github.com/google/osv-scalibr@v0.4.1/guidedremediation/internal/strategy/override/testdata/zeppelin-server/vulnerabilities.json (about) 1 { 2 "vulns": [ 3 { 4 "affected": [ 5 { 6 "database_specific": { 7 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-vmfg-rjjm-rjrj/GHSA-vmfg-rjjm-rjrj.json" 8 }, 9 "package": { 10 "ecosystem": "Maven", 11 "name": "ch.qos.logback:logback-classic", 12 "purl": "pkg:maven/ch.qos.logback/logback-classic" 13 }, 14 "ranges": [ 15 { 16 "events": [ 17 { 18 "introduced": "0" 19 }, 20 { 21 "fixed": "1.2.0" 22 } 23 ], 24 "type": "ECOSYSTEM" 25 } 26 ], 27 "versions": [ 28 "0.2.5", 29 "0.3", 30 "0.5", 31 "0.6", 32 "0.7", 33 "0.7.1", 34 "0.8", 35 "0.8.1", 36 "0.9", 37 "0.9.1", 38 "0.9.10", 39 "0.9.11", 40 "0.9.12", 41 "0.9.13", 42 "0.9.14", 43 "0.9.15", 44 "0.9.16", 45 "0.9.17", 46 "0.9.18", 47 "0.9.19", 48 "0.9.2", 49 "0.9.20", 50 "0.9.21", 51 "0.9.22", 52 "0.9.23", 53 "0.9.24", 54 "0.9.25", 55 "0.9.26", 56 "0.9.27", 57 "0.9.28", 58 "0.9.29", 59 "0.9.3", 60 "0.9.30", 61 "0.9.4", 62 "0.9.5", 63 "0.9.6", 64 "0.9.7", 65 "0.9.8", 66 "0.9.9", 67 "1.0.0", 68 "1.0.1", 69 "1.0.10", 70 "1.0.11", 71 "1.0.12", 72 "1.0.13", 73 "1.0.2", 74 "1.0.3", 75 "1.0.4", 76 "1.0.5", 77 "1.0.6", 78 "1.0.7", 79 "1.0.8", 80 "1.0.9", 81 "1.1.0", 82 "1.1.1", 83 "1.1.10", 84 "1.1.11", 85 "1.1.2", 86 "1.1.3", 87 "1.1.4", 88 "1.1.5", 89 "1.1.6", 90 "1.1.7", 91 "1.1.8", 92 "1.1.9" 93 ] 94 }, 95 { 96 "database_specific": { 97 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-vmfg-rjjm-rjrj/GHSA-vmfg-rjjm-rjrj.json" 98 }, 99 "package": { 100 "ecosystem": "Maven", 101 "name": "ch.qos.logback:logback-core", 102 "purl": "pkg:maven/ch.qos.logback/logback-core" 103 }, 104 "ranges": [ 105 { 106 "events": [ 107 { 108 "introduced": "0" 109 }, 110 { 111 "fixed": "1.2.0" 112 } 113 ], 114 "type": "ECOSYSTEM" 115 } 116 ], 117 "versions": [ 118 "0.2.5", 119 "0.3", 120 "0.5", 121 
"0.6", 122 "0.7", 123 "0.7.1", 124 "0.8", 125 "0.8.1", 126 "0.9", 127 "0.9.1", 128 "0.9.10", 129 "0.9.11", 130 "0.9.12", 131 "0.9.13", 132 "0.9.14", 133 "0.9.15", 134 "0.9.16", 135 "0.9.17", 136 "0.9.18", 137 "0.9.19", 138 "0.9.2", 139 "0.9.20", 140 "0.9.21", 141 "0.9.22", 142 "0.9.23", 143 "0.9.24", 144 "0.9.25", 145 "0.9.26", 146 "0.9.27", 147 "0.9.28", 148 "0.9.29", 149 "0.9.3", 150 "0.9.30", 151 "0.9.4", 152 "0.9.5", 153 "0.9.6", 154 "0.9.7", 155 "0.9.8", 156 "0.9.9", 157 "1.0.0", 158 "1.0.1", 159 "1.0.10", 160 "1.0.11", 161 "1.0.12", 162 "1.0.13", 163 "1.0.2", 164 "1.0.3", 165 "1.0.4", 166 "1.0.5", 167 "1.0.6", 168 "1.0.7", 169 "1.0.8", 170 "1.0.9", 171 "1.1.0", 172 "1.1.1", 173 "1.1.10", 174 "1.1.11", 175 "1.1.2", 176 "1.1.3", 177 "1.1.4", 178 "1.1.5", 179 "1.1.6", 180 "1.1.7", 181 "1.1.8", 182 "1.1.9" 183 ] 184 } 185 ], 186 "aliases": [ 187 "CVE-2017-5929" 188 ], 189 "database_specific": { 190 "cwe_ids": [ 191 "CWE-502" 192 ], 193 "github_reviewed": true, 194 "github_reviewed_at": "2021-06-04T20:45:34Z", 195 "nvd_published_at": "2017-03-13T06:59:00Z", 196 "severity": "CRITICAL" 197 }, 198 "details": "QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. The RemoteStreamAppenderClient class in logback-classic and the SocketNode classes in logback-classic and logback-access allow data to be deserialized over a Java Socket, via an ObjectInputStream, without validating the data beforehand. When data is received from the Socket, to be logged, it is deserialized into Java objects.An attacker can exploit this vulnerability by sending malicious, serialized Java objects over the connection to the Socket, which may result in execution of arbitrary code when those objects are deserialized. 
Note that although logback-core is implicated by the Logback project here, the Sonatype Security Research team discovered that the vulnerability is actually present in the logback-classic and logback-access components. Versions prior to 1.2.0 are vulnerable, as stated in the advisory.", 199 "id": "GHSA-vmfg-rjjm-rjrj", 200 "modified": "2024-03-09T05:18:12.019858Z", 201 "published": "2021-06-07T16:07:36Z", 202 "references": [ 203 { 204 "type": "ADVISORY", 205 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5929" 206 }, 207 { 208 "type": "WEB", 209 "url": "https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8" 210 }, 211 { 212 "type": "WEB", 213 "url": "https://logback.qos.ch/news.html" 214 }, 215 { 216 "type": "WEB", 217 "url": "https://lists.apache.org/thread.html/re9b787727291786dfe088e3cd078c7d195c0b5781e15d3cd24a3b2fc@%3Cdev.mnemonic.apache.org%3E" 218 }, 219 { 220 "type": "WEB", 221 "url": "https://lists.apache.org/thread.html/rd2227af3c9ada2a72dc72ed05517f5857a34d487580e1f2803922ff9@%3Ccommits.cassandra.apache.org%3E" 222 }, 223 { 224 "type": "WEB", 225 "url": "https://lists.apache.org/thread.html/rc5f0cc2f3b153bdf15ee7389d78585829abc9c7af4d322ba1085dd3e@%3Ccommits.cassandra.apache.org%3E" 226 }, 227 { 228 "type": "WEB", 229 "url": "https://lists.apache.org/thread.html/rbb4dfca2f7e3e8f3570eec21c79832d33a51dfde6762725660b60169@%3Cdev.mnemonic.apache.org%3E" 230 }, 231 { 232 "type": "WEB", 233 "url": "https://lists.apache.org/thread.html/ra007cec726a3927c918ec94c4316d05d1829c49eae8dc3648adc35e2@%3Ccommits.cassandra.apache.org%3E" 234 }, 235 { 236 "type": "WEB", 237 "url": "https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9@%3Cdev.brooklyn.apache.org%3E" 238 }, 239 { 240 "type": "WEB", 241 "url": "https://lists.apache.org/thread.html/r718f27bed898008a8e037d9cc848cfc1df4d18abcbaee0cb0c142cfb@%3Ccommits.cassandra.apache.org%3E" 242 }, 243 { 244 "type": "WEB", 245 "url": 
"https://lists.apache.org/thread.html/r632ec30791b441e2eb5a3129532bf1b689bf181d0ef7daf50bcf0fd6@%3Ccommits.cassandra.apache.org%3E" 246 }, 247 { 248 "type": "WEB", 249 "url": "https://lists.apache.org/thread.html/r4673642893562c58cbee60c151ded6c077e8a2d02296e862224a9161@%3Ccommits.cassandra.apache.org%3E" 250 }, 251 { 252 "type": "WEB", 253 "url": "https://lists.apache.org/thread.html/r397bf63783240fbb5713389d3f889d287ae0c11509006700ac720037@%3Ccommits.cassandra.apache.org%3E" 254 }, 255 { 256 "type": "WEB", 257 "url": "https://lists.apache.org/thread.html/r2c2d57ca180e8173c90fe313ddf8eabbdcf8e3ae196f8b9f42599790@%3Ccommits.mnemonic.apache.org%3E" 258 }, 259 { 260 "type": "WEB", 261 "url": "https://lists.apache.org/thread.html/r2a08573ddee4a86dc96d469485a5843a01710ee0dc2078dfca410c79@%3Ccommits.cassandra.apache.org%3E" 262 }, 263 { 264 "type": "WEB", 265 "url": "https://lists.apache.org/thread.html/r0bb19330e48d5ad784fa20dacba9e5538d8d60f5cd9142e0f1432b4b@%3Ccommits.cassandra.apache.org%3E" 266 }, 267 { 268 "type": "WEB", 269 "url": "https://lists.apache.org/thread.html/fa4eaaa6ff41ac6f79811e053c152ee89b7c5da8a6ac848ae97df67f@%3Ccommits.cassandra.apache.org%3E" 270 }, 271 { 272 "type": "WEB", 273 "url": "https://lists.apache.org/thread.html/a6db61616180d73711d6db25703085940026e2dbc40f153f9d22b203@%3Ccommits.cassandra.apache.org%3E" 274 }, 275 { 276 "type": "WEB", 277 "url": "https://lists.apache.org/thread.html/18d509024d9aeb07f0e9579066f80bf5d4dcf20467b0c240043890d1@%3Ccommits.cassandra.apache.org%3E" 278 }, 279 { 280 "type": "PACKAGE", 281 "url": "https://github.com/qos-ch/logback" 282 }, 283 { 284 "type": "WEB", 285 "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929" 286 }, 287 { 288 "type": "WEB", 289 "url": "https://access.redhat.com/errata/RHSA-2018:2927" 290 }, 291 { 292 "type": "WEB", 293 "url": "https://access.redhat.com/errata/RHSA-2017:1832" 294 }, 295 { 296 "type": "WEB", 297 "url": "https://access.redhat.com/errata/RHSA-2017:1676" 298 
}, 299 { 300 "type": "WEB", 301 "url": "https://access.redhat.com/errata/RHSA-2017:1675" 302 } 303 ], 304 "schema_version": "1.6.0", 305 "severity": [ 306 { 307 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 308 "type": "CVSS_V3" 309 } 310 ], 311 "summary": "QOS.ch Logback vulnerable to Deserialization of Untrusted Data" 312 }, 313 { 314 "affected": [ 315 { 316 "database_specific": { 317 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vmq6-5m68-f53m/GHSA-vmq6-5m68-f53m.json" 318 }, 319 "package": { 320 "ecosystem": "Maven", 321 "name": "ch.qos.logback:logback-classic", 322 "purl": "pkg:maven/ch.qos.logback/logback-classic" 323 }, 324 "ranges": [ 325 { 326 "events": [ 327 { 328 "introduced": "1.3.0" 329 }, 330 { 331 "fixed": "1.3.12" 332 } 333 ], 334 "type": "ECOSYSTEM" 335 } 336 ], 337 "versions": [ 338 "1.3.0", 339 "1.3.1", 340 "1.3.10", 341 "1.3.11", 342 "1.3.2", 343 "1.3.3", 344 "1.3.4", 345 "1.3.5", 346 "1.3.6", 347 "1.3.7", 348 "1.3.8", 349 "1.3.9" 350 ] 351 }, 352 { 353 "database_specific": { 354 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vmq6-5m68-f53m/GHSA-vmq6-5m68-f53m.json" 355 }, 356 "package": { 357 "ecosystem": "Maven", 358 "name": "ch.qos.logback:logback-classic", 359 "purl": "pkg:maven/ch.qos.logback/logback-classic" 360 }, 361 "ranges": [ 362 { 363 "events": [ 364 { 365 "introduced": "1.4.0" 366 }, 367 { 368 "fixed": "1.4.12" 369 } 370 ], 371 "type": "ECOSYSTEM" 372 } 373 ], 374 "versions": [ 375 "1.4.0", 376 "1.4.1", 377 "1.4.10", 378 "1.4.11", 379 "1.4.2", 380 "1.4.3", 381 "1.4.4", 382 "1.4.5", 383 "1.4.6", 384 "1.4.7", 385 "1.4.8", 386 "1.4.9" 387 ] 388 }, 389 { 390 "database_specific": { 391 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vmq6-5m68-f53m/GHSA-vmq6-5m68-f53m.json" 392 }, 393 "package": { 394 "ecosystem": "Maven", 395 "name": 
"ch.qos.logback:logback-core", 396 "purl": "pkg:maven/ch.qos.logback/logback-core" 397 }, 398 "ranges": [ 399 { 400 "events": [ 401 { 402 "introduced": "1.3.0" 403 }, 404 { 405 "fixed": "1.3.12" 406 } 407 ], 408 "type": "ECOSYSTEM" 409 } 410 ], 411 "versions": [ 412 "1.3.0", 413 "1.3.1", 414 "1.3.10", 415 "1.3.11", 416 "1.3.2", 417 "1.3.3", 418 "1.3.4", 419 "1.3.5", 420 "1.3.6", 421 "1.3.7", 422 "1.3.8", 423 "1.3.9" 424 ] 425 }, 426 { 427 "database_specific": { 428 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vmq6-5m68-f53m/GHSA-vmq6-5m68-f53m.json" 429 }, 430 "package": { 431 "ecosystem": "Maven", 432 "name": "ch.qos.logback:logback-core", 433 "purl": "pkg:maven/ch.qos.logback/logback-core" 434 }, 435 "ranges": [ 436 { 437 "events": [ 438 { 439 "introduced": "1.4.0" 440 }, 441 { 442 "fixed": "1.4.12" 443 } 444 ], 445 "type": "ECOSYSTEM" 446 } 447 ], 448 "versions": [ 449 "1.4.0", 450 "1.4.1", 451 "1.4.10", 452 "1.4.11", 453 "1.4.2", 454 "1.4.3", 455 "1.4.4", 456 "1.4.5", 457 "1.4.6", 458 "1.4.7", 459 "1.4.8", 460 "1.4.9" 461 ] 462 }, 463 { 464 "database_specific": { 465 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vmq6-5m68-f53m/GHSA-vmq6-5m68-f53m.json" 466 }, 467 "package": { 468 "ecosystem": "Maven", 469 "name": "ch.qos.logback:logback-core", 470 "purl": "pkg:maven/ch.qos.logback/logback-core" 471 }, 472 "ranges": [ 473 { 474 "events": [ 475 { 476 "introduced": "0" 477 }, 478 { 479 "fixed": "1.2.13" 480 } 481 ], 482 "type": "ECOSYSTEM" 483 } 484 ], 485 "versions": [ 486 "0.2.5", 487 "0.3", 488 "0.5", 489 "0.6", 490 "0.7", 491 "0.7.1", 492 "0.8", 493 "0.8.1", 494 "0.9", 495 "0.9.1", 496 "0.9.10", 497 "0.9.11", 498 "0.9.12", 499 "0.9.13", 500 "0.9.14", 501 "0.9.15", 502 "0.9.16", 503 "0.9.17", 504 "0.9.18", 505 "0.9.19", 506 "0.9.2", 507 "0.9.20", 508 "0.9.21", 509 "0.9.22", 510 "0.9.23", 511 "0.9.24", 512 "0.9.25", 513 "0.9.26", 514 "0.9.27", 
515 "0.9.28", 516 "0.9.29", 517 "0.9.3", 518 "0.9.30", 519 "0.9.4", 520 "0.9.5", 521 "0.9.6", 522 "0.9.7", 523 "0.9.8", 524 "0.9.9", 525 "1.0.0", 526 "1.0.1", 527 "1.0.10", 528 "1.0.11", 529 "1.0.12", 530 "1.0.13", 531 "1.0.2", 532 "1.0.3", 533 "1.0.4", 534 "1.0.5", 535 "1.0.6", 536 "1.0.7", 537 "1.0.8", 538 "1.0.9", 539 "1.1.0", 540 "1.1.1", 541 "1.1.10", 542 "1.1.11", 543 "1.1.2", 544 "1.1.3", 545 "1.1.4", 546 "1.1.5", 547 "1.1.6", 548 "1.1.7", 549 "1.1.8", 550 "1.1.9", 551 "1.2.0", 552 "1.2.1", 553 "1.2.10", 554 "1.2.11", 555 "1.2.12", 556 "1.2.2", 557 "1.2.3", 558 "1.2.4", 559 "1.2.4-groovyless", 560 "1.2.5", 561 "1.2.6", 562 "1.2.7", 563 "1.2.8", 564 "1.2.9" 565 ] 566 }, 567 { 568 "database_specific": { 569 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-vmq6-5m68-f53m/GHSA-vmq6-5m68-f53m.json" 570 }, 571 "package": { 572 "ecosystem": "Maven", 573 "name": "ch.qos.logback:logback-classic", 574 "purl": "pkg:maven/ch.qos.logback/logback-classic" 575 }, 576 "ranges": [ 577 { 578 "events": [ 579 { 580 "introduced": "0" 581 }, 582 { 583 "fixed": "1.2.13" 584 } 585 ], 586 "type": "ECOSYSTEM" 587 } 588 ], 589 "versions": [ 590 "0.2.5", 591 "0.3", 592 "0.5", 593 "0.6", 594 "0.7", 595 "0.7.1", 596 "0.8", 597 "0.8.1", 598 "0.9", 599 "0.9.1", 600 "0.9.10", 601 "0.9.11", 602 "0.9.12", 603 "0.9.13", 604 "0.9.14", 605 "0.9.15", 606 "0.9.16", 607 "0.9.17", 608 "0.9.18", 609 "0.9.19", 610 "0.9.2", 611 "0.9.20", 612 "0.9.21", 613 "0.9.22", 614 "0.9.23", 615 "0.9.24", 616 "0.9.25", 617 "0.9.26", 618 "0.9.27", 619 "0.9.28", 620 "0.9.29", 621 "0.9.3", 622 "0.9.30", 623 "0.9.4", 624 "0.9.5", 625 "0.9.6", 626 "0.9.7", 627 "0.9.8", 628 "0.9.9", 629 "1.0.0", 630 "1.0.1", 631 "1.0.10", 632 "1.0.11", 633 "1.0.12", 634 "1.0.13", 635 "1.0.2", 636 "1.0.3", 637 "1.0.4", 638 "1.0.5", 639 "1.0.6", 640 "1.0.7", 641 "1.0.8", 642 "1.0.9", 643 "1.1.0", 644 "1.1.1", 645 "1.1.10", 646 "1.1.11", 647 "1.1.2", 648 "1.1.3", 649 "1.1.4", 650 
"1.1.5", 651 "1.1.6", 652 "1.1.7", 653 "1.1.8", 654 "1.1.9", 655 "1.2.0", 656 "1.2.1", 657 "1.2.10", 658 "1.2.11", 659 "1.2.12", 660 "1.2.2", 661 "1.2.3", 662 "1.2.4", 663 "1.2.4-groovyless", 664 "1.2.5", 665 "1.2.6", 666 "1.2.7", 667 "1.2.8", 668 "1.2.9" 669 ] 670 } 671 ], 672 "aliases": [ 673 "CVE-2023-6378" 674 ], 675 "database_specific": { 676 "cwe_ids": [ 677 "CWE-502" 678 ], 679 "github_reviewed": true, 680 "github_reviewed_at": "2023-11-29T21:33:01Z", 681 "nvd_published_at": "2023-11-29T12:15:07Z", 682 "severity": "HIGH" 683 }, 684 "details": "A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.\n\nThis is only exploitable if logback receiver component is deployed. See https://logback.qos.ch/manual/receivers.html", 685 "id": "GHSA-vmq6-5m68-f53m", 686 "modified": "2024-02-16T08:07:48.81685Z", 687 "published": "2023-11-29T12:30:16Z", 688 "references": [ 689 { 690 "type": "ADVISORY", 691 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6378" 692 }, 693 { 694 "type": "WEB", 695 "url": "https://github.com/qos-ch/logback/issues/745#issuecomment-1836227158" 696 }, 697 { 698 "type": "WEB", 699 "url": "https://github.com/qos-ch/logback/commit/9c782b45be4abdafb7e17481e24e7354c2acd1eb" 700 }, 701 { 702 "type": "WEB", 703 "url": "https://github.com/qos-ch/logback/commit/b8eac23a9de9e05fb6d51160b3f46acd91af9731" 704 }, 705 { 706 "type": "WEB", 707 "url": "https://github.com/qos-ch/logback/commit/bb095154be011267b64e37a1d401546e7cc2b7c3" 708 }, 709 { 710 "type": "PACKAGE", 711 "url": "https://github.com/qos-ch/logback" 712 }, 713 { 714 "type": "WEB", 715 "url": "https://logback.qos.ch/manual/receivers.html" 716 }, 717 { 718 "type": "WEB", 719 "url": "https://logback.qos.ch/news.html#1.2.13" 720 }, 721 { 722 "type": "WEB", 723 "url": "https://logback.qos.ch/news.html#1.3.12" 724 } 725 ], 726 "related": [ 727 "CGA-334h-ff83-4pcg", 728 "CGA-69p6-hjq3-r85h", 729 
"CGA-753q-8vfj-7pr3", 730 "CGA-9334-5jx3-592c", 731 "CGA-p5qq-x3qc-jpwx", 732 "CGA-rg2w-hc6f-9pwx" 733 ], 734 "schema_version": "1.6.0", 735 "severity": [ 736 { 737 "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", 738 "type": "CVSS_V3" 739 } 740 ], 741 "summary": "logback serialization vulnerability" 742 }, 743 { 744 "affected": [ 745 { 746 "database_specific": { 747 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-668q-qrv7-99fm/GHSA-668q-qrv7-99fm.json" 748 }, 749 "package": { 750 "ecosystem": "Maven", 751 "name": "ch.qos.logback:logback-core", 752 "purl": "pkg:maven/ch.qos.logback/logback-core" 753 }, 754 "ranges": [ 755 { 756 "events": [ 757 { 758 "introduced": "0" 759 }, 760 { 761 "fixed": "1.2.9" 762 } 763 ], 764 "type": "ECOSYSTEM" 765 } 766 ], 767 "versions": [ 768 "0.2.5", 769 "0.3", 770 "0.5", 771 "0.6", 772 "0.7", 773 "0.7.1", 774 "0.8", 775 "0.8.1", 776 "0.9", 777 "0.9.1", 778 "0.9.10", 779 "0.9.11", 780 "0.9.12", 781 "0.9.13", 782 "0.9.14", 783 "0.9.15", 784 "0.9.16", 785 "0.9.17", 786 "0.9.18", 787 "0.9.19", 788 "0.9.2", 789 "0.9.20", 790 "0.9.21", 791 "0.9.22", 792 "0.9.23", 793 "0.9.24", 794 "0.9.25", 795 "0.9.26", 796 "0.9.27", 797 "0.9.28", 798 "0.9.29", 799 "0.9.3", 800 "0.9.30", 801 "0.9.4", 802 "0.9.5", 803 "0.9.6", 804 "0.9.7", 805 "0.9.8", 806 "0.9.9", 807 "1.0.0", 808 "1.0.1", 809 "1.0.10", 810 "1.0.11", 811 "1.0.12", 812 "1.0.13", 813 "1.0.2", 814 "1.0.3", 815 "1.0.4", 816 "1.0.5", 817 "1.0.6", 818 "1.0.7", 819 "1.0.8", 820 "1.0.9", 821 "1.1.0", 822 "1.1.1", 823 "1.1.10", 824 "1.1.11", 825 "1.1.2", 826 "1.1.3", 827 "1.1.4", 828 "1.1.5", 829 "1.1.6", 830 "1.1.7", 831 "1.1.8", 832 "1.1.9", 833 "1.2.0", 834 "1.2.1", 835 "1.2.2", 836 "1.2.3", 837 "1.2.4", 838 "1.2.4-groovyless", 839 "1.2.5", 840 "1.2.6", 841 "1.2.7", 842 "1.2.8" 843 ] 844 } 845 ], 846 "aliases": [ 847 "CVE-2021-42550" 848 ], 849 "database_specific": { 850 "cwe_ids": [ 851 "CWE-502" 852 ], 853 "github_reviewed": 
true, 854 "github_reviewed_at": "2021-12-17T19:25:11Z", 855 "nvd_published_at": "2021-12-16T19:15:00Z", 856 "severity": "MODERATE" 857 }, 858 "details": "In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.", 859 "id": "GHSA-668q-qrv7-99fm", 860 "modified": "2024-02-16T08:18:41.537541Z", 861 "published": "2021-12-17T20:00:50Z", 862 "references": [ 863 { 864 "type": "ADVISORY", 865 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42550" 866 }, 867 { 868 "type": "WEB", 869 "url": "https://github.com/qos-ch/logback/commit/87291079a1de9369ac67e20dc70a8fdc7cc4359c" 870 }, 871 { 872 "type": "WEB", 873 "url": "https://github.com/qos-ch/logback/commit/ef4fc4186b74b45ce80d86833820106ff27edd42" 874 }, 875 { 876 "type": "WEB", 877 "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-371761.pdf" 878 }, 879 { 880 "type": "WEB", 881 "url": "https://github.com/cn-panda/logbackRceDemo" 882 }, 883 { 884 "type": "PACKAGE", 885 "url": "https://github.com/qos-ch/logback" 886 }, 887 { 888 "type": "WEB", 889 "url": "https://github.com/qos-ch/logback/blob/1502cba4c1dfd135b2e715bc0cf80c0045d4d128/logback-site/src/site/pages/news.html" 890 }, 891 { 892 "type": "WEB", 893 "url": "https://jira.qos.ch/browse/LOGBACK-1591" 894 }, 895 { 896 "type": "WEB", 897 "url": "https://security.netapp.com/advisory/ntap-20211229-0001" 898 }, 899 { 900 "type": "WEB", 901 "url": "http://logback.qos.ch/news.html" 902 }, 903 { 904 "type": "WEB", 905 "url": "http://packetstormsecurity.com/files/167794/Open-Xchange-App-Suite-7.10.x-Cross-Site-Scripting-Command-Injection.html" 906 }, 907 { 908 "type": "WEB", 909 "url": "http://seclists.org/fulldisclosure/2022/Jul/11" 910 } 911 ], 912 "schema_version": "1.6.0", 913 "severity": [ 914 { 915 "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", 916 "type": "CVSS_V3" 917 } 918 ], 919 "summary": 
"Deserialization of Untrusted Data in logback" 920 }, 921 { 922 "affected": [ 923 { 924 "database_specific": { 925 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-gm62-rw4g-vrc4/GHSA-gm62-rw4g-vrc4.json" 926 }, 927 "package": { 928 "ecosystem": "Maven", 929 "name": "ch.qos.logback:logback-core", 930 "purl": "pkg:maven/ch.qos.logback/logback-core" 931 }, 932 "ranges": [ 933 { 934 "events": [ 935 { 936 "introduced": "1.4.13" 937 }, 938 { 939 "fixed": "1.4.14" 940 } 941 ], 942 "type": "ECOSYSTEM" 943 } 944 ], 945 "versions": [ 946 "1.4.13" 947 ] 948 }, 949 { 950 "database_specific": { 951 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-gm62-rw4g-vrc4/GHSA-gm62-rw4g-vrc4.json" 952 }, 953 "package": { 954 "ecosystem": "Maven", 955 "name": "ch.qos.logback:logback-core", 956 "purl": "pkg:maven/ch.qos.logback/logback-core" 957 }, 958 "ranges": [ 959 { 960 "events": [ 961 { 962 "introduced": "1.3.13" 963 }, 964 { 965 "fixed": "1.3.14" 966 } 967 ], 968 "type": "ECOSYSTEM" 969 } 970 ], 971 "versions": [ 972 "1.3.13" 973 ] 974 }, 975 { 976 "database_specific": { 977 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-gm62-rw4g-vrc4/GHSA-gm62-rw4g-vrc4.json" 978 }, 979 "package": { 980 "ecosystem": "Maven", 981 "name": "ch.qos.logback:logback-core", 982 "purl": "pkg:maven/ch.qos.logback/logback-core" 983 }, 984 "ranges": [ 985 { 986 "events": [ 987 { 988 "introduced": "1.2.12" 989 }, 990 { 991 "fixed": "1.2.13" 992 } 993 ], 994 "type": "ECOSYSTEM" 995 } 996 ], 997 "versions": [ 998 "1.2.12" 999 ] 1000 } 1001 ], 1002 "aliases": [ 1003 "CVE-2023-6481" 1004 ], 1005 "database_specific": { 1006 "cwe_ids": [], 1007 "github_reviewed": true, 1008 "github_reviewed_at": "2023-12-08T15:06:33Z", 1009 "nvd_published_at": "2023-12-04T09:15:37Z", 1010 "severity": "HIGH" 1011 }, 1012 "details": "A serialization vulnerability in 
logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.\n", 1013 "id": "GHSA-gm62-rw4g-vrc4", 1014 "modified": "2023-12-08T15:26:30.180357Z", 1015 "published": "2023-12-04T09:30:23Z", 1016 "references": [ 1017 { 1018 "type": "ADVISORY", 1019 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6481" 1020 }, 1021 { 1022 "type": "WEB", 1023 "url": "https://github.com/qos-ch/logback/commit/7018a3609c7bcc9dc7bf5903509901a986e5f578" 1024 }, 1025 { 1026 "type": "WEB", 1027 "url": "https://github.com/qos-ch/logback/commit/c612b2fa3caf6eef3c75f1cd5859438451d0fd6f" 1028 }, 1029 { 1030 "type": "PACKAGE", 1031 "url": "https://github.com/qos-ch/logback" 1032 }, 1033 { 1034 "type": "WEB", 1035 "url": "https://logback.qos.ch/news.html#1.3.12" 1036 }, 1037 { 1038 "type": "WEB", 1039 "url": "https://logback.qos.ch/news.html#1.3.14" 1040 } 1041 ], 1042 "related": [ 1043 "CGA-gvp8-cqcj-9m75" 1044 ], 1045 "schema_version": "1.6.0", 1046 "severity": [ 1047 { 1048 "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", 1049 "type": "CVSS_V3" 1050 } 1051 ], 1052 "summary": "Logback is vulnerable to an attacker mounting a Denial-Of-Service attack by sending poisoned data" 1053 }, 1054 { 1055 "affected": [ 1056 { 1057 "database_specific": { 1058 "last_known_affected_version_range": "\u003c= 2.9.10.3", 1059 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-27xj-rqx5-2255/GHSA-27xj-rqx5-2255.json" 1060 }, 1061 "package": { 1062 "ecosystem": "Maven", 1063 "name": "com.fasterxml.jackson.core:jackson-databind", 1064 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 1065 }, 1066 "ranges": [ 1067 { 1068 "events": [ 1069 { 1070 "introduced": "2.9.0" 1071 }, 1072 { 1073 "fixed": "2.9.10.4" 1074 } 1075 ], 1076 "type": "ECOSYSTEM" 1077 } 1078 ], 1079 "versions": [ 1080 "2.9.0", 1081 "2.9.0.pr1", 1082 "2.9.0.pr2", 1083 "2.9.0.pr3", 
1084 "2.9.0.pr4", 1085 "2.9.1", 1086 "2.9.10", 1087 "2.9.10.1", 1088 "2.9.10.2", 1089 "2.9.10.3", 1090 "2.9.2", 1091 "2.9.3", 1092 "2.9.4", 1093 "2.9.5", 1094 "2.9.6", 1095 "2.9.7", 1096 "2.9.8", 1097 "2.9.9", 1098 "2.9.9.1", 1099 "2.9.9.2", 1100 "2.9.9.3" 1101 ] 1102 } 1103 ], 1104 "aliases": [ 1105 "CVE-2020-11619" 1106 ], 1107 "database_specific": { 1108 "cwe_ids": [ 1109 "CWE-502" 1110 ], 1111 "github_reviewed": true, 1112 "github_reviewed_at": "2020-04-23T19:32:22Z", 1113 "nvd_published_at": "2020-04-07T23:15:00Z", 1114 "severity": "HIGH" 1115 }, 1116 "details": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).", 1117 "id": "GHSA-27xj-rqx5-2255", 1118 "modified": "2024-02-16T08:06:12.878312Z", 1119 "published": "2020-05-15T18:58:44Z", 1120 "references": [ 1121 { 1122 "type": "ADVISORY", 1123 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11619" 1124 }, 1125 { 1126 "type": "WEB", 1127 "url": "https://github.com/FasterXML/jackson-databind/issues/2680" 1128 }, 1129 { 1130 "type": "PACKAGE", 1131 "url": "https://github.com/FasterXML/jackson-databind" 1132 }, 1133 { 1134 "type": "WEB", 1135 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 1136 }, 1137 { 1138 "type": "WEB", 1139 "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html" 1140 }, 1141 { 1142 "type": "WEB", 1143 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 1144 }, 1145 { 1146 "type": "WEB", 1147 "url": "https://security.netapp.com/advisory/ntap-20200511-0004" 1148 }, 1149 { 1150 "type": "WEB", 1151 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 1152 }, 1153 { 1154 "type": "WEB", 1155 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 1156 }, 1157 { 1158 
