.html + database_specific: + cwe_ids: [] + github_reviewed: true + github_reviewed_at: "2024-05-03T20:34:32Z" + nvd_published_at: "2024-05-03T16:15:11Z" + severity: LOW + - schema_version: 1.6.0 + id: GHSA-8xfc-gm6g-vgpv + modified: 2024-07-03T00:44:46.096029Z + published: 2024-05-14T15:32:54Z + aliases: + - CGA-p93x-49fc-v5m3 + - CGA-xx3m-cg2g-f46r + - CVE-2024-29857 + summary: Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation. + details: An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters. 
+ affected: + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk18on + purl: pkg:maven/org.bouncycastle/bcprov-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.71" + - 1.71.1 + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.52" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - 1.65.01 + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcprov-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk14 + purl: pkg:maven/org.bouncycastle/bcprov-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.38" + - "1.43" + - "1.44" + - "1.45" + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - 
"1.51" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: Maven + name: org.bouncycastle:bctls-jdk18on + purl: pkg:maven/org.bouncycastle/bctls-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.71" + - 1.71.1 + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: Maven + name: org.bouncycastle:bctls-jdk14 + purl: pkg:maven/org.bouncycastle/bctls-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: Maven + name: org.bouncycastle:bctls-jdk15to18 + purl: pkg:maven/org.bouncycastle/bctls-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - 
package: + ecosystem: Maven + name: org.bouncycastle:bcpkix-jdk18on + purl: pkg:maven/org.bouncycastle/bcpkix-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.71" + - 1.71.1 + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcpkix-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcpkix-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcpkix-jdk14 + purl: pkg:maven/org.bouncycastle/bcpkix-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: Maven + name: org.bouncycastle:bc-fips + purl: pkg:maven/org.bouncycastle/bc-fips + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.0.2.5 + versions: + - 1.0.0 + - 1.0.1 + - 1.0.2 + - 1.0.2.1 + - 1.0.2.3 + - 1.0.2.4 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: NuGet + name: BouncyCastle + purl: pkg:nuget/BouncyCastle + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 1.7.0 + - 1.8.1 + - 1.8.2 + - 1.8.3 + - 1.8.3.1 + - 1.8.4 + - 1.8.5 + - 1.8.6 + - 1.8.6.1 + - 1.8.9 + database_specific: + last_known_affected_version_range: < 2.3.1 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + - package: + ecosystem: NuGet + name: BouncyCastle.Cryptography + purl: pkg:nuget/BouncyCastle.Cryptography + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.3.1 + versions: + - 2.0.0 + - 2.1.0 + - 2.1.1 + - 2.2.0 + - 2.2.1 + - 2.3.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2024-29857 + - type: WEB + url: https://github.com/bcgit/bc-csharp/commit/56daa6eac526f165416d17f661422d60de0dfd63 + - type: WEB + url: https://github.com/bcgit/bc-java/commit/fee80dd230e7fba132d03a34f1dd1d6aae0d0281 + - type: WEB + url: https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9029857 + - type: WEB + url: https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9029857 + - type: WEB + url: https://www.bouncycastle.org/latest_releases.html + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + github_reviewed_at: "2024-05-14T20:22:01Z" + nvd_published_at: "2024-05-14T15:17:02Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-hr8g-6v94-x4m9 + modified: 2024-02-18T05:32:43.784092Z + published: 2023-07-05T03:30:23Z + aliases: + - CVE-2023-33201 + 
summary: Bouncy Castle For Java LDAP injection vulnerability + details: |- + Bouncy Castle provides the `X509LDAPCertStoreSpi.java` class which can be used in conjunction with the CertPath API for validating certificate paths. Pre-1.73 the implementation did not check the X.500 name of any certificate, subject, or issuer being passed in for LDAP wild cards, meaning the presence of a wild car may lead to Information Disclosure. + + A potential attack would be to generate a self-signed certificate with a subject name that contains special characters, e.g: `CN=Subject*)(objectclass=`. This will be included into the filter and provides the attacker ability to specify additional attributes in the search query. This can be exploited as a blind LDAP injection: an attacker can enumerate valid attribute values using the boolean blind injection technique. The exploitation depends on the structure of the target LDAP directory, as well as what kind of errors are exposed to the user. + + Changes to the `X509LDAPCertStoreSpi.java` class add the additional checking of any X.500 name used to correctly escape wild card characters. 
+ affected: + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk18on + purl: pkg:maven/org.bouncycastle/bcprov-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.74" + versions: + - "1.71" + - 1.71.1 + - "1.72" + - "1.73" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcprov-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.74" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk14 + purl: pkg:maven/org.bouncycastle/bcprov-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.49" + - fixed: "1.74" + versions: + - "1.49" + - "1.50" + - "1.51" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-ext-jdk14 + purl: pkg:maven/org.bouncycastle/bcprov-ext-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.49" + - fixed: "1.74" + versions: + - "1.49" + - "1.50" + - "1.51" + - "1.53" + - "1.54" + - "1.56" + - "1.57" + - "1.58" + - "1.60" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + 
database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-ext-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcprov-ext-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.74" + versions: + - "1.64" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-ext-jdk18on + purl: pkg:maven/org.bouncycastle/bcprov-ext-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.74" + versions: + - "1.71" + - "1.72" + - "1.73" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-debug-jdk14 + purl: pkg:maven/org.bouncycastle/bcprov-debug-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.49" + - fixed: "1.74" + versions: + - "1.55" + - "1.59" + - "1.60" + - "1.64" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-debug-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcprov-debug-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.74" + versions: + - "1.64" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-debug-jdk18on + purl: pkg:maven/org.bouncycastle/bcprov-debug-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.74" + versions: + - "1.71" + - "1.72" + - "1.73" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.49" + - last_affected: "1.70" + versions: + - "1.49" + - "1.50" + - "1.51" + - "1.52" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - 1.65.01 + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-ext-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-ext-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "1.49" + - last_affected: "1.70" + versions: + - "1.49" + - "1.50" + - "1.51" + - "1.52" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-debug-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-debug-jdk15on + ranges: + - type: ECOSYSTEM 
+ events: + - introduced: "1.49" + - last_affected: "1.70" + versions: + - "1.52" + - "1.53" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-33201 + - type: WEB + url: https://github.com/bcgit/bc-java/commit/ccf93ca736b89250ff4ce079a5aa56f5cbf0ebbd + - type: WEB + url: https://github.com/bcgit/bc-java/commit/e8c409a8389c815ea3fda5e8b94c92fdfe583bcc + - type: WEB + url: https://bouncycastle.org + - type: WEB + url: https://bouncycastle.org/releasenotes.html#r1rv74 + - type: PACKAGE + url: https://github.com/bcgit/bc-java + - type: WEB + url: https://github.com/bcgit/bc-java/commits/main/prov/src/main/java/org/bouncycastle/jce/provider/X509LDAPCertStoreSpi.java + - type: WEB + url: https://github.com/bcgit/bc-java/wiki/CVE-2023-33201 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/08/msg00000.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20230824-0008 + database_specific: + cwe_ids: + - CWE-295 + github_reviewed: true + github_reviewed_at: "2023-07-06T15:40:29Z" + nvd_published_at: "2023-07-05T03:15:09Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-m44j-cfrm-g8qc + modified: 2024-07-03T00:44:28.022114Z + published: 2024-05-14T15:32:54Z + aliases: + - CGA-9j68-hcjr-5xfx + - CGA-vxwq-f5f4-5vmj + - CVE-2024-30172 + summary: Bouncy Castle crafted signature and public key can be used to trigger an infinite loop + details: An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. 
An Ed25519 verification code infinite loop can occur via a crafted signature and public key. + affected: + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk18on + purl: pkg:maven/org.bouncycastle/bcprov-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.71" + - 1.71.1 + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.52" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - 1.65.01 + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcprov-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk14 + purl: pkg:maven/org.bouncycastle/bcprov-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.38" 
+ - "1.43" + - "1.44" + - "1.45" + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: Maven + name: org.bouncycastle:bctls-jdk18on + purl: pkg:maven/org.bouncycastle/bctls-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.71" + - 1.71.1 + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: Maven + name: org.bouncycastle:bctls-jdk14 + purl: pkg:maven/org.bouncycastle/bctls-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: Maven + name: org.bouncycastle:bctls-jdk15to18 + purl: pkg:maven/org.bouncycastle/bctls-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcpkix-jdk18on + purl: pkg:maven/org.bouncycastle/bcpkix-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.71" + - 1.71.1 + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcpkix-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcpkix-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcpkix-jdk14 + purl: pkg:maven/org.bouncycastle/bcpkix-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: NuGet + name: BouncyCastle + purl: pkg:nuget/BouncyCastle + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 
1.7.0 + - 1.8.1 + - 1.8.2 + - 1.8.3 + - 1.8.3.1 + - 1.8.4 + - 1.8.5 + - 1.8.6 + - 1.8.6.1 + - 1.8.9 + database_specific: + last_known_affected_version_range: < 2.3.1 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + - package: + ecosystem: NuGet + name: BouncyCastle.Cryptography + purl: pkg:nuget/BouncyCastle.Cryptography + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.3.1 + versions: + - 2.0.0 + - 2.1.0 + - 2.1.1 + - 2.2.0 + - 2.2.1 + - 2.3.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2024-30172 + - type: WEB + url: https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9030172 + - type: WEB + url: https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9030172 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20240614-0007 + - type: WEB + url: https://www.bouncycastle.org/latest_releases.html + database_specific: + cwe_ids: + - CWE-835 + github_reviewed: true + github_reviewed_at: "2024-05-14T20:22:06Z" + nvd_published_at: "2024-05-14T15:21:53Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-v435-xc8x-wvr9 + modified: 2024-07-03T00:44:44.00876Z + published: 2024-05-14T15:32:54Z + aliases: + - CGA-9727-f845-q3xw + - CGA-j49x-3x3f-7v84 + - CVE-2024-30171 + summary: Bouncy Castle affected by timing side-channel for RSA key exchange ("The Marvin Attack") + details: An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing. 
+ affected: + - package: + ecosystem: Maven + name: org.bouncycastle:bctls-fips + purl: pkg:maven/org.bouncycastle/bctls-fips + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.0.19 + versions: + - 1.0.0 + - 1.0.1 + - 1.0.10 + - 1.0.10.1 + - 1.0.10.2 + - 1.0.10.3 + - 1.0.11 + - 1.0.11.1 + - 1.0.11.2 + - 1.0.11.3 + - 1.0.11.4 + - 1.0.12 + - 1.0.12.1 + - 1.0.12.2 + - 1.0.12.3 + - 1.0.13 + - 1.0.14 + - 1.0.14.1 + - 1.0.16 + - 1.0.17 + - 1.0.18 + - 1.0.2 + - 1.0.3 + - 1.0.4 + - 1.0.5 + - 1.0.6 + - 1.0.7 + - 1.0.8 + - 1.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk18on + purl: pkg:maven/org.bouncycastle/bcprov-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.71" + - 1.71.1 + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.52" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - 1.65.01 + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcprov-jdk15to18 + ranges: + - type: ECOSYSTEM + 
events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk14 + purl: pkg:maven/org.bouncycastle/bcprov-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.38" + - "1.43" + - "1.44" + - "1.45" + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bctls-jdk18on + purl: pkg:maven/org.bouncycastle/bctls-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.71" + - 1.71.1 + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bctls-jdk14 + purl: pkg:maven/org.bouncycastle/bctls-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + 
database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bctls-jdk15to18 + purl: pkg:maven/org.bouncycastle/bctls-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: NuGet + name: BouncyCastle + purl: pkg:nuget/BouncyCastle + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - 1.7.0 + - 1.8.1 + - 1.8.2 + - 1.8.3 + - 1.8.3.1 + - 1.8.4 + - 1.8.5 + - 1.8.6 + - 1.8.6.1 + - 1.8.9 + database_specific: + last_known_affected_version_range: < 2.3.1 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: NuGet + name: BouncyCastle.Cryptography + purl: pkg:nuget/BouncyCastle.Cryptography + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.3.1 + versions: + - 2.0.0 + - 2.1.0 + - 2.1.1 + - 2.2.0 + - 2.2.1 + - 2.3.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcpkix-jdk18on + purl: pkg:maven/org.bouncycastle/bcpkix-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.71" + - 1.71.1 + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcpkix-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcpkix-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcpkix-jdk14 + purl: pkg:maven/org.bouncycastle/bcpkix-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.78" + versions: + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + - "1.73" + - "1.74" + - "1.75" + - "1.76" + - "1.77" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2024-30171 + - type: WEB + url: https://github.com/bcgit/bc-csharp/commit/c984b8bfd8544dfc55dba91a02cbbbb9c580c217 + - type: WEB + url: https://github.com/bcgit/bc-java/commit/d7d5e735abd64bf0f413f54fd9e495fc02400fb0 + - type: WEB + url: https://github.com/bcgit/bc-java/commit/e0569dcb1dea9d421d84fc4c5c5688fe101afa2d + - type: WEB + url: https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9030171 + - type: WEB + url: 
https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9030171 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20240614-0008 + - type: WEB + url: https://www.bouncycastle.org/latest_releases.html + database_specific: + cwe_ids: + - CWE-203 + github_reviewed: true + github_reviewed_at: "2024-05-14T20:22:03Z" + nvd_published_at: "2024-05-14T15:21:52Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-wjxj-5m7g-mg7q + modified: 2024-05-23T21:16:05.53245Z + published: 2023-11-23T18:30:33Z + aliases: + - CVE-2023-33202 + summary: Bouncy Castle Denial of Service (DoS) + details: Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. 
+ affected: + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-ext-jdk16 + purl: pkg:maven/org.bouncycastle/bcprov-ext-jdk16 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.73" + versions: + - "1.45" + - "1.46" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk14 + purl: pkg:maven/org.bouncycastle/bcprov-jdk14 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.73" + versions: + - "1.38" + - "1.43" + - "1.44" + - "1.45" + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15 + purl: pkg:maven/org.bouncycastle/bcprov-jdk15 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.73" + versions: + - "1.32" + - "1.38" + - "1.40" + - "1.43" + - "1.44" + - "1.45" + - "1.46" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15to18 + purl: pkg:maven/org.bouncycastle/bcprov-jdk15to18 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.73" + versions: + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + - "1.71" + - "1.72" + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk16 + purl: pkg:maven/org.bouncycastle/bcprov-jdk16 + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.73" + versions: + - "1.38" + - "1.40" + - "1.43" + - "1.44" + - "1.45" + - "1.46" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + versions: + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.52" + - "1.53" + - "1.54" + - "1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - 1.65.01 + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + database_specific: + last_known_affected_version_range: < 1.70 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcpkix-jdk18on + purl: pkg:maven/org.bouncycastle/bcpkix-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.73" + versions: + - "1.71" + - 1.71.1 + - "1.72" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-ext-jdk15on + purl: pkg:maven/org.bouncycastle/bcprov-ext-jdk15on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.73" + versions: + - "1.46" + - "1.47" + - "1.48" + - "1.49" + - "1.50" + - "1.51" + - "1.52" + - "1.53" + - "1.54" + - 
"1.55" + - "1.56" + - "1.57" + - "1.58" + - "1.59" + - "1.60" + - "1.61" + - "1.62" + - "1.63" + - "1.64" + - "1.65" + - "1.66" + - "1.67" + - "1.68" + - "1.69" + - "1.70" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json + - package: + ecosystem: Maven + name: org.bouncycastle:bcprov-jdk18on + purl: pkg:maven/org.bouncycastle/bcprov-jdk18on + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.73" + versions: + - "1.71" + - 1.71.1 + - "1.72" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-33202 + - type: WEB + url: https://github.com/bcgit/bc-java/commit/0c576892862ed41894f49a8f639112e8d66d229c + - type: PACKAGE + url: https://github.com/bcgit/bc-java + - type: WEB + url: https://github.com/bcgit/bc-java/wiki/CVE-2023-33202 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20240125-0001 + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + github_reviewed_at: "2023-11-24T16:54:01Z" + nvd_published_at: "2023-11-23T16:15:07Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-c27h-mcmw-48hv + modified: 2024-03-11T05:32:32.87973Z + published: 2022-05-24T16:57:28Z + aliases: + - CVE-2019-10202 + summary: Deserialization of Untrusted Data in org.codehaus.jackson:jackson-mapper-asl + details: A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. 
This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike. + affected: + - package: + ecosystem: Maven + name: org.codehaus.jackson:jackson-mapper-asl + purl: pkg:maven/org.codehaus.jackson/jackson-mapper-asl + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 1.9.13 + versions: + - 0.9.6 + - 0.9.7 + - 0.9.8 + - 0.9.9 + - 0.9.9-2 + - 0.9.9-3 + - 0.9.9-4 + - 0.9.9-5 + - 0.9.9-6 + - 1.0.0 + - 1.0.1 + - 1.1.0 + - 1.1.1 + - 1.1.2 + - 1.2.0 + - 1.2.1 + - 1.3.0 + - 1.3.1 + - 1.3.2 + - 1.3.3 + - 1.3.4 + - 1.3.5 + - 1.4.0 + - 1.4.1 + - 1.4.2 + - 1.4.3 + - 1.4.4 + - 1.4.5 + - 1.5.0 + - 1.5.1 + - 1.5.2 + - 1.5.3 + - 1.5.4 + - 1.5.5 + - 1.5.6 + - 1.5.7 + - 1.5.8 + - 1.6.0 + - 1.6.1 + - 1.6.2 + - 1.6.3 + - 1.6.4 + - 1.6.5 + - 1.6.6 + - 1.6.7 + - 1.6.9 + - 1.7.0 + - 1.7.1 + - 1.7.2 + - 1.7.3 + - 1.7.4 + - 1.7.5 + - 1.7.6 + - 1.7.7 + - 1.7.8 + - 1.7.9 + - 1.8.0 + - 1.8.1 + - 1.8.10 + - 1.8.11 + - 1.8.2 + - 1.8.3 + - 1.8.4 + - 1.8.5 + - 1.8.6 + - 1.8.7 + - 1.8.8 + - 1.8.9 + - 1.9.0 + - 1.9.1 + - 1.9.10 + - 1.9.11 + - 1.9.12 + - 1.9.13 + - 1.9.2 + - 1.9.3 + - 1.9.4 + - 1.9.5 + - 1.9.6 + - 1.9.7 + - 1.9.8 + - 1.9.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-c27h-mcmw-48hv/GHSA-c27h-mcmw-48hv.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-10202 + - type: WEB + url: https://lists.apache.org/thread.html/refea6018a2c4e9eb7838cab567ed219c3f726dcd83a5472fbb80d8d9@%3Cissues.flume.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/refea6018a2c4e9eb7838cab567ed219c3f726dcd83a5472fbb80d8d9%40%3Cissues.flume.apache.org%3E + - type: WEB + 
url: https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9@%3Cdev.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9%40%3Cdev.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0%40%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581@%3Cdev.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581%40%3Cdev.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb%40%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a%40%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d%40%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e@%3Cissues.hive.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e%40%3Cissues.hive.apache.org%3E + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10202 + database_specific: + cwe_ids: + - CWE-502 + github_reviewed: true + github_reviewed_at: "2023-02-14T00:56:25Z" + nvd_published_at: "2019-10-01T15:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-r6j9-8759-g62w + modified: 2024-03-13T05:36:14.612715Z + published: 2020-02-04T22:39:19Z + aliases: + - CVE-2019-10172 + summary: Improper Restriction of XML External Entity Reference in jackson-mapper-asl + details: A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes. + affected: + - package: + ecosystem: Maven + name: org.codehaus.jackson:jackson-mapper-asl + purl: pkg:maven/org.codehaus.jackson/jackson-mapper-asl + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - last_affected: 1.9.13 + versions: + - 0.9.6 + - 0.9.7 + - 0.9.8 + - 0.9.9 + - 0.9.9-2 + - 0.9.9-3 + - 0.9.9-4 + - 0.9.9-5 + - 0.9.9-6 + - 1.0.0 + - 1.0.1 + - 1.1.0 + - 1.1.1 + - 1.1.2 + - 1.2.0 + - 1.2.1 + - 1.3.0 + - 1.3.1 + - 1.3.2 + - 1.3.3 + - 1.3.4 + - 1.3.5 + - 1.4.0 + - 1.4.1 + - 1.4.2 + - 1.4.3 + - 1.4.4 + - 1.4.5 + - 1.5.0 + - 1.5.1 + - 1.5.2 + - 1.5.3 + - 1.5.4 + - 1.5.5 + - 1.5.6 + - 1.5.7 + - 1.5.8 + - 1.6.0 + - 1.6.1 + - 1.6.2 + - 1.6.3 + - 1.6.4 + - 1.6.5 + - 1.6.6 + - 1.6.7 + - 1.6.9 + - 1.7.0 + - 1.7.1 + - 1.7.2 + - 1.7.3 + - 1.7.4 + - 1.7.5 + - 1.7.6 + - 1.7.7 + - 1.7.8 + - 1.7.9 + - 1.8.0 + - 1.8.1 + - 1.8.10 + - 1.8.11 + - 1.8.2 + - 1.8.3 + - 1.8.4 + - 1.8.5 + - 1.8.6 + - 1.8.7 + - 1.8.8 + - 1.8.9 + - 1.9.0 + - 1.9.1 + - 1.9.10 + - 1.9.11 + - 1.9.12 + - 1.9.13 + - 1.9.2 + - 1.9.3 + - 1.9.4 + - 1.9.5 + - 1.9.6 + - 1.9.7 + - 1.9.8 + - 1.9.9 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-r6j9-8759-g62w/GHSA-r6j9-8759-g62w.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-10172 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html + - type: WEB + url: https://lists.apache.org/thread.html/ra37700b842790883b9082e6b281fb7596f571b13078a4856cd38f2c2@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra37700b842790883b9082e6b281fb7596f571b13078a4856cd38f2c2%40%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r80e8882c86c9c17a57396a5ef7c4f08878d629a0291243411be0de3a@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r80e8882c86c9c17a57396a5ef7c4f08878d629a0291243411be0de3a%40%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0%40%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589%40%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r634468eb3218ab02713128ff6f4818c618622b2b3de4d958138dde49@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r634468eb3218ab02713128ff6f4818c618622b2b3de4d958138dde49%40%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581@%3Cdev.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581%40%3Cdev.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb%40%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4bbfa1439d7a4e1712e260bfc3d90f7cf997abfd641cccde6432d4ab@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4bbfa1439d7a4e1712e260bfc3d90f7cf997abfd641cccde6432d4ab%40%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48a32f2dd6976d33f7a12b7e09ec7ea1895f8facba82b565587c28ac@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html + - type: WEB + url: https://lists.apache.org/thread.html/re646dcc2739d92117bf9a76a33c600ed3b65e8b4e9b6f441e366b72b@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re646dcc2739d92117bf9a76a33c600ed3b65e8b4e9b6f441e366b72b%40%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re07c51a8026c11e6e5513bfdc66d52d1c1027053e480fb8073356257@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re07c51a8026c11e6e5513bfdc66d52d1c1027053e480fb8073356257%40%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd3a34d663e2a25b9ab1e8a1a94712cd5f100f098578aec79af48161e@%3Ccommon-dev.hadoop.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rd3a34d663e2a25b9ab1e8a1a94712cd5f100f098578aec79af48161e%40%3Ccommon-dev.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd27730cfc3066dfcf15927c8e800603728d5dedf17eee1f8c6e3507c@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd27730cfc3066dfcf15927c8e800603728d5dedf17eee1f8c6e3507c%40%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9@%3Cdev.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9%40%3Cdev.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb8c09b14fd57d855dc21e0a037dc29258c2cbe9c1966bfff453a02e4@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb8c09b14fd57d855dc21e0a037dc29258c2cbe9c1966bfff453a02e4%40%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb47911c179c9f3e8ea3f134b5645e63cd20c6fc63bd0b43ab5864bd1@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb47911c179c9f3e8ea3f134b5645e63cd20c6fc63bd0b43ab5864bd1%40%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb036bf32e4dacc49335e3bdc1be8e53d6f54df692ac8e2251a6884bd@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb036bf32e4dacc49335e3bdc1be8e53d6f54df692ac8e2251a6884bd%40%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r21ac3570ce865b8f1e5d26e492aeb714a6aaa53a0c9a6f72ef181556%40%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1f07e61b3ebabd3e5b4aa97bf1b26d98b793fdfa29a23dac60633f55@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r1f07e61b3ebabd3e5b4aa97bf1b26d98b793fdfa29a23dac60633f55%40%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d%40%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1cc8bce2cf3dfce08a64c4fa20bf38d33b56ad995cee2e382f522f83@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1cc8bce2cf3dfce08a64c4fa20bf38d33b56ad995cee2e382f522f83%40%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e%40%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0d8c3e32a0a2d8a0b6118f5b3487d363afdda80c996d7b930097383d@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0d8c3e32a0a2d8a0b6118f5b3487d363afdda80c996d7b930097383d%40%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r08e1b73fabd986dcd2ddd7d09480504d1472264bed2f19b1d2002a9c@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r08e1b73fabd986dcd2ddd7d09480504d1472264bed2f19b1d2002a9c%40%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r04ecadefb27cda84b699130b11b96427f1d8a7a4066d8292f7f15ed8@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r04ecadefb27cda84b699130b11b96427f1d8a7a4066d8292f7f15ed8%40%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r0066c1e862613de402fee04e81cbe00bcd64b64a2711beb9a13c3b25@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0066c1e862613de402fee04e81cbe00bcd64b64a2711beb9a13c3b25%40%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10172 + - type: WEB + url: https://lists.apache.org/thread.html/r48a32f2dd6976d33f7a12b7e09ec7ea1895f8facba82b565587c28ac%40%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r43c6f75d203b8afc4fbd6c3200db0384a18a11c59d085b1a9bb0ccfe@%3Cuser.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r43c6f75d203b8afc4fbd6c3200db0384a18a11c59d085b1a9bb0ccfe%40%3Cuser.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4176155240cdc36aad7869932d9c29551742c7fa630f209fb4a8e649@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4176155240cdc36aad7869932d9c29551742c7fa630f209fb4a8e649%40%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r386966780034aadee69ffd82d44555117c9339545b9ce990fe490a3e@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r386966780034aadee69ffd82d44555117c9339545b9ce990fe490a3e%40%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r385c35a7c6f4acaacf37fe22922bb8e2aed9d322d0fa6dc1d45acddb@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r385c35a7c6f4acaacf37fe22922bb8e2aed9d322d0fa6dc1d45acddb%40%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r37eb6579fa0bf94a72b6c978e2fee96f68a2b1b3ac1b1ce60aee86cf@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r37eb6579fa0bf94a72b6c978e2fee96f68a2b1b3ac1b1ce60aee86cf%40%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a@%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a%40%3Cissues.hive.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r33d25a342af84102903cd9dec8338a5bcba3ecfce10505bdfe793b92@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r33d25a342af84102903cd9dec8338a5bcba3ecfce10505bdfe793b92%40%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r25e25973e9577c62fd0221b4b52990851adf11cbe33036bd67d4b13d@%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r25e25973e9577c62fd0221b4b52990851adf11cbe33036bd67d4b13d%40%3Ccommits.cassandra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r21ac3570ce865b8f1e5d26e492aeb714a6aaa53a0c9a6f72ef181556@%3Ccommits.cassandra.apache.org%3E + database_specific: + cwe_ids: + - CWE-611 + github_reviewed: true + github_reviewed_at: "2020-02-04T20:42:17Z" + nvd_published_at: "2019-11-18T17:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-56h3-78gp-v83r + modified: 2023-11-08T04:10:22.798161Z + published: 2022-09-17T00:00:41Z + aliases: + - CVE-2022-40149 + summary: Jettison parser crash by stackoverflow + details: Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack. 
+ affected: + - package: + ecosystem: Maven + name: org.codehaus.jettison:jettison + purl: pkg:maven/org.codehaus.jettison/jettison + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.5.1 + versions: + - "1.0" + - 1.0-RC1 + - 1.0-RC2 + - 1.0-alpha-1 + - 1.0-beta-1 + - 1.0.1 + - "1.1" + - "1.2" + - "1.3" + - 1.3.1 + - 1.3.2 + - 1.3.3 + - 1.3.4 + - 1.3.5 + - 1.3.6 + - 1.3.7 + - 1.3.8 + - 1.4.0 + - 1.4.1 + - 1.5.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-56h3-78gp-v83r/GHSA-56h3-78gp-v83r.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-40149 + - type: WEB + url: https://github.com/jettison-json/jettison/issues/45 + - type: WEB + url: https://github.com/jettison-json/jettison/pull/49/files + - type: WEB + url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538 + - type: PACKAGE + url: https://github.com/jettison-json/jettison + - type: WEB + url: https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html + - type: WEB + url: https://www.debian.org/security/2023/dsa-5312 + database_specific: + cwe_ids: + - CWE-121 + - CWE-787 + github_reviewed: true + github_reviewed_at: "2022-09-20T21:22:04Z" + nvd_published_at: "2022-09-16T10:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-7rf3-mqpx-h7xg + modified: 2023-11-08T04:10:53.332746Z + published: 2022-12-13T15:30:26Z + aliases: + - CVE-2022-45685 + summary: Jettison Out-of-bounds Write vulnerability + details: A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data. 
+ affected: + - package: + ecosystem: Maven + name: org.codehaus.jettison:jettison + purl: pkg:maven/org.codehaus.jettison/jettison + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.5.2 + versions: + - "1.0" + - 1.0-RC1 + - 1.0-RC2 + - 1.0-alpha-1 + - 1.0-beta-1 + - 1.0.1 + - "1.1" + - "1.2" + - "1.3" + - 1.3.1 + - 1.3.2 + - 1.3.3 + - 1.3.4 + - 1.3.5 + - 1.3.6 + - 1.3.7 + - 1.3.8 + - 1.4.0 + - 1.4.1 + - 1.5.0 + - 1.5.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-7rf3-mqpx-h7xg/GHSA-7rf3-mqpx-h7xg.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-45685 + - type: WEB + url: https://github.com/jettison-json/jettison/issues/54 + - type: PACKAGE + url: https://github.com/jettison-json/jettison + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html + - type: WEB + url: https://www.debian.org/security/2023/dsa-5312 + database_specific: + cwe_ids: + - CWE-787 + github_reviewed: true + github_reviewed_at: "2023-01-04T14:27:01Z" + nvd_published_at: "2022-12-13T15:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-grr4-wv38-f68w + modified: 2023-11-08T04:10:53.577855Z + published: 2022-12-13T15:30:27Z + aliases: + - CVE-2022-45693 + summary: Jettison Out-of-bounds Write vulnerability + details: Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string. 
+ affected: + - package: + ecosystem: Maven + name: org.codehaus.jettison:jettison + purl: pkg:maven/org.codehaus.jettison/jettison + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.5.2 + versions: + - "1.0" + - 1.0-RC1 + - 1.0-RC2 + - 1.0-alpha-1 + - 1.0-beta-1 + - 1.0.1 + - "1.1" + - "1.2" + - "1.3" + - 1.3.1 + - 1.3.2 + - 1.3.3 + - 1.3.4 + - 1.3.5 + - 1.3.6 + - 1.3.7 + - 1.3.8 + - 1.4.0 + - 1.4.1 + - 1.5.0 + - 1.5.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-grr4-wv38-f68w/GHSA-grr4-wv38-f68w.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-45693 + - type: WEB + url: https://github.com/jettison-json/jettison/issues/52 + - type: PACKAGE + url: https://github.com/jettison-json/jettison + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html + - type: WEB + url: https://www.debian.org/security/2023/dsa-5312 + database_specific: + cwe_ids: + - CWE-787 + github_reviewed: true + github_reviewed_at: "2023-01-04T14:25:45Z" + nvd_published_at: "2022-12-13T15:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-q6g2-g7f3-rr83 + modified: 2024-02-20T05:34:09.671471Z + published: 2023-03-22T06:30:21Z + aliases: + - CVE-2023-1436 + summary: Jettison vulnerable to infinite recursion + details: An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown. 
+ affected: + - package: + ecosystem: Maven + name: org.codehaus.jettison:jettison + purl: pkg:maven/org.codehaus.jettison/jettison + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.5.4 + versions: + - "1.0" + - 1.0-RC1 + - 1.0-RC2 + - 1.0-alpha-1 + - 1.0-beta-1 + - 1.0.1 + - "1.1" + - "1.2" + - "1.3" + - 1.3.1 + - 1.3.2 + - 1.3.3 + - 1.3.4 + - 1.3.5 + - 1.3.6 + - 1.3.7 + - 1.3.8 + - 1.4.0 + - 1.4.1 + - 1.5.0 + - 1.5.1 + - 1.5.2 + - 1.5.3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-q6g2-g7f3-rr83/GHSA-q6g2-g7f3-rr83.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-1436 + - type: WEB + url: https://github.com/jettison-json/jettison/issues/60 + - type: WEB + url: https://github.com/jettison-json/jettison/pull/62 + - type: PACKAGE + url: https://github.com/jettison-json/jettison + - type: WEB + url: https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.4 + - type: WEB + url: https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911 + database_specific: + cwe_ids: + - CWE-674 + github_reviewed: true + github_reviewed_at: "2023-03-22T21:23:09Z" + nvd_published_at: "2023-03-22T06:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-x27m-9w8j-5vcw + modified: 2024-02-16T08:08:08.5959Z + published: 2022-09-17T00:00:41Z + aliases: + - CVE-2022-40150 + summary: Jettison memory exhaustion + details: Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack. 
+ affected: + - package: + ecosystem: Maven + name: org.codehaus.jettison:jettison + purl: pkg:maven/org.codehaus.jettison/jettison + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.5.2 + versions: + - "1.0" + - 1.0-RC1 + - 1.0-RC2 + - 1.0-alpha-1 + - 1.0-beta-1 + - 1.0.1 + - "1.1" + - "1.2" + - "1.3" + - 1.3.1 + - 1.3.2 + - 1.3.3 + - 1.3.4 + - 1.3.5 + - 1.3.6 + - 1.3.7 + - 1.3.8 + - 1.4.0 + - 1.4.1 + - 1.5.0 + - 1.5.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-x27m-9w8j-5vcw/GHSA-x27m-9w8j-5vcw.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-40150 + - type: WEB + url: https://github.com/jettison-json/jettison/issues/45 + - type: WEB + url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46549 + - type: PACKAGE + url: https://github.com/jettison-json/jettison + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html + - type: WEB + url: https://www.debian.org/security/2023/dsa-5312 + database_specific: + cwe_ids: + - CWE-400 + - CWE-674 + github_reviewed: true + github_reviewed_at: "2022-09-20T21:20:42Z" + nvd_published_at: "2022-09-16T10:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-8vhq-qq4p-grq3 + modified: 2023-11-08T03:58:47.274867Z + published: 2022-05-13T01:11:53Z + aliases: + - CVE-2017-1000487 + - SNYK-JAVA-ORGCODEHAUSPLEXUS-31522 + summary: OS Command Injection in Plexus-utils + details: Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings. 
+ affected: + - package: + ecosystem: Maven + name: org.codehaus.plexus:plexus-utils + purl: pkg:maven/org.codehaus.plexus/plexus-utils + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.0.16 + versions: + - 1.0.4 + - 1.0.5 + - "1.1" + - "1.2" + - "1.3" + - "1.4" + - 1.4-alpha-1 + - 1.4.1 + - 1.4.2 + - 1.4.3 + - 1.4.4 + - 1.4.5 + - 1.4.6 + - 1.4.7 + - 1.4.8 + - 1.4.9 + - "1.5" + - 1.5.1 + - 1.5.10 + - 1.5.11 + - 1.5.12 + - 1.5.13 + - 1.5.14 + - 1.5.15 + - 1.5.2 + - 1.5.3 + - 1.5.4 + - 1.5.5 + - 1.5.6 + - 1.5.7 + - 1.5.8 + - 1.5.9 + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.3 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - "2.1" + - "3.0" + - 3.0.1 + - 3.0.10 + - 3.0.11 + - 3.0.12 + - 3.0.13 + - 3.0.14 + - 3.0.15 + - 3.0.2 + - 3.0.3 + - 3.0.4 + - 3.0.5 + - 3.0.6 + - 3.0.7 + - 3.0.8 + - 3.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8vhq-qq4p-grq3/GHSA-8vhq-qq4p-grq3.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-1000487 + - type: WEB + url: https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1322 + - type: PACKAGE + url: https://github.com/codehaus-plexus/plexus-utils + - type: WEB + url: https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2e94f72f53df432302d359fd66cfa9e9efb8d42633d54579a4377e62@%3Cdev.avro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9584c4304c888f651d214341a939bd264ed30c9e3d0d30fe85097ecf@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E + - 
type: WEB + url: https://lists.debian.org/debian-lts-announce/2018/01/msg00010.html + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2018/01/msg00011.html + - type: WEB + url: https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31522 + - type: WEB + url: https://www.debian.org/security/2018/dsa-4146 + - type: WEB + url: https://www.debian.org/security/2018/dsa-4149 + database_specific: + cwe_ids: + - CWE-78 + github_reviewed: true + github_reviewed_at: "2022-07-01T21:47:32Z" + nvd_published_at: "2018-01-03T20:29:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-g6ph-x5wf-g337 + modified: 2024-05-03T20:31:38.024044Z + published: 2023-09-25T21:30:26Z + aliases: + - CVE-2022-4244 + summary: plexus-codehaus vulnerable to directory traversal + details: 'A flaw was found in plexus-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with dot-dot-slash (`../`) sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files. 
' + affected: + - package: + ecosystem: Maven + name: org.codehaus.plexus:plexus-utils + purl: pkg:maven/org.codehaus.plexus/plexus-utils + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.0.24 + versions: + - 1.0.4 + - 1.0.5 + - "1.1" + - "1.2" + - "1.3" + - "1.4" + - 1.4-alpha-1 + - 1.4.1 + - 1.4.2 + - 1.4.3 + - 1.4.4 + - 1.4.5 + - 1.4.6 + - 1.4.7 + - 1.4.8 + - 1.4.9 + - "1.5" + - 1.5.1 + - 1.5.10 + - 1.5.11 + - 1.5.12 + - 1.5.13 + - 1.5.14 + - 1.5.15 + - 1.5.2 + - 1.5.3 + - 1.5.4 + - 1.5.5 + - 1.5.6 + - 1.5.7 + - 1.5.8 + - 1.5.9 + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.3 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - "2.1" + - "3.0" + - 3.0.1 + - 3.0.10 + - 3.0.11 + - 3.0.12 + - 3.0.13 + - 3.0.14 + - 3.0.15 + - 3.0.16 + - 3.0.17 + - 3.0.18 + - 3.0.19 + - 3.0.2 + - 3.0.20 + - 3.0.21 + - 3.0.22 + - 3.0.23 + - 3.0.3 + - 3.0.4 + - 3.0.5 + - 3.0.6 + - 3.0.7 + - 3.0.8 + - 3.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-g6ph-x5wf-g337/GHSA-g6ph-x5wf-g337.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-4244 + - type: WEB + url: https://github.com/codehaus-plexus/plexus-utils/issues/4 + - type: WEB + url: https://github.com/codehaus-plexus/plexus-utils/commit/33a2853df8185b4519b1b8bfae284f03392618ef + - type: WEB + url: https://access.redhat.com/errata/RHSA-2023:2135 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2023:3906 + - type: WEB + url: https://access.redhat.com/security/cve/CVE-2022-4244 + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=2149841 + - type: WEB + url: https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31521 + database_specific: + cwe_ids: + - CWE-22 + github_reviewed: true + github_reviewed_at: "2023-09-26T17:59:40Z" + nvd_published_at: "2023-09-25T20:15:10Z" + severity: HIGH + - schema_version: 
1.6.0 + id: GHSA-jcwr-x25h-x5fh + modified: 2024-05-03T20:32:52.547057Z + published: 2023-09-25T21:30:26Z + aliases: + - CVE-2022-4245 + summary: codehaus-plexus vulnerable to XML injection + details: 'A flaw was found in codehaus-plexus. The `org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment` fails to sanitize comments for a `-->` sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection. ' + affected: + - package: + ecosystem: Maven + name: org.codehaus.plexus:plexus-utils + purl: pkg:maven/org.codehaus.plexus/plexus-utils + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.0.24 + versions: + - 1.0.4 + - 1.0.5 + - "1.1" + - "1.2" + - "1.3" + - "1.4" + - 1.4-alpha-1 + - 1.4.1 + - 1.4.2 + - 1.4.3 + - 1.4.4 + - 1.4.5 + - 1.4.6 + - 1.4.7 + - 1.4.8 + - 1.4.9 + - "1.5" + - 1.5.1 + - 1.5.10 + - 1.5.11 + - 1.5.12 + - 1.5.13 + - 1.5.14 + - 1.5.15 + - 1.5.2 + - 1.5.3 + - 1.5.4 + - 1.5.5 + - 1.5.6 + - 1.5.7 + - 1.5.8 + - 1.5.9 + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.0.3 + - 2.0.4 + - 2.0.5 + - 2.0.6 + - 2.0.7 + - "2.1" + - "3.0" + - 3.0.1 + - 3.0.10 + - 3.0.11 + - 3.0.12 + - 3.0.13 + - 3.0.14 + - 3.0.15 + - 3.0.16 + - 3.0.17 + - 3.0.18 + - 3.0.19 + - 3.0.2 + - 3.0.20 + - 3.0.21 + - 3.0.22 + - 3.0.23 + - 3.0.3 + - 3.0.4 + - 3.0.5 + - 3.0.6 + - 3.0.7 + - 3.0.8 + - 3.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-jcwr-x25h-x5fh/GHSA-jcwr-x25h-x5fh.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-4245 + - type: WEB + url: https://github.com/codehaus-plexus/plexus-utils/issues/3 + - type: WEB + url: https://github.com/codehaus-plexus/plexus-utils/commit/f933e5e78dc2637e485447ed821fe14904f110de + - type: WEB + url: https://access.redhat.com/errata/RHSA-2023:2135 + - type: WEB + url: 
https://access.redhat.com/errata/RHSA-2023:3906 + - type: WEB + url: https://access.redhat.com/security/cve/CVE-2022-4245 + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=2149843 + - type: PACKAGE + url: https://github.com/codehaus-plexus/plexus-utils + - type: WEB + url: https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-461102 + database_specific: + cwe_ids: + - CWE-611 + - CWE-91 + github_reviewed: true + github_reviewed_at: "2023-09-26T19:38:53Z" + nvd_published_at: "2023-09-25T20:15:10Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-cj7v-27pg-wf7q + modified: 2024-02-16T08:00:47.277184Z + published: 2022-07-07T20:55:34Z + aliases: + - CVE-2022-2047 + summary: Jetty invalid URI parsing may produce invalid HttpURI.authority + details: |- + ### Description + URI use within Jetty's `HttpURI` class can parse invalid URIs such as `http://localhost;/path` as having an authority with a host of `localhost;`. + + A URIs of the type `http://localhost;/path` should be interpreted to be either invalid or as `localhost;` to be the userinfo and no host. + However, `HttpURI.host` returns `localhost;` which is definitely wrong. + + ### Impact + This can lead to errors with Jetty's `HttpClient`, and Jetty's `ProxyServlet` / `AsyncProxyServlet` / `AsyncMiddleManServlet` wrongly interpreting an authority with no host as one with a host. + + ### Patches + Patched in PR [#8146](https://github.com/eclipse/jetty.project/pull/8146) for Jetty version 9.4.47. + Patched in PR [#8014](https://github.com/eclipse/jetty.project/pull/8015) for Jetty versions 10.0.10, and 11.0.10 + + ### Workarounds + None. + + ### For more information + If you have any questions or comments about this advisory: + * Email us at security@webtide.com. 
+ affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-http + purl: pkg:maven/org.eclipse.jetty/jetty-http + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 9.4.47 + versions: + - 7.0.0.M0 + - 7.0.0.M1 + - 7.0.0.M2 + - 7.0.0.M3 + - 7.0.0.M4 + - 7.0.0.RC0 + - 7.0.0.RC1 + - 7.0.0.RC2 + - 7.0.0.RC3 + - 7.0.0.RC4 + - 7.0.0.RC5 + - 7.0.0.RC6 + - 7.0.0.v20091005 + - 7.0.1.v20091125 + - 7.0.2.RC0 + - 7.0.2.v20100331 + - 7.1.0.RC0 + - 7.1.0.RC1 + - 7.1.0.v20100505 + - 7.1.1.v20100517 + - 7.1.2.v20100523 + - 7.1.3.v20100526 + - 7.1.4.v20100610 + - 7.1.5.v20100705 + - 7.1.6.v20100715 + - 7.2.0.RC0 + - 7.2.0.v20101020 + - 7.2.1.v20101111 + - 7.2.2.v20101205 + - 7.3.0.v20110203 + - 7.3.1.v20110307 + - 7.4.0.RC0 + - 7.4.0.v20110414 + - 7.4.1.v20110513 + - 7.4.2.v20110526 + - 7.4.3.v20110701 + - 7.4.4.v20110707 + - 7.4.5.v20110725 + - 7.5.0.RC0 + - 7.5.0.RC1 + - 7.5.0.RC2 + - 7.5.0.v20110901 + - 7.5.1.v20110908 + - 7.5.2.v20111006 + - 7.5.3.v20111011 + - 7.5.4.v20111024 + - 7.6.0.RC0 + - 7.6.0.RC1 + - 7.6.0.RC2 + - 7.6.0.RC3 + - 7.6.0.RC4 + - 7.6.0.RC5 + - 7.6.0.v20120127 + - 7.6.1.v20120215 + - 7.6.10.v20130312 + - 7.6.11.v20130520 + - 7.6.12.v20130726 + - 7.6.13.v20130916 + - 7.6.14.v20131031 + - 7.6.15.v20140411 + - 7.6.16.v20140903 + - 7.6.17.v20150415 + - 7.6.18.v20150929 + - 7.6.19.v20160209 + - 7.6.2.v20120308 + - 7.6.20.v20160902 + - 7.6.21.v20160908 + - 7.6.3.v20120416 + - 7.6.4.v20120524 + - 7.6.5.v20120716 + - 7.6.6.v20120903 + - 7.6.7.v20120910 + - 7.6.8.v20121106 + - 7.6.9.v20130131 + - 8.0.0.M0 + - 8.0.0.M1 + - 8.0.0.M2 + - 8.0.0.M3 + - 8.0.0.RC0 + - 8.0.0.v20110901 + - 8.0.1.v20110908 + - 8.0.2.v20111006 + - 8.0.3.v20111011 + - 8.0.4.v20111024 + - 8.1.0.RC0 + - 8.1.0.RC1 + - 8.1.0.RC2 + - 8.1.0.RC4 + - 8.1.0.RC5 + - 8.1.0.v20120127 + - 8.1.1.v20120215 + - 8.1.10.v20130312 + - 8.1.11.v20130520 + - 8.1.12.v20130726 + - 8.1.13.v20130916 + - 8.1.14.v20131031 + - 8.1.15.v20140411 + - 8.1.16.v20140903 + - 8.1.17.v20150415 + - 
8.1.18.v20150929 + - 8.1.19.v20160209 + - 8.1.2.v20120308 + - 8.1.20.v20160902 + - 8.1.21.v20160908 + - 8.1.22.v20160922 + - 8.1.3.v20120416 + - 8.1.4.v20120524 + - 8.1.5.v20120716 + - 8.1.6.v20120903 + - 8.1.7.v20120910 + - 8.1.8.v20121106 + - 8.1.9.v20130131 + - 8.2.0.v20160908 + - 9.0.0.M0 + - 9.0.0.M1 + - 9.0.0.M2 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M5 + - 9.0.0.RC0 + - 9.0.0.RC1 + - 9.0.0.RC2 + - 9.0.0.v20130308 + - 9.0.1.v20130408 + - 9.0.2.v20130417 + - 9.0.3.v20130506 + - 9.0.4.v20130625 + - 9.0.5.v20130815 + - 9.0.6.v20130930 + - 9.0.7.v20131107 + - 9.1.0.M0 + - 9.1.0.RC0 + - 9.1.0.RC1 + - 9.1.0.RC2 + - 9.1.0.v20131115 + - 9.1.1.v20140108 + - 9.1.2.v20140210 + - 9.1.3.v20140225 + - 9.1.4.v20140401 + - 9.1.5.v20140505 + - 9.1.6.v20160112 + - 9.2.0.M0 + - 9.2.0.M1 + - 9.2.0.RC0 + - 9.2.0.v20140526 + - 9.2.1.v20140609 + - 9.2.10.v20150310 + - 9.2.11.M0 + - 9.2.11.v20150529 + - 9.2.12.M0 + - 9.2.12.v20150709 + - 9.2.13.v20150730 + - 9.2.14.v20151106 + - 9.2.15.v20160210 + - 9.2.16.v20160414 + - 9.2.17.v20160517 + - 9.2.18.v20160721 + - 9.2.19.v20160908 + - 9.2.2.v20140723 + - 9.2.20.v20161216 + - 9.2.21.v20170120 + - 9.2.22.v20170606 + - 9.2.23.v20171218 + - 9.2.24.v20180105 + - 9.2.25.v20180606 + - 9.2.26.v20180806 + - 9.2.27.v20190403 + - 9.2.28.v20190418 + - 9.2.29.v20191105 + - 9.2.3.v20140905 + - 9.2.30.v20200428 + - 9.2.4.v20141103 + - 9.2.5.v20141112 + - 9.2.6.v20141205 + - 9.2.7.v20150116 + - 9.2.8.v20150217 + - 9.2.9.v20150224 + - 9.3.0.M0 + - 9.3.0.M1 + - 9.3.0.M2 + - 9.3.0.RC0 + - 9.3.0.RC1 + - 9.3.0.v20150612 + - 9.3.1.v20150714 + - 9.3.10.M0 + - 9.3.10.v20160621 + - 9.3.11.M0 + - 9.3.11.v20160721 + - 9.3.12.v20160915 + - 9.3.13.M0 + - 9.3.13.v20161014 + - 9.3.14.v20161028 + - 9.3.15.v20161220 + - 9.3.16.v20170120 + - 9.3.17.RC0 + - 9.3.17.v20170317 + - 9.3.18.v20170406 + - 9.3.19.v20170502 + - 9.3.2.v20150730 + - 9.3.20.v20170531 + - 9.3.21.M0 + - 9.3.21.RC0 + - 9.3.21.v20170918 + - 9.3.22.v20171030 + - 9.3.23.v20180228 + - 9.3.24.v20180605 + - 
9.3.25.v20180904 + - 9.3.26.v20190403 + - 9.3.27.v20190418 + - 9.3.28.v20191105 + - 9.3.29.v20201019 + - 9.3.3.v20150827 + - 9.3.30.v20211001 + - 9.3.4.RC0 + - 9.3.4.RC1 + - 9.3.4.v20151007 + - 9.3.5.v20151012 + - 9.3.6.v20151106 + - 9.3.7.RC0 + - 9.3.7.RC1 + - 9.3.7.v20160115 + - 9.3.8.RC0 + - 9.3.8.v20160314 + - 9.3.9.M0 + - 9.3.9.M1 + - 9.3.9.v20160517 + - 9.4.0.M0 + - 9.4.0.M1 + - 9.4.0.RC0 + - 9.4.0.RC1 + - 9.4.0.RC2 + - 9.4.0.RC3 + - 9.4.0.v20161208 + - 9.4.0.v20180619 + - 9.4.1.v20170120 + - 9.4.1.v20180619 + - 9.4.10.RC0 + - 9.4.10.RC1 + - 9.4.10.v20180503 + - 9.4.11.v20180605 + - 9.4.12.RC0 + - 9.4.12.RC1 + - 9.4.12.RC2 + - 9.4.12.v20180830 + - 9.4.13.v20181111 + - 9.4.14.v20181114 + - 9.4.15.v20190215 + - 9.4.16.v20190411 + - 9.4.17.v20190418 + - 9.4.18.v20190429 + - 9.4.19.v20190610 + - 9.4.2.v20170220 + - 9.4.2.v20180619 + - 9.4.20.v20190813 + - 9.4.21.v20190926 + - 9.4.22.v20191022 + - 9.4.23.v20191118 + - 9.4.24.v20191120 + - 9.4.25.v20191220 + - 9.4.26.v20200117 + - 9.4.27.v20200227 + - 9.4.28.v20200408 + - 9.4.29.v20200521 + - 9.4.3.v20170317 + - 9.4.3.v20180619 + - 9.4.30.v20200611 + - 9.4.31.v20200723 + - 9.4.32.v20200930 + - 9.4.33.v20201020 + - 9.4.34.v20201102 + - 9.4.35.v20201120 + - 9.4.36.v20210114 + - 9.4.37.v20210219 + - 9.4.38.v20210224 + - 9.4.39.v20210325 + - 9.4.4.v20170414 + - 9.4.4.v20180619 + - 9.4.40.v20210413 + - 9.4.41.v20210516 + - 9.4.42.v20210604 + - 9.4.43.v20210629 + - 9.4.44.v20210927 + - 9.4.45.v20220203 + - 9.4.46.v20220331 + - 9.4.5.v20170502 + - 9.4.5.v20180619 + - 9.4.6.v20170531 + - 9.4.6.v20180619 + - 9.4.7.RC0 + - 9.4.7.v20170914 + - 9.4.7.v20180619 + - 9.4.8.v20171121 + - 9.4.8.v20180619 + - 9.4.9.v20180320 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-cj7v-27pg-wf7q/GHSA-cj7v-27pg-wf7q.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-http + purl: pkg:maven/org.eclipse.jetty/jetty-http + ranges: + - type: ECOSYSTEM + 
events: + - introduced: 10.0.0 + - fixed: 10.0.10 + versions: + - 10.0.0 + - 10.0.1 + - 10.0.2 + - 10.0.3 + - 10.0.4 + - 10.0.5 + - 10.0.6 + - 10.0.7 + - 10.0.8 + - 10.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-cj7v-27pg-wf7q/GHSA-cj7v-27pg-wf7q.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-http + purl: pkg:maven/org.eclipse.jetty/jetty-http + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0 + - fixed: 11.0.10 + versions: + - 11.0.0 + - 11.0.1 + - 11.0.2 + - 11.0.3 + - 11.0.4 + - 11.0.5 + - 11.0.6 + - 11.0.7 + - 11.0.8 + - 11.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-cj7v-27pg-wf7q/GHSA-cj7v-27pg-wf7q.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N + references: + - type: WEB + url: https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-2047 + - type: PACKAGE + url: https://github.com/eclipse/jetty.project + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2022/08/msg00011.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220901-0006 + - type: WEB + url: https://www.debian.org/security/2022/dsa-5198 + database_specific: + cwe_ids: + - CWE-20 + github_reviewed: true + github_reviewed_at: "2022-07-07T20:55:34Z" + nvd_published_at: "2022-07-07T21:15:00Z" + severity: LOW + - schema_version: 1.6.0 + id: GHSA-hmr7-m48g-48f6 + modified: 2024-02-16T07:59:58.440241Z + published: 2023-09-14T16:17:27Z + aliases: + - CVE-2023-40167 + summary: Jetty accepts "+" prefixed value in Content-Length + details: "### Impact\n\nJetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. 
This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response.\n\n### Workarounds\n\nThere is no workaround as there is no known exploit scenario. \n\n### Original Report \n\n[RFC 9110 Secion 8.6](https://www.rfc-editor.org/rfc/rfc9110#section-8.6) defined the value of Content-Length header should be a string of 0-9 digits. However we found that Jetty accepts \"+\" prefixed Content-Length, which could lead to potential HTTP request smuggling.\n\nPayload:\n\n```\n POST / HTTP/1.1\n Host: a.com\n Content-Length: +16\n Connection: close\n ​\n 0123456789abcdef\n```\n\nWhen sending this payload to Jetty, it can successfully parse and identify the length.\n\nWhen sending this payload to NGINX, Apache HTTPd or other HTTP servers/parsers, they will return 400 bad request.\n\nThis behavior can lead to HTTP request smuggling and can be leveraged to bypass WAF or IDS." 
+ affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-http + purl: pkg:maven/org.eclipse.jetty/jetty-http + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0 + - fixed: 9.4.52 + versions: + - 9.0.0.v20130308 + - 9.0.1.v20130408 + - 9.0.2.v20130417 + - 9.0.3.v20130506 + - 9.0.4.v20130625 + - 9.0.5.v20130815 + - 9.0.6.v20130930 + - 9.0.7.v20131107 + - 9.1.0.M0 + - 9.1.0.RC0 + - 9.1.0.RC1 + - 9.1.0.RC2 + - 9.1.0.v20131115 + - 9.1.1.v20140108 + - 9.1.2.v20140210 + - 9.1.3.v20140225 + - 9.1.4.v20140401 + - 9.1.5.v20140505 + - 9.1.6.v20160112 + - 9.2.0.M0 + - 9.2.0.M1 + - 9.2.0.RC0 + - 9.2.0.v20140526 + - 9.2.1.v20140609 + - 9.2.10.v20150310 + - 9.2.11.M0 + - 9.2.11.v20150529 + - 9.2.12.M0 + - 9.2.12.v20150709 + - 9.2.13.v20150730 + - 9.2.14.v20151106 + - 9.2.15.v20160210 + - 9.2.16.v20160414 + - 9.2.17.v20160517 + - 9.2.18.v20160721 + - 9.2.19.v20160908 + - 9.2.2.v20140723 + - 9.2.20.v20161216 + - 9.2.21.v20170120 + - 9.2.22.v20170606 + - 9.2.23.v20171218 + - 9.2.24.v20180105 + - 9.2.25.v20180606 + - 9.2.26.v20180806 + - 9.2.27.v20190403 + - 9.2.28.v20190418 + - 9.2.29.v20191105 + - 9.2.3.v20140905 + - 9.2.30.v20200428 + - 9.2.4.v20141103 + - 9.2.5.v20141112 + - 9.2.6.v20141205 + - 9.2.7.v20150116 + - 9.2.8.v20150217 + - 9.2.9.v20150224 + - 9.3.0.M0 + - 9.3.0.M1 + - 9.3.0.M2 + - 9.3.0.RC0 + - 9.3.0.RC1 + - 9.3.0.v20150612 + - 9.3.1.v20150714 + - 9.3.10.M0 + - 9.3.10.v20160621 + - 9.3.11.M0 + - 9.3.11.v20160721 + - 9.3.12.v20160915 + - 9.3.13.M0 + - 9.3.13.v20161014 + - 9.3.14.v20161028 + - 9.3.15.v20161220 + - 9.3.16.v20170120 + - 9.3.17.RC0 + - 9.3.17.v20170317 + - 9.3.18.v20170406 + - 9.3.19.v20170502 + - 9.3.2.v20150730 + - 9.3.20.v20170531 + - 9.3.21.M0 + - 9.3.21.RC0 + - 9.3.21.v20170918 + - 9.3.22.v20171030 + - 9.3.23.v20180228 + - 9.3.24.v20180605 + - 9.3.25.v20180904 + - 9.3.26.v20190403 + - 9.3.27.v20190418 + - 9.3.28.v20191105 + - 9.3.29.v20201019 + - 9.3.3.v20150827 + - 9.3.30.v20211001 + - 9.3.4.RC0 + - 9.3.4.RC1 + - 
9.3.4.v20151007 + - 9.3.5.v20151012 + - 9.3.6.v20151106 + - 9.3.7.RC0 + - 9.3.7.RC1 + - 9.3.7.v20160115 + - 9.3.8.RC0 + - 9.3.8.v20160314 + - 9.3.9.M0 + - 9.3.9.M1 + - 9.3.9.v20160517 + - 9.4.0.M0 + - 9.4.0.M1 + - 9.4.0.RC0 + - 9.4.0.RC1 + - 9.4.0.RC2 + - 9.4.0.RC3 + - 9.4.0.v20161208 + - 9.4.0.v20180619 + - 9.4.1.v20170120 + - 9.4.1.v20180619 + - 9.4.10.RC0 + - 9.4.10.RC1 + - 9.4.10.v20180503 + - 9.4.11.v20180605 + - 9.4.12.RC0 + - 9.4.12.RC1 + - 9.4.12.RC2 + - 9.4.12.v20180830 + - 9.4.13.v20181111 + - 9.4.14.v20181114 + - 9.4.15.v20190215 + - 9.4.16.v20190411 + - 9.4.17.v20190418 + - 9.4.18.v20190429 + - 9.4.19.v20190610 + - 9.4.2.v20170220 + - 9.4.2.v20180619 + - 9.4.20.v20190813 + - 9.4.21.v20190926 + - 9.4.22.v20191022 + - 9.4.23.v20191118 + - 9.4.24.v20191120 + - 9.4.25.v20191220 + - 9.4.26.v20200117 + - 9.4.27.v20200227 + - 9.4.28.v20200408 + - 9.4.29.v20200521 + - 9.4.3.v20170317 + - 9.4.3.v20180619 + - 9.4.30.v20200611 + - 9.4.31.v20200723 + - 9.4.32.v20200930 + - 9.4.33.v20201020 + - 9.4.34.v20201102 + - 9.4.35.v20201120 + - 9.4.36.v20210114 + - 9.4.37.v20210219 + - 9.4.38.v20210224 + - 9.4.39.v20210325 + - 9.4.4.v20170414 + - 9.4.4.v20180619 + - 9.4.40.v20210413 + - 9.4.41.v20210516 + - 9.4.42.v20210604 + - 9.4.43.v20210629 + - 9.4.44.v20210927 + - 9.4.45.v20220203 + - 9.4.46.v20220331 + - 9.4.47.v20220610 + - 9.4.48.v20220622 + - 9.4.49.v20220914 + - 9.4.5.v20170502 + - 9.4.5.v20180619 + - 9.4.50.v20221201 + - 9.4.51.v20230217 + - 9.4.6.v20170531 + - 9.4.6.v20180619 + - 9.4.7.RC0 + - 9.4.7.v20170914 + - 9.4.7.v20180619 + - 9.4.8.v20171121 + - 9.4.8.v20180619 + - 9.4.9.v20180320 + database_specific: + last_known_affected_version_range: <= 9.4.51 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-hmr7-m48g-48f6/GHSA-hmr7-m48g-48f6.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-http + purl: pkg:maven/org.eclipse.jetty/jetty-http + ranges: + - type: ECOSYSTEM + events: + - 
introduced: 10.0.0 + - fixed: 10.0.16 + versions: + - 10.0.0 + - 10.0.1 + - 10.0.10 + - 10.0.11 + - 10.0.12 + - 10.0.13 + - 10.0.14 + - 10.0.15 + - 10.0.2 + - 10.0.3 + - 10.0.4 + - 10.0.5 + - 10.0.6 + - 10.0.7 + - 10.0.8 + - 10.0.9 + database_specific: + last_known_affected_version_range: <= 10.0.15 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-hmr7-m48g-48f6/GHSA-hmr7-m48g-48f6.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-http + purl: pkg:maven/org.eclipse.jetty/jetty-http + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0 + - fixed: 11.0.16 + versions: + - 11.0.0 + - 11.0.1 + - 11.0.10 + - 11.0.11 + - 11.0.12 + - 11.0.13 + - 11.0.14 + - 11.0.15 + - 11.0.2 + - 11.0.3 + - 11.0.4 + - 11.0.5 + - 11.0.6 + - 11.0.7 + - 11.0.8 + - 11.0.9 + database_specific: + last_known_affected_version_range: <= 11.0.15 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-hmr7-m48g-48f6/GHSA-hmr7-m48g-48f6.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-http + purl: pkg:maven/org.eclipse.jetty/jetty-http + ranges: + - type: ECOSYSTEM + events: + - introduced: 12.0.0 + - fixed: 12.0.1 + versions: + - 12.0.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-hmr7-m48g-48f6/GHSA-hmr7-m48g-48f6.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + references: + - type: WEB + url: https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6 + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-40167 + - type: PACKAGE + url: https://github.com/eclipse/jetty.project + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html + - type: WEB + url: https://www.debian.org/security/2023/dsa-5507 + - type: WEB + url: 
https://www.rfc-editor.org/rfc/rfc9110#section-8.6 + database_specific: + cwe_ids: + - CWE-130 + github_reviewed: true + github_reviewed_at: "2023-09-14T16:17:27Z" + nvd_published_at: "2023-09-15T20:15:09Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-26vr-8j45-3r4w + modified: 2024-03-11T05:36:57.484846Z + published: 2021-04-06T17:31:30Z + aliases: + - BIT-jenkins-2021-28165 + - CVE-2021-28165 + summary: Jetty vulnerable to incorrect handling of invalid large TLS frame, exhausting CPU resources + details: |- + ### Impact + When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage. + + ### Workarounds + + The problem can be worked around by compiling the following class: + ```java + package org.eclipse.jetty.server.ssl.fix6072; + + import java.nio.ByteBuffer; + import javax.net.ssl.SSLEngine; + import javax.net.ssl.SSLEngineResult; + import javax.net.ssl.SSLException; + import javax.net.ssl.SSLHandshakeException; + + import org.eclipse.jetty.io.EndPoint; + import org.eclipse.jetty.io.ssl.SslConnection; + import org.eclipse.jetty.server.Connector; + import org.eclipse.jetty.server.SslConnectionFactory; + import org.eclipse.jetty.util.BufferUtil; + import org.eclipse.jetty.util.annotation.Name; + import org.eclipse.jetty.util.ssl.SslContextFactory; + + public class SpaceCheckingSslConnectionFactory extends SslConnectionFactory + { + public SpaceCheckingSslConnectionFactory(@Name("sslContextFactory") SslContextFactory factory, @Name("next") String nextProtocol) + { + super(factory, nextProtocol); + } + + @Override + protected SslConnection newSslConnection(Connector connector, EndPoint endPoint, SSLEngine engine) + { + return new SslConnection(connector.getByteBufferPool(), connector.getExecutor(), endPoint, engine, isDirectBuffersForEncryption(), isDirectBuffersForDecryption()) + { + 
@Override + protected SSLEngineResult unwrap(SSLEngine sslEngine, ByteBuffer input, ByteBuffer output) throws SSLException + { + SSLEngineResult results = super.unwrap(sslEngine, input, output); + + if ((results.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW || + results.getStatus() == SSLEngineResult.Status.OK && results.bytesConsumed() == 0 && results.bytesProduced() == 0) && + BufferUtil.space(input) == 0) + { + BufferUtil.clear(input); + throw new SSLHandshakeException("Encrypted buffer max length exceeded"); + } + return results; + } + }; + } + } + ``` + This class can be deployed by: + + The resulting class file should be put into a jar file (eg sslfix6072.jar) + + The jar file should be made available to the server. For a normal distribution this can be done by putting the file into ${jetty.base}/lib + + Copy the file `${jetty.home}/modules/ssl.mod` to `${jetty.base}/modules` + + Edit the `${jetty.base}/modules/ssl.mod` file to have the following section: + + ``` + [lib] + lib/sslfix6072.jar + ``` + + + Copy the file `${jetty.home}/etc/jetty-https.xml` and`${jetty.home}/etc/jetty-http2.xml` to `${jetty.base}/etc` + + Edit files `${jetty.base}/etc/jetty-https.xml` and `${jetty.base}/etc/jetty-http2.xml`, changing any reference of `org.eclipse.jetty.server.SslConnectionFactory` to `org.eclipse.jetty.server.ssl.fix6072.SpaceCheckingSslConnectionFactory`. 
For example: + ```xml + + + + http/1.1 + + + + + ``` + + Restart Jetty + affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 7.2.2 + - fixed: 9.4.39 + versions: + - 7.2.2.v20101205 + - 7.3.0.v20110203 + - 7.3.1.v20110307 + - 7.4.0.RC0 + - 7.4.0.v20110414 + - 7.4.1.v20110513 + - 7.4.2.v20110526 + - 7.4.3.v20110701 + - 7.4.4.v20110707 + - 7.4.5.v20110725 + - 7.5.0.RC0 + - 7.5.0.RC1 + - 7.5.0.RC2 + - 7.5.0.v20110901 + - 7.5.1.v20110908 + - 7.5.2.v20111006 + - 7.5.3.v20111011 + - 7.5.4.v20111024 + - 7.6.0.RC0 + - 7.6.0.RC1 + - 7.6.0.RC2 + - 7.6.0.RC3 + - 7.6.0.RC4 + - 7.6.0.RC5 + - 7.6.0.v20120127 + - 7.6.1.v20120215 + - 7.6.10.v20130312 + - 7.6.11.v20130520 + - 7.6.12.v20130726 + - 7.6.13.v20130916 + - 7.6.14.v20131031 + - 7.6.15.v20140411 + - 7.6.16.v20140903 + - 7.6.17.v20150415 + - 7.6.18.v20150929 + - 7.6.19.v20160209 + - 7.6.2.v20120308 + - 7.6.20.v20160902 + - 7.6.21.v20160908 + - 7.6.3.v20120416 + - 7.6.4.v20120524 + - 7.6.5.v20120716 + - 7.6.6.v20120903 + - 7.6.7.v20120910 + - 7.6.8.v20121106 + - 7.6.9.v20130131 + - 8.0.0.M0 + - 8.0.0.M1 + - 8.0.0.M2 + - 8.0.0.M3 + - 8.0.0.RC0 + - 8.0.0.v20110901 + - 8.0.1.v20110908 + - 8.0.2.v20111006 + - 8.0.3.v20111011 + - 8.0.4.v20111024 + - 8.1.0.RC0 + - 8.1.0.RC1 + - 8.1.0.RC2 + - 8.1.0.RC4 + - 8.1.0.RC5 + - 8.1.0.v20120127 + - 8.1.1.v20120215 + - 8.1.10.v20130312 + - 8.1.11.v20130520 + - 8.1.12.v20130726 + - 8.1.13.v20130916 + - 8.1.14.v20131031 + - 8.1.15.v20140411 + - 8.1.16.v20140903 + - 8.1.17.v20150415 + - 8.1.18.v20150929 + - 8.1.19.v20160209 + - 8.1.2.v20120308 + - 8.1.20.v20160902 + - 8.1.21.v20160908 + - 8.1.22.v20160922 + - 8.1.3.v20120416 + - 8.1.4.v20120524 + - 8.1.5.v20120716 + - 8.1.6.v20120903 + - 8.1.7.v20120910 + - 8.1.8.v20121106 + - 8.1.9.v20130131 + - 8.2.0.v20160908 + - 9.0.0.M0 + - 9.0.0.M1 + - 9.0.0.M2 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M5 + - 9.0.0.RC0 + - 
9.0.0.RC1 + - 9.0.0.RC2 + - 9.0.0.v20130308 + - 9.0.1.v20130408 + - 9.0.2.v20130417 + - 9.0.3.v20130506 + - 9.0.4.v20130625 + - 9.0.5.v20130815 + - 9.0.6.v20130930 + - 9.0.7.v20131107 + - 9.1.0.M0 + - 9.1.0.RC0 + - 9.1.0.RC1 + - 9.1.0.RC2 + - 9.1.0.v20131115 + - 9.1.1.v20140108 + - 9.1.2.v20140210 + - 9.1.3.v20140225 + - 9.1.4.v20140401 + - 9.1.5.v20140505 + - 9.1.6.v20160112 + - 9.2.0.M0 + - 9.2.0.M1 + - 9.2.0.RC0 + - 9.2.0.v20140526 + - 9.2.1.v20140609 + - 9.2.10.v20150310 + - 9.2.11.M0 + - 9.2.11.v20150529 + - 9.2.12.M0 + - 9.2.12.v20150709 + - 9.2.13.v20150730 + - 9.2.14.v20151106 + - 9.2.15.v20160210 + - 9.2.16.v20160414 + - 9.2.17.v20160517 + - 9.2.18.v20160721 + - 9.2.19.v20160908 + - 9.2.2.v20140723 + - 9.2.20.v20161216 + - 9.2.21.v20170120 + - 9.2.22.v20170606 + - 9.2.23.v20171218 + - 9.2.24.v20180105 + - 9.2.25.v20180606 + - 9.2.26.v20180806 + - 9.2.27.v20190403 + - 9.2.28.v20190418 + - 9.2.29.v20191105 + - 9.2.3.v20140905 + - 9.2.30.v20200428 + - 9.2.4.v20141103 + - 9.2.5.v20141112 + - 9.2.6.v20141205 + - 9.2.7.v20150116 + - 9.2.8.v20150217 + - 9.2.9.v20150224 + - 9.3.0.M0 + - 9.3.0.M1 + - 9.3.0.M2 + - 9.3.0.RC0 + - 9.3.0.RC1 + - 9.3.0.v20150612 + - 9.3.1.v20150714 + - 9.3.10.M0 + - 9.3.10.v20160621 + - 9.3.11.M0 + - 9.3.11.v20160721 + - 9.3.12.v20160915 + - 9.3.13.M0 + - 9.3.13.v20161014 + - 9.3.14.v20161028 + - 9.3.15.v20161220 + - 9.3.16.v20170120 + - 9.3.17.RC0 + - 9.3.17.v20170317 + - 9.3.18.v20170406 + - 9.3.19.v20170502 + - 9.3.2.v20150730 + - 9.3.20.v20170531 + - 9.3.21.M0 + - 9.3.21.RC0 + - 9.3.21.v20170918 + - 9.3.22.v20171030 + - 9.3.23.v20180228 + - 9.3.24.v20180605 + - 9.3.25.v20180904 + - 9.3.26.v20190403 + - 9.3.27.v20190418 + - 9.3.28.v20191105 + - 9.3.29.v20201019 + - 9.3.3.v20150827 + - 9.3.30.v20211001 + - 9.3.4.RC0 + - 9.3.4.RC1 + - 9.3.4.v20151007 + - 9.3.5.v20151012 + - 9.3.6.v20151106 + - 9.3.7.RC0 + - 9.3.7.RC1 + - 9.3.7.v20160115 + - 9.3.8.RC0 + - 9.3.8.v20160314 + - 9.3.9.M0 + - 9.3.9.M1 + - 9.3.9.v20160517 + - 9.4.0.M0 + - 
9.4.0.M1 + - 9.4.0.RC0 + - 9.4.0.RC1 + - 9.4.0.RC2 + - 9.4.0.RC3 + - 9.4.0.v20161208 + - 9.4.0.v20180619 + - 9.4.1.v20170120 + - 9.4.1.v20180619 + - 9.4.10.RC0 + - 9.4.10.RC1 + - 9.4.10.v20180503 + - 9.4.11.v20180605 + - 9.4.12.RC0 + - 9.4.12.RC1 + - 9.4.12.RC2 + - 9.4.12.v20180830 + - 9.4.13.v20181111 + - 9.4.14.v20181114 + - 9.4.15.v20190215 + - 9.4.16.v20190411 + - 9.4.17.v20190418 + - 9.4.18.v20190429 + - 9.4.19.v20190610 + - 9.4.2.v20170220 + - 9.4.2.v20180619 + - 9.4.20.v20190813 + - 9.4.21.v20190926 + - 9.4.22.v20191022 + - 9.4.23.v20191118 + - 9.4.24.v20191120 + - 9.4.25.v20191220 + - 9.4.26.v20200117 + - 9.4.27.v20200227 + - 9.4.28.v20200408 + - 9.4.29.v20200521 + - 9.4.3.v20170317 + - 9.4.3.v20180619 + - 9.4.30.v20200611 + - 9.4.31.v20200723 + - 9.4.32.v20200930 + - 9.4.33.v20201020 + - 9.4.34.v20201102 + - 9.4.35.v20201120 + - 9.4.36.v20210114 + - 9.4.37.v20210219 + - 9.4.38.v20210224 + - 9.4.4.v20170414 + - 9.4.4.v20180619 + - 9.4.5.v20170502 + - 9.4.5.v20180619 + - 9.4.6.v20170531 + - 9.4.6.v20180619 + - 9.4.7.RC0 + - 9.4.7.v20170914 + - 9.4.7.v20180619 + - 9.4.8.v20171121 + - 9.4.8.v20180619 + - 9.4.9.v20180320 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-26vr-8j45-3r4w/GHSA-26vr-8j45-3r4w.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.0.0 + - fixed: 10.0.2 + versions: + - 10.0.0 + - 10.0.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-26vr-8j45-3r4w/GHSA-26vr-8j45-3r4w.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0 + - fixed: 11.0.2 + versions: + - 11.0.0 + - 11.0.1 + database_specific: + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-26vr-8j45-3r4w/GHSA-26vr-8j45-3r4w.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: WEB + url: https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-28165 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://lists.apache.org/thread.html/rc907ed7b089828364437de5ed57fa062330970dc1bc5cd214b711f77@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc6c43c3180c0efe00497c73dd374cd34b62036cb67987ad42c1f2dce@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc4dbc9907b0bdd634200ac90a15283d9c143c11af66e7ec72128d020@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc4779abc1cface47e956cf9f8910f15d79c24477e7b1ac9be076a825@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbd9a837a18ca57ac0d9b4165a6eec95ee132f55d025666fe41099f33@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbcd7b477df55857bb6cae21fcc4404683ac98aac1a47551f0dc55486@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbba0b02a3287e34af328070dd58f7828612f96e2e64992137f4dc63d@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbab9e67ec97591d063905bc7d4743e6a673f1bc457975fc0445ac97f@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb8f5a6ded384eb00608e6137e87110e7dd7d5054cc34561cb89b81af@%3Creviews.spark.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rb66ed0b4bb74836add60dd5ddf9172016380b2aeefb7f96fe348537b@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb2d34abb67cdf525945fe4b821c5cdbca29a78d586ae1f9f505a311c@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb1624b9777a3070135e94331a428c6653a6a1edccd56fa9fb7a547f2@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb11a13e623218c70b9f2a2d0d122fdaaf905e04a2edcd23761894464@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb00345f6b1620b553d2cc1acaf3017aa75cea3776b911e024fa3b187@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raea6e820644e8c5a577f77d4e2044f8ab52183c2536b00c56738beef@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rae8bbc5a516f3e21b8a55e61ff6ad0ced03bdbd116d2170a3eed9f5c@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra9dd15ba8a4fb7e42c7fe948a6d6b3868fd6bbf8e3fb37fcf33b2cd0@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra50519652b0b7f869a14fbfb4be9758a29171d7fe561bb7e036e8449@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra21b3e6bd9669377139fe33fb46edf6fece3f31375bc42a0dcc964b2@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra210e38ae0bf615084390b26ba01bb5d66c0a76f232277446ae0948a@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9fae5a4087d9ed1c9d4f0c7493b6981a4741cfb4bebb2416da638424@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9db72e9c33b93eba45a214af588f1d553839b5c3080fc913854a49ab@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r9b793db9f395b546e66fb9c44fe1cd75c7755029e944dfee31b8b779@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4abbd760d24bab2b8f1294c5c9216ae915100099c4391ad64e9ae38b@%3Cdev.hbase.apache.org%3E + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.debian.org/security/2021/dsa-4949 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210611-0006 + - type: WEB + url: https://lists.apache.org/thread.html/rfd3ff6e66b6bbcfb2fefa9f5a20328937c0369b2e142e3e1c6774743@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfc9f51b4e21022b3cd6cb6f90791a6a6999560212e519b5f09db0aed@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf99f9a25ca24fe519c9346388f61b5b3a09be31b800bf37f01473ad7@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf6de4c249bd74007f5f66f683c110535f46e719d2f83a41e8faf295f@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf1b02dfccd27b8bbc3afd119b212452fa32e9ed7d506be9357a3a7ec@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ree1895a256a9db951e0d97a76222909c2e1f28c1a3d89933173deed6@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re6614b4fe7dbb945409daadb9e1cc73c02383df68bf9334736107a6e@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re577736ca7da51952c910b345a500b7676ea9931c9b19709b87f292b@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/re3a1617d16a7367f767b8209b2151f4c19958196354b39568c532f26@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re0545ecced2d468c94ce4dcfa37d40a9573cc68ef5f6839ffca9c1c1@%3Ccommits.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdfe5f1c071ba9dadba18d7fb0ff13ea6ecb33da624250c559999eaeb@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdf4fe435891e8c35e70ea5da033b4c3da78760f15a8c4212fad89d9f@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdde34d53aa80193cda016272d61e6749f8a9044ccb37a30768938f7e@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdbf2a2cd1800540ae50dd78b57411229223a6172117d62b8e57596aa@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd9ea411a58925cc82c32e15f541ead23cb25b4b2d57a2bdb0341536e@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e@%3Cdev.ignite.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd755dfe5f658c42704540ad7950cebd136739089c3231658e398cf38@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd6c1eb9a8a94b3ac8a525d74d792924e8469f201b77e1afcf774e7a6@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd24d8a059233167b4a5aebda4b3534ca1d86caa8a85b10a73403ee97@%3Ccommits.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcdea97f4d3233298296aabc103c9fcefbf629425418c2b69bb16745f@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f@%3Cissues.ignite.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4891d45625cc522fe0eb764ac50d48bcca9c0db4805ea4a998d4c225@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r47a7542ab61da865fff3db0fe74bfe76c89a37b6e6d2c2a423f8baee@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r411d75dc6bcefadaaea246549dd18e8d391a880ddf28a796f09ce152@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r401b1c592f295b811608010a70792b11c91885b72af9f9410cffbe35@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r40136c2010fccf4fb2818a965e5d7ecca470e5f525c232ec5b8eb83a@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r33eb3889ca0aa12720355e64fc2f8f1e8c0c28a4d55b3b4b8891becb@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r31f591a0deac927ede8ccc3eac4bb92697ee2361bf01549f9e3440ca@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2f2d9c3b7cc750a6763d6388bcf5db0c7b467bd8be6ac4d6aea4f0cf@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2afc72af069a7fe89ca2de847f3ab3971cb1d668a9497c999946cd78@%3Ccommits.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r23785214d47673b811ef119ca3a40f729801865ea1e891572d15faa6@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r17e26cf9a1e3cbc09522d15ece5d7c7a00cdced7641b92a22a783287@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0f02034a33076fd7243cf3a8807d2766e373f5cb2e7fd0c9a78f97c4@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0cd1a5e3f4ad4770b44f8aa96572fc09d5b35bec149c0cc247579c42@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0bf3aa065abd23960fc8bdc8090d6bc00d5e391cf94ec4e1f4537ae3@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0a4797ba6ceea8074f47574a4f3cc11493d514c1fab8203ebd212add@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0a241b0649beef90d422b42a26a2470d336e59e66970eafd54f9c3e2@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r077b76cafb61520c14c87c4fc76419ed664002da0ddac5ad851ae7e7@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r06d54a297cb8217c66e5190912a955fb870ba47da164002bf2baffe5@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r05db8e0ef01e1280cc7543575ae0fa1c2b4d06a8b928916ef65dd2ad@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r03ca0b69db1e3e5f72fe484b71370d537cd711cbf334e2913332730a@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r002258611ed0c35b82b839d284b43db9dcdec120db8afc1c993137dc@%3Cnotifications.zookeeper.apache.org%3E + - type: PACKAGE + url: https://github.com/eclipse/jetty.project + - type: WEB + url: https://lists.apache.org/thread.html/r942f4a903d0abb25ac75c592e57df98dea51350e8589269a72fd7913@%3Cissues.spark.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r940f15db77a96f6aea92d830bc94d8d95f26cc593394d144755824da@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r90327f55db8f1d079f9a724aabf1f5eb3c00c1de49dc7fd04cad1ebc@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r83453ec252af729996476e5839d0b28f07294959d60fea1bd76f7d81@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r81748d56923882543f5be456043c67daef84d631cf54899082058ef1@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7c40fb3a66a39b6e6c83b0454bc6917ffe6c69e3131322be9c07a1da@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7bf7004c18c914fae3d5a6a0191d477e5b6408d95669b3afbf6efa36@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r769155244ca2da2948a44091bb3bb9a56e7e1c71ecc720b8ecf281f0@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r746434be6abff9ad321ff54ecae09e1f09c1c7c139021f40a5774090@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r72bf813ed4737196ea3ed26494e949577be587fd5939fe8be09907c7@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7189bf41cb0c483629917a01cf296f9fbdbda3987084595192e3845d@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r71031d0acb1de55c9ab32f4750c50ce2f28543252e887ca03bd5621e@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6f256a1d15505f79f4050a69bb8f27b34cb353604dd2f765c9da5df7@%3Cjira.kafka.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r6ce2907b2691c025250ba010bc797677ef78d5994d08507a2e5477c9@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6b070441871a4e6ce8bb63e190c879bb60da7c5e15023de29ebd4f9f@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd@%3Cissues.ignite.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r694e57d74fcaa48818a03c282aecfa13ae68340c798dfcb55cb7acc7@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r65daad30d13f7c56eb5c3d7733ad8dddbf62c469175410777a78d812@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6535b2beddf0ed2d263ab64ff365a5f790df135a1a2f45786417adb7@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r64ff94118f6c80e6c085c6e2d51bbb490eaefad0642db8c936e4f0b7@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5f172f2dd8fb02f032ef4437218fd4f610605a3dd4f2a024c1e43b94@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5d1f16dca2e010193840068f1a1ec17b7015e91acc646607cbc0a4da@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b@%3Cissues.ignite.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r56e5568ac73daedcb3b5affbb4b908999f03d3c1b1ada3920b01e959@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r520c56519b8820955a86966f499e7a0afcbcf669d6f7da59ef1eb155@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46@%3Cissues.ignite.apache.org%3E + - type: WEB + url: http://www.openwall.com/lists/oss-security/2021/04/20/3 + database_specific: + cwe_ids: + - 
CWE-400 + - CWE-551 + - CWE-755 + github_reviewed: true + github_reviewed_at: "2021-04-02T23:02:13Z" + nvd_published_at: "2021-04-01T15:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-5h9j-q6j2-253f + modified: 2024-02-16T08:16:10.159901Z + published: 2019-12-02T18:13:28Z + aliases: + - CVE-2019-17632 + summary: Unescaped exception messages in error responses in Jetty + details: In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output. + affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.4.21.v20190926 + - fixed: 9.4.24.v20191120 + versions: + - 9.4.21.v20190926 + - 9.4.22.v20191022 + - 9.4.23.v20191118 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-5h9j-q6j2-253f/GHSA-5h9j-q6j2-253f.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.4.22.v20191022 + - fixed: 9.4.24.v20191120 + versions: + - 9.4.22.v20191022 + - 9.4.23.v20191118 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-5h9j-q6j2-253f/GHSA-5h9j-q6j2-253f.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.4.23.v20191118 + - fixed: 9.4.24.v20191120 + versions: + - 9.4.23.v20191118 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-5h9j-q6j2-253f/GHSA-5h9j-q6j2-253f.json + 
severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-17632 + - type: WEB + url: https://bugs.eclipse.org/bugs/show_bug.cgi?id=553443 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAITZ27GKPD2CCNHGT2VBT4VWIBUJJNS + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + database_specific: + cwe_ids: + - CWE-79 + github_reviewed: true + github_reviewed_at: "2019-12-02T01:09:14Z" + nvd_published_at: "2019-11-25T22:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-6x9x-8qw9-9pp6 + modified: 2024-02-16T08:16:22.832624Z + published: 2018-10-19T16:16:38Z + aliases: + - CVE-2017-7658 + summary: Jetty vulnerable to authorization bypass due to inconsistent HTTP request handling (HTTP Request Smuggling) + details: Eclipse Jetty Server versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), are vulnerable to HTTP Request Smuggling when presented with two content-lengths headers, allowing authorization bypass. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decides on the shorter length, but still passes on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary is imposing authorization, the fake pipelined request bypasses that authorization. 
+ affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 9.2.25.v20180606 + versions: + - 7.0.0.M0 + - 7.0.0.M1 + - 7.0.0.M2 + - 7.0.0.M3 + - 7.0.0.M4 + - 7.0.0.RC0 + - 7.0.0.RC1 + - 7.0.0.RC2 + - 7.0.0.RC3 + - 7.0.0.RC4 + - 7.0.0.RC5 + - 7.0.0.RC6 + - 7.0.0.v20091005 + - 7.0.1.v20091125 + - 7.0.2.RC0 + - 7.0.2.v20100331 + - 7.1.0.RC0 + - 7.1.0.RC1 + - 7.1.0.v20100505 + - 7.1.1.v20100517 + - 7.1.2.v20100523 + - 7.1.3.v20100526 + - 7.1.4.v20100610 + - 7.1.5.v20100705 + - 7.1.6.v20100715 + - 7.2.0.RC0 + - 7.2.0.v20101020 + - 7.2.1.v20101111 + - 7.2.2.v20101205 + - 7.3.0.v20110203 + - 7.3.1.v20110307 + - 7.4.0.RC0 + - 7.4.0.v20110414 + - 7.4.1.v20110513 + - 7.4.2.v20110526 + - 7.4.3.v20110701 + - 7.4.4.v20110707 + - 7.4.5.v20110725 + - 7.5.0.RC0 + - 7.5.0.RC1 + - 7.5.0.RC2 + - 7.5.0.v20110901 + - 7.5.1.v20110908 + - 7.5.2.v20111006 + - 7.5.3.v20111011 + - 7.5.4.v20111024 + - 7.6.0.RC0 + - 7.6.0.RC1 + - 7.6.0.RC2 + - 7.6.0.RC3 + - 7.6.0.RC4 + - 7.6.0.RC5 + - 7.6.0.v20120127 + - 7.6.1.v20120215 + - 7.6.10.v20130312 + - 7.6.11.v20130520 + - 7.6.12.v20130726 + - 7.6.13.v20130916 + - 7.6.14.v20131031 + - 7.6.15.v20140411 + - 7.6.16.v20140903 + - 7.6.17.v20150415 + - 7.6.18.v20150929 + - 7.6.19.v20160209 + - 7.6.2.v20120308 + - 7.6.20.v20160902 + - 7.6.21.v20160908 + - 7.6.3.v20120416 + - 7.6.4.v20120524 + - 7.6.5.v20120716 + - 7.6.6.v20120903 + - 7.6.7.v20120910 + - 7.6.8.v20121106 + - 7.6.9.v20130131 + - 8.0.0.M0 + - 8.0.0.M1 + - 8.0.0.M2 + - 8.0.0.M3 + - 8.0.0.RC0 + - 8.0.0.v20110901 + - 8.0.1.v20110908 + - 8.0.2.v20111006 + - 8.0.3.v20111011 + - 8.0.4.v20111024 + - 8.1.0.RC0 + - 8.1.0.RC1 + - 8.1.0.RC2 + - 8.1.0.RC4 + - 8.1.0.RC5 + - 8.1.0.v20120127 + - 8.1.1.v20120215 + - 8.1.10.v20130312 + - 8.1.11.v20130520 + - 8.1.12.v20130726 + - 8.1.13.v20130916 + - 8.1.14.v20131031 + - 8.1.15.v20140411 + - 8.1.16.v20140903 + - 
8.1.17.v20150415 + - 8.1.18.v20150929 + - 8.1.19.v20160209 + - 8.1.2.v20120308 + - 8.1.20.v20160902 + - 8.1.21.v20160908 + - 8.1.22.v20160922 + - 8.1.3.v20120416 + - 8.1.4.v20120524 + - 8.1.5.v20120716 + - 8.1.6.v20120903 + - 8.1.7.v20120910 + - 8.1.8.v20121106 + - 8.1.9.v20130131 + - 8.2.0.v20160908 + - 9.0.0.M0 + - 9.0.0.M1 + - 9.0.0.M2 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M5 + - 9.0.0.RC0 + - 9.0.0.RC1 + - 9.0.0.RC2 + - 9.0.0.v20130308 + - 9.0.1.v20130408 + - 9.0.2.v20130417 + - 9.0.3.v20130506 + - 9.0.4.v20130625 + - 9.0.5.v20130815 + - 9.0.6.v20130930 + - 9.0.7.v20131107 + - 9.1.0.M0 + - 9.1.0.RC0 + - 9.1.0.RC1 + - 9.1.0.RC2 + - 9.1.0.v20131115 + - 9.1.1.v20140108 + - 9.1.2.v20140210 + - 9.1.3.v20140225 + - 9.1.4.v20140401 + - 9.1.5.v20140505 + - 9.1.6.v20160112 + - 9.2.0.M0 + - 9.2.0.M1 + - 9.2.0.RC0 + - 9.2.0.v20140526 + - 9.2.1.v20140609 + - 9.2.10.v20150310 + - 9.2.11.M0 + - 9.2.11.v20150529 + - 9.2.12.M0 + - 9.2.12.v20150709 + - 9.2.13.v20150730 + - 9.2.14.v20151106 + - 9.2.15.v20160210 + - 9.2.16.v20160414 + - 9.2.17.v20160517 + - 9.2.18.v20160721 + - 9.2.19.v20160908 + - 9.2.2.v20140723 + - 9.2.20.v20161216 + - 9.2.21.v20170120 + - 9.2.22.v20170606 + - 9.2.23.v20171218 + - 9.2.24.v20180105 + - 9.2.3.v20140905 + - 9.2.4.v20141103 + - 9.2.5.v20141112 + - 9.2.6.v20141205 + - 9.2.7.v20150116 + - 9.2.8.v20150217 + - 9.2.9.v20150224 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6x9x-8qw9-9pp6/GHSA-6x9x-8qw9-9pp6.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.3.0 + - fixed: 9.3.24.v20180605 + versions: + - 9.3.0.v20150612 + - 9.3.1.v20150714 + - 9.3.10.M0 + - 9.3.10.v20160621 + - 9.3.11.M0 + - 9.3.11.v20160721 + - 9.3.12.v20160915 + - 9.3.13.M0 + - 9.3.13.v20161014 + - 9.3.14.v20161028 + - 9.3.15.v20161220 + - 9.3.16.v20170120 + - 9.3.17.RC0 + - 
9.3.17.v20170317 + - 9.3.18.v20170406 + - 9.3.19.v20170502 + - 9.3.2.v20150730 + - 9.3.20.v20170531 + - 9.3.21.M0 + - 9.3.21.RC0 + - 9.3.21.v20170918 + - 9.3.22.v20171030 + - 9.3.23.v20180228 + - 9.3.3.v20150827 + - 9.3.4.RC0 + - 9.3.4.RC1 + - 9.3.4.v20151007 + - 9.3.5.v20151012 + - 9.3.6.v20151106 + - 9.3.7.RC0 + - 9.3.7.RC1 + - 9.3.7.v20160115 + - 9.3.8.RC0 + - 9.3.8.v20160314 + - 9.3.9.M0 + - 9.3.9.M1 + - 9.3.9.v20160517 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6x9x-8qw9-9pp6/GHSA-6x9x-8qw9-9pp6.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.4.0 + - fixed: 9.4.11.v20180605 + versions: + - 9.4.0.v20161208 + - 9.4.0.v20180619 + - 9.4.1.v20170120 + - 9.4.1.v20180619 + - 9.4.10.RC0 + - 9.4.10.RC1 + - 9.4.10.v20180503 + - 9.4.2.v20170220 + - 9.4.2.v20180619 + - 9.4.3.v20170317 + - 9.4.3.v20180619 + - 9.4.4.v20170414 + - 9.4.4.v20180619 + - 9.4.5.v20170502 + - 9.4.5.v20180619 + - 9.4.6.v20170531 + - 9.4.6.v20180619 + - 9.4.7.RC0 + - 9.4.7.v20170914 + - 9.4.7.v20180619 + - 9.4.8.v20171121 + - 9.4.8.v20180619 + - 9.4.9.v20180320 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6x9x-8qw9-9pp6/GHSA-6x9x-8qw9-9pp6.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-7658 + - type: WEB + url: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669 + - type: ADVISORY + url: https://github.com/advisories/GHSA-6x9x-8qw9-9pp6 + - type: WEB + url: https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20181014-0001 + - type: WEB + url: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us + - type: WEB + url: https://www.debian.org/security/2018/dsa-4278 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: http://www.securityfocus.com/bid/106566 + - type: WEB + url: http://www.securitytracker.com/id/1041194 + database_specific: + cwe_ids: + - CWE-444 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:20:39Z" + nvd_published_at: "2018-06-26T17:29:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-7vx9-xjhr-rw6h + modified: 2024-02-16T08:16:44.502362Z + published: 2019-04-23T16:06:02Z + aliases: + - CVE-2019-10241 + summary: Cross-site Scripting in Eclipse Jetty + details: In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, 
the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. + affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 9.2.27.v20190403 + versions: + - 7.0.0.M0 + - 7.0.0.M1 + - 7.0.0.M2 + - 7.0.0.M3 + - 7.0.0.M4 + - 7.0.0.RC0 + - 7.0.0.RC1 + - 7.0.0.RC2 + - 7.0.0.RC3 + - 7.0.0.RC4 + - 7.0.0.RC5 + - 7.0.0.RC6 + - 7.0.0.v20091005 + - 7.0.1.v20091125 + - 7.0.2.RC0 + - 7.0.2.v20100331 + - 7.1.0.RC0 + - 7.1.0.RC1 + - 7.1.0.v20100505 + - 7.1.1.v20100517 + - 7.1.2.v20100523 + - 7.1.3.v20100526 + - 7.1.4.v20100610 + - 7.1.5.v20100705 + - 7.1.6.v20100715 + - 7.2.0.RC0 + - 7.2.0.v20101020 + - 7.2.1.v20101111 + - 7.2.2.v20101205 + - 7.3.0.v20110203 + - 7.3.1.v20110307 + - 7.4.0.RC0 + - 7.4.0.v20110414 + - 7.4.1.v20110513 + - 7.4.2.v20110526 + - 7.4.3.v20110701 + - 7.4.4.v20110707 + - 7.4.5.v20110725 + - 7.5.0.RC0 + - 7.5.0.RC1 + - 7.5.0.RC2 + - 7.5.0.v20110901 + - 7.5.1.v20110908 + - 7.5.2.v20111006 + - 7.5.3.v20111011 + - 7.5.4.v20111024 + - 7.6.0.RC0 + - 7.6.0.RC1 + - 7.6.0.RC2 + - 7.6.0.RC3 + - 7.6.0.RC4 + - 7.6.0.RC5 + - 7.6.0.v20120127 + - 7.6.1.v20120215 + - 7.6.10.v20130312 + - 7.6.11.v20130520 + - 7.6.12.v20130726 + - 7.6.13.v20130916 + - 7.6.14.v20131031 + - 7.6.15.v20140411 + - 7.6.16.v20140903 + - 7.6.17.v20150415 + - 7.6.18.v20150929 + - 7.6.19.v20160209 + - 7.6.2.v20120308 + - 7.6.20.v20160902 + - 7.6.21.v20160908 + - 7.6.3.v20120416 + - 7.6.4.v20120524 + - 7.6.5.v20120716 + - 7.6.6.v20120903 + - 7.6.7.v20120910 + - 7.6.8.v20121106 + - 7.6.9.v20130131 + - 8.0.0.M0 + - 8.0.0.M1 + - 8.0.0.M2 + - 8.0.0.M3 + - 8.0.0.RC0 + - 8.0.0.v20110901 + - 8.0.1.v20110908 + - 8.0.2.v20111006 + - 8.0.3.v20111011 + - 8.0.4.v20111024 + - 8.1.0.RC0 + - 8.1.0.RC1 + - 8.1.0.RC2 + - 8.1.0.RC4 + - 
8.1.0.RC5 + - 8.1.0.v20120127 + - 8.1.1.v20120215 + - 8.1.10.v20130312 + - 8.1.11.v20130520 + - 8.1.12.v20130726 + - 8.1.13.v20130916 + - 8.1.14.v20131031 + - 8.1.15.v20140411 + - 8.1.16.v20140903 + - 8.1.17.v20150415 + - 8.1.18.v20150929 + - 8.1.19.v20160209 + - 8.1.2.v20120308 + - 8.1.20.v20160902 + - 8.1.21.v20160908 + - 8.1.22.v20160922 + - 8.1.3.v20120416 + - 8.1.4.v20120524 + - 8.1.5.v20120716 + - 8.1.6.v20120903 + - 8.1.7.v20120910 + - 8.1.8.v20121106 + - 8.1.9.v20130131 + - 8.2.0.v20160908 + - 9.0.0.M0 + - 9.0.0.M1 + - 9.0.0.M2 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M5 + - 9.0.0.RC0 + - 9.0.0.RC1 + - 9.0.0.RC2 + - 9.0.0.v20130308 + - 9.0.1.v20130408 + - 9.0.2.v20130417 + - 9.0.3.v20130506 + - 9.0.4.v20130625 + - 9.0.5.v20130815 + - 9.0.6.v20130930 + - 9.0.7.v20131107 + - 9.1.0.M0 + - 9.1.0.RC0 + - 9.1.0.RC1 + - 9.1.0.RC2 + - 9.1.0.v20131115 + - 9.1.1.v20140108 + - 9.1.2.v20140210 + - 9.1.3.v20140225 + - 9.1.4.v20140401 + - 9.1.5.v20140505 + - 9.1.6.v20160112 + - 9.2.0.M0 + - 9.2.0.M1 + - 9.2.0.RC0 + - 9.2.0.v20140526 + - 9.2.1.v20140609 + - 9.2.10.v20150310 + - 9.2.11.M0 + - 9.2.11.v20150529 + - 9.2.12.M0 + - 9.2.12.v20150709 + - 9.2.13.v20150730 + - 9.2.14.v20151106 + - 9.2.15.v20160210 + - 9.2.16.v20160414 + - 9.2.17.v20160517 + - 9.2.18.v20160721 + - 9.2.19.v20160908 + - 9.2.2.v20140723 + - 9.2.20.v20161216 + - 9.2.21.v20170120 + - 9.2.22.v20170606 + - 9.2.23.v20171218 + - 9.2.24.v20180105 + - 9.2.25.v20180606 + - 9.2.26.v20180806 + - 9.2.3.v20140905 + - 9.2.4.v20141103 + - 9.2.5.v20141112 + - 9.2.6.v20141205 + - 9.2.7.v20150116 + - 9.2.8.v20150217 + - 9.2.9.v20150224 + database_specific: + last_known_affected_version_range: <= 9.2.26.v20180806 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-7vx9-xjhr-rw6h/GHSA-7vx9-xjhr-rw6h.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - 
introduced: 9.3.0 + - fixed: 9.3.26.v20190403 + versions: + - 9.3.0.v20150612 + - 9.3.1.v20150714 + - 9.3.10.M0 + - 9.3.10.v20160621 + - 9.3.11.M0 + - 9.3.11.v20160721 + - 9.3.12.v20160915 + - 9.3.13.M0 + - 9.3.13.v20161014 + - 9.3.14.v20161028 + - 9.3.15.v20161220 + - 9.3.16.v20170120 + - 9.3.17.RC0 + - 9.3.17.v20170317 + - 9.3.18.v20170406 + - 9.3.19.v20170502 + - 9.3.2.v20150730 + - 9.3.20.v20170531 + - 9.3.21.M0 + - 9.3.21.RC0 + - 9.3.21.v20170918 + - 9.3.22.v20171030 + - 9.3.23.v20180228 + - 9.3.24.v20180605 + - 9.3.25.v20180904 + - 9.3.3.v20150827 + - 9.3.4.RC0 + - 9.3.4.RC1 + - 9.3.4.v20151007 + - 9.3.5.v20151012 + - 9.3.6.v20151106 + - 9.3.7.RC0 + - 9.3.7.RC1 + - 9.3.7.v20160115 + - 9.3.8.RC0 + - 9.3.8.v20160314 + - 9.3.9.M0 + - 9.3.9.M1 + - 9.3.9.v20160517 + database_specific: + last_known_affected_version_range: <= 9.3.25.v20180904 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-7vx9-xjhr-rw6h/GHSA-7vx9-xjhr-rw6h.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.4.0 + - fixed: 9.4.16.v20190411 + versions: + - 9.4.0.v20161208 + - 9.4.0.v20180619 + - 9.4.1.v20170120 + - 9.4.1.v20180619 + - 9.4.10.RC0 + - 9.4.10.RC1 + - 9.4.10.v20180503 + - 9.4.11.v20180605 + - 9.4.12.RC0 + - 9.4.12.RC1 + - 9.4.12.RC2 + - 9.4.12.v20180830 + - 9.4.13.v20181111 + - 9.4.14.v20181114 + - 9.4.15.v20190215 + - 9.4.2.v20170220 + - 9.4.2.v20180619 + - 9.4.3.v20170317 + - 9.4.3.v20180619 + - 9.4.4.v20170414 + - 9.4.4.v20180619 + - 9.4.5.v20170502 + - 9.4.5.v20180619 + - 9.4.6.v20170531 + - 9.4.6.v20180619 + - 9.4.7.RC0 + - 9.4.7.v20170914 + - 9.4.7.v20180619 + - 9.4.8.v20171121 + - 9.4.8.v20180619 + - 9.4.9.v20180320 + database_specific: + last_known_affected_version_range: <= 9.4.15.v20190215 + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-7vx9-xjhr-rw6h/GHSA-7vx9-xjhr-rw6h.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-10241 + - type: WEB + url: https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121 + - type: WEB + url: https://lists.apache.org/thread.html/01e004c3f7c7365863a27e7038b7f32dae56ccf3a496b277c9b7f7b6@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/464892b514c029dfc0c8656a93e1c0de983c473df70fdadbd224e09f@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/8bff534863c7aaf09bb17c3d0532777258dd3a5c7ddda34198cc2742@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/bcfb37bfba7b3d7e9c7808b5e5a38a98d6bb714d52cf5162bdd48e32@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/d7c4a664a34853f57c2163ab562f39802df5cf809523ea40c97289c1@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190509-0003 + - type: WEB + url: https://www.debian.org/security/2021/dsa-4949 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + 
url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + database_specific: + cwe_ids: + - CWE-79 + github_reviewed: true + github_reviewed_at: "2019-04-23T16:02:04Z" + nvd_published_at: "2019-04-22T20:29:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-84q7-p226-4x5w + modified: 2024-02-16T08:17:36.03635Z + published: 2018-10-19T16:16:27Z + aliases: + - CVE-2017-7656 + summary: Jetty vulnerable to cache poisoning due to inconsistent HTTP request handling (HTTP Request Smuggling) + details: Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), contain an HTTP Request Smuggling Vulnerability that can result in cache poisoning. + affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 9.3.24.v20180605 + versions: + - 7.0.0.M0 + - 7.0.0.M1 + - 7.0.0.M2 + - 7.0.0.M3 + - 7.0.0.M4 + - 7.0.0.RC0 + - 7.0.0.RC1 + - 7.0.0.RC2 + - 7.0.0.RC3 + - 7.0.0.RC4 + - 7.0.0.RC5 + - 7.0.0.RC6 + - 7.0.0.v20091005 + - 7.0.1.v20091125 + - 7.0.2.RC0 + - 7.0.2.v20100331 + - 7.1.0.RC0 + - 7.1.0.RC1 + - 7.1.0.v20100505 + - 7.1.1.v20100517 + - 7.1.2.v20100523 + - 7.1.3.v20100526 + - 7.1.4.v20100610 + - 7.1.5.v20100705 + - 7.1.6.v20100715 + - 7.2.0.RC0 + - 7.2.0.v20101020 + - 7.2.1.v20101111 + - 7.2.2.v20101205 + - 7.3.0.v20110203 + - 7.3.1.v20110307 + - 7.4.0.RC0 + - 7.4.0.v20110414 + - 7.4.1.v20110513 + - 7.4.2.v20110526 + - 7.4.3.v20110701 + - 7.4.4.v20110707 + - 7.4.5.v20110725 + - 7.5.0.RC0 + - 7.5.0.RC1 + - 7.5.0.RC2 + - 7.5.0.v20110901 + - 7.5.1.v20110908 + - 7.5.2.v20111006 + - 7.5.3.v20111011 + - 7.5.4.v20111024 + - 7.6.0.RC0 + - 7.6.0.RC1 + - 7.6.0.RC2 + - 7.6.0.RC3 + - 7.6.0.RC4 + - 7.6.0.RC5 + - 7.6.0.v20120127 + - 7.6.1.v20120215 + - 7.6.10.v20130312 + - 7.6.11.v20130520 + - 7.6.12.v20130726 + - 7.6.13.v20130916 + - 
7.6.14.v20131031 + - 7.6.15.v20140411 + - 7.6.16.v20140903 + - 7.6.17.v20150415 + - 7.6.18.v20150929 + - 7.6.19.v20160209 + - 7.6.2.v20120308 + - 7.6.20.v20160902 + - 7.6.21.v20160908 + - 7.6.3.v20120416 + - 7.6.4.v20120524 + - 7.6.5.v20120716 + - 7.6.6.v20120903 + - 7.6.7.v20120910 + - 7.6.8.v20121106 + - 7.6.9.v20130131 + - 8.0.0.M0 + - 8.0.0.M1 + - 8.0.0.M2 + - 8.0.0.M3 + - 8.0.0.RC0 + - 8.0.0.v20110901 + - 8.0.1.v20110908 + - 8.0.2.v20111006 + - 8.0.3.v20111011 + - 8.0.4.v20111024 + - 8.1.0.RC0 + - 8.1.0.RC1 + - 8.1.0.RC2 + - 8.1.0.RC4 + - 8.1.0.RC5 + - 8.1.0.v20120127 + - 8.1.1.v20120215 + - 8.1.10.v20130312 + - 8.1.11.v20130520 + - 8.1.12.v20130726 + - 8.1.13.v20130916 + - 8.1.14.v20131031 + - 8.1.15.v20140411 + - 8.1.16.v20140903 + - 8.1.17.v20150415 + - 8.1.18.v20150929 + - 8.1.19.v20160209 + - 8.1.2.v20120308 + - 8.1.20.v20160902 + - 8.1.21.v20160908 + - 8.1.22.v20160922 + - 8.1.3.v20120416 + - 8.1.4.v20120524 + - 8.1.5.v20120716 + - 8.1.6.v20120903 + - 8.1.7.v20120910 + - 8.1.8.v20121106 + - 8.1.9.v20130131 + - 8.2.0.v20160908 + - 9.0.0.M0 + - 9.0.0.M1 + - 9.0.0.M2 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M5 + - 9.0.0.RC0 + - 9.0.0.RC1 + - 9.0.0.RC2 + - 9.0.0.v20130308 + - 9.0.1.v20130408 + - 9.0.2.v20130417 + - 9.0.3.v20130506 + - 9.0.4.v20130625 + - 9.0.5.v20130815 + - 9.0.6.v20130930 + - 9.0.7.v20131107 + - 9.1.0.M0 + - 9.1.0.RC0 + - 9.1.0.RC1 + - 9.1.0.RC2 + - 9.1.0.v20131115 + - 9.1.1.v20140108 + - 9.1.2.v20140210 + - 9.1.3.v20140225 + - 9.1.4.v20140401 + - 9.1.5.v20140505 + - 9.1.6.v20160112 + - 9.2.0.M0 + - 9.2.0.M1 + - 9.2.0.RC0 + - 9.2.0.v20140526 + - 9.2.1.v20140609 + - 9.2.10.v20150310 + - 9.2.11.M0 + - 9.2.11.v20150529 + - 9.2.12.M0 + - 9.2.12.v20150709 + - 9.2.13.v20150730 + - 9.2.14.v20151106 + - 9.2.15.v20160210 + - 9.2.16.v20160414 + - 9.2.17.v20160517 + - 9.2.18.v20160721 + - 9.2.19.v20160908 + - 9.2.2.v20140723 + - 9.2.20.v20161216 + - 9.2.21.v20170120 + - 9.2.22.v20170606 + - 9.2.23.v20171218 + - 9.2.24.v20180105 + - 9.2.25.v20180606 + - 
9.2.26.v20180806 + - 9.2.27.v20190403 + - 9.2.28.v20190418 + - 9.2.29.v20191105 + - 9.2.3.v20140905 + - 9.2.30.v20200428 + - 9.2.4.v20141103 + - 9.2.5.v20141112 + - 9.2.6.v20141205 + - 9.2.7.v20150116 + - 9.2.8.v20150217 + - 9.2.9.v20150224 + - 9.3.0.M0 + - 9.3.0.M1 + - 9.3.0.M2 + - 9.3.0.RC0 + - 9.3.0.RC1 + - 9.3.0.v20150612 + - 9.3.1.v20150714 + - 9.3.10.M0 + - 9.3.10.v20160621 + - 9.3.11.M0 + - 9.3.11.v20160721 + - 9.3.12.v20160915 + - 9.3.13.M0 + - 9.3.13.v20161014 + - 9.3.14.v20161028 + - 9.3.15.v20161220 + - 9.3.16.v20170120 + - 9.3.17.RC0 + - 9.3.17.v20170317 + - 9.3.18.v20170406 + - 9.3.19.v20170502 + - 9.3.2.v20150730 + - 9.3.20.v20170531 + - 9.3.21.M0 + - 9.3.21.RC0 + - 9.3.21.v20170918 + - 9.3.22.v20171030 + - 9.3.23.v20180228 + - 9.3.3.v20150827 + - 9.3.4.RC0 + - 9.3.4.RC1 + - 9.3.4.v20151007 + - 9.3.5.v20151012 + - 9.3.6.v20151106 + - 9.3.7.RC0 + - 9.3.7.RC1 + - 9.3.7.v20160115 + - 9.3.8.RC0 + - 9.3.8.v20160314 + - 9.3.9.M0 + - 9.3.9.M1 + - 9.3.9.v20160517 + database_specific: + last_known_affected_version_range: <= 9.3.23.v20180228 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-84q7-p226-4x5w/GHSA-84q7-p226-4x5w.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.4.0 + - fixed: 9.4.11.v20180605 + versions: + - 9.4.0.v20161208 + - 9.4.0.v20180619 + - 9.4.1.v20170120 + - 9.4.1.v20180619 + - 9.4.10.RC0 + - 9.4.10.RC1 + - 9.4.10.v20180503 + - 9.4.2.v20170220 + - 9.4.2.v20180619 + - 9.4.3.v20170317 + - 9.4.3.v20180619 + - 9.4.4.v20170414 + - 9.4.4.v20180619 + - 9.4.5.v20170502 + - 9.4.5.v20180619 + - 9.4.6.v20170531 + - 9.4.6.v20180619 + - 9.4.7.RC0 + - 9.4.7.v20170914 + - 9.4.7.v20180619 + - 9.4.8.v20171121 + - 9.4.8.v20180619 + - 9.4.9.v20180320 + database_specific: + last_known_affected_version_range: <= 9.4.10.v20180503 + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-84q7-p226-4x5w/GHSA-84q7-p226-4x5w.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-7656 + - type: WEB + url: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667 + - type: ADVISORY + url: https://github.com/advisories/GHSA-84q7-p226-4x5w + - type: WEB + url: https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbf4565a0b63f9c8b07fab29352a97bbffe76ecafed8b8555c15b83c6@%3Cissues.maven.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20181014-0001 + - type: WEB + url: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us + - type: WEB + url: https://www.debian.org/security/2018/dsa-4278 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: http://www.securitytracker.com/id/1041194 + database_specific: + cwe_ids: + - CWE-444 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:24:19Z" + nvd_published_at: "2018-06-26T15:29:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-86wm-rrjm-8wh8 + modified: 2024-03-10T05:31:38.566956Z + published: 2020-12-02T18:28:18Z + aliases: + - BIT-kafka-2020-27218 + - BIT-spark-2020-27218 + - CVE-2020-27218 + summary: Buffer not correctly recycled in Gzip Request inflation + details: 
"### Impact\nIf GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection and if an \nattacker can send a request with a body that is received entirely by not consumed by the application, then a subsequent request\non the same connection will see that body prepended to it's body.\n\nThe attacker will not see any data, but may inject data into the body of the subsequent request\n\nCVE score is [4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L&version=3.1)\n\n### Workarounds\nThe problem can be worked around by either:\n- Disabling compressed request body inflation by GzipHandler.\n- By always fully consuming the request content before sending a response.\n- By adding a `Connection: close` to any response where the servlet does not fully consume request content." + affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.4.0 + - fixed: 9.4.35.v20201120 + versions: + - 9.4.0.v20161208 + - 9.4.0.v20180619 + - 9.4.1.v20170120 + - 9.4.1.v20180619 + - 9.4.10.RC0 + - 9.4.10.RC1 + - 9.4.10.v20180503 + - 9.4.11.v20180605 + - 9.4.12.RC0 + - 9.4.12.RC1 + - 9.4.12.RC2 + - 9.4.12.v20180830 + - 9.4.13.v20181111 + - 9.4.14.v20181114 + - 9.4.15.v20190215 + - 9.4.16.v20190411 + - 9.4.17.v20190418 + - 9.4.18.v20190429 + - 9.4.19.v20190610 + - 9.4.2.v20170220 + - 9.4.2.v20180619 + - 9.4.20.v20190813 + - 9.4.21.v20190926 + - 9.4.22.v20191022 + - 9.4.23.v20191118 + - 9.4.24.v20191120 + - 9.4.25.v20191220 + - 9.4.26.v20200117 + - 9.4.27.v20200227 + - 9.4.28.v20200408 + - 9.4.29.v20200521 + - 9.4.3.v20170317 + - 9.4.3.v20180619 + - 9.4.30.v20200611 + - 9.4.31.v20200723 + - 9.4.32.v20200930 + - 9.4.33.v20201020 + - 9.4.34.v20201102 + - 9.4.4.v20170414 + - 9.4.4.v20180619 + - 9.4.5.v20170502 + - 9.4.5.v20180619 + - 
9.4.6.v20170531 + - 9.4.6.v20180619 + - 9.4.7.RC0 + - 9.4.7.v20170914 + - 9.4.7.v20180619 + - 9.4.8.v20171121 + - 9.4.8.v20180619 + - 9.4.9.v20180320 + database_specific: + last_known_affected_version_range: <= 9.4.34 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/12/GHSA-86wm-rrjm-8wh8/GHSA-86wm-rrjm-8wh8.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L + references: + - type: WEB + url: https://github.com/eclipse/jetty.project/security/advisories/GHSA-86wm-rrjm-8wh8 + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-27218 + - type: WEB + url: https://lists.apache.org/thread.html/rbbd003149f929b0e2fe58fb315de1658e98377225632e7e4239323fb@%3Ccommits.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbbd003149f929b0e2fe58fb315de1658e98377225632e7e4239323fb%40%3Ccommits.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rba4bca48d2cdfa8c08afc368a9cc4572ec85a5915ba29b8a194bf505@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rba4bca48d2cdfa8c08afc368a9cc4572ec85a5915ba29b8a194bf505%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb8f413dc923070919b09db3ac87d079a2dcc6f0adfbb029e206a7930@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb8f413dc923070919b09db3ac87d079a2dcc6f0adfbb029e206a7930%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb6a3866c02ac4446451c7d9dceab2373b6d32fb058f9085c6143de30@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb6a3866c02ac4446451c7d9dceab2373b6d32fb058f9085c6143de30%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb4ca79d1af5237108ce8770b7c46ca78095f62ef21331d9d06142388@%3Cjira.kafka.apache.org%3E + - type: WEB + 
url: https://lists.apache.org/thread.html/rb4ca79d1af5237108ce8770b7c46ca78095f62ef21331d9d06142388%40%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/racf9e6ad2482cb9b1e3e1b2c1b443d9d5cf14055fb54dec3d2dcce91@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/racf9e6ad2482cb9b1e3e1b2c1b443d9d5cf14055fb54dec3d2dcce91%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/racd55c9b704aa68cfb4436f17739b612b5d4f887155e04ed521a4b67@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/racd55c9b704aa68cfb4436f17739b612b5d4f887155e04ed521a4b67%40%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://bugs.eclipse.org/bugs/show_bug.cgi?id=568892 + - type: WEB + url: https://lists.apache.org/thread.html/rbc5a8d7a0a13bc8152d427a7e9097cdeb139c6cfe111b2f00f26d16b%40%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbc5a8d7a0a13bc8152d427a7e9097cdeb139c6cfe111b2f00f26d16b@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbe3f2e0a3c38ed9cbef81507b7cc6e523341865e30dc15c7503adc76%40%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbe3f2e0a3c38ed9cbef81507b7cc6e523341865e30dc15c7503adc76@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbea4d456d88b043be86739ab0200ad06ba5a7921064411c098f79831%40%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbea4d456d88b043be86739ab0200ad06ba5a7921064411c098f79831@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc0e35f4e8a8a36127e3ae7a67f325a3a6a4dbe05034130fb04b6f3b6%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc0e35f4e8a8a36127e3ae7a67f325a3a6a4dbe05034130fb04b6f3b6@%3Cnotifications.zookeeper.apache.org%3E + - type: 
WEB + url: https://lists.apache.org/thread.html/rc1de630c6ed9a958d9f811e816d6d8efb6ca94aed0869bc5cda9d7f8%40%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc1de630c6ed9a958d9f811e816d6d8efb6ca94aed0869bc5cda9d7f8@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc2b603b7fa7f8dbfe0b3b59a6140b4d66868db3bf4b29d69a772d72a%40%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc2b603b7fa7f8dbfe0b3b59a6140b4d66868db3bf4b29d69a772d72a@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc91c405c08b529b7292c75d9bd497849db700a1297fe3432990f6774%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc91c405c08b529b7292c75d9bd497849db700a1297fe3432990f6774@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8ed14a84656fa0bb8df3bf9373c5be80f47ceac1e2ff068ee734fdb3%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8ed14a84656fa0bb8df3bf9373c5be80f47ceac1e2ff068ee734fdb3@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8eea4c7797e701f6494c72942dd89f471cda4c2c6e9abbaf05d113d8%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8eea4c7797e701f6494c72942dd89f471cda4c2c6e9abbaf05d113d8@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8f5b144e7a7c2b338f01139d891abbaba12a8173ee01110d21bd0b4d%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8f5b144e7a7c2b338f01139d891abbaba12a8173ee01110d21bd0b4d@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8fee46fd9f1254150cc55eecf1ea6a448fca1f7cf1d1e7f9c4803fdb%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r8fee46fd9f1254150cc55eecf1ea6a448fca1f7cf1d1e7f9c4803fdb@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r94230f46b91c364d39922a8ba0cfe12b8dba1556b14792719a7d921f%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r94230f46b91c364d39922a8ba0cfe12b8dba1556b14792719a7d921f@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r942e21ee90e2617a00a08b17b0ac2db961959bec969b91df61584d38%40%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r942e21ee90e2617a00a08b17b0ac2db961959bec969b91df61584d38@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r964d226dd08527fddd7a44410c50daa9d34d398e5c4793f1d7e19da8%40%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r964d226dd08527fddd7a44410c50daa9d34d398e5c4793f1d7e19da8@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r96ef6d20c5bd3d42dab500bac56a427e1dce00cf85b083987617643d%40%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r96ef6d20c5bd3d42dab500bac56a427e1dce00cf85b083987617643d@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r990e0296b188d4530d1053882f687fa4f938f108425db2999a180944%40%3Ccommits.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r990e0296b188d4530d1053882f687fa4f938f108425db2999a180944@%3Ccommits.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9b46505868794fba04d401956304e63e4d8e39bdc118d30e5e87dcd9%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9b46505868794fba04d401956304e63e4d8e39bdc118d30e5e87dcd9@%3Creviews.spark.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r9d7a86fb0b45e5b1855d4df83a5820eef813d55eae3edf224f3d5055%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9d7a86fb0b45e5b1855d4df83a5820eef813d55eae3edf224f3d5055@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9f571b086965b35d4e91e47fb67c27b42b62762248b4900ba723599f%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9f571b086965b35d4e91e47fb67c27b42b62762248b4900ba723599f@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra09a653997cbf10aab8c0deabc0fa49f5a8a8ce4305ce9089b98485f%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra09a653997cbf10aab8c0deabc0fa49f5a8a8ce4305ce9089b98485f@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra1c234f045871827f73e4d68326b067e72d3139e109207345fa57d9e%40%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra1c234f045871827f73e4d68326b067e72d3139e109207345fa57d9e@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re4ae7ada52c5ecfe805eb86ddc0af399ec8a57bfb0d8c632b8723b88%40%3Cdev.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re4ae7ada52c5ecfe805eb86ddc0af399ec8a57bfb0d8c632b8723b88@%3Cdev.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re4e67541a0a25a8589e89f52f8cd163c863fe04b59e048f9f1a04958%40%3Ccommits.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re4e67541a0a25a8589e89f52f8cd163c863fe04b59e048f9f1a04958@%3Ccommits.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re86a6ba09dc74e709db843e3561ead923c8fd1cba32343656dd8c44b%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/re86a6ba09dc74e709db843e3561ead923c8fd1cba32343656dd8c44b@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re9214a4232b7ae204288c283bcee4e39f07da6cc34798e9217ba4eb6%40%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re9214a4232b7ae204288c283bcee4e39f07da6cc34798e9217ba4eb6@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/reb75282901d0969ba6582725ce8672070715d0773f6ff54dedd60156%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/reb75282901d0969ba6582725ce8672070715d0773f6ff54dedd60156@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ree677ff289ba9a90850f2e3ba7279555df1a170263ba39c5272db236%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ree677ff289ba9a90850f2e3ba7279555df1a170263ba39c5272db236@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf0181750e321518c8afa8001e0529d50a9447714ef4f58d98af57904%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf0181750e321518c8afa8001e0529d50a9447714ef4f58d98af57904@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf273267fa2e49314643af3141cec239f97d41de8a59be4ef7e10c65a%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf273267fa2e49314643af3141cec239f97d41de8a59be4ef7e10c65a@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf31e24700f725ef81bc5a2e0444a60e1f295ed0a54c0098362a7bdfa%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf31e24700f725ef81bc5a2e0444a60e1f295ed0a54c0098362a7bdfa@%3Creviews.spark.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rfa34d2a3e423421a4a1354cf457edba2ce78cee2d3ebd8aab151a559%40%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfa34d2a3e423421a4a1354cf457edba2ce78cee2d3ebd8aab151a559@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfa8879a713480b206c152334419499e6af0878c36217abcc9ab4f0d1%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfa8879a713480b206c152334419499e6af0878c36217abcc9ab4f0d1@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20201218-0003 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://lists.apache.org/thread.html/rcbc408088ae99dc3167ea293a562a3a9a7295a20e9a1bfc93e43ae1b%40%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcbc408088ae99dc3167ea293a562a3a9a7295a20e9a1bfc93e43ae1b@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rccc7ba8c51d662e13496df20466d27dbab54d7001e9e7b2f31468a9e%40%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rccc7ba8c51d662e13496df20466d27dbab54d7001e9e7b2f31468a9e@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rce9e232a663d8405c003fe83d5c86c27d1ed65561f3690e824717bc4%40%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rce9e232a663d8405c003fe83d5c86c27d1ed65561f3690e824717bc4@%3Cissues.hbase.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rcf7b5818f71bb97fd695eb0f54f8f4f69e15cc5f9ec761ea8be0d0d3%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcf7b5818f71bb97fd695eb0f54f8f4f69e15cc5f9ec761ea8be0d0d3@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd20651e102cb6742a9d9322ea7b5fc3ab60a7ffecb50fa9157cbf176%40%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd20651e102cb6742a9d9322ea7b5fc3ab60a7ffecb50fa9157cbf176@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc1234e3debb94515796b%40%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc1234e3debb94515796b@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd9a960429741406f6557fa344a13d50a0c9976dac2e4c46bb54b32d7%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd9a960429741406f6557fa344a13d50a0c9976dac2e4c46bb54b32d7@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdbdbb4e51f8857e082b464cd128decd7263cf0fb8557f12993562c56%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdbdbb4e51f8857e082b464cd128decd7263cf0fb8557f12993562c56@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdde0ad0a03eec962c56b46e70e225918ea2368dcc3fd3488741fad53%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rdde0ad0a03eec962c56b46e70e225918ea2368dcc3fd3488741fad53@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rde11c433675143d8d27551c3d9e821fe1955f1551a518033d3716553%40%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rde11c433675143d8d27551c3d9e821fe1955f1551a518033d3716553@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re014afaa14f4df9d33912ab64dc57249e1c170c7448d7175c6d014ff%40%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re014afaa14f4df9d33912ab64dc57249e1c170c7448d7175c6d014ff@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re03a566114435a8cc8eb72158242b0f560c5eeccbb4ee98d22de8373%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re03a566114435a8cc8eb72158242b0f560c5eeccbb4ee98d22de8373@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re3918edd403b0d3857a13ef2ccf3d2bc0231f3b8758e2a5777ea1cd3%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re3918edd403b0d3857a13ef2ccf3d2bc0231f3b8758e2a5777ea1cd3@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2a57c7bbf36afc87f8ad9e1dd2f53a08e85a1b531283fc2efce4fe17@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2f168fd22c071bdd95ec696e45d2a01e928b9fcadbe94fbabeb1549d%40%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2f168fd22c071bdd95ec696e45d2a01e928b9fcadbe94fbabeb1549d@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059%40%3Cjira.kafka.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2ffe719224cbe5897f2d06dd22fc77fa12377c39efe9de0c3bf3f837%40%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2ffe719224cbe5897f2d06dd22fc77fa12377c39efe9de0c3bf3f837@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r306c8e5aad1b9afc0c9278430fb571950fbb3ab7dd5d369eb618ffa4%40%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r306c8e5aad1b9afc0c9278430fb571950fbb3ab7dd5d369eb618ffa4@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r32a25679d97bf5969d130f8e9b3a3fc54110095397d89952e93dbeb0%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r32a25679d97bf5969d130f8e9b3a3fc54110095397d89952e93dbeb0@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3554a4f192db6008c03f2c6c3e0f1691a9b0d615ce955ef67a876ff7%40%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3554a4f192db6008c03f2c6c3e0f1691a9b0d615ce955ef67a876ff7@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3807b1c54066797c4870e03bd2376bdcce9c7c4e6143499f53cd9ca2%40%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3807b1c54066797c4870e03bd2376bdcce9c7c4e6143499f53cd9ca2@%3Cissues.hbase.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r391d20ab6ec03d6becc7a9f0c5e0f45a7ad8af6b996ae0a49839f6bd%40%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r391d20ab6ec03d6becc7a9f0c5e0f45a7ad8af6b996ae0a49839f6bd@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r39f1b1be8e5c0935f7c515eedf907909474bad15185125daacb36d50%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r39f1b1be8e5c0935f7c515eedf907909474bad15185125daacb36d50@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3b7c8bc7a1cb8acdcf7753f436564d289d22f2906e934d1b11de3a40%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3b7c8bc7a1cb8acdcf7753f436564d289d22f2906e934d1b11de3a40@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3d43529452c5a16338e8267eb911e8aedc64c3241624302e673961c1%40%3Cdev.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3d43529452c5a16338e8267eb911e8aedc64c3241624302e673961c1@%3Cdev.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r46589f4228aabd5fb16135ff5bef0f77f06cdef64f9785ac3349fa02%40%3Cnotifications.zookeeper.apache.org%3E + - type: PACKAGE + url: https://github.com/eclipse/jetty.project + - type: WEB + url: https://lists.apache.org/thread.html/r00858fe27ee35ac8fa0e1549d67e0efb789d63b791b5300390bd8480%40%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r00858fe27ee35ac8fa0e1549d67e0efb789d63b791b5300390bd8480@%3Cjira.kafka.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r01806ad8c9cb0590584baf5b1a60237ad92e4ad5bba082ca04d98179%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r01806ad8c9cb0590584baf5b1a60237ad92e4ad5bba082ca04d98179@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r05b7ffde2b8c180709e14bc9ca036407bea3ed9f09b32c4705d23a4a%40%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r05b7ffde2b8c180709e14bc9ca036407bea3ed9f09b32c4705d23a4a@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r078c1203e48089b2c934b9f86b61bebe8c049e0ea6273b124f349988%40%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r078c1203e48089b2c934b9f86b61bebe8c049e0ea6273b124f349988@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0d2de2ab5558da68b504bd30db74da1d97dc152a857f5b7e462288ab%40%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0d2de2ab5558da68b504bd30db74da1d97dc152a857f5b7e462288ab@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r153fbefc27a1b2033692f32ef728ca909a7c7bcc1d21b6c35b38bdd5%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r153fbefc27a1b2033692f32ef728ca909a7c7bcc1d21b6c35b38bdd5@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r15500b77c52390e2ec048cea4a6b45edf907ea61cd13259193ff8601%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r15500b77c52390e2ec048cea4a6b45edf907ea61cd13259193ff8601@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r186748e676e5aeb4eb603361e6367555ae4daecbde55cfd69fa68ec6%40%3Cissues.hbase.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r186748e676e5aeb4eb603361e6367555ae4daecbde55cfd69fa68ec6@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1dd302323c6fe1a542d0371de66a484918fa6c2831ae70d924974bea%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1dd302323c6fe1a542d0371de66a484918fa6c2831ae70d924974bea@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r22776d06582985cca5bd2a92519a2b13b4cae2d8e087318da03c036d%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r22776d06582985cca5bd2a92519a2b13b4cae2d8e087318da03c036d@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r23ce6b8965e30808daa77a80fcd69833b1fc632d80465d0419eff619%40%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r23ce6b8965e30808daa77a80fcd69833b1fc632d80465d0419eff619@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r25a47cd06750ebb4b0f23a9b7a57c209702c8566a4c970a41ac088df%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r25a47cd06750ebb4b0f23a9b7a57c209702c8566a4c970a41ac088df@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2a541f08bf5f847394297c13a5305c2f76c11e46504ce2a49653890a%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2a541f08bf5f847394297c13a5305c2f76c11e46504ce2a49653890a@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2a57c7bbf36afc87f8ad9e1dd2f53a08e85a1b531283fc2efce4fe17%40%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r46589f4228aabd5fb16135ff5bef0f77f06cdef64f9785ac3349fa02@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r706562cbbdda569cc556d8a7983d1f9229606e7b51337b820785af26%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r706562cbbdda569cc556d8a7983d1f9229606e7b51337b820785af26@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r70940cb30356642f0c49af49259680d6bd866f51c4e8de0f8a498fb0%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r70940cb30356642f0c49af49259680d6bd866f51c4e8de0f8a498fb0@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r74ab0f5a5f16ca01eb145403ab753df5b348b8c1656d7c8501d0bfc6%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r74ab0f5a5f16ca01eb145403ab753df5b348b8c1656d7c8501d0bfc6@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7669dab41f2b34d56bb67700d869dc9c025ff72e9468204799f5ac29%40%3Ccommits.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7669dab41f2b34d56bb67700d869dc9c025ff72e9468204799f5ac29@%3Ccommits.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r769e1ba36c607772f7403e7ef2a8ae14d9ddcab4a844f9b28bcf7959%40%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r769e1ba36c607772f7403e7ef2a8ae14d9ddcab4a844f9b28bcf7959@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7d37d33f2d68912985daf40203182e3d86f3e81266b7a7f350689eeb%40%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7d37d33f2d68912985daf40203182e3d86f3e81266b7a7f350689eeb@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r81f82ab8ecb83568bafbecf9ce0e73be73980ac1e2af6baf0f344a59%40%3Creviews.spark.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r81f82ab8ecb83568bafbecf9ce0e73be73980ac1e2af6baf0f344a59@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r821bbffb64da0f062b4e72d1aa600b91e26bc82a28298ab159121215%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r821bbffb64da0f062b4e72d1aa600b91e26bc82a28298ab159121215@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r850d1d0413716e8ba6d910cae7b01a0e560636e17d664769b5080ca5%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r850d1d0413716e8ba6d910cae7b01a0e560636e17d664769b5080ca5@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r870bc5e6e354c3e28ea029cb5726c9e8dd2b88cb0f5f7de1d4e3133d%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r870bc5e6e354c3e28ea029cb5726c9e8dd2b88cb0f5f7de1d4e3133d@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8b2271909dabb45f0f1482ef35ffe106ae4b0cf8e877eb514e9cd421%40%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8b2271909dabb45f0f1482ef35ffe106ae4b0cf8e877eb514e9cd421@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8be8c6f0e404a3179d988eb8afed03ede5f2d5ce986d3f709fb82610%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8be8c6f0e404a3179d988eb8afed03ede5f2d5ce986d3f709fb82610@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8c22aad0711321537183ccddcade7274ebf9dcbdcdacc6c4f90f43de%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8c22aad0711321537183ccddcade7274ebf9dcbdcdacc6c4f90f43de@%3Creviews.spark.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r8c839a0d88cd6504abbe72c260371094f47014b2ba08d8d2c0232e3c%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8c839a0d88cd6504abbe72c260371094f47014b2ba08d8d2c0232e3c@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r489dfc3e259ad3837141985dd9291b93e6b40496cdf58808915d67e9%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r489dfc3e259ad3837141985dd9291b93e6b40496cdf58808915d67e9@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4981622ba15e8be1657d30b7c85044c7aabe89751fa7324f8604b834%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4981622ba15e8be1657d30b7c85044c7aabe89751fa7324f8604b834@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4aff5ca6bc94a6f13ff77914fd960185ab70cd6cebe96fffd74543ac%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4aff5ca6bc94a6f13ff77914fd960185ab70cd6cebe96fffd74543ac@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4b2e7417a76e3dd4dc9855c6c138c49484080754a09927454f6d89f0%40%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4b2e7417a76e3dd4dc9855c6c138c49484080754a09927454f6d89f0@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r500e22d0aedba1866d0b5e76429b76652a473a0209fa8bf66c9f7aab%40%3Ccommits.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r500e22d0aedba1866d0b5e76429b76652a473a0209fa8bf66c9f7aab@%3Ccommits.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r51ec0120b6c849d12fb7fef34db87ef0bf79fcfcd3d703a9800afbba%40%3Creviews.spark.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r51ec0120b6c849d12fb7fef34db87ef0bf79fcfcd3d703a9800afbba@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r543ea0a861a78d84c22656fb76880d7ab327048cf7ee3ccc7281375d%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r543ea0a861a78d84c22656fb76880d7ab327048cf7ee3ccc7281375d@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5464405909eb0e1059d5dd57d10c435b9f19325fdebbadb4f1126997%40%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5464405909eb0e1059d5dd57d10c435b9f19325fdebbadb4f1126997@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5c64173663c71f222ea40617ab362d7a590935fb75c18817fdec377e%40%3Ccommits.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5c64173663c71f222ea40617ab362d7a590935fb75c18817fdec377e@%3Ccommits.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5e5cb33b545548ec4684d33bd88b05a0ae89c4d7cac93eb63255f58f%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5e5cb33b545548ec4684d33bd88b05a0ae89c4d7cac93eb63255f58f@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r602683484f607cd1b9598caf3e549fbb01c43fd46a582a32cc3bb545%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r602683484f607cd1b9598caf3e549fbb01c43fd46a582a32cc3bb545@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6493e43007f41e34cdbbb66622307fa235374dd2ec5bf52c61075a68%40%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6493e43007f41e34cdbbb66622307fa235374dd2ec5bf52c61075a68@%3Cissues.spark.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r66456df852de06a0eed2c0a50252a2c8d360b8a5c005f63c0b1e3d25%40%3Ccommits.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r66456df852de06a0eed2c0a50252a2c8d360b8a5c005f63c0b1e3d25@%3Ccommits.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6d5bb60a13e8b539600f86cb72097967b951de5c7ef1e4005cda74a7%40%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6d5bb60a13e8b539600f86cb72097967b951de5c7ef1e4005cda74a7@%3Cnotifications.zookeeper.apache.org%3E + database_specific: + cwe_ids: + - CWE-226 + github_reviewed: true + github_reviewed_at: "2020-12-02T02:25:41Z" + nvd_published_at: "2020-11-28T01:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-872g-2h8h-362q + modified: 2024-02-16T08:22:06.138962Z + published: 2018-10-19T16:16:16Z + aliases: + - CVE-2016-4800 + summary: Jetty contains an alias issue that could allow unauthenticated remote code execution due to specially crafted request + details: The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes. 
+ affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.3.0 + - fixed: 9.3.9 + versions: + - 9.3.0.v20150612 + - 9.3.1.v20150714 + - 9.3.2.v20150730 + - 9.3.3.v20150827 + - 9.3.4.RC0 + - 9.3.4.RC1 + - 9.3.4.v20151007 + - 9.3.5.v20151012 + - 9.3.6.v20151106 + - 9.3.7.RC0 + - 9.3.7.RC1 + - 9.3.7.v20160115 + - 9.3.8.RC0 + - 9.3.8.v20160314 + - 9.3.9.M0 + - 9.3.9.M1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-872g-2h8h-362q/GHSA-872g-2h8h-362q.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2016-4800 + - type: ADVISORY + url: https://github.com/advisories/GHSA-872g-2h8h-362q + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190307-0006 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00092.html + - type: WEB + url: http://www.ocert.org/advisories/ocert-2016-001.html + - type: WEB + url: http://www.securityfocus.com/bid/90945 + - type: WEB + url: http://www.zerodayinitiative.com/advisories/ZDI-16-362 + database_specific: + cwe_ids: + - CWE-284 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:24:37Z" + nvd_published_at: null + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-8mpp-f3f7-xc28 + modified: 2024-02-22T05:18:31.237834Z + published: 2022-07-07T20:55:37Z + aliases: + - CVE-2022-2191 + summary: Jetty SslConnection does not release pooled ByteBuffers in case of errors + details: | + ### Impact + `SslConnection` does not release `ByteBuffer`s in case of error code paths. 
+ For example, TLS handshakes that require client-auth with clients that send expired certificates will trigger a TLS handshake errors and the `ByteBuffer`s used to process the TLS handshake will be leaked. + + ### Workarounds + Configure explicitly a `RetainableByteBufferPool` with `max[Heap|Direct]Memory` to limit the amount of memory that is leaked. + Eventually the pool will be full of "active" entries (the leaked ones) and will provide `ByteBuffer`s that will be GCed normally. + + _With embedded-jetty_ + + ``` java + int maxBucketSize = 1000; + long maxHeapMemory = 128 * 1024L * 1024L; // 128 MB + long maxDirectMemory = 128 * 1024L * 1024L; // 128 MB + RetainableByteBufferPool rbbp = new ArrayRetainableByteBufferPool(0, -1, -1, maxBucketSize, maxHeapMemory, maxDirectMemory); + + server.addBean(rbbp); // make sure the ArrayRetainableByteBufferPool is added before the server is started + server.start(); + ``` + + _With jetty-home/jetty-base_ + + Create a `${jetty.base}/etc/retainable-byte-buffer-config.xml` + + ``` xml + + + + + + + + + + + + + + + + + + ``` + + And then reference it in `${jetty.base}/start.d/retainable-byte-buffer-config.ini` + + ``` + etc/retainable-byte-buffer-config.xml + ``` + + + ### References + https://github.com/eclipse/jetty.project/issues/8161 + + ### For more information + * Email us at [security@webtide.com](mailto:security@webtide.com) + affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.0.0 + - fixed: 10.0.10 + versions: + - 10.0.0 + - 10.0.1 + - 10.0.2 + - 10.0.3 + - 10.0.4 + - 10.0.5 + - 10.0.6 + - 10.0.7 + - 10.0.8 + - 10.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-8mpp-f3f7-xc28/GHSA-8mpp-f3f7-xc28.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: 
pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0 + - fixed: 11.0.10 + versions: + - 11.0.0 + - 11.0.1 + - 11.0.2 + - 11.0.3 + - 11.0.4 + - 11.0.5 + - 11.0.6 + - 11.0.7 + - 11.0.8 + - 11.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-8mpp-f3f7-xc28/GHSA-8mpp-f3f7-xc28.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: WEB + url: https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28 + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-2191 + - type: WEB + url: https://github.com/eclipse/jetty.project/issues/8161 + - type: WEB + url: https://github.com/eclipse/jetty.project + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220909-0003 + database_specific: + cwe_ids: + - CWE-404 + github_reviewed: true + github_reviewed_at: "2022-07-07T20:55:37Z" + nvd_published_at: "2022-07-07T21:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-9rgv-h7x4-qw8g + modified: 2024-02-16T08:16:39.738843Z + published: 2018-10-19T16:15:56Z + aliases: + - CVE-2018-12536 + summary: Eclipse Jetty Server generates error message containing sensitive information + details: In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system. 
+ affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.4.0 + - fixed: 9.4.11.v20180605 + versions: + - 9.4.0.v20161208 + - 9.4.0.v20180619 + - 9.4.1.v20170120 + - 9.4.1.v20180619 + - 9.4.10.RC0 + - 9.4.10.RC1 + - 9.4.10.v20180503 + - 9.4.2.v20170220 + - 9.4.2.v20180619 + - 9.4.3.v20170317 + - 9.4.3.v20180619 + - 9.4.4.v20170414 + - 9.4.4.v20180619 + - 9.4.5.v20170502 + - 9.4.5.v20180619 + - 9.4.6.v20170531 + - 9.4.6.v20180619 + - 9.4.7.RC0 + - 9.4.7.v20170914 + - 9.4.7.v20180619 + - 9.4.8.v20171121 + - 9.4.8.v20180619 + - 9.4.9.v20180320 + database_specific: + last_known_affected_version_range: <= 9.4.10.v20180503 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-9rgv-h7x4-qw8g/GHSA-9rgv-h7x4-qw8g.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.0.0 + - fixed: 9.3.24.v20180605 + versions: + - 9.0.0.v20130308 + - 9.0.1.v20130408 + - 9.0.2.v20130417 + - 9.0.3.v20130506 + - 9.0.4.v20130625 + - 9.0.5.v20130815 + - 9.0.6.v20130930 + - 9.0.7.v20131107 + - 9.1.0.M0 + - 9.1.0.RC0 + - 9.1.0.RC1 + - 9.1.0.RC2 + - 9.1.0.v20131115 + - 9.1.1.v20140108 + - 9.1.2.v20140210 + - 9.1.3.v20140225 + - 9.1.4.v20140401 + - 9.1.5.v20140505 + - 9.1.6.v20160112 + - 9.2.0.M0 + - 9.2.0.M1 + - 9.2.0.RC0 + - 9.2.0.v20140526 + - 9.2.1.v20140609 + - 9.2.10.v20150310 + - 9.2.11.M0 + - 9.2.11.v20150529 + - 9.2.12.M0 + - 9.2.12.v20150709 + - 9.2.13.v20150730 + - 9.2.14.v20151106 + - 9.2.15.v20160210 + - 9.2.16.v20160414 + - 9.2.17.v20160517 + - 9.2.18.v20160721 + - 9.2.19.v20160908 + - 9.2.2.v20140723 + - 9.2.20.v20161216 + - 9.2.21.v20170120 + - 9.2.22.v20170606 + - 9.2.23.v20171218 + - 9.2.24.v20180105 + - 9.2.25.v20180606 + - 9.2.26.v20180806 + - 9.2.27.v20190403 + - 
9.2.28.v20190418 + - 9.2.29.v20191105 + - 9.2.3.v20140905 + - 9.2.30.v20200428 + - 9.2.4.v20141103 + - 9.2.5.v20141112 + - 9.2.6.v20141205 + - 9.2.7.v20150116 + - 9.2.8.v20150217 + - 9.2.9.v20150224 + - 9.3.0.M0 + - 9.3.0.M1 + - 9.3.0.M2 + - 9.3.0.RC0 + - 9.3.0.RC1 + - 9.3.0.v20150612 + - 9.3.1.v20150714 + - 9.3.10.M0 + - 9.3.10.v20160621 + - 9.3.11.M0 + - 9.3.11.v20160721 + - 9.3.12.v20160915 + - 9.3.13.M0 + - 9.3.13.v20161014 + - 9.3.14.v20161028 + - 9.3.15.v20161220 + - 9.3.16.v20170120 + - 9.3.17.RC0 + - 9.3.17.v20170317 + - 9.3.18.v20170406 + - 9.3.19.v20170502 + - 9.3.2.v20150730 + - 9.3.20.v20170531 + - 9.3.21.M0 + - 9.3.21.RC0 + - 9.3.21.v20170918 + - 9.3.22.v20171030 + - 9.3.23.v20180228 + - 9.3.3.v20150827 + - 9.3.4.RC0 + - 9.3.4.RC1 + - 9.3.4.v20151007 + - 9.3.5.v20151012 + - 9.3.6.v20151106 + - 9.3.7.RC0 + - 9.3.7.RC1 + - 9.3.7.v20160115 + - 9.3.8.RC0 + - 9.3.8.v20160314 + - 9.3.9.M0 + - 9.3.9.M1 + - 9.3.9.v20160517 + database_specific: + last_known_affected_version_range: <= 9.3.23.v20180228 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-9rgv-h7x4-qw8g/GHSA-9rgv-h7x4-qw8g.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-12536 + - type: WEB + url: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670 + - type: PACKAGE + url: https://github.com/eclipse/jetty.project + - type: WEB + url: https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20181014-0001 + - type: WEB + url: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us + - type: WEB + url: 
https://web.archive.org/web/20200516001904/http://www.securitytracker.com/id/1041194 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + database_specific: + cwe_ids: + - CWE-209 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:29:36Z" + nvd_published_at: "2018-06-27T17:29:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-ghgj-3xqr-6jfm + modified: 2024-02-16T08:18:50.53471Z + published: 2018-11-09T17:50:00Z + aliases: + - CVE-2015-2080 + summary: Jetty vulnerable to exposure of sensitive information to unauthenticated remote users + details: The exception handling code in Eclipse Jetty prior to 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak. + affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 9.2.9.v20150224 + versions: + - 7.0.0.M0 + - 7.0.0.M1 + - 7.0.0.M2 + - 7.0.0.M3 + - 7.0.0.M4 + - 7.0.0.RC0 + - 7.0.0.RC1 + - 7.0.0.RC2 + - 7.0.0.RC3 + - 7.0.0.RC4 + - 7.0.0.RC5 + - 7.0.0.RC6 + - 7.0.0.v20091005 + - 7.0.1.v20091125 + - 7.0.2.RC0 + - 7.0.2.v20100331 + - 7.1.0.RC0 + - 7.1.0.RC1 + - 7.1.0.v20100505 + - 7.1.1.v20100517 + - 7.1.2.v20100523 + - 7.1.3.v20100526 + - 7.1.4.v20100610 + - 7.1.5.v20100705 + - 7.1.6.v20100715 + - 7.2.0.RC0 + - 7.2.0.v20101020 + - 7.2.1.v20101111 + - 7.2.2.v20101205 + - 7.3.0.v20110203 + - 7.3.1.v20110307 + - 7.4.0.RC0 + - 7.4.0.v20110414 + - 7.4.1.v20110513 + - 7.4.2.v20110526 + - 7.4.3.v20110701 + - 7.4.4.v20110707 + - 7.4.5.v20110725 + - 7.5.0.RC0 + - 7.5.0.RC1 + - 7.5.0.RC2 + - 7.5.0.v20110901 + - 7.5.1.v20110908 + - 7.5.2.v20111006 + - 7.5.3.v20111011 + - 7.5.4.v20111024 + - 7.6.0.RC0 + - 7.6.0.RC1 + - 7.6.0.RC2 + - 7.6.0.RC3 + - 7.6.0.RC4 + - 
7.6.0.RC5 + - 7.6.0.v20120127 + - 7.6.1.v20120215 + - 7.6.10.v20130312 + - 7.6.11.v20130520 + - 7.6.12.v20130726 + - 7.6.13.v20130916 + - 7.6.14.v20131031 + - 7.6.15.v20140411 + - 7.6.16.v20140903 + - 7.6.17.v20150415 + - 7.6.18.v20150929 + - 7.6.19.v20160209 + - 7.6.2.v20120308 + - 7.6.20.v20160902 + - 7.6.21.v20160908 + - 7.6.3.v20120416 + - 7.6.4.v20120524 + - 7.6.5.v20120716 + - 7.6.6.v20120903 + - 7.6.7.v20120910 + - 7.6.8.v20121106 + - 7.6.9.v20130131 + - 8.0.0.M0 + - 8.0.0.M1 + - 8.0.0.M2 + - 8.0.0.M3 + - 8.0.0.RC0 + - 8.0.0.v20110901 + - 8.0.1.v20110908 + - 8.0.2.v20111006 + - 8.0.3.v20111011 + - 8.0.4.v20111024 + - 8.1.0.RC0 + - 8.1.0.RC1 + - 8.1.0.RC2 + - 8.1.0.RC4 + - 8.1.0.RC5 + - 8.1.0.v20120127 + - 8.1.1.v20120215 + - 8.1.10.v20130312 + - 8.1.11.v20130520 + - 8.1.12.v20130726 + - 8.1.13.v20130916 + - 8.1.14.v20131031 + - 8.1.15.v20140411 + - 8.1.16.v20140903 + - 8.1.17.v20150415 + - 8.1.18.v20150929 + - 8.1.19.v20160209 + - 8.1.2.v20120308 + - 8.1.20.v20160902 + - 8.1.21.v20160908 + - 8.1.22.v20160922 + - 8.1.3.v20120416 + - 8.1.4.v20120524 + - 8.1.5.v20120716 + - 8.1.6.v20120903 + - 8.1.7.v20120910 + - 8.1.8.v20121106 + - 8.1.9.v20130131 + - 8.2.0.v20160908 + - 9.0.0.M0 + - 9.0.0.M1 + - 9.0.0.M2 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M5 + - 9.0.0.RC0 + - 9.0.0.RC1 + - 9.0.0.RC2 + - 9.0.0.v20130308 + - 9.0.1.v20130408 + - 9.0.2.v20130417 + - 9.0.3.v20130506 + - 9.0.4.v20130625 + - 9.0.5.v20130815 + - 9.0.6.v20130930 + - 9.0.7.v20131107 + - 9.1.0.M0 + - 9.1.0.RC0 + - 9.1.0.RC1 + - 9.1.0.RC2 + - 9.1.0.v20131115 + - 9.1.1.v20140108 + - 9.1.2.v20140210 + - 9.1.3.v20140225 + - 9.1.4.v20140401 + - 9.1.5.v20140505 + - 9.1.6.v20160112 + - 9.2.0.M0 + - 9.2.0.M1 + - 9.2.0.RC0 + - 9.2.0.v20140526 + - 9.2.1.v20140609 + - 9.2.2.v20140723 + - 9.2.3.v20140905 + - 9.2.4.v20141103 + - 9.2.5.v20141112 + - 9.2.6.v20141205 + - 9.2.7.v20150116 + - 9.2.8.v20150217 + database_specific: + last_known_affected_version_range: <= 9.2.8.v20150217 + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-ghgj-3xqr-6jfm/GHSA-ghgj-3xqr-6jfm.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2015-2080 + - type: WEB + url: https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html + - type: ADVISORY + url: https://github.com/advisories/GHSA-ghgj-3xqr-6jfm + - type: WEB + url: https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190307-0005 + - type: WEB + url: http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html + - type: WEB + url: http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00075.html + - type: WEB + url: http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151804.html + - type: WEB + url: http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html + - type: WEB + url: http://seclists.org/fulldisclosure/2015/Mar/12 + - type: WEB + url: http://www.securityfocus.com/archive/1/534755/100/1600/threaded + - type: WEB + url: http://www.securityfocus.com/bid/72768 + - type: WEB + url: http://www.securitytracker.com/id/1031800 + database_specific: + cwe_ids: + - CWE-200 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:37:23Z" + nvd_published_at: null + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-h2f4-v4c4-6wx4 + modified: 2024-02-19T05:52:03.950097Z + published: 2019-03-28T18:33:38Z + aliases: + - CVE-2018-12545 + summary: Uncontrolled Resource Consumption in org.eclipse.jetty:jetty-server + details: In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. 
The vulnerability is due to the additional CPU and memory allocations required to handle changed settings. + affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.4.0 + - fixed: 9.4.12.v20180830 + versions: + - 9.4.0.v20161208 + - 9.4.0.v20180619 + - 9.4.1.v20170120 + - 9.4.1.v20180619 + - 9.4.10.RC0 + - 9.4.10.RC1 + - 9.4.10.v20180503 + - 9.4.11.v20180605 + - 9.4.12.RC0 + - 9.4.12.RC1 + - 9.4.12.RC2 + - 9.4.2.v20170220 + - 9.4.2.v20180619 + - 9.4.3.v20170317 + - 9.4.3.v20180619 + - 9.4.4.v20170414 + - 9.4.4.v20180619 + - 9.4.5.v20170502 + - 9.4.5.v20180619 + - 9.4.6.v20170531 + - 9.4.6.v20180619 + - 9.4.7.RC0 + - 9.4.7.v20170914 + - 9.4.7.v20180619 + - 9.4.8.v20171121 + - 9.4.8.v20180619 + - 9.4.9.v20180320 + database_specific: + last_known_affected_version_range: <= 9.4.12.RC2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-h2f4-v4c4-6wx4/GHSA-h2f4-v4c4-6wx4.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.3.0 + - fixed: 9.3.25.v20180904 + versions: + - 9.3.0.v20150612 + - 9.3.1.v20150714 + - 9.3.10.M0 + - 9.3.10.v20160621 + - 9.3.11.M0 + - 9.3.11.v20160721 + - 9.3.12.v20160915 + - 9.3.13.M0 + - 9.3.13.v20161014 + - 9.3.14.v20161028 + - 9.3.15.v20161220 + - 9.3.16.v20170120 + - 9.3.17.RC0 + - 9.3.17.v20170317 + - 9.3.18.v20170406 + - 9.3.19.v20170502 + - 9.3.2.v20150730 + - 9.3.20.v20170531 + - 9.3.21.M0 + - 9.3.21.RC0 + - 9.3.21.v20170918 + - 9.3.22.v20171030 + - 9.3.23.v20180228 + - 9.3.24.v20180605 + - 9.3.3.v20150827 + - 9.3.4.RC0 + - 9.3.4.RC1 + - 9.3.4.v20151007 + - 9.3.5.v20151012 + - 9.3.6.v20151106 + - 9.3.7.RC0 + - 9.3.7.RC1 + - 9.3.7.v20160115 + - 9.3.8.RC0 + - 9.3.8.v20160314 + - 9.3.9.M0 + - 9.3.9.M1 + - 9.3.9.v20160517 + 
database_specific: + last_known_affected_version_range: <= 9.3.24.v20180605 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-h2f4-v4c4-6wx4/GHSA-h2f4-v4c4-6wx4.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-12545 + - type: WEB + url: https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096 + - type: ADVISORY + url: https://github.com/advisories/GHSA-h2f4-v4c4-6wx4 + - type: WEB + url: https://lists.apache.org/thread.html/13f5241048ec0bf966a6ddd306feaf40de5b20e1f09096b9cddeddf2@%3Ccommits.accumulo.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/70744fe4faba8e2fa7e50a7fc794dd03cb28dad8b21e08ee59bb1606@%3Cdevnull.infra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/febc94ffec9275dcda64633e0276a1400cd318e571009e4cda9b7a79@%3Cnotifications.accumulo.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CIS4LALKZNLF5X5IGNGRSKERG7FY4QG6 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:38:26Z" + nvd_published_at: null + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-jg2x-r643-w2ch + modified: 2024-02-12T16:41:58.146447Z + published: 2022-05-01T07:43:29Z + aliases: + - CVE-2006-6969 + summary: Jetty Uses Predictable Session Identifiers + details: Jetty before 
4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks. + affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 4.2.27 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jg2x-r643-w2ch/GHSA-jg2x-r643-w2ch.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 5.1.0 + - fixed: 5.1.12 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jg2x-r643-w2ch/GHSA-jg2x-r643-w2ch.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 6.0.0 + - fixed: 6.0.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jg2x-r643-w2ch/GHSA-jg2x-r643-w2ch.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 6.1.0pre1 + - fixed: 6.1.0pre3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jg2x-r643-w2ch/GHSA-jg2x-r643-w2ch.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2006-6969 + - type: WEB + url: 
https://github.com/jetty-project/codehaus-jetty6/commit/36f81d2e7058b012f6718bc2f1e2786694a8a4a1 + - type: WEB + url: https://github.com/jetty-project/codehaus-jetty6/commit/b31f606bf8058a38ab6253aa8dc2dfe6a7f83c78 + - type: WEB + url: https://exchange.xforce.ibmcloud.com/vulnerabilities/32240 + - type: PACKAGE + url: https://github.com/jetty-project/codehaus-jetty6 + - type: WEB + url: https://web.archive.org/web/20070208112816/http://fisheye.codehaus.org/changelog/jetty/?cs=1274 + - type: WEB + url: https://web.archive.org/web/20070602184857/http://archives.neohapsis.com/archives/bugtraq/2007-02/0070.html + - type: WEB + url: https://web.archive.org/web/20121019131825/http://www.securityfocus.com/archive/1/459164/100/0/threaded + - type: WEB + url: https://web.archive.org/web/20200228100052/http://www.securityfocus.com/bid/22405 + database_specific: + cwe_ids: + - CWE-330 + github_reviewed: true + github_reviewed_at: "2024-02-12T16:20:55Z" + nvd_published_at: "2007-02-07T11:28:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-m394-8rww-3jr7 + modified: 2024-03-15T05:20:16.796889Z + published: 2021-03-10T03:46:47Z + aliases: + - BIT-solr-2020-27223 + - BIT-spark-2020-27223 + - CVE-2020-27223 + summary: DOS vulnerability for Quoted Quality CSV headers + details: "### Impact\nWhen Jetty handles a request containing request headers with a large number of “quality” (i.e. q) parameters (such as what are seen on the `Accept`, `Accept-Encoding`, and `Accept-Language` request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. 
A single request can easily consume minutes of CPU time before it is even dispatched to the application.\n\nThe only features within Jetty that can trigger this behavior are:\n\n- Default Error Handling - the `Accept` request header with the `QuotedQualityCSV` is used to determine what kind of content to send back to the client (html, text, json, xml, etc)\n- `StatisticsServlet` - uses the `Accept` request header with the `QuotedQualityCSV` to determine what kind of content to send back to the client (xml, json, text, html, etc)\n- `HttpServletRequest.getLocale()` - uses the `Accept-Language` request header with the `QuotedQualityCSV` to determine which “preferred” language is returned on this call.\n- `HttpservletRequest.getLocales()` - is similar to the above, but returns an ordered list of locales based on the quality values on the `Accept-Language` request header.\n- `DefaultServlet` - uses the `Accept-Encoding` request header with the `QuotedQualityCSV` to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app)\n\n### Versions\n`QuotedQualityCSV` was introduced to Jetty 9.3.9.v20160517 and the bug that introduced the vulnerability was in 9.4.6.v20170531. 
\n\nCurrently, known vulnerable versions include:\n\n- 9.4.6.v20170531 thru to 9.4.36.v20210114\n- 10.0.0\n- 11.0.0\n\n### Workarounds\n\nQuality ordered values are used infrequently by jetty so they can be avoided by:\n\n * Do not use the default error page/handler.\n * Do not deploy the `StatisticsServlet` exposed to the network\n * Do not call `getLocale` API\n * Do not enable precompressed static content in the `DefaultServlet` \n\n### Patches\n\nAll patches are available for download from the Eclipse Jetty website at [https://www.eclipse.org/jetty/download.php](https://www.eclipse.org/jetty/download.php)\n- 9.4.37.v20210219 and greater\n- 10.0.1 and greater \n- 11.0.1 and greater" + affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.4.6 + - fixed: 9.4.37 + versions: + - 9.4.10.RC0 + - 9.4.10.RC1 + - 9.4.10.v20180503 + - 9.4.11.v20180605 + - 9.4.12.RC0 + - 9.4.12.RC1 + - 9.4.12.RC2 + - 9.4.12.v20180830 + - 9.4.13.v20181111 + - 9.4.14.v20181114 + - 9.4.15.v20190215 + - 9.4.16.v20190411 + - 9.4.17.v20190418 + - 9.4.18.v20190429 + - 9.4.19.v20190610 + - 9.4.20.v20190813 + - 9.4.21.v20190926 + - 9.4.22.v20191022 + - 9.4.23.v20191118 + - 9.4.24.v20191120 + - 9.4.25.v20191220 + - 9.4.26.v20200117 + - 9.4.27.v20200227 + - 9.4.28.v20200408 + - 9.4.29.v20200521 + - 9.4.30.v20200611 + - 9.4.31.v20200723 + - 9.4.32.v20200930 + - 9.4.33.v20201020 + - 9.4.34.v20201102 + - 9.4.35.v20201120 + - 9.4.36.v20210114 + - 9.4.6.v20170531 + - 9.4.6.v20180619 + - 9.4.7.RC0 + - 9.4.7.v20170914 + - 9.4.7.v20180619 + - 9.4.8.v20171121 + - 9.4.8.v20180619 + - 9.4.9.v20180320 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-m394-8rww-3jr7/GHSA-m394-8rww-3jr7.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server 
+ ranges: + - type: ECOSYSTEM + events: + - introduced: 10.0.0 + - fixed: 10.0.1 + versions: + - 10.0.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-m394-8rww-3jr7/GHSA-m394-8rww-3jr7.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0 + - fixed: 11.0.1 + versions: + - 11.0.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-m394-8rww-3jr7/GHSA-m394-8rww-3jr7.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + references: + - type: WEB + url: https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7 + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-27223 + - type: WEB + url: https://lists.apache.org/thread.html/rd666e187ebea2fda8624683ab51e2a5ad2108f762d21bf1a383d7502@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc721fe2910533bffb6bd4d69ea8ff4f36066d260dbcd2d14e041614a@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc052fd4e9e9c01bead74c0b5680355ea5dc3b72d46f253cb65d03e43@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb79b62ac3085e05656e41865f5a7efcbdc7dcd7843abed9c5fe0fef8@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raa6d60b00b67c0550672b4f506f0df75b323dcd25cf574e91e2f2dff@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra47a26c008487b0a739a368c846e168de06c3cd118d31ecedafa679a@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra40a88a2301a3da86e25b501ff4bc88124f2b816c2917d5f3497f8f0@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/ra384892bab8c03a60613a6a9d5e9cae0a2b800fd882792a55520115e@%3Ccommits.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra2f529da674f25a7351543544f7d621b5227c49a0745913b1194d11e@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8dc1b13b80d39fbf4a9d158850e15cd868f0460c2f364f13dca7050b@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8b1963f16d6cb1230ca7ee73b6ec4f5c48f344191dbb1caabd265ee4@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r897a6a14d03eab09e89b809d2a650f3765065201da5bc3db9a4dd6e8@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r857b31ad16c6e76002bc6cca73c83358ed2595477e288286ee82c48d@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r855b24a3bde3674256152edfc53fb8c9000f9b59db3fecbbde33b211@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7ffd050d3bd7c90d95f4933560b5f4f15971ab9a5f5322fdce116243@%3Cdev.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7fbdb7880be1566f943d80fbbeefde2115c086eba1bef3115350a388@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc1234e3debb94515796b@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdd6c47321db1bfe12c68a898765bf3b6f97e2afa6a501254ed4feaed@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re03a4dbc15df6f390a2f8c0a071c31c8324dbef007e59fdc2592091a@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re0d38cc2b5da28f708fc89de49036f3ace052c47a1202f7d70291614@%3Cdev.kafka.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/re19fa47ec901cc3cf6d7784027198e8113f8bc2dbfd6c9d6d13f5447@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re3bd4f831f9be49871cb6adb997289b5dbcd6fe4bc5cb08223254080@%3Cdev.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re43768896273c0b5f1a03d7f0a9d370852074489d51825fdc0d77f0f@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re819198d4732804dc01fca8b5b144689a118ede49f6128968773595c@%3Ccommits.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/reb3c6dc050c7ee18ea154cd94dba85d99aa6b02b84c4bb2138a4abf2@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/reca91f217f9e1ce607ce6e19a1c0b3db82b5b1b58cf39a84d6434695@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf190d1d28e1367d1664ef6bc2f71227566d7b6b39209817a5364da1f@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf6c2efa3137bc8c22707e550a1f9b80f74bca62b9c8a6f768f2c6b86@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf77f4c4583669f1133d58cc4f1964367e253818ed8db986bb2732f7c@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rff630ce92a4d1bb494fc1a3f9b57a3d60819b436505bcd8c6ccc713c@%3Ccommits.kafka.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210401-0005 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://lists.apache.org/thread.html/r2c947376491a20d1cf143bf3c21ed74113e099d806cfe4c490a45ad8@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2c2c7b2971360fb946bbf062c58d7245927dd1ce9150fc9987f65409@%3Cjira.kafka.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r27ad7843d060762cc942820566eeaa9639f75371afedf8124b943283@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r26d9196f4d2afb9bec2784bcb6fc183aca82e4119bf41bdc613eec01@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b803e6ebdac5f670708878fb1b27cd7a0ce9d774a60e797e58cee6f@%3Cissues.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b7ed296a865e3f1337a96ee9cd51f6d154d881a30da36020ca72a4b@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1414ab2b3f4bb4c0e736caff6dc8d15f93f6264f0cca5c47710d7bb3@%3Creviews.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r105f4e52feb051faeb9141ef78f909aaf5129d6ed1fc52e099c79463@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0e25cdf3722a24c53049d37396f0da8502cb4b7cdc481650dc601dbc@%3Cgitbox.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0cdab13815fc419805a332278c8d27e354e78560944fc36db0bdc760@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0c6eced465950743f3041b03767a32b2e98d19731bd72277fc7ea428@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0b639bd9bfaea265022125d18acd2fc6456044b76609ec74772c9567@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r07aedcb1ece62969c406cb84c8f0e22cec7e42cdc272f3176e473320@%3Cusers.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r068dfd35ce2193f6af28b74ff29ab148c2b2cacb235995576f5bea78@%3Cissues.solr.apache.org%3E + - type: PACKAGE + url: https://github.com/eclipse/jetty.project + - type: WEB + url: https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128 + - type: WEB + url: 
https://lists.apache.org/thread.html/r7f4ad5eec0bce2821c308bb23cac53df5c94eb84de1c58de9b95c176@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r75ee2a529edb892ac59110cb3f6f91844a932c5034e16c8317f5668d@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r734f996149bb9b1796740385fcbdf3e093eb9aabedc0f20a48ea1d68@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r601f15f3de7ae3a7bbcd780c19155075c56443c2cdc1d193c03b4182@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5b7cc6ac733e0b35816751cf45d152ae246a3f40e0b1e62b101c9522@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r562a0cbc5c8cac4d000a27b2854a8ab1b924aa9dd45f8ffbea98e5ad@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5612dc69e1f79c421faf9764ffbc92591e2a69ea417c04cba57f49ea@%3Cuser.karaf.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r521a077885ce79c44a799118c878589e81e525cab72d368e5cfb6f61@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r51f8975ef47c12a46fbfd7da9efea7f08e1d307fe1dc3042514659ae@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4c92ea39167c0f7b096ae8268db496b5451d69606f0304b7c8a994c7@%3Cissues.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4a456d89a83752a012d88a60ff4b21def6c9f650b9e69ea9fa11c9f9@%3Cissues.spark.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r492cff8488a7f6eb96700afb5d137b719ddb80a833e77f971d2691c6@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r463b12b27264c5e1e3c48c8c2cc5d33813d2f0d981102548fb3102fb@%3Cissues.nifi.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r409ee2bae66bfff6aa89e6c74aff535e6248260d3afcb42bfb3b316b@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3ce0e31b25ad4ee8f7c42b62cfdc72d1b586f5d6accd23f5295b6dd1@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r35ab810c0f3016b3fd3a3fa9088a2d2781b354a810780ce74d022b6c@%3Cdev.kafka.apache.org%3E + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + github_reviewed_at: "2021-03-10T03:46:22Z" + nvd_published_at: "2021-02-26T22:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-m6cp-vxjx-65j6 + modified: 2024-02-17T05:34:59.415608Z + published: 2021-06-23T20:23:04Z + aliases: + - CVE-2021-34428 + summary: SessionListener can prevent a session from being invalidated breaking logout + details: | + ### Impact + If an exception is thrown from the `SessionListener#sessionDestroyed()` method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in. + + There is no known path for an attacker to induce such an exception to be thrown, thus they must rely on an application to throw such an exception. The OP has also identified that during the call to `sessionDestroyed`, the `getLastAccessedTime()` throws an `IllegalStateException`, which potentially contrary to the servlet spec, so applications calling this method may always throw and fail to log out. If such an application was only tested on a non clustered test environment, then it may be deployed on a clustered environment with multiple contexts and fail to log out. + + ### Workarounds + The application should catch all Throwables within their `SessionListener#sessionDestroyed()` implementations. 
+ affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 9.4.41 + versions: + - 7.0.0.M0 + - 7.0.0.M1 + - 7.0.0.M2 + - 7.0.0.M3 + - 7.0.0.M4 + - 7.0.0.RC0 + - 7.0.0.RC1 + - 7.0.0.RC2 + - 7.0.0.RC3 + - 7.0.0.RC4 + - 7.0.0.RC5 + - 7.0.0.RC6 + - 7.0.0.v20091005 + - 7.0.1.v20091125 + - 7.0.2.RC0 + - 7.0.2.v20100331 + - 7.1.0.RC0 + - 7.1.0.RC1 + - 7.1.0.v20100505 + - 7.1.1.v20100517 + - 7.1.2.v20100523 + - 7.1.3.v20100526 + - 7.1.4.v20100610 + - 7.1.5.v20100705 + - 7.1.6.v20100715 + - 7.2.0.RC0 + - 7.2.0.v20101020 + - 7.2.1.v20101111 + - 7.2.2.v20101205 + - 7.3.0.v20110203 + - 7.3.1.v20110307 + - 7.4.0.RC0 + - 7.4.0.v20110414 + - 7.4.1.v20110513 + - 7.4.2.v20110526 + - 7.4.3.v20110701 + - 7.4.4.v20110707 + - 7.4.5.v20110725 + - 7.5.0.RC0 + - 7.5.0.RC1 + - 7.5.0.RC2 + - 7.5.0.v20110901 + - 7.5.1.v20110908 + - 7.5.2.v20111006 + - 7.5.3.v20111011 + - 7.5.4.v20111024 + - 7.6.0.RC0 + - 7.6.0.RC1 + - 7.6.0.RC2 + - 7.6.0.RC3 + - 7.6.0.RC4 + - 7.6.0.RC5 + - 7.6.0.v20120127 + - 7.6.1.v20120215 + - 7.6.10.v20130312 + - 7.6.11.v20130520 + - 7.6.12.v20130726 + - 7.6.13.v20130916 + - 7.6.14.v20131031 + - 7.6.15.v20140411 + - 7.6.16.v20140903 + - 7.6.17.v20150415 + - 7.6.18.v20150929 + - 7.6.19.v20160209 + - 7.6.2.v20120308 + - 7.6.20.v20160902 + - 7.6.21.v20160908 + - 7.6.3.v20120416 + - 7.6.4.v20120524 + - 7.6.5.v20120716 + - 7.6.6.v20120903 + - 7.6.7.v20120910 + - 7.6.8.v20121106 + - 7.6.9.v20130131 + - 8.0.0.M0 + - 8.0.0.M1 + - 8.0.0.M2 + - 8.0.0.M3 + - 8.0.0.RC0 + - 8.0.0.v20110901 + - 8.0.1.v20110908 + - 8.0.2.v20111006 + - 8.0.3.v20111011 + - 8.0.4.v20111024 + - 8.1.0.RC0 + - 8.1.0.RC1 + - 8.1.0.RC2 + - 8.1.0.RC4 + - 8.1.0.RC5 + - 8.1.0.v20120127 + - 8.1.1.v20120215 + - 8.1.10.v20130312 + - 8.1.11.v20130520 + - 8.1.12.v20130726 + - 8.1.13.v20130916 + - 8.1.14.v20131031 + - 8.1.15.v20140411 + - 8.1.16.v20140903 + - 8.1.17.v20150415 + 
- 8.1.18.v20150929 + - 8.1.19.v20160209 + - 8.1.2.v20120308 + - 8.1.20.v20160902 + - 8.1.21.v20160908 + - 8.1.22.v20160922 + - 8.1.3.v20120416 + - 8.1.4.v20120524 + - 8.1.5.v20120716 + - 8.1.6.v20120903 + - 8.1.7.v20120910 + - 8.1.8.v20121106 + - 8.1.9.v20130131 + - 8.2.0.v20160908 + - 9.0.0.M0 + - 9.0.0.M1 + - 9.0.0.M2 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M5 + - 9.0.0.RC0 + - 9.0.0.RC1 + - 9.0.0.RC2 + - 9.0.0.v20130308 + - 9.0.1.v20130408 + - 9.0.2.v20130417 + - 9.0.3.v20130506 + - 9.0.4.v20130625 + - 9.0.5.v20130815 + - 9.0.6.v20130930 + - 9.0.7.v20131107 + - 9.1.0.M0 + - 9.1.0.RC0 + - 9.1.0.RC1 + - 9.1.0.RC2 + - 9.1.0.v20131115 + - 9.1.1.v20140108 + - 9.1.2.v20140210 + - 9.1.3.v20140225 + - 9.1.4.v20140401 + - 9.1.5.v20140505 + - 9.1.6.v20160112 + - 9.2.0.M0 + - 9.2.0.M1 + - 9.2.0.RC0 + - 9.2.0.v20140526 + - 9.2.1.v20140609 + - 9.2.10.v20150310 + - 9.2.11.M0 + - 9.2.11.v20150529 + - 9.2.12.M0 + - 9.2.12.v20150709 + - 9.2.13.v20150730 + - 9.2.14.v20151106 + - 9.2.15.v20160210 + - 9.2.16.v20160414 + - 9.2.17.v20160517 + - 9.2.18.v20160721 + - 9.2.19.v20160908 + - 9.2.2.v20140723 + - 9.2.20.v20161216 + - 9.2.21.v20170120 + - 9.2.22.v20170606 + - 9.2.23.v20171218 + - 9.2.24.v20180105 + - 9.2.25.v20180606 + - 9.2.26.v20180806 + - 9.2.27.v20190403 + - 9.2.28.v20190418 + - 9.2.29.v20191105 + - 9.2.3.v20140905 + - 9.2.30.v20200428 + - 9.2.4.v20141103 + - 9.2.5.v20141112 + - 9.2.6.v20141205 + - 9.2.7.v20150116 + - 9.2.8.v20150217 + - 9.2.9.v20150224 + - 9.3.0.M0 + - 9.3.0.M1 + - 9.3.0.M2 + - 9.3.0.RC0 + - 9.3.0.RC1 + - 9.3.0.v20150612 + - 9.3.1.v20150714 + - 9.3.10.M0 + - 9.3.10.v20160621 + - 9.3.11.M0 + - 9.3.11.v20160721 + - 9.3.12.v20160915 + - 9.3.13.M0 + - 9.3.13.v20161014 + - 9.3.14.v20161028 + - 9.3.15.v20161220 + - 9.3.16.v20170120 + - 9.3.17.RC0 + - 9.3.17.v20170317 + - 9.3.18.v20170406 + - 9.3.19.v20170502 + - 9.3.2.v20150730 + - 9.3.20.v20170531 + - 9.3.21.M0 + - 9.3.21.RC0 + - 9.3.21.v20170918 + - 9.3.22.v20171030 + - 9.3.23.v20180228 + - 9.3.24.v20180605 + - 
9.3.25.v20180904 + - 9.3.26.v20190403 + - 9.3.27.v20190418 + - 9.3.28.v20191105 + - 9.3.29.v20201019 + - 9.3.3.v20150827 + - 9.3.30.v20211001 + - 9.3.4.RC0 + - 9.3.4.RC1 + - 9.3.4.v20151007 + - 9.3.5.v20151012 + - 9.3.6.v20151106 + - 9.3.7.RC0 + - 9.3.7.RC1 + - 9.3.7.v20160115 + - 9.3.8.RC0 + - 9.3.8.v20160314 + - 9.3.9.M0 + - 9.3.9.M1 + - 9.3.9.v20160517 + - 9.4.0.M0 + - 9.4.0.M1 + - 9.4.0.RC0 + - 9.4.0.RC1 + - 9.4.0.RC2 + - 9.4.0.RC3 + - 9.4.0.v20161208 + - 9.4.0.v20180619 + - 9.4.1.v20170120 + - 9.4.1.v20180619 + - 9.4.10.RC0 + - 9.4.10.RC1 + - 9.4.10.v20180503 + - 9.4.11.v20180605 + - 9.4.12.RC0 + - 9.4.12.RC1 + - 9.4.12.RC2 + - 9.4.12.v20180830 + - 9.4.13.v20181111 + - 9.4.14.v20181114 + - 9.4.15.v20190215 + - 9.4.16.v20190411 + - 9.4.17.v20190418 + - 9.4.18.v20190429 + - 9.4.19.v20190610 + - 9.4.2.v20170220 + - 9.4.2.v20180619 + - 9.4.20.v20190813 + - 9.4.21.v20190926 + - 9.4.22.v20191022 + - 9.4.23.v20191118 + - 9.4.24.v20191120 + - 9.4.25.v20191220 + - 9.4.26.v20200117 + - 9.4.27.v20200227 + - 9.4.28.v20200408 + - 9.4.29.v20200521 + - 9.4.3.v20170317 + - 9.4.3.v20180619 + - 9.4.30.v20200611 + - 9.4.31.v20200723 + - 9.4.32.v20200930 + - 9.4.33.v20201020 + - 9.4.34.v20201102 + - 9.4.35.v20201120 + - 9.4.36.v20210114 + - 9.4.37.v20210219 + - 9.4.38.v20210224 + - 9.4.39.v20210325 + - 9.4.4.v20170414 + - 9.4.4.v20180619 + - 9.4.40.v20210413 + - 9.4.5.v20170502 + - 9.4.5.v20180619 + - 9.4.6.v20170531 + - 9.4.6.v20180619 + - 9.4.7.RC0 + - 9.4.7.v20170914 + - 9.4.7.v20180619 + - 9.4.8.v20171121 + - 9.4.8.v20180619 + - 9.4.9.v20180320 + database_specific: + last_known_affected_version_range: <= 9.4.40 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-m6cp-vxjx-65j6/GHSA-m6cp-vxjx-65j6.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.0.0 + - fixed: 10.0.3 + versions: + - 10.0.0 + - 
10.0.1 + - 10.0.2 + database_specific: + last_known_affected_version_range: <= 10.0.2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-m6cp-vxjx-65j6/GHSA-m6cp-vxjx-65j6.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0 + - fixed: 11.0.3 + versions: + - 11.0.0 + - 11.0.1 + - 11.0.2 + database_specific: + last_known_affected_version_range: <= 11.0.2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-m6cp-vxjx-65j6/GHSA-m6cp-vxjx-65j6.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N + references: + - type: WEB + url: https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6 + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-34428 + - type: WEB + url: https://github.com/eclipse/jetty.project + - type: WEB + url: https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: 
https://security.netapp.com/advisory/ntap-20210813-0003 + - type: WEB + url: https://www.debian.org/security/2021/dsa-4949 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + database_specific: + cwe_ids: + - CWE-613 + github_reviewed: true + github_reviewed_at: "2021-06-22T16:41:00Z" + nvd_published_at: "2021-06-22T15:15:00Z" + severity: LOW + - schema_version: 1.6.0 + id: GHSA-mwcx-532g-8pq3 + modified: 2024-02-17T05:43:52.147542Z + published: 2018-10-16T17:44:11Z + aliases: + - CVE-2018-12538 + summary: Access and integrity issue within Eclipse Jetty + details: In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore. 
+ affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.4.0 + - fixed: 9.4.11.v20180605 + versions: + - 9.4.0.v20161208 + - 9.4.0.v20180619 + - 9.4.1.v20170120 + - 9.4.1.v20180619 + - 9.4.10.RC0 + - 9.4.10.RC1 + - 9.4.10.v20180503 + - 9.4.2.v20170220 + - 9.4.2.v20180619 + - 9.4.3.v20170317 + - 9.4.3.v20180619 + - 9.4.4.v20170414 + - 9.4.4.v20180619 + - 9.4.5.v20170502 + - 9.4.5.v20180619 + - 9.4.6.v20170531 + - 9.4.6.v20180619 + - 9.4.7.RC0 + - 9.4.7.v20170914 + - 9.4.7.v20180619 + - 9.4.8.v20171121 + - 9.4.8.v20180619 + - 9.4.9.v20180320 + database_specific: + last_known_affected_version_range: <= 9.4.10.v20180503 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-mwcx-532g-8pq3/GHSA-mwcx-532g-8pq3.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-12538 + - type: WEB + url: https://bugs.eclipse.org/bugs/show_bug.cgi?id=536018 + - type: ADVISORY + url: https://github.com/advisories/GHSA-mwcx-532g-8pq3 + - type: WEB + url: https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20181014-0001 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: http://www.securitytracker.com/id/1041194 + database_specific: + cwe_ids: + - CWE-384 + - CWE-6 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:47:31Z" + nvd_published_at: null + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-p26g-97m4-6q7c + modified: 2024-02-20T05:30:22.058149Z + published: 2023-04-18T22:19:57Z + aliases: + - 
CVE-2023-26049 + summary: Eclipse Jetty's cookie parsing of quoted values can exfiltrate values from other cookies + details: | + Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. + + If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. + + So, a cookie header such as: + + `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name `DISPLAY_LANGUAGE` and a value of `b; JSESSIONID=1337; c=d` + + instead of 3 separate cookies. + + ### Impact + This has security implications because if, say, `JSESSIONID` is an `HttpOnly` cookie, and the `DISPLAY_LANGUAGE` cookie value is rendered on the page, an attacker can smuggle the `JSESSIONID` cookie into the `DISPLAY_LANGUAGE` cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server. 
+ + ### Patches + * 9.4.51.v20230217 - via PR #9352 + * 10.0.15 - via PR #9339 + * 11.0.15 - via PR #9339 + + ### Workarounds + No workarounds + + ### References + * https://www.rfc-editor.org/rfc/rfc2965 + * https://www.rfc-editor.org/rfc/rfc6265 + affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 9.4.51.v20230217 + versions: + - 7.0.0.M0 + - 7.0.0.M1 + - 7.0.0.M2 + - 7.0.0.M3 + - 7.0.0.M4 + - 7.0.0.RC0 + - 7.0.0.RC1 + - 7.0.0.RC2 + - 7.0.0.RC3 + - 7.0.0.RC4 + - 7.0.0.RC5 + - 7.0.0.RC6 + - 7.0.0.v20091005 + - 7.0.1.v20091125 + - 7.0.2.RC0 + - 7.0.2.v20100331 + - 7.1.0.RC0 + - 7.1.0.RC1 + - 7.1.0.v20100505 + - 7.1.1.v20100517 + - 7.1.2.v20100523 + - 7.1.3.v20100526 + - 7.1.4.v20100610 + - 7.1.5.v20100705 + - 7.1.6.v20100715 + - 7.2.0.RC0 + - 7.2.0.v20101020 + - 7.2.1.v20101111 + - 7.2.2.v20101205 + - 7.3.0.v20110203 + - 7.3.1.v20110307 + - 7.4.0.RC0 + - 7.4.0.v20110414 + - 7.4.1.v20110513 + - 7.4.2.v20110526 + - 7.4.3.v20110701 + - 7.4.4.v20110707 + - 7.4.5.v20110725 + - 7.5.0.RC0 + - 7.5.0.RC1 + - 7.5.0.RC2 + - 7.5.0.v20110901 + - 7.5.1.v20110908 + - 7.5.2.v20111006 + - 7.5.3.v20111011 + - 7.5.4.v20111024 + - 7.6.0.RC0 + - 7.6.0.RC1 + - 7.6.0.RC2 + - 7.6.0.RC3 + - 7.6.0.RC4 + - 7.6.0.RC5 + - 7.6.0.v20120127 + - 7.6.1.v20120215 + - 7.6.10.v20130312 + - 7.6.11.v20130520 + - 7.6.12.v20130726 + - 7.6.13.v20130916 + - 7.6.14.v20131031 + - 7.6.15.v20140411 + - 7.6.16.v20140903 + - 7.6.17.v20150415 + - 7.6.18.v20150929 + - 7.6.19.v20160209 + - 7.6.2.v20120308 + - 7.6.20.v20160902 + - 7.6.21.v20160908 + - 7.6.3.v20120416 + - 7.6.4.v20120524 + - 7.6.5.v20120716 + - 7.6.6.v20120903 + - 7.6.7.v20120910 + - 7.6.8.v20121106 + - 7.6.9.v20130131 + - 8.0.0.M0 + - 8.0.0.M1 + - 8.0.0.M2 + - 8.0.0.M3 + - 8.0.0.RC0 + - 8.0.0.v20110901 + - 8.0.1.v20110908 + - 8.0.2.v20111006 + - 8.0.3.v20111011 + - 8.0.4.v20111024 + - 8.1.0.RC0 + - 
8.1.0.RC1 + - 8.1.0.RC2 + - 8.1.0.RC4 + - 8.1.0.RC5 + - 8.1.0.v20120127 + - 8.1.1.v20120215 + - 8.1.10.v20130312 + - 8.1.11.v20130520 + - 8.1.12.v20130726 + - 8.1.13.v20130916 + - 8.1.14.v20131031 + - 8.1.15.v20140411 + - 8.1.16.v20140903 + - 8.1.17.v20150415 + - 8.1.18.v20150929 + - 8.1.19.v20160209 + - 8.1.2.v20120308 + - 8.1.20.v20160902 + - 8.1.21.v20160908 + - 8.1.22.v20160922 + - 8.1.3.v20120416 + - 8.1.4.v20120524 + - 8.1.5.v20120716 + - 8.1.6.v20120903 + - 8.1.7.v20120910 + - 8.1.8.v20121106 + - 8.1.9.v20130131 + - 8.2.0.v20160908 + - 9.0.0.M0 + - 9.0.0.M1 + - 9.0.0.M2 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M5 + - 9.0.0.RC0 + - 9.0.0.RC1 + - 9.0.0.RC2 + - 9.0.0.v20130308 + - 9.0.1.v20130408 + - 9.0.2.v20130417 + - 9.0.3.v20130506 + - 9.0.4.v20130625 + - 9.0.5.v20130815 + - 9.0.6.v20130930 + - 9.0.7.v20131107 + - 9.1.0.M0 + - 9.1.0.RC0 + - 9.1.0.RC1 + - 9.1.0.RC2 + - 9.1.0.v20131115 + - 9.1.1.v20140108 + - 9.1.2.v20140210 + - 9.1.3.v20140225 + - 9.1.4.v20140401 + - 9.1.5.v20140505 + - 9.1.6.v20160112 + - 9.2.0.M0 + - 9.2.0.M1 + - 9.2.0.RC0 + - 9.2.0.v20140526 + - 9.2.1.v20140609 + - 9.2.10.v20150310 + - 9.2.11.M0 + - 9.2.11.v20150529 + - 9.2.12.M0 + - 9.2.12.v20150709 + - 9.2.13.v20150730 + - 9.2.14.v20151106 + - 9.2.15.v20160210 + - 9.2.16.v20160414 + - 9.2.17.v20160517 + - 9.2.18.v20160721 + - 9.2.19.v20160908 + - 9.2.2.v20140723 + - 9.2.20.v20161216 + - 9.2.21.v20170120 + - 9.2.22.v20170606 + - 9.2.23.v20171218 + - 9.2.24.v20180105 + - 9.2.25.v20180606 + - 9.2.26.v20180806 + - 9.2.27.v20190403 + - 9.2.28.v20190418 + - 9.2.29.v20191105 + - 9.2.3.v20140905 + - 9.2.30.v20200428 + - 9.2.4.v20141103 + - 9.2.5.v20141112 + - 9.2.6.v20141205 + - 9.2.7.v20150116 + - 9.2.8.v20150217 + - 9.2.9.v20150224 + - 9.3.0.M0 + - 9.3.0.M1 + - 9.3.0.M2 + - 9.3.0.RC0 + - 9.3.0.RC1 + - 9.3.0.v20150612 + - 9.3.1.v20150714 + - 9.3.10.M0 + - 9.3.10.v20160621 + - 9.3.11.M0 + - 9.3.11.v20160721 + - 9.3.12.v20160915 + - 9.3.13.M0 + - 9.3.13.v20161014 + - 9.3.14.v20161028 + - 
9.3.15.v20161220 + - 9.3.16.v20170120 + - 9.3.17.RC0 + - 9.3.17.v20170317 + - 9.3.18.v20170406 + - 9.3.19.v20170502 + - 9.3.2.v20150730 + - 9.3.20.v20170531 + - 9.3.21.M0 + - 9.3.21.RC0 + - 9.3.21.v20170918 + - 9.3.22.v20171030 + - 9.3.23.v20180228 + - 9.3.24.v20180605 + - 9.3.25.v20180904 + - 9.3.26.v20190403 + - 9.3.27.v20190418 + - 9.3.28.v20191105 + - 9.3.29.v20201019 + - 9.3.3.v20150827 + - 9.3.30.v20211001 + - 9.3.4.RC0 + - 9.3.4.RC1 + - 9.3.4.v20151007 + - 9.3.5.v20151012 + - 9.3.6.v20151106 + - 9.3.7.RC0 + - 9.3.7.RC1 + - 9.3.7.v20160115 + - 9.3.8.RC0 + - 9.3.8.v20160314 + - 9.3.9.M0 + - 9.3.9.M1 + - 9.3.9.v20160517 + - 9.4.0.M0 + - 9.4.0.M1 + - 9.4.0.RC0 + - 9.4.0.RC1 + - 9.4.0.RC2 + - 9.4.0.RC3 + - 9.4.0.v20161208 + - 9.4.0.v20180619 + - 9.4.1.v20170120 + - 9.4.1.v20180619 + - 9.4.10.RC0 + - 9.4.10.RC1 + - 9.4.10.v20180503 + - 9.4.11.v20180605 + - 9.4.12.RC0 + - 9.4.12.RC1 + - 9.4.12.RC2 + - 9.4.12.v20180830 + - 9.4.13.v20181111 + - 9.4.14.v20181114 + - 9.4.15.v20190215 + - 9.4.16.v20190411 + - 9.4.17.v20190418 + - 9.4.18.v20190429 + - 9.4.19.v20190610 + - 9.4.2.v20170220 + - 9.4.2.v20180619 + - 9.4.20.v20190813 + - 9.4.21.v20190926 + - 9.4.22.v20191022 + - 9.4.23.v20191118 + - 9.4.24.v20191120 + - 9.4.25.v20191220 + - 9.4.26.v20200117 + - 9.4.27.v20200227 + - 9.4.28.v20200408 + - 9.4.29.v20200521 + - 9.4.3.v20170317 + - 9.4.3.v20180619 + - 9.4.30.v20200611 + - 9.4.31.v20200723 + - 9.4.32.v20200930 + - 9.4.33.v20201020 + - 9.4.34.v20201102 + - 9.4.35.v20201120 + - 9.4.36.v20210114 + - 9.4.37.v20210219 + - 9.4.38.v20210224 + - 9.4.39.v20210325 + - 9.4.4.v20170414 + - 9.4.4.v20180619 + - 9.4.40.v20210413 + - 9.4.41.v20210516 + - 9.4.42.v20210604 + - 9.4.43.v20210629 + - 9.4.44.v20210927 + - 9.4.45.v20220203 + - 9.4.46.v20220331 + - 9.4.47.v20220610 + - 9.4.48.v20220622 + - 9.4.49.v20220914 + - 9.4.5.v20170502 + - 9.4.5.v20180619 + - 9.4.50.v20221201 + - 9.4.6.v20170531 + - 9.4.6.v20180619 + - 9.4.7.RC0 + - 9.4.7.v20170914 + - 9.4.7.v20180619 + - 
9.4.8.v20171121 + - 9.4.8.v20180619 + - 9.4.9.v20180320 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-p26g-97m4-6q7c/GHSA-p26g-97m4-6q7c.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.0.0 + - fixed: 10.0.14 + versions: + - 10.0.0 + - 10.0.1 + - 10.0.10 + - 10.0.11 + - 10.0.12 + - 10.0.13 + - 10.0.2 + - 10.0.3 + - 10.0.4 + - 10.0.5 + - 10.0.6 + - 10.0.7 + - 10.0.8 + - 10.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-p26g-97m4-6q7c/GHSA-p26g-97m4-6q7c.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0 + - fixed: 11.0.14 + versions: + - 11.0.0 + - 11.0.1 + - 11.0.10 + - 11.0.11 + - 11.0.12 + - 11.0.13 + - 11.0.2 + - 11.0.3 + - 11.0.4 + - 11.0.5 + - 11.0.6 + - 11.0.7 + - 11.0.8 + - 11.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-p26g-97m4-6q7c/GHSA-p26g-97m4-6q7c.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 12.0.0alpha0 + - fixed: 12.0.0.beta0 + versions: + - 12.0.0.alpha0 + - 12.0.0.alpha1 + - 12.0.0.alpha2 + - 12.0.0.alpha3 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-p26g-97m4-6q7c/GHSA-p26g-97m4-6q7c.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N + references: + - type: WEB + url: https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c + - type: ADVISORY + url: 
https://nvd.nist.gov/vuln/detail/CVE-2023-26049 + - type: WEB + url: https://github.com/eclipse/jetty.project/pull/9339 + - type: WEB + url: https://github.com/eclipse/jetty.project/pull/9352 + - type: PACKAGE + url: https://github.com/eclipse/jetty.project + - type: WEB + url: https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20230526-0001 + - type: WEB + url: https://www.debian.org/security/2023/dsa-5507 + - type: WEB + url: https://www.rfc-editor.org/rfc/rfc2965 + - type: WEB + url: https://www.rfc-editor.org/rfc/rfc6265 + database_specific: + cwe_ids: + - CWE-200 + github_reviewed: true + github_reviewed_at: "2023-04-18T22:19:57Z" + nvd_published_at: "2023-04-18T21:15:09Z" + severity: LOW + - schema_version: 1.6.0 + id: GHSA-qw69-rqj8-6qw8 + modified: 2024-02-20T05:33:41.250857Z + published: 2023-04-19T18:15:45Z + aliases: + - CVE-2023-26048 + summary: OutOfMemoryError for large multipart without filename in Eclipse Jetty + details: | + ### Impact + Servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and a very large content. + + This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. + + An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. + However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. + + A very large number of parts may cause the same problem. 
+ + ### Patches + Patched in Jetty versions + + * 9.4.51.v20230217 - via PR #9345 + * 10.0.14 - via PR #9344 + * 11.0.14 - via PR #9344 + + ### Workarounds + Multipart parameter `maxRequestSize` must be set to a non-negative value, so the whole multipart content is limited (although still read into memory). + Limiting multipart parameter `maxFileSize` won't be enough because an attacker can send a large number of parts that summed up will cause memory issues. + + ### References + * https://github.com/eclipse/jetty.project/issues/9076 + * https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload + affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 9.4.51.v20230217 + versions: + - 7.0.0.M0 + - 7.0.0.M1 + - 7.0.0.M2 + - 7.0.0.M3 + - 7.0.0.M4 + - 7.0.0.RC0 + - 7.0.0.RC1 + - 7.0.0.RC2 + - 7.0.0.RC3 + - 7.0.0.RC4 + - 7.0.0.RC5 + - 7.0.0.RC6 + - 7.0.0.v20091005 + - 7.0.1.v20091125 + - 7.0.2.RC0 + - 7.0.2.v20100331 + - 7.1.0.RC0 + - 7.1.0.RC1 + - 7.1.0.v20100505 + - 7.1.1.v20100517 + - 7.1.2.v20100523 + - 7.1.3.v20100526 + - 7.1.4.v20100610 + - 7.1.5.v20100705 + - 7.1.6.v20100715 + - 7.2.0.RC0 + - 7.2.0.v20101020 + - 7.2.1.v20101111 + - 7.2.2.v20101205 + - 7.3.0.v20110203 + - 7.3.1.v20110307 + - 7.4.0.RC0 + - 7.4.0.v20110414 + - 7.4.1.v20110513 + - 7.4.2.v20110526 + - 7.4.3.v20110701 + - 7.4.4.v20110707 + - 7.4.5.v20110725 + - 7.5.0.RC0 + - 7.5.0.RC1 + - 7.5.0.RC2 + - 7.5.0.v20110901 + - 7.5.1.v20110908 + - 7.5.2.v20111006 + - 7.5.3.v20111011 + - 7.5.4.v20111024 + - 7.6.0.RC0 + - 7.6.0.RC1 + - 7.6.0.RC2 + - 7.6.0.RC3 + - 7.6.0.RC4 + - 7.6.0.RC5 + - 7.6.0.v20120127 + - 7.6.1.v20120215 + - 7.6.10.v20130312 + - 7.6.11.v20130520 + - 7.6.12.v20130726 + - 7.6.13.v20130916 + - 7.6.14.v20131031 + - 7.6.15.v20140411 + - 7.6.16.v20140903 + - 7.6.17.v20150415 + - 7.6.18.v20150929 + - 
7.6.19.v20160209 + - 7.6.2.v20120308 + - 7.6.20.v20160902 + - 7.6.21.v20160908 + - 7.6.3.v20120416 + - 7.6.4.v20120524 + - 7.6.5.v20120716 + - 7.6.6.v20120903 + - 7.6.7.v20120910 + - 7.6.8.v20121106 + - 7.6.9.v20130131 + - 8.0.0.M0 + - 8.0.0.M1 + - 8.0.0.M2 + - 8.0.0.M3 + - 8.0.0.RC0 + - 8.0.0.v20110901 + - 8.0.1.v20110908 + - 8.0.2.v20111006 + - 8.0.3.v20111011 + - 8.0.4.v20111024 + - 8.1.0.RC0 + - 8.1.0.RC1 + - 8.1.0.RC2 + - 8.1.0.RC4 + - 8.1.0.RC5 + - 8.1.0.v20120127 + - 8.1.1.v20120215 + - 8.1.10.v20130312 + - 8.1.11.v20130520 + - 8.1.12.v20130726 + - 8.1.13.v20130916 + - 8.1.14.v20131031 + - 8.1.15.v20140411 + - 8.1.16.v20140903 + - 8.1.17.v20150415 + - 8.1.18.v20150929 + - 8.1.19.v20160209 + - 8.1.2.v20120308 + - 8.1.20.v20160902 + - 8.1.21.v20160908 + - 8.1.22.v20160922 + - 8.1.3.v20120416 + - 8.1.4.v20120524 + - 8.1.5.v20120716 + - 8.1.6.v20120903 + - 8.1.7.v20120910 + - 8.1.8.v20121106 + - 8.1.9.v20130131 + - 8.2.0.v20160908 + - 9.0.0.M0 + - 9.0.0.M1 + - 9.0.0.M2 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M5 + - 9.0.0.RC0 + - 9.0.0.RC1 + - 9.0.0.RC2 + - 9.0.0.v20130308 + - 9.0.1.v20130408 + - 9.0.2.v20130417 + - 9.0.3.v20130506 + - 9.0.4.v20130625 + - 9.0.5.v20130815 + - 9.0.6.v20130930 + - 9.0.7.v20131107 + - 9.1.0.M0 + - 9.1.0.RC0 + - 9.1.0.RC1 + - 9.1.0.RC2 + - 9.1.0.v20131115 + - 9.1.1.v20140108 + - 9.1.2.v20140210 + - 9.1.3.v20140225 + - 9.1.4.v20140401 + - 9.1.5.v20140505 + - 9.1.6.v20160112 + - 9.2.0.M0 + - 9.2.0.M1 + - 9.2.0.RC0 + - 9.2.0.v20140526 + - 9.2.1.v20140609 + - 9.2.10.v20150310 + - 9.2.11.M0 + - 9.2.11.v20150529 + - 9.2.12.M0 + - 9.2.12.v20150709 + - 9.2.13.v20150730 + - 9.2.14.v20151106 + - 9.2.15.v20160210 + - 9.2.16.v20160414 + - 9.2.17.v20160517 + - 9.2.18.v20160721 + - 9.2.19.v20160908 + - 9.2.2.v20140723 + - 9.2.20.v20161216 + - 9.2.21.v20170120 + - 9.2.22.v20170606 + - 9.2.23.v20171218 + - 9.2.24.v20180105 + - 9.2.25.v20180606 + - 9.2.26.v20180806 + - 9.2.27.v20190403 + - 9.2.28.v20190418 + - 9.2.29.v20191105 + - 9.2.3.v20140905 + - 
9.2.30.v20200428 + - 9.2.4.v20141103 + - 9.2.5.v20141112 + - 9.2.6.v20141205 + - 9.2.7.v20150116 + - 9.2.8.v20150217 + - 9.2.9.v20150224 + - 9.3.0.M0 + - 9.3.0.M1 + - 9.3.0.M2 + - 9.3.0.RC0 + - 9.3.0.RC1 + - 9.3.0.v20150612 + - 9.3.1.v20150714 + - 9.3.10.M0 + - 9.3.10.v20160621 + - 9.3.11.M0 + - 9.3.11.v20160721 + - 9.3.12.v20160915 + - 9.3.13.M0 + - 9.3.13.v20161014 + - 9.3.14.v20161028 + - 9.3.15.v20161220 + - 9.3.16.v20170120 + - 9.3.17.RC0 + - 9.3.17.v20170317 + - 9.3.18.v20170406 + - 9.3.19.v20170502 + - 9.3.2.v20150730 + - 9.3.20.v20170531 + - 9.3.21.M0 + - 9.3.21.RC0 + - 9.3.21.v20170918 + - 9.3.22.v20171030 + - 9.3.23.v20180228 + - 9.3.24.v20180605 + - 9.3.25.v20180904 + - 9.3.26.v20190403 + - 9.3.27.v20190418 + - 9.3.28.v20191105 + - 9.3.29.v20201019 + - 9.3.3.v20150827 + - 9.3.30.v20211001 + - 9.3.4.RC0 + - 9.3.4.RC1 + - 9.3.4.v20151007 + - 9.3.5.v20151012 + - 9.3.6.v20151106 + - 9.3.7.RC0 + - 9.3.7.RC1 + - 9.3.7.v20160115 + - 9.3.8.RC0 + - 9.3.8.v20160314 + - 9.3.9.M0 + - 9.3.9.M1 + - 9.3.9.v20160517 + - 9.4.0.M0 + - 9.4.0.M1 + - 9.4.0.RC0 + - 9.4.0.RC1 + - 9.4.0.RC2 + - 9.4.0.RC3 + - 9.4.0.v20161208 + - 9.4.0.v20180619 + - 9.4.1.v20170120 + - 9.4.1.v20180619 + - 9.4.10.RC0 + - 9.4.10.RC1 + - 9.4.10.v20180503 + - 9.4.11.v20180605 + - 9.4.12.RC0 + - 9.4.12.RC1 + - 9.4.12.RC2 + - 9.4.12.v20180830 + - 9.4.13.v20181111 + - 9.4.14.v20181114 + - 9.4.15.v20190215 + - 9.4.16.v20190411 + - 9.4.17.v20190418 + - 9.4.18.v20190429 + - 9.4.19.v20190610 + - 9.4.2.v20170220 + - 9.4.2.v20180619 + - 9.4.20.v20190813 + - 9.4.21.v20190926 + - 9.4.22.v20191022 + - 9.4.23.v20191118 + - 9.4.24.v20191120 + - 9.4.25.v20191220 + - 9.4.26.v20200117 + - 9.4.27.v20200227 + - 9.4.28.v20200408 + - 9.4.29.v20200521 + - 9.4.3.v20170317 + - 9.4.3.v20180619 + - 9.4.30.v20200611 + - 9.4.31.v20200723 + - 9.4.32.v20200930 + - 9.4.33.v20201020 + - 9.4.34.v20201102 + - 9.4.35.v20201120 + - 9.4.36.v20210114 + - 9.4.37.v20210219 + - 9.4.38.v20210224 + - 9.4.39.v20210325 + - 9.4.4.v20170414 + - 
9.4.4.v20180619 + - 9.4.40.v20210413 + - 9.4.41.v20210516 + - 9.4.42.v20210604 + - 9.4.43.v20210629 + - 9.4.44.v20210927 + - 9.4.45.v20220203 + - 9.4.46.v20220331 + - 9.4.47.v20220610 + - 9.4.48.v20220622 + - 9.4.49.v20220914 + - 9.4.5.v20170502 + - 9.4.5.v20180619 + - 9.4.50.v20221201 + - 9.4.6.v20170531 + - 9.4.6.v20180619 + - 9.4.7.RC0 + - 9.4.7.v20170914 + - 9.4.7.v20180619 + - 9.4.8.v20171121 + - 9.4.8.v20180619 + - 9.4.9.v20180320 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qw69-rqj8-6qw8/GHSA-qw69-rqj8-6qw8.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.0.0 + - fixed: 10.0.14 + versions: + - 10.0.0 + - 10.0.1 + - 10.0.10 + - 10.0.11 + - 10.0.12 + - 10.0.13 + - 10.0.2 + - 10.0.3 + - 10.0.4 + - 10.0.5 + - 10.0.6 + - 10.0.7 + - 10.0.8 + - 10.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qw69-rqj8-6qw8/GHSA-qw69-rqj8-6qw8.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0 + - fixed: 11.0.14 + versions: + - 11.0.0 + - 11.0.1 + - 11.0.10 + - 11.0.11 + - 11.0.12 + - 11.0.13 + - 11.0.2 + - 11.0.3 + - 11.0.4 + - 11.0.5 + - 11.0.6 + - 11.0.7 + - 11.0.8 + - 11.0.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qw69-rqj8-6qw8/GHSA-qw69-rqj8-6qw8.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + references: + - type: WEB + url: https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8 + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-26048 + - type: WEB + url: 
https://github.com/eclipse/jetty.project/issues/9076 + - type: WEB + url: https://github.com/eclipse/jetty.project/pull/9344 + - type: WEB + url: https://github.com/eclipse/jetty.project/pull/9345 + - type: PACKAGE + url: https://github.com/eclipse/jetty.project + - type: WEB + url: https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217 + - type: WEB + url: https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20230526-0001 + - type: WEB + url: https://www.debian.org/security/2023/dsa-5507 + database_specific: + cwe_ids: + - CWE-400 + - CWE-770 + github_reviewed: true + github_reviewed_at: "2023-04-19T18:15:45Z" + nvd_published_at: "2023-04-18T21:15:08Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-qxp4-27vx-xmm3 + modified: 2024-04-19T19:16:17.73217Z + published: 2022-05-14T01:27:35Z + aliases: + - CVE-2011-4461 + summary: Improper Input Validation in Jetty + details: Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. 
+ affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 8.1.0.RC4 + versions: + - 7.0.0.M0 + - 7.0.0.M1 + - 7.0.0.M2 + - 7.0.0.M3 + - 7.0.0.M4 + - 7.0.0.RC0 + - 7.0.0.RC1 + - 7.0.0.RC2 + - 7.0.0.RC3 + - 7.0.0.RC4 + - 7.0.0.RC5 + - 7.0.0.RC6 + - 7.0.0.v20091005 + - 7.0.1.v20091125 + - 7.0.2.RC0 + - 7.0.2.v20100331 + - 7.1.0.RC0 + - 7.1.0.RC1 + - 7.1.0.v20100505 + - 7.1.1.v20100517 + - 7.1.2.v20100523 + - 7.1.3.v20100526 + - 7.1.4.v20100610 + - 7.1.5.v20100705 + - 7.1.6.v20100715 + - 7.2.0.RC0 + - 7.2.0.v20101020 + - 7.2.1.v20101111 + - 7.2.2.v20101205 + - 7.3.0.v20110203 + - 7.3.1.v20110307 + - 7.4.0.RC0 + - 7.4.0.v20110414 + - 7.4.1.v20110513 + - 7.4.2.v20110526 + - 7.4.3.v20110701 + - 7.4.4.v20110707 + - 7.4.5.v20110725 + - 7.5.0.RC0 + - 7.5.0.RC1 + - 7.5.0.RC2 + - 7.5.0.v20110901 + - 7.5.1.v20110908 + - 7.5.2.v20111006 + - 7.5.3.v20111011 + - 7.5.4.v20111024 + - 7.6.0.RC0 + - 7.6.0.RC1 + - 7.6.0.RC2 + - 7.6.0.RC3 + - 7.6.0.RC4 + - 7.6.0.RC5 + - 7.6.0.v20120127 + - 7.6.1.v20120215 + - 7.6.10.v20130312 + - 7.6.11.v20130520 + - 7.6.12.v20130726 + - 7.6.13.v20130916 + - 7.6.14.v20131031 + - 7.6.15.v20140411 + - 7.6.16.v20140903 + - 7.6.17.v20150415 + - 7.6.18.v20150929 + - 7.6.19.v20160209 + - 7.6.2.v20120308 + - 7.6.20.v20160902 + - 7.6.21.v20160908 + - 7.6.3.v20120416 + - 7.6.4.v20120524 + - 7.6.5.v20120716 + - 7.6.6.v20120903 + - 7.6.7.v20120910 + - 7.6.8.v20121106 + - 7.6.9.v20130131 + - 8.0.0.M0 + - 8.0.0.M1 + - 8.0.0.M2 + - 8.0.0.M3 + - 8.0.0.RC0 + - 8.0.0.v20110901 + - 8.0.1.v20110908 + - 8.0.2.v20111006 + - 8.0.3.v20111011 + - 8.0.4.v20111024 + - 8.1.0.RC0 + - 8.1.0.RC1 + - 8.1.0.RC2 + database_specific: + last_known_affected_version_range: <= 8.1.0.RC2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qxp4-27vx-xmm3/GHSA-qxp4-27vx-xmm3.json + severity: + - 
type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2011-4461 + - type: WEB + url: https://github.com/eclipse/jetty.project/commit/085c79d7d6cfbccc02821ffdb64968593df3e0bf + - type: WEB + url: https://exchange.xforce.ibmcloud.com/vulnerabilities/72017 + - type: PACKAGE + url: https://github.com/eclipse/jetty.project + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190307-0004 + - type: WEB + url: http://marc.info/?l=bugtraq&m=143387688830075&w=2 + - type: WEB + url: http://www.kb.cert.org/vuls/id/903934 + - type: WEB + url: http://www.ocert.org/advisories/ocert-2011-003.html + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html + - type: WEB + url: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html + - type: WEB + url: http://www.ubuntu.com/usn/USN-1429-1 + database_specific: + cwe_ids: + - CWE-20 + github_reviewed: true + github_reviewed_at: "2022-07-13T18:07:02Z" + nvd_published_at: "2011-12-30T01:55:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-r28m-g6j9-r2h5 + modified: 2024-02-16T08:10:20.837486Z + published: 2019-04-23T16:07:18Z + aliases: + - CVE-2019-10246 + summary: Information Exposure vulnerability in Eclipse Jetty + details: In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories. 
+ affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.2.0 + - fixed: 9.2.28.v20190418 + versions: + - 9.2.0.v20140526 + - 9.2.1.v20140609 + - 9.2.10.v20150310 + - 9.2.11.M0 + - 9.2.11.v20150529 + - 9.2.12.M0 + - 9.2.12.v20150709 + - 9.2.13.v20150730 + - 9.2.14.v20151106 + - 9.2.15.v20160210 + - 9.2.16.v20160414 + - 9.2.17.v20160517 + - 9.2.18.v20160721 + - 9.2.19.v20160908 + - 9.2.2.v20140723 + - 9.2.20.v20161216 + - 9.2.21.v20170120 + - 9.2.22.v20170606 + - 9.2.23.v20171218 + - 9.2.24.v20180105 + - 9.2.25.v20180606 + - 9.2.26.v20180806 + - 9.2.27.v20190403 + - 9.2.3.v20140905 + - 9.2.4.v20141103 + - 9.2.5.v20141112 + - 9.2.6.v20141205 + - 9.2.7.v20150116 + - 9.2.8.v20150217 + - 9.2.9.v20150224 + database_specific: + last_known_affected_version_range: <= 9.2.27.v20190403 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-r28m-g6j9-r2h5/GHSA-r28m-g6j9-r2h5.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.3.0 + - fixed: 9.3.27.v20190418 + versions: + - 9.3.0.v20150612 + - 9.3.1.v20150714 + - 9.3.10.M0 + - 9.3.10.v20160621 + - 9.3.11.M0 + - 9.3.11.v20160721 + - 9.3.12.v20160915 + - 9.3.13.M0 + - 9.3.13.v20161014 + - 9.3.14.v20161028 + - 9.3.15.v20161220 + - 9.3.16.v20170120 + - 9.3.17.RC0 + - 9.3.17.v20170317 + - 9.3.18.v20170406 + - 9.3.19.v20170502 + - 9.3.2.v20150730 + - 9.3.20.v20170531 + - 9.3.21.M0 + - 9.3.21.RC0 + - 9.3.21.v20170918 + - 9.3.22.v20171030 + - 9.3.23.v20180228 + - 9.3.24.v20180605 + - 9.3.25.v20180904 + - 9.3.26.v20190403 + - 9.3.3.v20150827 + - 9.3.4.RC0 + - 9.3.4.RC1 + - 9.3.4.v20151007 + - 9.3.5.v20151012 + - 9.3.6.v20151106 + - 9.3.7.RC0 + - 9.3.7.RC1 + - 9.3.7.v20160115 + - 9.3.8.RC0 + - 9.3.8.v20160314 + - 9.3.9.M0 + - 
9.3.9.M1 + - 9.3.9.v20160517 + database_specific: + last_known_affected_version_range: <= 9.3.26.v20190403 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-r28m-g6j9-r2h5/GHSA-r28m-g6j9-r2h5.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.4.0 + - fixed: 9.4.17.v20190418 + versions: + - 9.4.0.v20161208 + - 9.4.0.v20180619 + - 9.4.1.v20170120 + - 9.4.1.v20180619 + - 9.4.10.RC0 + - 9.4.10.RC1 + - 9.4.10.v20180503 + - 9.4.11.v20180605 + - 9.4.12.RC0 + - 9.4.12.RC1 + - 9.4.12.RC2 + - 9.4.12.v20180830 + - 9.4.13.v20181111 + - 9.4.14.v20181114 + - 9.4.15.v20190215 + - 9.4.16.v20190411 + - 9.4.2.v20170220 + - 9.4.2.v20180619 + - 9.4.3.v20170317 + - 9.4.3.v20180619 + - 9.4.4.v20170414 + - 9.4.4.v20180619 + - 9.4.5.v20170502 + - 9.4.5.v20180619 + - 9.4.6.v20170531 + - 9.4.6.v20180619 + - 9.4.7.RC0 + - 9.4.7.v20170914 + - 9.4.7.v20180619 + - 9.4.8.v20171121 + - 9.4.8.v20180619 + - 9.4.9.v20180320 + database_specific: + last_known_affected_version_range: <= 9.4.16.v20190411 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-r28m-g6j9-r2h5/GHSA-r28m-g6j9-r2h5.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-10246 + - type: WEB + url: https://bugs.eclipse.org/bugs/show_bug.cgi?id=546576 + - type: WEB + url: https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190509-0003 + - type: WEB + url: 
https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + database_specific: + cwe_ids: + - CWE-200 + - CWE-213 + github_reviewed: true + github_reviewed_at: "2019-04-23T16:03:54Z" + nvd_published_at: "2019-04-22T20:29:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-vgg8-72f2-qm23 + modified: 2024-02-17T05:36:15.08082Z + published: 2018-10-19T16:15:34Z + aliases: + - CVE-2017-7657 + summary: Critical severity vulnerability that affects org.eclipse.jetty:jetty-server + details: In Eclipse Jetty, versions 9.2.x and older, 9.3.x, transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request. 
+ affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 9.2.25.v20180606 + versions: + - 7.0.0.M0 + - 7.0.0.M1 + - 7.0.0.M2 + - 7.0.0.M3 + - 7.0.0.M4 + - 7.0.0.RC0 + - 7.0.0.RC1 + - 7.0.0.RC2 + - 7.0.0.RC3 + - 7.0.0.RC4 + - 7.0.0.RC5 + - 7.0.0.RC6 + - 7.0.0.v20091005 + - 7.0.1.v20091125 + - 7.0.2.RC0 + - 7.0.2.v20100331 + - 7.1.0.RC0 + - 7.1.0.RC1 + - 7.1.0.v20100505 + - 7.1.1.v20100517 + - 7.1.2.v20100523 + - 7.1.3.v20100526 + - 7.1.4.v20100610 + - 7.1.5.v20100705 + - 7.1.6.v20100715 + - 7.2.0.RC0 + - 7.2.0.v20101020 + - 7.2.1.v20101111 + - 7.2.2.v20101205 + - 7.3.0.v20110203 + - 7.3.1.v20110307 + - 7.4.0.RC0 + - 7.4.0.v20110414 + - 7.4.1.v20110513 + - 7.4.2.v20110526 + - 7.4.3.v20110701 + - 7.4.4.v20110707 + - 7.4.5.v20110725 + - 7.5.0.RC0 + - 7.5.0.RC1 + - 7.5.0.RC2 + - 7.5.0.v20110901 + - 7.5.1.v20110908 + - 7.5.2.v20111006 + - 7.5.3.v20111011 + - 7.5.4.v20111024 + - 7.6.0.RC0 + - 7.6.0.RC1 + - 7.6.0.RC2 + - 7.6.0.RC3 + - 7.6.0.RC4 + - 7.6.0.RC5 + - 7.6.0.v20120127 + - 7.6.1.v20120215 + - 7.6.10.v20130312 + - 7.6.11.v20130520 + - 7.6.12.v20130726 + - 7.6.13.v20130916 + - 7.6.14.v20131031 + - 7.6.15.v20140411 + - 7.6.16.v20140903 + - 7.6.17.v20150415 + - 7.6.18.v20150929 + - 7.6.19.v20160209 + - 7.6.2.v20120308 + - 7.6.20.v20160902 + - 7.6.21.v20160908 + - 7.6.3.v20120416 + - 7.6.4.v20120524 + - 7.6.5.v20120716 + - 7.6.6.v20120903 + - 7.6.7.v20120910 + - 7.6.8.v20121106 + - 7.6.9.v20130131 + - 8.0.0.M0 + - 8.0.0.M1 + - 8.0.0.M2 + - 8.0.0.M3 + - 8.0.0.RC0 + - 8.0.0.v20110901 + - 8.0.1.v20110908 + - 8.0.2.v20111006 + - 8.0.3.v20111011 + - 8.0.4.v20111024 + - 8.1.0.RC0 + - 8.1.0.RC1 + - 8.1.0.RC2 + - 8.1.0.RC4 + - 8.1.0.RC5 + - 8.1.0.v20120127 + - 8.1.1.v20120215 + - 8.1.10.v20130312 + - 8.1.11.v20130520 + - 8.1.12.v20130726 + - 8.1.13.v20130916 + - 8.1.14.v20131031 + - 8.1.15.v20140411 + - 8.1.16.v20140903 + - 
8.1.17.v20150415 + - 8.1.18.v20150929 + - 8.1.19.v20160209 + - 8.1.2.v20120308 + - 8.1.20.v20160902 + - 8.1.21.v20160908 + - 8.1.22.v20160922 + - 8.1.3.v20120416 + - 8.1.4.v20120524 + - 8.1.5.v20120716 + - 8.1.6.v20120903 + - 8.1.7.v20120910 + - 8.1.8.v20121106 + - 8.1.9.v20130131 + - 8.2.0.v20160908 + - 9.0.0.M0 + - 9.0.0.M1 + - 9.0.0.M2 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M5 + - 9.0.0.RC0 + - 9.0.0.RC1 + - 9.0.0.RC2 + - 9.0.0.v20130308 + - 9.0.1.v20130408 + - 9.0.2.v20130417 + - 9.0.3.v20130506 + - 9.0.4.v20130625 + - 9.0.5.v20130815 + - 9.0.6.v20130930 + - 9.0.7.v20131107 + - 9.1.0.M0 + - 9.1.0.RC0 + - 9.1.0.RC1 + - 9.1.0.RC2 + - 9.1.0.v20131115 + - 9.1.1.v20140108 + - 9.1.2.v20140210 + - 9.1.3.v20140225 + - 9.1.4.v20140401 + - 9.1.5.v20140505 + - 9.1.6.v20160112 + - 9.2.0.M0 + - 9.2.0.M1 + - 9.2.0.RC0 + - 9.2.0.v20140526 + - 9.2.1.v20140609 + - 9.2.10.v20150310 + - 9.2.11.M0 + - 9.2.11.v20150529 + - 9.2.12.M0 + - 9.2.12.v20150709 + - 9.2.13.v20150730 + - 9.2.14.v20151106 + - 9.2.15.v20160210 + - 9.2.16.v20160414 + - 9.2.17.v20160517 + - 9.2.18.v20160721 + - 9.2.19.v20160908 + - 9.2.2.v20140723 + - 9.2.20.v20161216 + - 9.2.21.v20170120 + - 9.2.22.v20170606 + - 9.2.23.v20171218 + - 9.2.24.v20180105 + - 9.2.3.v20140905 + - 9.2.4.v20141103 + - 9.2.5.v20141112 + - 9.2.6.v20141205 + - 9.2.7.v20150116 + - 9.2.8.v20150217 + - 9.2.9.v20150224 + database_specific: + last_known_affected_version_range: <= 9.2.25.v20180105 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-vgg8-72f2-qm23/GHSA-vgg8-72f2-qm23.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.3.0 + - fixed: 9.3.24.v20180605 + versions: + - 9.3.0.v20150612 + - 9.3.1.v20150714 + - 9.3.10.M0 + - 9.3.10.v20160621 + - 9.3.11.M0 + - 9.3.11.v20160721 + - 9.3.12.v20160915 + - 9.3.13.M0 + - 9.3.13.v20161014 + - 9.3.14.v20161028 + - 
9.3.15.v20161220 + - 9.3.16.v20170120 + - 9.3.17.RC0 + - 9.3.17.v20170317 + - 9.3.18.v20170406 + - 9.3.19.v20170502 + - 9.3.2.v20150730 + - 9.3.20.v20170531 + - 9.3.21.M0 + - 9.3.21.RC0 + - 9.3.21.v20170918 + - 9.3.22.v20171030 + - 9.3.23.v20180228 + - 9.3.3.v20150827 + - 9.3.4.RC0 + - 9.3.4.RC1 + - 9.3.4.v20151007 + - 9.3.5.v20151012 + - 9.3.6.v20151106 + - 9.3.7.RC0 + - 9.3.7.RC1 + - 9.3.7.v20160115 + - 9.3.8.RC0 + - 9.3.8.v20160314 + - 9.3.9.M0 + - 9.3.9.M1 + - 9.3.9.v20160517 + database_specific: + last_known_affected_version_range: <= 9.3.23.v20180228 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-vgg8-72f2-qm23/GHSA-vgg8-72f2-qm23.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-7657 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:0910 + - type: WEB + url: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668 + - type: ADVISORY + url: https://github.com/advisories/GHSA-vgg8-72f2-qm23 + - type: WEB + url: https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae@%3Ccommits.druid.apache.org%3E + - type: WEB 
+ url: https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20181014-0001 + - type: WEB + url: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us + - type: WEB + url: https://www.debian.org/security/2018/dsa-4278 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: http://www.securitytracker.com/id/1041194 + database_specific: + cwe_ids: + - CWE-190 + - CWE-444 + github_reviewed: true + github_reviewed_at: "2020-06-16T21:57:40Z" + nvd_published_at: "2018-06-26T16:29:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-wfcc-pff6-rgc5 + modified: 2024-02-16T08:22:10.602897Z + published: 2018-10-19T16:15:46Z + aliases: + - CVE-2017-9735 + summary: Jetty vulnerable to exposure of sensitive information due to observable discrepancy + details: Jetty through 9.4.x contains a timing channel attack in `util/security/Password.java`, which allows attackers to obtain access by observing elapsed times before rejection of incorrect passwords. 
+ affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.4.0 + - fixed: 9.4.6.v20170531 + versions: + - 9.4.0.v20161208 + - 9.4.0.v20180619 + - 9.4.1.v20170120 + - 9.4.1.v20180619 + - 9.4.2.v20170220 + - 9.4.2.v20180619 + - 9.4.3.v20170317 + - 9.4.3.v20180619 + - 9.4.4.v20170414 + - 9.4.4.v20180619 + - 9.4.5.v20170502 + - 9.4.5.v20180619 + database_specific: + last_known_affected_version_range: <= 9.4.5.v20170502 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-wfcc-pff6-rgc5/GHSA-wfcc-pff6-rgc5.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.3.0 + - fixed: 9.3.20.v20170531 + versions: + - 9.3.0.v20150612 + - 9.3.1.v20150714 + - 9.3.10.M0 + - 9.3.10.v20160621 + - 9.3.11.M0 + - 9.3.11.v20160721 + - 9.3.12.v20160915 + - 9.3.13.M0 + - 9.3.13.v20161014 + - 9.3.14.v20161028 + - 9.3.15.v20161220 + - 9.3.16.v20170120 + - 9.3.17.RC0 + - 9.3.17.v20170317 + - 9.3.18.v20170406 + - 9.3.19.v20170502 + - 9.3.2.v20150730 + - 9.3.3.v20150827 + - 9.3.4.RC0 + - 9.3.4.RC1 + - 9.3.4.v20151007 + - 9.3.5.v20151012 + - 9.3.6.v20151106 + - 9.3.7.RC0 + - 9.3.7.RC1 + - 9.3.7.v20160115 + - 9.3.8.RC0 + - 9.3.8.v20160314 + - 9.3.9.M0 + - 9.3.9.M1 + - 9.3.9.v20160517 + database_specific: + last_known_affected_version_range: <= 9.3.19.v20170502 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-wfcc-pff6-rgc5/GHSA-wfcc-pff6-rgc5.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 9.2.22.v20170606 + versions: + - 7.0.0.M0 + - 7.0.0.M1 + - 7.0.0.M2 + - 7.0.0.M3 + - 7.0.0.M4 + - 7.0.0.RC0 
+ - 7.0.0.RC1 + - 7.0.0.RC2 + - 7.0.0.RC3 + - 7.0.0.RC4 + - 7.0.0.RC5 + - 7.0.0.RC6 + - 7.0.0.v20091005 + - 7.0.1.v20091125 + - 7.0.2.RC0 + - 7.0.2.v20100331 + - 7.1.0.RC0 + - 7.1.0.RC1 + - 7.1.0.v20100505 + - 7.1.1.v20100517 + - 7.1.2.v20100523 + - 7.1.3.v20100526 + - 7.1.4.v20100610 + - 7.1.5.v20100705 + - 7.1.6.v20100715 + - 7.2.0.RC0 + - 7.2.0.v20101020 + - 7.2.1.v20101111 + - 7.2.2.v20101205 + - 7.3.0.v20110203 + - 7.3.1.v20110307 + - 7.4.0.RC0 + - 7.4.0.v20110414 + - 7.4.1.v20110513 + - 7.4.2.v20110526 + - 7.4.3.v20110701 + - 7.4.4.v20110707 + - 7.4.5.v20110725 + - 7.5.0.RC0 + - 7.5.0.RC1 + - 7.5.0.RC2 + - 7.5.0.v20110901 + - 7.5.1.v20110908 + - 7.5.2.v20111006 + - 7.5.3.v20111011 + - 7.5.4.v20111024 + - 7.6.0.RC0 + - 7.6.0.RC1 + - 7.6.0.RC2 + - 7.6.0.RC3 + - 7.6.0.RC4 + - 7.6.0.RC5 + - 7.6.0.v20120127 + - 7.6.1.v20120215 + - 7.6.10.v20130312 + - 7.6.11.v20130520 + - 7.6.12.v20130726 + - 7.6.13.v20130916 + - 7.6.14.v20131031 + - 7.6.15.v20140411 + - 7.6.16.v20140903 + - 7.6.17.v20150415 + - 7.6.18.v20150929 + - 7.6.19.v20160209 + - 7.6.2.v20120308 + - 7.6.20.v20160902 + - 7.6.21.v20160908 + - 7.6.3.v20120416 + - 7.6.4.v20120524 + - 7.6.5.v20120716 + - 7.6.6.v20120903 + - 7.6.7.v20120910 + - 7.6.8.v20121106 + - 7.6.9.v20130131 + - 8.0.0.M0 + - 8.0.0.M1 + - 8.0.0.M2 + - 8.0.0.M3 + - 8.0.0.RC0 + - 8.0.0.v20110901 + - 8.0.1.v20110908 + - 8.0.2.v20111006 + - 8.0.3.v20111011 + - 8.0.4.v20111024 + - 8.1.0.RC0 + - 8.1.0.RC1 + - 8.1.0.RC2 + - 8.1.0.RC4 + - 8.1.0.RC5 + - 8.1.0.v20120127 + - 8.1.1.v20120215 + - 8.1.10.v20130312 + - 8.1.11.v20130520 + - 8.1.12.v20130726 + - 8.1.13.v20130916 + - 8.1.14.v20131031 + - 8.1.15.v20140411 + - 8.1.16.v20140903 + - 8.1.17.v20150415 + - 8.1.18.v20150929 + - 8.1.19.v20160209 + - 8.1.2.v20120308 + - 8.1.20.v20160902 + - 8.1.21.v20160908 + - 8.1.22.v20160922 + - 8.1.3.v20120416 + - 8.1.4.v20120524 + - 8.1.5.v20120716 + - 8.1.6.v20120903 + - 8.1.7.v20120910 + - 8.1.8.v20121106 + - 8.1.9.v20130131 + - 8.2.0.v20160908 + - 9.0.0.M0 + - 
9.0.0.M1 + - 9.0.0.M2 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M5 + - 9.0.0.RC0 + - 9.0.0.RC1 + - 9.0.0.RC2 + - 9.0.0.v20130308 + - 9.0.1.v20130408 + - 9.0.2.v20130417 + - 9.0.3.v20130506 + - 9.0.4.v20130625 + - 9.0.5.v20130815 + - 9.0.6.v20130930 + - 9.0.7.v20131107 + - 9.1.0.M0 + - 9.1.0.RC0 + - 9.1.0.RC1 + - 9.1.0.RC2 + - 9.1.0.v20131115 + - 9.1.1.v20140108 + - 9.1.2.v20140210 + - 9.1.3.v20140225 + - 9.1.4.v20140401 + - 9.1.5.v20140505 + - 9.1.6.v20160112 + - 9.2.0.M0 + - 9.2.0.M1 + - 9.2.0.RC0 + - 9.2.0.v20140526 + - 9.2.1.v20140609 + - 9.2.10.v20150310 + - 9.2.11.M0 + - 9.2.11.v20150529 + - 9.2.12.M0 + - 9.2.12.v20150709 + - 9.2.13.v20150730 + - 9.2.14.v20151106 + - 9.2.15.v20160210 + - 9.2.16.v20160414 + - 9.2.17.v20160517 + - 9.2.18.v20160721 + - 9.2.19.v20160908 + - 9.2.2.v20140723 + - 9.2.20.v20161216 + - 9.2.21.v20170120 + - 9.2.3.v20140905 + - 9.2.4.v20141103 + - 9.2.5.v20141112 + - 9.2.6.v20141205 + - 9.2.7.v20150116 + - 9.2.8.v20150217 + - 9.2.9.v20150224 + database_specific: + last_known_affected_version_range: <= 9.2.21.v20170120 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-wfcc-pff6-rgc5/GHSA-wfcc-pff6-rgc5.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-9735 + - type: WEB + url: https://github.com/eclipse/jetty.project/issues/1556 + - type: WEB + url: https://github.com/eclipse/jetty.project/commit/042f325f1cd6e7891d72c7e668f5947b5457dc02 + - type: WEB + url: https://bugs.debian.org/864631 + - type: PACKAGE + url: https://github.com/eclipse/jetty.project + - type: WEB + url: https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/36870f6c51f5bc25e6f7bb1fcace0e57e81f1524019b11f466738559@%3Ccommon-dev.hadoop.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f887a5978f5e4c62b9cfe876336628385cff429e796962649649ec8a@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html + - type: WEB + url: https://web.archive.org/web/20170826163336/http://www.securityfocus.com/bid/99104 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + database_specific: + cwe_ids: + - CWE-200 + - CWE-203 + github_reviewed: true + github_reviewed_at: "2020-06-16T22:00:10Z" + nvd_published_at: "2017-06-16T21:29:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-x3rh-m7vp-35f2 + modified: 2024-03-14T05:49:04.832402Z + published: 2020-08-05T14:52:59Z + aliases: + - CVE-2019-17638 + summary: Operation on a Resource after Expiration or Release in Jetty Server + details: In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with response2 data. 
Thread1 then proceeds to write the buffer that now contains response2 data. This results in client1, which issued request1 and expects responses, to see response2 which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.). + affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.4.27 + - fixed: 9.4.30.v20200611 + versions: + - 9.4.27.v20200227 + - 9.4.28.v20200408 + - 9.4.29.v20200521 + database_specific: + last_known_affected_version_range: <= 9.4.30.v20200610 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-x3rh-m7vp-35f2/GHSA-x3rh-m7vp-35f2.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-17638 + - type: WEB + url: https://github.com/eclipse/jetty.project/issues/4936 + - type: WEB + url: https://github.com/eclipse/jetty.project/commit/ff8ae56fa939c3477a0cdd1ff56ce3d902f08fba + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-575561 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XE6US6VPZHOWFMUSFGDS5V2DNQPY5MKB + - type: WEB + url: https://lists.apache.org/thread.html/rd98cfd012490cb02caa1a11aaa0cc38bff2d43bcce9b20c2f01063dd@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbe1f230e87ea947593145d0072d0097ddb0af10fee1161db8ca1546c@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/ra8661fc8c69c647cb06153c1485d48484a833d873f75dfe45937e9de@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9a2cfa56d30782a0c17a5deb951a622d1f5c8de48e1c3b578ffc2a84@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9584c4304c888f651d214341a939bd264ed30c9e3d0d30fe85097ecf@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r81f58591fb4716fb867b36956f30c7c8ad4ab3f23abc952d9d86a2a0@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7fc5f2ed49641ea91c433e3cd0fc3d31c0278c87b82b15c33b881415@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r521168299e023fb075b57afe33d17ff1d09e8a10e0fd8c775ea0e028@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4bdd3f7bb6820a79f9416b6667d718a06d269018619a75ce4b759318@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r378e4cdec15e132575aa1dcb6296ffeff2a896745a8991522e266ad4@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r29073905dc9139d0d7a146595694bf57bb9e35e5ec6aa73eb9c8443a@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2020/08/17/1 + database_specific: + cwe_ids: + - CWE-672 + - CWE-675 + github_reviewed: true + github_reviewed_at: "2020-08-03T20:11:29Z" + nvd_published_at: "2020-07-09T18:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-xc67-hjx6-cgg6 + modified: 2024-03-14T05:20:28.01192Z + published: 2019-04-23T16:07:12Z + aliases: + - CVE-2019-10247 + summary: Installation information leak in Eclipse Jetty + details: In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS 
and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. + affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 7.0.0 + - fixed: 9.2.28.v20190418 + versions: + - 7.0.0.v20091005 + - 7.0.1.v20091125 + - 7.0.2.RC0 + - 7.0.2.v20100331 + - 7.1.0.RC0 + - 7.1.0.RC1 + - 7.1.0.v20100505 + - 7.1.1.v20100517 + - 7.1.2.v20100523 + - 7.1.3.v20100526 + - 7.1.4.v20100610 + - 7.1.5.v20100705 + - 7.1.6.v20100715 + - 7.2.0.RC0 + - 7.2.0.v20101020 + - 7.2.1.v20101111 + - 7.2.2.v20101205 + - 7.3.0.v20110203 + - 7.3.1.v20110307 + - 7.4.0.RC0 + - 7.4.0.v20110414 + - 7.4.1.v20110513 + - 7.4.2.v20110526 + - 7.4.3.v20110701 + - 7.4.4.v20110707 + - 7.4.5.v20110725 + - 7.5.0.RC0 + - 7.5.0.RC1 + - 7.5.0.RC2 + - 7.5.0.v20110901 + - 7.5.1.v20110908 + - 7.5.2.v20111006 + - 7.5.3.v20111011 + - 7.5.4.v20111024 + - 7.6.0.RC0 + - 7.6.0.RC1 + - 7.6.0.RC2 + - 7.6.0.RC3 + - 7.6.0.RC4 + - 7.6.0.RC5 + - 7.6.0.v20120127 + - 7.6.1.v20120215 + - 7.6.10.v20130312 + - 7.6.11.v20130520 + - 7.6.12.v20130726 + - 7.6.13.v20130916 + - 7.6.14.v20131031 + - 7.6.15.v20140411 + - 7.6.16.v20140903 + - 7.6.17.v20150415 + - 7.6.18.v20150929 + - 7.6.19.v20160209 + - 7.6.2.v20120308 + - 7.6.20.v20160902 + - 7.6.21.v20160908 + - 7.6.3.v20120416 + - 7.6.4.v20120524 + - 7.6.5.v20120716 + - 7.6.6.v20120903 + - 7.6.7.v20120910 + - 7.6.8.v20121106 + - 7.6.9.v20130131 + - 
8.0.0.M0 + - 8.0.0.M1 + - 8.0.0.M2 + - 8.0.0.M3 + - 8.0.0.RC0 + - 8.0.0.v20110901 + - 8.0.1.v20110908 + - 8.0.2.v20111006 + - 8.0.3.v20111011 + - 8.0.4.v20111024 + - 8.1.0.RC0 + - 8.1.0.RC1 + - 8.1.0.RC2 + - 8.1.0.RC4 + - 8.1.0.RC5 + - 8.1.0.v20120127 + - 8.1.1.v20120215 + - 8.1.10.v20130312 + - 8.1.11.v20130520 + - 8.1.12.v20130726 + - 8.1.13.v20130916 + - 8.1.14.v20131031 + - 8.1.15.v20140411 + - 8.1.16.v20140903 + - 8.1.17.v20150415 + - 8.1.18.v20150929 + - 8.1.19.v20160209 + - 8.1.2.v20120308 + - 8.1.20.v20160902 + - 8.1.21.v20160908 + - 8.1.22.v20160922 + - 8.1.3.v20120416 + - 8.1.4.v20120524 + - 8.1.5.v20120716 + - 8.1.6.v20120903 + - 8.1.7.v20120910 + - 8.1.8.v20121106 + - 8.1.9.v20130131 + - 8.2.0.v20160908 + - 9.0.0.M0 + - 9.0.0.M1 + - 9.0.0.M2 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M5 + - 9.0.0.RC0 + - 9.0.0.RC1 + - 9.0.0.RC2 + - 9.0.0.v20130308 + - 9.0.1.v20130408 + - 9.0.2.v20130417 + - 9.0.3.v20130506 + - 9.0.4.v20130625 + - 9.0.5.v20130815 + - 9.0.6.v20130930 + - 9.0.7.v20131107 + - 9.1.0.M0 + - 9.1.0.RC0 + - 9.1.0.RC1 + - 9.1.0.RC2 + - 9.1.0.v20131115 + - 9.1.1.v20140108 + - 9.1.2.v20140210 + - 9.1.3.v20140225 + - 9.1.4.v20140401 + - 9.1.5.v20140505 + - 9.1.6.v20160112 + - 9.2.0.M0 + - 9.2.0.M1 + - 9.2.0.RC0 + - 9.2.0.v20140526 + - 9.2.1.v20140609 + - 9.2.10.v20150310 + - 9.2.11.M0 + - 9.2.11.v20150529 + - 9.2.12.M0 + - 9.2.12.v20150709 + - 9.2.13.v20150730 + - 9.2.14.v20151106 + - 9.2.15.v20160210 + - 9.2.16.v20160414 + - 9.2.17.v20160517 + - 9.2.18.v20160721 + - 9.2.19.v20160908 + - 9.2.2.v20140723 + - 9.2.20.v20161216 + - 9.2.21.v20170120 + - 9.2.22.v20170606 + - 9.2.23.v20171218 + - 9.2.24.v20180105 + - 9.2.25.v20180606 + - 9.2.26.v20180806 + - 9.2.27.v20190403 + - 9.2.3.v20140905 + - 9.2.4.v20141103 + - 9.2.5.v20141112 + - 9.2.6.v20141205 + - 9.2.7.v20150116 + - 9.2.8.v20150217 + - 9.2.9.v20150224 + database_specific: + last_known_affected_version_range: <= 9.2.27.v20190403 + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-xc67-hjx6-cgg6/GHSA-xc67-hjx6-cgg6.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.3.0 + - fixed: 9.3.27.v20190418 + versions: + - 9.3.0.v20150612 + - 9.3.1.v20150714 + - 9.3.10.M0 + - 9.3.10.v20160621 + - 9.3.11.M0 + - 9.3.11.v20160721 + - 9.3.12.v20160915 + - 9.3.13.M0 + - 9.3.13.v20161014 + - 9.3.14.v20161028 + - 9.3.15.v20161220 + - 9.3.16.v20170120 + - 9.3.17.RC0 + - 9.3.17.v20170317 + - 9.3.18.v20170406 + - 9.3.19.v20170502 + - 9.3.2.v20150730 + - 9.3.20.v20170531 + - 9.3.21.M0 + - 9.3.21.RC0 + - 9.3.21.v20170918 + - 9.3.22.v20171030 + - 9.3.23.v20180228 + - 9.3.24.v20180605 + - 9.3.25.v20180904 + - 9.3.26.v20190403 + - 9.3.3.v20150827 + - 9.3.4.RC0 + - 9.3.4.RC1 + - 9.3.4.v20151007 + - 9.3.5.v20151012 + - 9.3.6.v20151106 + - 9.3.7.RC0 + - 9.3.7.RC1 + - 9.3.7.v20160115 + - 9.3.8.RC0 + - 9.3.8.v20160314 + - 9.3.9.M0 + - 9.3.9.M1 + - 9.3.9.v20160517 + database_specific: + last_known_affected_version_range: <= 9.3.26.v20190403 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-xc67-hjx6-cgg6/GHSA-xc67-hjx6-cgg6.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-server + purl: pkg:maven/org.eclipse.jetty/jetty-server + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.4.0 + - fixed: 9.4.17.v20190418 + versions: + - 9.4.0.v20161208 + - 9.4.0.v20180619 + - 9.4.1.v20170120 + - 9.4.1.v20180619 + - 9.4.10.RC0 + - 9.4.10.RC1 + - 9.4.10.v20180503 + - 9.4.11.v20180605 + - 9.4.12.RC0 + - 9.4.12.RC1 + - 9.4.12.RC2 + - 9.4.12.v20180830 + - 9.4.13.v20181111 + - 9.4.14.v20181114 + - 9.4.15.v20190215 + - 9.4.16.v20190411 + - 9.4.2.v20170220 + - 9.4.2.v20180619 + - 9.4.3.v20170317 + - 9.4.3.v20180619 + - 9.4.4.v20170414 + - 9.4.4.v20180619 + - 9.4.5.v20170502 + - 
9.4.5.v20180619 + - 9.4.6.v20170531 + - 9.4.6.v20180619 + - 9.4.7.RC0 + - 9.4.7.v20170914 + - 9.4.7.v20180619 + - 9.4.8.v20171121 + - 9.4.8.v20180619 + - 9.4.9.v20180320 + database_specific: + last_known_affected_version_range: <= 9.4.16.v20190411 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-xc67-hjx6-cgg6/GHSA-xc67-hjx6-cgg6.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-10247 + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.debian.org/security/2021/dsa-4949 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20190509-0003 + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html + - type: WEB + url: https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E + - type: WEB + url: https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577 + database_specific: + cwe_ids: + - CWE-200 + - CWE-213 + github_reviewed: true + github_reviewed_at: "2019-04-23T16:04:31Z" + nvd_published_at: "2019-04-22T20:29:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-g3wg-6mcf-8jj6 + modified: 2024-03-13T05:33:39.122153Z + published: 2020-11-04T17:50:24Z + aliases: + - CVE-2020-27216 + summary: Local Temp Directory Hijacking Vulnerability + details: "### Impact\nOn Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. 
If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.\n\nAdditionally, any user code uses of [WebAppContext::getTempDirectory](https://www.eclipse.org/jetty/javadoc/9.4.31.v20200723/org/eclipse/jetty/webapp/WebAppContext.html#getTempDirectory()) would similarly be vulnerable.\n\nAdditionally, any user application code using the `ServletContext` attribute for the tempdir will also be impacted.\nSee: https://javaee.github.io/javaee-spec/javadocs/javax/servlet/ServletContext.html#TEMPDIR\n\nFor example:\n```java\nimport java.io.File;\nimport java.io.IOException;\nimport javax.servlet.ServletContext;\nimport javax.servlet.ServletException;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\n\npublic class ExampleServlet extends HttpServlet {\n @Override\n protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {\n File tempDir = (File)getServletContext().getAttribute(ServletContext.TEMPDIR); // Potentially compromised\n // do something with that temp dir\n }\n}\n```\n\nExample: The JSP library itself will use the container temp directory for compiling the JSP source into Java classes before executing them.\n\n### CVSSv3.1 Evaluation\n\nThis vulnerability has been calculated to have a [CVSSv3.1 score of 7.8/10 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1)\n\n### Patches\nFixes were applied to the 9.4.x branch with:\n- https://github.com/eclipse/jetty.project/commit/53e0e0e9b25a6309bf24ee3b10984f4145701edb\n- https://github.com/eclipse/jetty.project/commit/9ad6beb80543b392c91653f6bfce233fc75b9d5f\n\nThese will be included in releases: 9.4.33, 10.0.0.beta3, 11.0.0.beta3\n\n### Workarounds\n\nA work around is to set a temporary directory, either for the server or the 
context, to a directory outside of the shared temporary file system.\nFor recent releases, a temporary directory can be created simple by creating a directory called `work` in the ${jetty.base} directory (the parent directory of the `webapps` directory).\nAlternately the java temporary directory can be set with the System Property `java.io.tmpdir`. A more detailed description of how jetty selects a temporary directory is below.\n\nThe Jetty search order for finding a temporary directory is as follows:\n\n1. If the [`WebAppContext` has a temp directory specified](https://www.eclipse.org/jetty/javadoc/current/org/eclipse/jetty/webapp/WebAppContext.html#setTempDirectory(java.io.File)), use it.\n2. If the `ServletContext` has the `javax.servlet.context.tempdir` attribute set, and if directory exists, use it.\n3. If a `${jetty.base}/work` directory exists, use it (since Jetty 9.1)\n4. If a `ServletContext` has the `org.eclipse.jetty.webapp.basetempdir` attribute set, and if the directory exists, use it.\n5. Use `System.getProperty(\"java.io.tmpdir\")` and use it.\n\nJetty will end traversal at the first successful step.\nTo mitigate this vulnerability the directory must be set to one that is not writable by an attacker. 
To avoid information leakage, the directory should also not be readable by an attacker.\n\n#### Setting a Jetty server temporary directory.\n\nChoices 3 and 5 apply to the server level, and will impact all deployed webapps on the server.\n\nFor choice 3 just create that work directory underneath your `${jetty.base}` and restart Jetty.\n\nFor choice 5, just specify your own `java.io.tmpdir` when you start the JVM for Jetty.\n\n``` shell\n[jetty-distribution]$ java -Djava.io.tmpdir=/var/web/work -jar start.jar\n```\n\n#### Setting a Context specific temporary directory.\n\nThe rest of the choices require you to configure the context for that deployed webapp (seen as `${jetty.base}/webapps/.xml`)\n\nExample (excluding the DTD which is version specific):\n\n``` xml\n\n \n /var/web/webapps/foo.war\n /var/web/work/foo\n\n```\n\n### References\n \n - https://github.com/eclipse/jetty.project/issues/5451\n - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\n - [CodeQL Query PR To Detect Similar Vulnerabilities](https://github.com/github/codeql/pull/4473)\n\n### Similar Vulnerabilities\n\nSimilar, but not the same.\n\n - JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\n - Google Guava - https://github.com/google/guava/issues/4011\n - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945\n - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824\n\n### For more information\n\nThe original report of this vulnerability is below:\n\n> On Thu, 15 Oct 2020 at 21:14, Jonathan Leitschuh wrote:\n> Hi WebTide Security Team,\n>\n> I'm a security researcher writing some custom CodeQL queries to find Local Temporary Directory Hijacking Vulnerabilities. 
One of my queries flagged an issue in Jetty.\n>\n> https://lgtm.com/query/5615014766184643449/\n>\n> I've recently been looking into security vulnerabilities involving the temporary directory because on unix-like systems, the system temporary directory is shared between all users.\n> There exists a race condition between the deletion of the temporary file and the creation of the directory.\n>\n> ```java\n> // ensure file will always be unique by appending random digits\n> tmpDir = File.createTempFile(temp, \".dir\", parent); // Attacker knows the full path of the file that will be generated\n> // delete the file that was created\n> tmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Jetty.\n> // and make a directory of the same name\n> // SECURITY VULNERABILITY: Race Condition! - Attacker beats Jetty and now owns this directory\n> tmpDir.mkdirs();\n> ```\n>\n> https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L511-L518\n>\n> In several cases the `parent` parameter will not be the system temporary directory. However, there is one case where it will be, as the last fallback.\n>\n>\n> https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L467-L468\n>\n> If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.\n>\n> Would your team be willing to open a GitHub security advisory to continue the discussion and disclosure there? https://github.com/eclipse/jetty.project/security/advisories\n>\n> **This vulnerability disclosure follows Google's [90-day vulnerability disclosure policy](https://www.google.com/about/appsecurity/) (I'm not an employee of Google, I just like their policy). 
Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first.**\n>\n> Cheers,\n> Jonathan Leitschuh\n\n\n" + affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-webapp + purl: pkg:maven/org.eclipse.jetty/jetty-webapp + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 9.4.33.v20201020 + versions: + - 7.0.0.M0 + - 7.0.0.M1 + - 7.0.0.M2 + - 7.0.0.M3 + - 7.0.0.M4 + - 7.0.0.RC0 + - 7.0.0.RC1 + - 7.0.0.RC2 + - 7.0.0.RC3 + - 7.0.0.RC4 + - 7.0.0.RC5 + - 7.0.0.RC6 + - 7.0.0.v20091005 + - 7.0.1.v20091125 + - 7.0.2.RC0 + - 7.0.2.v20100331 + - 7.1.0.RC0 + - 7.1.0.RC1 + - 7.1.0.v20100505 + - 7.1.1.v20100517 + - 7.1.2.v20100523 + - 7.1.3.v20100526 + - 7.1.4.v20100610 + - 7.1.5.v20100705 + - 7.1.6.v20100715 + - 7.2.0.RC0 + - 7.2.0.v20101020 + - 7.2.1.v20101111 + - 7.2.2.v20101205 + - 7.3.0.v20110203 + - 7.3.1.v20110307 + - 7.4.0.RC0 + - 7.4.0.v20110414 + - 7.4.1.v20110513 + - 7.4.2.v20110526 + - 7.4.3.v20110701 + - 7.4.4.v20110707 + - 7.4.5.v20110725 + - 7.5.0.RC0 + - 7.5.0.RC1 + - 7.5.0.RC2 + - 7.5.0.v20110901 + - 7.5.1.v20110908 + - 7.5.2.v20111006 + - 7.5.3.v20111011 + - 7.5.4.v20111024 + - 7.6.0.RC0 + - 7.6.0.RC1 + - 7.6.0.RC2 + - 7.6.0.RC3 + - 7.6.0.RC4 + - 7.6.0.RC5 + - 7.6.0.v20120127 + - 7.6.1.v20120215 + - 7.6.10.v20130312 + - 7.6.11.v20130520 + - 7.6.12.v20130726 + - 7.6.13.v20130916 + - 7.6.14.v20131031 + - 7.6.15.v20140411 + - 7.6.16.v20140903 + - 7.6.17.v20150415 + - 7.6.18.v20150929 + - 7.6.19.v20160209 + - 7.6.2.v20120308 + - 7.6.20.v20160902 + - 7.6.21.v20160908 + - 7.6.3.v20120416 + - 7.6.4.v20120524 + - 7.6.5.v20120716 + - 7.6.6.v20120903 + - 7.6.7.v20120910 + - 7.6.8.v20121106 + - 7.6.9.v20130131 + - 8.0.0.M0 + - 8.0.0.M1 + - 8.0.0.M2 + - 8.0.0.M3 + - 8.0.0.RC0 + - 8.0.0.v20110901 + - 8.0.1.v20110908 + - 8.0.2.v20111006 + - 8.0.3.v20111011 + - 8.0.4.v20111024 + - 8.1.0.RC0 + - 8.1.0.RC1 + - 8.1.0.RC2 + - 8.1.0.RC4 + - 8.1.0.RC5 + - 
8.1.0.v20120127 + - 8.1.1.v20120215 + - 8.1.10.v20130312 + - 8.1.11.v20130520 + - 8.1.12.v20130726 + - 8.1.13.v20130916 + - 8.1.14.v20131031 + - 8.1.15.v20140411 + - 8.1.16.v20140903 + - 8.1.17.v20150415 + - 8.1.18.v20150929 + - 8.1.19.v20160209 + - 8.1.2.v20120308 + - 8.1.20.v20160902 + - 8.1.21.v20160908 + - 8.1.22.v20160922 + - 8.1.3.v20120416 + - 8.1.4.v20120524 + - 8.1.5.v20120716 + - 8.1.6.v20120903 + - 8.1.7.v20120910 + - 8.1.8.v20121106 + - 8.1.9.v20130131 + - 8.2.0.v20160908 + - 9.0.0.M0 + - 9.0.0.M1 + - 9.0.0.M2 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M5 + - 9.0.0.RC0 + - 9.0.0.RC1 + - 9.0.0.RC2 + - 9.0.0.v20130308 + - 9.0.1.v20130408 + - 9.0.2.v20130417 + - 9.0.3.v20130506 + - 9.0.4.v20130625 + - 9.0.5.v20130815 + - 9.0.6.v20130930 + - 9.0.7.v20131107 + - 9.1.0.M0 + - 9.1.0.RC0 + - 9.1.0.RC1 + - 9.1.0.RC2 + - 9.1.0.v20131115 + - 9.1.1.v20140108 + - 9.1.2.v20140210 + - 9.1.3.v20140225 + - 9.1.4.v20140401 + - 9.1.5.v20140505 + - 9.1.6.v20160112 + - 9.2.0.M0 + - 9.2.0.M1 + - 9.2.0.RC0 + - 9.2.0.v20140526 + - 9.2.1.v20140609 + - 9.2.10.v20150310 + - 9.2.11.M0 + - 9.2.11.v20150529 + - 9.2.12.M0 + - 9.2.12.v20150709 + - 9.2.13.v20150730 + - 9.2.14.v20151106 + - 9.2.15.v20160210 + - 9.2.16.v20160414 + - 9.2.17.v20160517 + - 9.2.18.v20160721 + - 9.2.19.v20160908 + - 9.2.2.v20140723 + - 9.2.20.v20161216 + - 9.2.21.v20170120 + - 9.2.22.v20170606 + - 9.2.23.v20171218 + - 9.2.24.v20180105 + - 9.2.25.v20180606 + - 9.2.26.v20180806 + - 9.2.27.v20190403 + - 9.2.28.v20190418 + - 9.2.29.v20191105 + - 9.2.3.v20140905 + - 9.2.30.v20200428 + - 9.2.4.v20141103 + - 9.2.5.v20141112 + - 9.2.6.v20141205 + - 9.2.7.v20150116 + - 9.2.8.v20150217 + - 9.2.9.v20150224 + - 9.3.0.M0 + - 9.3.0.M1 + - 9.3.0.M2 + - 9.3.0.RC0 + - 9.3.0.RC1 + - 9.3.0.v20150612 + - 9.3.1.v20150714 + - 9.3.10.M0 + - 9.3.10.v20160621 + - 9.3.11.M0 + - 9.3.11.v20160721 + - 9.3.12.v20160915 + - 9.3.13.M0 + - 9.3.13.v20161014 + - 9.3.14.v20161028 + - 9.3.15.v20161220 + - 9.3.16.v20170120 + - 9.3.17.RC0 + - 
9.3.17.v20170317 + - 9.3.18.v20170406 + - 9.3.19.v20170502 + - 9.3.2.v20150730 + - 9.3.20.v20170531 + - 9.3.21.M0 + - 9.3.21.RC0 + - 9.3.21.v20170918 + - 9.3.22.v20171030 + - 9.3.23.v20180228 + - 9.3.24.v20180605 + - 9.3.25.v20180904 + - 9.3.26.v20190403 + - 9.3.27.v20190418 + - 9.3.28.v20191105 + - 9.3.29.v20201019 + - 9.3.3.v20150827 + - 9.3.30.v20211001 + - 9.3.4.RC0 + - 9.3.4.RC1 + - 9.3.4.v20151007 + - 9.3.5.v20151012 + - 9.3.6.v20151106 + - 9.3.7.RC0 + - 9.3.7.RC1 + - 9.3.7.v20160115 + - 9.3.8.RC0 + - 9.3.8.v20160314 + - 9.3.9.M0 + - 9.3.9.M1 + - 9.3.9.v20160517 + - 9.4.0.M0 + - 9.4.0.M1 + - 9.4.0.RC0 + - 9.4.0.RC1 + - 9.4.0.RC2 + - 9.4.0.RC3 + - 9.4.0.v20161208 + - 9.4.0.v20180619 + - 9.4.1.v20170120 + - 9.4.1.v20180619 + - 9.4.10.RC0 + - 9.4.10.RC1 + - 9.4.10.v20180503 + - 9.4.11.v20180605 + - 9.4.12.RC0 + - 9.4.12.RC1 + - 9.4.12.RC2 + - 9.4.12.v20180830 + - 9.4.13.v20181111 + - 9.4.14.v20181114 + - 9.4.15.v20190215 + - 9.4.16.v20190411 + - 9.4.17.v20190418 + - 9.4.18.v20190429 + - 9.4.19.v20190610 + - 9.4.2.v20170220 + - 9.4.2.v20180619 + - 9.4.20.v20190813 + - 9.4.21.v20190926 + - 9.4.22.v20191022 + - 9.4.23.v20191118 + - 9.4.24.v20191120 + - 9.4.25.v20191220 + - 9.4.26.v20200117 + - 9.4.27.v20200227 + - 9.4.28.v20200408 + - 9.4.29.v20200521 + - 9.4.3.v20170317 + - 9.4.3.v20180619 + - 9.4.30.v20200611 + - 9.4.31.v20200723 + - 9.4.32.v20200930 + - 9.4.4.v20170414 + - 9.4.4.v20180619 + - 9.4.5.v20170502 + - 9.4.5.v20180619 + - 9.4.6.v20170531 + - 9.4.6.v20180619 + - 9.4.7.RC0 + - 9.4.7.v20170914 + - 9.4.7.v20180619 + - 9.4.8.v20171121 + - 9.4.8.v20180619 + - 9.4.9.v20180320 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json + - package: + ecosystem: Maven + name: org.mortbay.jetty:jetty-webapp + purl: pkg:maven/org.mortbay.jetty/jetty-webapp + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 9.4.33 + versions: + - 7.0.0.pre4 
+ - 7.0.0.pre5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-webapp + purl: pkg:maven/org.eclipse.jetty/jetty-webapp + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.0.0.beta1 + - fixed: 10.0.0.beta3 + versions: + - 10.0.0.beta1 + - 10.0.0.beta2 + database_specific: + last_known_affected_version_range: <= 10.0.0.beta2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json + - package: + ecosystem: Maven + name: org.mortbay.jetty:jetty-webapp + purl: pkg:maven/org.mortbay.jetty/jetty-webapp + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.0.0.beta1 + - fixed: 10.0.0.beta3 + database_specific: + last_known_affected_version_range: <= 10.0.0.beta2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-webapp + purl: pkg:maven/org.eclipse.jetty/jetty-webapp + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0.beta1 + - fixed: 11.0.0.beta3 + versions: + - 11.0.0.beta1 + - 11.0.0.beta2 + database_specific: + last_known_affected_version_range: <= 11.0.0.beta2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json + - package: + ecosystem: Maven + name: org.mortbay.jetty:jetty-webapp + purl: pkg:maven/org.mortbay.jetty/jetty-webapp + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0.beta1 + - fixed: 11.0.0.beta3 + database_specific: + last_known_affected_version_range: <= 11.0.0.beta2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json + 
severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H + references: + - type: WEB + url: https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6 + - type: WEB + url: https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053 + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-27216 + - type: WEB + url: https://github.com/eclipse/jetty.project/issues/5451 + - type: WEB + url: https://github.com/github/codeql/pull/4473 + - type: WEB + url: https://lists.apache.org/thread.html/raa9c370ab42d737e93bc1795bb6a2187d7c60210cd5e3b3ce8f3c484@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rad255c736fad46135f1339408cb0147d0671e45c376c3be85ceeec1a@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rae15d73cabef55bad148e4e6449b05da95646a2a8db3fc938e858dff@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raf9c581b793c30ff8f55f2415c7bd337eb69775aae607bf9ed1b16fb@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rafb023a7c61180a1027819678eb2068b0b60cd5c2559cb8490e26c81@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb077d35f2940191daeefca0d6449cddb2e9d06bcf8f5af4da2df3ca2@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb5f2558ea2ac63633dfb04db1e8a6ea6bb1a2b8614899095e16c6233@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb69b1d7008a4b3de5ce5867e41a455693907026bc70ead06867aa323@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb7e159636b26156f6ef2b2a1a79b3ec9a026923b5456713e68f7c18e@%3Cissues.beam.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rb81a018f83fe02c95a2138a7bb4f1e1677bd7e1fc1e7024280c2292d@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb8ad3745cb94c60d44cc369aff436eaf03dbc93112cefc86a2ed53ba@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb8c007f87dc57731a7b9a3b05364530422535b7e0bc6a0c5b68d4d55@%3Cdev.felix.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbc5a622401924fadab61e07393235838918228b3d8a1a6704295b032@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbc5a8d7a0a13bc8152d427a7e9097cdeb139c6cfe111b2f00f26d16b@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbf99e4495461099cad9aa62e0164f8f25a7f97b791b4ace56e375f8d@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc1646894341450fdc4f7e96a88f5e2cf18d8004714f98aec6b831b3e@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc1d9b8e9d17749d4d2b9abaaa72c422d090315bd6bc0ae73a16abc1c@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re08b03cd1754b32f342664eead415af48092c630c8e3e0deba862a26@%3Ccommits.shiro.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1d45051310b11c6d6476f20d71b08ea97cb76846cbf61d196bac1c3f@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8cacf91ae1b17cc6531d20953c52fa52f6fd3191deb3383446086ab7@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8dd01541fc49d24ec223365a9974231cbd7378b749247a89b0a52210@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8fead0144bb84d8714695c43607dca9c5101aa028a431ec695882fe5@%3Cissues.beam.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r90b5ac6e2bf190a5297bda58c7ec76d01cd86ff050b2470fcd9f4b35@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r911c1879258ebf98bca172c0673350eb7ea6569ca1735888d4cb7adc@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r916b6542bd5b15a8a7ff8fc14a0e0331e8e3e9d682f22768ae71d775@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r93b240be16e642579ed794325bae31b040e1af896ecc12466642e19d@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r93d5e81e879120d8d87925dbdd4045cb3afa9b066f4370f60b626ce3@%3Ccommits.druid.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9b790fe3a93121199f41258474222f15002b2f729495aa7ecbf90718@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9c010b79140452294292379183e7fe8e3533c5bb4db3f3fb39a6df61@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9cc76b98f87738791b8ec3736755f92444d3c8cb26bd4e4ffdb5c1cc@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9cd444f944241dc26d9b8b007fe8971ed7f005b56befef7a4f4fb827@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9d9b4b93df7f92cdf1147db0fc169be1776c93d1fbc63bc65721fffd@%3Cdev.knox.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9f8c45a2a4540911cd8bd0485f67e8091883c9234d7a3aeb349c46c1@%3Creviews.iotdb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra1f19625cc67ac1b459c558f2ea5647d71ce51c6fe4f4cb03baec849@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra55e04d5a73afcb8383f4386e2b26832c6e3972e53827021ab885943@%3Ccommits.shiro.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/ra5b7313d8cc9411db6790adfba33f2cf0665cb77adb7b02043c95867@%3Cdev.felix.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re5706141ca397587f7ee0f500a39ccc590a41f802fc125fc135cb92f@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ree506849c4f04376793b1a3076bc017da60b8a2ef2702dc214ff826f@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/refbbb0eb65c185d1fa491cee08ac8ed32708ce3b269133a6da264317@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf00ea6376f3d0e8b8f62cf6d4a4f28b24e27193acd2c851f618aa41e@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf3bc023a7cc729aeac72f482e2eeeab9008aa6b1dadbeb3f45320cae@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfd9f102864a039f7fda64a580dfe1a342d65d7b723ca06dc9fbceb31@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfe5caef1fd6cf4b8ceac1b63c33195f2908517b665c946c020d3fbd6@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfe6ba83d14545e982400dea89e68b10113cb5202a3dcb558ce64842d@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rff0ad6a7dac2182421e2db2407e44fbb61a89904adfd91538f21fbf8@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20201123-0005 + - type: WEB + url: https://www.debian.org/security/2021/dsa-4949 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuApr2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + 
url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://lists.apache.org/thread.html/rc2e24756d28580eeac811c5c6a12012c9f424b6e5bffb89f98ee3d03@%3Cdev.felix.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc44d1147f78496ec9932a38b28795ff4fd0c4fa6e3b6f5cc33c14d29@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc4b972ea10c5a65c6a88a6e233778718ab9af7f484affdd5e5de0cff@%3Ccommits.felix.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc77918636d8744d50312e4f67ba2e01f47db3ec5144540df8745cb38@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc8dd95802be0cca8d7d0929c0c8484ede384ecb966b2a9dc7197b089@%3Creviews.iotdb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc9d2ab8a6c7835182f20b01104798e67c75db655c869733a0713a590@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rccedec4cfd5df6761255b71349e3b7c27ee0745bd33698a71b1775cf@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcdcf32952397c83a1d617a8c9cd5c15c98b8d0d38a607972956bde7e@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcdd56ab4255801a0964dcce3285e87f2c6994e6469e189f6836f34e3@%3Cnotifications.iotdb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcfb95a7c69c4b9c082ea1918e812dfc45aa0d1e120fd47f68251a336@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcff5caebfd535195276aaabc1b631fd55a4ff6b14e2bdfe33f18ff91@%3Creviews.iotdb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd58b60ab2e49ebf21022e59e280feb25899ff785c88f31fe314aa5b9@%3Ccommits.shiro.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rd7e62e2972a41c2658f41a824b8bdd15644d80fcadc51fe7b7c855de@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdbf1cd0ab330c032f3a09b453cb6405dccc905ad53765323bddab957@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rdddb4b06e86fd58a1beda132f22192af2f9b56aae8849cb3767ccd55@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rde11c433675143d8d27551c3d9e821fe1955f1551a518033d3716553@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rde782fd8e133f7e04e50c8aaa4774df524367764eb5b85bf60d96747@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1dbb87c9255ecefadd8de514fa1d35c1d493c0527d7672cf40505d04@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1ed79516bd6d248ea9f0e704dbfd7de740d5a75b71c7be8699fec824@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1ef28b89ff0281c87ba3a7659058789bf28a99b8074191f1c3678db8@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1fe31643fc34b4a33ae3d416d92c271aa97663f1782767d25e1d9ff8@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2122537d3f9beb0ce59f44371a951b226406719919656ed000984bd0@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r279254a1bd6434c943da52000476f307e62b6910755387aeca1ec9a1@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2aa316d008dab9ae48350b330d15dc1b863ea2a933558fbfc42b91a6@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2d17b2a4803096ba427f3575599ea29b55f5cf9dbc1f12ba044cae1a@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r2e02700f7cfecb213de50be83e066086bea90278cd753db7fdc2ccff@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2f732ee49d00610683ab5ddb4692ab25136b00bfd132ca3a590218a9@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3042a9dd2973aa229e52d022df7813e4d74b67df73bfa6d97bb0caf8@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r336b1694a01858111e4625fb9ab2b07ad43a64a525cf6402e06aa6bf@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r351298dd39fc1ab63303be94b0c0d08acd72b17448e0346d7386189b@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r382870d6ccfd60533eb0d980688261723ed8a0704dafa691c4e9aa68@%3Ccommits.iotdb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3a763de620be72b6d74f46ec4bf39c9f35f8a0b39993212c0ac778ec@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3b0ce1549a1ccdd7e51ec66daf8d54d46f1571edbda88ed09c96d7da@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921 + - type: WEB + url: https://cwe.mitre.org/data/definitions/378.html + - type: WEB + url: https://cwe.mitre.org/data/definitions/379.html + - type: PACKAGE + url: https://github.com/eclipse/jetty.project + - type: WEB + url: https://lists.apache.org/thread.html/r0259b14ae69b87821e27fed1f5333ea86018294fd31aab16b1fac84e@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r07525dc424ed69b3919618599e762f9ac03791490ca9d724f2241442@%3Cdev.felix.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r09b345099b4f88d2bed7f195a96145849243fb4e53661aa3bcf4c176@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0d7ad4f02c44d5d53a9ffcbca7ff4a8138241322da9c5c35b5429630@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0d95e01f52667f44835c40f6dea72bb4397f33cd70a564ea74f3836d@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0df8fe10fc36028cf6d0381ab66510917d0d68bc5ef7042001d03830@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0e9efe032cc65433251ee6470c66c334d4e7db9101e24cf91a3961f2@%3Ccommits.directory.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0f5e9b93133ef3aaf31484bc3e15cc4b85f8af0fe4de2dacd9379d72@%3Cdev.felix.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r100c5c7586a23a19fdb54d8a32e17cd0944bdaa46277b35c397056f6@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r171846414347ec5fed38241a9f8a009bd2c89d902154c6102b1fb39a@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r185d10aae8161c08726f3ba9a1f1c47dfb97624ea6212fa217173204@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r18b6f10d9939419bae9c225d5058c97533cb376c9d6d0a0733ddd48d@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r19e8b338af511641d211ff45c43646fe1ae19dc9897d69939c09cabe@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1d40368a309f9d835dcdd900249966e4fcbdf98c1cc4c84db2cd9964@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6b83ca85c8f9a6794b1f85bc70d1385ed7bc1ad07750d0977537154a@%3Cissues.beam.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r6dfa64ecc3d67c1a71c08bfa04064549179d499f8e20a8285c57bd51@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6f51a654ac2e67e3d1c65a8957cbbb127c3f15b64b4fcd626df03633@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r70f8bcccd304bd66c1aca657dbfc2bf11f73add9032571b01f1f733d@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r71da5f51ef04cb95abae560425dce9667740cbd567920f516f76efb7@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r73b5a9b677b707bbb7c1469ea746312c47838b312603bada9e382bba@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r761a52f1e214efec286ee80045d0012e955eebaa72395ad62cccbcfc@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r769411eb43dd9ef77665700deb7fc491fc3ceb532914260c90b56f2f@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r77dd041d8025a869156481d2268c67ad17121f64e31f9b4a1a220145@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7bdc83513c12db1827b79b8d57a7a0975a25d28bc6c5efe590ec1e02@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7da5ae60d7973e8894cfe92f49ecb5b47417eefab4c77cc87514d3cf@%3Cdev.felix.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8045eedd6bb74efcd8e01130796adbab98ee4a0d1273509fb1f2077a@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r819857361f5a156e90d6d06ccf6c41026bc99030d60d0804be3a9957@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r827d17bf6900eddc686f4b6ee16fc5e52ca0070f8df7612222c40ac5@%3Cissues.beam.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r874688141495df766e62be095f1dfb0bf4a24ca0340d8e0215c03fab@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r87b0c69fef09277333a7e1716926d1f237d462e143a335854ddd922f@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r87d8337300a635d66f0bb838bf635cdfcbba6b92c608a7813adbf4f4@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8866f0cd2a3b319288b7eea20ac137b9f260c813d10ee2db88b65d32@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3e05ab0922876e74fea975d70af82b98580f4c14ba643c4f8a9e3a94@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3f32cb4965239399c22497a0aabb015b28b2372d4897185a6ef0ccd7@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r407c316f6113dfc76f7bb3cb1693f08274c521064a92e5214197548e@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4179c71908778cc0598ee8ee1eaed9b88fc5483c65373f45e087f650@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r44115ebfbf3b7d294d7a75f2d30bcc822dab186ebbcc2dce11915ca9@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4946ffd86ad6eb7cb7863311235c914cb41232380de8d9dcdb3c115c@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4f29fb24639ebc5d15fc477656ebc2b3aa00fcfbe197000009c26b40@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r503045a75f4419d083cb63ac89e765d6fb8b10c7dacc0c54fce07cff@%3Creviews.iotdb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r547bb14c88c5da2588d853ed3030be0109efa537dd797877dff14afd@%3Cissues.beam.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r5494fdaf4a0a42a15c49841ba7ae577d466d09239ee1050458da0f29@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r556787f1ab14da034d79dfff0c123c05877bbe89ef163fd359b4564c@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r568d354961fa88f206dc345411fb11d245c6dc1a8da3e80187fc6706@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r58f5b14dc5ae43583db3a7e872419aca97ebe47bcd7f7334f4128016@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r59e0878013d329dcc481eeafebdb0ee445b1e2852d0c4827b1ddaff2@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5a07f274f355c914054c7357ad6d3456ffaca064f26cd780acb90a9a@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5a9462096c71593e771602beb0e69357adb5175d9a5c18d5181e0ab4@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6236ae4adc401e3b2f2575c22865f2f6c6ea9ff1d7b264b40d9602af@%3Cissues.beam.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r66e99d973fd79ddbcb3fbdb24f4767fe9b911f5b0abb05d7b6f65801@%3Ccommits.zookeeper.apache.org%3E + database_specific: + cwe_ids: + - CWE-378 + - CWE-379 + - CWE-552 + github_reviewed: true + github_reviewed_at: "2020-11-04T17:48:31Z" + nvd_published_at: "2020-10-23T13:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-v7ff-8wcx-gmc5 + modified: 2024-03-15T05:19:57.447892Z + published: 2021-04-06T17:31:01Z + aliases: + - CVE-2021-28164 + summary: Authorization Before Parsing and Canonicalization in jetty + details: 'Release 9.4.37 introduced a more precise implementation of [RFC3986](https://tools.ietf.org/html/rfc3986#section-3.3) with regards to URI decoding, together with some new compliance modes to optionally allow support of some URI that may have ambiguous interpretation within 
the Servlet specified API methods behaviours. The default mode allowed % encoded . characters to be excluded for URI normalisation, which is correct by the RFC, but is not assumed by common Servlet implementations. The default compliance mode allows requests with URIs that contain `%2e` or `%2e%2e` segments to access protected resources within the `WEB-INF` directory. For example a request to `/context/%2e/WEB-INF/web.xml` can retrieve the `web.xml` file. This can reveal sensitive information regarding the implementation of a web application. Workarounds found by HttpCompliance mode RFC7230_NO_AMBIGUOUS_URIS can be enabled by updating `start.d/http.ini` to include: jetty.http.compliance=RFC7230_NO_AMBIGUOUS_URIS.' + affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-webapp + purl: pkg:maven/org.eclipse.jetty/jetty-webapp + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.4.37 + - fixed: 9.4.39 + versions: + - 9.4.37.v20210219 + - 9.4.38.v20210224 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-v7ff-8wcx-gmc5/GHSA-v7ff-8wcx-gmc5.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + references: + - type: WEB + url: https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5 + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-28164 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210611-0006 + - type: WEB + url: https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e@%3Cdev.ignite.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd@%3Cissues.ignite.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b@%3Cissues.ignite.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46@%3Cissues.ignite.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f@%3Cissues.ignite.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E + - type: PACKAGE + url: https://github.com/eclipse/jetty.project + - type: WEB + url: http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.html + database_specific: + cwe_ids: + - CWE-200 + - CWE-551 + - CWE-863 + github_reviewed: true + github_reviewed_at: "2021-04-02T20:28:10Z" + nvd_published_at: "2021-04-01T15:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-vjv5-gp2w-65vm + modified: 2024-03-08T05:16:35.196736Z + published: 2021-07-19T15:15:24Z + aliases: + - CVE-2021-34429 + summary: Encoded URIs can access WEB-INF directory in Eclipse Jetty + details: "### Description\nURIs can be crafted using some encoded characters to access the content of the `WEB-INF` directory and/or bypass some security constraints.\nThis is a variation of the vulnerability reported in [CVE-2021-28164](https://nvd.nist.gov/vuln/detail/CVE-2021-28164)/[GHSA-v7ff-8wcx-gmc5](https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5).\n\n### Impact\nThe default compliance mode allows requests with URIs that contain a %u002e segment to access protected resources within the WEB-INF directory. For example, a request to `/%u002e/WEB-INF/web.xml` can retrieve the web.xml file. 
This can reveal sensitive information regarding the implementation of a web application. Similarly, an encoded null character can prevent correct normalization so that /.%00/WEB-INF/web.xml cal also retrieve the web.xml file.\n\n### Workarounds\nSome Jetty [rewrite rules](https://www.eclipse.org/jetty/documentation/jetty-9/index.html#rewrite-handler) can be deployed to rewrite any request containing encoded dot segments or null characters in the raw request URI, to a known not found resource:\n```xml\n\n \n \n .*/(?:\\.+/)+.*\n /WEB-INF/Not-Found\n \n \n\n\n \n \n \n\n```\n\n### Analysis\nPrior to 9.4.37, Jetty was protected from this style of attack by two lines of defense:\n + URIs were decoded first and then normalized for `.` and `..` sequences. Whilst this is not according to the RFC, it did remove relative segments that were encoded or parameterized and made the resulting URI paths safe from any repeated normalization (often done by URI manipulation and file system mapping).\n + The `FileResource` class treated any difference between absolute path and canonical path of a resource as an alias, and thus the resource would not be served by default.\n\nPrior to 9.4.37, the `FileResource` class was replaced by the `PathResource` class that did not treat normalization differences as aliases. Then release 9.4.37 updated the URI parsing to be compliant with the RFC, in that normalization is done before decoding. This allowed various encodings or adornments to relative path segments that would not be normalized by the pure RFC URI normalization, but were normalized by the file system, thus allowing protected resources to be accessed via an alias. Specifically by decoding URIs after normalization, it left them vulnerable to any subsequent normalization (potentially after checking security constraints) changing the URI singificantly. 
Such extra normalization is often down by URI manipulation code and file systems.\n\nWith Jetty releases 9.4.43, 10.0.6, 11.0.6, we have restored several lines of defense:\n + URIs are first decoded and then normalized which is not strictly according to the current RFC. Since the normalization is done after decoding, the URI paths produced are safe from further normalisation and the referenced resource cannot easily be so changed after passing security constraints.\n + During URI parsing checks are made for some specific segments/characters that are possible to be seen ambiguously by an application (e.g. encode dot segments, encoded separators, empty segments, parameterized dot segments and/or null characters). So even though Jetty code handles these URIs correctly, there is a risk that an application may not do so, thus such requests are rejected with a 400 Bad Request unless a specific compliance mode is set.\n + Once decoded and normalized by initial URI processing, Jetty will not decode or normalize a received URI again within its own resource handling. This avoids to possibility of double decode attacks.\n + The `ContextHandler.getResource(String path)` method always checks that the passed path is normalized, only accepting a non normal path if approved by an AliasChecker. This is the method that is directly used by Jetty resource serving.\n + The API methods like `ServletContext.getResource(String path)` will normalize the prior to calling `ContextHandler.getResource(String path)`. 
This allows applications to use non normal paths.\n + The `PathResource` class now considers any difference in normal/canonical name between a request resource name and the found resource name to be an alias, which will only be served if approved by an explicit `AliasChecker`\n\nIn summary, the defense is a front line of detection of specific known URI alias attacks, with the last line defense of not allowing any aliasing of resources.\n\nMany thanks to @cangqingzhe from @CloverSecLabs for reporting this issue. " + affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-webapp + purl: pkg:maven/org.eclipse.jetty/jetty-webapp + ranges: + - type: ECOSYSTEM + events: + - introduced: 9.4.37 + - fixed: 9.4.43 + versions: + - 9.4.37.v20210219 + - 9.4.38.v20210224 + - 9.4.39.v20210325 + - 9.4.40.v20210413 + - 9.4.41.v20210516 + - 9.4.42.v20210604 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-vjv5-gp2w-65vm/GHSA-vjv5-gp2w-65vm.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-webapp + purl: pkg:maven/org.eclipse.jetty/jetty-webapp + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.0.1 + - fixed: 10.0.6 + versions: + - 10.0.1 + - 10.0.2 + - 10.0.3 + - 10.0.4 + - 10.0.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-vjv5-gp2w-65vm/GHSA-vjv5-gp2w-65vm.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-webapp + purl: pkg:maven/org.eclipse.jetty/jetty-webapp + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.1 + - fixed: 11.0.6 + versions: + - 11.0.1 + - 11.0.2 + - 11.0.3 + - 11.0.4 + - 11.0.5 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-vjv5-gp2w-65vm/GHSA-vjv5-gp2w-65vm.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + references: 
+ - type: WEB + url: https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-34429 + - type: WEB + url: https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r833a4c8bdbbfeb8a2cd38238e7b59f83edd5c1a0e508b587fc551a46@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9d245c6c884bbc804a472116d730c1a01676bf24f93206a34923fc64@%3Ccommits.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9e6158d72ef25077c2dc59fbddade2eacf7d259a2556c97a989f2fe8@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rb33d65c3e5686f2e3b9bb8a032a44163b2f2ad9d31a8727338f213c1@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc26807be68748b3347decdcd03ae183622244b0b4cb09223d4b7e500@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcb157f55b9ae41b3076801de927c6fca1669c6d8eaf11a9df5dbeb46@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re01890eef49d4201018f2c97e26536e3e75f441ecdbcf91986c3bc17@%3Cjira.kafka.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/re3de01414ccf682fe0951205f806dd8e94440798fd64c55a4941de3e@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re5e9bb535db779506013ef8799dc2a299e77cdad6668aa94c456dba6@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re850203ef8700cb826534dd4a1cb9f5b07bb8f6f973b39ff7838d3ba@%3Cissues.hbase.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20210819-0006 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: PACKAGE + url: https://github.com/eclipse/jetty.project + - type: WEB + url: https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.43.v20210629 + - type: WEB + url: https://lists.apache.org/thread.html/r029c0c6833c8bb6acb094733fd7b75029d633f47a92f1c9d14391fc0@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r02f940c27e997a277ff14e79e84551382e1081e8978b417e0c2b0857@%3Ccommits.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0626f279ebf65506110a897e3a57ccd4072803ee5434b2503e070398@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2e32390cb7aedb39069e5b18aa130ca53e766258518faee63c31d3ea@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3aefe613abce594c71ace50088d2529bbde65d08b8e7ff2c2723aaa1@%3Cdev.santuario.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r44ea39ca8110de7353bfec88f58aa3aa58a42bb324b8772512ee190c@%3Ccommits.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r46900f74dbb7d168aeac43bf0e7f64825376bb7eb74d31a5b33344ce@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r46f748c1dc9cf9b6c1c18f6b5bfc3a869907f68f72e17666f2f30f24@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4727d282b5c2d951057845a46065d59f6e33132edc0a14f41c26b01e@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48a93f2bc025acd7c7e341ed3864bfdeb75f0c768d41bc247e1a1f63@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5678d994d4dd8e7c838eed3bbc1a83a7f6bc62724b0cce67e8892a45@%3Cnotifications.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r679d96f981d4c92724090ed2d5e8565a1d655a72bb315550489f052e@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6e6f50c1ce1fb592cb43e913f5be23df104d50751465f8f1952ace0c@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r721ab6a5fa8d45bec76714b674f5d4caed2ebfeca69ad1d6d4caae6c@%3Cdev.hbase.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r74fdc446df551fe89a0a16957a1bfdaad19380e0c1afd30625685a9c@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r756443e9d50af7e8c3df82e2c45105f452c8e8195ddbc0c00f58d5fe@%3Ccommits.kafka.apache.org%3E + database_specific: + cwe_ids: + - CWE-200 + - CWE-551 + - CWE-863 + github_reviewed: true + github_reviewed_at: "2021-07-15T21:33:21Z" + nvd_published_at: "2021-07-15T17:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-58qw-p7qm-5rvh + modified: 2024-02-16T08:04:34.090965Z + published: 2023-07-10T21:52:39Z + summary: Eclipse Jetty XmlParser allows arbitrary DOCTYPE 
declarations + details: "### From the reporter\n\n> `XmlParser` is vulnerable to XML external entity (XXE) vulnerability.\n> XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit\n> this vulnerability in order to achieve SSRF or cause a denial of service.\n> One possible scenario is importing a (remote) malicious WAR into a Jetty’s server, while the\n> WAR includes a malicious web.xml.\n\n### Impact\nThere are no circumstances in a normally deployed Jetty server where potentially hostile XML is given to the XmlParser class without the attacker already having arbitrary access to the server. I.e. in order to exploit `XmlParser` the attacker would already have the ability to deploy and execute hostile code. Specifically, Jetty has no protection against malicious web application and potentially hostile web applications should only be run on an isolated virtualisation. \n\nThus this is not considered a vulnerability of the Jetty server itself, as any such usage of the jetty XmlParser is equally vulnerable as a direct usage of the JVM supplied SAX parser. No CVE will be allocated to this advisory.\n\nHowever, any direct usage of the `XmlParser` class by an application may be vulnerable. 
The impact would greatly depend on how the application uses `XmlParser`, but it could be a denial of service due to large entity expansion, or possibly the revealing local files if the XML results are accessible remotely.\n\n### Patches\nAbility to configure the SAXParserFactory to fit the needs of your particular XML parser implementation have been merged as part of PR #10067\n\n### Workarounds\nDon't use `XmlParser` to parse data from users.\n\n\n" + affected: + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-xml + purl: pkg:maven/org.eclipse.jetty/jetty-xml + ranges: + - type: ECOSYSTEM + events: + - introduced: 10.0.0-alpha0 + - fixed: 10.0.16 + versions: + - 10.0.0 + - 10.0.0-alpha0 + - 10.0.0.alpha1 + - 10.0.0.alpha2 + - 10.0.0.beta0 + - 10.0.0.beta1 + - 10.0.0.beta2 + - 10.0.0.beta3 + - 10.0.1 + - 10.0.10 + - 10.0.11 + - 10.0.12 + - 10.0.13 + - 10.0.14 + - 10.0.15 + - 10.0.2 + - 10.0.3 + - 10.0.4 + - 10.0.5 + - 10.0.6 + - 10.0.7 + - 10.0.8 + - 10.0.9 + database_specific: + last_known_affected_version_range: <= 10.0.15 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-58qw-p7qm-5rvh/GHSA-58qw-p7qm-5rvh.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-xml + purl: pkg:maven/org.eclipse.jetty/jetty-xml + ranges: + - type: ECOSYSTEM + events: + - introduced: 11.0.0-alpha0 + - fixed: 11.0.16 + versions: + - 11.0.0 + - 11.0.0-alpha0 + - 11.0.0.beta1 + - 11.0.0.beta2 + - 11.0.0.beta3 + - 11.0.1 + - 11.0.10 + - 11.0.11 + - 11.0.12 + - 11.0.13 + - 11.0.14 + - 11.0.15 + - 11.0.2 + - 11.0.3 + - 11.0.4 + - 11.0.5 + - 11.0.6 + - 11.0.7 + - 11.0.8 + - 11.0.9 + database_specific: + last_known_affected_version_range: <= 11.0.15 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-58qw-p7qm-5rvh/GHSA-58qw-p7qm-5rvh.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-xml + purl: pkg:maven/org.eclipse.jetty/jetty-xml + 
ranges: + - type: ECOSYSTEM + events: + - introduced: 12.0.0.alpha0 + - fixed: 12.0.0 + versions: + - 12.0.0.alpha0 + - 12.0.0.alpha1 + - 12.0.0.alpha2 + - 12.0.0.alpha3 + - 12.0.0.beta0 + - 12.0.0.beta1 + - 12.0.0.beta2 + - 12.0.0.beta3 + - 12.0.0.beta4 + database_specific: + last_known_affected_version_range: <= 12.0.0.beta4 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-58qw-p7qm-5rvh/GHSA-58qw-p7qm-5rvh.json + - package: + ecosystem: Maven + name: org.eclipse.jetty:jetty-xml + purl: pkg:maven/org.eclipse.jetty/jetty-xml + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 9.4.52 + versions: + - 7.0.0.M0 + - 7.0.0.M1 + - 7.0.0.M2 + - 7.0.0.M3 + - 7.0.0.M4 + - 7.0.0.RC0 + - 7.0.0.RC1 + - 7.0.0.RC2 + - 7.0.0.RC3 + - 7.0.0.RC4 + - 7.0.0.RC5 + - 7.0.0.RC6 + - 7.0.0.v20091005 + - 7.0.1.v20091125 + - 7.0.2.RC0 + - 7.0.2.v20100331 + - 7.1.0.RC0 + - 7.1.0.RC1 + - 7.1.0.v20100505 + - 7.1.1.v20100517 + - 7.1.2.v20100523 + - 7.1.3.v20100526 + - 7.1.4.v20100610 + - 7.1.5.v20100705 + - 7.1.6.v20100715 + - 7.2.0.RC0 + - 7.2.0.v20101020 + - 7.2.1.v20101111 + - 7.2.2.v20101205 + - 7.3.0.v20110203 + - 7.3.1.v20110307 + - 7.4.0.RC0 + - 7.4.0.v20110414 + - 7.4.1.v20110513 + - 7.4.2.v20110526 + - 7.4.3.v20110701 + - 7.4.4.v20110707 + - 7.4.5.v20110725 + - 7.5.0.RC0 + - 7.5.0.RC1 + - 7.5.0.RC2 + - 7.5.0.v20110901 + - 7.5.1.v20110908 + - 7.5.2.v20111006 + - 7.5.3.v20111011 + - 7.5.4.v20111024 + - 7.6.0.RC0 + - 7.6.0.RC1 + - 7.6.0.RC2 + - 7.6.0.RC3 + - 7.6.0.RC4 + - 7.6.0.RC5 + - 7.6.0.v20120127 + - 7.6.1.v20120215 + - 7.6.10.v20130312 + - 7.6.11.v20130520 + - 7.6.12.v20130726 + - 7.6.13.v20130916 + - 7.6.14.v20131031 + - 7.6.15.v20140411 + - 7.6.16.v20140903 + - 7.6.17.v20150415 + - 7.6.18.v20150929 + - 7.6.19.v20160209 + - 7.6.2.v20120308 + - 7.6.20.v20160902 + - 7.6.21.v20160908 + - 7.6.3.v20120416 + - 7.6.4.v20120524 + - 7.6.5.v20120716 + - 7.6.6.v20120903 + - 7.6.7.v20120910 + - 7.6.8.v20121106 + - 
7.6.9.v20130131 + - 8.0.0.M0 + - 8.0.0.M1 + - 8.0.0.M2 + - 8.0.0.M3 + - 8.0.0.RC0 + - 8.0.0.v20110901 + - 8.0.1.v20110908 + - 8.0.2.v20111006 + - 8.0.3.v20111011 + - 8.0.4.v20111024 + - 8.1.0.RC0 + - 8.1.0.RC1 + - 8.1.0.RC2 + - 8.1.0.RC4 + - 8.1.0.RC5 + - 8.1.0.v20120127 + - 8.1.1.v20120215 + - 8.1.10.v20130312 + - 8.1.11.v20130520 + - 8.1.12.v20130726 + - 8.1.13.v20130916 + - 8.1.14.v20131031 + - 8.1.15.v20140411 + - 8.1.16.v20140903 + - 8.1.17.v20150415 + - 8.1.18.v20150929 + - 8.1.19.v20160209 + - 8.1.2.v20120308 + - 8.1.20.v20160902 + - 8.1.21.v20160908 + - 8.1.22.v20160922 + - 8.1.3.v20120416 + - 8.1.4.v20120524 + - 8.1.5.v20120716 + - 8.1.6.v20120903 + - 8.1.7.v20120910 + - 8.1.8.v20121106 + - 8.1.9.v20130131 + - 8.2.0.v20160908 + - 9.0.0.M0 + - 9.0.0.M1 + - 9.0.0.M2 + - 9.0.0.M3 + - 9.0.0.M4 + - 9.0.0.M5 + - 9.0.0.RC0 + - 9.0.0.RC1 + - 9.0.0.RC2 + - 9.0.0.v20130308 + - 9.0.1.v20130408 + - 9.0.2.v20130417 + - 9.0.3.v20130506 + - 9.0.4.v20130625 + - 9.0.5.v20130815 + - 9.0.6.v20130930 + - 9.0.7.v20131107 + - 9.1.0.M0 + - 9.1.0.RC0 + - 9.1.0.RC1 + - 9.1.0.RC2 + - 9.1.0.v20131115 + - 9.1.1.v20140108 + - 9.1.2.v20140210 + - 9.1.3.v20140225 + - 9.1.4.v20140401 + - 9.1.5.v20140505 + - 9.1.6.v20160112 + - 9.2.0.M0 + - 9.2.0.M1 + - 9.2.0.RC0 + - 9.2.0.v20140526 + - 9.2.1.v20140609 + - 9.2.10.v20150310 + - 9.2.11.M0 + - 9.2.11.v20150529 + - 9.2.12.M0 + - 9.2.12.v20150709 + - 9.2.13.v20150730 + - 9.2.14.v20151106 + - 9.2.15.v20160210 + - 9.2.16.v20160414 + - 9.2.17.v20160517 + - 9.2.18.v20160721 + - 9.2.19.v20160908 + - 9.2.2.v20140723 + - 9.2.20.v20161216 + - 9.2.21.v20170120 + - 9.2.22.v20170606 + - 9.2.23.v20171218 + - 9.2.24.v20180105 + - 9.2.25.v20180606 + - 9.2.26.v20180806 + - 9.2.27.v20190403 + - 9.2.28.v20190418 + - 9.2.29.v20191105 + - 9.2.3.v20140905 + - 9.2.30.v20200428 + - 9.2.4.v20141103 + - 9.2.5.v20141112 + - 9.2.6.v20141205 + - 9.2.7.v20150116 + - 9.2.8.v20150217 + - 9.2.9.v20150224 + - 9.3.0.M0 + - 9.3.0.M1 + - 9.3.0.M2 + - 9.3.0.RC0 + - 9.3.0.RC1 + - 
9.3.0.v20150612 + - 9.3.1.v20150714 + - 9.3.10.M0 + - 9.3.10.v20160621 + - 9.3.11.M0 + - 9.3.11.v20160721 + - 9.3.12.v20160915 + - 9.3.13.M0 + - 9.3.13.v20161014 + - 9.3.14.v20161028 + - 9.3.15.v20161220 + - 9.3.16.v20170120 + - 9.3.17.RC0 + - 9.3.17.v20170317 + - 9.3.18.v20170406 + - 9.3.19.v20170502 + - 9.3.2.v20150730 + - 9.3.20.v20170531 + - 9.3.21.M0 + - 9.3.21.RC0 + - 9.3.21.v20170918 + - 9.3.22.v20171030 + - 9.3.23.v20180228 + - 9.3.24.v20180605 + - 9.3.25.v20180904 + - 9.3.26.v20190403 + - 9.3.27.v20190418 + - 9.3.28.v20191105 + - 9.3.29.v20201019 + - 9.3.3.v20150827 + - 9.3.30.v20211001 + - 9.3.4.RC0 + - 9.3.4.RC1 + - 9.3.4.v20151007 + - 9.3.5.v20151012 + - 9.3.6.v20151106 + - 9.3.7.RC0 + - 9.3.7.RC1 + - 9.3.7.v20160115 + - 9.3.8.RC0 + - 9.3.8.v20160314 + - 9.3.9.M0 + - 9.3.9.M1 + - 9.3.9.v20160517 + - 9.4.0.M0 + - 9.4.0.M1 + - 9.4.0.RC0 + - 9.4.0.RC1 + - 9.4.0.RC2 + - 9.4.0.RC3 + - 9.4.0.v20161208 + - 9.4.0.v20180619 + - 9.4.1.v20170120 + - 9.4.1.v20180619 + - 9.4.10.RC0 + - 9.4.10.RC1 + - 9.4.10.v20180503 + - 9.4.11.v20180605 + - 9.4.12.RC0 + - 9.4.12.RC1 + - 9.4.12.RC2 + - 9.4.12.v20180830 + - 9.4.13.v20181111 + - 9.4.14.v20181114 + - 9.4.15.v20190215 + - 9.4.16.v20190411 + - 9.4.17.v20190418 + - 9.4.18.v20190429 + - 9.4.19.v20190610 + - 9.4.2.v20170220 + - 9.4.2.v20180619 + - 9.4.20.v20190813 + - 9.4.21.v20190926 + - 9.4.22.v20191022 + - 9.4.23.v20191118 + - 9.4.24.v20191120 + - 9.4.25.v20191220 + - 9.4.26.v20200117 + - 9.4.27.v20200227 + - 9.4.28.v20200408 + - 9.4.29.v20200521 + - 9.4.3.v20170317 + - 9.4.3.v20180619 + - 9.4.30.v20200611 + - 9.4.31.v20200723 + - 9.4.32.v20200930 + - 9.4.33.v20201020 + - 9.4.34.v20201102 + - 9.4.35.v20201120 + - 9.4.36.v20210114 + - 9.4.37.v20210219 + - 9.4.38.v20210224 + - 9.4.39.v20210325 + - 9.4.4.v20170414 + - 9.4.4.v20180619 + - 9.4.40.v20210413 + - 9.4.41.v20210516 + - 9.4.42.v20210604 + - 9.4.43.v20210629 + - 9.4.44.v20210927 + - 9.4.45.v20220203 + - 9.4.46.v20220331 + - 9.4.47.v20220610 + - 9.4.48.v20220622 + - 
9.4.49.v20220914 + - 9.4.5.v20170502 + - 9.4.5.v20180619 + - 9.4.50.v20221201 + - 9.4.51.v20230217 + - 9.4.6.v20170531 + - 9.4.6.v20180619 + - 9.4.7.RC0 + - 9.4.7.v20170914 + - 9.4.7.v20180619 + - 9.4.8.v20171121 + - 9.4.8.v20180619 + - 9.4.9.v20180320 + database_specific: + last_known_affected_version_range: <= 9.4.51 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-58qw-p7qm-5rvh/GHSA-58qw-p7qm-5rvh.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L + references: + - type: WEB + url: https://github.com/eclipse/jetty.project/security/advisories/GHSA-58qw-p7qm-5rvh + - type: WEB + url: https://github.com/eclipse/jetty.project/pull/10067 + - type: PACKAGE + url: https://github.com/eclipse/jetty.project + - type: WEB + url: https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.16 + - type: WEB + url: https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.16 + - type: WEB + url: https://github.com/eclipse/jetty.project/releases/tag/jetty-12.0.0 + - type: WEB + url: https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.52.v20230823 + database_specific: + cwe_ids: + - CWE-611 + github_reviewed: true + github_reviewed_at: "2023-07-10T21:52:39Z" + nvd_published_at: null + severity: LOW + - schema_version: 1.6.0 + id: GHSA-3p86-9955-h393 + modified: 2024-04-11T19:46:07.697031Z + published: 2023-09-18T15:30:18Z + aliases: + - CVE-2023-4759 + summary: 'Arbitrary File Overwrite in Eclipse JGit ' + details: |+ + Arbitrary File Overwrite in Eclipse JGit <= 6.6.0 + + In Eclipse JGit, all versions <= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem. 
+ + This can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command. + + The issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration. + + Setting git configuration option core.symlinks = false before checking out avoids the problem. + + The issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/  and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . A backport is available in 5.13.3 starting from 5.13.3.202401111512-r. + + The JGit maintainers would like to thank RyotaK for finding and reporting this issue. 
+ + + + affected: + - package: + ecosystem: Maven + name: org.eclipse.jgit:org.eclipse.jgit + purl: pkg:maven/org.eclipse.jgit/org.eclipse.jgit + ranges: + - type: ECOSYSTEM + events: + - introduced: 6.0.0.202111291000-r + - fixed: 6.6.1.202309021850-r + versions: + - 6.0.0.202111291000-r + - 6.1.0.202203080745-r + - 6.2.0.202206071550-r + - 6.3.0.202209071007-r + - 6.4.0.202211300538-r + - 6.5.0.202303070854-r + - 6.6.0.202305301015-r + database_specific: + last_known_affected_version_range: <= 6.6.0.202305301015-r + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-3p86-9955-h393/GHSA-3p86-9955-h393.json + - package: + ecosystem: Maven + name: org.eclipse.jgit:org.eclipse.jgit + purl: pkg:maven/org.eclipse.jgit/org.eclipse.jgit + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 5.13.3.202401111512-r + versions: + - 1.2.0.201112221803-r + - 1.3.0.201202151440-r + - 2.0.0.201206130900-r + - 2.1.0.201209190230-r + - 2.2.0.201212191850-r + - 2.3.1.201302201838-r + - 3.0.0.201306101825-r + - 3.1.0.201310021548-r + - 3.2.0.201312181205-r + - 3.3.0.201403021825-r + - 3.3.1.201403241930-r + - 3.3.2.201404171909-r + - 3.4.0.201405051725-m7 + - 3.4.0.201405211411-rc1 + - 3.4.0.201405281120-rc2 + - 3.4.0.201406041058-rc3 + - 3.4.0.201406110918-r + - 3.4.1.201406201815-r + - 3.4.2.201412180340-r + - 3.5.0.201409071800-rc1 + - 3.5.0.201409260305-r + - 3.5.1.201410131835-r + - 3.5.2.201411120430-r + - 3.5.3.201412180710-r + - 3.6.0.201411121045-m1 + - 3.6.0.201412230720-r + - 3.6.1.201501031845-r + - 3.6.2.201501210735-r + - 3.7.0.201502260915-r + - 3.7.1.201504261725-r + - 4.0.0.201505050340-m2 + - 4.0.0.201505260635-rc2 + - 4.0.0.201506020755-rc3 + - 4.0.0.201506090130-r + - 4.0.1.201506240215-r + - 4.0.2.201509141540-r + - 4.0.3.201509231615-r + - 4.1.0.201509280440-r + - 4.1.1.201511131810-r + - 4.1.2.201602141800-r + - 4.10.0.201712302008-r + - 4.11.0.201803080745-r + - 4.11.1.201807311124-r + - 
4.11.2.201809100523-r + - 4.11.3.201809181037-r + - 4.11.4.201810060650-r + - 4.11.5.201810191925-r + - 4.11.6.201812241910-r + - 4.11.7.201903122105-r + - 4.11.8.201904181247-r + - 4.11.9.201909030838-r + - 4.2.0.201601211800-r + - 4.3.0.201604071810-r + - 4.3.1.201605051710-r + - 4.4.0.201605250940-rc1 + - 4.4.0.201606070830-r + - 4.4.1.201607150455-r + - 4.5.0.201609210915-r + - 4.5.1.201703201650-r + - 4.5.2.201704071617-r + - 4.5.3.201708160445-r + - 4.5.4.201711221230-r + - 4.5.5.201812240535-r + - 4.5.6.201903121547-r + - 4.5.7.201904151645-r + - 4.6.0.201612231935-r + - 4.6.1.201703071140-r + - 4.7.0.201704051617-r + - 4.7.1.201706071930-r + - 4.7.2.201807261330-r + - 4.7.3.201809090215-r + - 4.7.4.201809180905-r + - 4.7.5.201810051826-r + - 4.7.6.201810191618-r + - 4.7.7.201812240805-r + - 4.7.8.201903121755-r + - 4.7.9.201904161809-r + - 4.8.0.201705170830-rc1 + - 4.8.0.201706111038-r + - 4.9.0.201710071750-r + - 4.9.1.201712030800-r + - 4.9.10.201904181027-r + - 4.9.2.201712150930-r + - 4.9.3.201807311005-r + - 4.9.4.201809090327-r + - 4.9.5.201809180939-r + - 4.9.6.201810051924-r + - 4.9.7.201810191756-r + - 4.9.8.201812241815-r + - 4.9.9.201903122025-r + - 5.0.0.201805151920-m7 + - 5.0.0.201805221745-rc1 + - 5.0.0.201805301535-rc2 + - 5.0.0.201806131550-r + - 5.0.1.201806211838-r + - 5.0.2.201807311906-r + - 5.0.3.201809091024-r + - 5.1.0.201809111528-r + - 5.1.1.201809181055-r + - 5.1.10.201908230655-r + - 5.1.11.201909031202-r + - 5.1.12.201910011832-r + - 5.1.13.202002110435-r + - 5.1.14.202011251942-r + - 5.1.15.202012011955-r + - 5.1.16.202106041830-r + - 5.1.2.201810061102-r + - 5.1.3.201810200350-r + - 5.1.5.201812261915-r + - 5.1.6.201903130242-r + - 5.1.7.201904200442-r + - 5.1.8.201906050907-r + - 5.1.9.201908210455-r + - 5.10.0.202012080955-r + - 5.11.0.202103091610-r + - 5.11.1.202105131744-r + - 5.12.0.202106070339-r + - 5.13.0.202109080827-r + - 5.13.1.202206130422-r + - 5.13.2.202306221912-r + - 5.2.0.201812061821-r + - 
5.2.1.201812262042-r + - 5.2.2.201904231744-r + - 5.3.0.201903130848-r + - 5.3.1.201904271842-r + - 5.3.2.201906051522-r + - 5.3.4.201908231101-r + - 5.3.5.201909031855-r + - 5.3.6.201910020505-r + - 5.3.7.202002110540-r + - 5.3.8.202011260953-r + - 5.3.9.202012012026-r + - 5.4.0.201906121030-r + - 5.4.2.201908231537-r + - 5.4.3.201909031940-r + - 5.5.0.201909110433-r + - 5.5.1.201910021850-r + - 5.6.0.201912101111-r + - 5.6.1.202002131546-r + - 5.7.0.202003090808-r + - 5.7.0.202003110725-r + - 5.8.0.202006091008-r + - 5.8.1.202007141445-r + - 5.9.0.202009080501-r + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-3p86-9955-h393/GHSA-3p86-9955-h393.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-4759 + - type: WEB + url: https://github.com/eclipse-jgit/jgit/issues/30 + - type: PACKAGE + url: https://git.eclipse.org/c/jgit/jgit.git + - type: WEB + url: https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1 + - type: WEB + url: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11 + - type: WEB + url: https://projects.eclipse.org/projects/technology.jgit/releases/5.13.3 + - type: WEB + url: https://projects.eclipse.org/projects/technology.jgit/releases/6.6.1 + database_specific: + cwe_ids: + - CWE-178 + github_reviewed: true + github_reviewed_at: "2023-09-18T19:17:54Z" + nvd_published_at: "2023-09-12T10:15:29Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-6vvc-c2m3-cjf3 + modified: 2024-02-16T08:19:13.99228Z + published: 2022-05-17T19:57:29Z + aliases: + - CVE-2014-9390 + - PYSEC-2020-217 + summary: JGit Improper Input Validation vulnerability + details: Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and 
OS X; Apple Xcode before 6.2 beta 3; mine; libgit2; Egit; and JGit allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem. + affected: + - package: + ecosystem: Maven + name: org.eclipse.jgit:org.eclipse.jgit + purl: pkg:maven/org.eclipse.jgit/org.eclipse.jgit + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.5.3 + versions: + - 1.2.0.201112221803-r + - 1.3.0.201202151440-r + - 2.0.0.201206130900-r + - 2.1.0.201209190230-r + - 2.2.0.201212191850-r + - 2.3.1.201302201838-r + - 3.0.0.201306101825-r + - 3.1.0.201310021548-r + - 3.2.0.201312181205-r + - 3.3.0.201403021825-r + - 3.3.1.201403241930-r + - 3.3.2.201404171909-r + - 3.4.0.201405051725-m7 + - 3.4.0.201405211411-rc1 + - 3.4.0.201405281120-rc2 + - 3.4.0.201406041058-rc3 + - 3.4.0.201406110918-r + - 3.4.1.201406201815-r + - 3.4.2.201412180340-r + - 3.5.0.201409071800-rc1 + - 3.5.0.201409260305-r + - 3.5.1.201410131835-r + - 3.5.2.201411120430-r + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6vvc-c2m3-cjf3/GHSA-6vvc-c2m3-cjf3.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2014-9390 + - type: WEB + url: https://github.com/libgit2/libgit2/commit/928429c5c96a701bcbcafacb2421a82602b36915 + - type: WEB + url: https://github.com/blog/1938-git-client-vulnerability-announced + - type: WEB + url: https://libgit2.org/security + - type: WEB + url: https://news.ycombinator.com/item?id=8769667 + - type: WEB + url: https://projects.eclipse.org/projects/technology.jgit/releases/3.5.3 + - type: WEB + url: https://web.archive.org/web/20211204220400/https://securitytracker.com/id?1031404 + - type: WEB + url: 
http://article.gmane.org/gmane.linux.kernel/1853266 + - type: WEB + url: http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html + - type: WEB + url: http://mercurial.selenic.com/wiki/WhatsNew + - type: WEB + url: http://support.apple.com/kb/HT204147 + database_specific: + cwe_ids: + - CWE-20 + github_reviewed: true + github_reviewed_at: "2023-01-26T23:53:52Z" + nvd_published_at: "2020-02-12T02:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-c43q-5hpj-4crv + modified: 2024-03-08T05:18:14.836767Z + published: 2021-04-23T16:55:01Z + aliases: + - CVE-2021-28168 + summary: Local information disclosure via system temporary directory + details: "## Impact\nEclipse Jersey 2.28 - 2.33 and Eclipse Jersey 3.0.0 - 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the `File.createTempFile` which creates a file inside of the system temporary directory with the permissions: `-rw-r--r--`. Thus the contents of this file are viewable by all other users locally on the system. 
As such, if the contents written is security sensitive, it can be disclosed to other local users.\n\n## Workaround\n\nThis issue can be mitigated by manually setting the `java.io.tmpdir` system property when launching the JVM.\n\n## Patches\n\nJersey 2.34 and 3.0.2 forward sets the correct permissions on the temporary file created by Jersey.\n\n### References\n \n - https://github.com/eclipse-ee4j/jersey/pull/4712\n - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\n\n## Similar Vulnerabilities\n\nSimilar, but not the same:\n\n - JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\n - Google Guava - https://github.com/google/guava/issues/4011\n - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945\n - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824\n - Eclipse Jetty - https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6\n\n\n---\n\nOriginal Disclosure:\n\n> Hello Jersey Security Team,\n> \n> Utilizing a custom CodeQL query written as a part of the [GitHub Security Lab](https://securitylab.github.com/) [Bug Bounty program](https://securitylab.github.com/bounties), I've unearthed a local temporary file information disclosure vulnerability.\n> \n> You can see the custom CodeQL query utilized here:\n> https://lgtm.com/query/8831016213790320486/\n> \n> This particular vulnerability exists because on unix-like systems (not including modern versions of MacOS) the system temporary directory is shared between all users. 
As such, failure to correctly set file permissions and/or verify exclusive creation of directories can lead to either local information disclosure, or local file hijacking by another user.\n> \n> This vulnerability impacts the following locations in this project's source:\n> \n> - https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/FileProvider.java#L64-L73\n> - https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/media/multipart/src/main/java/org/glassfish/jersey/media/multipart/internal/FormDataParamValueParamProvider.java#L202-L208\n> \n> This vulnerability exists because of the vulnerability in the `Utils.createTempFile`:\n> \n> https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/Utils.java#L42-L53\n> \n> This is because `File.createTempFile` creates a file inside of the system temporary directory with the permissions: `-rw-r--r--`. Thus the contents of this file are viewable by all other users locally on the system.\n> \n> If there is sensitive information written to these files, it is disclosed to other local users on this system.\n> \n> The fix for this vulnerability is to use the `Files` API (instead of the `File` API) to create temporary files/directories as this new API correctly sets the posix file permissions." 
+ affected: + - package: + ecosystem: Maven + name: org.glassfish.jersey.core:jersey-common + purl: pkg:maven/org.glassfish.jersey.core/jersey-common + ranges: + - type: ECOSYSTEM + events: + - introduced: "2.28" + - fixed: "2.34" + versions: + - "2.28" + - "2.29" + - 2.29.1 + - "2.30" + - 2.30.1 + - "2.31" + - "2.32" + - "2.33" + database_specific: + last_known_affected_version_range: <= 2.33 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-c43q-5hpj-4crv/GHSA-c43q-5hpj-4crv.json + - package: + ecosystem: Maven + name: org.glassfish.jersey.core:jersey-common + purl: pkg:maven/org.glassfish.jersey.core/jersey-common + ranges: + - type: ECOSYSTEM + events: + - introduced: 3.0.0 + - fixed: 3.0.2 + versions: + - 3.0.0 + - 3.0.1 + database_specific: + last_known_affected_version_range: <= 3.0.1 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-c43q-5hpj-4crv/GHSA-c43q-5hpj-4crv.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + references: + - type: WEB + url: https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-28168 + - type: WEB + url: https://github.com/eclipse-ee4j/jersey/pull/4712 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0@%3Cjira.kafka.apache.org%3E + - 
type: WEB + url: https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1@%3Ccommits.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a@%3Cjira.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359@%3Cdev.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa@%3Ccommits.kafka.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E + database_specific: + cwe_ids: + - CWE-378 + - CWE-379 + - CWE-668 + - CWE-732 + github_reviewed: true + github_reviewed_at: "2021-04-22T19:22:31Z" + nvd_published_at: "2021-04-22T18:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-2268-98wh-qfhf + 
modified: 2024-02-16T08:07:52.686694Z + published: 2023-12-29T15:30:37Z + aliases: + - CVE-2023-50572 + summary: JLine vulnerable to out of memory error + details: An issue in the component `GroovyEngine.execute` of JLine v3.24.1 allows attackers to cause an out of memory (OOM) error exception. + affected: + - package: + ecosystem: Maven + name: org.jline:jline-parent + purl: pkg:maven/org.jline/jline-parent + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 3.25.0 + versions: + - 3.10.0 + - 3.11.0 + - 3.12.0 + - 3.12.1 + - 3.13.0 + - 3.13.1 + - 3.13.2 + - 3.13.3 + - 3.14.0 + - 3.14.1 + - 3.15.0 + - 3.16.0 + - 3.17.0 + - 3.17.1 + - 3.18.0 + - 3.19.0 + - 3.2.0 + - 3.20.0 + - 3.21.0 + - 3.22.0 + - 3.23.0 + - 3.24.0 + - 3.24.1 + - 3.3.0 + - 3.3.1 + - 3.4.0 + - 3.5.0 + - 3.5.1 + - 3.5.2 + - 3.6.0 + - 3.6.1 + - 3.6.2 + - 3.7.0 + - 3.7.1 + - 3.8.0 + - 3.8.1 + - 3.8.2 + - 3.9.0 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-2268-98wh-qfhf/GHSA-2268-98wh-qfhf.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-50572 + - type: WEB + url: https://github.com/jline/jline3/issues/909 + - type: WEB + url: https://github.com/jline/jline3/commit/f3c60a3e6255e8e0c20d5043a4fe248446f292bb + - type: PACKAGE + url: https://github.com/jline/jline3 + database_specific: + cwe_ids: + - CWE-122 + - CWE-787 + github_reviewed: true + github_reviewed_at: "2023-12-29T20:08:20Z" + nvd_published_at: "2023-12-29T15:15:10Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-3vqj-43w4-2q58 + modified: 2024-04-15T20:32:09.9652Z + published: 2022-12-13T15:30:26Z + aliases: + - CVE-2022-45688 + summary: json stack overflow vulnerability + details: A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 and org.json:json before version 20230227 allows attackers to 
cause a Denial of Service (DoS) via crafted JSON or XML data. + affected: + - package: + ecosystem: Maven + name: cn.hutool:hutool-json + purl: pkg:maven/cn.hutool/hutool-json + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 5.8.25 + versions: + - 4.0.0 + - 4.0.1 + - 4.0.10 + - 4.0.11 + - 4.0.12 + - 4.0.2 + - 4.0.3 + - 4.0.4 + - 4.0.5 + - 4.0.6 + - 4.0.7 + - 4.0.8 + - 4.0.9 + - 4.1.0 + - 4.1.1 + - 4.1.10 + - 4.1.11 + - 4.1.12 + - 4.1.13 + - 4.1.14 + - 4.1.15 + - 4.1.16 + - 4.1.17 + - 4.1.18 + - 4.1.19 + - 4.1.2 + - 4.1.20 + - 4.1.21 + - 4.1.3 + - 4.1.4 + - 4.1.5 + - 4.1.6 + - 4.1.7 + - 4.1.8 + - 4.1.9 + - 4.2.1 + - 4.3.0 + - 4.3.1 + - 4.3.2 + - 4.4.0 + - 4.4.1 + - 4.4.2 + - 4.4.3 + - 4.4.4 + - 4.4.5 + - 4.5.0 + - 4.5.1 + - 4.5.10 + - 4.5.11 + - 4.5.12 + - 4.5.13 + - 4.5.14 + - 4.5.15 + - 4.5.16 + - 4.5.17 + - 4.5.18 + - 4.5.2 + - 4.5.3 + - 4.5.4 + - 4.5.5 + - 4.5.6 + - 4.5.7 + - 4.5.8 + - 4.5.9 + - 4.6.0 + - 4.6.1 + - 4.6.10 + - 4.6.11 + - 4.6.12 + - 4.6.13 + - 4.6.14 + - 4.6.15 + - 4.6.16 + - 4.6.17 + - 4.6.2 + - 4.6.3 + - 4.6.4 + - 4.6.5 + - 4.6.6 + - 4.6.7 + - 4.6.8 + - 5.0.0 + - 5.0.1 + - 5.0.2 + - 5.0.3 + - 5.0.4 + - 5.0.5 + - 5.0.6 + - 5.0.7 + - 5.1.0 + - 5.1.1 + - 5.1.2 + - 5.1.3 + - 5.1.4 + - 5.1.5 + - 5.2.0 + - 5.2.1 + - 5.2.2 + - 5.2.3 + - 5.2.4 + - 5.2.5 + - 5.3.0 + - 5.3.1 + - 5.3.10 + - 5.3.2 + - 5.3.3 + - 5.3.4 + - 5.3.5 + - 5.3.6 + - 5.3.7 + - 5.3.8 + - 5.3.9 + - 5.4.0 + - 5.4.1 + - 5.4.2 + - 5.4.3 + - 5.4.4 + - 5.4.5 + - 5.4.6 + - 5.4.7 + - 5.5.0 + - 5.5.1 + - 5.5.2 + - 5.5.3 + - 5.5.4 + - 5.5.5 + - 5.5.6 + - 5.5.7 + - 5.5.8 + - 5.5.9 + - 5.6.0 + - 5.6.1 + - 5.6.2 + - 5.6.3 + - 5.6.4 + - 5.6.5 + - 5.6.6 + - 5.6.7 + - 5.7.0 + - 5.7.1 + - 5.7.10 + - 5.7.11 + - 5.7.12 + - 5.7.13 + - 5.7.14 + - 5.7.15 + - 5.7.16 + - 5.7.17 + - 5.7.18 + - 5.7.19 + - 5.7.2 + - 5.7.20 + - 5.7.21 + - 5.7.22 + - 5.7.3 + - 5.7.4 + - 5.7.5 + - 5.7.6 + - 5.7.7 + - 5.7.8 + - 5.7.9 + - 5.8.0 + - 5.8.0.M1 + - 5.8.0.M2 + - 5.8.0.M3 + - 5.8.0.M4 + - 5.8.1 + - 
5.8.10 + - 5.8.11 + - 5.8.12 + - 5.8.13 + - 5.8.14 + - 5.8.15 + - 5.8.16 + - 5.8.17 + - 5.8.18 + - 5.8.19 + - 5.8.2 + - 5.8.20 + - 5.8.21 + - 5.8.22 + - 5.8.23 + - 5.8.24 + - 5.8.3 + - 5.8.4 + - 5.8.4.M1 + - 5.8.5 + - 5.8.6 + - 5.8.7 + - 5.8.8 + - 5.8.9 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-3vqj-43w4-2q58/GHSA-3vqj-43w4-2q58.json + - package: + ecosystem: Maven + name: org.json:json + purl: pkg:maven/org.json/json + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "20230227" + versions: + - "20070829" + - "20080701" + - "20090211" + - "20131018" + - "20140107" + - "20141113" + - "20150729" + - "20151123" + - "20160212" + - "20160807" + - "20160810" + - "20170516" + - "20171018" + - "20180130" + - "20180813" + - "20190722" + - "20200518" + - "20201115" + - "20210307" + - "20211205" + - "20220320" + - "20220924" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-3vqj-43w4-2q58/GHSA-3vqj-43w4-2q58.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-45688 + - type: WEB + url: https://github.com/dromara/hutool/issues/2748 + - type: WEB + url: https://github.com/stleary/JSON-java/issues/708 + - type: WEB + url: https://github.com/dromara/hutool/commit/6a2b585de0a380e8c12016dbaa1620b69be11b8c + - type: WEB + url: https://github.com/stleary/JSON-java/commit/a6e412bded7a0ad605adfeca029318f184c32102 + - type: WEB + url: https://github.com/dromara/hutool/releases/tag/5.8.25 + database_specific: + cwe_ids: + - CWE-787 + github_reviewed: true + github_reviewed_at: "2022-12-13T19:25:03Z" + nvd_published_at: "2022-12-13T15:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-4jq9-2xhw-jpx7 + modified: 2024-02-16T08:22:14.901634Z + published: 2023-11-14T22:24:08Z + aliases: + - 
CVE-2023-5072 + summary: 'Java: DoS Vulnerability in JSON-JAVA' + details: "### Summary\nA denial of service vulnerability in JSON-Java was discovered by [ClusterFuzz](https://google.github.io/clusterfuzz/). A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. There are two issues: (1) the parser bug can be used to circumvent a check that is supposed to prevent the key in a JSON object from itself being another JSON object; (2) if a key does end up being a JSON object then it gets converted into a string, using `\\` to escape special characters, including `\\` itself. So by nesting JSON objects, with a key that is a JSON object that has a key that is a JSON object, and so on, we can get an exponential number of `\\` characters in the escaped string.\n\n### Severity\nHigh - Because this is an already-fixed DoS vulnerability, the only remaining impact possible is for existing binaries that have not been updated yet.\n\n### Proof of Concept\n```java\npackage orgjsonbug;\n\nimport org.json.JSONObject;\n\n/**\n * Illustrates a bug in JSON-Java.\n */\npublic class Bug {\n private static String makeNested(int depth) {\n if (depth == 0) {\n return \"{\\\"a\\\":1}\";\n }\n return \"{\\\"a\\\":1;\\t\\0\" + makeNested(depth - 1) + \":1}\";\n }\n\n public static void main(String[] args) {\n String input = makeNested(30);\n System.out.printf(\"Input string has length %d: %s\\n\", input.length(), input);\n JSONObject output = new JSONObject(input);\n System.out.printf(\"Output JSONObject has length %d: %s\\n\", output.toString().length(), output);\n }\n}\n```\nWhen run, this reports that the input string has length 367. 
Then, after a long pause, the program crashes inside new JSONObject with OutOfMemoryError.\n\n### Further Analysis\nThe issue is fixed by [this PR](https://github.com/stleary/JSON-java/pull/759).\n\n### Timeline\n**Date reported**: 07/14/2023\n**Date fixed**: \n**Date disclosed**: 10/12/2023" + affected: + - package: + ecosystem: Maven + name: org.json:json + purl: pkg:maven/org.json/json + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "20231013" + versions: + - "20070829" + - "20080701" + - "20090211" + - "20131018" + - "20140107" + - "20141113" + - "20150729" + - "20151123" + - "20160212" + - "20160807" + - "20160810" + - "20170516" + - "20171018" + - "20180130" + - "20180813" + - "20190722" + - "20200518" + - "20201115" + - "20210307" + - "20211205" + - "20220320" + - "20220924" + - "20230227" + - "20230618" + database_specific: + last_known_affected_version_range: <= 20230618 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-4jq9-2xhw-jpx7/GHSA-4jq9-2xhw-jpx7.json + references: + - type: WEB + url: https://github.com/google/security-research/security/advisories/GHSA-4jq9-2xhw-jpx7 + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-5072 + - type: WEB + url: https://github.com/stleary/JSON-java/issues/758 + - type: WEB + url: https://github.com/stleary/JSON-java/issues/771 + - type: WEB + url: https://github.com/stleary/JSON-java/pull/759 + - type: WEB + url: https://github.com/stleary/JSON-java/commit/60662e2f8384d3449822a3a1179bfe8de67b55bb + - type: PACKAGE + url: https://github.com/stleary/JSON-java + database_specific: + cwe_ids: + - CWE-358 + github_reviewed: true + github_reviewed_at: "2023-11-14T22:24:08Z" + nvd_published_at: null + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-48rh-qgjr-xfj6 + modified: 2024-05-15T03:18:35.036252Z + published: 2022-05-13T01:28:44Z + aliases: + - CVE-2015-6748 + summary: Improper Neutralization of Input During Web Page 
Generation in Jsoup + details: Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3. + affected: + - package: + ecosystem: Maven + name: org.jsoup:jsoup + purl: pkg:maven/org.jsoup/jsoup + ranges: + - type: ECOSYSTEM + events: + - introduced: 1.6.0 + - fixed: 1.8.3 + versions: + - 1.6.0 + - 1.6.1 + - 1.6.2 + - 1.6.3 + - 1.7.1 + - 1.7.2 + - 1.7.3 + - 1.8.1 + - 1.8.2 + database_specific: + last_known_affected_version_range: <= 1.8.2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-48rh-qgjr-xfj6/GHSA-48rh-qgjr-xfj6.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2015-6748 + - type: WEB + url: https://github.com/jhy/jsoup/pull/582 + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=1258310 + - type: WEB + url: https://hibernate.atlassian.net/browse/HV-1012 + - type: WEB + url: https://issues.jboss.org/browse/WFLY-5223?_sscc=t + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2020/01/msg00021.html + - type: WEB + url: http://www.openwall.com/lists/oss-security/2015/08/28/5 + database_specific: + cwe_ids: + - CWE-79 + github_reviewed: true + github_reviewed_at: "2022-07-06T20:10:33Z" + nvd_published_at: "2017-09-25T17:29:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-gp7f-rwcx-9369 + modified: 2024-02-19T05:36:10.577248Z + published: 2022-09-01T22:14:57Z + aliases: + - CVE-2022-36033 + summary: jsoup may not sanitize code injection XSS attempts if SafeList.preserveRelativeLinks is enabled + details: |- + jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow cross-site scripting (XSS) attacks when a reader subsequently clicks that link. 
If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. + + ### Impact + Sites that accept input HTML from users and use jsoup to sanitize that HTML, may be vulnerable to cross-site scripting (XSS) attacks, if they have enabled `SafeList.preserveRelativeLinks` and do not set an appropriate Content Security Policy. + + ### Patches + This issue is patched in jsoup 1.15.3. + + Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. + + ### Workarounds + To remediate this issue without immediately upgrading: + + - disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs + - ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.) + + ### Background and root cause + jsoup includes a [Cleaner](https://jsoup.org/apidocs/org/jsoup/safety/Cleaner.html) component, which is designed to [sanitize input HTML](https://jsoup.org/cookbook/cleaning-html/safelist-sanitizer) against configurable safe-lists of acceptable tags, attributes, and attribute values. + + This includes removing potentially malicious attributes such as ``, which may enable XSS attacks. It does this by validating URL attributes against allowed URL protocols (e.g. `http`, `https`). + + However, an attacker may be able to bypass this check by embedding control characters into the href attribute value. This causes the Java URL class, which is used to resolve relative URLs to absolute URLs before checking the URL's protocol, to treat the URL as a relative URL. 
It is then resolved into an absolute URL with the configured base URI. + + For example, `java\tscript:...` would resolve to `https://example.com/java\tscript:...`. + + By default, when using a safe-list that allows `a` tags, jsoup will rewrite any relative URLs (e.g. `/foo/`) to an absolute URL (e.g. `https://example.com/foo/`). Therefore, this attack attempt would be successfully mitigated. However, if the option [SafeList.preserveRelativeLinks](https://jsoup.org/apidocs/org/jsoup/safety/Safelist.html#preserveRelativeLinks(boolean)) is enabled (which does not rewrite relative links to absolute), the input is left as-is. + + While Java will treat a path like `java\tscript:` as a relative path, as it does not match the allowed characters of a URL spec, browsers may normalize out the control characters, and subsequently evaluate it as a `javascript:` spec inline expression. That disparity then leads to an XSS opportunity. + + Sites defining a Content Security Policy that does not allow javascript expressions in link URLs will not be impacted, as the policy will prevent the script's execution. + + ### For more information + If you have any questions or comments about this advisory: + * Open an issue in [jsoup](https://github.com/jhy/jsoup) + * Email the author of jsoup at [jonathan@hedley.net](mailto:jonathan@hedley.net) + + ### Credits + Thanks to Jens Häderer, who reported this issue, and contributed to its resolution. 
+ affected: + - package: + ecosystem: Maven + name: org.jsoup:jsoup + purl: pkg:maven/org.jsoup/jsoup + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.15.3 + versions: + - 0.2.1b + - 0.2.2 + - 0.3.1 + - 1.1.1 + - 1.10.1 + - 1.10.2 + - 1.10.3 + - 1.11.1 + - 1.11.2 + - 1.11.3 + - 1.12.1 + - 1.12.2 + - 1.13.1 + - 1.14.1 + - 1.14.2 + - 1.14.3 + - 1.15.1 + - 1.15.2 + - 1.2.1 + - 1.2.2 + - 1.2.3 + - 1.3.1 + - 1.3.2 + - 1.3.3 + - 1.4.1 + - 1.5.1 + - 1.5.2 + - 1.6.0 + - 1.6.1 + - 1.6.2 + - 1.6.3 + - 1.7.1 + - 1.7.2 + - 1.7.3 + - 1.8.1 + - 1.8.2 + - 1.8.3 + - 1.9.1 + - 1.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-gp7f-rwcx-9369/GHSA-gp7f-rwcx-9369.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + references: + - type: WEB + url: https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369 + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-36033 + - type: PACKAGE + url: https://github.com/jhy/jsoup + - type: WEB + url: https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3 + - type: WEB + url: https://jsoup.org/news/release-1.15.3 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20221104-0006 + database_specific: + cwe_ids: + - CWE-79 + github_reviewed: true + github_reviewed_at: "2022-09-01T22:14:57Z" + nvd_published_at: "2022-08-29T17:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-m72m-mhq2-9p6c + modified: 2024-02-19T05:33:24.754681Z + published: 2021-08-23T19:42:38Z + aliases: + - CVE-2021-37714 + summary: Uncaught Exception in jsoup + details: | + ### Impact + _What kind of vulnerability is it? Who is impacted?_ + Those using jsoup to parse untrusted HTML or XML may be vulnerable to DOS attacks. 
If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. + + ### Patches + _Has the problem been patched? What versions should users upgrade to?_ + Users should upgrade to jsoup 1.14.2 + + ### Workarounds + _Is there a way for users to fix or remediate the vulnerability without upgrading?_ + Users may rate limit input parsing. Users should limit the size of inputs based on system resources. Users should implement thread watchdogs to cap and timeout parse runtimes. + affected: + - package: + ecosystem: Maven + name: org.jsoup:jsoup + purl: pkg:maven/org.jsoup/jsoup + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.14.2 + versions: + - 0.2.1b + - 0.2.2 + - 0.3.1 + - 1.1.1 + - 1.10.1 + - 1.10.2 + - 1.10.3 + - 1.11.1 + - 1.11.2 + - 1.11.3 + - 1.12.1 + - 1.12.2 + - 1.13.1 + - 1.14.1 + - 1.2.1 + - 1.2.2 + - 1.2.3 + - 1.3.1 + - 1.3.2 + - 1.3.3 + - 1.4.1 + - 1.5.1 + - 1.5.2 + - 1.6.0 + - 1.6.1 + - 1.6.2 + - 1.6.3 + - 1.7.1 + - 1.7.2 + - 1.7.3 + - 1.8.1 + - 1.8.2 + - 1.8.3 + - 1.9.1 + - 1.9.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-m72m-mhq2-9p6c/GHSA-m72m-mhq2-9p6c.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: WEB + url: https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2021-37714 + - type: PACKAGE + url: https://github.com/jhy/jsoup + - type: WEB + url: https://jsoup.org/news/release-1.14.1 + - type: WEB + url: https://jsoup.org/news/release-1.14.2 + - type: WEB + url: https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0@%3Cissues.maven.apache.org%3E + - type: WEB + 
url: https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e@%3Cissues.maven.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7@%3Cissues.maven.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e@%3Cissues.maven.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b@%3Cnotifications.james.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe@%3Cnotifications.james.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa@%3Cnotifications.james.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220210-0022 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + database_specific: + cwe_ids: + - CWE-248 + - CWE-835 + github_reviewed: true + github_reviewed_at: "2021-08-23T17:20:30Z" + nvd_published_at: "2021-08-18T15:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-x9rg-q5fx-fx66 + modified: 2023-11-08T03:58:52.089972Z + published: 2022-05-13T01:38:10Z + aliases: + - CVE-2017-12197 + summary: Improper Input Validation in libpam4j + details: It was found that libpam4j prior to 1.10 did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information. 
+ affected: + - package: + ecosystem: Maven + name: org.kohsuke:libpam4j + purl: pkg:maven/org.kohsuke/libpam4j + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: "1.10" + versions: + - "1.5" + - "1.6" + - "1.7" + - "1.8" + - "1.9" + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-x9rg-q5fx-fx66/GHSA-x9rg-q5fx-fx66.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2017-12197 + - type: WEB + url: https://github.com/kohsuke/libpam4j/issues/18 + - type: WEB + url: https://github.com/kohsuke/libpam4j/commit/02ffdff218283629ba4a902e7fe2fd44646abc21 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:2904 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:2905 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2017:2906 + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=1503103 + - type: PACKAGE + url: https://github.com/kohsuke/libpam4j + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2017/11/msg00008.html + - type: WEB + url: https://www.debian.org/security/2017/dsa-4025 + database_specific: + cwe_ids: + - CWE-20 + github_reviewed: true + github_reviewed_at: "2022-07-01T21:27:13Z" + nvd_published_at: "2018-01-18T21:29:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-9qcf-c26r-x5rf + modified: 2024-03-12T05:34:13.564661Z + published: 2020-07-01T17:55:03Z + aliases: + - CVE-2019-13990 + summary: XML external entity injection in Terracotta Quartz Scheduler + details: initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description. 
+ affected: + - package: + ecosystem: Maven + name: org.quartz-scheduler:quartz + purl: pkg:maven/org.quartz-scheduler/quartz + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.3.2 + versions: + - 1.7.2 + - 1.7.3 + - 1.8.0 + - 1.8.1 + - 1.8.2 + - 1.8.3 + - 1.8.4 + - 1.8.5 + - 1.8.6 + - 2.0.0 + - 2.0.1 + - 2.0.2 + - 2.1.0 + - 2.1.1 + - 2.1.2 + - 2.1.3 + - 2.1.4 + - 2.1.5 + - 2.1.6 + - 2.1.7 + - 2.2.0 + - 2.2.1 + - 2.2.2 + - 2.2.3 + - 2.3.0 + - 2.3.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-9qcf-c26r-x5rf/GHSA-9qcf-c26r-x5rf.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2019-13990 + - type: WEB + url: https://github.com/quartz-scheduler/quartz/issues/467 + - type: WEB + url: https://github.com/quartz-scheduler/quartz/pull/501 + - type: WEB + url: https://github.com/quartz-scheduler/quartz/commit/13c1d45aa1db15d0fa0e4997139c99ba219be551 + - type: WEB + url: https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a@%3Ccommits.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf@%3Ccommits.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa@%3Ccommits.tomee.apache.org%3E + - type: WEB + url: https://security.netapp.com/advisory/ntap-20221028-0002 + - type: WEB + url: https://snyk.io/vuln/SNYK-JAVA-ORGQUARTZSCHEDULER-461170 + - type: WEB + url: 
https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujan2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf@%3Ccommits.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3@%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82@%3Cdev.tomee.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E + - type: PACKAGE + url: https://github.com/quartz-scheduler/quartz + - type: WEB + url: https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html + database_specific: + cwe_ids: + - CWE-611 + github_reviewed: true + github_reviewed_at: "2020-07-01T17:54:54Z" + nvd_published_at: "2019-07-26T19:15:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-w77p-8cfg-2x43 + modified: 2024-03-10T05:18:53.885836Z + published: 2022-05-13T01:04:09Z + aliases: + - CVE-2018-8088 + summary: Improper Access Control in SLF4J + details: |- + org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before `1.8.0-beta4` allows remote attackers to bypass intended access restrictions via crafted data. EventData in the slf4j-ext module in QOS.CH SLF4J, has been fixed in SLF4J version `1.7.26` and later and in the `2.0.x` series. + + Note that while the [fix commit](https://github.com/qos-ch/slf4j/commit/d2b27fba88e983f921558da27fc29b5f5d269405) is associated with the tag `1.8.0-beta3`, the versions in [Maven](https://mvnrepository.com/artifact/org.slf4j/slf4j-ext) go directly from `1.8.0-beta2` to `1.8.0-beta4`. 
+ affected: + - package: + ecosystem: Maven + name: org.slf4j:slf4j-ext + purl: pkg:maven/org.slf4j/slf4j-ext + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.7.26 + versions: + - 1.0-alpha0 + - 1.5.10 + - 1.5.11 + - 1.5.4 + - 1.5.5 + - 1.5.6 + - 1.5.7 + - 1.5.8 + - 1.5.9-RC0 + - 1.5.9.RC1 + - 1.6.0 + - 1.6.0-RC0 + - 1.6.0-alpha2 + - 1.6.1 + - 1.6.2 + - 1.6.3 + - 1.6.4 + - 1.6.5 + - 1.6.6 + - 1.7.0 + - 1.7.1 + - 1.7.10 + - 1.7.11 + - 1.7.12 + - 1.7.13 + - 1.7.14 + - 1.7.15 + - 1.7.16 + - 1.7.18 + - 1.7.19 + - 1.7.2 + - 1.7.20 + - 1.7.21 + - 1.7.22 + - 1.7.23 + - 1.7.24 + - 1.7.25 + - 1.7.3 + - 1.7.4 + - 1.7.5 + - 1.7.6 + - 1.7.7 + - 1.7.8 + - 1.7.9 + database_specific: + last_known_affected_version_range: <= 1.7.25 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w77p-8cfg-2x43/GHSA-w77p-8cfg-2x43.json + - package: + ecosystem: Maven + name: org.slf4j:slf4j-ext + purl: pkg:maven/org.slf4j/slf4j-ext + ranges: + - type: ECOSYSTEM + events: + - introduced: 1.8.0-alpha0 + - fixed: 1.8.0-beta4 + versions: + - 1.8.0-alpha0 + - 1.8.0-alpha1 + - 1.8.0-alpha2 + - 1.8.0-beta0 + - 1.8.0-beta1 + - 1.8.0-beta2 + database_specific: + last_known_affected_version_range: <= 1.8.0-beta2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w77p-8cfg-2x43/GHSA-w77p-8cfg-2x43.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2018-8088 + - type: WEB + url: https://github.com/qos-ch/slf4j/commit/d2b27fba88e983f921558da27fc29b5f5d269405 + - type: WEB + url: https://lists.apache.org/thread.html/rc378b97d52856f9f3c5ced14771fed8357e4187a3a0f9a2f0515931a@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc378b97d52856f9f3c5ced14771fed8357e4187a3a0f9a2f0515931a%40%3Cissues.zookeeper.apache.org%3E + - type: WEB 
+ url: https://lists.apache.org/thread.html/raabf1a00b2652575fca9fcb44166a828a0cab97a7d1594001eabc991@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/raabf1a00b2652575fca9fcb44166a828a0cab97a7d1594001eabc991%40%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9e25496608036573736cee484d8d03dae400f09e443b0000b6adc042@%3Ccommits.iotdb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9e25496608036573736cee484d8d03dae400f09e443b0000b6adc042%40%3Ccommits.iotdb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r99a6552e45ca6ba1082031421f51799a4a665eda905ab2c2aa9d6ffa@%3Cdev.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r99a6552e45ca6ba1082031421f51799a4a665eda905ab2c2aa9d6ffa%40%3Cdev.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9584c4304c888f651d214341a939bd264ed30c9e3d0d30fe85097ecf@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r9584c4304c888f651d214341a939bd264ed30c9e3d0d30fe85097ecf%40%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r891761d5014f9ffd79d9737482de832462de538b6c4bdcef21aad729@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r891761d5014f9ffd79d9737482de832462de538b6c4bdcef21aad729%40%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r81711cde77c2c5742b7b8533c978e79771b700af0ef4d3149d70df25@%3Cnotifications.logging.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r81711cde77c2c5742b7b8533c978e79771b700af0ef4d3149d70df25%40%3Cnotifications.logging.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r767861f053c15f9e9201b939a0d508dd58475a072e76135eaaca17f0@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r767861f053c15f9e9201b939a0d508dd58475a072e76135eaaca17f0%40%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5cf87a035b297c19f4043a37b73c341576dd92f819bd3e4aa27de541@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r5cf87a035b297c19f4043a37b73c341576dd92f819bd3e4aa27de541%40%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r573eb577a67503e72181eee637d9b0ac042197e632bcdfce76af06a3@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r573eb577a67503e72181eee637d9b0ac042197e632bcdfce76af06a3%40%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r48247c12cf652e95a01fc94ee5aa8641f3ec481235774790e53eb55e@%3Creviews.iotdb.apache.org%3E + - type: WEB + url: https://www.slf4j.org/news.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2020.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2020.html + - type: WEB + url: https://security.netapp.com/advisory/ntap-20231227-0010 + - type: WEB + url: https://lists.apache.org/thread.html/rfe52b7cbba4dcba521e13130e5d28d5818b78d70db0af1b470fa0264@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfe52b7cbba4dcba521e13130e5d28d5818b78d70db0af1b470fa0264%40%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfb45527bad7220ada9e30957762e1da254ce405e67cc3ddf6f3558d9@%3Creviews.iotdb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rfb45527bad7220ada9e30957762e1da254ce405e67cc3ddf6f3558d9%40%3Creviews.iotdb.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/rf58e1bee31d66665437dde9acd9abed53f8483034b69fa9ca7cde09c@%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rf58e1bee31d66665437dde9acd9abed53f8483034b69fa9ca7cde09c%40%3Cdev.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/reb3eeb985afdead17fadb7c33d5d472c1015a85ea5c9b038ec77f378@%3Ccommon-dev.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/reb3eeb985afdead17fadb7c33d5d472c1015a85ea5c9b038ec77f378%40%3Ccommon-dev.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re6fb6b0de9d679310437ff87fc94e39da5a14dce9c73864a41837462@%3Ccommon-commits.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/re6fb6b0de9d679310437ff87fc94e39da5a14dce9c73864a41837462%40%3Ccommon-commits.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd86db9679150e9297b5c0fcb6f0e80a8b81b54fcf423de5a914bca78@%3Ccommon-commits.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd86db9679150e9297b5c0fcb6f0e80a8b81b54fcf423de5a914bca78%40%3Ccommon-commits.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc7de83170d3402af15bfed3d59f80aea20f250535bdce30e4cad24db@%3Cissues.flink.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rc7de83170d3402af15bfed3d59f80aea20f250535bdce30e4cad24db%40%3Cissues.flink.apache.org%3E + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2669 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2420 + - type: WEB + url: 
https://access.redhat.com/errata/RHSA-2018:2419 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2143 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1575 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1525 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1451 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1450 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1449 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1448 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1447 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1323 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1251 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1249 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1248 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:1247 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0630 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0629 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0628 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0627 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0592 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:0582 + - type: WEB + url: https://lists.apache.org/thread.html/r48247c12cf652e95a01fc94ee5aa8641f3ec481235774790e53eb55e%40%3Creviews.iotdb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r37644f0a00aca9fbcbc21c0f9a91f927b63153ec3607be469cd515e5@%3Creviews.iotdb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r37644f0a00aca9fbcbc21c0f9a91f927b63153ec3607be469cd515e5%40%3Creviews.iotdb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r32be21da011479df41468a62bc09d12f0d3b4e3a71679d33cb0e8c56@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/r32be21da011479df41468a62bc09d12f0d3b4e3a71679d33cb0e8c56%40%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2d05924f903403927a2f4e78d9b1249a42f0bd09f69a7c1954d74a42@%3Creviews.iotdb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2d05924f903403927a2f4e78d9b1249a42f0bd09f69a7c1954d74a42%40%3Creviews.iotdb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r17e7e6abc53d29c0e269153517d36f4bec2755b95900596e6df15cbe@%3Cnotifications.iotdb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r17e7e6abc53d29c0e269153517d36f4bec2755b95900596e6df15cbe%40%3Cnotifications.iotdb.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1660c72a660f0522947ca6ce329dcc74e1ee20c58bbe208472754489@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r1660c72a660f0522947ca6ce329dcc74e1ee20c58bbe208472754489%40%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0f376559fd39cf1a53ac3afbc1fc5d62649dcac9916d4697445a94fa@%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0f376559fd39cf1a53ac3afbc1fc5d62649dcac9916d4697445a94fa%40%3Cissues.zookeeper.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/95ce76613c869dbccf1d3d29327099ccc71aeec156f76c30853044fa@%3Cdevnull.infra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/95ce76613c869dbccf1d3d29327099ccc71aeec156f76c30853044fa%40%3Cdevnull.infra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/956ba8e76b6793a6670b2eb0129a5e3003ce2124ca3130fd57d48d0f@%3Cdevnull.infra.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/956ba8e76b6793a6670b2eb0129a5e3003ce2124ca3130fd57d48d0f%40%3Cdevnull.infra.apache.org%3E + - type: WEB + url: https://jira.qos.ch/browse/SLF4J-431 + - 
type: WEB + url: https://jira.qos.ch/browse/SLF4J-430 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:3140 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2019:2413 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2018:2930 + - type: WEB + url: http://www.securityfocus.com/bid/103737 + - type: WEB + url: http://www.securitytracker.com/id/1040627 + database_specific: + cwe_ids: + - CWE-284 + github_reviewed: true + github_reviewed_at: "2022-06-29T18:51:39Z" + nvd_published_at: "2018-03-20T16:29:00Z" + severity: CRITICAL + - schema_version: 1.6.0 + id: GHSA-55g7-9cwv-5qfv + modified: 2024-02-16T08:07:08.591827Z + published: 2023-09-25T18:30:18Z + aliases: + - CVE-2023-43642 + summary: snappy-java's missing upper bound check on chunk length can lead to Denial of Service (DoS) impact + details: "### Summary\n\nsnappy-java is a data compression library in Java. Its SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too-large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. \n\n### Scope\n\nAll versions of snappy-java including the latest released version 1.1.10.3. A fix is applied in 1.1.10.4\n\n### Details\nWhile performing mitigation efforts related to [CVE-2023-34455](https://nvd.nist.gov/vuln/detail/CVE-2023-34455) in Confluent products, our Application Security team closely analyzed the fix that was accepted and merged into snappy-java version 1.1.10.1 in [this](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea) commit. The check on [line 421](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea#diff-c3e53610267092989965e8c7dd2d4417d355ff7f560f9e8075b365f32569079fR421) only attempts to check if chunkSize is not a negative value. 
We believe that this is an inadequate fix as it misses an upper-bounds check for overly positive values such as 0x7FFFFFFF (or (2,147,483,647 in decimal) before actually [attempting to allocate](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea#diff-c3e53610267092989965e8c7dd2d4417d355ff7f560f9e8075b365f32569079fR429) the provided unverified number of bytes via the “chunkSize” variable. This missing upper-bounds check can lead to the applications depending upon snappy-java to allocate an inappropriate number of bytes on the heap which can then cause an java.lang.OutOfMemoryError exception. Under some specific conditions and contexts, this can lead to a Denial-of-Service (DoS) attack with a direct impact on the availability of the dependent implementations based on the usage of the snappy-java library for compression/decompression needs.\n\n### PoC\nCompile and run the following code:\n```\npackage org.example;\nimport org.xerial.snappy.SnappyInputStream;\n\nimport java.io.*;\n\npublic class Main {\n\n public static void main(String[] args) throws IOException {\n byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};\n SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));\n byte[] out = new byte[50];\n try {\n in.read(out);\n }\n catch (Exception ignored) {\n }\n }\n}\n```\n\n### Impact\nDenial of Service of applications dependent on snappy-java especially if `ExitOnOutOfMemoryError` or `CrashOnOutOfMemoryError` is configured on the JVM.\n\n### Credits\nJan Werner, Mukul Khullar and Bharadwaj Machiraju from Confluent's Application Security team. \n\nWe kindly request for a new CVE ID to be assigned once you acknowledge this vulnerability." 
+ affected: + - package: + ecosystem: Maven + name: org.xerial.snappy:snappy-java + purl: pkg:maven/org.xerial.snappy/snappy-java + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.1.10.4 + versions: + - 1.0.1-rc1 + - 1.0.1-rc2 + - 1.0.1-rc3 + - 1.0.1-rc4 + - 1.0.3 + - 1.0.3-rc1 + - 1.0.3-rc2 + - 1.0.3-rc3 + - 1.0.3-rc4 + - 1.0.3.1 + - 1.0.3.2 + - 1.0.3.3 + - 1.0.4 + - 1.0.4.1 + - 1.0.5 + - 1.0.5-M1 + - 1.0.5-M2 + - 1.0.5-M3 + - 1.0.5-M4 + - 1.0.5.1 + - 1.0.5.2 + - 1.0.5.3 + - 1.0.5.4 + - 1.1.0 + - 1.1.0-M1 + - 1.1.0-M2 + - 1.1.0-M3 + - 1.1.0-M4 + - 1.1.0.1 + - 1.1.1 + - 1.1.1-M1 + - 1.1.1-M2 + - 1.1.1-M3 + - 1.1.1-M4 + - 1.1.1.1 + - 1.1.1.2 + - 1.1.1.3 + - 1.1.1.4 + - 1.1.1.5 + - 1.1.1.6 + - 1.1.1.7 + - 1.1.10.0 + - 1.1.10.1 + - 1.1.10.2 + - 1.1.10.3 + - 1.1.2 + - 1.1.2-M1 + - 1.1.2-RC1 + - 1.1.2-RC2 + - 1.1.2-RC3 + - 1.1.2.1 + - 1.1.2.2 + - 1.1.2.3 + - 1.1.2.4 + - 1.1.2.5 + - 1.1.2.6 + - 1.1.3-M1 + - 1.1.3-M2 + - 1.1.4 + - 1.1.4-M1 + - 1.1.4-M2 + - 1.1.4-M3 + - 1.1.7 + - 1.1.7.1 + - 1.1.7.2 + - 1.1.7.3 + - 1.1.7.4 + - 1.1.7.5 + - 1.1.7.6 + - 1.1.7.7 + - 1.1.7.8 + - 1.1.8 + - 1.1.8.1 + - 1.1.8.2 + - 1.1.8.3 + - 1.1.8.4 + - 1.1.9.0 + - 1.1.9.1 + database_specific: + last_known_affected_version_range: <= 1.1.10.3 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-55g7-9cwv-5qfv/GHSA-55g7-9cwv-5qfv.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: WEB + url: https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-43642 + - type: WEB + url: https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5 + - type: PACKAGE + url: https://github.com/xerial/snappy-java + - type: WEB + url: https://github.com/xerial/snappy-java/releases/tag/v1.1.10.4 + database_specific: + cwe_ids: + - CWE-770 + github_reviewed: true + 
github_reviewed_at: "2023-09-25T18:30:18Z" + nvd_published_at: "2023-09-25T20:15:11Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-fjpj-2g6w-x25r + modified: 2024-02-16T08:21:07.894811Z + published: 2023-06-15T16:28:08Z + aliases: + - CVE-2023-34454 + summary: snappy-java's Integer Overflow vulnerability in compress leads to DoS + details: |- + ## Summary + Due to unchecked multiplications, an integer overflow may occur, causing an unrecoverable fatal error. + ## Impact + Denial of Service + ## Description + The function [compress(char[] input)](https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L169) in the file [Snappy.java](https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/Snappy.java) receives an array of characters and compresses it. It does so by multiplying the length by 2 and passing it to the [rawCompress](https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L422) function. + + ```java + public static byte[] compress(char[] input) + throws IOException + { + return rawCompress(input, input.length * 2); // char uses 2 bytes + } + + ``` + + Since the length is not tested, the multiplication by two can cause an integer overflow and become negative. The rawCompress function then uses the received length and passes it to the natively compiled maxCompressedLength function, using the returned value to allocate a byte array. 
+ + ```java + public static byte[] rawCompress(Object data, int byteSize) + throws IOException + { + byte[] buf = new byte[Snappy.maxCompressedLength(byteSize)]; + int compressedByteSize = impl.rawCompress(data, 0, byteSize, buf, 0); + byte[] result = new byte[compressedByteSize]; + System.arraycopy(buf, 0, result, 0, compressedByteSize); + return result; + } + + ``` + + Since the maxCompressedLength function treats the length as an unsigned integer, it doesn’t care that it is negative, and it returns a valid value, which is casted to a signed integer by the Java engine. If the result is negative, a “java.lang.NegativeArraySizeException” exception will be raised while trying to allocate the array “buf”. On the other side, if the result is positive, the “buf” array will successfully be allocated, but its size might be too small to use for the compression, causing a fatal Access Violation error. + The same issue exists also when using the “compress” functions that receive double, float, int, long and short, each using a different multiplier that may cause the same issue. The issue most likely won’t occur when using a byte array, since creating a byte array of size 0x80000000 (or any other negative value) is impossible in the first place. + + + ## Steps To Reproduce + Compile and run the following code: + + ```java + package org.example; + import org.xerial.snappy.Snappy; + + import java.io.*; + + public class Main { + + public static void main(String[] args) throws IOException { + char[] uncompressed = new char[0x40000000]; + byte[] compressed = Snappy.compress(uncompressed); + } + } + + ``` + + The program will crash, creating crashdumps and showing the following error (or similar): + + ``` + # + # A fatal error has been detected by the Java Runtime Environment: + # + # EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x0000000063a01c20, pid=21164, tid=508 + # + ....... 
+ ``` + + + Alternatively - compile and run the following code: + + ```java + package org.example; + import org.xerial.snappy.Snappy; + + import java.io.*; + + public class Main { + + public static void main(String[] args) throws IOException { + char[] uncompressed = new char[0x3fffffff]; + byte[] compressed = Snappy.compress(uncompressed); + } + } + ``` + + The program will crash with the following error (or similar), since the maxCompressedLength returns a value that is interpreted as negative by java: + + ``` + Exception in thread "main" java.lang.NegativeArraySizeException: -1789569677 + at org.xerial.snappy.Snappy.rawCompress(Snappy.java:425) + at org.xerial.snappy.Snappy.compress(Snappy.java:172) + at org.example.Main.main(Main.java:10) + + ``` + affected: + - package: + ecosystem: Maven + name: org.xerial.snappy:snappy-java + purl: pkg:maven/org.xerial.snappy/snappy-java + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.1.10.1 + versions: + - 1.0.1-rc1 + - 1.0.1-rc2 + - 1.0.1-rc3 + - 1.0.1-rc4 + - 1.0.3 + - 1.0.3-rc1 + - 1.0.3-rc2 + - 1.0.3-rc3 + - 1.0.3-rc4 + - 1.0.3.1 + - 1.0.3.2 + - 1.0.3.3 + - 1.0.4 + - 1.0.4.1 + - 1.0.5 + - 1.0.5-M1 + - 1.0.5-M2 + - 1.0.5-M3 + - 1.0.5-M4 + - 1.0.5.1 + - 1.0.5.2 + - 1.0.5.3 + - 1.0.5.4 + - 1.1.0 + - 1.1.0-M1 + - 1.1.0-M2 + - 1.1.0-M3 + - 1.1.0-M4 + - 1.1.0.1 + - 1.1.1 + - 1.1.1-M1 + - 1.1.1-M2 + - 1.1.1-M3 + - 1.1.1-M4 + - 1.1.1.1 + - 1.1.1.2 + - 1.1.1.3 + - 1.1.1.4 + - 1.1.1.5 + - 1.1.1.6 + - 1.1.1.7 + - 1.1.10.0 + - 1.1.2 + - 1.1.2-M1 + - 1.1.2-RC1 + - 1.1.2-RC2 + - 1.1.2-RC3 + - 1.1.2.1 + - 1.1.2.2 + - 1.1.2.3 + - 1.1.2.4 + - 1.1.2.5 + - 1.1.2.6 + - 1.1.3-M1 + - 1.1.3-M2 + - 1.1.4 + - 1.1.4-M1 + - 1.1.4-M2 + - 1.1.4-M3 + - 1.1.7 + - 1.1.7.1 + - 1.1.7.2 + - 1.1.7.3 + - 1.1.7.4 + - 1.1.7.5 + - 1.1.7.6 + - 1.1.7.7 + - 1.1.7.8 + - 1.1.8 + - 1.1.8.1 + - 1.1.8.2 + - 1.1.8.3 + - 1.1.8.4 + - 1.1.9.0 + - 1.1.9.1 + database_specific: + last_known_affected_version_range: <= 1.1.10.0 + source: 
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-fjpj-2g6w-x25r/GHSA-fjpj-2g6w-x25r.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: WEB + url: https://github.com/xerial/snappy-java/security/advisories/GHSA-fjpj-2g6w-x25r + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-34454 + - type: WEB + url: https://github.com/xerial/snappy-java/commit/d0042551e4a3509a725038eb9b2ad1f683674d94 + - type: PACKAGE + url: https://github.com/xerial/snappy-java + - type: WEB + url: https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L169 + - type: WEB + url: https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L422 + - type: WEB + url: https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/Snappy.java + database_specific: + cwe_ids: + - CWE-190 + github_reviewed: true + github_reviewed_at: "2023-06-15T16:28:08Z" + nvd_published_at: "2023-06-15T17:15:09Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-pqr6-cmr2-h8hf + modified: 2024-02-16T08:00:57.023897Z + published: 2023-06-15T16:13:20Z + aliases: + - CVE-2023-34453 + summary: snappy-java's Integer Overflow vulnerability in shuffle leads to DoS + details: |- + ## Summary + Due to unchecked multiplications, an integer overflow may occur, causing a fatal error. + ## Impact + Denial of Service + ## Description + The function [shuffle(int[] input)](https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/BitShuffle.java#L107) in the file [BitShuffle.java](https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/BitShuffle.java) receives an array of integers and applies a bit shuffle on it. 
It does so by multiplying the length by 4 and passing it to the natively compiled shuffle function. + + ```java + public static byte[] shuffle(int[] input) throws IOException { + byte[] output = new byte[input.length * 4]; + int numProcessed = impl.shuffle(input, 0, 4, input.length * 4, output, 0); + assert(numProcessed == input.length * 4); + return output; + } + + ``` + + Since the length is not tested, the multiplication by four can cause an integer overflow and become a smaller value than the true size, or even zero or negative. In the case of a negative value, a “java.lang.NegativeArraySizeException” exception will raise, which can crash the program. In a case of a value that is zero or too small, the code that afterwards references the shuffled array will assume a bigger size of the array, which might cause exceptions such as “java.lang.ArrayIndexOutOfBoundsException”. + The same issue exists also when using the “shuffle” functions that receive a double, float, long and short, each using a different multiplier that may cause the same issue. 
+ + ## Steps To Reproduce + Compile and run the following code: + + ```java + package org.example; + import org.xerial.snappy.BitShuffle; + + import java.io.*; + + + public class Main { + + public static void main(String[] args) throws IOException { + int[] original = new int[0x40000000]; + byte[] shuffled = BitShuffle.shuffle(original); + System.out.println(shuffled[0]); + } + } + + ``` + The program will crash, showing the following error (or similar): + + ``` + Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0 + at org.example.Main.main(Main.java:12) + + Process finished with exit code 1 + + ``` + + Alternatively - compile and run the following code: + + ```java + package org.example; + import org.xerial.snappy.BitShuffle; + + import java.io.*; + + + public class Main { + + public static void main(String[] args) throws IOException { + int[] original = new int[0x20000000]; + byte[] shuffled = BitShuffle.shuffle(original); + } + } + + ``` + The program will crash with the following error (or similar): + + ``` + Exception in thread "main" java.lang.NegativeArraySizeException: -2147483648 + at org.xerial.snappy.BitShuffle.shuffle(BitShuffle.java:108) + at org.example.Main.main(Main.java:11) + ``` + affected: + - package: + ecosystem: Maven + name: org.xerial.snappy:snappy-java + purl: pkg:maven/org.xerial.snappy/snappy-java + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.1.10.1 + versions: + - 1.0.1-rc1 + - 1.0.1-rc2 + - 1.0.1-rc3 + - 1.0.1-rc4 + - 1.0.3 + - 1.0.3-rc1 + - 1.0.3-rc2 + - 1.0.3-rc3 + - 1.0.3-rc4 + - 1.0.3.1 + - 1.0.3.2 + - 1.0.3.3 + - 1.0.4 + - 1.0.4.1 + - 1.0.5 + - 1.0.5-M1 + - 1.0.5-M2 + - 1.0.5-M3 + - 1.0.5-M4 + - 1.0.5.1 + - 1.0.5.2 + - 1.0.5.3 + - 1.0.5.4 + - 1.1.0 + - 1.1.0-M1 + - 1.1.0-M2 + - 1.1.0-M3 + - 1.1.0-M4 + - 1.1.0.1 + - 1.1.1 + - 1.1.1-M1 + - 1.1.1-M2 + - 1.1.1-M3 + - 1.1.1-M4 + - 1.1.1.1 + - 1.1.1.2 + - 1.1.1.3 + - 1.1.1.4 + - 1.1.1.5 + - 1.1.1.6 + - 
1.1.1.7 + - 1.1.10.0 + - 1.1.2 + - 1.1.2-M1 + - 1.1.2-RC1 + - 1.1.2-RC2 + - 1.1.2-RC3 + - 1.1.2.1 + - 1.1.2.2 + - 1.1.2.3 + - 1.1.2.4 + - 1.1.2.5 + - 1.1.2.6 + - 1.1.3-M1 + - 1.1.3-M2 + - 1.1.4 + - 1.1.4-M1 + - 1.1.4-M2 + - 1.1.4-M3 + - 1.1.7 + - 1.1.7.1 + - 1.1.7.2 + - 1.1.7.3 + - 1.1.7.4 + - 1.1.7.5 + - 1.1.7.6 + - 1.1.7.7 + - 1.1.7.8 + - 1.1.8 + - 1.1.8.1 + - 1.1.8.2 + - 1.1.8.3 + - 1.1.8.4 + - 1.1.9.0 + - 1.1.9.1 + database_specific: + last_known_affected_version_range: <= 1.1.10.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-pqr6-cmr2-h8hf/GHSA-pqr6-cmr2-h8hf.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: WEB + url: https://github.com/xerial/snappy-java/security/advisories/GHSA-pqr6-cmr2-h8hf + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-34453 + - type: WEB + url: https://github.com/xerial/snappy-java/commit/820e2e074c58748b41dbd547f4edba9e108ad905 + - type: PACKAGE + url: https://github.com/xerial/snappy-java + - type: WEB + url: https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/BitShuffle.java#L107 + - type: WEB + url: https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/BitShuffle.java + database_specific: + cwe_ids: + - CWE-190 + github_reviewed: true + github_reviewed_at: "2023-06-15T16:13:20Z" + nvd_published_at: "2023-06-15T17:15:09Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-qcwq-55hx-v3vh + modified: 2024-02-17T05:36:43.827976Z + published: 2023-06-15T17:15:06Z + aliases: + - CVE-2023-34455 + summary: snappy-java's unchecked chunk length leads to DoS + details: |- + ## Summary + Due to use of an unchecked chunk length, an unrecoverable fatal error can occur. 
+ ## Impact + Denial of Service + ## Description + The code in the function [hasNextChunk](https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/SnappyInputStream.java#L388) in the file [SnappyInputStream.java](https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/SnappyInputStream.java) checks if a given stream has more chunks to read. It does that by attempting to read 4 bytes. If it wasn’t possible to read the 4 bytes, the function returns false. Otherwise, if 4 bytes were available, the code treats them as the length of the next chunk. + + + + ```java + int readBytes = readNext(header, 0, 4); + if (readBytes < 4) { + return false; + } + + int chunkSize = SnappyOutputStream.readInt(header, 0); + if (chunkSize == SnappyCodec.MAGIC_HEADER_HEAD) { + ......... + } + + // extend the compressed data buffer size + if (compressed == null || chunkSize > compressed.length) { + compressed = new byte[chunkSize]; + } + + ``` + + In the case that the “compressed” variable is null, a byte array is allocated with the size given by the input data. Since the code doesn’t test the legality of the “chunkSize” variable, it is possible to pass a negative number (such as 0xFFFFFFFF which is -1), which will cause the code to raise a “java.lang.NegativeArraySizeException” exception. A worse case would happen when passing a huge positive value (such as 0x7FFFFFFF), which would raise the fatal “java.lang.OutOfMemoryError” error. 
+ + + ## Steps To Reproduce + Compile and run the following code: + + ```java + package org.example; + import org.xerial.snappy.SnappyInputStream; + + import java.io.*; + + public class Main { + + public static void main(String[] args) throws IOException { + byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff}; + SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data)); + byte[] out = new byte[50]; + try { + in.read(out); + } + catch (Exception ignored) { + + } + } + } + ``` + + The program will crash with the following error (or similar), even though there is a catch clause, since “OutOfMemoryError” does not get caught by catching the “Exception” class: + + ``` + Exception in thread "main" java.lang.OutOfMemoryError: Requested array size exceeds VM limit + at org.xerial.snappy.SnappyInputStream.hasNextChunk(SnappyInputStream.java:422) + at org.xerial.snappy.SnappyInputStream.read(SnappyInputStream.java:167) + at java.base/java.io.InputStream.read(InputStream.java:217) + at org.example.Main.main(Main.java:12) + + ``` + + + Alternatively - compile and run the following code: + + ```java + package org.example; + import org.xerial.snappy.SnappyInputStream; + + import java.io.*; + + public class Main { + + public static void main(String[] args) throws IOException { + byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff}; + SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data)); + byte[] out = new byte[50]; + in.read(out); + } + } + ``` + + The program will crash with the following error (or similar): + + ``` + Exception in thread "main" java.lang.NegativeArraySizeException: -1 + at org.xerial.snappy.SnappyInputStream.hasNextChunk(SnappyInputStream.java:422) + at org.xerial.snappy.SnappyInputStream.read(SnappyInputStream.java:167) + at 
java.base/java.io.InputStream.read(InputStream.java:217) + at org.example.Main.main(Main.java:12) + + ``` + + + It is important to note that these examples were written by using a flow that is generally used by developers, and can be seen for example in the Apache project “flume”: https://github.com/apache/flume/blob/f9dbb2de255d59e35e3668a5c6c66a268a055207/flume-ng-channels/flume-file-channel/src/main/java/org/apache/flume/channel/file/Serialization.java#L278. Since they used try-catch, the “NegativeArraySizeException” exception won’t harm their users, but the “OutOfMemoryError” error can. + affected: + - package: + ecosystem: Maven + name: org.xerial.snappy:snappy-java + purl: pkg:maven/org.xerial.snappy/snappy-java + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 1.1.10.1 + versions: + - 1.0.1-rc1 + - 1.0.1-rc2 + - 1.0.1-rc3 + - 1.0.1-rc4 + - 1.0.3 + - 1.0.3-rc1 + - 1.0.3-rc2 + - 1.0.3-rc3 + - 1.0.3-rc4 + - 1.0.3.1 + - 1.0.3.2 + - 1.0.3.3 + - 1.0.4 + - 1.0.4.1 + - 1.0.5 + - 1.0.5-M1 + - 1.0.5-M2 + - 1.0.5-M3 + - 1.0.5-M4 + - 1.0.5.1 + - 1.0.5.2 + - 1.0.5.3 + - 1.0.5.4 + - 1.1.0 + - 1.1.0-M1 + - 1.1.0-M2 + - 1.1.0-M3 + - 1.1.0-M4 + - 1.1.0.1 + - 1.1.1 + - 1.1.1-M1 + - 1.1.1-M2 + - 1.1.1-M3 + - 1.1.1-M4 + - 1.1.1.1 + - 1.1.1.2 + - 1.1.1.3 + - 1.1.1.4 + - 1.1.1.5 + - 1.1.1.6 + - 1.1.1.7 + - 1.1.10.0 + - 1.1.2 + - 1.1.2-M1 + - 1.1.2-RC1 + - 1.1.2-RC2 + - 1.1.2-RC3 + - 1.1.2.1 + - 1.1.2.2 + - 1.1.2.3 + - 1.1.2.4 + - 1.1.2.5 + - 1.1.2.6 + - 1.1.3-M1 + - 1.1.3-M2 + - 1.1.4 + - 1.1.4-M1 + - 1.1.4-M2 + - 1.1.4-M3 + - 1.1.7 + - 1.1.7.1 + - 1.1.7.2 + - 1.1.7.3 + - 1.1.7.4 + - 1.1.7.5 + - 1.1.7.6 + - 1.1.7.7 + - 1.1.7.8 + - 1.1.8 + - 1.1.8.1 + - 1.1.8.2 + - 1.1.8.3 + - 1.1.8.4 + - 1.1.9.0 + - 1.1.9.1 + database_specific: + last_known_affected_version_range: <= 1.1.10.0 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-qcwq-55hx-v3vh/GHSA-qcwq-55hx-v3vh.json + severity: + - type: CVSS_V3 + score: 
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: WEB + url: https://github.com/xerial/snappy-java/security/advisories/GHSA-qcwq-55hx-v3vh + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2023-34455 + - type: WEB + url: https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea + - type: PACKAGE + url: https://github.com/xerial/snappy-java + - type: WEB + url: https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/SnappyInputStream.java#L388 + - type: WEB + url: https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/SnappyInputStream.java + - type: WEB + url: https://security.netapp.com/advisory/ntap-20230818-0009 + database_specific: + cwe_ids: + - CWE-770 + github_reviewed: true + github_reviewed_at: "2023-06-15T17:15:06Z" + nvd_published_at: "2023-06-15T18:15:09Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-9339-86wc-4qgf + modified: 2024-06-25T02:34:59.864497Z + published: 2022-07-20T00:00:18Z + aliases: + - CVE-2022-34169 + summary: Apache Xalan Java XSLT library integer truncation issue when processing malicious XSLT stylesheets + details: |- + The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. + + A fix for this issue was published in September 2022 as part of an anticipated 2.7.3 release. 
+ affected: + - package: + ecosystem: Maven + name: xalan:xalan + purl: pkg:maven/xalan/xalan + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.7.3 + versions: + - 2.1.0 + - 2.3.1 + - 2.4.0 + - 2.4.1 + - 2.5.0 + - 2.5.1 + - 2.5.D1 + - 2.6.0 + - 2.7.0 + - 2.7.1 + - 2.7.2 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-9339-86wc-4qgf/GHSA-9339-86wc-4qgf.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-34169 + - type: WEB + url: https://xalan.apache.org + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: https://www.debian.org/security/2022/dsa-5256 + - type: WEB + url: https://www.debian.org/security/2022/dsa-5192 + - type: WEB + url: https://www.debian.org/security/2022/dsa-5188 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20240621-0006 + - type: WEB + url: https://security.netapp.com/advisory/ntap-20220729-0009 + - type: WEB + url: https://security.gentoo.org/glsa/202401-25 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM + - type: WEB + url: 
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2 + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM + - type: WEB + url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L + - type: WEB + url: https://lists.debian.org/debian-lts-announce/2022/10/msg00024.html + - type: WEB + url: https://lists.apache.org/thread/x3f7xv3p1g32qj2hlg8wd57pwcpld471 + - type: WEB + url: https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8 + - type: WEB + url: https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw + - type: WEB + url: https://gitbox.apache.org/repos/asf?p=xalan-java.git;a=commit;h=da3e0d06b467247643ce04e88d3346739d119f21 + - type: WEB + url: https://gitbox.apache.org/repos/asf?p=xalan-java.git;a=commit;h=ab57211e5d2e97cbed06786f919fa9b749c83573 + - type: WEB + url: https://gitbox.apache.org/repos/asf?p=xalan-java.git;a=commit;h=2e60d0a9a5b822c4abf9051857973b1c6babfe81 + - type: PACKAGE + url: https://gitbox.apache.org/repos/asf?p=xalan-java.git + - type: WEB + url: http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html + - type: WEB + url: 
http://www.openwall.com/lists/oss-security/2022/07/19/5 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2022/07/19/6 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2022/07/20/2 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2022/07/20/3 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2022/10/18/2 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2022/11/04/8 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2022/11/07/2 + database_specific: + cwe_ids: + - CWE-681 + github_reviewed: true + github_reviewed_at: "2022-07-21T22:28:36Z" + nvd_published_at: "2022-07-19T18:15:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-rc2w-r4jq-7pfx + modified: 2023-11-08T03:57:31.444584Z + published: 2022-05-13T01:05:38Z + aliases: + - CVE-2014-0107 + summary: Improper Authorization in Apache Xalan-Java + details: The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function. 
+ affected: + - package: + ecosystem: Maven + name: xalan:xalan + purl: pkg:maven/xalan/xalan + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.7.2 + versions: + - 2.1.0 + - 2.3.1 + - 2.4.0 + - 2.4.1 + - 2.5.0 + - 2.5.1 + - 2.5.D1 + - 2.6.0 + - 2.7.0 + - 2.7.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rc2w-r4jq-7pfx/GHSA-rc2w-r4jq-7pfx.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2014-0107 + - type: WEB + url: https://exchange.xforce.ibmcloud.com/vulnerabilities/92023 + - type: WEB + url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755 + - type: WEB + url: https://issues.apache.org/jira/browse/XALANJ-2435 + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r0c00afcab8f238562e27b3ae7b8af1913c62bc60838fb8b34c19e26b@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r2900489bc665a2e32d021bb21f6ce2cb8e6bb5973490eebb9a346bca@%3Cdev.tomcat.apache.org%3E + - type: WEB + url: https://security.gentoo.org/glsa/201604-02 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpuoct2021.html + - type: WEB + url: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html + - type: WEB + url: https://www.tenable.com/security/tns-2018-15 + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-0348.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1351.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-1888.html + - type: WEB + url: 
http://svn.apache.org/viewvc?view=revision&revision=1581058 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21674334 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21676093 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21677145 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21680703 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21681933 + - type: WEB + url: http://www.debian.org/security/2014/dsa-2886 + - type: WEB + url: http://www.ibm.com/support/docview.wss?uid=swg21677967 + - type: WEB + url: http://www.ocert.org/advisories/ocert-2014-002.html + - type: WEB + url: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html + - type: WEB + url: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html + database_specific: + cwe_ids: + - CWE-285 + github_reviewed: true + github_reviewed_at: "2022-07-07T23:02:09Z" + nvd_published_at: "2014-04-15T23:13:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-334p-wv2m-w3vp + modified: 2024-02-16T08:16:58.940507Z + published: 2020-06-15T18:51:30Z + aliases: + - CVE-2009-2625 + summary: Denial of service in Apache Xerces2 + details: XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework. 
+ affected: + - package: + ecosystem: Maven + name: xerces:xercesImpl + purl: pkg:maven/xerces/xercesImpl + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.10.0 + versions: + - 2.0.0 + - 2.0.2 + - 2.2.1 + - 2.3.0 + - 2.4.0 + - 2.5.0 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.2-jaxb-1.0.6 + - 2.7.1 + - 2.8.0 + - 2.8.1 + - 2.9.0 + - 2.9.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-334p-wv2m-w3vp/GHSA-334p-wv2m-w3vp.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2009-2625 + - type: WEB + url: https://github.com/apache/xerces2-j/commit/0bdf77af1d4fd26ec2e630fb6d12e2dfa77bc12b + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=512921 + - type: WEB + url: https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8520 + - type: WEB + url: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9356 + - type: WEB + url: https://rhn.redhat.com/errata/RHSA-2009-1199.html + - type: WEB + url: https://rhn.redhat.com/errata/RHSA-2009-1200.html + - type: WEB + url: https://rhn.redhat.com/errata/RHSA-2009-1201.html + - type: WEB + url: https://rhn.redhat.com/errata/RHSA-2009-1636.html + - type: WEB + url: https://rhn.redhat.com/errata/RHSA-2009-1637.html + - type: WEB + url: https://rhn.redhat.com/errata/RHSA-2009-1649.html + - type: WEB + url: https://rhn.redhat.com/errata/RHSA-2009-1650.html + - type: WEB + url: https://snyk.io/vuln/SNYK-JAVA-XERCES-32014 + - type: WEB + url: https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html + - type: WEB + url: https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html + - type: WEB + url: 
http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html + - type: WEB + url: http://marc.info/?l=bugtraq&m=125787273209737&w=2 + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2012-1232.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2012-1537.html + - type: WEB + url: http://secunia.com/advisories/36162 + - type: WEB + url: http://secunia.com/advisories/36176 + - type: WEB + url: http://secunia.com/advisories/36180 + - type: WEB + url: http://secunia.com/advisories/36199 + - type: WEB + url: http://secunia.com/advisories/37300 + - type: WEB + url: http://secunia.com/advisories/37460 + - type: WEB + url: http://secunia.com/advisories/37671 + - type: WEB + url: http://secunia.com/advisories/37754 + - type: WEB + url: http://secunia.com/advisories/38231 + - type: WEB + url: http://secunia.com/advisories/38342 + - type: WEB + url: http://secunia.com/advisories/43300 + - type: WEB + url: http://secunia.com/advisories/50549 + - type: WEB + url: http://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.486026 + - type: WEB + url: http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1 + - type: WEB + url: http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1 + - type: WEB + url: http://sunsolve.sun.com/search/document.do?assetkey=1-66-272209-1 + - type: WEB + url: http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021506.1-1 + - type: WEB + url: http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055&r2=787352&pathrev=787353&diff_format=h + - type: WEB + 
url: http://www.cert.fi/en/reports/2009/vulnerability2009085.html + - type: WEB + url: http://www.codenomicon.com/labs/xml + - type: WEB + url: http://www.debian.org/security/2010/dsa-1984 + - type: WEB + url: http://www.mandriva.com/security/advisories?name=MDVSA-2009:209 + - type: WEB + url: http://www.mandriva.com/security/advisories?name=MDVSA-2011:108 + - type: WEB + url: http://www.networkworld.com/columnists/2009/080509-xml-flaw.html + - type: WEB + url: http://www.openwall.com/lists/oss-security/2009/09/06/1 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2009/10/22/9 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2009/10/23/6 + - type: WEB + url: http://www.openwall.com/lists/oss-security/2009/10/26/3 + - type: WEB + url: http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html + - type: WEB + url: http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html + - type: WEB + url: http://www.redhat.com/support/errata/RHSA-2009-1615.html + - type: WEB + url: http://www.redhat.com/support/errata/RHSA-2011-0858.html + - type: WEB + url: http://www.securityfocus.com/archive/1/507985/100/0/threaded + - type: WEB + url: http://www.securityfocus.com/bid/35958 + - type: WEB + url: http://www.securitytracker.com/id?1022680 + - type: WEB + url: http://www.ubuntu.com/usn/USN-890-1 + - type: WEB + url: http://www.us-cert.gov/cas/techalerts/TA09-294A.html + - type: WEB + url: http://www.us-cert.gov/cas/techalerts/TA10-012A.html + - type: WEB + url: http://www.vmware.com/security/advisories/VMSA-2009-0016.html + - type: WEB + url: http://www.vupen.com/english/advisories/2009/2543 + - type: WEB + url: http://www.vupen.com/english/advisories/2009/3316 + - type: WEB + url: http://www.vupen.com/english/advisories/2011/0359 + database_specific: + cwe_ids: [] + github_reviewed: true + github_reviewed_at: "2020-06-15T15:55:30Z" + nvd_published_at: "2009-08-06T15:30:00Z" + severity: MODERATE + - schema_version: 1.6.0 + 
id: GHSA-7j4h-8wpf-rqfh + modified: 2024-03-05T18:00:59.899628Z + published: 2022-05-13T01:01:06Z + aliases: + - CVE-2013-4002 + summary: Missing XML Validation in Apache Xerces2 + details: XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names. + affected: + - package: + ecosystem: Maven + name: xerces:xercesImpl + purl: pkg:maven/xerces/xercesImpl + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.12.0 + versions: + - 2.0.0 + - 2.0.2 + - 2.10.0 + - 2.11.0 + - 2.2.1 + - 2.3.0 + - 2.4.0 + - 2.5.0 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.2-jaxb-1.0.6 + - 2.7.1 + - 2.8.0 + - 2.8.1 + - 2.9.0 + - 2.9.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7j4h-8wpf-rqfh/GHSA-7j4h-8wpf-rqfh.json + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2013-4002 + - type: WEB + url: https://github.com/apache/xerces2-j/commit/266e837852e0f0e3c8c1ad572b6fc4dbb4ded17 + - type: WEB + url: https://access.redhat.com/errata/RHSA-2014:0414 + - type: WEB + url: https://exchange.xforce.ibmcloud.com/vulnerabilities/85260 + - type: PACKAGE + url: https://github.com/apache/xerces2-j + - type: WEB + url: https://issues.apache.org/jira/browse/XERCESJ-1679 + - type: WEB + url: https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73@%3Cj-users.xerces.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html + - type: WEB + url: http://lists.apple.com/archives/security-announce/2013/Oct/msg00001.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html + - type: WEB + url: http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html + - type: WEB + url: http://lists.opensuse.org/opensuse-updates/2013-11/msg00023.html + - type: WEB + url: http://marc.info/?l=bugtraq&m=138674031212883&w=2 + - type: WEB + url: http://marc.info/?l=bugtraq&m=138674073720143&w=2 + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2013-1059.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2013-1060.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2013-1081.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2013-1440.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2013-1447.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2013-1451.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2013-1505.html + - type: WEB + url: 
http://rhn.redhat.com/errata/RHSA-2014-1818.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1821.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1822.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2014-1823.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0675.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0720.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0765.html + - type: WEB + url: http://rhn.redhat.com/errata/RHSA-2015-0773.html + - type: WEB + url: http://security.gentoo.org/glsa/glsa-201406-32.xml + - type: WEB + url: http://support.apple.com/kb/HT5982 + - type: WEB + url: http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250&r2=1499506&view=patch + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg1IC98015 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21644197 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21653371 + - type: WEB + url: http://www-01.ibm.com/support/docview.wss?uid=swg21657539 + - type: WEB + url: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html + - type: WEB + url: http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002 + - type: WEB + url: http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013 + - type: WEB + url: http://www.ibm.com/support/docview.wss?uid=swg21648172 + - type: WEB + url: http://www.ubuntu.com/usn/USN-2033-1 + - type: WEB + url: http://www.ubuntu.com/usn/USN-2089-1 + database_specific: + cwe_ids: + - CWE-112 + github_reviewed: true + github_reviewed_at: "2022-07-08T19:14:49Z" + nvd_published_at: "2013-07-23T11:03:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-h65f-jvqw-m9fj + modified: 2024-02-16T08:21:32.697367Z + published: 
2022-01-27T16:13:07Z + aliases: + - CVE-2022-23437 + summary: Infinite Loop in Apache Xerces Java + details: There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions. + affected: + - package: + ecosystem: Maven + name: xerces:xercesImpl + purl: pkg:maven/xerces/xercesImpl + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.12.2 + versions: + - 2.0.0 + - 2.0.2 + - 2.10.0 + - 2.11.0 + - 2.12.0 + - 2.12.1 + - 2.2.1 + - 2.3.0 + - 2.4.0 + - 2.5.0 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.2-jaxb-1.0.6 + - 2.7.1 + - 2.8.0 + - 2.8.1 + - 2.9.0 + - 2.9.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-h65f-jvqw-m9fj/GHSA-h65f-jvqw-m9fj.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2022-23437 + - type: PACKAGE + url: https://github.com/jboss/xerces + - type: WEB + url: https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl + - type: WEB + url: https://security.netapp.com/advisory/ntap-20221028-0005 + - type: WEB + url: https://www.oracle.com/security-alerts/cpuapr2022.html + - type: WEB + url: https://www.oracle.com/security-alerts/cpujul2022.html + - type: WEB + url: http://www.openwall.com/lists/oss-security/2022/01/24/3 + database_specific: + cwe_ids: + - CWE-91 + github_reviewed: true + github_reviewed_at: "2022-01-25T20:46:16Z" + nvd_published_at: "2022-01-24T15:15:00Z" + severity: MODERATE + - schema_version: 1.6.0 + id: GHSA-vmqm-g3vh-847m + modified: 2024-03-11T05:17:10.70103Z + published: 2020-06-15T18:51:38Z + aliases: + - CVE-2012-0881 + summary: Denial of 
service in Apache Xerces2 + details: Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions. + affected: + - package: + ecosystem: Maven + name: xerces:xercesImpl + purl: pkg:maven/xerces/xercesImpl + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.12.0 + versions: + - 2.0.0 + - 2.0.2 + - 2.10.0 + - 2.11.0 + - 2.2.1 + - 2.3.0 + - 2.4.0 + - 2.5.0 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.2-jaxb-1.0.6 + - 2.7.1 + - 2.8.0 + - 2.8.1 + - 2.9.0 + - 2.9.1 + database_specific: + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-vmqm-g3vh-847m/GHSA-vmqm-g3vh-847m.json + severity: + - type: CVSS_V3 + score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2012-0881 + - type: WEB + url: https://github.com/apache/xerces2-j/commit/992b5d9c24102ad20330d36c0a71162753a37449 + - type: WEB + url: https://www.oracle.com//security-alerts/cpujul2021.html + - type: WEB + url: https://www.openwall.com/lists/oss-security/2014/07/08/11 + - type: WEB + url: https://lists.apache.org/thread.html/rea7b831dceeb2a2fa817be6f63b08722042e3647fb2d47c144370a56@%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/rea7b831dceeb2a2fa817be6f63b08722042e3647fb2d47c144370a56%40%3Ccommon-issues.hadoop.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E + - type: WEB + url: 
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73@%3Cj-users.xerces.apache.org%3E + - type: WEB + url: https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73%40%3Cj-users.xerces.apache.org%3E + - type: WEB + url: https://issues.apache.org/jira/browse/XERCESJ-1685 + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=787104 + database_specific: + cwe_ids: + - CWE-400 + github_reviewed: true + github_reviewed_at: "2020-06-15T15:51:37Z" + nvd_published_at: "2017-10-30T16:29:00Z" + severity: HIGH + - schema_version: 1.6.0 + id: GHSA-w4jq-qh47-hvjq + modified: 2023-11-08T04:02:26.293474Z + published: 2022-02-15T01:37:41Z + aliases: + - CVE-2020-14338 + summary: Improper Input Validation in Xerces + details: A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the 
"use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a similar code. All xerces jboss versions before 2.12.0.SP3. + affected: + - package: + ecosystem: Maven + name: xerces:xercesImpl + purl: pkg:maven/xerces/xercesImpl + ranges: + - type: ECOSYSTEM + events: + - introduced: "0" + - fixed: 2.12.0.sp3 + versions: + - 2.0.0 + - 2.0.2 + - 2.10.0 + - 2.11.0 + - 2.2.1 + - 2.3.0 + - 2.4.0 + - 2.5.0 + - 2.6.0 + - 2.6.1 + - 2.6.2 + - 2.6.2-jaxb-1.0.6 + - 2.7.1 + - 2.8.0 + - 2.8.1 + - 2.9.0 + - 2.9.1 + database_specific: + last_known_affected_version_range: <= 2.12.0.sp2 + source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-w4jq-qh47-hvjq/GHSA-w4jq-qh47-hvjq.json + severity: + - type: CVSS_V3 + score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + references: + - type: ADVISORY + url: https://nvd.nist.gov/vuln/detail/CVE-2020-14338 + - type: WEB + url: https://bugzilla.redhat.com/show_bug.cgi?id=1860054 + - type: WEB + url: https://lists.apache.org/thread.html/rf96c5afb26b596b4b97883aa90b6c0b0fc4c26aaeea7123c21912103@%3Cj-users.xerces.apache.org%3E + database_specific: + cwe_ids: + - CWE-20 + github_reviewed: true + github_reviewed_at: "2022-06-24T01:25:49Z" + nvd_published_at: "2020-09-17T15:15:00Z" + severity: MODERATE diff --git a/internal/remediation/override.go b/internal/remediation/override.go new file mode 100644 index 00000000000..0bc7fe99060 --- /dev/null +++ b/internal/remediation/override.go 
@@ -0,0 +1,312 @@
+package remediation
+
+import (
+ "context"
+ "errors"
+ "slices"
+
+ "deps.dev/util/resolve"
+ "deps.dev/util/resolve/dep"
+ "deps.dev/util/semver"
+ "github.com/google/osv-scanner/internal/resolution"
+ "github.com/google/osv-scanner/internal/resolution/client"
+ "github.com/google/osv-scanner/internal/resolution/manifest"
+ "github.com/google/osv-scanner/internal/resolution/util"
+ "github.com/google/osv-scanner/internal/utility/vulns"
+)
+
+type overridePatch struct {
+ resolve.PackageKey
+ OrigVersion string
+ NewVersion string
+}
+
+// ComputeOverridePatches attempts to resolve each vulnerability found in result independently, returning the list of unique possible patches.
+// Vulnerabilities are resolved by directly overriding versions of vulnerable packages to non-vulnerable versions.
+// If a patch introduces new vulnerabilities, additional overrides are attempted for the new vulnerabilities.
+func ComputeOverridePatches(ctx context.Context, cl client.ResolutionClient, result *resolution.ResolutionResult, opts RemediationOptions) ([]resolution.ResolutionDiff, error) {
+ // TODO: this is very similar to ComputeRelaxPatches - can the common parts be factored out?
+ // Filter the original result just in case it hasn't been already
+ result.FilterVulns(opts.MatchVuln)
+
+ // Do the resolutions concurrently
+ type overrideResult struct {
+ vulnIDs []string
+ result *resolution.ResolutionResult
+ patches []overridePatch
+ err error
+ }
+ ch := make(chan overrideResult)
+ doOverride := func(vulnIDs []string) {
+ res, patches, err := overridePatchVulns(ctx, cl, result, vulnIDs, opts)
+ if err == nil {
+ res.FilterVulns(opts.MatchVuln)
+ }
+ ch <- overrideResult{
+ vulnIDs: vulnIDs,
+ result: res,
+ patches: patches,
+ err: err,
+ }
+ }
+
+ toProcess := 0
+ for _, v := range result.Vulns {
+ // TODO: limit the number of goroutines
+ go doOverride([]string{v.Vulnerability.ID})
+ toProcess++
+ }
+
+ var allResults []resolution.ResolutionDiff
+ for toProcess > 0 {
+ res := <-ch
+ toProcess--
+ if errors.Is(res.err, errOverrideImpossible) {
+ continue
+ }
+
+ if res.err != nil {
+ // TODO: stop goroutines
+ return nil, res.err
+ }
+
+ diff := result.CalculateDiff(res.result)
+
+ // CalculateDiff does not compute override manifest patches correctly, manually fill it out.
+ // TODO: CalculateDiff maybe should not be reconstructing patches.
+ // Refactor CalculateDiff, Relaxer, Override to make patches in a more sane way.
+ diff.Deps = make([]manifest.DependencyPatch, len(res.patches))
+ for i, p := range res.patches {
+ diff.Deps[i] = manifest.DependencyPatch{
+ Pkg: p.PackageKey,
+ Type: dep.Type{},
+ OrigRequire: "", // Using empty original to signal this is an override patch
+ OrigResolved: p.OrigVersion,
+ NewRequire: p.NewVersion,
+ NewResolved: p.NewVersion,
+ }
+ }
+
+ allResults = append(allResults, diff)
+
+ // If there are any new vulns, try override them as well
+ var newlyAdded []string
+ for _, v := range diff.AddedVulns {
+ if !slices.Contains(res.vulnIDs, v.Vulnerability.ID) {
+ newlyAdded = append(newlyAdded, v.Vulnerability.ID)
+ }
+ }
+
+ if len(newlyAdded) > 0 {
+ go doOverride(append(res.vulnIDs, newlyAdded...)) // No need to clone res.vulnIDs here
+ toProcess++
+ }
+ }
+
+ // Sort and remove duplicate patches
+ slices.SortFunc(allResults, func(a, b resolution.ResolutionDiff) int { return a.Compare(b) })
+ allResults = slices.CompactFunc(allResults, func(a, b resolution.ResolutionDiff) bool { return a.Compare(b) == 0 })
+
+ return allResults, nil
+}
+
+var errOverrideImpossible = errors.New("cannot fix vulns by overrides")
+
+// overridePatchVulns tries to fix as many vulns in vulnIDs as possible by overriding dependency versions.
+// returns errOverrideImpossible if 0 vulns are patchable, otherwise returns the most possible patches.
+func overridePatchVulns(ctx context.Context, cl client.ResolutionClient, result *resolution.ResolutionResult, vulnIDs []string, opts RemediationOptions) (*resolution.ResolutionResult, []overridePatch, error) {
+ var effectivePatches []overridePatch
+ for {
+ // Find the relevant vulns affecting each version key.
+ vkVulns := make(map[resolve.VersionKey][]*resolution.ResolutionVuln)
+ for i, v := range result.Vulns {
+ if !slices.Contains(vulnIDs, v.Vulnerability.ID) {
+ continue
+ }
+ // Keep track of VersionKeys we've seen for this vuln to avoid duplicates.
+ // Usually, there will only be one VersionKey per vuln, but some vulns affect multiple packages.
+ seenVKs := make(map[resolve.VersionKey]struct{})
+ // Use the DependencyChains to find all the affected nodes.
+ for _, c := range v.ProblemChains {
+ vk, _ := c.End()
+ if _, seen := seenVKs[vk]; !seen {
+ vkVulns[vk] = append(vkVulns[vk], &result.Vulns[i])
+ seenVKs[vk] = struct{}{}
+ }
+ }
+ for _, c := range v.NonProblemChains {
+ vk, _ := c.End()
+ if _, seen := seenVKs[vk]; !seen {
+ vkVulns[vk] = append(vkVulns[vk], &result.Vulns[i])
+ seenVKs[vk] = struct{}{}
+ }
+ }
+ }
+
+ if len(vkVulns) == 0 {
+ // All vulns have been fixed.
+ break
+ }
+
+ newPatches := make([]overridePatch, 0, len(vkVulns))
+
+ // For each VersionKey, try fix as many of the vulns affecting it as possible.
+ for vk, vulnerabilities := range vkVulns {
+ // Consider vulns affecting packages we don't want to change unfixable
+ if slices.Contains(opts.AvoidPkgs, vk.Name) {
+ continue
+ }
+
+ bestVK := vk
+ bestCount := len(vulnerabilities) // remaining vulns
+ versions, err := getVersionsGreater(ctx, cl, vk)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ // Find the minimal greater version that fixes as many vulnerabilities as possible.
+ for _, ver := range versions {
+ if !opts.AllowMajor {
+ // Major version updates are not allowed - break if we've encountered a major update.
+ if _, diff, _ := vk.System.Semver().Difference(vk.Version, ver.Version); diff == semver.DiffMajor {
+ break
+ }
+ }
+
+ // Count the remaining known vulns that affect this version.
+ count := 0 // remaining vulns
+ for _, rv := range vulnerabilities {
+ if vulns.IsAffected(rv.Vulnerability, util.VKToPackageDetails(ver.VersionKey)) {
+ count++
+ }
+ }
+ if count < bestCount {
+ // Found a new candidate.
+ bestCount = count
+ bestVK = ver.VersionKey
+ if bestCount == 0 { // stop if there are 0 vulns remaining
+ break
+ }
+ }
+ }
+
+ if bestCount < len(vulnerabilities) {
+ // Found a version that fixes some vulns.
+ newPatches = append(newPatches, overridePatch{
+ PackageKey: vk.PackageKey,
+ OrigVersion: vk.Version,
+ NewVersion: bestVK.Version,
+ })
+ }
+ }
+
+ if len(newPatches) == 0 {
+ break
+ }
+
+ // Patch and re-resolve manifest
+ newManif, err := patchManifest(newPatches, result.Manifest)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ result, err = resolution.Resolve(ctx, cl, newManif)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ result.FilterVulns(opts.MatchVuln)
+
+ // If the patch applies to a package that was already patched before, update the effective patch.
+ for _, p := range newPatches {
+ idx := slices.IndexFunc(effectivePatches, func(op overridePatch) bool { return op.PackageKey == p.PackageKey && op.NewVersion == p.OrigVersion })
+ if idx == -1 {
+ effectivePatches = append(effectivePatches, p)
+ } else {
+ effectivePatches[idx].NewVersion = p.NewVersion
+ }
+ }
+ }
+
+ if len(effectivePatches) == 0 {
+ return nil, nil, errOverrideImpossible
+ }
+
+ // Sort the patches for deterministic output.
+ slices.SortFunc(effectivePatches, func(a, b overridePatch) int {
+ if c := a.PackageKey.Compare(b.PackageKey); c != 0 {
+ return c
+ }
+
+ return a.Semver().Compare(a.OrigVersion, b.OrigVersion)
+ })
+
+ return result, effectivePatches, nil
+}
+
+// getVersionsGreater gets the known versions of a package that are greater than the given version, sorted in ascending order.
+func getVersionsGreater(ctx context.Context, cl client.DependencyClient, vk resolve.VersionKey) ([]resolve.Version, error) {
+ sys := vk.Semver()
+ // Get & sort all the valid versions of this package
+ // TODO: (Maven) skip unlisted versions and versions on other registries
+ versions, err := cl.Versions(ctx, vk.PackageKey)
+ if err != nil {
+ return nil, err
+ }
+
+ cmpFunc := func(a, b resolve.Version) int { return sys.Compare(a.Version, b.Version) }
+ slices.SortFunc(versions, cmpFunc)
+ // Find the index of the next higher version
+ offset, vkFound := slices.BinarySearchFunc(versions, resolve.Version{VersionKey: vk}, cmpFunc)
+ if vkFound { // if the given version somehow doesn't exist, offset will already be at the next higher version
+ offset++
+ }
+
+ return versions[offset:], nil
+}
+
+// patchManifest applies the overridePatches to the manifest in-memory. Returns a copy of the manifest that has been patched.
+func patchManifest(patches []overridePatch, m manifest.Manifest) (manifest.Manifest, error) {
+ if m.System() != resolve.Maven {
+ return manifest.Manifest{}, errors.New("unsupported ecosystem")
+ }
+
+ // TODO: The overridePatch does not have an artifact's type or classifier, which is part of what uniquely identifies them.
+ // This needs to be part of the comparison & added to dependency management for it to override packages that specify them.
+
+ patched := m.Clone()
+
+ for _, p := range patches {
+ found := false
+ i := 0
+ for _, r := range patched.Requirements {
+ if r.PackageKey != p.PackageKey {
+ patched.Requirements[i] = r
+ i++
+
+ continue
+ }
+ origin, hasOrigin := r.Type.GetAttr(dep.MavenDependencyOrigin)
+ if !hasOrigin || origin == manifest.OriginManagement {
+ found = true
+ r.Version = p.NewVersion
+ patched.Requirements[i] = r
+ i++
+ }
+ }
+ patched.Requirements = patched.Requirements[:i]
+ if !found {
+ newReq := resolve.RequirementVersion{
+ VersionKey: resolve.VersionKey{
+ PackageKey: p.PackageKey,
+ Version: p.NewVersion,
+ VersionType: resolve.Requirement,
+ },
+ }
+ newReq.Type.AddAttr(dep.MavenDependencyOrigin, manifest.OriginManagement)
+ patched.Requirements = append(patched.Requirements, newReq)
+ }
+ }
+
+ return patched, nil
+}
diff --git a/internal/remediation/override_test.go b/internal/remediation/override_test.go
new file mode 100644
index 00000000000..850541d0b92
--- /dev/null
+++ b/internal/remediation/override_test.go
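Review bot: The `return nil, res.err` inside the `for toProcess > 0` loop of ComputeOverridePatches leaks every doOverride goroutine still running: `ch` is unbuffered, so once the receiver has returned each of them blocks forever on `ch <- overrideResult{…}`, and follow-up goroutines spawned for `newlyAdded` vulns have the same fate. The TODO acknowledges it, but the repair is small and local to this hunk: remember the first error, keep draining `ch` until `toProcess` reaches zero without spawning further work, and return the error afterwards (sketched below). Separately, in patchManifest the branch where a requirement matches `p.PackageKey` but carries a `dep.MavenDependencyOrigin` other than `manifest.OriginManagement` is neither rewritten nor copied to index `i`, so that requirement is silently dropped from the patched manifest; if that is intended, a comment such as `// Drop same-package requirements from other origins; the management entry appended below takes precedence` would stop the next reader from taking it for a bug, and if it is not, those requirements need the `patched.Requirements[i] = r; i++` copy too.
```go
	var allResults []resolution.ResolutionDiff
	var firstErr error
	for toProcess > 0 {
		res := <-ch
		toProcess--
		if firstErr != nil {
			continue // keep draining so the remaining doOverride goroutines can exit
		}
		if errors.Is(res.err, errOverrideImpossible) {
			continue
		}
		if res.err != nil {
			firstErr = res.err
			continue
		}
		// … unchanged: CalculateDiff, diff.Deps fill-in, allResults append, newlyAdded spawn …
	}
	if firstErr != nil {
		return nil, firstErr
	}
	// … unchanged: sort and compact allResults …
```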
@@ -0,0 +1,46 @@
+package remediation_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/google/osv-scanner/internal/remediation"
+)
+
+func TestComputeOverridePatches(t *testing.T) {
+	t.Parallel()
+
+	basicOpts := remediation.RemediationOptions{
+		DevDeps: true,
+		MaxDepth: -1,
+		AllowMajor: true,
+	}
+
+	tests := []struct {
+		name string
+		universePath string
+		manifestPath string
+		opts remediation.RemediationOptions
+	}{
+		{
+			name: "maven-zeppelin-server",
+			universePath: "./fixtures/zeppelin-server/universe.yaml",
+			manifestPath: "./fixtures/zeppelin-server/pom.xml",
+			opts: basicOpts,
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			res, cl := parseRemediationFixture(t, tt.universePath, tt.manifestPath)
+			res.FilterVulns(tt.opts.MatchVuln)
+			p, err := remediation.ComputeOverridePatches(context.Background(), cl, res, tt.opts)
+			if err != nil {
+				t.Fatalf("Failed to compute override patches: %v", err)
+			}
+			checkRemediationResults(t, p)
+		})
+	}
+}
diff --git a/internal/remediation/relax_test.go b/internal/remediation/relax_test.go
index 873961b6cb8..9639dc61b50 100644
--- a/internal/remediation/relax_test.go
+++ b/internal/remediation/relax_test.go
@@ -1,118 +1,12 @@
 package remediation_test
 import (
-	"cmp"
 	"context"
-	"slices"
 	"testing"
-	"deps.dev/util/resolve"
 	"github.com/google/osv-scanner/internal/remediation"
-	"github.com/google/osv-scanner/internal/resolution"
-	"github.com/google/osv-scanner/internal/resolution/client"
-	"github.com/google/osv-scanner/internal/resolution/clienttest"
-	"github.com/google/osv-scanner/internal/resolution/manifest"
-	"github.com/google/osv-scanner/internal/testutility"
-	lf "github.com/google/osv-scanner/pkg/lockfile"
-	"golang.org/x/exp/maps"
 )
-func parseRelaxFixture(t *testing.T, universePath, manifestPath string) (*resolution.ResolutionResult, client.ResolutionClient) {
-	t.Helper()
-
-	io, err := manifest.GetManifestIO(manifestPath)
-	if err != nil {
-		t.Fatalf("Failed to get ManifestIO: %v", err)
-	}
-
-	f, err := lf.OpenLocalDepFile(manifestPath)
-	if err != nil {
-		t.Fatalf("Failed to open manifest: %v", err)
-	}
-	defer f.Close()
-
-	m, err := io.Read(f)
-	if err != nil {
-		t.Fatalf("Failed to parse manifest: %v", err)
-	}
-
-	cl := clienttest.NewMockResolutionClient(t, universePath)
-
-	res, err := resolution.Resolve(context.Background(), cl, m)
-	if err != nil {
-		t.Fatalf("Failed to resolve manifest: %v", err)
-	}
-
-	return res, cl
-}
-
-func checkRelaxResults(t *testing.T, res []resolution.ResolutionDiff) {
-	// ResolutionDiff is too large when dumped as JSON.
-	// Extract & compare a subset of fields that are relevant for the tests.
-	t.Helper()
-
-	type minimalVuln struct {
-		ID string
-		AffectedNodes []resolve.NodeID
-	}
-
-	toMinimalVuln := func(v resolution.ResolutionVuln) minimalVuln {
-		t.Helper()
-		nodes := make(map[resolve.NodeID]struct{})
-		for _, c := range v.ProblemChains {
-			nodes[c.Edges[0].To] = struct{}{}
-		}
-		for _, c := range v.NonProblemChains {
-			nodes[c.Edges[0].To] = struct{}{}
-		}
-		sortedNodes := maps.Keys(nodes)
-		slices.Sort(sortedNodes)
-
-		return minimalVuln{
-			ID: v.Vulnerability.ID,
-			AffectedNodes: sortedNodes,
-		}
-	}
-
-	type minimalPatch struct {
-		Deps []manifest.DependencyPatch
-		EcosystemSpecific any
-	}
-
-	type minimalDiff struct {
-		Patch minimalPatch
-		RemovedVulns []minimalVuln
-		AddedVulns []minimalVuln
-	}
-
-	minimalRes := make([]minimalDiff, len(res))
-	for i, diff := range res {
-		minimalRes[i].Patch = minimalPatch{
-			Deps: diff.Deps,
-			EcosystemSpecific: diff.EcosystemSpecific,
-		}
-		minimalRes[i].AddedVulns = make([]minimalVuln, len(diff.AddedVulns))
-		for j, v := range diff.AddedVulns {
-			minimalRes[i].AddedVulns[j] = toMinimalVuln(v)
-		}
-		minimalRes[i].RemovedVulns = make([]minimalVuln, len(diff.RemovedVulns))
-		for j, v := range diff.RemovedVulns {
-			minimalRes[i].RemovedVulns[j] = toMinimalVuln(v)
-		}
-		cmpFn := func(a, b minimalVuln) int {
-			if c := cmp.Compare(a.ID, b.ID); c != 0 {
-				return c
-			}
-
-			return slices.Compare(a.AffectedNodes, b.AffectedNodes)
-		}
-		slices.SortFunc(minimalRes[i].AddedVulns, cmpFn)
-		slices.SortFunc(minimalRes[i].RemovedVulns, cmpFn)
-	}
-
-	testutility.NewSnapshot().MatchJSON(t, minimalRes)
-}
-
 func TestComputeRelaxPatches(t *testing.T) {
 	t.Parallel()
@@ -140,13 +34,13 @@ func TestComputeRelaxPatches(t *testing.T) {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
-			res, cl := parseRelaxFixture(t, tt.universePath, tt.manifestPath)
+			res, cl := parseRemediationFixture(t, tt.universePath, tt.manifestPath)
 			res.FilterVulns(tt.opts.MatchVuln)
 			p, err := remediation.ComputeRelaxPatches(context.Background(), cl, res, tt.opts)
 			if err != nil {
 				t.Fatalf("Failed to compute relaxation patches: %v", err)
 			}
-			checkRelaxResults(t, p)
+			checkRemediationResults(t, p)
 		})
 	}
 }
diff --git a/internal/remediation/remediation.go b/internal/remediation/remediation.go
index 5a8be957097..3a89827a07b 100644
--- a/internal/remediation/remediation.go
+++ b/internal/remediation/remediation.go
@@ -5,9 +5,39 @@ import (
 	"slices"
 	"github.com/google/osv-scanner/internal/resolution"
+	"github.com/google/osv-scanner/internal/resolution/lockfile"
+	"github.com/google/osv-scanner/internal/resolution/manifest"
 	"github.com/google/osv-scanner/internal/utility/severity"
 )
+// TODO: Supported strategies should be part of the manifest/lockfile io directly
+func SupportsRelax(m manifest.ManifestIO) bool {
+	switch m.(type) {
+	case manifest.NpmManifestIO:
+		return true
+	default:
+		return false
+	}
+}
+
+func SupportsOverride(m manifest.ManifestIO) bool {
+	switch m.(type) {
+	case manifest.MavenManifestIO:
+		return true
+	default:
+		return false
+	}
+}
+
+func SupportsInPlace(l lockfile.LockfileIO) bool {
+	switch l.(type) {
+	case lockfile.NpmLockfileIO:
+		return true
+	default:
+		return false
+	}
+}
+
 type RemediationOptions struct {
 	IgnoreVulns []string // Vulnerability IDs to ignore
 	ExplicitVulns []string // If set, only consider these vulnerability IDs & ignore all others
diff --git a/internal/remediation/testhelpers_test.go b/internal/remediation/testhelpers_test.go
new file mode 100644
index 00000000000..01a82561df3
--- /dev/null
+++ b/internal/remediation/testhelpers_test.go
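Review bot: SupportsRelax, SupportsOverride and SupportsInPlace are exported but carry no doc comment (the only comment on the block is the TODO above SupportsRelax), so their contract is invisible in godoc and to the CLI code that now gates on them. Each should get a comment starting with its name, e.g. `// SupportsRelax reports whether the relax/relock remediation strategy is implemented for the given manifest reader/writer.` with matching wording for the override and in-place variants. The type switches also match only the concrete value types (`manifest.NpmManifestIO`, `manifest.MavenManifestIO`, `lockfile.NpmLockfileIO`); if any ManifestIO or LockfileIO implementation is ever passed as a pointer these would silently return false, which is worth a sentence in the comment or a second case per type.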
@@ -0,0 +1,113 @@
+package remediation_test
+
+import (
+	"cmp"
+	"context"
+	"slices"
+	"testing"
+
+	"deps.dev/util/resolve"
+	"github.com/google/osv-scanner/internal/resolution"
+	"github.com/google/osv-scanner/internal/resolution/client"
+	"github.com/google/osv-scanner/internal/resolution/clienttest"
+	"github.com/google/osv-scanner/internal/resolution/manifest"
+	"github.com/google/osv-scanner/internal/testutility"
+	lf "github.com/google/osv-scanner/pkg/lockfile"
+	"golang.org/x/exp/maps"
+)
+
+func parseRemediationFixture(t *testing.T, universePath, manifestPath string) (*resolution.ResolutionResult, client.ResolutionClient) {
+	t.Helper()
+
+	io, err := manifest.GetManifestIO(manifestPath)
+	if err != nil {
+		t.Fatalf("Failed to get ManifestIO: %v", err)
+	}
+
+	f, err := lf.OpenLocalDepFile(manifestPath)
+	if err != nil {
+		t.Fatalf("Failed to open manifest: %v", err)
+	}
+	defer f.Close()
+
+	m, err := io.Read(f)
+	if err != nil {
+		t.Fatalf("Failed to parse manifest: %v", err)
+	}
+
+	cl := clienttest.NewMockResolutionClient(t, universePath)
+
+	res, err := resolution.Resolve(context.Background(), cl, m)
+	if err != nil {
+		t.Fatalf("Failed to resolve manifest: %v", err)
+	}
+
+	return res, cl
+}
+
+func checkRemediationResults(t *testing.T, res []resolution.ResolutionDiff) {
+	// ResolutionDiff is too large when dumped as JSON.
+	// Extract & compare a subset of fields that are relevant for the tests.
+	t.Helper()
+
+	type minimalVuln struct {
+		ID string
+		AffectedNodes []resolve.NodeID
+	}
+
+	toMinimalVuln := func(v resolution.ResolutionVuln) minimalVuln {
+		t.Helper()
+		nodes := make(map[resolve.NodeID]struct{})
+		for _, c := range v.ProblemChains {
+			nodes[c.Edges[0].To] = struct{}{}
+		}
+		for _, c := range v.NonProblemChains {
+			nodes[c.Edges[0].To] = struct{}{}
+		}
+		sortedNodes := maps.Keys(nodes)
+		slices.Sort(sortedNodes)
+
+		return minimalVuln{
+			ID: v.Vulnerability.ID,
+			AffectedNodes: sortedNodes,
+		}
+	}
+
+	type minimalPatch struct {
+		Deps []manifest.DependencyPatch
+		EcosystemSpecific any
+	}
+
+	type minimalDiff struct {
+		Patch minimalPatch
+		RemovedVulns []minimalVuln
+		AddedVulns []minimalVuln
+	}
+
+	minimalRes := make([]minimalDiff, len(res))
+	for i, diff := range res {
+		minimalRes[i].Patch = minimalPatch{
+			Deps: diff.Deps,
+			EcosystemSpecific: diff.EcosystemSpecific,
+		}
+		minimalRes[i].AddedVulns = make([]minimalVuln, len(diff.AddedVulns))
+		for j, v := range diff.AddedVulns {
+			minimalRes[i].AddedVulns[j] = toMinimalVuln(v)
+		}
+		minimalRes[i].RemovedVulns = make([]minimalVuln, len(diff.RemovedVulns))
+		for j, v := range diff.RemovedVulns {
+			minimalRes[i].RemovedVulns[j] = toMinimalVuln(v)
+		}
+		cmpFn := func(a, b minimalVuln) int {
+			if c := cmp.Compare(a.ID, b.ID); c != 0 {
+				return c
+			}
+
+			return slices.Compare(a.AffectedNodes, b.AffectedNodes)
+		}
+		slices.SortFunc(minimalRes[i].AddedVulns, cmpFn)
+		slices.SortFunc(minimalRes[i].RemovedVulns, cmpFn)
+	}
+
+	testutility.NewSnapshot().MatchJSON(t, minimalRes)
+}
diff --git a/internal/resolution/resolve.go b/internal/resolution/resolve.go
index 7f42a8cd055..f963054aa70 100644
--- a/internal/resolution/resolve.go
+++ b/internal/resolution/resolve.go
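Review bot: toMinimalVuln indexes `c.Edges[0].To` for every chain in ProblemChains and NonProblemChains without checking the slice is non-empty, so a chain with no edges panics the test instead of failing it with a message; whether such chains can occur is not visible here, but `if len(c.Edges) == 0 { t.Fatalf("chain with no edges for %s", v.Vulnerability.ID) }` inside each loop turns that into a readable failure. cmpFn is also rebuilt on every iteration of `for i, diff := range res` although it captures nothing loop-dependent, so it can be declared once before the loop. In parseRemediationFixture the local `io` shadows the name of the standard io package; `manifestIO` would read more clearly.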
@@ -8,6 +8,7 @@ import (
 	"slices"
 	"deps.dev/util/resolve"
+	"deps.dev/util/resolve/maven"
 	"deps.dev/util/resolve/npm"
 	"github.com/google/osv-scanner/internal/resolution/client"
 	"github.com/google/osv-scanner/internal/resolution/manifest"
@@ -59,6 +60,8 @@ func getResolver(sys resolve.System, cl resolve.Client) (resolve.Resolver, error
 	switch sys { //nolint:exhaustive
 	case resolve.NPM:
 		return npm.NewResolver(cl), nil
+	case resolve.Maven:
+		return maven.NewResolver(cl), nil
 	default:
 		return nil, fmt.Errorf("no resolver for ecosystem %v", sys)
 	}
diff --git a/scripts/generate_mock_resolution_universe/main.go b/scripts/generate_mock_resolution_universe/main.go
index 4411cb755a2..763e50f5928 100644
--- a/scripts/generate_mock_resolution_universe/main.go
+++ b/scripts/generate_mock_resolution_universe/main.go
@@ -69,6 +69,37 @@ func doRelockRelax(ddCl *client.DepsDevClient, io manifest.ManifestIO, filename
 	return err
 }
+func doOverride(ddCl *client.DepsDevClient, io manifest.ManifestIO, filename string) error {
+	cl := client.ResolutionClient{
+		VulnerabilityClient: client.NewOSVClient(),
+		DependencyClient: ddCl,
+	}
+
+	f, err := lf.OpenLocalDepFile(filename)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	manif, err := io.Read(f)
+	if err != nil {
+		return err
+	}
+
+	cl.PreFetch(context.Background(), manif.Requirements, manif.FilePath)
+	res, err := resolution.Resolve(context.Background(), cl, manif)
+	if err != nil {
+		return err
+	}
+	_, err = remediation.ComputeOverridePatches(context.Background(), cl, res, remediation.RemediationOptions{
+		DevDeps: true,
+		MaxDepth: -1,
+		AllowMajor: true,
+	})
+
+	return err
+}
+
 func doInPlace(ddCl *client.DepsDevClient, io lockfile.LockfileIO, filename string) error {
 	cl := client.ResolutionClient{
 		VulnerabilityClient: client.NewOSVClient(),
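Review bot: doOverride discards the result of ComputeOverridePatches with `_, err = ...` and nothing says why, so a reader cannot tell whether the patches are unused by design or the call was left unfinished. Presumably the computation is run only so the resolution client fetches the versions that the generated universe later needs, but that intent should be stated, e.g. a line above the call such as `// The patches themselves are not needed; the computation is run so the client has fetched everything makeUniverse will serialise.` (adjust if the intent differs). The three `context.Background()` calls could also become a single `ctx := context.Background()` at the top of the function.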
@@ -183,34 +214,17 @@ func makeUniverse(cl *client.DepsDevClient) (clienttest.ResolutionUniverse, erro
 			VersionType: resolve.Concrete,
 		})
 		if err != nil {
-			return clienttest.ResolutionUniverse{}, err
+			continue
 		}
 		for _, r := range reqs {
-			// don't bother writing dev dependencies
-			if r.Type.HasAttr(dep.Dev) {
+			// Don't bother writing Dev or Test dependencies.
+			if r.Type.HasAttr(dep.Dev) || r.Type.HasAttr(dep.Test) {
 				continue
 			}
 			str := r.Name + "@" + r.Version
-
-			// The type's String is the same format as what the universe expects.
-			// Manually parse and format the type string.
-			var typeParts []string
-			types := strings.Split(r.Type.String(), "|")
-			for _, t := range types {
-				if t == "reg" { // reg = regular - ignore that type
-					continue
-				}
-				parts := strings.SplitN(t, "=", 2)
-				if len(parts) == 1 {
-					// not a key-value pair, just append the string
-					typeParts = append(typeParts, parts[0])
-				} else {
-					// key-value pair, append the key and remove quotes from value
-					typeParts = append(typeParts, parts[0]+" "+strings.Trim(parts[1], `"`))
-				}
-			}
-			if len(typeParts) > 0 {
-				str = strings.Join(typeParts, " ") + "|" + str
+			typeStr := typeString(r.Type)
+			if typeStr != "" {
+				str = typeStr + "|" + str
 			}
 			fmt.Fprintf(schema, "\t\t%s\n", str)
 		}
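Review bot: Replacing `return clienttest.ResolutionUniverse{}, err` with a bare `continue` swallows the lookup error, so a version whose requirements cannot be fetched silently disappears from the generated universe, and any remediation test fixture built from it will be missing that entry with no trace of why. If skipping is the intended behaviour, report it before continuing, e.g. `fmt.Fprintf(os.Stderr, "skipping version: %v\n", err)` followed by `continue`, and include the version key being queried (it is declared above this hunk). makeUniverse begins and ends outside the hunk.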
@@ -246,6 +260,29 @@ func makeUniverse(cl *client.DepsDevClient) (clienttest.ResolutionUniverse, erro
 	return clienttest.ResolutionUniverse{System: system.String(), Schema: schema.String(), Vulns: vulns}, nil
 }
+// These are just the relevant AttrKeys for our supported ecosystems.
+var flagAttrs = [...]dep.AttrKey{dep.Dev, dep.Opt, dep.Test} // Keys without values
+var valueAttrs = [...]dep.AttrKey{dep.Scope, dep.MavenClassifier, dep.MavenArtifactType, dep.MavenDependencyOrigin, dep.MavenExclusions, dep.KnownAs, dep.Selector}
+
+func typeString(t dep.Type) string {
+	// dep.Type.String() is not the same format as what the universe schema wants.
+	// Manually construct the valid string.
+	var parts []string
+	for _, attr := range flagAttrs {
+		if t.HasAttr(attr) {
+			parts = append(parts, attr.String())
+		}
+	}
+
+	for _, attr := range valueAttrs {
+		if value, ok := t.GetAttr(attr); ok {
+			parts = append(parts, attr.String(), strings.ReplaceAll(value, "|", ",")) // Must convert the MavenExclusions separator.
+		}
+	}
+
+	return strings.Join(parts, " ")
+}
+
 func main() {
 	cl, err := client.NewDepsDevClient(depsdev.DepsdevAPI)
 	if err != nil {
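Review bot: The `strings.ReplaceAll(value, "|", ",")` in typeString is applied to every value attribute, but the trailing comment says it exists only for the MavenExclusions separator; any other attribute value that happens to contain `|` would be rewritten as well, which may or may not be harmless for the schema. Scoping it makes the code match the stated intent: `if attr == dep.MavenExclusions { value = strings.ReplaceAll(value, "|", ",") }` followed by `parts = append(parts, attr.String(), value)`. The two package-level `var` lines above typeString would conventionally be grouped in one `var (...)` block with the explanatory comment inside it.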
@@ -257,24 +294,38 @@ func main() {
 	for _, filename := range os.Args[1:] {
 		filename := filename
 		if io, err := manifest.GetManifestIO(filename); err == nil {
-			group.Go(func() error {
-				err := doRelockRelax(cl, io, filename)
-				if err != nil {
-					return fmt.Errorf("failed to relock/relax %s: %w", filename, err)
-				}
+			if remediation.SupportsRelax(io) {
+				group.Go(func() error {
+					err := doRelockRelax(cl, io, filename)
+					if err != nil {
+						return fmt.Errorf("failed to relock/relax %s: %w", filename, err)
+					}
-				return nil
-			})
+					return nil
+				})
+			}
+			if remediation.SupportsOverride(io) {
+				group.Go(func() error {
+					err := doOverride(cl, io, filename)
+					if err != nil {
+						return fmt.Errorf("failed to relock/override %s: %w", filename, err)
+					}
+
+					return nil
+				})
+			}
 		}
 		if io, err := lockfile.GetLockfileIO(filename); err == nil {
-			group.Go(func() error {
-				err := doInPlace(cl, io, filename)
-				if err != nil {
-					return fmt.Errorf("failed to in-place update %s: %w", filename, err)
-				}
+			if remediation.SupportsInPlace(io) {
+				group.Go(func() error {
+					err := doInPlace(cl, io, filename)
+					if err != nil {
+						return fmt.Errorf("failed to in-place update %s: %w", filename, err)
+					}
-				return nil
-			})
+					return nil
+				})
+			}
 		}
 	}
 	if err := group.Wait(); err != nil {
@@ -283,7 +334,7 @@ func main() {
 	universe, err := makeUniverse(cl)
 	if err != nil {
-		fmt.Fprintln(os.Stderr, err)
+		fmt.Fprintf(os.Stderr, "error making universe: %v\n", err)
 		os.Exit(1)
 	}
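Review bot: A file that GetManifestIO or GetLockfileIO recognises but for which none of the Supports* predicates is true is now skipped without any output, so a caller passing such a file gets no work scheduled and no hint why. A short diagnostic covers it, e.g. after the two manifest branches `if !remediation.SupportsRelax(io) && !remediation.SupportsOverride(io) { fmt.Fprintf(os.Stderr, "skipping %s: no supported manifest strategy\n", filename) }`, and the equivalent check with SupportsInPlace in the lockfile branch. The pre-existing `err == nil` guards also drop the reason a file matched neither reader, so the same message would be the natural place to surface that as well.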