"type": "WEB", 1159 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 1160 } 1161 ], 1162 "schema_version": "1.6.0", 1163 "severity": [ 1164 { 1165 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 1166 "type": "CVSS_V3" 1167 } 1168 ], 1169 "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing" 1170 }, 1171 { 1172 "affected": [ 1173 { 1174 "database_specific": { 1175 "last_known_affected_version_range": "\u003c= 2.6.7.3", 1176 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-288c-cq4h-88gq/GHSA-288c-cq4h-88gq.json" 1177 }, 1178 "package": { 1179 "ecosystem": "Maven", 1180 "name": "com.fasterxml.jackson.core:jackson-databind", 1181 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 1182 }, 1183 "ranges": [ 1184 { 1185 "events": [ 1186 { 1187 "introduced": "2.6.0" 1188 }, 1189 { 1190 "fixed": "2.6.7.4" 1191 } 1192 ], 1193 "type": "ECOSYSTEM" 1194 } 1195 ], 1196 "versions": [ 1197 "2.6.0", 1198 "2.6.1", 1199 "2.6.2", 1200 "2.6.3", 1201 "2.6.4", 1202 "2.6.5", 1203 "2.6.6", 1204 "2.6.7", 1205 "2.6.7.1", 1206 "2.6.7.2", 1207 "2.6.7.3" 1208 ] 1209 }, 1210 { 1211 "database_specific": { 1212 "last_known_affected_version_range": "\u003c= 2.9.10.6", 1213 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-288c-cq4h-88gq/GHSA-288c-cq4h-88gq.json" 1214 }, 1215 "package": { 1216 "ecosystem": "Maven", 1217 "name": "com.fasterxml.jackson.core:jackson-databind", 1218 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 1219 }, 1220 "ranges": [ 1221 { 1222 "events": [ 1223 { 1224 "introduced": "2.7.0.0" 1225 }, 1226 { 1227 "fixed": "2.9.10.7" 1228 } 1229 ], 1230 "type": "ECOSYSTEM" 1231 } 1232 ], 1233 "versions": [ 1234 "2.7.0", 1235 "2.7.1", 1236 "2.7.1-1", 1237 "2.7.2", 1238 "2.7.3", 1239 "2.7.4", 1240 "2.7.5", 1241 "2.7.6", 1242 "2.7.7", 1243 "2.7.8", 1244 "2.7.9", 1245 "2.7.9.1", 1246 
"2.7.9.2", 1247 "2.7.9.3", 1248 "2.7.9.4", 1249 "2.7.9.5", 1250 "2.7.9.6", 1251 "2.7.9.7", 1252 "2.8.0", 1253 "2.8.0.rc1", 1254 "2.8.0.rc2", 1255 "2.8.1", 1256 "2.8.10", 1257 "2.8.11", 1258 "2.8.11.1", 1259 "2.8.11.2", 1260 "2.8.11.3", 1261 "2.8.11.4", 1262 "2.8.11.5", 1263 "2.8.11.6", 1264 "2.8.2", 1265 "2.8.3", 1266 "2.8.4", 1267 "2.8.5", 1268 "2.8.6", 1269 "2.8.7", 1270 "2.8.8", 1271 "2.8.8.1", 1272 "2.8.9", 1273 "2.9.0", 1274 "2.9.0.pr1", 1275 "2.9.0.pr2", 1276 "2.9.0.pr3", 1277 "2.9.0.pr4", 1278 "2.9.1", 1279 "2.9.10", 1280 "2.9.10.1", 1281 "2.9.10.2", 1282 "2.9.10.3", 1283 "2.9.10.4", 1284 "2.9.10.5", 1285 "2.9.10.6", 1286 "2.9.2", 1287 "2.9.3", 1288 "2.9.4", 1289 "2.9.5", 1290 "2.9.6", 1291 "2.9.7", 1292 "2.9.8", 1293 "2.9.9", 1294 "2.9.9.1", 1295 "2.9.9.2", 1296 "2.9.9.3" 1297 ] 1298 }, 1299 { 1300 "database_specific": { 1301 "last_known_affected_version_range": "\u003c= 2.10.5.0", 1302 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-288c-cq4h-88gq/GHSA-288c-cq4h-88gq.json" 1303 }, 1304 "package": { 1305 "ecosystem": "Maven", 1306 "name": "com.fasterxml.jackson.core:jackson-databind", 1307 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 1308 }, 1309 "ranges": [ 1310 { 1311 "events": [ 1312 { 1313 "introduced": "2.10.0.0" 1314 }, 1315 { 1316 "fixed": "2.10.5.1" 1317 } 1318 ], 1319 "type": "ECOSYSTEM" 1320 } 1321 ], 1322 "versions": [ 1323 "2.10.0", 1324 "2.10.0.pr1", 1325 "2.10.0.pr2", 1326 "2.10.0.pr3", 1327 "2.10.1", 1328 "2.10.2", 1329 "2.10.3", 1330 "2.10.4", 1331 "2.10.5" 1332 ] 1333 } 1334 ], 1335 "aliases": [ 1336 "CVE-2020-25649" 1337 ], 1338 "database_specific": { 1339 "cwe_ids": [ 1340 "CWE-611" 1341 ], 1342 "github_reviewed": true, 1343 "github_reviewed_at": "2021-02-18T20:41:26Z", 1344 "nvd_published_at": "2020-12-03T17:15:00Z", 1345 "severity": "HIGH" 1346 }, 1347 "details": "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured 
properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.", 1348 "id": "GHSA-288c-cq4h-88gq", 1349 "modified": "2024-03-15T00:47:09.937706Z", 1350 "published": "2021-02-18T20:51:54Z", 1351 "references": [ 1352 { 1353 "type": "ADVISORY", 1354 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25649" 1355 }, 1356 { 1357 "type": "WEB", 1358 "url": "https://github.com/FasterXML/jackson-databind/issues/2589" 1359 }, 1360 { 1361 "type": "WEB", 1362 "url": "https://github.com/FasterXML/jackson-databind/commit/3d932709abd0b5390efe67451653fc9efa9db677" 1363 }, 1364 { 1365 "type": "WEB", 1366 "url": "https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59" 1367 }, 1368 { 1369 "type": "WEB", 1370 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 1371 }, 1372 { 1373 "type": "WEB", 1374 "url": "https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb@%3Cdev.knox.apache.org%3E" 1375 }, 1376 { 1377 "type": "WEB", 1378 "url": "https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2@%3Cjira.kafka.apache.org%3E" 1379 }, 1380 { 1381 "type": "WEB", 1382 "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E" 1383 }, 1384 { 1385 "type": "WEB", 1386 "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E" 1387 }, 1388 { 1389 "type": "WEB", 1390 "url": "https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604@%3Cissues.zookeeper.apache.org%3E" 1391 }, 1392 { 1393 "type": "WEB", 1394 "url": "https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b@%3Cjira.kafka.apache.org%3E" 1395 }, 1396 { 1397 "type": "WEB", 1398 "url": 
"https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3@%3Cissues.flink.apache.org%3E" 1399 }, 1400 { 1401 "type": "WEB", 1402 "url": "https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00@%3Cissues.hive.apache.org%3E" 1403 }, 1404 { 1405 "type": "WEB", 1406 "url": "https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130@%3Cjira.kafka.apache.org%3E" 1407 }, 1408 { 1409 "type": "WEB", 1410 "url": "https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54@%3Cissues.zookeeper.apache.org%3E" 1411 }, 1412 { 1413 "type": "WEB", 1414 "url": "https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a@%3Ccommits.tomee.apache.org%3E" 1415 }, 1416 { 1417 "type": "WEB", 1418 "url": "https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7@%3Ccommits.zookeeper.apache.org%3E" 1419 }, 1420 { 1421 "type": "WEB", 1422 "url": "https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22@%3Ccommits.karaf.apache.org%3E" 1423 }, 1424 { 1425 "type": "WEB", 1426 "url": "https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c@%3Cissues.zookeeper.apache.org%3E" 1427 }, 1428 { 1429 "type": "WEB", 1430 "url": "https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0@%3Cdev.zookeeper.apache.org%3E" 1431 }, 1432 { 1433 "type": "WEB", 1434 "url": "https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524@%3Cissues.hive.apache.org%3E" 1435 }, 1436 { 1437 "type": "WEB", 1438 "url": "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3Cusers.kafka.apache.org%3E" 1439 }, 1440 { 1441 "type": "WEB", 1442 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 1443 }, 1444 { 
1445 "type": "WEB", 1446 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 1447 }, 1448 { 1449 "type": "WEB", 1450 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 1451 }, 1452 { 1453 "type": "WEB", 1454 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 1455 }, 1456 { 1457 "type": "WEB", 1458 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 1459 }, 1460 { 1461 "type": "WEB", 1462 "url": "https://security.netapp.com/advisory/ntap-20210108-0007" 1463 }, 1464 { 1465 "type": "WEB", 1466 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6X2UT4X6M7DLQYBOOHMXBWGYJ65RL2CT" 1467 }, 1468 { 1469 "type": "WEB", 1470 "url": "https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402@%3Ccommits.karaf.apache.org%3E" 1471 }, 1472 { 1473 "type": "WEB", 1474 "url": "https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca@%3Cjira.kafka.apache.org%3E" 1475 }, 1476 { 1477 "type": "WEB", 1478 "url": "https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1@%3Ccommits.karaf.apache.org%3E" 1479 }, 1480 { 1481 "type": "WEB", 1482 "url": "https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc@%3Ccommits.zookeeper.apache.org%3E" 1483 }, 1484 { 1485 "type": "WEB", 1486 "url": "https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1@%3Cissues.hive.apache.org%3E" 1487 }, 1488 { 1489 "type": "WEB", 1490 "url": "https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3@%3Cissues.zookeeper.apache.org%3E" 1491 }, 1492 { 1493 "type": "WEB", 1494 "url": "https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34@%3Cissues.hive.apache.org%3E" 1495 }, 1496 { 1497 "type": "WEB", 1498 "url": 
"https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d@%3Cjira.kafka.apache.org%3E" 1499 }, 1500 { 1501 "type": "WEB", 1502 "url": "https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54@%3Cjira.kafka.apache.org%3E" 1503 }, 1504 { 1505 "type": "WEB", 1506 "url": "https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d@%3Ccommits.zookeeper.apache.org%3E" 1507 }, 1508 { 1509 "type": "WEB", 1510 "url": "https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71@%3Cjira.kafka.apache.org%3E" 1511 }, 1512 { 1513 "type": "WEB", 1514 "url": "https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd@%3Cissues.hive.apache.org%3E" 1515 }, 1516 { 1517 "type": "WEB", 1518 "url": "https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd@%3Cissues.flink.apache.org%3E" 1519 }, 1520 { 1521 "type": "WEB", 1522 "url": "https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b@%3Cissues.hive.apache.org%3E" 1523 }, 1524 { 1525 "type": "WEB", 1526 "url": "https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb@%3Ccommits.karaf.apache.org%3E" 1527 }, 1528 { 1529 "type": "WEB", 1530 "url": "https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83@%3Ccommits.servicecomb.apache.org%3E" 1531 }, 1532 { 1533 "type": "WEB", 1534 "url": "https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7@%3Cissues.hive.apache.org%3E" 1535 }, 1536 { 1537 "type": "WEB", 1538 "url": "https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1@%3Cdev.hive.apache.org%3E" 1539 }, 1540 { 1541 "type": "WEB", 1542 "url": 
"https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda@%3Ccommits.druid.apache.org%3E" 1543 }, 1544 { 1545 "type": "WEB", 1546 "url": "https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1@%3Cjira.kafka.apache.org%3E" 1547 }, 1548 { 1549 "type": "WEB", 1550 "url": "https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6@%3Cjira.kafka.apache.org%3E" 1551 }, 1552 { 1553 "type": "WEB", 1554 "url": "https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb@%3Cissues.zookeeper.apache.org%3E" 1555 }, 1556 { 1557 "type": "WEB", 1558 "url": "https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d@%3Cissues.hive.apache.org%3E" 1559 }, 1560 { 1561 "type": "WEB", 1562 "url": "https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a@%3Cnotifications.zookeeper.apache.org%3E" 1563 }, 1564 { 1565 "type": "WEB", 1566 "url": "https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949@%3Cissues.hive.apache.org%3E" 1567 }, 1568 { 1569 "type": "WEB", 1570 "url": "https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386@%3Ccommits.turbine.apache.org%3E" 1571 }, 1572 { 1573 "type": "PACKAGE", 1574 "url": "https://github.com/FasterXML/jackson-databind" 1575 }, 1576 { 1577 "type": "WEB", 1578 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887664" 1579 }, 1580 { 1581 "type": "WEB", 1582 "url": "https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3Cdev.kafka.apache.org%3E" 1583 }, 1584 { 1585 "type": "WEB", 1586 "url": "https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3@%3Cuser.spark.apache.org%3E" 1587 }, 1588 { 1589 "type": "WEB", 1590 "url": 
"https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5@%3Ccommits.zookeeper.apache.org%3E" 1591 }, 1592 { 1593 "type": "WEB", 1594 "url": "https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60@%3Creviews.iotdb.apache.org%3E" 1595 }, 1596 { 1597 "type": "WEB", 1598 "url": "https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e@%3Cjira.kafka.apache.org%3E" 1599 }, 1600 { 1601 "type": "WEB", 1602 "url": "https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8@%3Cnotifications.iotdb.apache.org%3E" 1603 }, 1604 { 1605 "type": "WEB", 1606 "url": "https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07@%3Ccommits.iotdb.apache.org%3E" 1607 }, 1608 { 1609 "type": "WEB", 1610 "url": "https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4@%3Cnotifications.zookeeper.apache.org%3E" 1611 }, 1612 { 1613 "type": "WEB", 1614 "url": "https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb@%3Creviews.iotdb.apache.org%3E" 1615 }, 1616 { 1617 "type": "WEB", 1618 "url": "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3Cusers.kafka.apache.org%3E" 1619 }, 1620 { 1621 "type": "WEB", 1622 "url": "https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3Cdev.kafka.apache.org%3E" 1623 }, 1624 { 1625 "type": "WEB", 1626 "url": "https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc@%3Cissues.hive.apache.org%3E" 1627 }, 1628 { 1629 "type": "WEB", 1630 "url": "https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61@%3Cdev.knox.apache.org%3E" 1631 }, 1632 { 1633 "type": "WEB", 1634 "url": 
"https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805@%3Cnotifications.zookeeper.apache.org%3E" 1635 }, 1636 { 1637 "type": "WEB", 1638 "url": "https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956@%3Cjira.kafka.apache.org%3E" 1639 }, 1640 { 1641 "type": "WEB", 1642 "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E" 1643 }, 1644 { 1645 "type": "WEB", 1646 "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E" 1647 }, 1648 { 1649 "type": "WEB", 1650 "url": "https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042@%3Creviews.iotdb.apache.org%3E" 1651 } 1652 ], 1653 "schema_version": "1.6.0", 1654 "severity": [ 1655 { 1656 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 1657 "type": "CVSS_V3" 1658 } 1659 ], 1660 "summary": "XML External Entity (XXE) Injection in Jackson Databind" 1661 }, 1662 { 1663 "affected": [ 1664 { 1665 "database_specific": { 1666 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-3x8x-79m2-3w2w/GHSA-3x8x-79m2-3w2w.json" 1667 }, 1668 "package": { 1669 "ecosystem": "Maven", 1670 "name": "com.fasterxml.jackson.core:jackson-databind", 1671 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 1672 }, 1673 "ranges": [ 1674 { 1675 "events": [ 1676 { 1677 "introduced": "2.10.0" 1678 }, 1679 { 1680 "fixed": "2.12.6" 1681 } 1682 ], 1683 "type": "ECOSYSTEM" 1684 } 1685 ], 1686 "versions": [ 1687 "2.10.0", 1688 "2.10.0.pr1", 1689 "2.10.0.pr2", 1690 "2.10.0.pr3", 1691 "2.10.1", 1692 "2.10.2", 1693 "2.10.3", 1694 "2.10.4", 1695 "2.10.5", 1696 "2.10.5.1", 1697 "2.11.0", 1698 "2.11.0.rc1", 1699 "2.11.1", 1700 "2.11.2", 1701 "2.11.3", 1702 "2.11.4", 1703 "2.12.0", 1704 "2.12.0-rc1", 1705 "2.12.0-rc2", 1706 "2.12.1", 
1707 "2.12.2", 1708 "2.12.3", 1709 "2.12.4", 1710 "2.12.5" 1711 ] 1712 }, 1713 { 1714 "database_specific": { 1715 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-3x8x-79m2-3w2w/GHSA-3x8x-79m2-3w2w.json" 1716 }, 1717 "package": { 1718 "ecosystem": "Maven", 1719 "name": "com.fasterxml.jackson.core:jackson-databind", 1720 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 1721 }, 1722 "ranges": [ 1723 { 1724 "events": [ 1725 { 1726 "introduced": "2.13.0" 1727 }, 1728 { 1729 "fixed": "2.13.1" 1730 } 1731 ], 1732 "type": "ECOSYSTEM" 1733 } 1734 ], 1735 "versions": [ 1736 "2.13.0" 1737 ] 1738 } 1739 ], 1740 "aliases": [ 1741 "CVE-2021-46877" 1742 ], 1743 "database_specific": { 1744 "cwe_ids": [], 1745 "github_reviewed": true, 1746 "github_reviewed_at": "2023-03-20T21:14:14Z", 1747 "nvd_published_at": "2023-03-18T22:15:00Z", 1748 "severity": "HIGH" 1749 }, 1750 "details": "jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.", 1751 "id": "GHSA-3x8x-79m2-3w2w", 1752 "modified": "2023-11-08T04:07:27.620078Z", 1753 "published": "2023-03-19T00:30:25Z", 1754 "references": [ 1755 { 1756 "type": "ADVISORY", 1757 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46877" 1758 }, 1759 { 1760 "type": "WEB", 1761 "url": "https://github.com/FasterXML/jackson-databind/issues/3328" 1762 }, 1763 { 1764 "type": "WEB", 1765 "url": "https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb" 1766 }, 1767 { 1768 "type": "PACKAGE", 1769 "url": "https://github.com/FasterXML/jackson-databind" 1770 }, 1771 { 1772 "type": "WEB", 1773 "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.12.6" 1774 }, 1775 { 1776 "type": "WEB", 1777 "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13.1" 1778 }, 
1779 { 1780 "type": "WEB", 1781 "url": "https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw" 1782 } 1783 ], 1784 "schema_version": "1.6.0", 1785 "severity": [ 1786 { 1787 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 1788 "type": "CVSS_V3" 1789 } 1790 ], 1791 "summary": "jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode" 1792 }, 1793 { 1794 "affected": [ 1795 { 1796 "database_specific": { 1797 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4gq5-ch57-c2mg/GHSA-4gq5-ch57-c2mg.json" 1798 }, 1799 "package": { 1800 "ecosystem": "Maven", 1801 "name": "com.fasterxml.jackson.core:jackson-databind", 1802 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 1803 }, 1804 "ranges": [ 1805 { 1806 "events": [ 1807 { 1808 "introduced": "2.9.0" 1809 }, 1810 { 1811 "fixed": "2.9.7" 1812 } 1813 ], 1814 "type": "ECOSYSTEM" 1815 } 1816 ], 1817 "versions": [ 1818 "2.9.0", 1819 "2.9.0.pr1", 1820 "2.9.0.pr2", 1821 "2.9.0.pr3", 1822 "2.9.0.pr4", 1823 "2.9.1", 1824 "2.9.2", 1825 "2.9.3", 1826 "2.9.4", 1827 "2.9.5", 1828 "2.9.6" 1829 ] 1830 }, 1831 { 1832 "database_specific": { 1833 "last_known_affected_version_range": "\u003c= 2.8.11.2", 1834 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4gq5-ch57-c2mg/GHSA-4gq5-ch57-c2mg.json" 1835 }, 1836 "package": { 1837 "ecosystem": "Maven", 1838 "name": "com.fasterxml.jackson.core:jackson-databind", 1839 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 1840 }, 1841 "ranges": [ 1842 { 1843 "events": [ 1844 { 1845 "introduced": "2.8.0" 1846 }, 1847 { 1848 "fixed": "2.8.11.3" 1849 } 1850 ], 1851 "type": "ECOSYSTEM" 1852 } 1853 ], 1854 "versions": [ 1855 "2.8.0", 1856 "2.8.1", 1857 "2.8.10", 1858 "2.8.11", 1859 "2.8.11.1", 1860 "2.8.11.2", 1861 "2.8.2", 1862 "2.8.3", 1863 "2.8.4", 1864 "2.8.5", 1865 "2.8.6", 1866 "2.8.7", 1867 "2.8.8", 1868 "2.8.8.1", 1869 
"2.8.9" 1870 ] 1871 }, 1872 { 1873 "database_specific": { 1874 "last_known_affected_version_range": "\u003c= 2.7.9.4", 1875 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4gq5-ch57-c2mg/GHSA-4gq5-ch57-c2mg.json" 1876 }, 1877 "package": { 1878 "ecosystem": "Maven", 1879 "name": "com.fasterxml.jackson.core:jackson-databind", 1880 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 1881 }, 1882 "ranges": [ 1883 { 1884 "events": [ 1885 { 1886 "introduced": "2.0.0" 1887 }, 1888 { 1889 "fixed": "2.7.9.5" 1890 } 1891 ], 1892 "type": "ECOSYSTEM" 1893 } 1894 ], 1895 "versions": [ 1896 "2.0.0", 1897 "2.0.1", 1898 "2.0.2", 1899 "2.0.4", 1900 "2.0.5", 1901 "2.0.6", 1902 "2.1.0", 1903 "2.1.1", 1904 "2.1.2", 1905 "2.1.3", 1906 "2.1.4", 1907 "2.1.5", 1908 "2.2.0", 1909 "2.2.0-rc1", 1910 "2.2.1", 1911 "2.2.2", 1912 "2.2.3", 1913 "2.2.4", 1914 "2.3.0", 1915 "2.3.0-rc1", 1916 "2.3.1", 1917 "2.3.2", 1918 "2.3.3", 1919 "2.3.4", 1920 "2.3.5", 1921 "2.4.0", 1922 "2.4.0-rc1", 1923 "2.4.0-rc2", 1924 "2.4.0-rc3", 1925 "2.4.1", 1926 "2.4.1.1", 1927 "2.4.1.2", 1928 "2.4.1.3", 1929 "2.4.2", 1930 "2.4.3", 1931 "2.4.4", 1932 "2.4.5", 1933 "2.4.5.1", 1934 "2.4.6", 1935 "2.4.6.1", 1936 "2.5.0", 1937 "2.5.0-rc1", 1938 "2.5.1", 1939 "2.5.2", 1940 "2.5.3", 1941 "2.5.4", 1942 "2.5.5", 1943 "2.6.0", 1944 "2.6.0-rc1", 1945 "2.6.0-rc2", 1946 "2.6.0-rc3", 1947 "2.6.0-rc4", 1948 "2.6.1", 1949 "2.6.2", 1950 "2.6.3", 1951 "2.6.4", 1952 "2.6.5", 1953 "2.6.6", 1954 "2.6.7", 1955 "2.6.7.1", 1956 "2.6.7.2", 1957 "2.6.7.3", 1958 "2.6.7.4", 1959 "2.6.7.5", 1960 "2.7.0", 1961 "2.7.0-rc1", 1962 "2.7.0-rc2", 1963 "2.7.0-rc3", 1964 "2.7.1", 1965 "2.7.1-1", 1966 "2.7.2", 1967 "2.7.3", 1968 "2.7.4", 1969 "2.7.5", 1970 "2.7.6", 1971 "2.7.7", 1972 "2.7.8", 1973 "2.7.9", 1974 "2.7.9.1", 1975 "2.7.9.2", 1976 "2.7.9.3", 1977 "2.7.9.4" 1978 ] 1979 } 1980 ], 1981 "aliases": [ 1982 "CVE-2018-14719" 1983 ], 1984 "database_specific": { 1985 "cwe_ids": [ 1986 
"CWE-502" 1987 ], 1988 "github_reviewed": true, 1989 "github_reviewed_at": "2020-06-16T20:58:21Z", 1990 "nvd_published_at": "2019-01-02T18:29:00Z", 1991 "severity": "CRITICAL" 1992 }, 1993 "details": "FasterXML jackson-databind 2.x before 2.9.7, 2.8.11.3, and 2.7.9.5 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.", 1994 "id": "GHSA-4gq5-ch57-c2mg", 1995 "modified": "2024-03-15T05:20:21.411726Z", 1996 "published": "2019-01-04T19:09:49Z", 1997 "references": [ 1998 { 1999 "type": "ADVISORY", 2000 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14719" 2001 }, 2002 { 2003 "type": "WEB", 2004 "url": "https://github.com/FasterXML/jackson-databind/issues/2097" 2005 }, 2006 { 2007 "type": "WEB", 2008 "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44" 2009 }, 2010 { 2011 "type": "WEB", 2012 "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7" 2013 }, 2014 { 2015 "type": "WEB", 2016 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 2017 }, 2018 { 2019 "type": "WEB", 2020 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 2021 }, 2022 { 2023 "type": "WEB", 2024 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 2025 }, 2026 { 2027 "type": "WEB", 2028 "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" 2029 }, 2030 { 2031 "type": "WEB", 2032 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 2033 }, 2034 { 2035 "type": "WEB", 2036 "url": 
"https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html" 2037 }, 2038 { 2039 "type": "WEB", 2040 "url": "https://seclists.org/bugtraq/2019/May/68" 2041 }, 2042 { 2043 "type": "WEB", 2044 "url": "https://security.netapp.com/advisory/ntap-20190530-0003" 2045 }, 2046 { 2047 "type": "WEB", 2048 "url": "https://www.debian.org/security/2019/dsa-4452" 2049 }, 2050 { 2051 "type": "WEB", 2052 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 2053 }, 2054 { 2055 "type": "WEB", 2056 "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" 2057 }, 2058 { 2059 "type": "WEB", 2060 "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" 2061 }, 2062 { 2063 "type": "WEB", 2064 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 2065 }, 2066 { 2067 "type": "WEB", 2068 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 2069 }, 2070 { 2071 "type": "PACKAGE", 2072 "url": "https://github.com/FasterXML/jackson-databind" 2073 }, 2074 { 2075 "type": "WEB", 2076 "url": "https://access.redhat.com/errata/RHSA-2019:4037" 2077 }, 2078 { 2079 "type": "WEB", 2080 "url": "https://access.redhat.com/errata/RHSA-2019:3892" 2081 }, 2082 { 2083 "type": "WEB", 2084 "url": "https://access.redhat.com/errata/RHSA-2019:3149" 2085 }, 2086 { 2087 "type": "WEB", 2088 "url": "https://access.redhat.com/errata/RHSA-2019:3140" 2089 }, 2090 { 2091 "type": "WEB", 2092 "url": "https://access.redhat.com/errata/RHSA-2019:3002" 2093 }, 2094 { 2095 "type": "WEB", 2096 "url": "https://access.redhat.com/errata/RHSA-2019:2858" 2097 }, 2098 { 2099 "type": "WEB", 2100 "url": "https://access.redhat.com/errata/RHSA-2019:2804" 2101 }, 2102 { 2103 "type": "WEB", 2104 "url": "https://access.redhat.com/errata/RHSA-2019:1823" 2105 }, 2106 { 2107 "type": "WEB", 2108 "url": "https://access.redhat.com/errata/RHSA-2019:1822" 2109 }, 2110 { 2111 "type": "WEB", 2112 "url": 
"https://access.redhat.com/errata/RHSA-2019:1797" 2113 }, 2114 { 2115 "type": "WEB", 2116 "url": "https://access.redhat.com/errata/RHSA-2019:1782" 2117 }, 2118 { 2119 "type": "WEB", 2120 "url": "https://access.redhat.com/errata/RHSA-2019:0877" 2121 }, 2122 { 2123 "type": "WEB", 2124 "url": "https://access.redhat.com/errata/RHSA-2019:0782" 2125 }, 2126 { 2127 "type": "WEB", 2128 "url": "https://access.redhat.com/errata/RHBA-2019:0959" 2129 } 2130 ], 2131 "schema_version": "1.6.0", 2132 "severity": [ 2133 { 2134 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 2135 "type": "CVSS_V3" 2136 } 2137 ], 2138 "summary": "Arbitrary Code Execution in jackson-databind" 2139 }, 2140 { 2141 "affected": [ 2142 { 2143 "database_specific": { 2144 "last_known_affected_version_range": "\u003c= 2.6.7.3", 2145 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-4w82-r329-3q67/GHSA-4w82-r329-3q67.json" 2146 }, 2147 "package": { 2148 "ecosystem": "Maven", 2149 "name": "com.fasterxml.jackson.core:jackson-databind", 2150 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 2151 }, 2152 "ranges": [ 2153 { 2154 "events": [ 2155 { 2156 "introduced": "2.0.0" 2157 }, 2158 { 2159 "fixed": "2.6.7.4" 2160 } 2161 ], 2162 "type": "ECOSYSTEM" 2163 } 2164 ], 2165 "versions": [ 2166 "2.0.0", 2167 "2.0.1", 2168 "2.0.2", 2169 "2.0.4", 2170 "2.0.5", 2171 "2.0.6", 2172 "2.1.0", 2173 "2.1.1", 2174 "2.1.2", 2175 "2.1.3", 2176 "2.1.4", 2177 "2.1.5", 2178 "2.2.0", 2179 "2.2.0-rc1", 2180 "2.2.1", 2181 "2.2.2", 2182 "2.2.3", 2183 "2.2.4", 2184 "2.3.0", 2185 "2.3.0-rc1", 2186 "2.3.1", 2187 "2.3.2", 2188 "2.3.3", 2189 "2.3.4", 2190 "2.3.5", 2191 "2.4.0", 2192 "2.4.0-rc1", 2193 "2.4.0-rc2", 2194 "2.4.0-rc3", 2195 "2.4.1", 2196 "2.4.1.1", 2197 "2.4.1.2", 2198 "2.4.1.3", 2199 "2.4.2", 2200 "2.4.3", 2201 "2.4.4", 2202 "2.4.5", 2203 "2.4.5.1", 2204 "2.4.6", 2205 "2.4.6.1", 2206 "2.5.0", 2207 "2.5.0-rc1", 2208 "2.5.1", 2209 "2.5.2", 2210 "2.5.3", 
2211 "2.5.4", 2212 "2.5.5", 2213 "2.6.0", 2214 "2.6.0-rc1", 2215 "2.6.0-rc2", 2216 "2.6.0-rc3", 2217 "2.6.0-rc4", 2218 "2.6.1", 2219 "2.6.2", 2220 "2.6.3", 2221 "2.6.4", 2222 "2.6.5", 2223 "2.6.6", 2224 "2.6.7", 2225 "2.6.7.1", 2226 "2.6.7.2", 2227 "2.6.7.3" 2228 ] 2229 }, 2230 { 2231 "database_specific": { 2232 "last_known_affected_version_range": "\u003c= 2.7.9.6", 2233 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-4w82-r329-3q67/GHSA-4w82-r329-3q67.json" 2234 }, 2235 "package": { 2236 "ecosystem": "Maven", 2237 "name": "com.fasterxml.jackson.core:jackson-databind", 2238 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 2239 }, 2240 "ranges": [ 2241 { 2242 "events": [ 2243 { 2244 "introduced": "2.7.0" 2245 }, 2246 { 2247 "fixed": "2.7.9.7" 2248 } 2249 ], 2250 "type": "ECOSYSTEM" 2251 } 2252 ], 2253 "versions": [ 2254 "2.7.0", 2255 "2.7.1", 2256 "2.7.1-1", 2257 "2.7.2", 2258 "2.7.3", 2259 "2.7.4", 2260 "2.7.5", 2261 "2.7.6", 2262 "2.7.7", 2263 "2.7.8", 2264 "2.7.9", 2265 "2.7.9.1", 2266 "2.7.9.2", 2267 "2.7.9.3", 2268 "2.7.9.4", 2269 "2.7.9.5", 2270 "2.7.9.6" 2271 ] 2272 }, 2273 { 2274 "database_specific": { 2275 "last_known_affected_version_range": "\u003c= 2.8.11.4", 2276 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-4w82-r329-3q67/GHSA-4w82-r329-3q67.json" 2277 }, 2278 "package": { 2279 "ecosystem": "Maven", 2280 "name": "com.fasterxml.jackson.core:jackson-databind", 2281 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 2282 }, 2283 "ranges": [ 2284 { 2285 "events": [ 2286 { 2287 "introduced": "2.8.0" 2288 }, 2289 { 2290 "fixed": "2.8.11.5" 2291 } 2292 ], 2293 "type": "ECOSYSTEM" 2294 } 2295 ], 2296 "versions": [ 2297 "2.8.0", 2298 "2.8.1", 2299 "2.8.10", 2300 "2.8.11", 2301 "2.8.11.1", 2302 "2.8.11.2", 2303 "2.8.11.3", 2304 "2.8.11.4", 2305 "2.8.2", 2306 "2.8.3", 2307 "2.8.4", 2308 "2.8.5", 2309 "2.8.6", 2310 
"2.8.7", 2311 "2.8.8", 2312 "2.8.8.1", 2313 "2.8.9" 2314 ] 2315 }, 2316 { 2317 "database_specific": { 2318 "last_known_affected_version_range": "\u003c= 2.9.10.2", 2319 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-4w82-r329-3q67/GHSA-4w82-r329-3q67.json" 2320 }, 2321 "package": { 2322 "ecosystem": "Maven", 2323 "name": "com.fasterxml.jackson.core:jackson-databind", 2324 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 2325 }, 2326 "ranges": [ 2327 { 2328 "events": [ 2329 { 2330 "introduced": "2.9.0" 2331 }, 2332 { 2333 "fixed": "2.9.10.3" 2334 } 2335 ], 2336 "type": "ECOSYSTEM" 2337 } 2338 ], 2339 "versions": [ 2340 "2.9.0", 2341 "2.9.0.pr1", 2342 "2.9.0.pr2", 2343 "2.9.0.pr3", 2344 "2.9.0.pr4", 2345 "2.9.1", 2346 "2.9.10", 2347 "2.9.10.1", 2348 "2.9.10.2", 2349 "2.9.2", 2350 "2.9.3", 2351 "2.9.4", 2352 "2.9.5", 2353 "2.9.6", 2354 "2.9.7", 2355 "2.9.8", 2356 "2.9.9", 2357 "2.9.9.1", 2358 "2.9.9.2", 2359 "2.9.9.3" 2360 ] 2361 } 2362 ], 2363 "aliases": [ 2364 "CVE-2020-8840" 2365 ], 2366 "database_specific": { 2367 "cwe_ids": [ 2368 "CWE-502" 2369 ], 2370 "github_reviewed": true, 2371 "github_reviewed_at": "2020-02-25T20:56:51Z", 2372 "nvd_published_at": "2020-02-10T21:56:00Z", 2373 "severity": "CRITICAL" 2374 }, 2375 "details": "FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.", 2376 "id": "GHSA-4w82-r329-3q67", 2377 "modified": "2024-03-16T05:18:54.922179Z", 2378 "published": "2020-03-04T20:52:14Z", 2379 "references": [ 2380 { 2381 "type": "ADVISORY", 2382 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8840" 2383 }, 2384 { 2385 "type": "WEB", 2386 "url": "https://github.com/FasterXML/jackson-databind/issues/2620" 2387 }, 2388 { 2389 "type": "WEB", 2390 "url": 
"https://github.com/FasterXML/jackson-databind/commit/74aba4042fce35ee0b91bd2847e788c10040d78b" 2391 }, 2392 { 2393 "type": "WEB", 2394 "url": "https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497" 2395 }, 2396 { 2397 "type": "WEB", 2398 "url": "https://github.com/FasterXML/jackson-databind/commit/9bb52c7122271df75435ec7e66ecf6b02b1ee14f" 2399 }, 2400 { 2401 "type": "WEB", 2402 "url": "https://lists.apache.org/thread.html/ra275f29615f35d5b40106d1582a41e5388b2a5131564e9e01a572987@%3Cdev.ranger.apache.org%3E" 2403 }, 2404 { 2405 "type": "WEB", 2406 "url": "https://lists.apache.org/thread.html/rac5ee5d686818be7e7c430d35108ee01a88aae54f832d32f62431fd1@%3Cnotifications.zookeeper.apache.org%3E" 2407 }, 2408 { 2409 "type": "WEB", 2410 "url": "https://lists.apache.org/thread.html/rb43f9a65150948a6bebd3cb77ee3e105d40db2820fd547528f4e7f89@%3Cissues.zookeeper.apache.org%3E" 2411 }, 2412 { 2413 "type": "WEB", 2414 "url": "https://lists.apache.org/thread.html/rb5eedf90ba3633e171a2ffdfe484651c9490dc5df74c8a29244cbc0e@%3Ccommits.zookeeper.apache.org%3E" 2415 }, 2416 { 2417 "type": "WEB", 2418 "url": "https://lists.apache.org/thread.html/rb73708bf714ed6dbc1212da082e7703e586077f0c92f3940b2e82caf@%3Cdev.ranger.apache.org%3E" 2419 }, 2420 { 2421 "type": "WEB", 2422 "url": "https://lists.apache.org/thread.html/rb99c7321eba5d4c907beec46675d52827528b738cfafd48eb4d862f1@%3Cdev.tomee.apache.org%3E" 2423 }, 2424 { 2425 "type": "WEB", 2426 "url": "https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2@%3Cdev.tomee.apache.org%3E" 2427 }, 2428 { 2429 "type": "WEB", 2430 "url": "https://lists.apache.org/thread.html/rc717fd6c65190f4e592345713f9ef0723fb7d71f624caa2a17caa26a@%3Cdev.ranger.apache.org%3E" 2431 }, 2432 { 2433 "type": "WEB", 2434 "url": "https://lists.apache.org/thread.html/rcc72b497e3dff2dc62ec9b89ceb90bc4e1b14fc56c3c252a6fcbb013@%3Cdev.ranger.apache.org%3E" 2435 }, 2436 { 2437 "type": "WEB", 2438 
"url": "https://lists.apache.org/thread.html/rdea588d4a0ebf9cb7ce8c3a8f18d0d306507c4f8ba178dd3d20207b8@%3Cdev.tomee.apache.org%3E" 2439 }, 2440 { 2441 "type": "WEB", 2442 "url": "https://lists.apache.org/thread.html/rdf311f13e6356297e0ffe74397fdd25a3687b0a16e687c3ff5b834d8@%3Cdev.ranger.apache.org%3E" 2443 }, 2444 { 2445 "type": "WEB", 2446 "url": "https://lists.apache.org/thread.html/rdf8d389271a291dde3b2f99c36918d6cb1e796958af626cc140fee23@%3Ccommits.zookeeper.apache.org%3E" 2447 }, 2448 { 2449 "type": "WEB", 2450 "url": "https://lists.apache.org/thread.html/re7326b8655eab931f2a9ce074fd9a1a51b5db11456bee9b48e1e170c@%3Cissues.zookeeper.apache.org%3E" 2451 }, 2452 { 2453 "type": "WEB", 2454 "url": "https://lists.apache.org/thread.html/re8ae2670ec456ef1c5a2a661a2838ab2cd00e9efa1e88c069f546f21@%3Ccommits.zookeeper.apache.org%3E" 2455 }, 2456 { 2457 "type": "WEB", 2458 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 2459 }, 2460 { 2461 "type": "WEB", 2462 "url": "https://lists.apache.org/thread.html/rf28ab6f224b48452afd567dfffb705fbda0fdbbf6535f6bc69d47e91@%3Cdev.ranger.apache.org%3E" 2463 }, 2464 { 2465 "type": "WEB", 2466 "url": "https://lists.apache.org/thread.html/rfc1ccfe89332155b72ce17f13a2701d3e7b9ec213324ceb90e79a28a@%3Cdev.ranger.apache.org%3E" 2467 }, 2468 { 2469 "type": "WEB", 2470 "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00020.html" 2471 }, 2472 { 2473 "type": "WEB", 2474 "url": "https://security.netapp.com/advisory/ntap-20200327-0002" 2475 }, 2476 { 2477 "type": "WEB", 2478 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 2479 }, 2480 { 2481 "type": "WEB", 2482 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 2483 }, 2484 { 2485 "type": "PACKAGE", 2486 "url": "https://github.com/FasterXML/jackson-databind" 2487 }, 2488 { 2489 "type": "WEB", 2490 "url": 
"https://lists.apache.org/thread.html/r078e68a926ea6be12e8404e47f45aabf04bb4668e8265c0de41db6db@%3Ccommits.druid.apache.org%3E" 2491 }, 2492 { 2493 "type": "WEB", 2494 "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" 2495 }, 2496 { 2497 "type": "WEB", 2498 "url": "https://lists.apache.org/thread.html/r1c09b9551f6953dbeca190a4c4b78198cdbb9825fce36f96fe3d8218@%3Cdev.tomee.apache.org%3E" 2499 }, 2500 { 2501 "type": "WEB", 2502 "url": "https://lists.apache.org/thread.html/r1efc776fc6ce3387593deaa94bbdd296733b1b01408a39c8d1ab9e0e@%3Cdev.ranger.apache.org%3E" 2503 }, 2504 { 2505 "type": "WEB", 2506 "url": "https://lists.apache.org/thread.html/r2fa8046bd47fb407ca09b5107a80fa6147ba4ebe879caae5c98b7657@%3Cdev.ranger.apache.org%3E" 2507 }, 2508 { 2509 "type": "WEB", 2510 "url": "https://lists.apache.org/thread.html/r319f19c74e06c201b9d4e8b282a4e4b2da6dcda022fb46f007dd00d3@%3Ccommits.druid.apache.org%3E" 2511 }, 2512 { 2513 "type": "WEB", 2514 "url": "https://lists.apache.org/thread.html/r3539bd3a377991217d724879d239e16e86001c54160076408574e1da@%3Cnotifications.zookeeper.apache.org%3E" 2515 }, 2516 { 2517 "type": "WEB", 2518 "url": "https://lists.apache.org/thread.html/r3d20a2660b36551fd8257d479941782af4a7169582449fac1704bde2@%3Ccommits.druid.apache.org%3E" 2519 }, 2520 { 2521 "type": "WEB", 2522 "url": "https://lists.apache.org/thread.html/r428d068b2a4923f1a5a4f5fc6381b95205cfe7620169d16db78e9c71@%3Cnotifications.zookeeper.apache.org%3E" 2523 }, 2524 { 2525 "type": "WEB", 2526 "url": "https://lists.apache.org/thread.html/r446646c5588b10f5e02409ad580b12f314869009cdfbf844ca395cec@%3Cdev.ranger.apache.org%3E" 2527 }, 2528 { 2529 "type": "WEB", 2530 "url": "https://lists.apache.org/thread.html/r46bebdeb59b8b7212d63a010ca445a9f5c4e9d64dcf693cab6f399d3@%3Ccommits.zookeeper.apache.org%3E" 2531 }, 2532 { 2533 "type": "WEB", 2534 "url": 
"https://lists.apache.org/thread.html/r5d8bea8e9d17b6efcf4a0e4e194e91ef46a99f505777a31a60da2b38@%3Cdev.ranger.apache.org%3E" 2535 }, 2536 { 2537 "type": "WEB", 2538 "url": "https://lists.apache.org/thread.html/r65ee95fa09c831843bac81eaa582fdddc2b6119912a72d1c83a9b882@%3Cissues.zookeeper.apache.org%3E" 2539 }, 2540 { 2541 "type": "WEB", 2542 "url": "https://lists.apache.org/thread.html/r6fdd4c61a09a0c89f581b4ddb3dc6f154ab0c705fcfd0a7358b2e4e5@%3Cissues.zookeeper.apache.org%3E" 2543 }, 2544 { 2545 "type": "WEB", 2546 "url": "https://lists.apache.org/thread.html/r7762d69e85c58d6948823424017ef4c08f47de077644277fa18cc116@%3Cdev.ranger.apache.org%3E" 2547 }, 2548 { 2549 "type": "WEB", 2550 "url": "https://lists.apache.org/thread.html/r7e5c10534ed06bf805473ac85e8412fe3908a8fa4cabf5027bf11220@%3Cdev.kafka.apache.org%3E" 2551 }, 2552 { 2553 "type": "WEB", 2554 "url": "https://lists.apache.org/thread.html/r8170007fd9b263d65b37d92a7b5d7bc357aedbb113a32838bc4a9485@%3Cissues.zookeeper.apache.org%3E" 2555 }, 2556 { 2557 "type": "WEB", 2558 "url": "https://lists.apache.org/thread.html/r8e96c340004b7898cad3204ea51280ef6e4b553a684e1452bf1b18b1@%3Cjira.kafka.apache.org%3E" 2559 }, 2560 { 2561 "type": "WEB", 2562 "url": "https://lists.apache.org/thread.html/r94930e39b60fff236160c1c4110fe884dc093044b067aa5fc98d7ee1@%3Cdev.ranger.apache.org%3E" 2563 }, 2564 { 2565 "type": "WEB", 2566 "url": "https://lists.apache.org/thread.html/r9e59ebaf76fd00b2fa3ff5ebf18fe075ca9f4376216612c696f76718@%3Cdev.ranger.apache.org%3E" 2567 }, 2568 { 2569 "type": "WEB", 2570 "url": "https://lists.apache.org/thread.html/r9ecf211c22760b00967ebe158c6ed7dba9142078e2a630ab8904a5b7@%3Cdev.zookeeper.apache.org%3E" 2571 }, 2572 { 2573 "type": "WEB", 2574 "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200610-01-fastjason-en" 2575 } 2576 ], 2577 "schema_version": "1.6.0", 2578 "severity": [ 2579 { 2580 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 2581 "type": "CVSS_V3" 2582 } 2583 
], 2584 "summary": "Deserialization of Untrusted Data in jackson-databind" 2585 }, 2586 { 2587 "affected": [ 2588 { 2589 "database_specific": { 2590 "last_known_affected_version_range": "\u003c= 2.13.2.0", 2591 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-57j2-w4cx-62h2/GHSA-57j2-w4cx-62h2.json" 2592 }, 2593 "package": { 2594 "ecosystem": "Maven", 2595 "name": "com.fasterxml.jackson.core:jackson-databind", 2596 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 2597 }, 2598 "ranges": [ 2599 { 2600 "events": [ 2601 { 2602 "introduced": "2.13.0" 2603 }, 2604 { 2605 "fixed": "2.13.2.1" 2606 } 2607 ], 2608 "type": "ECOSYSTEM" 2609 } 2610 ], 2611 "versions": [ 2612 "2.13.0", 2613 "2.13.1", 2614 "2.13.2" 2615 ] 2616 }, 2617 { 2618 "database_specific": { 2619 "last_known_affected_version_range": "\u003c= 2.12.6.0", 2620 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-57j2-w4cx-62h2/GHSA-57j2-w4cx-62h2.json" 2621 }, 2622 "package": { 2623 "ecosystem": "Maven", 2624 "name": "com.fasterxml.jackson.core:jackson-databind", 2625 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 2626 }, 2627 "ranges": [ 2628 { 2629 "events": [ 2630 { 2631 "introduced": "0" 2632 }, 2633 { 2634 "fixed": "2.12.6.1" 2635 } 2636 ], 2637 "type": "ECOSYSTEM" 2638 } 2639 ], 2640 "versions": [ 2641 "2.0.0", 2642 "2.0.0-RC1", 2643 "2.0.0-RC2", 2644 "2.0.0-RC3", 2645 "2.0.1", 2646 "2.0.2", 2647 "2.0.4", 2648 "2.0.5", 2649 "2.0.6", 2650 "2.1.0", 2651 "2.1.1", 2652 "2.1.2", 2653 "2.1.3", 2654 "2.1.4", 2655 "2.1.5", 2656 "2.10.0", 2657 "2.10.0.pr1", 2658 "2.10.0.pr2", 2659 "2.10.0.pr3", 2660 "2.10.1", 2661 "2.10.2", 2662 "2.10.3", 2663 "2.10.4", 2664 "2.10.5", 2665 "2.10.5.1", 2666 "2.11.0", 2667 "2.11.0.rc1", 2668 "2.11.1", 2669 "2.11.2", 2670 "2.11.3", 2671 "2.11.4", 2672 "2.12.0", 2673 "2.12.0-rc1", 2674 "2.12.0-rc2", 2675 "2.12.1", 2676 "2.12.2", 2677 "2.12.3", 
2678 "2.12.4", 2679 "2.12.5", 2680 "2.12.6", 2681 "2.2.0", 2682 "2.2.0-rc1", 2683 "2.2.1", 2684 "2.2.2", 2685 "2.2.3", 2686 "2.2.4", 2687 "2.3.0", 2688 "2.3.0-rc1", 2689 "2.3.1", 2690 "2.3.2", 2691 "2.3.3", 2692 "2.3.4", 2693 "2.3.5", 2694 "2.4.0", 2695 "2.4.0-rc1", 2696 "2.4.0-rc2", 2697 "2.4.0-rc3", 2698 "2.4.1", 2699 "2.4.1.1", 2700 "2.4.1.2", 2701 "2.4.1.3", 2702 "2.4.2", 2703 "2.4.3", 2704 "2.4.4", 2705 "2.4.5", 2706 "2.4.5.1", 2707 "2.4.6", 2708 "2.4.6.1", 2709 "2.5.0", 2710 "2.5.0-rc1", 2711 "2.5.1", 2712 "2.5.2", 2713 "2.5.3", 2714 "2.5.4", 2715 "2.5.5", 2716 "2.6.0", 2717 "2.6.0-rc1", 2718 "2.6.0-rc2", 2719 "2.6.0-rc3", 2720 "2.6.0-rc4", 2721 "2.6.1", 2722 "2.6.2", 2723 "2.6.3", 2724 "2.6.4", 2725 "2.6.5", 2726 "2.6.6", 2727 "2.6.7", 2728 "2.6.7.1", 2729 "2.6.7.2", 2730 "2.6.7.3", 2731 "2.6.7.4", 2732 "2.6.7.5", 2733 "2.7.0", 2734 "2.7.0-rc1", 2735 "2.7.0-rc2", 2736 "2.7.0-rc3", 2737 "2.7.1", 2738 "2.7.1-1", 2739 "2.7.2", 2740 "2.7.3", 2741 "2.7.4", 2742 "2.7.5", 2743 "2.7.6", 2744 "2.7.7", 2745 "2.7.8", 2746 "2.7.9", 2747 "2.7.9.1", 2748 "2.7.9.2", 2749 "2.7.9.3", 2750 "2.7.9.4", 2751 "2.7.9.5", 2752 "2.7.9.6", 2753 "2.7.9.7", 2754 "2.8.0", 2755 "2.8.0.rc1", 2756 "2.8.0.rc2", 2757 "2.8.1", 2758 "2.8.10", 2759 "2.8.11", 2760 "2.8.11.1", 2761 "2.8.11.2", 2762 "2.8.11.3", 2763 "2.8.11.4", 2764 "2.8.11.5", 2765 "2.8.11.6", 2766 "2.8.2", 2767 "2.8.3", 2768 "2.8.4", 2769 "2.8.5", 2770 "2.8.6", 2771 "2.8.7", 2772 "2.8.8", 2773 "2.8.8.1", 2774 "2.8.9", 2775 "2.9.0", 2776 "2.9.0.pr1", 2777 "2.9.0.pr2", 2778 "2.9.0.pr3", 2779 "2.9.0.pr4", 2780 "2.9.1", 2781 "2.9.10", 2782 "2.9.10.1", 2783 "2.9.10.2", 2784 "2.9.10.3", 2785 "2.9.10.4", 2786 "2.9.10.5", 2787 "2.9.10.6", 2788 "2.9.10.7", 2789 "2.9.10.8", 2790 "2.9.2", 2791 "2.9.3", 2792 "2.9.4", 2793 "2.9.5", 2794 "2.9.6", 2795 "2.9.7", 2796 "2.9.8", 2797 "2.9.9", 2798 "2.9.9.1", 2799 "2.9.9.2", 2800 "2.9.9.3" 2801 ] 2802 } 2803 ], 2804 "aliases": [ 2805 "CVE-2020-36518" 2806 ], 2807 "database_specific": { 2808 
"cwe_ids": [ 2809 "CWE-787" 2810 ], 2811 "github_reviewed": true, 2812 "github_reviewed_at": "2022-03-22T14:36:44Z", 2813 "nvd_published_at": "2022-03-11T07:15:00Z", 2814 "severity": "HIGH" 2815 }, 2816 "details": "jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.", 2817 "id": "GHSA-57j2-w4cx-62h2", 2818 "modified": "2024-03-15T00:31:45.682369Z", 2819 "published": "2022-03-12T00:00:36Z", 2820 "references": [ 2821 { 2822 "type": "ADVISORY", 2823 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36518" 2824 }, 2825 { 2826 "type": "WEB", 2827 "url": "https://github.com/FasterXML/jackson-databind/issues/2816" 2828 }, 2829 { 2830 "type": "WEB", 2831 "url": "https://github.com/FasterXML/jackson-databind/commit/0a8157c6ca478b1bc7be4ba7dccdb3863275f0de" 2832 }, 2833 { 2834 "type": "WEB", 2835 "url": "https://github.com/FasterXML/jackson-databind/commit/3cc52f82ecf943e06c1d7c3b078e405fb3923d2b" 2836 }, 2837 { 2838 "type": "WEB", 2839 "url": "https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd" 2840 }, 2841 { 2842 "type": "WEB", 2843 "url": "https://github.com/FasterXML/jackson-databind/commit/b3587924ee5d8695942f364d0d404d48d0ea6126" 2844 }, 2845 { 2846 "type": "WEB", 2847 "url": "https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b" 2848 }, 2849 { 2850 "type": "PACKAGE", 2851 "url": "https://github.com/FasterXML/jackson-databind" 2852 }, 2853 { 2854 "type": "WEB", 2855 "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.12" 2856 }, 2857 { 2858 "type": "WEB", 2859 "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13" 2860 }, 2861 { 2862 "type": "WEB", 2863 "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html" 2864 }, 2865 { 2866 "type": "WEB", 2867 "url": 
"https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html" 2868 }, 2869 { 2870 "type": "WEB", 2871 "url": "https://security.netapp.com/advisory/ntap-20220506-0004" 2872 }, 2873 { 2874 "type": "WEB", 2875 "url": "https://www.debian.org/security/2022/dsa-5283" 2876 }, 2877 { 2878 "type": "WEB", 2879 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 2880 }, 2881 { 2882 "type": "WEB", 2883 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 2884 } 2885 ], 2886 "schema_version": "1.6.0", 2887 "severity": [ 2888 { 2889 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 2890 "type": "CVSS_V3" 2891 } 2892 ], 2893 "summary": "Deeply nested json in jackson-databind" 2894 }, 2895 { 2896 "affected": [ 2897 { 2898 "database_specific": { 2899 "last_known_affected_version_range": "\u003c= 2.9.10.3", 2900 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-58pp-9c76-5625/GHSA-58pp-9c76-5625.json" 2901 }, 2902 "package": { 2903 "ecosystem": "Maven", 2904 "name": "com.fasterxml.jackson.core:jackson-databind", 2905 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 2906 }, 2907 "ranges": [ 2908 { 2909 "events": [ 2910 { 2911 "introduced": "2.9.0" 2912 }, 2913 { 2914 "fixed": "2.9.10.4" 2915 } 2916 ], 2917 "type": "ECOSYSTEM" 2918 } 2919 ], 2920 "versions": [ 2921 "2.9.0", 2922 "2.9.0.pr1", 2923 "2.9.0.pr2", 2924 "2.9.0.pr3", 2925 "2.9.0.pr4", 2926 "2.9.1", 2927 "2.9.10", 2928 "2.9.10.1", 2929 "2.9.10.2", 2930 "2.9.10.3", 2931 "2.9.2", 2932 "2.9.3", 2933 "2.9.4", 2934 "2.9.5", 2935 "2.9.6", 2936 "2.9.7", 2937 "2.9.8", 2938 "2.9.9", 2939 "2.9.9.1", 2940 "2.9.9.2", 2941 "2.9.9.3" 2942 ] 2943 } 2944 ], 2945 "aliases": [ 2946 "CVE-2020-11112" 2947 ], 2948 "database_specific": { 2949 "cwe_ids": [ 2950 "CWE-502" 2951 ], 2952 "github_reviewed": true, 2953 "github_reviewed_at": "2020-06-10T21:11:14Z", 2954 "nvd_published_at": "2020-03-31T05:15:00Z", 2955 "severity": "HIGH" 2956 }, 2957 
"details": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).", 2958 "id": "GHSA-58pp-9c76-5625", 2959 "modified": "2024-02-16T07:55:08.550842Z", 2960 "published": "2020-06-10T21:12:41Z", 2961 "references": [ 2962 { 2963 "type": "ADVISORY", 2964 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11112" 2965 }, 2966 { 2967 "type": "WEB", 2968 "url": "https://github.com/FasterXML/jackson-databind/issues/2666" 2969 }, 2970 { 2971 "type": "PACKAGE", 2972 "url": "https://github.com/FasterXML/jackson-databind" 2973 }, 2974 { 2975 "type": "WEB", 2976 "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html" 2977 }, 2978 { 2979 "type": "WEB", 2980 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 2981 }, 2982 { 2983 "type": "WEB", 2984 "url": "https://security.netapp.com/advisory/ntap-20200403-0002" 2985 }, 2986 { 2987 "type": "WEB", 2988 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 2989 }, 2990 { 2991 "type": "WEB", 2992 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 2993 }, 2994 { 2995 "type": "WEB", 2996 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 2997 }, 2998 { 2999 "type": "WEB", 3000 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 3001 } 3002 ], 3003 "schema_version": "1.6.0", 3004 "severity": [ 3005 { 3006 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", 3007 "type": "CVSS_V3" 3008 } 3009 ], 3010 "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing" 3011 }, 3012 { 3013 "affected": [ 3014 { 3015 "database_specific": { 3016 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-5949-rw7g-wx7w/GHSA-5949-rw7g-wx7w.json" 3017 }, 3018 "package": { 3019 "ecosystem": 
"Maven", 3020 "name": "com.fasterxml.jackson.core:jackson-databind", 3021 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 3022 }, 3023 "ranges": [ 3024 { 3025 "events": [ 3026 { 3027 "introduced": "2.7.0" 3028 }, 3029 { 3030 "fixed": "2.9.10.7" 3031 } 3032 ], 3033 "type": "ECOSYSTEM" 3034 } 3035 ], 3036 "versions": [ 3037 "2.7.0", 3038 "2.7.1", 3039 "2.7.1-1", 3040 "2.7.2", 3041 "2.7.3", 3042 "2.7.4", 3043 "2.7.5", 3044 "2.7.6", 3045 "2.7.7", 3046 "2.7.8", 3047 "2.7.9", 3048 "2.7.9.1", 3049 "2.7.9.2", 3050 "2.7.9.3", 3051 "2.7.9.4", 3052 "2.7.9.5", 3053 "2.7.9.6", 3054 "2.7.9.7", 3055 "2.8.0", 3056 "2.8.0.rc1", 3057 "2.8.0.rc2", 3058 "2.8.1", 3059 "2.8.10", 3060 "2.8.11", 3061 "2.8.11.1", 3062 "2.8.11.2", 3063 "2.8.11.3", 3064 "2.8.11.4", 3065 "2.8.11.5", 3066 "2.8.11.6", 3067 "2.8.2", 3068 "2.8.3", 3069 "2.8.4", 3070 "2.8.5", 3071 "2.8.6", 3072 "2.8.7", 3073 "2.8.8", 3074 "2.8.8.1", 3075 "2.8.9", 3076 "2.9.0", 3077 "2.9.0.pr1", 3078 "2.9.0.pr2", 3079 "2.9.0.pr3", 3080 "2.9.0.pr4", 3081 "2.9.1", 3082 "2.9.10", 3083 "2.9.10.1", 3084 "2.9.10.2", 3085 "2.9.10.3", 3086 "2.9.10.4", 3087 "2.9.10.5", 3088 "2.9.10.6", 3089 "2.9.2", 3090 "2.9.3", 3091 "2.9.4", 3092 "2.9.5", 3093 "2.9.6", 3094 "2.9.7", 3095 "2.9.8", 3096 "2.9.9", 3097 "2.9.9.1", 3098 "2.9.9.2", 3099 "2.9.9.3" 3100 ] 3101 }, 3102 { 3103 "database_specific": { 3104 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-5949-rw7g-wx7w/GHSA-5949-rw7g-wx7w.json" 3105 }, 3106 "package": { 3107 "ecosystem": "Maven", 3108 "name": "com.fasterxml.jackson.core:jackson-databind", 3109 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 3110 }, 3111 "ranges": [ 3112 { 3113 "events": [ 3114 { 3115 "introduced": "0" 3116 }, 3117 { 3118 "fixed": "2.6.7.5" 3119 } 3120 ], 3121 "type": "ECOSYSTEM" 3122 } 3123 ], 3124 "versions": [ 3125 "2.0.0", 3126 "2.0.0-RC1", 3127 "2.0.0-RC2", 3128 "2.0.0-RC3", 3129 "2.0.1", 3130 "2.0.2", 3131 "2.0.4", 3132 
"2.0.5", 3133 "2.0.6", 3134 "2.1.0", 3135 "2.1.1", 3136 "2.1.2", 3137 "2.1.3", 3138 "2.1.4", 3139 "2.1.5", 3140 "2.2.0", 3141 "2.2.0-rc1", 3142 "2.2.1", 3143 "2.2.2", 3144 "2.2.3", 3145 "2.2.4", 3146 "2.3.0", 3147 "2.3.0-rc1", 3148 "2.3.1", 3149 "2.3.2", 3150 "2.3.3", 3151 "2.3.4", 3152 "2.3.5", 3153 "2.4.0", 3154 "2.4.0-rc1", 3155 "2.4.0-rc2", 3156 "2.4.0-rc3", 3157 "2.4.1", 3158 "2.4.1.1", 3159 "2.4.1.2", 3160 "2.4.1.3", 3161 "2.4.2", 3162 "2.4.3", 3163 "2.4.4", 3164 "2.4.5", 3165 "2.4.5.1", 3166 "2.4.6", 3167 "2.4.6.1", 3168 "2.5.0", 3169 "2.5.0-rc1", 3170 "2.5.1", 3171 "2.5.2", 3172 "2.5.3", 3173 "2.5.4", 3174 "2.5.5", 3175 "2.6.0", 3176 "2.6.0-rc1", 3177 "2.6.0-rc2", 3178 "2.6.0-rc3", 3179 "2.6.0-rc4", 3180 "2.6.1", 3181 "2.6.2", 3182 "2.6.3", 3183 "2.6.4", 3184 "2.6.5", 3185 "2.6.6", 3186 "2.6.7", 3187 "2.6.7.1", 3188 "2.6.7.2", 3189 "2.6.7.3", 3190 "2.6.7.4" 3191 ] 3192 } 3193 ], 3194 "aliases": [ 3195 "CVE-2021-20190" 3196 ], 3197 "database_specific": { 3198 "cwe_ids": [ 3199 "CWE-502" 3200 ], 3201 "github_reviewed": true, 3202 "github_reviewed_at": "2021-01-20T04:44:51Z", 3203 "nvd_published_at": "2021-01-19T17:15:00Z", 3204 "severity": "HIGH" 3205 }, 3206 "details": "A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. 
The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", 3207 "id": "GHSA-5949-rw7g-wx7w", 3208 "modified": "2024-03-15T00:32:45.692417Z", 3209 "published": "2021-01-20T21:20:15Z", 3210 "references": [ 3211 { 3212 "type": "ADVISORY", 3213 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20190" 3214 }, 3215 { 3216 "type": "WEB", 3217 "url": "https://github.com/FasterXML/jackson-databind/issues/2854" 3218 }, 3219 { 3220 "type": "WEB", 3221 "url": "https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88" 3222 }, 3223 { 3224 "type": "WEB", 3225 "url": "https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a" 3226 }, 3227 { 3228 "type": "WEB", 3229 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1916633" 3230 }, 3231 { 3232 "type": "PACKAGE", 3233 "url": "https://github.com/FasterXML/jackson-databind" 3234 }, 3235 { 3236 "type": "WEB", 3237 "url": "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E" 3238 }, 3239 { 3240 "type": "WEB", 3241 "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" 3242 }, 3243 { 3244 "type": "WEB", 3245 "url": "https://security.netapp.com/advisory/ntap-20210219-0008" 3246 }, 3247 { 3248 "type": "WEB", 3249 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 3250 } 3251 ], 3252 "schema_version": "1.6.0", 3253 "severity": [ 3254 { 3255 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 3256 "type": "CVSS_V3" 3257 } 3258 ], 3259 "summary": "Deserialization of untrusted data in jackson-databind" 3260 }, 3261 { 3262 "affected": [ 3263 { 3264 "database_specific": { 3265 "last_known_affected_version_range": "\u003c= 2.9.10.3", 3266 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-5p34-5m6p-p58g/GHSA-5p34-5m6p-p58g.json" 3267 }, 3268 
"package": { 3269 "ecosystem": "Maven", 3270 "name": "com.fasterxml.jackson.core:jackson-databind", 3271 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 3272 }, 3273 "ranges": [ 3274 { 3275 "events": [ 3276 { 3277 "introduced": "2.9.0" 3278 }, 3279 { 3280 "fixed": "2.9.10.4" 3281 } 3282 ], 3283 "type": "ECOSYSTEM" 3284 } 3285 ], 3286 "versions": [ 3287 "2.9.0", 3288 "2.9.0.pr1", 3289 "2.9.0.pr2", 3290 "2.9.0.pr3", 3291 "2.9.0.pr4", 3292 "2.9.1", 3293 "2.9.10", 3294 "2.9.10.1", 3295 "2.9.10.2", 3296 "2.9.10.3", 3297 "2.9.2", 3298 "2.9.3", 3299 "2.9.4", 3300 "2.9.5", 3301 "2.9.6", 3302 "2.9.7", 3303 "2.9.8", 3304 "2.9.9", 3305 "2.9.9.1", 3306 "2.9.9.2", 3307 "2.9.9.3" 3308 ] 3309 } 3310 ], 3311 "aliases": [ 3312 "CVE-2020-9546" 3313 ], 3314 "database_specific": { 3315 "cwe_ids": [ 3316 "CWE-502" 3317 ], 3318 "github_reviewed": true, 3319 "github_reviewed_at": "2020-04-23T19:26:40Z", 3320 "nvd_published_at": "2020-03-02T04:15:00Z", 3321 "severity": "CRITICAL" 3322 }, 3323 "details": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).", 3324 "id": "GHSA-5p34-5m6p-p58g", 3325 "modified": "2024-03-14T05:17:58.62415Z", 3326 "published": "2020-04-23T21:08:40Z", 3327 "references": [ 3328 { 3329 "type": "ADVISORY", 3330 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9546" 3331 }, 3332 { 3333 "type": "WEB", 3334 "url": "https://github.com/FasterXML/jackson-databind/issues/2631" 3335 }, 3336 { 3337 "type": "WEB", 3338 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 3339 }, 3340 { 3341 "type": "WEB", 3342 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 3343 }, 3344 { 3345 "type": "WEB", 3346 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 3347 }, 3348 { 3349 "type": "WEB", 3350 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 3351 }, 3352 { 
3353 "type": "WEB", 3354 "url": "https://security.netapp.com/advisory/ntap-20200904-0006" 3355 }, 3356 { 3357 "type": "WEB", 3358 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 3359 }, 3360 { 3361 "type": "WEB", 3362 "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html" 3363 }, 3364 { 3365 "type": "WEB", 3366 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 3367 }, 3368 { 3369 "type": "WEB", 3370 "url": "https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E" 3371 }, 3372 { 3373 "type": "WEB", 3374 "url": "https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E" 3375 }, 3376 { 3377 "type": "WEB", 3378 "url": "https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E" 3379 }, 3380 { 3381 "type": "WEB", 3382 "url": "https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E" 3383 }, 3384 { 3385 "type": "WEB", 3386 "url": "https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E" 3387 }, 3388 { 3389 "type": "WEB", 3390 "url": "https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E" 3391 }, 3392 { 3393 "type": "WEB", 3394 "url": "https://lists.apache.org/thread.html/r893a0104e50c1c2559eb9a5812add28ae8c3e5f43712947a9847ec18@%3Cnotifications.zookeeper.apache.org%3E" 3395 }, 3396 { 3397 "type": "WEB", 3398 "url": "https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E" 3399 }, 3400 { 3401 "type": "PACKAGE", 
3402 "url": "https://github.com/FasterXML/jackson-databind" 3403 } 3404 ], 3405 "schema_version": "1.6.0", 3406 "severity": [ 3407 { 3408 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 3409 "type": "CVSS_V3" 3410 } 3411 ], 3412 "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing" 3413 }, 3414 { 3415 "affected": [ 3416 { 3417 "database_specific": { 3418 "last_known_affected_version_range": "\u003c= 2.9.10.7", 3419 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-5r5r-6hpj-8gg9/GHSA-5r5r-6hpj-8gg9.json" 3420 }, 3421 "package": { 3422 "ecosystem": "Maven", 3423 "name": "com.fasterxml.jackson.core:jackson-databind", 3424 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 3425 }, 3426 "ranges": [ 3427 { 3428 "events": [ 3429 { 3430 "introduced": "2.0.0" 3431 }, 3432 { 3433 "fixed": "2.9.10.8" 3434 } 3435 ], 3436 "type": "ECOSYSTEM" 3437 } 3438 ], 3439 "versions": [ 3440 "2.0.0", 3441 "2.0.1", 3442 "2.0.2", 3443 "2.0.4", 3444 "2.0.5", 3445 "2.0.6", 3446 "2.1.0", 3447 "2.1.1", 3448 "2.1.2", 3449 "2.1.3", 3450 "2.1.4", 3451 "2.1.5", 3452 "2.2.0", 3453 "2.2.0-rc1", 3454 "2.2.1", 3455 "2.2.2", 3456 "2.2.3", 3457 "2.2.4", 3458 "2.3.0", 3459 "2.3.0-rc1", 3460 "2.3.1", 3461 "2.3.2", 3462 "2.3.3", 3463 "2.3.4", 3464 "2.3.5", 3465 "2.4.0", 3466 "2.4.0-rc1", 3467 "2.4.0-rc2", 3468 "2.4.0-rc3", 3469 "2.4.1", 3470 "2.4.1.1", 3471 "2.4.1.2", 3472 "2.4.1.3", 3473 "2.4.2", 3474 "2.4.3", 3475 "2.4.4", 3476 "2.4.5", 3477 "2.4.5.1", 3478 "2.4.6", 3479 "2.4.6.1", 3480 "2.5.0", 3481 "2.5.0-rc1", 3482 "2.5.1", 3483 "2.5.2", 3484 "2.5.3", 3485 "2.5.4", 3486 "2.5.5", 3487 "2.6.0", 3488 "2.6.0-rc1", 3489 "2.6.0-rc2", 3490 "2.6.0-rc3", 3491 "2.6.0-rc4", 3492 "2.6.1", 3493 "2.6.2", 3494 "2.6.3", 3495 "2.6.4", 3496 "2.6.5", 3497 "2.6.6", 3498 "2.6.7", 3499 "2.6.7.1", 3500 "2.6.7.2", 3501 "2.6.7.3", 3502 "2.6.7.4", 3503 "2.6.7.5", 3504 "2.7.0", 3505 "2.7.0-rc1", 3506 
"2.7.0-rc2", 3507 "2.7.0-rc3", 3508 "2.7.1", 3509 "2.7.1-1", 3510 "2.7.2", 3511 "2.7.3", 3512 "2.7.4", 3513 "2.7.5", 3514 "2.7.6", 3515 "2.7.7", 3516 "2.7.8", 3517 "2.7.9", 3518 "2.7.9.1", 3519 "2.7.9.2", 3520 "2.7.9.3", 3521 "2.7.9.4", 3522 "2.7.9.5", 3523 "2.7.9.6", 3524 "2.7.9.7", 3525 "2.8.0", 3526 "2.8.0.rc1", 3527 "2.8.0.rc2", 3528 "2.8.1", 3529 "2.8.10", 3530 "2.8.11", 3531 "2.8.11.1", 3532 "2.8.11.2", 3533 "2.8.11.3", 3534 "2.8.11.4", 3535 "2.8.11.5", 3536 "2.8.11.6", 3537 "2.8.2", 3538 "2.8.3", 3539 "2.8.4", 3540 "2.8.5", 3541 "2.8.6", 3542 "2.8.7", 3543 "2.8.8", 3544 "2.8.8.1", 3545 "2.8.9", 3546 "2.9.0", 3547 "2.9.0.pr1", 3548 "2.9.0.pr2", 3549 "2.9.0.pr3", 3550 "2.9.0.pr4", 3551 "2.9.1", 3552 "2.9.10", 3553 "2.9.10.1", 3554 "2.9.10.2", 3555 "2.9.10.3", 3556 "2.9.10.4", 3557 "2.9.10.5", 3558 "2.9.10.6", 3559 "2.9.10.7", 3560 "2.9.2", 3561 "2.9.3", 3562 "2.9.4", 3563 "2.9.5", 3564 "2.9.6", 3565 "2.9.7", 3566 "2.9.8", 3567 "2.9.9", 3568 "2.9.9.1", 3569 "2.9.9.2", 3570 "2.9.9.3" 3571 ] 3572 } 3573 ], 3574 "aliases": [ 3575 "CVE-2020-35728" 3576 ], 3577 "database_specific": { 3578 "cwe_ids": [ 3579 "CWE-502" 3580 ], 3581 "github_reviewed": true, 3582 "github_reviewed_at": "2021-04-07T22:24:20Z", 3583 "nvd_published_at": "2020-12-27T05:15:00Z", 3584 "severity": "HIGH" 3585 }, 3586 "details": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).", 3587 "id": "GHSA-5r5r-6hpj-8gg9", 3588 "modified": "2024-02-18T05:42:28.539166Z", 3589 "published": "2021-12-09T19:15:24Z", 3590 "references": [ 3591 { 3592 "type": "ADVISORY", 3593 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35728" 3594 }, 3595 { 3596 "type": "WEB", 3597 "url": "https://github.com/FasterXML/jackson-databind/issues/2999" 3598 }, 3599 { 3600 "type": "WEB", 3601 "url": 
"https://github.com/FasterXML/jackson-databind/commit/1ca0388c2fb37ac6a06f1c188ae89c41e3e15e84" 3602 }, 3603 { 3604 "type": "PACKAGE", 3605 "url": "https://github.com/FasterXML/jackson-databind" 3606 }, 3607 { 3608 "type": "WEB", 3609 "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" 3610 }, 3611 { 3612 "type": "WEB", 3613 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 3614 }, 3615 { 3616 "type": "WEB", 3617 "url": "https://security.netapp.com/advisory/ntap-20210129-0007" 3618 }, 3619 { 3620 "type": "WEB", 3621 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 3622 }, 3623 { 3624 "type": "WEB", 3625 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 3626 }, 3627 { 3628 "type": "WEB", 3629 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 3630 }, 3631 { 3632 "type": "WEB", 3633 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 3634 }, 3635 { 3636 "type": "WEB", 3637 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 3638 }, 3639 { 3640 "type": "WEB", 3641 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 3642 } 3643 ], 3644 "schema_version": "1.6.0", 3645 "severity": [ 3646 { 3647 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 3648 "type": "CVSS_V3" 3649 } 3650 ], 3651 "summary": "Serialization gadget exploit in jackson-databind" 3652 }, 3653 { 3654 "affected": [ 3655 { 3656 "database_specific": { 3657 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-5ww9-j83m-q7qx/GHSA-5ww9-j83m-q7qx.json" 3658 }, 3659 "package": { 3660 "ecosystem": "Maven", 3661 "name": "com.fasterxml.jackson.core:jackson-databind", 3662 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 3663 }, 3664 "ranges": [ 3665 { 3666 "events": [ 3667 { 3668 "introduced": "2.9.0" 3669 }, 3670 { 3671 "fixed": "2.9.9" 3672 } 3673 ], 3674 "type": "ECOSYSTEM" 3675 
} 3676 ], 3677 "versions": [ 3678 "2.9.0", 3679 "2.9.0.pr1", 3680 "2.9.0.pr2", 3681 "2.9.0.pr3", 3682 "2.9.0.pr4", 3683 "2.9.1", 3684 "2.9.2", 3685 "2.9.3", 3686 "2.9.4", 3687 "2.9.5", 3688 "2.9.6", 3689 "2.9.7", 3690 "2.9.8" 3691 ] 3692 }, 3693 { 3694 "database_specific": { 3695 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-5ww9-j83m-q7qx/GHSA-5ww9-j83m-q7qx.json" 3696 }, 3697 "package": { 3698 "ecosystem": "Maven", 3699 "name": "com.fasterxml.jackson.core:jackson-databind", 3700 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 3701 }, 3702 "ranges": [ 3703 { 3704 "events": [ 3705 { 3706 "introduced": "2.8.0" 3707 }, 3708 { 3709 "fixed": "2.8.11.4" 3710 } 3711 ], 3712 "type": "ECOSYSTEM" 3713 } 3714 ], 3715 "versions": [ 3716 "2.8.0", 3717 "2.8.1", 3718 "2.8.10", 3719 "2.8.11", 3720 "2.8.11.1", 3721 "2.8.11.2", 3722 "2.8.11.3", 3723 "2.8.2", 3724 "2.8.3", 3725 "2.8.4", 3726 "2.8.5", 3727 "2.8.6", 3728 "2.8.7", 3729 "2.8.8", 3730 "2.8.8.1", 3731 "2.8.9" 3732 ] 3733 }, 3734 { 3735 "database_specific": { 3736 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-5ww9-j83m-q7qx/GHSA-5ww9-j83m-q7qx.json" 3737 }, 3738 "package": { 3739 "ecosystem": "Maven", 3740 "name": "com.fasterxml.jackson.core:jackson-databind", 3741 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 3742 }, 3743 "ranges": [ 3744 { 3745 "events": [ 3746 { 3747 "introduced": "2.7.0" 3748 }, 3749 { 3750 "fixed": "2.7.9.6" 3751 } 3752 ], 3753 "type": "ECOSYSTEM" 3754 } 3755 ], 3756 "versions": [ 3757 "2.7.0", 3758 "2.7.1", 3759 "2.7.1-1", 3760 "2.7.2", 3761 "2.7.3", 3762 "2.7.4", 3763 "2.7.5", 3764 "2.7.6", 3765 "2.7.7", 3766 "2.7.8", 3767 "2.7.9", 3768 "2.7.9.1", 3769 "2.7.9.2", 3770 "2.7.9.3", 3771 "2.7.9.4", 3772 "2.7.9.5" 3773 ] 3774 }, 3775 { 3776 "database_specific": { 3777 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-5ww9-j83m-q7qx/GHSA-5ww9-j83m-q7qx.json" 3778 }, 3779 "package": { 3780 "ecosystem": "Maven", 3781 "name": "com.fasterxml.jackson.core:jackson-databind", 3782 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 3783 }, 3784 "ranges": [ 3785 { 3786 "events": [ 3787 { 3788 "introduced": "2.0.0" 3789 }, 3790 { 3791 "fixed": "2.6.7.3" 3792 } 3793 ], 3794 "type": "ECOSYSTEM" 3795 } 3796 ], 3797 "versions": [ 3798 "2.0.0", 3799 "2.0.1", 3800 "2.0.2", 3801 "2.0.4", 3802 "2.0.5", 3803 "2.0.6", 3804 "2.1.0", 3805 "2.1.1", 3806 "2.1.2", 3807 "2.1.3", 3808 "2.1.4", 3809 "2.1.5", 3810 "2.2.0", 3811 "2.2.0-rc1", 3812 "2.2.1", 3813 "2.2.2", 3814 "2.2.3", 3815 "2.2.4", 3816 "2.3.0", 3817 "2.3.0-rc1", 3818 "2.3.1", 3819 "2.3.2", 3820 "2.3.3", 3821 "2.3.4", 3822 "2.3.5", 3823 "2.4.0", 3824 "2.4.0-rc1", 3825 "2.4.0-rc2", 3826 "2.4.0-rc3", 3827 "2.4.1", 3828 "2.4.1.1", 3829 "2.4.1.2", 3830 "2.4.1.3", 3831 "2.4.2", 3832 "2.4.3", 3833 "2.4.4", 3834 "2.4.5", 3835 "2.4.5.1", 3836 "2.4.6", 3837 "2.4.6.1", 3838 "2.5.0", 3839 "2.5.0-rc1", 3840 "2.5.1", 3841 "2.5.2", 3842 "2.5.3", 3843 "2.5.4", 3844 "2.5.5", 3845 "2.6.0", 3846 "2.6.0-rc1", 3847 "2.6.0-rc2", 3848 "2.6.0-rc3", 3849 "2.6.0-rc4", 3850 "2.6.1", 3851 "2.6.2", 3852 "2.6.3", 3853 "2.6.4", 3854 "2.6.5", 3855 "2.6.6", 3856 "2.6.7", 3857 "2.6.7.1", 3858 "2.6.7.2" 3859 ] 3860 } 3861 ], 3862 "aliases": [ 3863 "CVE-2019-12086" 3864 ], 3865 "database_specific": { 3866 "cwe_ids": [ 3867 "CWE-502" 3868 ], 3869 "github_reviewed": true, 3870 "github_reviewed_at": "2019-05-22T04:34:56Z", 3871 "nvd_published_at": "2019-05-17T17:29:00Z", 3872 "severity": "HIGH" 3873 }, 3874 "details": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. 
When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.", 3875 "id": "GHSA-5ww9-j83m-q7qx", 3876 "modified": "2024-03-15T01:17:50.01682Z", 3877 "published": "2019-05-23T09:32:24Z", 3878 "references": [ 3879 { 3880 "type": "ADVISORY", 3881 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12086" 3882 }, 3883 { 3884 "type": "WEB", 3885 "url": "https://github.com/FasterXML/jackson-databind/issues/2326" 3886 }, 3887 { 3888 "type": "WEB", 3889 "url": "https://github.com/FasterXML/jackson-databind/commit/efc3c0d02f4743dbaa6d1b9c466772a2f13d966b" 3890 }, 3891 { 3892 "type": "WEB", 3893 "url": "https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024" 3894 }, 3895 { 3896 "type": "WEB", 3897 "url": "https://github.com/FasterXML/jackson-databind/commit/d30f036208ab1c60bd5ce429cb4f7f1a3e5682e8" 3898 }, 3899 { 3900 "type": "WEB", 3901 "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" 3902 }, 3903 { 3904 "type": "WEB", 3905 "url": "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E" 3906 }, 3907 { 3908 "type": "WEB", 3909 "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00030.html" 3910 }, 3911 { 3912 "type": "WEB", 3913 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL" 3914 }, 3915 { 3916 "type": "WEB", 3917 "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544" 3918 }, 3919 { 3920 "type": "WEB", 3921 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC" 3922 }, 3923 { 3924 "type": "WEB", 3925 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 3926 }, 3927 { 3928 "type": "WEB", 3929 "url": "https://seclists.org/bugtraq/2019/May/68" 3930 }, 3931 { 3932 "type": "WEB", 3933 "url": "https://security.netapp.com/advisory/ntap-20190530-0003" 3934 }, 3935 { 3936 "type": "WEB", 3937 "url": "https://web.archive.org/web/20200227030031/http://www.securityfocus.com/bid/109227" 3938 }, 3939 { 3940 "type": "WEB", 3941 "url": "https://web.archive.org/web/20200808181049/http://russiansecurity.expert/2016/04/20/mysql-connect-file-read" 3942 }, 3943 { 3944 "type": "WEB", 3945 "url": "https://www.debian.org/security/2019/dsa-4452" 3946 }, 3947 { 3948 "type": "WEB", 3949 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 3950 }, 3951 { 3952 "type": "WEB", 3953 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 3954 }, 3955 { 3956 "type": "WEB", 3957 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 3958 }, 3959 { 3960 "type": "WEB", 3961 "url": "https://www.oracle.com/security-alerts/cpujan2020.html" 3962 }, 3963 { 3964 "type": "WEB", 3965 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 3966 }, 3967 { 3968 "type": "WEB", 3969 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 3970 }, 3971 { 3972 "type": "WEB", 3973 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 3974 }, 3975 { 3976 "type": "WEB", 3977 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 3978 }, 3979 { 3980 "type": "WEB", 3981 "url": 
"https://access.redhat.com/errata/RHSA-2019:2858" 3982 }, 3983 { 3984 "type": "WEB", 3985 "url": "https://access.redhat.com/errata/RHSA-2019:2935" 3986 }, 3987 { 3988 "type": "WEB", 3989 "url": "https://access.redhat.com/errata/RHSA-2019:2936" 3990 }, 3991 { 3992 "type": "WEB", 3993 "url": "https://access.redhat.com/errata/RHSA-2019:2937" 3994 }, 3995 { 3996 "type": "WEB", 3997 "url": "https://access.redhat.com/errata/RHSA-2019:2938" 3998 }, 3999 { 4000 "type": "WEB", 4001 "url": "https://access.redhat.com/errata/RHSA-2019:2998" 4002 }, 4003 { 4004 "type": "WEB", 4005 "url": "https://access.redhat.com/errata/RHSA-2019:3044" 4006 }, 4007 { 4008 "type": "WEB", 4009 "url": "https://access.redhat.com/errata/RHSA-2019:3045" 4010 }, 4011 { 4012 "type": "WEB", 4013 "url": "https://access.redhat.com/errata/RHSA-2019:3046" 4014 }, 4015 { 4016 "type": "WEB", 4017 "url": "https://access.redhat.com/errata/RHSA-2019:3050" 4018 }, 4019 { 4020 "type": "WEB", 4021 "url": "https://access.redhat.com/errata/RHSA-2019:3149" 4022 }, 4023 { 4024 "type": "WEB", 4025 "url": "https://access.redhat.com/errata/RHSA-2019:3200" 4026 }, 4027 { 4028 "type": "PACKAGE", 4029 "url": "https://github.com/FasterXML/jackson-databind" 4030 }, 4031 { 4032 "type": "WEB", 4033 "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9" 4034 }, 4035 { 4036 "type": "WEB", 4037 "url": "https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E" 4038 }, 4039 { 4040 "type": "WEB", 4041 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 4042 }, 4043 { 4044 "type": "WEB", 4045 "url": "https://lists.apache.org/thread.html/88cd25375805950ae7337e669b0cb0eeda98b9604c1b8d806dccbad2@%3Creviews.spark.apache.org%3E" 4046 }, 4047 { 4048 "type": "WEB", 4049 "url": 
"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 4050 }, 4051 { 4052 "type": "WEB", 4053 "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" 4054 }, 4055 { 4056 "type": "WEB", 4057 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 4058 }, 4059 { 4060 "type": "WEB", 4061 "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E" 4062 } 4063 ], 4064 "schema_version": "1.6.0", 4065 "severity": [ 4066 { 4067 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 4068 "type": "CVSS_V3" 4069 } 4070 ], 4071 "summary": "Information exposure in FasterXML jackson-databind" 4072 }, 4073 { 4074 "affected": [ 4075 { 4076 "database_specific": { 4077 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-645p-88qh-w398/GHSA-645p-88qh-w398.json" 4078 }, 4079 "package": { 4080 "ecosystem": "Maven", 4081 "name": "com.fasterxml.jackson.core:jackson-databind", 4082 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 4083 }, 4084 "ranges": [ 4085 { 4086 "events": [ 4087 { 4088 "introduced": "2.9.0" 4089 }, 4090 { 4091 "fixed": "2.9.7" 4092 } 4093 ], 4094 "type": "ECOSYSTEM" 4095 } 4096 ], 4097 "versions": [ 4098 "2.9.0", 4099 "2.9.0.pr1", 4100 "2.9.0.pr2", 4101 "2.9.0.pr3", 4102 "2.9.0.pr4", 4103 "2.9.1", 4104 "2.9.2", 4105 "2.9.3", 4106 "2.9.4", 4107 "2.9.5", 4108 "2.9.6" 4109 ] 4110 }, 4111 { 4112 "database_specific": { 4113 "last_known_affected_version_range": "\u003c= 2.8.11.2", 4114 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-645p-88qh-w398/GHSA-645p-88qh-w398.json" 4115 }, 4116 "package": { 4117 "ecosystem": "Maven", 4118 "name": 
"com.fasterxml.jackson.core:jackson-databind", 4119 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 4120 }, 4121 "ranges": [ 4122 { 4123 "events": [ 4124 { 4125 "introduced": "2.8.0" 4126 }, 4127 { 4128 "fixed": "2.8.11.3" 4129 } 4130 ], 4131 "type": "ECOSYSTEM" 4132 } 4133 ], 4134 "versions": [ 4135 "2.8.0", 4136 "2.8.1", 4137 "2.8.10", 4138 "2.8.11", 4139 "2.8.11.1", 4140 "2.8.11.2", 4141 "2.8.2", 4142 "2.8.3", 4143 "2.8.4", 4144 "2.8.5", 4145 "2.8.6", 4146 "2.8.7", 4147 "2.8.8", 4148 "2.8.8.1", 4149 "2.8.9" 4150 ] 4151 }, 4152 { 4153 "database_specific": { 4154 "last_known_affected_version_range": "\u003c= 2.7.9.4", 4155 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-645p-88qh-w398/GHSA-645p-88qh-w398.json" 4156 }, 4157 "package": { 4158 "ecosystem": "Maven", 4159 "name": "com.fasterxml.jackson.core:jackson-databind", 4160 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 4161 }, 4162 "ranges": [ 4163 { 4164 "events": [ 4165 { 4166 "introduced": "2.7.0" 4167 }, 4168 { 4169 "fixed": "2.7.9.5" 4170 } 4171 ], 4172 "type": "ECOSYSTEM" 4173 } 4174 ], 4175 "versions": [ 4176 "2.7.0", 4177 "2.7.1", 4178 "2.7.1-1", 4179 "2.7.2", 4180 "2.7.3", 4181 "2.7.4", 4182 "2.7.5", 4183 "2.7.6", 4184 "2.7.7", 4185 "2.7.8", 4186 "2.7.9", 4187 "2.7.9.1", 4188 "2.7.9.2", 4189 "2.7.9.3", 4190 "2.7.9.4" 4191 ] 4192 }, 4193 { 4194 "database_specific": { 4195 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-645p-88qh-w398/GHSA-645p-88qh-w398.json" 4196 }, 4197 "package": { 4198 "ecosystem": "Maven", 4199 "name": "com.fasterxml.jackson.core:jackson-databind", 4200 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 4201 }, 4202 "ranges": [ 4203 { 4204 "events": [ 4205 { 4206 "introduced": "2.0.0" 4207 }, 4208 { 4209 "fixed": "2.6.7.3" 4210 } 4211 ], 4212 "type": "ECOSYSTEM" 4213 } 4214 ], 4215 "versions": [ 4216 "2.0.0", 4217 "2.0.1", 
4218 "2.0.2", 4219 "2.0.4", 4220 "2.0.5", 4221 "2.0.6", 4222 "2.1.0", 4223 "2.1.1", 4224 "2.1.2", 4225 "2.1.3", 4226 "2.1.4", 4227 "2.1.5", 4228 "2.2.0", 4229 "2.2.0-rc1", 4230 "2.2.1", 4231 "2.2.2", 4232 "2.2.3", 4233 "2.2.4", 4234 "2.3.0", 4235 "2.3.0-rc1", 4236 "2.3.1", 4237 "2.3.2", 4238 "2.3.3", 4239 "2.3.4", 4240 "2.3.5", 4241 "2.4.0", 4242 "2.4.0-rc1", 4243 "2.4.0-rc2", 4244 "2.4.0-rc3", 4245 "2.4.1", 4246 "2.4.1.1", 4247 "2.4.1.2", 4248 "2.4.1.3", 4249 "2.4.2", 4250 "2.4.3", 4251 "2.4.4", 4252 "2.4.5", 4253 "2.4.5.1", 4254 "2.4.6", 4255 "2.4.6.1", 4256 "2.5.0", 4257 "2.5.0-rc1", 4258 "2.5.1", 4259 "2.5.2", 4260 "2.5.3", 4261 "2.5.4", 4262 "2.5.5", 4263 "2.6.0", 4264 "2.6.0-rc1", 4265 "2.6.0-rc2", 4266 "2.6.0-rc3", 4267 "2.6.0-rc4", 4268 "2.6.1", 4269 "2.6.2", 4270 "2.6.3", 4271 "2.6.4", 4272 "2.6.5", 4273 "2.6.6", 4274 "2.6.7", 4275 "2.6.7.1", 4276 "2.6.7.2" 4277 ] 4278 } 4279 ], 4280 "aliases": [ 4281 "CVE-2018-14718" 4282 ], 4283 "database_specific": { 4284 "cwe_ids": [ 4285 "CWE-502" 4286 ], 4287 "github_reviewed": true, 4288 "github_reviewed_at": "2020-06-16T21:17:52Z", 4289 "nvd_published_at": "2019-01-02T18:29:00Z", 4290 "severity": "CRITICAL" 4291 }, 4292 "details": "FasterXML jackson-databind 2.x before 2.9.7, 2.8.11.3, 2.7.9.5, and 2.6.7.3 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.", 4293 "id": "GHSA-645p-88qh-w398", 4294 "modified": "2024-03-16T05:19:17.936174Z", 4295 "published": "2019-01-04T19:06:55Z", 4296 "references": [ 4297 { 4298 "type": "ADVISORY", 4299 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14718" 4300 }, 4301 { 4302 "type": "WEB", 4303 "url": "https://github.com/FasterXML/jackson-databind/issues/2097" 4304 }, 4305 { 4306 "type": "WEB", 4307 "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44" 4308 }, 4309 { 4310 "type": "WEB", 4311 "url": 
"https://access.redhat.com/errata/RHBA-2019:0959" 4312 }, 4313 { 4314 "type": "WEB", 4315 "url": "https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286@%3Cdev.lucene.apache.org%3E" 4316 }, 4317 { 4318 "type": "WEB", 4319 "url": "https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f@%3Cdev.lucene.apache.org%3E" 4320 }, 4321 { 4322 "type": "WEB", 4323 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 4324 }, 4325 { 4326 "type": "WEB", 4327 "url": "https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df@%3Cdev.lucene.apache.org%3E" 4328 }, 4329 { 4330 "type": "WEB", 4331 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 4332 }, 4333 { 4334 "type": "WEB", 4335 "url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E" 4336 }, 4337 { 4338 "type": "WEB", 4339 "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html" 4340 }, 4341 { 4342 "type": "WEB", 4343 "url": "https://seclists.org/bugtraq/2019/May/68" 4344 }, 4345 { 4346 "type": "WEB", 4347 "url": "https://security.netapp.com/advisory/ntap-20190530-0003" 4348 }, 4349 { 4350 "type": "WEB", 4351 "url": "https://www.debian.org/security/2019/dsa-4452" 4352 }, 4353 { 4354 "type": "WEB", 4355 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 4356 }, 4357 { 4358 "type": "WEB", 4359 "url": "https://www.oracle.com/security-alerts/cpujan2020.html" 4360 }, 4361 { 4362 "type": "WEB", 4363 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 4364 }, 4365 { 4366 "type": "WEB", 4367 "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" 4368 }, 4369 { 4370 "type": "WEB", 4371 "url": 
"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" 4372 }, 4373 { 4374 "type": "WEB", 4375 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 4376 }, 4377 { 4378 "type": "WEB", 4379 "url": "https://access.redhat.com/errata/RHSA-2019:0782" 4380 }, 4381 { 4382 "type": "WEB", 4383 "url": "https://access.redhat.com/errata/RHSA-2019:0877" 4384 }, 4385 { 4386 "type": "WEB", 4387 "url": "https://access.redhat.com/errata/RHSA-2019:1782" 4388 }, 4389 { 4390 "type": "WEB", 4391 "url": "https://access.redhat.com/errata/RHSA-2019:1797" 4392 }, 4393 { 4394 "type": "WEB", 4395 "url": "https://access.redhat.com/errata/RHSA-2019:1822" 4396 }, 4397 { 4398 "type": "WEB", 4399 "url": "https://access.redhat.com/errata/RHSA-2019:1823" 4400 }, 4401 { 4402 "type": "WEB", 4403 "url": "https://access.redhat.com/errata/RHSA-2019:2804" 4404 }, 4405 { 4406 "type": "WEB", 4407 "url": "https://access.redhat.com/errata/RHSA-2019:2858" 4408 }, 4409 { 4410 "type": "WEB", 4411 "url": "https://access.redhat.com/errata/RHSA-2019:3002" 4412 }, 4413 { 4414 "type": "WEB", 4415 "url": "https://access.redhat.com/errata/RHSA-2019:3140" 4416 }, 4417 { 4418 "type": "WEB", 4419 "url": "https://access.redhat.com/errata/RHSA-2019:3149" 4420 }, 4421 { 4422 "type": "WEB", 4423 "url": "https://access.redhat.com/errata/RHSA-2019:3892" 4424 }, 4425 { 4426 "type": "WEB", 4427 "url": "https://access.redhat.com/errata/RHSA-2019:4037" 4428 }, 4429 { 4430 "type": "PACKAGE", 4431 "url": "https://github.com/FasterXML/jackson-databind" 4432 }, 4433 { 4434 "type": "WEB", 4435 "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7" 4436 }, 4437 { 4438 "type": "ADVISORY", 4439 "url": "https://github.com/advisories/GHSA-645p-88qh-w398" 4440 }, 4441 { 4442 "type": "WEB", 4443 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 4444 }, 4445 { 4446 "type": "WEB", 4447 "url": 
"http://www.securityfocus.com/bid/106601" 4448 } 4449 ], 4450 "schema_version": "1.6.0", 4451 "severity": [ 4452 { 4453 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 4454 "type": "CVSS_V3" 4455 } 4456 ], 4457 "summary": "Arbitrary Code Execution in jackson-databind" 4458 }, 4459 { 4460 "affected": [ 4461 { 4462 "database_specific": { 4463 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-6fpp-rgj9-8rwc/GHSA-6fpp-rgj9-8rwc.json" 4464 }, 4465 "package": { 4466 "ecosystem": "Maven", 4467 "name": "com.fasterxml.jackson.core:jackson-databind", 4468 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 4469 }, 4470 "ranges": [ 4471 { 4472 "events": [ 4473 { 4474 "introduced": "2.9.0" 4475 }, 4476 { 4477 "fixed": "2.9.9.2" 4478 } 4479 ], 4480 "type": "ECOSYSTEM" 4481 } 4482 ], 4483 "versions": [ 4484 "2.9.0", 4485 "2.9.0.pr1", 4486 "2.9.0.pr2", 4487 "2.9.0.pr3", 4488 "2.9.0.pr4", 4489 "2.9.1", 4490 "2.9.2", 4491 "2.9.3", 4492 "2.9.4", 4493 "2.9.5", 4494 "2.9.6", 4495 "2.9.7", 4496 "2.9.8", 4497 "2.9.9", 4498 "2.9.9.1" 4499 ] 4500 }, 4501 { 4502 "database_specific": { 4503 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-6fpp-rgj9-8rwc/GHSA-6fpp-rgj9-8rwc.json" 4504 }, 4505 "package": { 4506 "ecosystem": "Maven", 4507 "name": "com.fasterxml.jackson.core:jackson-databind", 4508 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 4509 }, 4510 "ranges": [ 4511 { 4512 "events": [ 4513 { 4514 "introduced": "2.8.0" 4515 }, 4516 { 4517 "fixed": "2.8.11.4" 4518 } 4519 ], 4520 "type": "ECOSYSTEM" 4521 } 4522 ], 4523 "versions": [ 4524 "2.8.0", 4525 "2.8.1", 4526 "2.8.10", 4527 "2.8.11", 4528 "2.8.11.1", 4529 "2.8.11.2", 4530 "2.8.11.3", 4531 "2.8.2", 4532 "2.8.3", 4533 "2.8.4", 4534 "2.8.5", 4535 "2.8.6", 4536 "2.8.7", 4537 "2.8.8", 4538 "2.8.8.1", 4539 "2.8.9" 4540 ] 4541 }, 4542 { 4543 "database_specific": { 4544 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-6fpp-rgj9-8rwc/GHSA-6fpp-rgj9-8rwc.json" 4545 }, 4546 "package": { 4547 "ecosystem": "Maven", 4548 "name": "com.fasterxml.jackson.core:jackson-databind", 4549 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 4550 }, 4551 "ranges": [ 4552 { 4553 "events": [ 4554 { 4555 "introduced": "0" 4556 }, 4557 { 4558 "fixed": "2.7.9.6" 4559 } 4560 ], 4561 "type": "ECOSYSTEM" 4562 } 4563 ], 4564 "versions": [ 4565 "2.0.0", 4566 "2.0.0-RC1", 4567 "2.0.0-RC2", 4568 "2.0.0-RC3", 4569 "2.0.1", 4570 "2.0.2", 4571 "2.0.4", 4572 "2.0.5", 4573 "2.0.6", 4574 "2.1.0", 4575 "2.1.1", 4576 "2.1.2", 4577 "2.1.3", 4578 "2.1.4", 4579 "2.1.5", 4580 "2.2.0", 4581 "2.2.0-rc1", 4582 "2.2.1", 4583 "2.2.2", 4584 "2.2.3", 4585 "2.2.4", 4586 "2.3.0", 4587 "2.3.0-rc1", 4588 "2.3.1", 4589 "2.3.2", 4590 "2.3.3", 4591 "2.3.4", 4592 "2.3.5", 4593 "2.4.0", 4594 "2.4.0-rc1", 4595 "2.4.0-rc2", 4596 "2.4.0-rc3", 4597 "2.4.1", 4598 "2.4.1.1", 4599 "2.4.1.2", 4600 "2.4.1.3", 4601 "2.4.2", 4602 "2.4.3", 4603 "2.4.4", 4604 "2.4.5", 4605 "2.4.5.1", 4606 "2.4.6", 4607 "2.4.6.1", 4608 "2.5.0", 4609 "2.5.0-rc1", 4610 "2.5.1", 4611 "2.5.2", 4612 "2.5.3", 4613 "2.5.4", 4614 "2.5.5", 4615 "2.6.0", 4616 "2.6.0-rc1", 4617 "2.6.0-rc2", 4618 "2.6.0-rc3", 4619 "2.6.0-rc4", 4620 "2.6.1", 4621 "2.6.2", 4622 "2.6.3", 4623 "2.6.4", 4624 "2.6.5", 4625 "2.6.6", 4626 "2.6.7", 4627 "2.6.7.1", 4628 "2.6.7.2", 4629 "2.6.7.3", 4630 "2.6.7.4", 4631 "2.6.7.5", 4632 "2.7.0", 4633 "2.7.0-rc1", 4634 "2.7.0-rc2", 4635 "2.7.0-rc3", 4636 "2.7.1", 4637 "2.7.1-1", 4638 "2.7.2", 4639 "2.7.3", 4640 "2.7.4", 4641 "2.7.5", 4642 "2.7.6", 4643 "2.7.7", 4644 "2.7.8", 4645 "2.7.9", 4646 "2.7.9.1", 4647 "2.7.9.2", 4648 "2.7.9.3", 4649 "2.7.9.4", 4650 "2.7.9.5" 4651 ] 4652 } 4653 ], 4654 "aliases": [ 4655 "CVE-2019-14379" 4656 ], 4657 "database_specific": { 4658 "cwe_ids": [ 4659 "CWE-1321", 4660 "CWE-915" 4661 ], 4662 "github_reviewed": true, 4663 
"github_reviewed_at": "2019-08-01T15:38:02Z", 4664 "nvd_published_at": "2019-07-29T12:15:00Z", 4665 "severity": "CRITICAL" 4666 }, 4667 "details": "SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2, 2.8.11.4, and 2.7.9.6 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.", 4668 "id": "GHSA-6fpp-rgj9-8rwc", 4669 "modified": "2024-03-15T05:18:54.134884Z", 4670 "published": "2019-08-01T19:18:00Z", 4671 "references": [ 4672 { 4673 "type": "ADVISORY", 4674 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14379" 4675 }, 4676 { 4677 "type": "WEB", 4678 "url": "https://github.com/FasterXML/jackson-databind/issues/2387" 4679 }, 4680 { 4681 "type": "WEB", 4682 "url": "https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b" 4683 }, 4684 { 4685 "type": "WEB", 4686 "url": "https://lists.apache.org/thread.html/f17f63b0f8a57e4a5759e01d25cffc0548f0b61ff5c6bfd704ad2f2a@%3Ccommits.ambari.apache.org%3E" 4687 }, 4688 { 4689 "type": "WEB", 4690 "url": "https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E" 4691 }, 4692 { 4693 "type": "WEB", 4694 "url": "https://lists.apache.org/thread.html/e25e734c315f70d8876a846926cfe3bfa1a4888044f146e844caf72f@%3Ccommits.ambari.apache.org%3E" 4695 }, 4696 { 4697 "type": "WEB", 4698 "url": "https://lists.apache.org/thread.html/d161ff3d59c5a8213400dd6afb1cce1fac4f687c32d1e0c0bfbfaa2d@%3Cissues.iceberg.apache.org%3E" 4699 }, 4700 { 4701 "type": "WEB", 4702 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 4703 }, 4704 { 4705 "type": "WEB", 4706 "url": "https://lists.apache.org/thread.html/99944f86abefde389da9b4040ea2327c6aa0b53a2ff9352bd4cfec17@%3Cissues.iceberg.apache.org%3E" 4707 }, 4708 { 4709 "type": "WEB", 4710 "url": 
"https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E" 4711 }, 4712 { 4713 "type": "WEB", 4714 "url": "https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E" 4715 }, 4716 { 4717 "type": "WEB", 4718 "url": "https://lists.apache.org/thread.html/8723b52c2544e6cb804bc8a36622c584acd1bd6c53f2b6034c9fea54@%3Cissues.iceberg.apache.org%3E" 4719 }, 4720 { 4721 "type": "WEB", 4722 "url": "https://lists.apache.org/thread.html/859815b2e9f1575acbb2b260b73861c16ca49bca627fa0c46419051f@%3Cissues.iceberg.apache.org%3E" 4723 }, 4724 { 4725 "type": "WEB", 4726 "url": "https://lists.apache.org/thread.html/75f482fdc84abe6d0c8f438a76437c335a7bbeb5cddd4d70b4bc0cbf@%3Cissues.iceberg.apache.org%3E" 4727 }, 4728 { 4729 "type": "WEB", 4730 "url": "https://lists.apache.org/thread.html/689c6bcc6c7612eee71e453a115a4c8581e7b718537025d4b265783d@%3Cissues.iceberg.apache.org%3E" 4731 }, 4732 { 4733 "type": "WEB", 4734 "url": "https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6@%3Cissues.iceberg.apache.org%3E" 4735 }, 4736 { 4737 "type": "WEB", 4738 "url": "https://access.redhat.com/errata/RHBA-2019:2824" 4739 }, 4740 { 4741 "type": "WEB", 4742 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 4743 }, 4744 { 4745 "type": "WEB", 4746 "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" 4747 }, 4748 { 4749 "type": "WEB", 4750 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 4751 }, 4752 { 4753 "type": "WEB", 4754 "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html" 4755 }, 4756 { 4757 "type": "WEB", 4758 "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL" 4759 }, 4760 { 4761 "type": "WEB", 4762 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544" 4763 }, 4764 { 4765 "type": "WEB", 4766 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC" 4767 }, 4768 { 4769 "type": "WEB", 4770 "url": "https://security.netapp.com/advisory/ntap-20190814-0001" 4771 }, 4772 { 4773 "type": "WEB", 4774 "url": "https://support.apple.com/kb/HT213189" 4775 }, 4776 { 4777 "type": "WEB", 4778 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 4779 }, 4780 { 4781 "type": "WEB", 4782 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 4783 }, 4784 { 4785 "type": "WEB", 4786 "url": "https://www.oracle.com/security-alerts/cpujan2020.html" 4787 }, 4788 { 4789 "type": "WEB", 4790 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 4791 }, 4792 { 4793 "type": "WEB", 4794 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 4795 }, 4796 { 4797 "type": "WEB", 4798 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 4799 }, 4800 { 4801 "type": "WEB", 4802 "url": "https://access.redhat.com/errata/RHSA-2019:2743" 4803 }, 4804 { 4805 "type": "WEB", 4806 "url": "https://access.redhat.com/errata/RHSA-2019:2858" 4807 }, 4808 { 4809 "type": "WEB", 4810 "url": "https://access.redhat.com/errata/RHSA-2019:2935" 4811 }, 4812 { 4813 "type": "WEB", 4814 "url": "https://access.redhat.com/errata/RHSA-2019:2936" 4815 }, 4816 { 4817 "type": "WEB", 4818 "url": "https://access.redhat.com/errata/RHSA-2019:2937" 4819 }, 4820 { 4821 "type": "WEB", 4822 "url": "https://access.redhat.com/errata/RHSA-2019:2938" 4823 }, 4824 { 4825 "type": "WEB", 4826 "url": 
"https://access.redhat.com/errata/RHSA-2019:2998" 4827 }, 4828 { 4829 "type": "WEB", 4830 "url": "https://access.redhat.com/errata/RHSA-2019:3044" 4831 }, 4832 { 4833 "type": "WEB", 4834 "url": "https://access.redhat.com/errata/RHSA-2019:3045" 4835 }, 4836 { 4837 "type": "WEB", 4838 "url": "https://access.redhat.com/errata/RHSA-2019:3046" 4839 }, 4840 { 4841 "type": "WEB", 4842 "url": "https://access.redhat.com/errata/RHSA-2019:3050" 4843 }, 4844 { 4845 "type": "WEB", 4846 "url": "https://access.redhat.com/errata/RHSA-2019:3149" 4847 }, 4848 { 4849 "type": "WEB", 4850 "url": "https://access.redhat.com/errata/RHSA-2019:3200" 4851 }, 4852 { 4853 "type": "WEB", 4854 "url": "https://access.redhat.com/errata/RHSA-2019:3292" 4855 }, 4856 { 4857 "type": "WEB", 4858 "url": "https://access.redhat.com/errata/RHSA-2019:3297" 4859 }, 4860 { 4861 "type": "WEB", 4862 "url": "https://access.redhat.com/errata/RHSA-2019:3901" 4863 }, 4864 { 4865 "type": "WEB", 4866 "url": "https://access.redhat.com/errata/RHSA-2020:0727" 4867 }, 4868 { 4869 "type": "PACKAGE", 4870 "url": "https://github.com/FasterXML/jackson-databind" 4871 }, 4872 { 4873 "type": "WEB", 4874 "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2" 4875 }, 4876 { 4877 "type": "WEB", 4878 "url": "https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E" 4879 }, 4880 { 4881 "type": "WEB", 4882 "url": "https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E" 4883 }, 4884 { 4885 "type": "WEB", 4886 "url": "https://lists.apache.org/thread.html/2766188be238a446a250ef76801037d452979152d85bce5e46805815@%3Cissues.iceberg.apache.org%3E" 4887 }, 4888 { 4889 "type": "WEB", 4890 "url": "https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E" 4891 }, 4892 { 4893 "type": 
"WEB", 4894 "url": "https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E" 4895 }, 4896 { 4897 "type": "WEB", 4898 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 4899 }, 4900 { 4901 "type": "WEB", 4902 "url": "https://lists.apache.org/thread.html/525bcf949a4b0da87a375cbad2680b8beccde749522f24c49befe7fb@%3Ccommits.pulsar.apache.org%3E" 4903 }, 4904 { 4905 "type": "WEB", 4906 "url": "https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E" 4907 }, 4908 { 4909 "type": "WEB", 4910 "url": "https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E" 4911 }, 4912 { 4913 "type": "WEB", 4914 "url": "https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E" 4915 }, 4916 { 4917 "type": "WEB", 4918 "url": "http://seclists.org/fulldisclosure/2022/Mar/23" 4919 } 4920 ], 4921 "schema_version": "1.6.0", 4922 "severity": [ 4923 { 4924 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 4925 "type": "CVSS_V3" 4926 } 4927 ], 4928 "summary": "Deserialization of untrusted data in FasterXML jackson-databind" 4929 }, 4930 { 4931 "affected": [ 4932 { 4933 "database_specific": { 4934 "last_known_affected_version_range": "\u003c= 2.7.9.3", 4935 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6wqp-v4v6-c87c/GHSA-6wqp-v4v6-c87c.json" 4936 }, 4937 "package": { 4938 "ecosystem": "Maven", 4939 "name": "com.fasterxml.jackson.core:jackson-databind", 4940 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 4941 }, 4942 "ranges": [ 4943 { 4944 "events": [ 4945 { 4946 "introduced": "2.7.0" 4947 }, 4948 { 4949 "fixed": "2.7.9.4" 4950 } 4951 ], 4952 "type": "ECOSYSTEM" 4953 } 4954 ], 4955 
"versions": [ 4956 "2.7.0", 4957 "2.7.1", 4958 "2.7.1-1", 4959 "2.7.2", 4960 "2.7.3", 4961 "2.7.4", 4962 "2.7.5", 4963 "2.7.6", 4964 "2.7.7", 4965 "2.7.8", 4966 "2.7.9", 4967 "2.7.9.1", 4968 "2.7.9.2", 4969 "2.7.9.3" 4970 ] 4971 }, 4972 { 4973 "database_specific": { 4974 "last_known_affected_version_range": "\u003c= 2.8.11.1", 4975 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6wqp-v4v6-c87c/GHSA-6wqp-v4v6-c87c.json" 4976 }, 4977 "package": { 4978 "ecosystem": "Maven", 4979 "name": "com.fasterxml.jackson.core:jackson-databind", 4980 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 4981 }, 4982 "ranges": [ 4983 { 4984 "events": [ 4985 { 4986 "introduced": "2.8.0" 4987 }, 4988 { 4989 "fixed": "2.8.11.2" 4990 } 4991 ], 4992 "type": "ECOSYSTEM" 4993 } 4994 ], 4995 "versions": [ 4996 "2.8.0", 4997 "2.8.1", 4998 "2.8.10", 4999 "2.8.11", 5000 "2.8.11.1", 5001 "2.8.2", 5002 "2.8.3", 5003 "2.8.4", 5004 "2.8.5", 5005 "2.8.6", 5006 "2.8.7", 5007 "2.8.8", 5008 "2.8.8.1", 5009 "2.8.9" 5010 ] 5011 }, 5012 { 5013 "database_specific": { 5014 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6wqp-v4v6-c87c/GHSA-6wqp-v4v6-c87c.json" 5015 }, 5016 "package": { 5017 "ecosystem": "Maven", 5018 "name": "com.fasterxml.jackson.core:jackson-databind", 5019 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 5020 }, 5021 "ranges": [ 5022 { 5023 "events": [ 5024 { 5025 "introduced": "2.9.0" 5026 }, 5027 { 5028 "fixed": "2.9.6" 5029 } 5030 ], 5031 "type": "ECOSYSTEM" 5032 } 5033 ], 5034 "versions": [ 5035 "2.9.0", 5036 "2.9.0.pr1", 5037 "2.9.0.pr2", 5038 "2.9.0.pr3", 5039 "2.9.0.pr4", 5040 "2.9.1", 5041 "2.9.2", 5042 "2.9.3", 5043 "2.9.4", 5044 "2.9.5" 5045 ] 5046 } 5047 ], 5048 "aliases": [ 5049 "CVE-2018-12023" 5050 ], 5051 "database_specific": { 5052 "cwe_ids": [ 5053 "CWE-502" 5054 ], 5055 "github_reviewed": true, 5056 "github_reviewed_at": 
"2020-06-11T21:43:23Z", 5057 "nvd_published_at": null, 5058 "severity": "HIGH" 5059 }, 5060 "details": "An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.", 5061 "id": "GHSA-6wqp-v4v6-c87c", 5062 "modified": "2024-03-11T05:21:31.707912Z", 5063 "published": "2020-06-15T18:44:51Z", 5064 "references": [ 5065 { 5066 "type": "ADVISORY", 5067 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12023" 5068 }, 5069 { 5070 "type": "WEB", 5071 "url": "https://github.com/FasterXML/jackson-databind/issues/2058" 5072 }, 5073 { 5074 "type": "WEB", 5075 "url": "https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a" 5076 }, 5077 { 5078 "type": "WEB", 5079 "url": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a" 5080 }, 5081 { 5082 "type": "WEB", 5083 "url": "https://github.com/FasterXML/jackson-databind/commit/bf261d404c2f79fd3406237710d40ebb03c99d84" 5084 }, 5085 { 5086 "type": "WEB", 5087 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 5088 }, 5089 { 5090 "type": "WEB", 5091 "url": "https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d@%3Cissues.lucene.apache.org%3E" 5092 }, 5093 { 5094 "type": "WEB", 5095 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 5096 }, 5097 { 5098 "type": "WEB", 5099 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 5100 }, 5101 { 5102 "type": "WEB", 5103 "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC" 5104 }, 5105 { 5106 "type": "WEB", 5107 "url": "https://seclists.org/bugtraq/2019/May/68" 5108 }, 5109 { 5110 "type": "WEB", 5111 "url": "https://security.netapp.com/advisory/ntap-20190530-0003" 5112 }, 5113 { 5114 "type": "WEB", 5115 "url": "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf" 5116 }, 5117 { 5118 "type": "WEB", 5119 "url": "https://www.debian.org/security/2019/dsa-4452" 5120 }, 5121 { 5122 "type": "WEB", 5123 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 5124 }, 5125 { 5126 "type": "WEB", 5127 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 5128 }, 5129 { 5130 "type": "WEB", 5131 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 5132 }, 5133 { 5134 "type": "WEB", 5135 "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" 5136 }, 5137 { 5138 "type": "WEB", 5139 "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" 5140 }, 5141 { 5142 "type": "WEB", 5143 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 5144 }, 5145 { 5146 "type": "WEB", 5147 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" 5148 }, 5149 { 5150 "type": "WEB", 5151 "url": "https://access.redhat.com/errata/RHBA-2019:0959" 5152 }, 5153 { 5154 "type": "WEB", 5155 "url": "https://access.redhat.com/errata/RHSA-2019:0782" 5156 }, 5157 { 5158 "type": "WEB", 5159 "url": "https://access.redhat.com/errata/RHSA-2019:0877" 5160 }, 5161 { 5162 "type": "WEB", 5163 "url": "https://access.redhat.com/errata/RHSA-2019:1106" 5164 }, 5165 { 5166 "type": "WEB", 5167 "url": "https://access.redhat.com/errata/RHSA-2019:1107" 5168 }, 5169 { 5170 "type": "WEB", 5171 "url": "https://access.redhat.com/errata/RHSA-2019:1108" 5172 }, 5173 { 5174 
"type": "WEB", 5175 "url": "https://access.redhat.com/errata/RHSA-2019:1140" 5176 }, 5177 { 5178 "type": "WEB", 5179 "url": "https://access.redhat.com/errata/RHSA-2019:1782" 5180 }, 5181 { 5182 "type": "WEB", 5183 "url": "https://access.redhat.com/errata/RHSA-2019:1797" 5184 }, 5185 { 5186 "type": "WEB", 5187 "url": "https://access.redhat.com/errata/RHSA-2019:1822" 5188 }, 5189 { 5190 "type": "WEB", 5191 "url": "https://access.redhat.com/errata/RHSA-2019:1823" 5192 }, 5193 { 5194 "type": "WEB", 5195 "url": "https://access.redhat.com/errata/RHSA-2019:2804" 5196 }, 5197 { 5198 "type": "WEB", 5199 "url": "https://access.redhat.com/errata/RHSA-2019:2858" 5200 }, 5201 { 5202 "type": "WEB", 5203 "url": "https://access.redhat.com/errata/RHSA-2019:3002" 5204 }, 5205 { 5206 "type": "WEB", 5207 "url": "https://access.redhat.com/errata/RHSA-2019:3140" 5208 }, 5209 { 5210 "type": "WEB", 5211 "url": "https://access.redhat.com/errata/RHSA-2019:3149" 5212 }, 5213 { 5214 "type": "WEB", 5215 "url": "https://access.redhat.com/errata/RHSA-2019:3892" 5216 }, 5217 { 5218 "type": "WEB", 5219 "url": "https://access.redhat.com/errata/RHSA-2019:4037" 5220 }, 5221 { 5222 "type": "PACKAGE", 5223 "url": "https://github.com/FasterXML/jackson-databind" 5224 }, 5225 { 5226 "type": "WEB", 5227 "url": "http://www.securityfocus.com/bid/105659" 5228 } 5229 ], 5230 "schema_version": "1.6.0", 5231 "severity": [ 5232 { 5233 "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", 5234 "type": "CVSS_V3" 5235 } 5236 ], 5237 "summary": "Deserialization of Untrusted Data" 5238 }, 5239 { 5240 "affected": [ 5241 { 5242 "database_specific": { 5243 "last_known_affected_version_range": "\u003c= 2.9.10.3", 5244 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-758m-v56v-grj4/GHSA-758m-v56v-grj4.json" 5245 }, 5246 "package": { 5247 "ecosystem": "Maven", 5248 "name": "com.fasterxml.jackson.core:jackson-databind", 5249 "purl": 
"pkg:maven/com.fasterxml.jackson.core/jackson-databind" 5250 }, 5251 "ranges": [ 5252 { 5253 "events": [ 5254 { 5255 "introduced": "2.9.0" 5256 }, 5257 { 5258 "fixed": "2.9.10.4" 5259 } 5260 ], 5261 "type": "ECOSYSTEM" 5262 } 5263 ], 5264 "versions": [ 5265 "2.9.0", 5266 "2.9.0.pr1", 5267 "2.9.0.pr2", 5268 "2.9.0.pr3", 5269 "2.9.0.pr4", 5270 "2.9.1", 5271 "2.9.10", 5272 "2.9.10.1", 5273 "2.9.10.2", 5274 "2.9.10.3", 5275 "2.9.2", 5276 "2.9.3", 5277 "2.9.4", 5278 "2.9.5", 5279 "2.9.6", 5280 "2.9.7", 5281 "2.9.8", 5282 "2.9.9", 5283 "2.9.9.1", 5284 "2.9.9.2", 5285 "2.9.9.3" 5286 ] 5287 } 5288 ], 5289 "aliases": [ 5290 "CVE-2020-10969" 5291 ], 5292 "database_specific": { 5293 "cwe_ids": [ 5294 "CWE-502" 5295 ], 5296 "github_reviewed": true, 5297 "github_reviewed_at": "2020-04-23T19:28:10Z", 5298 "nvd_published_at": "2020-03-26T13:15:00Z", 5299 "severity": "HIGH" 5300 }, 5301 "details": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.", 5302 "id": "GHSA-758m-v56v-grj4", 5303 "modified": "2024-06-25T14:20:03.301633Z", 5304 "published": "2020-04-23T21:36:03Z", 5305 "references": [ 5306 { 5307 "type": "ADVISORY", 5308 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10969" 5309 }, 5310 { 5311 "type": "WEB", 5312 "url": "https://github.com/FasterXML/jackson-databind/issues/2642" 5313 }, 5314 { 5315 "type": "WEB", 5316 "url": "https://github.com/FasterXML/jackson-databind/commit/6ba48457984943df0de92c54144f7dcae01b1221" 5317 }, 5318 { 5319 "type": "PACKAGE", 5320 "url": "https://github.com/FasterXML/jackson-databind" 5321 }, 5322 { 5323 "type": "WEB", 5324 "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html" 5325 }, 5326 { 5327 "type": "WEB", 5328 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 5329 }, 5330 { 5331 "type": "WEB", 5332 "url": 
"https://security.netapp.com/advisory/ntap-20200403-0002" 5333 }, 5334 { 5335 "type": "WEB", 5336 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 5337 }, 5338 { 5339 "type": "WEB", 5340 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 5341 }, 5342 { 5343 "type": "WEB", 5344 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 5345 }, 5346 { 5347 "type": "WEB", 5348 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 5349 } 5350 ], 5351 "schema_version": "1.6.0", 5352 "severity": [ 5353 { 5354 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", 5355 "type": "CVSS_V3" 5356 } 5357 ], 5358 "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing" 5359 }, 5360 { 5361 "affected": [ 5362 { 5363 "database_specific": { 5364 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-85cw-hj65-qqv9/GHSA-85cw-hj65-qqv9.json" 5365 }, 5366 "package": { 5367 "ecosystem": "Maven", 5368 "name": "com.fasterxml.jackson.core:jackson-databind", 5369 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 5370 }, 5371 "ranges": [ 5372 { 5373 "events": [ 5374 { 5375 "introduced": "2.9.0" 5376 }, 5377 { 5378 "fixed": "2.9.10" 5379 } 5380 ], 5381 "type": "ECOSYSTEM" 5382 } 5383 ], 5384 "versions": [ 5385 "2.9.0", 5386 "2.9.0.pr1", 5387 "2.9.0.pr2", 5388 "2.9.0.pr3", 5389 "2.9.0.pr4", 5390 "2.9.1", 5391 "2.9.2", 5392 "2.9.3", 5393 "2.9.4", 5394 "2.9.5", 5395 "2.9.6", 5396 "2.9.7", 5397 "2.9.8", 5398 "2.9.9", 5399 "2.9.9.1", 5400 "2.9.9.2", 5401 "2.9.9.3" 5402 ] 5403 }, 5404 { 5405 "database_specific": { 5406 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-85cw-hj65-qqv9/GHSA-85cw-hj65-qqv9.json" 5407 }, 5408 "package": { 5409 "ecosystem": "Maven", 5410 "name": "com.fasterxml.jackson.core:jackson-databind", 5411 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 5412 }, 
5413 "ranges": [ 5414 { 5415 "events": [ 5416 { 5417 "introduced": "2.7.0" 5418 }, 5419 { 5420 "fixed": "2.8.11.5" 5421 } 5422 ], 5423 "type": "ECOSYSTEM" 5424 } 5425 ], 5426 "versions": [ 5427 "2.7.0", 5428 "2.7.1", 5429 "2.7.1-1", 5430 "2.7.2", 5431 "2.7.3", 5432 "2.7.4", 5433 "2.7.5", 5434 "2.7.6", 5435 "2.7.7", 5436 "2.7.8", 5437 "2.7.9", 5438 "2.7.9.1", 5439 "2.7.9.2", 5440 "2.7.9.3", 5441 "2.7.9.4", 5442 "2.7.9.5", 5443 "2.7.9.6", 5444 "2.7.9.7", 5445 "2.8.0", 5446 "2.8.0.rc1", 5447 "2.8.0.rc2", 5448 "2.8.1", 5449 "2.8.10", 5450 "2.8.11", 5451 "2.8.11.1", 5452 "2.8.11.2", 5453 "2.8.11.3", 5454 "2.8.11.4", 5455 "2.8.2", 5456 "2.8.3", 5457 "2.8.4", 5458 "2.8.5", 5459 "2.8.6", 5460 "2.8.7", 5461 "2.8.8", 5462 "2.8.8.1", 5463 "2.8.9" 5464 ] 5465 }, 5466 { 5467 "database_specific": { 5468 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-85cw-hj65-qqv9/GHSA-85cw-hj65-qqv9.json" 5469 }, 5470 "package": { 5471 "ecosystem": "Maven", 5472 "name": "com.fasterxml.jackson.core:jackson-databind", 5473 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 5474 }, 5475 "ranges": [ 5476 { 5477 "events": [ 5478 { 5479 "introduced": "0" 5480 }, 5481 { 5482 "fixed": "2.6.7.3" 5483 } 5484 ], 5485 "type": "ECOSYSTEM" 5486 } 5487 ], 5488 "versions": [ 5489 "2.0.0", 5490 "2.0.0-RC1", 5491 "2.0.0-RC2", 5492 "2.0.0-RC3", 5493 "2.0.1", 5494 "2.0.2", 5495 "2.0.4", 5496 "2.0.5", 5497 "2.0.6", 5498 "2.1.0", 5499 "2.1.1", 5500 "2.1.2", 5501 "2.1.3", 5502 "2.1.4", 5503 "2.1.5", 5504 "2.2.0", 5505 "2.2.0-rc1", 5506 "2.2.1", 5507 "2.2.2", 5508 "2.2.3", 5509 "2.2.4", 5510 "2.3.0", 5511 "2.3.0-rc1", 5512 "2.3.1", 5513 "2.3.2", 5514 "2.3.3", 5515 "2.3.4", 5516 "2.3.5", 5517 "2.4.0", 5518 "2.4.0-rc1", 5519 "2.4.0-rc2", 5520 "2.4.0-rc3", 5521 "2.4.1", 5522 "2.4.1.1", 5523 "2.4.1.2", 5524 "2.4.1.3", 5525 "2.4.2", 5526 "2.4.3", 5527 "2.4.4", 5528 "2.4.5", 5529 "2.4.5.1", 5530 "2.4.6", 5531 "2.4.6.1", 5532 "2.5.0", 5533 "2.5.0-rc1", 
5534 "2.5.1", 5535 "2.5.2", 5536 "2.5.3", 5537 "2.5.4", 5538 "2.5.5", 5539 "2.6.0", 5540 "2.6.0-rc1", 5541 "2.6.0-rc2", 5542 "2.6.0-rc3", 5543 "2.6.0-rc4", 5544 "2.6.1", 5545 "2.6.2", 5546 "2.6.3", 5547 "2.6.4", 5548 "2.6.5", 5549 "2.6.6", 5550 "2.6.7", 5551 "2.6.7.1", 5552 "2.6.7.2" 5553 ] 5554 } 5555 ], 5556 "aliases": [ 5557 "CVE-2019-16335" 5558 ], 5559 "database_specific": { 5560 "cwe_ids": [ 5561 "CWE-502" 5562 ], 5563 "github_reviewed": true, 5564 "github_reviewed_at": "2019-09-19T09:22:56Z", 5565 "nvd_published_at": "2019-09-15T22:15:00Z", 5566 "severity": "CRITICAL" 5567 }, 5568 "details": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10, 2.8.11.5, and 2.6.7.3. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.", 5569 "id": "GHSA-85cw-hj65-qqv9", 5570 "modified": "2024-03-15T05:20:15.574552Z", 5571 "published": "2019-09-23T18:33:45Z", 5572 "references": [ 5573 { 5574 "type": "ADVISORY", 5575 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16335" 5576 }, 5577 { 5578 "type": "WEB", 5579 "url": "https://github.com/FasterXML/jackson-databind/issues/2449" 5580 }, 5581 { 5582 "type": "WEB", 5583 "url": "https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db" 5584 }, 5585 { 5586 "type": "WEB", 5587 "url": "https://access.redhat.com/errata/RHSA-2019:3200" 5588 }, 5589 { 5590 "type": "WEB", 5591 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 5592 }, 5593 { 5594 "type": "WEB", 5595 "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" 5596 }, 5597 { 5598 "type": "WEB", 5599 "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" 5600 }, 5601 { 5602 "type": "WEB", 5603 "url": 
"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 5604 }, 5605 { 5606 "type": "WEB", 5607 "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html" 5608 }, 5609 { 5610 "type": "WEB", 5611 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43" 5612 }, 5613 { 5614 "type": "WEB", 5615 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT" 5616 }, 5617 { 5618 "type": "WEB", 5619 "url": "https://seclists.org/bugtraq/2019/Oct/6" 5620 }, 5621 { 5622 "type": "WEB", 5623 "url": "https://security.netapp.com/advisory/ntap-20191004-0002" 5624 }, 5625 { 5626 "type": "WEB", 5627 "url": "https://www.debian.org/security/2019/dsa-4542" 5628 }, 5629 { 5630 "type": "WEB", 5631 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 5632 }, 5633 { 5634 "type": "WEB", 5635 "url": "https://www.oracle.com/security-alerts/cpujan2020.html" 5636 }, 5637 { 5638 "type": "WEB", 5639 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 5640 }, 5641 { 5642 "type": "WEB", 5643 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 5644 }, 5645 { 5646 "type": "WEB", 5647 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 5648 }, 5649 { 5650 "type": "WEB", 5651 "url": "https://access.redhat.com/errata/RHSA-2020:0159" 5652 }, 5653 { 5654 "type": "WEB", 5655 "url": "https://access.redhat.com/errata/RHSA-2020:0160" 5656 }, 5657 { 5658 "type": "WEB", 5659 "url": "https://access.redhat.com/errata/RHSA-2020:0161" 5660 }, 5661 { 5662 "type": "WEB", 5663 "url": "https://access.redhat.com/errata/RHSA-2020:0164" 5664 }, 5665 { 5666 "type": "WEB", 5667 "url": "https://access.redhat.com/errata/RHSA-2020:0445" 5668 }, 5669 { 5670 "type": "WEB", 5671 "url": 
"https://access.redhat.com/errata/RHSA-2020:0729" 5672 }, 5673 { 5674 "type": "PACKAGE", 5675 "url": "https://github.com/FasterXML/jackson-databind" 5676 }, 5677 { 5678 "type": "WEB", 5679 "url": "https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E" 5680 }, 5681 { 5682 "type": "WEB", 5683 "url": "https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd77df28db597cbf27e1@%3Cissues.hbase.apache.org%3E" 5684 }, 5685 { 5686 "type": "WEB", 5687 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 5688 }, 5689 { 5690 "type": "WEB", 5691 "url": "https://lists.apache.org/thread.html/a360b46061c91c5cad789b6c3190aef9b9f223a2b75c9c9f046fe016@%3Cissues.hbase.apache.org%3E" 5692 }, 5693 { 5694 "type": "WEB", 5695 "url": "https://lists.apache.org/thread.html/ad0d238e97a7da5eca47a014f0f7e81f440ed6bf74a93183825e18b9@%3Cissues.hbase.apache.org%3E" 5696 }, 5697 { 5698 "type": "WEB", 5699 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 5700 }, 5701 { 5702 "type": "WEB", 5703 "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" 5704 }, 5705 { 5706 "type": "WEB", 5707 "url": "https://lists.apache.org/thread.html/dc6b5cad721a4f6b3b62ed1163894941140d9d5656140fb757505ca0@%3Cissues.hbase.apache.org%3E" 5708 }, 5709 { 5710 "type": "WEB", 5711 "url": "https://lists.apache.org/thread.html/e90c3feb21702e68a8c08afce37045adb3870f2bf8223fa403fb93fb@%3Ccommits.hbase.apache.org%3E" 5712 } 5713 ], 5714 "schema_version": "1.6.0", 5715 "severity": [ 5716 { 5717 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 5718 "type": "CVSS_V3" 5719 } 5720 ], 5721 "summary": "Polymorphic Typing issue in FasterXML jackson-databind" 5722 }, 5723 { 5724 "affected": [ 5725 { 5726 
"database_specific": { 5727 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-89qr-369f-5m5x/GHSA-89qr-369f-5m5x.json" 5728 }, 5729 "package": { 5730 "ecosystem": "Maven", 5731 "name": "com.fasterxml.jackson.core:jackson-databind", 5732 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 5733 }, 5734 "ranges": [ 5735 { 5736 "events": [ 5737 { 5738 "introduced": "2.7.0" 5739 }, 5740 { 5741 "fixed": "2.9.10.8" 5742 } 5743 ], 5744 "type": "ECOSYSTEM" 5745 } 5746 ], 5747 "versions": [ 5748 "2.7.0", 5749 "2.7.1", 5750 "2.7.1-1", 5751 "2.7.2", 5752 "2.7.3", 5753 "2.7.4", 5754 "2.7.5", 5755 "2.7.6", 5756 "2.7.7", 5757 "2.7.8", 5758 "2.7.9", 5759 "2.7.9.1", 5760 "2.7.9.2", 5761 "2.7.9.3", 5762 "2.7.9.4", 5763 "2.7.9.5", 5764 "2.7.9.6", 5765 "2.7.9.7", 5766 "2.8.0", 5767 "2.8.0.rc1", 5768 "2.8.0.rc2", 5769 "2.8.1", 5770 "2.8.10", 5771 "2.8.11", 5772 "2.8.11.1", 5773 "2.8.11.2", 5774 "2.8.11.3", 5775 "2.8.11.4", 5776 "2.8.11.5", 5777 "2.8.11.6", 5778 "2.8.2", 5779 "2.8.3", 5780 "2.8.4", 5781 "2.8.5", 5782 "2.8.6", 5783 "2.8.7", 5784 "2.8.8", 5785 "2.8.8.1", 5786 "2.8.9", 5787 "2.9.0", 5788 "2.9.0.pr1", 5789 "2.9.0.pr2", 5790 "2.9.0.pr3", 5791 "2.9.0.pr4", 5792 "2.9.1", 5793 "2.9.10", 5794 "2.9.10.1", 5795 "2.9.10.2", 5796 "2.9.10.3", 5797 "2.9.10.4", 5798 "2.9.10.5", 5799 "2.9.10.6", 5800 "2.9.10.7", 5801 "2.9.2", 5802 "2.9.3", 5803 "2.9.4", 5804 "2.9.5", 5805 "2.9.6", 5806 "2.9.7", 5807 "2.9.8", 5808 "2.9.9", 5809 "2.9.9.1", 5810 "2.9.9.2", 5811 "2.9.9.3" 5812 ] 5813 }, 5814 { 5815 "database_specific": { 5816 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-89qr-369f-5m5x/GHSA-89qr-369f-5m5x.json" 5817 }, 5818 "package": { 5819 "ecosystem": "Maven", 5820 "name": "com.fasterxml.jackson.core:jackson-databind", 5821 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 5822 }, 5823 "ranges": [ 5824 { 5825 "events": [ 5826 { 5827 "introduced": 
"2.0.0" 5828 }, 5829 { 5830 "fixed": "2.6.7.5" 5831 } 5832 ], 5833 "type": "ECOSYSTEM" 5834 } 5835 ], 5836 "versions": [ 5837 "2.0.0", 5838 "2.0.1", 5839 "2.0.2", 5840 "2.0.4", 5841 "2.0.5", 5842 "2.0.6", 5843 "2.1.0", 5844 "2.1.1", 5845 "2.1.2", 5846 "2.1.3", 5847 "2.1.4", 5848 "2.1.5", 5849 "2.2.0", 5850 "2.2.0-rc1", 5851 "2.2.1", 5852 "2.2.2", 5853 "2.2.3", 5854 "2.2.4", 5855 "2.3.0", 5856 "2.3.0-rc1", 5857 "2.3.1", 5858 "2.3.2", 5859 "2.3.3", 5860 "2.3.4", 5861 "2.3.5", 5862 "2.4.0", 5863 "2.4.0-rc1", 5864 "2.4.0-rc2", 5865 "2.4.0-rc3", 5866 "2.4.1", 5867 "2.4.1.1", 5868 "2.4.1.2", 5869 "2.4.1.3", 5870 "2.4.2", 5871 "2.4.3", 5872 "2.4.4", 5873 "2.4.5", 5874 "2.4.5.1", 5875 "2.4.6", 5876 "2.4.6.1", 5877 "2.5.0", 5878 "2.5.0-rc1", 5879 "2.5.1", 5880 "2.5.2", 5881 "2.5.3", 5882 "2.5.4", 5883 "2.5.5", 5884 "2.6.0", 5885 "2.6.0-rc1", 5886 "2.6.0-rc2", 5887 "2.6.0-rc3", 5888 "2.6.0-rc4", 5889 "2.6.1", 5890 "2.6.2", 5891 "2.6.3", 5892 "2.6.4", 5893 "2.6.5", 5894 "2.6.6", 5895 "2.6.7", 5896 "2.6.7.1", 5897 "2.6.7.2", 5898 "2.6.7.3", 5899 "2.6.7.4" 5900 ] 5901 } 5902 ], 5903 "aliases": [ 5904 "CVE-2020-36182" 5905 ], 5906 "database_specific": { 5907 "cwe_ids": [ 5908 "CWE-502" 5909 ], 5910 "github_reviewed": true, 5911 "github_reviewed_at": "2021-03-18T23:37:58Z", 5912 "nvd_published_at": "2021-01-07T00:15:00Z", 5913 "severity": "HIGH" 5914 }, 5915 "details": "FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.", 5916 "id": "GHSA-89qr-369f-5m5x", 5917 "modified": "2024-02-18T05:37:27.581808Z", 5918 "published": "2021-12-09T19:15:46Z", 5919 "references": [ 5920 { 5921 "type": "ADVISORY", 5922 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36182" 5923 }, 5924 { 5925 "type": "WEB", 5926 "url": "https://github.com/FasterXML/jackson-databind/issues/3004" 5927 }, 5928 { 5929 "type": "WEB", 5930 "url": 
"https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b" 5931 }, 5932 { 5933 "type": "WEB", 5934 "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 5935 }, 5936 { 5937 "type": "PACKAGE", 5938 "url": "https://github.com/FasterXML/jackson-databind" 5939 }, 5940 { 5941 "type": "WEB", 5942 "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" 5943 }, 5944 { 5945 "type": "WEB", 5946 "url": "https://security.netapp.com/advisory/ntap-20210205-0005" 5947 }, 5948 { 5949 "type": "WEB", 5950 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 5951 }, 5952 { 5953 "type": "WEB", 5954 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 5955 }, 5956 { 5957 "type": "WEB", 5958 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 5959 }, 5960 { 5961 "type": "WEB", 5962 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 5963 }, 5964 { 5965 "type": "WEB", 5966 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 5967 }, 5968 { 5969 "type": "WEB", 5970 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 5971 } 5972 ], 5973 "schema_version": "1.6.0", 5974 "severity": [ 5975 { 5976 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 5977 "type": "CVSS_V3" 5978 } 5979 ], 5980 "summary": "Unsafe Deserialization in jackson-databind" 5981 }, 5982 { 5983 "affected": [ 5984 { 5985 "database_specific": { 5986 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-8c4j-34r4-xr8g/GHSA-8c4j-34r4-xr8g.json" 5987 }, 5988 "package": { 5989 "ecosystem": "Maven", 5990 "name": "com.fasterxml.jackson.core:jackson-databind", 5991 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 5992 }, 5993 "ranges": [ 5994 { 5995 "events": [ 5996 { 5997 "introduced": "2.7.0" 5998 }, 5999 { 6000 "fixed": "2.9.10.8" 6001 } 6002 ], 6003 "type": "ECOSYSTEM" 6004 } 
6005 ], 6006 "versions": [ 6007 "2.7.0", 6008 "2.7.1", 6009 "2.7.1-1", 6010 "2.7.2", 6011 "2.7.3", 6012 "2.7.4", 6013 "2.7.5", 6014 "2.7.6", 6015 "2.7.7", 6016 "2.7.8", 6017 "2.7.9", 6018 "2.7.9.1", 6019 "2.7.9.2", 6020 "2.7.9.3", 6021 "2.7.9.4", 6022 "2.7.9.5", 6023 "2.7.9.6", 6024 "2.7.9.7", 6025 "2.8.0", 6026 "2.8.0.rc1", 6027 "2.8.0.rc2", 6028 "2.8.1", 6029 "2.8.10", 6030 "2.8.11", 6031 "2.8.11.1", 6032 "2.8.11.2", 6033 "2.8.11.3", 6034 "2.8.11.4", 6035 "2.8.11.5", 6036 "2.8.11.6", 6037 "2.8.2", 6038 "2.8.3", 6039 "2.8.4", 6040 "2.8.5", 6041 "2.8.6", 6042 "2.8.7", 6043 "2.8.8", 6044 "2.8.8.1", 6045 "2.8.9", 6046 "2.9.0", 6047 "2.9.0.pr1", 6048 "2.9.0.pr2", 6049 "2.9.0.pr3", 6050 "2.9.0.pr4", 6051 "2.9.1", 6052 "2.9.10", 6053 "2.9.10.1", 6054 "2.9.10.2", 6055 "2.9.10.3", 6056 "2.9.10.4", 6057 "2.9.10.5", 6058 "2.9.10.6", 6059 "2.9.10.7", 6060 "2.9.2", 6061 "2.9.3", 6062 "2.9.4", 6063 "2.9.5", 6064 "2.9.6", 6065 "2.9.7", 6066 "2.9.8", 6067 "2.9.9", 6068 "2.9.9.1", 6069 "2.9.9.2", 6070 "2.9.9.3" 6071 ] 6072 }, 6073 { 6074 "database_specific": { 6075 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-8c4j-34r4-xr8g/GHSA-8c4j-34r4-xr8g.json" 6076 }, 6077 "package": { 6078 "ecosystem": "Maven", 6079 "name": "com.fasterxml.jackson.core:jackson-databind", 6080 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 6081 }, 6082 "ranges": [ 6083 { 6084 "events": [ 6085 { 6086 "introduced": "2.0.0" 6087 }, 6088 { 6089 "fixed": "2.6.7.5" 6090 } 6091 ], 6092 "type": "ECOSYSTEM" 6093 } 6094 ], 6095 "versions": [ 6096 "2.0.0", 6097 "2.0.1", 6098 "2.0.2", 6099 "2.0.4", 6100 "2.0.5", 6101 "2.0.6", 6102 "2.1.0", 6103 "2.1.1", 6104 "2.1.2", 6105 "2.1.3", 6106 "2.1.4", 6107 "2.1.5", 6108 "2.2.0", 6109 "2.2.0-rc1", 6110 "2.2.1", 6111 "2.2.2", 6112 "2.2.3", 6113 "2.2.4", 6114 "2.3.0", 6115 "2.3.0-rc1", 6116 "2.3.1", 6117 "2.3.2", 6118 "2.3.3", 6119 "2.3.4", 6120 "2.3.5", 6121 "2.4.0", 6122 "2.4.0-rc1", 6123 "2.4.0-rc2", 
6124 "2.4.0-rc3", 6125 "2.4.1", 6126 "2.4.1.1", 6127 "2.4.1.2", 6128 "2.4.1.3", 6129 "2.4.2", 6130 "2.4.3", 6131 "2.4.4", 6132 "2.4.5", 6133 "2.4.5.1", 6134 "2.4.6", 6135 "2.4.6.1", 6136 "2.5.0", 6137 "2.5.0-rc1", 6138 "2.5.1", 6139 "2.5.2", 6140 "2.5.3", 6141 "2.5.4", 6142 "2.5.5", 6143 "2.6.0", 6144 "2.6.0-rc1", 6145 "2.6.0-rc2", 6146 "2.6.0-rc3", 6147 "2.6.0-rc4", 6148 "2.6.1", 6149 "2.6.2", 6150 "2.6.3", 6151 "2.6.4", 6152 "2.6.5", 6153 "2.6.6", 6154 "2.6.7", 6155 "2.6.7.1", 6156 "2.6.7.2", 6157 "2.6.7.3", 6158 "2.6.7.4" 6159 ] 6160 } 6161 ], 6162 "aliases": [ 6163 "CVE-2020-36180" 6164 ], 6165 "database_specific": { 6166 "cwe_ids": [ 6167 "CWE-502" 6168 ], 6169 "github_reviewed": true, 6170 "github_reviewed_at": "2021-03-18T23:36:46Z", 6171 "nvd_published_at": "2021-01-07T00:15:00Z", 6172 "severity": "HIGH" 6173 }, 6174 "details": "FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.", 6175 "id": "GHSA-8c4j-34r4-xr8g", 6176 "modified": "2024-02-18T05:31:52.762759Z", 6177 "published": "2021-12-09T19:16:18Z", 6178 "references": [ 6179 { 6180 "type": "ADVISORY", 6181 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36180" 6182 }, 6183 { 6184 "type": "WEB", 6185 "url": "https://github.com/FasterXML/jackson-databind/issues/3004" 6186 }, 6187 { 6188 "type": "WEB", 6189 "url": "https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b" 6190 }, 6191 { 6192 "type": "WEB", 6193 "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 6194 }, 6195 { 6196 "type": "PACKAGE", 6197 "url": "https://github.com/FasterXML/jackson-databind" 6198 }, 6199 { 6200 "type": "WEB", 6201 "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" 6202 }, 6203 { 6204 "type": "WEB", 6205 "url": 
"https://security.netapp.com/advisory/ntap-20210205-0005" 6206 }, 6207 { 6208 "type": "WEB", 6209 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 6210 }, 6211 { 6212 "type": "WEB", 6213 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 6214 }, 6215 { 6216 "type": "WEB", 6217 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 6218 }, 6219 { 6220 "type": "WEB", 6221 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 6222 }, 6223 { 6224 "type": "WEB", 6225 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 6226 }, 6227 { 6228 "type": "WEB", 6229 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 6230 } 6231 ], 6232 "schema_version": "1.6.0", 6233 "severity": [ 6234 { 6235 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 6236 "type": "CVSS_V3" 6237 } 6238 ], 6239 "summary": "Unsafe Deserialization in jackson-databind" 6240 }, 6241 { 6242 "affected": [ 6243 { 6244 "database_specific": { 6245 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-8w26-6f25-cm9x/GHSA-8w26-6f25-cm9x.json" 6246 }, 6247 "package": { 6248 "ecosystem": "Maven", 6249 "name": "com.fasterxml.jackson.core:jackson-databind", 6250 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 6251 }, 6252 "ranges": [ 6253 { 6254 "events": [ 6255 { 6256 "introduced": "2.0.0" 6257 }, 6258 { 6259 "fixed": "2.9.10.8" 6260 } 6261 ], 6262 "type": "ECOSYSTEM" 6263 } 6264 ], 6265 "versions": [ 6266 "2.0.0", 6267 "2.0.1", 6268 "2.0.2", 6269 "2.0.4", 6270 "2.0.5", 6271 "2.0.6", 6272 "2.1.0", 6273 "2.1.1", 6274 "2.1.2", 6275 "2.1.3", 6276 "2.1.4", 6277 "2.1.5", 6278 "2.2.0", 6279 "2.2.0-rc1", 6280 "2.2.1", 6281 "2.2.2", 6282 "2.2.3", 6283 "2.2.4", 6284 "2.3.0", 6285 "2.3.0-rc1", 6286 "2.3.1", 6287 "2.3.2", 6288 "2.3.3", 6289 "2.3.4", 6290 "2.3.5", 6291 "2.4.0", 6292 "2.4.0-rc1", 6293 "2.4.0-rc2", 6294 "2.4.0-rc3", 6295 "2.4.1", 6296 "2.4.1.1", 6297 "2.4.1.2", 6298 
"2.4.1.3", 6299 "2.4.2", 6300 "2.4.3", 6301 "2.4.4", 6302 "2.4.5", 6303 "2.4.5.1", 6304 "2.4.6", 6305 "2.4.6.1", 6306 "2.5.0", 6307 "2.5.0-rc1", 6308 "2.5.1", 6309 "2.5.2", 6310 "2.5.3", 6311 "2.5.4", 6312 "2.5.5", 6313 "2.6.0", 6314 "2.6.0-rc1", 6315 "2.6.0-rc2", 6316 "2.6.0-rc3", 6317 "2.6.0-rc4", 6318 "2.6.1", 6319 "2.6.2", 6320 "2.6.3", 6321 "2.6.4", 6322 "2.6.5", 6323 "2.6.6", 6324 "2.6.7", 6325 "2.6.7.1", 6326 "2.6.7.2", 6327 "2.6.7.3", 6328 "2.6.7.4", 6329 "2.6.7.5", 6330 "2.7.0", 6331 "2.7.0-rc1", 6332 "2.7.0-rc2", 6333 "2.7.0-rc3", 6334 "2.7.1", 6335 "2.7.1-1", 6336 "2.7.2", 6337 "2.7.3", 6338 "2.7.4", 6339 "2.7.5", 6340 "2.7.6", 6341 "2.7.7", 6342 "2.7.8", 6343 "2.7.9", 6344 "2.7.9.1", 6345 "2.7.9.2", 6346 "2.7.9.3", 6347 "2.7.9.4", 6348 "2.7.9.5", 6349 "2.7.9.6", 6350 "2.7.9.7", 6351 "2.8.0", 6352 "2.8.0.rc1", 6353 "2.8.0.rc2", 6354 "2.8.1", 6355 "2.8.10", 6356 "2.8.11", 6357 "2.8.11.1", 6358 "2.8.11.2", 6359 "2.8.11.3", 6360 "2.8.11.4", 6361 "2.8.11.5", 6362 "2.8.11.6", 6363 "2.8.2", 6364 "2.8.3", 6365 "2.8.4", 6366 "2.8.5", 6367 "2.8.6", 6368 "2.8.7", 6369 "2.8.8", 6370 "2.8.8.1", 6371 "2.8.9", 6372 "2.9.0", 6373 "2.9.0.pr1", 6374 "2.9.0.pr2", 6375 "2.9.0.pr3", 6376 "2.9.0.pr4", 6377 "2.9.1", 6378 "2.9.10", 6379 "2.9.10.1", 6380 "2.9.10.2", 6381 "2.9.10.3", 6382 "2.9.10.4", 6383 "2.9.10.5", 6384 "2.9.10.6", 6385 "2.9.10.7", 6386 "2.9.2", 6387 "2.9.3", 6388 "2.9.4", 6389 "2.9.5", 6390 "2.9.6", 6391 "2.9.7", 6392 "2.9.8", 6393 "2.9.9", 6394 "2.9.9.1", 6395 "2.9.9.2", 6396 "2.9.9.3" 6397 ] 6398 } 6399 ], 6400 "aliases": [ 6401 "CVE-2020-36185" 6402 ], 6403 "database_specific": { 6404 "cwe_ids": [ 6405 "CWE-502" 6406 ], 6407 "github_reviewed": true, 6408 "github_reviewed_at": "2021-03-18T23:37:42Z", 6409 "nvd_published_at": "2021-01-06T23:15:00Z", 6410 "severity": "HIGH" 6411 }, 6412 "details": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to 
`org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource`.", 6413 "id": "GHSA-8w26-6f25-cm9x", 6414 "modified": "2024-02-18T05:30:48.085017Z", 6415 "published": "2021-12-09T19:16:02Z", 6416 "references": [ 6417 { 6418 "type": "ADVISORY", 6419 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36185" 6420 }, 6421 { 6422 "type": "WEB", 6423 "url": "https://github.com/FasterXML/jackson-databind/issues/2998" 6424 }, 6425 { 6426 "type": "WEB", 6427 "url": "https://github.com/FasterXML/jackson-databind/commit/567194c53ae91f0a14dc27239afb739b1c10448a" 6428 }, 6429 { 6430 "type": "WEB", 6431 "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 6432 }, 6433 { 6434 "type": "PACKAGE", 6435 "url": "https://github.com/FasterXML/jackson-databind" 6436 }, 6437 { 6438 "type": "WEB", 6439 "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" 6440 }, 6441 { 6442 "type": "WEB", 6443 "url": "https://security.netapp.com/advisory/ntap-20210205-0005" 6444 }, 6445 { 6446 "type": "WEB", 6447 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 6448 }, 6449 { 6450 "type": "WEB", 6451 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 6452 }, 6453 { 6454 "type": "WEB", 6455 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 6456 }, 6457 { 6458 "type": "WEB", 6459 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 6460 }, 6461 { 6462 "type": "WEB", 6463 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 6464 }, 6465 { 6466 "type": "WEB", 6467 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 6468 } 6469 ], 6470 "schema_version": "1.6.0", 6471 "severity": [ 6472 { 6473 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 6474 "type": "CVSS_V3" 6475 } 6476 ], 6477 "summary": "Unsafe Deserialization in jackson-databind" 6478 }, 6479 { 6480 "affected": [ 6481 { 6482 "database_specific": { 6483 "last_known_affected_version_range": 
"\u003c= 2.9.10.3", 6484 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-95cm-88f5-f2c7/GHSA-95cm-88f5-f2c7.json" 6485 }, 6486 "package": { 6487 "ecosystem": "Maven", 6488 "name": "com.fasterxml.jackson.core:jackson-databind", 6489 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 6490 }, 6491 "ranges": [ 6492 { 6493 "events": [ 6494 { 6495 "introduced": "2.9.0" 6496 }, 6497 { 6498 "fixed": "2.9.10.4" 6499 } 6500 ], 6501 "type": "ECOSYSTEM" 6502 } 6503 ], 6504 "versions": [ 6505 "2.9.0", 6506 "2.9.0.pr1", 6507 "2.9.0.pr2", 6508 "2.9.0.pr3", 6509 "2.9.0.pr4", 6510 "2.9.1", 6511 "2.9.10", 6512 "2.9.10.1", 6513 "2.9.10.2", 6514 "2.9.10.3", 6515 "2.9.2", 6516 "2.9.3", 6517 "2.9.4", 6518 "2.9.5", 6519 "2.9.6", 6520 "2.9.7", 6521 "2.9.8", 6522 "2.9.9", 6523 "2.9.9.1", 6524 "2.9.9.2", 6525 "2.9.9.3" 6526 ] 6527 } 6528 ], 6529 "aliases": [ 6530 "CVE-2020-10672" 6531 ], 6532 "database_specific": { 6533 "cwe_ids": [ 6534 "CWE-502" 6535 ], 6536 "github_reviewed": true, 6537 "github_reviewed_at": "2020-04-22T21:12:55Z", 6538 "nvd_published_at": "2020-03-18T22:15:00Z", 6539 "severity": "HIGH" 6540 }, 6541 "details": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).", 6542 "id": "GHSA-95cm-88f5-f2c7", 6543 "modified": "2024-07-03T21:23:01.986952Z", 6544 "published": "2020-04-23T16:32:59Z", 6545 "references": [ 6546 { 6547 "type": "ADVISORY", 6548 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10672" 6549 }, 6550 { 6551 "type": "WEB", 6552 "url": "https://github.com/FasterXML/jackson-databind/issues/2659" 6553 }, 6554 { 6555 "type": "WEB", 6556 "url": "https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88" 6557 }, 6558 { 6559 "type": "WEB", 6560 "url": 
"https://github.com/FasterXML/jackson-databind/commit/592872f4235c7f2a3280725278da55544032f72d" 6561 }, 6562 { 6563 "type": "PACKAGE", 6564 "url": "https://github.com/FasterXML/jackson-databind" 6565 }, 6566 { 6567 "type": "WEB", 6568 "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html" 6569 }, 6570 { 6571 "type": "WEB", 6572 "url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 6573 }, 6574 { 6575 "type": "WEB", 6576 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 6577 }, 6578 { 6579 "type": "WEB", 6580 "url": "https://security.netapp.com/advisory/ntap-20200403-0002" 6581 }, 6582 { 6583 "type": "WEB", 6584 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 6585 }, 6586 { 6587 "type": "WEB", 6588 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 6589 }, 6590 { 6591 "type": "WEB", 6592 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 6593 }, 6594 { 6595 "type": "WEB", 6596 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 6597 } 6598 ], 6599 "schema_version": "1.6.0", 6600 "severity": [ 6601 { 6602 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", 6603 "type": "CVSS_V3" 6604 } 6605 ], 6606 "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing" 6607 }, 6608 { 6609 "affected": [ 6610 { 6611 "database_specific": { 6612 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-9gph-22xh-8x98/GHSA-9gph-22xh-8x98.json" 6613 }, 6614 "package": { 6615 "ecosystem": "Maven", 6616 "name": "com.fasterxml.jackson.core:jackson-databind", 6617 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 6618 }, 6619 "ranges": [ 6620 { 6621 "events": [ 6622 { 6623 "introduced": "2.7.0" 6624 }, 6625 { 6626 "fixed": "2.9.10.8" 6627 } 6628 ], 6629 "type": "ECOSYSTEM" 6630 } 6631 ], 6632 
"versions": [ 6633 "2.7.0", 6634 "2.7.1", 6635 "2.7.1-1", 6636 "2.7.2", 6637 "2.7.3", 6638 "2.7.4", 6639 "2.7.5", 6640 "2.7.6", 6641 "2.7.7", 6642 "2.7.8", 6643 "2.7.9", 6644 "2.7.9.1", 6645 "2.7.9.2", 6646 "2.7.9.3", 6647 "2.7.9.4", 6648 "2.7.9.5", 6649 "2.7.9.6", 6650 "2.7.9.7", 6651 "2.8.0", 6652 "2.8.0.rc1", 6653 "2.8.0.rc2", 6654 "2.8.1", 6655 "2.8.10", 6656 "2.8.11", 6657 "2.8.11.1", 6658 "2.8.11.2", 6659 "2.8.11.3", 6660 "2.8.11.4", 6661 "2.8.11.5", 6662 "2.8.11.6", 6663 "2.8.2", 6664 "2.8.3", 6665 "2.8.4", 6666 "2.8.5", 6667 "2.8.6", 6668 "2.8.7", 6669 "2.8.8", 6670 "2.8.8.1", 6671 "2.8.9", 6672 "2.9.0", 6673 "2.9.0.pr1", 6674 "2.9.0.pr2", 6675 "2.9.0.pr3", 6676 "2.9.0.pr4", 6677 "2.9.1", 6678 "2.9.10", 6679 "2.9.10.1", 6680 "2.9.10.2", 6681 "2.9.10.3", 6682 "2.9.10.4", 6683 "2.9.10.5", 6684 "2.9.10.6", 6685 "2.9.10.7", 6686 "2.9.2", 6687 "2.9.3", 6688 "2.9.4", 6689 "2.9.5", 6690 "2.9.6", 6691 "2.9.7", 6692 "2.9.8", 6693 "2.9.9", 6694 "2.9.9.1", 6695 "2.9.9.2", 6696 "2.9.9.3" 6697 ] 6698 }, 6699 { 6700 "database_specific": { 6701 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-9gph-22xh-8x98/GHSA-9gph-22xh-8x98.json" 6702 }, 6703 "package": { 6704 "ecosystem": "Maven", 6705 "name": "com.fasterxml.jackson.core:jackson-databind", 6706 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 6707 }, 6708 "ranges": [ 6709 { 6710 "events": [ 6711 { 6712 "introduced": "2.0.0" 6713 }, 6714 { 6715 "fixed": "2.6.7.5" 6716 } 6717 ], 6718 "type": "ECOSYSTEM" 6719 } 6720 ], 6721 "versions": [ 6722 "2.0.0", 6723 "2.0.1", 6724 "2.0.2", 6725 "2.0.4", 6726 "2.0.5", 6727 "2.0.6", 6728 "2.1.0", 6729 "2.1.1", 6730 "2.1.2", 6731 "2.1.3", 6732 "2.1.4", 6733 "2.1.5", 6734 "2.2.0", 6735 "2.2.0-rc1", 6736 "2.2.1", 6737 "2.2.2", 6738 "2.2.3", 6739 "2.2.4", 6740 "2.3.0", 6741 "2.3.0-rc1", 6742 "2.3.1", 6743 "2.3.2", 6744 "2.3.3", 6745 "2.3.4", 6746 "2.3.5", 6747 "2.4.0", 6748 "2.4.0-rc1", 6749 "2.4.0-rc2", 6750 
"2.4.0-rc3", 6751 "2.4.1", 6752 "2.4.1.1", 6753 "2.4.1.2", 6754 "2.4.1.3", 6755 "2.4.2", 6756 "2.4.3", 6757 "2.4.4", 6758 "2.4.5", 6759 "2.4.5.1", 6760 "2.4.6", 6761 "2.4.6.1", 6762 "2.5.0", 6763 "2.5.0-rc1", 6764 "2.5.1", 6765 "2.5.2", 6766 "2.5.3", 6767 "2.5.4", 6768 "2.5.5", 6769 "2.6.0", 6770 "2.6.0-rc1", 6771 "2.6.0-rc2", 6772 "2.6.0-rc3", 6773 "2.6.0-rc4", 6774 "2.6.1", 6775 "2.6.2", 6776 "2.6.3", 6777 "2.6.4", 6778 "2.6.5", 6779 "2.6.6", 6780 "2.6.7", 6781 "2.6.7.1", 6782 "2.6.7.2", 6783 "2.6.7.3", 6784 "2.6.7.4" 6785 ] 6786 } 6787 ], 6788 "aliases": [ 6789 "CVE-2020-36179" 6790 ], 6791 "database_specific": { 6792 "cwe_ids": [ 6793 "CWE-502" 6794 ], 6795 "github_reviewed": true, 6796 "github_reviewed_at": "2021-03-18T23:37:47Z", 6797 "nvd_published_at": "2021-01-07T00:15:00Z", 6798 "severity": "HIGH" 6799 }, 6800 "details": "FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to `oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS`.", 6801 "id": "GHSA-9gph-22xh-8x98", 6802 "modified": "2024-02-18T05:33:27.617261Z", 6803 "published": "2021-12-09T19:15:54Z", 6804 "references": [ 6805 { 6806 "type": "ADVISORY", 6807 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36179" 6808 }, 6809 { 6810 "type": "WEB", 6811 "url": "https://github.com/FasterXML/jackson-databind/issues/3004" 6812 }, 6813 { 6814 "type": "WEB", 6815 "url": "https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b" 6816 }, 6817 { 6818 "type": "WEB", 6819 "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 6820 }, 6821 { 6822 "type": "PACKAGE", 6823 "url": "https://github.com/FasterXML/jackson-databind" 6824 }, 6825 { 6826 "type": "WEB", 6827 "url": "https://lists.apache.org/thread.html/rc255f41d9a61d3dc79a51fb5c713de4ae10e71e3673feeb0b180b436@%3Cissues.spark.apache.org%3E" 6828 }, 6829 { 6830 "type": "WEB", 6831 
"url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" 6832 }, 6833 { 6834 "type": "WEB", 6835 "url": "https://security.netapp.com/advisory/ntap-20210205-0005" 6836 }, 6837 { 6838 "type": "WEB", 6839 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 6840 }, 6841 { 6842 "type": "WEB", 6843 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 6844 }, 6845 { 6846 "type": "WEB", 6847 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 6848 }, 6849 { 6850 "type": "WEB", 6851 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 6852 }, 6853 { 6854 "type": "WEB", 6855 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 6856 }, 6857 { 6858 "type": "WEB", 6859 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 6860 } 6861 ], 6862 "schema_version": "1.6.0", 6863 "severity": [ 6864 { 6865 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 6866 "type": "CVSS_V3" 6867 } 6868 ], 6869 "summary": "Unsafe Deserialization in jackson-databind" 6870 }, 6871 { 6872 "affected": [ 6873 { 6874 "database_specific": { 6875 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-9m6f-7xcq-8vf8/GHSA-9m6f-7xcq-8vf8.json" 6876 }, 6877 "package": { 6878 "ecosystem": "Maven", 6879 "name": "com.fasterxml.jackson.core:jackson-databind", 6880 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 6881 }, 6882 "ranges": [ 6883 { 6884 "events": [ 6885 { 6886 "introduced": "2.7.00" 6887 }, 6888 { 6889 "fixed": "2.9.10.8" 6890 } 6891 ], 6892 "type": "ECOSYSTEM" 6893 } 6894 ], 6895 "versions": [ 6896 "2.7.0", 6897 "2.7.1", 6898 "2.7.1-1", 6899 "2.7.2", 6900 "2.7.3", 6901 "2.7.4", 6902 "2.7.5", 6903 "2.7.6", 6904 "2.7.7", 6905 "2.7.8", 6906 "2.7.9", 6907 "2.7.9.1", 6908 "2.7.9.2", 6909 "2.7.9.3", 6910 "2.7.9.4", 6911 "2.7.9.5", 6912 "2.7.9.6", 6913 "2.7.9.7", 6914 "2.8.0", 6915 "2.8.0.rc1", 6916 "2.8.0.rc2", 6917 "2.8.1", 6918 "2.8.10", 6919 
"2.8.11", 6920 "2.8.11.1", 6921 "2.8.11.2", 6922 "2.8.11.3", 6923 "2.8.11.4", 6924 "2.8.11.5", 6925 "2.8.11.6", 6926 "2.8.2", 6927 "2.8.3", 6928 "2.8.4", 6929 "2.8.5", 6930 "2.8.6", 6931 "2.8.7", 6932 "2.8.8", 6933 "2.8.8.1", 6934 "2.8.9", 6935 "2.9.0", 6936 "2.9.0.pr1", 6937 "2.9.0.pr2", 6938 "2.9.0.pr3", 6939 "2.9.0.pr4", 6940 "2.9.1", 6941 "2.9.10", 6942 "2.9.10.1", 6943 "2.9.10.2", 6944 "2.9.10.3", 6945 "2.9.10.4", 6946 "2.9.10.5", 6947 "2.9.10.6", 6948 "2.9.10.7", 6949 "2.9.2", 6950 "2.9.3", 6951 "2.9.4", 6952 "2.9.5", 6953 "2.9.6", 6954 "2.9.7", 6955 "2.9.8", 6956 "2.9.9", 6957 "2.9.9.1", 6958 "2.9.9.2", 6959 "2.9.9.3" 6960 ] 6961 }, 6962 { 6963 "database_specific": { 6964 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-9m6f-7xcq-8vf8/GHSA-9m6f-7xcq-8vf8.json" 6965 }, 6966 "package": { 6967 "ecosystem": "Maven", 6968 "name": "com.fasterxml.jackson.core:jackson-databind", 6969 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 6970 }, 6971 "ranges": [ 6972 { 6973 "events": [ 6974 { 6975 "introduced": "2.0.0" 6976 }, 6977 { 6978 "fixed": "2.6.7.5" 6979 } 6980 ], 6981 "type": "ECOSYSTEM" 6982 } 6983 ], 6984 "versions": [ 6985 "2.0.0", 6986 "2.0.1", 6987 "2.0.2", 6988 "2.0.4", 6989 "2.0.5", 6990 "2.0.6", 6991 "2.1.0", 6992 "2.1.1", 6993 "2.1.2", 6994 "2.1.3", 6995 "2.1.4", 6996 "2.1.5", 6997 "2.2.0", 6998 "2.2.0-rc1", 6999 "2.2.1", 7000 "2.2.2", 7001 "2.2.3", 7002 "2.2.4", 7003 "2.3.0", 7004 "2.3.0-rc1", 7005 "2.3.1", 7006 "2.3.2", 7007 "2.3.3", 7008 "2.3.4", 7009 "2.3.5", 7010 "2.4.0", 7011 "2.4.0-rc1", 7012 "2.4.0-rc2", 7013 "2.4.0-rc3", 7014 "2.4.1", 7015 "2.4.1.1", 7016 "2.4.1.2", 7017 "2.4.1.3", 7018 "2.4.2", 7019 "2.4.3", 7020 "2.4.4", 7021 "2.4.5", 7022 "2.4.5.1", 7023 "2.4.6", 7024 "2.4.6.1", 7025 "2.5.0", 7026 "2.5.0-rc1", 7027 "2.5.1", 7028 "2.5.2", 7029 "2.5.3", 7030 "2.5.4", 7031 "2.5.5", 7032 "2.6.0", 7033 "2.6.0-rc1", 7034 "2.6.0-rc2", 7035 "2.6.0-rc3", 7036 "2.6.0-rc4", 7037 
"2.6.1", 7038 "2.6.2", 7039 "2.6.3", 7040 "2.6.4", 7041 "2.6.5", 7042 "2.6.6", 7043 "2.6.7", 7044 "2.6.7.1", 7045 "2.6.7.2", 7046 "2.6.7.3", 7047 "2.6.7.4" 7048 ] 7049 } 7050 ], 7051 "aliases": [ 7052 "CVE-2020-36183" 7053 ], 7054 "database_specific": { 7055 "cwe_ids": [ 7056 "CWE-502" 7057 ], 7058 "github_reviewed": true, 7059 "github_reviewed_at": "2021-03-18T23:27:59Z", 7060 "nvd_published_at": "2021-01-07T00:15:00Z", 7061 "severity": "HIGH" 7062 }, 7063 "details": "FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.", 7064 "id": "GHSA-9m6f-7xcq-8vf8", 7065 "modified": "2024-02-18T05:32:25.400029Z", 7066 "published": "2021-12-09T19:16:34Z", 7067 "references": [ 7068 { 7069 "type": "ADVISORY", 7070 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36183" 7071 }, 7072 { 7073 "type": "WEB", 7074 "url": "https://github.com/FasterXML/jackson-databind/issues/3003" 7075 }, 7076 { 7077 "type": "WEB", 7078 "url": "https://github.com/FasterXML/jackson-databind/commit/12e23c962ffb4cf1857c5461d72ae54cc8008f29" 7079 }, 7080 { 7081 "type": "WEB", 7082 "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 7083 }, 7084 { 7085 "type": "PACKAGE", 7086 "url": "https://github.com/FasterXML/jackson-databind" 7087 }, 7088 { 7089 "type": "WEB", 7090 "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" 7091 }, 7092 { 7093 "type": "WEB", 7094 "url": "https://security.netapp.com/advisory/ntap-20210205-0005" 7095 }, 7096 { 7097 "type": "WEB", 7098 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 7099 }, 7100 { 7101 "type": "WEB", 7102 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 7103 }, 7104 { 7105 "type": "WEB", 7106 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 7107 }, 7108 { 7109 "type": "WEB", 7110 "url": 
"https://www.oracle.com/security-alerts/cpujan2022.html" 7111 }, 7112 { 7113 "type": "WEB", 7114 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 7115 }, 7116 { 7117 "type": "WEB", 7118 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 7119 } 7120 ], 7121 "schema_version": "1.6.0", 7122 "severity": [ 7123 { 7124 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 7125 "type": "CVSS_V3" 7126 } 7127 ], 7128 "summary": "Unsafe Deserialization in jackson-databind" 7129 }, 7130 { 7131 "affected": [ 7132 { 7133 "database_specific": { 7134 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-9mxf-g3x6-wv74/GHSA-9mxf-g3x6-wv74.json" 7135 }, 7136 "package": { 7137 "ecosystem": "Maven", 7138 "name": "com.fasterxml.jackson.core:jackson-databind", 7139 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 7140 }, 7141 "ranges": [ 7142 { 7143 "events": [ 7144 { 7145 "introduced": "2.9.0" 7146 }, 7147 { 7148 "fixed": "2.9.7" 7149 } 7150 ], 7151 "type": "ECOSYSTEM" 7152 } 7153 ], 7154 "versions": [ 7155 "2.9.0", 7156 "2.9.0.pr1", 7157 "2.9.0.pr2", 7158 "2.9.0.pr3", 7159 "2.9.0.pr4", 7160 "2.9.1", 7161 "2.9.2", 7162 "2.9.3", 7163 "2.9.4", 7164 "2.9.5", 7165 "2.9.6" 7166 ] 7167 }, 7168 { 7169 "database_specific": { 7170 "last_known_affected_version_range": "\u003c= 2.8.11.2", 7171 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-9mxf-g3x6-wv74/GHSA-9mxf-g3x6-wv74.json" 7172 }, 7173 "package": { 7174 "ecosystem": "Maven", 7175 "name": "com.fasterxml.jackson.core:jackson-databind", 7176 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 7177 }, 7178 "ranges": [ 7179 { 7180 "events": [ 7181 { 7182 "introduced": "2.8.0" 7183 }, 7184 { 7185 "fixed": "2.8.11.3" 7186 } 7187 ], 7188 "type": "ECOSYSTEM" 7189 } 7190 ], 7191 "versions": [ 7192 "2.8.0", 7193 "2.8.1", 7194 "2.8.10", 7195 "2.8.11", 7196 "2.8.11.1", 7197 "2.8.11.2", 
7198 "2.8.2", 7199 "2.8.3", 7200 "2.8.4", 7201 "2.8.5", 7202 "2.8.6", 7203 "2.8.7", 7204 "2.8.8", 7205 "2.8.8.1", 7206 "2.8.9" 7207 ] 7208 }, 7209 { 7210 "database_specific": { 7211 "last_known_affected_version_range": "\u003c= 2.7.9.4", 7212 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-9mxf-g3x6-wv74/GHSA-9mxf-g3x6-wv74.json" 7213 }, 7214 "package": { 7215 "ecosystem": "Maven", 7216 "name": "com.fasterxml.jackson.core:jackson-databind", 7217 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 7218 }, 7219 "ranges": [ 7220 { 7221 "events": [ 7222 { 7223 "introduced": "2.7.0" 7224 }, 7225 { 7226 "fixed": "2.7.9.5" 7227 } 7228 ], 7229 "type": "ECOSYSTEM" 7230 } 7231 ], 7232 "versions": [ 7233 "2.7.0", 7234 "2.7.1", 7235 "2.7.1-1", 7236 "2.7.2", 7237 "2.7.3", 7238 "2.7.4", 7239 "2.7.5", 7240 "2.7.6", 7241 "2.7.7", 7242 "2.7.8", 7243 "2.7.9", 7244 "2.7.9.1", 7245 "2.7.9.2", 7246 "2.7.9.3", 7247 "2.7.9.4" 7248 ] 7249 } 7250 ], 7251 "aliases": [ 7252 "CVE-2018-14721" 7253 ], 7254 "database_specific": { 7255 "cwe_ids": [ 7256 "CWE-918" 7257 ], 7258 "github_reviewed": true, 7259 "github_reviewed_at": "2020-06-16T21:29:04Z", 7260 "nvd_published_at": null, 7261 "severity": "CRITICAL" 7262 }, 7263 "details": "FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.", 7264 "id": "GHSA-9mxf-g3x6-wv74", 7265 "modified": "2024-03-14T05:33:39.45989Z", 7266 "published": "2019-01-04T19:07:06Z", 7267 "references": [ 7268 { 7269 "type": "ADVISORY", 7270 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14721" 7271 }, 7272 { 7273 "type": "WEB", 7274 "url": "https://github.com/FasterXML/jackson-databind/issues/2097" 7275 }, 7276 { 7277 "type": "WEB", 7278 "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44" 7279 
}, 7280 { 7281 "type": "WEB", 7282 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 7283 }, 7284 { 7285 "type": "WEB", 7286 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 7287 }, 7288 { 7289 "type": "WEB", 7290 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 7291 }, 7292 { 7293 "type": "WEB", 7294 "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" 7295 }, 7296 { 7297 "type": "WEB", 7298 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 7299 }, 7300 { 7301 "type": "WEB", 7302 "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html" 7303 }, 7304 { 7305 "type": "WEB", 7306 "url": "https://seclists.org/bugtraq/2019/May/68" 7307 }, 7308 { 7309 "type": "WEB", 7310 "url": "https://security.netapp.com/advisory/ntap-20190530-0003" 7311 }, 7312 { 7313 "type": "WEB", 7314 "url": "https://www.debian.org/security/2019/dsa-4452" 7315 }, 7316 { 7317 "type": "WEB", 7318 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 7319 }, 7320 { 7321 "type": "WEB", 7322 "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" 7323 }, 7324 { 7325 "type": "WEB", 7326 "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" 7327 }, 7328 { 7329 "type": "WEB", 7330 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 7331 }, 7332 { 7333 "type": "WEB", 7334 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 7335 }, 7336 { 7337 "type": "ADVISORY", 7338 "url": "https://github.com/advisories/GHSA-9mxf-g3x6-wv74" 7339 }, 7340 { 7341 
"type": "WEB", 7342 "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7" 7343 }, 7344 { 7345 "type": "WEB", 7346 "url": "https://access.redhat.com/errata/RHSA-2019:4037" 7347 }, 7348 { 7349 "type": "WEB", 7350 "url": "https://access.redhat.com/errata/RHSA-2019:3892" 7351 }, 7352 { 7353 "type": "WEB", 7354 "url": "https://access.redhat.com/errata/RHSA-2019:3149" 7355 }, 7356 { 7357 "type": "WEB", 7358 "url": "https://access.redhat.com/errata/RHSA-2019:2858" 7359 }, 7360 { 7361 "type": "WEB", 7362 "url": "https://access.redhat.com/errata/RHSA-2019:1823" 7363 }, 7364 { 7365 "type": "WEB", 7366 "url": "https://access.redhat.com/errata/RHSA-2019:1822" 7367 }, 7368 { 7369 "type": "WEB", 7370 "url": "https://access.redhat.com/errata/RHSA-2019:1140" 7371 }, 7372 { 7373 "type": "WEB", 7374 "url": "https://access.redhat.com/errata/RHSA-2019:1108" 7375 }, 7376 { 7377 "type": "WEB", 7378 "url": "https://access.redhat.com/errata/RHSA-2019:1107" 7379 }, 7380 { 7381 "type": "WEB", 7382 "url": "https://access.redhat.com/errata/RHSA-2019:1106" 7383 }, 7384 { 7385 "type": "WEB", 7386 "url": "https://access.redhat.com/errata/RHSA-2019:0782" 7387 }, 7388 { 7389 "type": "WEB", 7390 "url": "https://access.redhat.com/errata/RHBA-2019:0959" 7391 } 7392 ], 7393 "schema_version": "1.6.0", 7394 "severity": [ 7395 { 7396 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", 7397 "type": "CVSS_V3" 7398 } 7399 ], 7400 "summary": "Server-Side Request Forgery (SSRF) in jackson-databind" 7401 }, 7402 { 7403 "affected": [ 7404 { 7405 "database_specific": { 7406 "last_known_affected_version_range": "\u003c= 2.9.10.3", 7407 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-9vvp-fxw6-jcxr/GHSA-9vvp-fxw6-jcxr.json" 7408 }, 7409 "package": { 7410 "ecosystem": "Maven", 7411 "name": "com.fasterxml.jackson.core:jackson-databind", 7412 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 7413 }, 7414 "ranges": [ 7415 { 
7416 "events": [ 7417 { 7418 "introduced": "2.9.0" 7419 }, 7420 { 7421 "fixed": "2.9.10.4" 7422 } 7423 ], 7424 "type": "ECOSYSTEM" 7425 } 7426 ], 7427 "versions": [ 7428 "2.9.0", 7429 "2.9.0.pr1", 7430 "2.9.0.pr2", 7431 "2.9.0.pr3", 7432 "2.9.0.pr4", 7433 "2.9.1", 7434 "2.9.10", 7435 "2.9.10.1", 7436 "2.9.10.2", 7437 "2.9.10.3", 7438 "2.9.2", 7439 "2.9.3", 7440 "2.9.4", 7441 "2.9.5", 7442 "2.9.6", 7443 "2.9.7", 7444 "2.9.8", 7445 "2.9.9", 7446 "2.9.9.1", 7447 "2.9.9.2", 7448 "2.9.9.3" 7449 ] 7450 } 7451 ], 7452 "aliases": [ 7453 "CVE-2020-11113" 7454 ], 7455 "database_specific": { 7456 "cwe_ids": [ 7457 "CWE-502" 7458 ], 7459 "github_reviewed": true, 7460 "github_reviewed_at": "2020-04-23T19:31:52Z", 7461 "nvd_published_at": "2020-03-31T05:15:00Z", 7462 "severity": "HIGH" 7463 }, 7464 "details": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).", 7465 "id": "GHSA-9vvp-fxw6-jcxr", 7466 "modified": "2024-03-15T01:01:13.76706Z", 7467 "published": "2020-05-15T18:58:47Z", 7468 "references": [ 7469 { 7470 "type": "ADVISORY", 7471 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11113" 7472 }, 7473 { 7474 "type": "WEB", 7475 "url": "https://github.com/FasterXML/jackson-databind/issues/2670" 7476 }, 7477 { 7478 "type": "WEB", 7479 "url": "https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88" 7480 }, 7481 { 7482 "type": "WEB", 7483 "url": "https://github.com/FasterXML/jackson-databind/commit/e2ba12d5d60715d95105e3e790fc234cfb59893d" 7484 }, 7485 { 7486 "type": "PACKAGE", 7487 "url": "https://github.com/FasterXML/jackson-databind" 7488 }, 7489 { 7490 "type": "WEB", 7491 "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html" 7492 }, 7493 { 7494 "type": "WEB", 7495 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 
7496 }, 7497 { 7498 "type": "WEB", 7499 "url": "https://security.netapp.com/advisory/ntap-20200403-0002" 7500 }, 7501 { 7502 "type": "WEB", 7503 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 7504 }, 7505 { 7506 "type": "WEB", 7507 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 7508 }, 7509 { 7510 "type": "WEB", 7511 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 7512 }, 7513 { 7514 "type": "WEB", 7515 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 7516 } 7517 ], 7518 "schema_version": "1.6.0", 7519 "severity": [ 7520 { 7521 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", 7522 "type": "CVSS_V3" 7523 } 7524 ], 7525 "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing" 7526 }, 7527 { 7528 "affected": [ 7529 { 7530 "database_specific": { 7531 "last_known_affected_version_range": "\u003c= 2.9.10.4", 7532 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-c265-37vj-cwcc/GHSA-c265-37vj-cwcc.json" 7533 }, 7534 "package": { 7535 "ecosystem": "Maven", 7536 "name": "com.fasterxml.jackson.core:jackson-databind", 7537 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 7538 }, 7539 "ranges": [ 7540 { 7541 "events": [ 7542 { 7543 "introduced": "2.9.0" 7544 }, 7545 { 7546 "fixed": "2.9.10.5" 7547 } 7548 ], 7549 "type": "ECOSYSTEM" 7550 } 7551 ], 7552 "versions": [ 7553 "2.9.0", 7554 "2.9.0.pr1", 7555 "2.9.0.pr2", 7556 "2.9.0.pr3", 7557 "2.9.0.pr4", 7558 "2.9.1", 7559 "2.9.10", 7560 "2.9.10.1", 7561 "2.9.10.2", 7562 "2.9.10.3", 7563 "2.9.10.4", 7564 "2.9.2", 7565 "2.9.3", 7566 "2.9.4", 7567 "2.9.5", 7568 "2.9.6", 7569 "2.9.7", 7570 "2.9.8", 7571 "2.9.9", 7572 "2.9.9.1", 7573 "2.9.9.2", 7574 "2.9.9.3" 7575 ] 7576 } 7577 ], 7578 "aliases": [ 7579 "CVE-2020-14062" 7580 ], 7581 "database_specific": { 7582 "cwe_ids": [ 7583 "CWE-502" 7584 ], 7585 "github_reviewed": true, 7586 "github_reviewed_at": 
"2020-06-18T13:06:04Z", 7587 "nvd_published_at": "2020-06-14T20:15:00Z", 7588 "severity": "HIGH" 7589 }, 7590 "details": "FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).", 7591 "id": "GHSA-c265-37vj-cwcc", 7592 "modified": "2024-06-25T14:18:28.49907Z", 7593 "published": "2020-06-18T14:44:48Z", 7594 "references": [ 7595 { 7596 "type": "ADVISORY", 7597 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14062" 7598 }, 7599 { 7600 "type": "WEB", 7601 "url": "https://github.com/FasterXML/jackson-databind/issues/2704" 7602 }, 7603 { 7604 "type": "WEB", 7605 "url": "https://github.com/FasterXML/jackson-databind/commit/840eae2ca81c597a0010b2126f32dce17d384b70" 7606 }, 7607 { 7608 "type": "WEB", 7609 "url": "https://github.com/FasterXML/jackson-databind/commit/99001cdb6807b5c7b170ec6a9092ecbb618ae79c" 7610 }, 7611 { 7612 "type": "PACKAGE", 7613 "url": "https://github.com/FasterXML/jackson-databind" 7614 }, 7615 { 7616 "type": "WEB", 7617 "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html" 7618 }, 7619 { 7620 "type": "WEB", 7621 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 7622 }, 7623 { 7624 "type": "WEB", 7625 "url": "https://security.netapp.com/advisory/ntap-20200702-0003" 7626 }, 7627 { 7628 "type": "WEB", 7629 "url": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625" 7630 }, 7631 { 7632 "type": "WEB", 7633 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 7634 }, 7635 { 7636 "type": "WEB", 7637 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 7638 }, 7639 { 7640 "type": "WEB", 7641 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 7642 }, 7643 { 7644 "type": "WEB", 7645 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 7646 }, 7647 { 7648 "type": "WEB", 7649 
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 7650 } 7651 ], 7652 "schema_version": "1.6.0", 7653 "severity": [ 7654 { 7655 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 7656 "type": "CVSS_V3" 7657 } 7658 ], 7659 "summary": "Deserialization of untrusted data in Jackson Databind" 7660 }, 7661 { 7662 "affected": [ 7663 { 7664 "database_specific": { 7665 "last_known_affected_version_range": "\u003c= 2.9.10.4", 7666 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-c2q3-4qrh-fm48/GHSA-c2q3-4qrh-fm48.json" 7667 }, 7668 "package": { 7669 "ecosystem": "Maven", 7670 "name": "com.fasterxml.jackson.core:jackson-databind", 7671 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 7672 }, 7673 "ranges": [ 7674 { 7675 "events": [ 7676 { 7677 "introduced": "2.9.0" 7678 }, 7679 { 7680 "fixed": "2.9.10.5" 7681 } 7682 ], 7683 "type": "ECOSYSTEM" 7684 } 7685 ], 7686 "versions": [ 7687 "2.9.0", 7688 "2.9.0.pr1", 7689 "2.9.0.pr2", 7690 "2.9.0.pr3", 7691 "2.9.0.pr4", 7692 "2.9.1", 7693 "2.9.10", 7694 "2.9.10.1", 7695 "2.9.10.2", 7696 "2.9.10.3", 7697 "2.9.10.4", 7698 "2.9.2", 7699 "2.9.3", 7700 "2.9.4", 7701 "2.9.5", 7702 "2.9.6", 7703 "2.9.7", 7704 "2.9.8", 7705 "2.9.9", 7706 "2.9.9.1", 7707 "2.9.9.2", 7708 "2.9.9.3" 7709 ] 7710 } 7711 ], 7712 "aliases": [ 7713 "CVE-2020-14061" 7714 ], 7715 "database_specific": { 7716 "cwe_ids": [ 7717 "CWE-502" 7718 ], 7719 "github_reviewed": true, 7720 "github_reviewed_at": "2020-06-18T13:06:14Z", 7721 "nvd_published_at": "2020-06-14T20:15:00Z", 7722 "severity": "HIGH" 7723 }, 7724 "details": "FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).", 7725 
"id": "GHSA-c2q3-4qrh-fm48", 7726 "modified": "2024-02-17T05:36:21.468281Z", 7727 "published": "2020-06-18T14:44:50Z", 7728 "references": [ 7729 { 7730 "type": "ADVISORY", 7731 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14061" 7732 }, 7733 { 7734 "type": "WEB", 7735 "url": "https://github.com/FasterXML/jackson-databind/issues/2698" 7736 }, 7737 { 7738 "type": "WEB", 7739 "url": "https://github.com/FasterXML/jackson-databind/commit/5c8642aeae9c756b438ab7637c90ef3c77966e6e" 7740 }, 7741 { 7742 "type": "PACKAGE", 7743 "url": "https://github.com/FasterXML/jackson-databind" 7744 }, 7745 { 7746 "type": "WEB", 7747 "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html" 7748 }, 7749 { 7750 "type": "WEB", 7751 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 7752 }, 7753 { 7754 "type": "WEB", 7755 "url": "https://security.netapp.com/advisory/ntap-20200702-0003" 7756 }, 7757 { 7758 "type": "WEB", 7759 "url": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316" 7760 }, 7761 { 7762 "type": "WEB", 7763 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 7764 }, 7765 { 7766 "type": "WEB", 7767 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 7768 }, 7769 { 7770 "type": "WEB", 7771 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 7772 }, 7773 { 7774 "type": "WEB", 7775 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 7776 }, 7777 { 7778 "type": "WEB", 7779 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 7780 } 7781 ], 7782 "schema_version": "1.6.0", 7783 "severity": [ 7784 { 7785 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 7786 "type": "CVSS_V3" 7787 } 7788 ], 7789 "summary": "Deserialization of untrusted data in Jackson Databind" 7790 }, 7791 { 7792 "affected": [ 7793 { 7794 "database_specific": { 7795 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-c8hm-7hpq-7jhg/GHSA-c8hm-7hpq-7jhg.json" 7796 }, 7797 "package": { 7798 "ecosystem": "Maven", 7799 "name": "com.fasterxml.jackson.core:jackson-databind", 7800 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 7801 }, 7802 "ranges": [ 7803 { 7804 "events": [ 7805 { 7806 "introduced": "2.9.0" 7807 }, 7808 { 7809 "fixed": "2.9.8" 7810 } 7811 ], 7812 "type": "ECOSYSTEM" 7813 } 7814 ], 7815 "versions": [ 7816 "2.9.0", 7817 "2.9.0.pr1", 7818 "2.9.0.pr2", 7819 "2.9.0.pr3", 7820 "2.9.0.pr4", 7821 "2.9.1", 7822 "2.9.2", 7823 "2.9.3", 7824 "2.9.4", 7825 "2.9.5", 7826 "2.9.6", 7827 "2.9.7" 7828 ] 7829 }, 7830 { 7831 "database_specific": { 7832 "last_known_affected_version_range": "\u003c= 2.8.11.2", 7833 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-c8hm-7hpq-7jhg/GHSA-c8hm-7hpq-7jhg.json" 7834 }, 7835 "package": { 7836 "ecosystem": "Maven", 7837 "name": "com.fasterxml.jackson.core:jackson-databind", 7838 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 7839 }, 7840 "ranges": [ 7841 { 7842 "events": [ 7843 { 7844 "introduced": "2.8.0" 7845 }, 7846 { 7847 "fixed": "2.8.11.3" 7848 } 7849 ], 7850 "type": "ECOSYSTEM" 7851 } 7852 ], 7853 "versions": [ 7854 "2.8.0", 7855 "2.8.1", 7856 "2.8.10", 7857 "2.8.11", 7858 "2.8.11.1", 7859 "2.8.11.2", 7860 "2.8.2", 7861 "2.8.3", 7862 "2.8.4", 7863 "2.8.5", 7864 "2.8.6", 7865 "2.8.7", 7866 "2.8.8", 7867 "2.8.8.1", 7868 "2.8.9" 7869 ] 7870 }, 7871 { 7872 "database_specific": { 7873 "last_known_affected_version_range": "\u003c= 2.7.9.4", 7874 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-c8hm-7hpq-7jhg/GHSA-c8hm-7hpq-7jhg.json" 7875 }, 7876 "package": { 7877 "ecosystem": "Maven", 7878 "name": "com.fasterxml.jackson.core:jackson-databind", 7879 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 
7880 }, 7881 "ranges": [ 7882 { 7883 "events": [ 7884 { 7885 "introduced": "2.7.0" 7886 }, 7887 { 7888 "fixed": "2.7.9.5" 7889 } 7890 ], 7891 "type": "ECOSYSTEM" 7892 } 7893 ], 7894 "versions": [ 7895 "2.7.0", 7896 "2.7.1", 7897 "2.7.1-1", 7898 "2.7.2", 7899 "2.7.3", 7900 "2.7.4", 7901 "2.7.5", 7902 "2.7.6", 7903 "2.7.7", 7904 "2.7.8", 7905 "2.7.9", 7906 "2.7.9.1", 7907 "2.7.9.2", 7908 "2.7.9.3", 7909 "2.7.9.4" 7910 ] 7911 }, 7912 { 7913 "database_specific": { 7914 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-c8hm-7hpq-7jhg/GHSA-c8hm-7hpq-7jhg.json" 7915 }, 7916 "package": { 7917 "ecosystem": "Maven", 7918 "name": "com.fasterxml.jackson.core:jackson-databind", 7919 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 7920 }, 7921 "ranges": [ 7922 { 7923 "events": [ 7924 { 7925 "introduced": "2.0.0" 7926 }, 7927 { 7928 "fixed": "2.6.7.3" 7929 } 7930 ], 7931 "type": "ECOSYSTEM" 7932 } 7933 ], 7934 "versions": [ 7935 "2.0.0", 7936 "2.0.1", 7937 "2.0.2", 7938 "2.0.4", 7939 "2.0.5", 7940 "2.0.6", 7941 "2.1.0", 7942 "2.1.1", 7943 "2.1.2", 7944 "2.1.3", 7945 "2.1.4", 7946 "2.1.5", 7947 "2.2.0", 7948 "2.2.0-rc1", 7949 "2.2.1", 7950 "2.2.2", 7951 "2.2.3", 7952 "2.2.4", 7953 "2.3.0", 7954 "2.3.0-rc1", 7955 "2.3.1", 7956 "2.3.2", 7957 "2.3.3", 7958 "2.3.4", 7959 "2.3.5", 7960 "2.4.0", 7961 "2.4.0-rc1", 7962 "2.4.0-rc2", 7963 "2.4.0-rc3", 7964 "2.4.1", 7965 "2.4.1.1", 7966 "2.4.1.2", 7967 "2.4.1.3", 7968 "2.4.2", 7969 "2.4.3", 7970 "2.4.4", 7971 "2.4.5", 7972 "2.4.5.1", 7973 "2.4.6", 7974 "2.4.6.1", 7975 "2.5.0", 7976 "2.5.0-rc1", 7977 "2.5.1", 7978 "2.5.2", 7979 "2.5.3", 7980 "2.5.4", 7981 "2.5.5", 7982 "2.6.0", 7983 "2.6.0-rc1", 7984 "2.6.0-rc2", 7985 "2.6.0-rc3", 7986 "2.6.0-rc4", 7987 "2.6.1", 7988 "2.6.2", 7989 "2.6.3", 7990 "2.6.4", 7991 "2.6.5", 7992 "2.6.6", 7993 "2.6.7", 7994 "2.6.7.1", 7995 "2.6.7.2" 7996 ] 7997 } 7998 ], 7999 "aliases": [ 8000 "CVE-2018-19362" 8001 ], 8002 "database_specific": { 
8003 "cwe_ids": [ 8004 "CWE-502" 8005 ], 8006 "github_reviewed": true, 8007 "github_reviewed_at": "2020-06-16T21:30:35Z", 8008 "nvd_published_at": null, 8009 "severity": "CRITICAL" 8010 }, 8011 "details": "FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.", 8012 "id": "GHSA-c8hm-7hpq-7jhg", 8013 "modified": "2024-03-15T01:17:19.251183Z", 8014 "published": "2019-01-04T19:07:03Z", 8015 "references": [ 8016 { 8017 "type": "ADVISORY", 8018 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19362" 8019 }, 8020 { 8021 "type": "WEB", 8022 "url": "https://github.com/FasterXML/jackson-databind/issues/2186" 8023 }, 8024 { 8025 "type": "WEB", 8026 "url": "https://github.com/FasterXML/jackson-databind/commit/72cd4025a229fb28ec133235003dd4616f70afaa" 8027 }, 8028 { 8029 "type": "WEB", 8030 "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b" 8031 }, 8032 { 8033 "type": "WEB", 8034 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 8035 }, 8036 { 8037 "type": "WEB", 8038 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 8039 }, 8040 { 8041 "type": "WEB", 8042 "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" 8043 }, 8044 { 8045 "type": "WEB", 8046 "url": "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E" 8047 }, 8048 { 8049 "type": "WEB", 8050 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 8051 }, 8052 { 8053 "type": "WEB", 8054 "url": 
"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" 8055 }, 8056 { 8057 "type": "WEB", 8058 "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" 8059 }, 8060 { 8061 "type": "WEB", 8062 "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" 8063 }, 8064 { 8065 "type": "WEB", 8066 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 8067 }, 8068 { 8069 "type": "WEB", 8070 "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html" 8071 }, 8072 { 8073 "type": "WEB", 8074 "url": "https://seclists.org/bugtraq/2019/May/68" 8075 }, 8076 { 8077 "type": "WEB", 8078 "url": "https://security.netapp.com/advisory/ntap-20190530-0003" 8079 }, 8080 { 8081 "type": "WEB", 8082 "url": "https://www.debian.org/security/2019/dsa-4452" 8083 }, 8084 { 8085 "type": "WEB", 8086 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 8087 }, 8088 { 8089 "type": "WEB", 8090 "url": "https://www.oracle.com/security-alerts/cpujan2020.html" 8091 }, 8092 { 8093 "type": "WEB", 8094 "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" 8095 }, 8096 { 8097 "type": "WEB", 8098 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 8099 }, 8100 { 8101 "type": "WEB", 8102 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 8103 }, 8104 { 8105 "type": "WEB", 8106 "url": "https://access.redhat.com/errata/RHBA-2019:0959" 8107 }, 8108 { 8109 "type": "WEB", 8110 "url": "https://access.redhat.com/errata/RHSA-2019:0782" 8111 }, 8112 { 8113 "type": "WEB", 8114 "url": "https://access.redhat.com/errata/RHSA-2019:0877" 8115 }, 8116 { 8117 "type": "WEB", 8118 "url": 
"https://access.redhat.com/errata/RHSA-2019:1782" 8119 }, 8120 { 8121 "type": "WEB", 8122 "url": "https://access.redhat.com/errata/RHSA-2019:1797" 8123 }, 8124 { 8125 "type": "WEB", 8126 "url": "https://access.redhat.com/errata/RHSA-2019:1822" 8127 }, 8128 { 8129 "type": "WEB", 8130 "url": "https://access.redhat.com/errata/RHSA-2019:1823" 8131 }, 8132 { 8133 "type": "WEB", 8134 "url": "https://access.redhat.com/errata/RHSA-2019:2804" 8135 }, 8136 { 8137 "type": "WEB", 8138 "url": "https://access.redhat.com/errata/RHSA-2019:2858" 8139 }, 8140 { 8141 "type": "WEB", 8142 "url": "https://access.redhat.com/errata/RHSA-2019:3002" 8143 }, 8144 { 8145 "type": "WEB", 8146 "url": "https://access.redhat.com/errata/RHSA-2019:3140" 8147 }, 8148 { 8149 "type": "WEB", 8150 "url": "https://access.redhat.com/errata/RHSA-2019:3149" 8151 }, 8152 { 8153 "type": "WEB", 8154 "url": "https://access.redhat.com/errata/RHSA-2019:3892" 8155 }, 8156 { 8157 "type": "WEB", 8158 "url": "https://access.redhat.com/errata/RHSA-2019:4037" 8159 }, 8160 { 8161 "type": "PACKAGE", 8162 "url": "https://github.com/FasterXML/jackson-databind" 8163 }, 8164 { 8165 "type": "WEB", 8166 "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8" 8167 }, 8168 { 8169 "type": "ADVISORY", 8170 "url": "https://github.com/advisories/GHSA-c8hm-7hpq-7jhg" 8171 }, 8172 { 8173 "type": "WEB", 8174 "url": "https://issues.apache.org/jira/browse/TINKERPOP-2121" 8175 }, 8176 { 8177 "type": "WEB", 8178 "url": "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E" 8179 }, 8180 { 8181 "type": "WEB", 8182 "url": "http://www.securityfocus.com/bid/107985" 8183 } 8184 ], 8185 "schema_version": "1.6.0", 8186 "severity": [ 8187 { 8188 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 8189 "type": "CVSS_V3" 8190 } 8191 ], 8192 "summary": "com.fasterxml.jackson.core:jackson-databind vulnerable to Deserialization of Untrusted Data" 8193 }, 8194 { 
8195 "affected": [ 8196 { 8197 "database_specific": { 8198 "last_known_affected_version_range": "\u003c= 2.6.7.2", 8199 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-cf6r-3wgc-h863/GHSA-cf6r-3wgc-h863.json" 8200 }, 8201 "package": { 8202 "ecosystem": "Maven", 8203 "name": "com.fasterxml.jackson.core:jackson-databind", 8204 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 8205 }, 8206 "ranges": [ 8207 { 8208 "events": [ 8209 { 8210 "introduced": "0" 8211 }, 8212 { 8213 "fixed": "2.6.7.3" 8214 } 8215 ], 8216 "type": "ECOSYSTEM" 8217 } 8218 ], 8219 "versions": [ 8220 "2.0.0", 8221 "2.0.0-RC1", 8222 "2.0.0-RC2", 8223 "2.0.0-RC3", 8224 "2.0.1", 8225 "2.0.2", 8226 "2.0.4", 8227 "2.0.5", 8228 "2.0.6", 8229 "2.1.0", 8230 "2.1.1", 8231 "2.1.2", 8232 "2.1.3", 8233 "2.1.4", 8234 "2.1.5", 8235 "2.2.0", 8236 "2.2.0-rc1", 8237 "2.2.1", 8238 "2.2.2", 8239 "2.2.3", 8240 "2.2.4", 8241 "2.3.0", 8242 "2.3.0-rc1", 8243 "2.3.1", 8244 "2.3.2", 8245 "2.3.3", 8246 "2.3.4", 8247 "2.3.5", 8248 "2.4.0", 8249 "2.4.0-rc1", 8250 "2.4.0-rc2", 8251 "2.4.0-rc3", 8252 "2.4.1", 8253 "2.4.1.1", 8254 "2.4.1.2", 8255 "2.4.1.3", 8256 "2.4.2", 8257 "2.4.3", 8258 "2.4.4", 8259 "2.4.5", 8260 "2.4.5.1", 8261 "2.4.6", 8262 "2.4.6.1", 8263 "2.5.0", 8264 "2.5.0-rc1", 8265 "2.5.1", 8266 "2.5.2", 8267 "2.5.3", 8268 "2.5.4", 8269 "2.5.5", 8270 "2.6.0", 8271 "2.6.0-rc1", 8272 "2.6.0-rc2", 8273 "2.6.0-rc3", 8274 "2.6.0-rc4", 8275 "2.6.1", 8276 "2.6.2", 8277 "2.6.3", 8278 "2.6.4", 8279 "2.6.5", 8280 "2.6.6", 8281 "2.6.7", 8282 "2.6.7.1", 8283 "2.6.7.2" 8284 ] 8285 }, 8286 { 8287 "database_specific": { 8288 "last_known_affected_version_range": "\u003c= 2.8.11.4", 8289 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-cf6r-3wgc-h863/GHSA-cf6r-3wgc-h863.json" 8290 }, 8291 "package": { 8292 "ecosystem": "Maven", 8293 "name": "com.fasterxml.jackson.core:jackson-databind", 8294 "purl": 
"pkg:maven/com.fasterxml.jackson.core/jackson-databind" 8295 }, 8296 "ranges": [ 8297 { 8298 "events": [ 8299 { 8300 "introduced": "2.7.0" 8301 }, 8302 { 8303 "fixed": "2.8.11.5" 8304 } 8305 ], 8306 "type": "ECOSYSTEM" 8307 } 8308 ], 8309 "versions": [ 8310 "2.7.0", 8311 "2.7.1", 8312 "2.7.1-1", 8313 "2.7.2", 8314 "2.7.3", 8315 "2.7.4", 8316 "2.7.5", 8317 "2.7.6", 8318 "2.7.7", 8319 "2.7.8", 8320 "2.7.9", 8321 "2.7.9.1", 8322 "2.7.9.2", 8323 "2.7.9.3", 8324 "2.7.9.4", 8325 "2.7.9.5", 8326 "2.7.9.6", 8327 "2.7.9.7", 8328 "2.8.0", 8329 "2.8.0.rc1", 8330 "2.8.0.rc2", 8331 "2.8.1", 8332 "2.8.10", 8333 "2.8.11", 8334 "2.8.11.1", 8335 "2.8.11.2", 8336 "2.8.11.3", 8337 "2.8.11.4", 8338 "2.8.2", 8339 "2.8.3", 8340 "2.8.4", 8341 "2.8.5", 8342 "2.8.6", 8343 "2.8.7", 8344 "2.8.8", 8345 "2.8.8.1", 8346 "2.8.9" 8347 ] 8348 }, 8349 { 8350 "database_specific": { 8351 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-cf6r-3wgc-h863/GHSA-cf6r-3wgc-h863.json" 8352 }, 8353 "package": { 8354 "ecosystem": "Maven", 8355 "name": "com.fasterxml.jackson.core:jackson-databind", 8356 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 8357 }, 8358 "ranges": [ 8359 { 8360 "events": [ 8361 { 8362 "introduced": "2.9.0" 8363 }, 8364 { 8365 "fixed": "2.9.10" 8366 } 8367 ], 8368 "type": "ECOSYSTEM" 8369 } 8370 ], 8371 "versions": [ 8372 "2.9.0", 8373 "2.9.0.pr1", 8374 "2.9.0.pr2", 8375 "2.9.0.pr3", 8376 "2.9.0.pr4", 8377 "2.9.1", 8378 "2.9.2", 8379 "2.9.3", 8380 "2.9.4", 8381 "2.9.5", 8382 "2.9.6", 8383 "2.9.7", 8384 "2.9.8", 8385 "2.9.9", 8386 "2.9.9.1", 8387 "2.9.9.2", 8388 "2.9.9.3" 8389 ] 8390 } 8391 ], 8392 "aliases": [ 8393 "CVE-2019-14892" 8394 ], 8395 "database_specific": { 8396 "cwe_ids": [ 8397 "CWE-200", 8398 "CWE-502" 8399 ], 8400 "github_reviewed": true, 8401 "github_reviewed_at": "2020-04-23T19:29:41Z", 8402 "nvd_published_at": "2020-03-02T17:15:00Z", 8403 "severity": "HIGH" 8404 }, 8405 "details": "A flaw was 
discovered in jackson-databind in versions before 2.9.10, 2.8.11.5, and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.", 8406 "id": "GHSA-cf6r-3wgc-h863", 8407 "modified": "2024-02-18T05:32:56.325249Z", 8408 "published": "2020-05-15T18:58:58Z", 8409 "references": [ 8410 { 8411 "type": "ADVISORY", 8412 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14892" 8413 }, 8414 { 8415 "type": "WEB", 8416 "url": "https://github.com/FasterXML/jackson-databind/issues/2462" 8417 }, 8418 { 8419 "type": "WEB", 8420 "url": "https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af" 8421 }, 8422 { 8423 "type": "WEB", 8424 "url": "https://github.com/FasterXML/jackson-databind/commit/819cdbcab51c6da9fb896380f2d46e9b7d4fdc3b" 8425 }, 8426 { 8427 "type": "WEB", 8428 "url": "https://access.redhat.com/errata/RHSA-2020:0729" 8429 }, 8430 { 8431 "type": "WEB", 8432 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892" 8433 }, 8434 { 8435 "type": "PACKAGE", 8436 "url": "https://github.com/FasterXML/jackson-databind" 8437 }, 8438 { 8439 "type": "WEB", 8440 "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" 8441 }, 8442 { 8443 "type": "WEB", 8444 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 8445 }, 8446 { 8447 "type": "WEB", 8448 "url": "https://security.netapp.com/advisory/ntap-20200904-0005" 8449 } 8450 ], 8451 "schema_version": "1.6.0", 8452 "severity": [ 8453 { 8454 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 8455 "type": "CVSS_V3" 8456 } 8457 ], 8458 "summary": "Polymorphic deserialization of malicious object in jackson-databind" 8459 }, 8460 { 8461 "affected": [ 8462 { 8463 "database_specific": { 8464 
"last_known_affected_version_range": "\u003c= 2.8.11.0", 8465 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cggj-fvv3-cqwv/GHSA-cggj-fvv3-cqwv.json" 8466 }, 8467 "package": { 8468 "ecosystem": "Maven", 8469 "name": "com.fasterxml.jackson.core:jackson-databind", 8470 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 8471 }, 8472 "ranges": [ 8473 { 8474 "events": [ 8475 { 8476 "introduced": "2.8.0" 8477 }, 8478 { 8479 "fixed": "2.8.11.1" 8480 } 8481 ], 8482 "type": "ECOSYSTEM" 8483 } 8484 ], 8485 "versions": [ 8486 "2.8.0", 8487 "2.8.1", 8488 "2.8.10", 8489 "2.8.11", 8490 "2.8.2", 8491 "2.8.3", 8492 "2.8.4", 8493 "2.8.5", 8494 "2.8.6", 8495 "2.8.7", 8496 "2.8.8", 8497 "2.8.8.1", 8498 "2.8.9" 8499 ] 8500 }, 8501 { 8502 "database_specific": { 8503 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cggj-fvv3-cqwv/GHSA-cggj-fvv3-cqwv.json" 8504 }, 8505 "package": { 8506 "ecosystem": "Maven", 8507 "name": "com.fasterxml.jackson.core:jackson-databind", 8508 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 8509 }, 8510 "ranges": [ 8511 { 8512 "events": [ 8513 { 8514 "introduced": "2.9.0" 8515 }, 8516 { 8517 "fixed": "2.9.5" 8518 } 8519 ], 8520 "type": "ECOSYSTEM" 8521 } 8522 ], 8523 "versions": [ 8524 "2.9.0", 8525 "2.9.0.pr1", 8526 "2.9.0.pr2", 8527 "2.9.0.pr3", 8528 "2.9.0.pr4", 8529 "2.9.1", 8530 "2.9.2", 8531 "2.9.3", 8532 "2.9.4" 8533 ] 8534 }, 8535 { 8536 "database_specific": { 8537 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cggj-fvv3-cqwv/GHSA-cggj-fvv3-cqwv.json" 8538 }, 8539 "package": { 8540 "ecosystem": "Maven", 8541 "name": "com.fasterxml.jackson.core:jackson-databind", 8542 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 8543 }, 8544 "ranges": [ 8545 { 8546 "events": [ 8547 { 8548 "introduced": "2.7.0" 8549 }, 8550 { 8551 "fixed": "2.7.9.3" 8552 
} 8553 ], 8554 "type": "ECOSYSTEM" 8555 } 8556 ], 8557 "versions": [ 8558 "2.7.0", 8559 "2.7.1", 8560 "2.7.1-1", 8561 "2.7.2", 8562 "2.7.3", 8563 "2.7.4", 8564 "2.7.5", 8565 "2.7.6", 8566 "2.7.7", 8567 "2.7.8", 8568 "2.7.9", 8569 "2.7.9.1", 8570 "2.7.9.2" 8571 ] 8572 }, 8573 { 8574 "database_specific": { 8575 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cggj-fvv3-cqwv/GHSA-cggj-fvv3-cqwv.json" 8576 }, 8577 "package": { 8578 "ecosystem": "Maven", 8579 "name": "com.fasterxml.jackson.core:jackson-databind", 8580 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 8581 }, 8582 "ranges": [ 8583 { 8584 "events": [ 8585 { 8586 "introduced": "0" 8587 }, 8588 { 8589 "fixed": "2.6.7.5" 8590 } 8591 ], 8592 "type": "ECOSYSTEM" 8593 } 8594 ], 8595 "versions": [ 8596 "2.0.0", 8597 "2.0.0-RC1", 8598 "2.0.0-RC2", 8599 "2.0.0-RC3", 8600 "2.0.1", 8601 "2.0.2", 8602 "2.0.4", 8603 "2.0.5", 8604 "2.0.6", 8605 "2.1.0", 8606 "2.1.1", 8607 "2.1.2", 8608 "2.1.3", 8609 "2.1.4", 8610 "2.1.5", 8611 "2.2.0", 8612 "2.2.0-rc1", 8613 "2.2.1", 8614 "2.2.2", 8615 "2.2.3", 8616 "2.2.4", 8617 "2.3.0", 8618 "2.3.0-rc1", 8619 "2.3.1", 8620 "2.3.2", 8621 "2.3.3", 8622 "2.3.4", 8623 "2.3.5", 8624 "2.4.0", 8625 "2.4.0-rc1", 8626 "2.4.0-rc2", 8627 "2.4.0-rc3", 8628 "2.4.1", 8629 "2.4.1.1", 8630 "2.4.1.2", 8631 "2.4.1.3", 8632 "2.4.2", 8633 "2.4.3", 8634 "2.4.4", 8635 "2.4.5", 8636 "2.4.5.1", 8637 "2.4.6", 8638 "2.4.6.1", 8639 "2.5.0", 8640 "2.5.0-rc1", 8641 "2.5.1", 8642 "2.5.2", 8643 "2.5.3", 8644 "2.5.4", 8645 "2.5.5", 8646 "2.6.0", 8647 "2.6.0-rc1", 8648 "2.6.0-rc2", 8649 "2.6.0-rc3", 8650 "2.6.0-rc4", 8651 "2.6.1", 8652 "2.6.2", 8653 "2.6.3", 8654 "2.6.4", 8655 "2.6.5", 8656 "2.6.6", 8657 "2.6.7", 8658 "2.6.7.1", 8659 "2.6.7.2", 8660 "2.6.7.3", 8661 "2.6.7.4" 8662 ] 8663 } 8664 ], 8665 "aliases": [ 8666 "CVE-2018-7489" 8667 ], 8668 "database_specific": { 8669 "cwe_ids": [ 8670 "CWE-184", 8671 "CWE-502" 8672 ], 8673 
"github_reviewed": true, 8674 "github_reviewed_at": "2020-06-16T21:31:30Z", 8675 "nvd_published_at": "2018-02-26T15:29:00Z", 8676 "severity": "CRITICAL" 8677 }, 8678 "details": "FasterXML jackson-databind before before 2.6.7.5, 2.7.x before 2.7.9.3, 2.8.x before 2.8.11.1, and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.", 8679 "id": "GHSA-cggj-fvv3-cqwv", 8680 "modified": "2024-03-15T01:18:46.938616Z", 8681 "published": "2018-10-16T17:45:18Z", 8682 "references": [ 8683 { 8684 "type": "ADVISORY", 8685 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7489" 8686 }, 8687 { 8688 "type": "WEB", 8689 "url": "https://github.com/FasterXML/jackson-databind/issues/1931" 8690 }, 8691 { 8692 "type": "WEB", 8693 "url": "https://github.com/FasterXML/jackson-databind/commit/e66c0a9d3c926ff1b63bf586c824ead1d02f2a3d" 8694 }, 8695 { 8696 "type": "WEB", 8697 "url": "https://github.com/FasterXML/jackson-databind/commit/ca2bfc86af82a1479112004b663ba74c760752e6" 8698 }, 8699 { 8700 "type": "WEB", 8701 "url": "https://github.com/FasterXML/jackson-databind/commit/c921f0935d5e41bf206e702d8077a275ba1a6efc" 8702 }, 8703 { 8704 "type": "WEB", 8705 "url": "https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2" 8706 }, 8707 { 8708 "type": "WEB", 8709 "url": "https://github.com/FasterXML/jackson-databind/commit/bc22f90eb7f896ace9567598a99cb1ff6e0f9d9d" 8710 }, 8711 { 8712 "type": "WEB", 8713 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 8714 }, 8715 { 8716 "type": "WEB", 8717 "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" 8718 }, 8719 { 8720 "type": "WEB", 8721 "url": 
"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" 8722 }, 8723 { 8724 "type": "WEB", 8725 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 8726 }, 8727 { 8728 "type": "WEB", 8729 "url": "https://www.debian.org/security/2018/dsa-4190" 8730 }, 8731 { 8732 "type": "WEB", 8733 "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us" 8734 }, 8735 { 8736 "type": "WEB", 8737 "url": "https://security.netapp.com/advisory/ntap-20180328-0001" 8738 }, 8739 { 8740 "type": "WEB", 8741 "url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E" 8742 }, 8743 { 8744 "type": "ADVISORY", 8745 "url": "https://github.com/advisories/GHSA-cggj-fvv3-cqwv" 8746 }, 8747 { 8748 "type": "PACKAGE", 8749 "url": "https://github.com/FasterXML/jackson-databind" 8750 }, 8751 { 8752 "type": "WEB", 8753 "url": "https://access.redhat.com/errata/RHSA-2019:3149" 8754 }, 8755 { 8756 "type": "WEB", 8757 "url": "https://access.redhat.com/errata/RHSA-2019:2858" 8758 }, 8759 { 8760 "type": "WEB", 8761 "url": "https://access.redhat.com/errata/RHSA-2018:2939" 8762 }, 8763 { 8764 "type": "WEB", 8765 "url": "https://access.redhat.com/errata/RHSA-2018:2938" 8766 }, 8767 { 8768 "type": "WEB", 8769 "url": "https://access.redhat.com/errata/RHSA-2018:2090" 8770 }, 8771 { 8772 "type": "WEB", 8773 "url": "https://access.redhat.com/errata/RHSA-2018:2089" 8774 }, 8775 { 8776 "type": "WEB", 8777 "url": "https://access.redhat.com/errata/RHSA-2018:2088" 8778 }, 8779 { 8780 "type": "WEB", 8781 "url": "https://access.redhat.com/errata/RHSA-2018:1786" 8782 }, 8783 { 8784 "type": "WEB", 8785 "url": "https://access.redhat.com/errata/RHSA-2018:1451" 8786 }, 8787 { 8788 "type": "WEB", 8789 "url": "https://access.redhat.com/errata/RHSA-2018:1450" 8790 }, 8791 { 8792 "type": "WEB", 8793 "url": "https://access.redhat.com/errata/RHSA-2018:1449" 8794 }, 8795 { 8796 
"type": "WEB", 8797 "url": "https://access.redhat.com/errata/RHSA-2018:1448" 8798 }, 8799 { 8800 "type": "WEB", 8801 "url": "https://access.redhat.com/errata/RHSA-2018:1447" 8802 }, 8803 { 8804 "type": "WEB", 8805 "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" 8806 }, 8807 { 8808 "type": "WEB", 8809 "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" 8810 }, 8811 { 8812 "type": "WEB", 8813 "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" 8814 } 8815 ], 8816 "schema_version": "1.6.0", 8817 "severity": [ 8818 { 8819 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 8820 "type": "CVSS_V3" 8821 } 8822 ], 8823 "summary": "FasterXML jackson-databind allows unauthenticated remote code execution " 8824 }, 8825 { 8826 "affected": [ 8827 { 8828 "database_specific": { 8829 "last_known_affected_version_range": "\u003c= 2.7.9.3", 8830 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-cjjf-94ff-43w7/GHSA-cjjf-94ff-43w7.json" 8831 }, 8832 "package": { 8833 "ecosystem": "Maven", 8834 "name": "com.fasterxml.jackson.core:jackson-databind", 8835 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 8836 }, 8837 "ranges": [ 8838 { 8839 "events": [ 8840 { 8841 "introduced": "0" 8842 }, 8843 { 8844 "fixed": "2.7.9.4" 8845 } 8846 ], 8847 "type": "ECOSYSTEM" 8848 } 8849 ], 8850 "versions": [ 8851 "2.0.0", 8852 "2.0.0-RC1", 8853 "2.0.0-RC2", 8854 "2.0.0-RC3", 8855 "2.0.1", 8856 "2.0.2", 8857 "2.0.4", 8858 "2.0.5", 8859 "2.0.6", 8860 "2.1.0", 8861 "2.1.1", 8862 "2.1.2", 8863 "2.1.3", 8864 "2.1.4", 8865 "2.1.5", 8866 "2.2.0", 8867 "2.2.0-rc1", 8868 "2.2.1", 8869 "2.2.2", 8870 "2.2.3", 8871 "2.2.4", 8872 "2.3.0", 8873 "2.3.0-rc1", 8874 "2.3.1", 8875 "2.3.2", 8876 "2.3.3", 8877 "2.3.4", 8878 "2.3.5", 8879 "2.4.0", 8880 "2.4.0-rc1", 8881 "2.4.0-rc2", 8882 "2.4.0-rc3", 8883 "2.4.1", 8884 "2.4.1.1", 8885 "2.4.1.2", 8886 
"2.4.1.3", 8887 "2.4.2", 8888 "2.4.3", 8889 "2.4.4", 8890 "2.4.5", 8891 "2.4.5.1", 8892 "2.4.6", 8893 "2.4.6.1", 8894 "2.5.0", 8895 "2.5.0-rc1", 8896 "2.5.1", 8897 "2.5.2", 8898 "2.5.3", 8899 "2.5.4", 8900 "2.5.5", 8901 "2.6.0", 8902 "2.6.0-rc1", 8903 "2.6.0-rc2", 8904 "2.6.0-rc3", 8905 "2.6.0-rc4", 8906 "2.6.1", 8907 "2.6.2", 8908 "2.6.3", 8909 "2.6.4", 8910 "2.6.5", 8911 "2.6.6", 8912 "2.6.7", 8913 "2.6.7.1", 8914 "2.6.7.2", 8915 "2.6.7.3", 8916 "2.6.7.4", 8917 "2.6.7.5", 8918 "2.7.0", 8919 "2.7.0-rc1", 8920 "2.7.0-rc2", 8921 "2.7.0-rc3", 8922 "2.7.1", 8923 "2.7.1-1", 8924 "2.7.2", 8925 "2.7.3", 8926 "2.7.4", 8927 "2.7.5", 8928 "2.7.6", 8929 "2.7.7", 8930 "2.7.8", 8931 "2.7.9", 8932 "2.7.9.1", 8933 "2.7.9.2", 8934 "2.7.9.3" 8935 ] 8936 }, 8937 { 8938 "database_specific": { 8939 "last_known_affected_version_range": "\u003c= 2.8.11.1", 8940 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-cjjf-94ff-43w7/GHSA-cjjf-94ff-43w7.json" 8941 }, 8942 "package": { 8943 "ecosystem": "Maven", 8944 "name": "com.fasterxml.jackson.core:jackson-databind", 8945 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 8946 }, 8947 "ranges": [ 8948 { 8949 "events": [ 8950 { 8951 "introduced": "2.8.0" 8952 }, 8953 { 8954 "fixed": "2.8.11.2" 8955 } 8956 ], 8957 "type": "ECOSYSTEM" 8958 } 8959 ], 8960 "versions": [ 8961 "2.8.0", 8962 "2.8.1", 8963 "2.8.10", 8964 "2.8.11", 8965 "2.8.11.1", 8966 "2.8.2", 8967 "2.8.3", 8968 "2.8.4", 8969 "2.8.5", 8970 "2.8.6", 8971 "2.8.7", 8972 "2.8.8", 8973 "2.8.8.1", 8974 "2.8.9" 8975 ] 8976 }, 8977 { 8978 "database_specific": { 8979 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-cjjf-94ff-43w7/GHSA-cjjf-94ff-43w7.json" 8980 }, 8981 "package": { 8982 "ecosystem": "Maven", 8983 "name": "com.fasterxml.jackson.core:jackson-databind", 8984 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 8985 }, 8986 "ranges": [ 8987 { 8988 
"events": [ 8989 { 8990 "introduced": "2.9.0" 8991 }, 8992 { 8993 "fixed": "2.9.6" 8994 } 8995 ], 8996 "type": "ECOSYSTEM" 8997 } 8998 ], 8999 "versions": [ 9000 "2.9.0", 9001 "2.9.0.pr1", 9002 "2.9.0.pr2", 9003 "2.9.0.pr3", 9004 "2.9.0.pr4", 9005 "2.9.1", 9006 "2.9.2", 9007 "2.9.3", 9008 "2.9.4", 9009 "2.9.5" 9010 ] 9011 } 9012 ], 9013 "aliases": [ 9014 "CVE-2018-12022" 9015 ], 9016 "database_specific": { 9017 "cwe_ids": [ 9018 "CWE-502" 9019 ], 9020 "github_reviewed": true, 9021 "github_reviewed_at": "2020-06-16T20:42:00Z", 9022 "nvd_published_at": "2019-03-21T16:00:12Z", 9023 "severity": "HIGH" 9024 }, 9025 "details": "An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.", 9026 "id": "GHSA-cjjf-94ff-43w7", 9027 "modified": "2024-03-11T05:19:23.395848Z", 9028 "published": "2019-03-25T18:03:09Z", 9029 "references": [ 9030 { 9031 "type": "ADVISORY", 9032 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12022" 9033 }, 9034 { 9035 "type": "WEB", 9036 "url": "https://github.com/FasterXML/jackson-databind/issues/2052" 9037 }, 9038 { 9039 "type": "WEB", 9040 "url": "https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a" 9041 }, 9042 { 9043 "type": "WEB", 9044 "url": "https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a" 9045 }, 9046 { 9047 "type": "WEB", 9048 "url": "https://github.com/FasterXML/jackson-databind/commit/bf261d404c2f79fd3406237710d40ebb03c99d84" 9049 }, 9050 { 9051 "type": "ADVISORY", 9052 "url": "https://github.com/advisories/GHSA-cjjf-94ff-43w7" 9053 }, 9054 { 9055 "type": "WEB", 9056 "url": 
"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 9057 }, 9058 { 9059 "type": "WEB", 9060 "url": "https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d@%3Cissues.lucene.apache.org%3E" 9061 }, 9062 { 9063 "type": "WEB", 9064 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 9065 }, 9066 { 9067 "type": "WEB", 9068 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 9069 }, 9070 { 9071 "type": "WEB", 9072 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC" 9073 }, 9074 { 9075 "type": "WEB", 9076 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 9077 }, 9078 { 9079 "type": "WEB", 9080 "url": "https://seclists.org/bugtraq/2019/May/68" 9081 }, 9082 { 9083 "type": "WEB", 9084 "url": "https://security.netapp.com/advisory/ntap-20190530-0003" 9085 }, 9086 { 9087 "type": "WEB", 9088 "url": "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf" 9089 }, 9090 { 9091 "type": "WEB", 9092 "url": "https://www.debian.org/security/2019/dsa-4452" 9093 }, 9094 { 9095 "type": "WEB", 9096 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 9097 }, 9098 { 9099 "type": "WEB", 9100 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 9101 }, 9102 { 9103 "type": "WEB", 9104 "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" 9105 }, 9106 { 9107 "type": "WEB", 9108 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 9109 }, 9110 { 9111 "type": "WEB", 9112 "url": "https://access.redhat.com/errata/RHBA-2019:0959" 9113 }, 9114 { 9115 "type": 
"WEB", 9116 "url": "https://access.redhat.com/errata/RHSA-2019:0782" 9117 }, 9118 { 9119 "type": "WEB", 9120 "url": "https://access.redhat.com/errata/RHSA-2019:0877" 9121 }, 9122 { 9123 "type": "WEB", 9124 "url": "https://access.redhat.com/errata/RHSA-2019:1106" 9125 }, 9126 { 9127 "type": "WEB", 9128 "url": "https://access.redhat.com/errata/RHSA-2019:1107" 9129 }, 9130 { 9131 "type": "WEB", 9132 "url": "https://access.redhat.com/errata/RHSA-2019:1108" 9133 }, 9134 { 9135 "type": "WEB", 9136 "url": "https://access.redhat.com/errata/RHSA-2019:1140" 9137 }, 9138 { 9139 "type": "WEB", 9140 "url": "https://access.redhat.com/errata/RHSA-2019:1782" 9141 }, 9142 { 9143 "type": "WEB", 9144 "url": "https://access.redhat.com/errata/RHSA-2019:1797" 9145 }, 9146 { 9147 "type": "WEB", 9148 "url": "https://access.redhat.com/errata/RHSA-2019:1822" 9149 }, 9150 { 9151 "type": "WEB", 9152 "url": "https://access.redhat.com/errata/RHSA-2019:1823" 9153 }, 9154 { 9155 "type": "WEB", 9156 "url": "https://access.redhat.com/errata/RHSA-2019:2804" 9157 }, 9158 { 9159 "type": "WEB", 9160 "url": "https://access.redhat.com/errata/RHSA-2019:2858" 9161 }, 9162 { 9163 "type": "WEB", 9164 "url": "https://access.redhat.com/errata/RHSA-2019:3002" 9165 }, 9166 { 9167 "type": "WEB", 9168 "url": "https://access.redhat.com/errata/RHSA-2019:3140" 9169 }, 9170 { 9171 "type": "WEB", 9172 "url": "https://access.redhat.com/errata/RHSA-2019:3149" 9173 }, 9174 { 9175 "type": "WEB", 9176 "url": "https://access.redhat.com/errata/RHSA-2019:3892" 9177 }, 9178 { 9179 "type": "WEB", 9180 "url": "https://access.redhat.com/errata/RHSA-2019:4037" 9181 }, 9182 { 9183 "type": "WEB", 9184 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1671098" 9185 }, 9186 { 9187 "type": "PACKAGE", 9188 "url": "https://github.com/FasterXML/jackson-databind" 9189 }, 9190 { 9191 "type": "WEB", 9192 "url": "http://www.securityfocus.com/bid/107585" 9193 } 9194 ], 9195 "schema_version": "1.6.0", 9196 "severity": [ 9197 { 9198 "score": 
"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", 9199 "type": "CVSS_V3" 9200 } 9201 ], 9202 "summary": "jackson-databind Deserialization of Untrusted Data vulnerability" 9203 }, 9204 { 9205 "affected": [ 9206 { 9207 "database_specific": { 9208 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-cmfg-87vq-g5g4/GHSA-cmfg-87vq-g5g4.json" 9209 }, 9210 "package": { 9211 "ecosystem": "Maven", 9212 "name": "com.fasterxml.jackson.core:jackson-databind", 9213 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 9214 }, 9215 "ranges": [ 9216 { 9217 "events": [ 9218 { 9219 "introduced": "2.9.0" 9220 }, 9221 { 9222 "fixed": "2.9.9.1" 9223 } 9224 ], 9225 "type": "ECOSYSTEM" 9226 } 9227 ], 9228 "versions": [ 9229 "2.9.0", 9230 "2.9.0.pr1", 9231 "2.9.0.pr2", 9232 "2.9.0.pr3", 9233 "2.9.0.pr4", 9234 "2.9.1", 9235 "2.9.2", 9236 "2.9.3", 9237 "2.9.4", 9238 "2.9.5", 9239 "2.9.6", 9240 "2.9.7", 9241 "2.9.8", 9242 "2.9.9" 9243 ] 9244 }, 9245 { 9246 "database_specific": { 9247 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-cmfg-87vq-g5g4/GHSA-cmfg-87vq-g5g4.json" 9248 }, 9249 "package": { 9250 "ecosystem": "Maven", 9251 "name": "com.fasterxml.jackson.core:jackson-databind", 9252 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 9253 }, 9254 "ranges": [ 9255 { 9256 "events": [ 9257 { 9258 "introduced": "2.8.0" 9259 }, 9260 { 9261 "fixed": "2.8.11.4" 9262 } 9263 ], 9264 "type": "ECOSYSTEM" 9265 } 9266 ], 9267 "versions": [ 9268 "2.8.0", 9269 "2.8.1", 9270 "2.8.10", 9271 "2.8.11", 9272 "2.8.11.1", 9273 "2.8.11.2", 9274 "2.8.11.3", 9275 "2.8.2", 9276 "2.8.3", 9277 "2.8.4", 9278 "2.8.5", 9279 "2.8.6", 9280 "2.8.7", 9281 "2.8.8", 9282 "2.8.8.1", 9283 "2.8.9" 9284 ] 9285 }, 9286 { 9287 "database_specific": { 9288 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-cmfg-87vq-g5g4/GHSA-cmfg-87vq-g5g4.json" 9289 
}, 9290 "package": { 9291 "ecosystem": "Maven", 9292 "name": "com.fasterxml.jackson.core:jackson-databind", 9293 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 9294 }, 9295 "ranges": [ 9296 { 9297 "events": [ 9298 { 9299 "introduced": "2.7.0" 9300 }, 9301 { 9302 "fixed": "2.7.9.6" 9303 } 9304 ], 9305 "type": "ECOSYSTEM" 9306 } 9307 ], 9308 "versions": [ 9309 "2.7.0", 9310 "2.7.1", 9311 "2.7.1-1", 9312 "2.7.2", 9313 "2.7.3", 9314 "2.7.4", 9315 "2.7.5", 9316 "2.7.6", 9317 "2.7.7", 9318 "2.7.8", 9319 "2.7.9", 9320 "2.7.9.1", 9321 "2.7.9.2", 9322 "2.7.9.3", 9323 "2.7.9.4", 9324 "2.7.9.5" 9325 ] 9326 }, 9327 { 9328 "database_specific": { 9329 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-cmfg-87vq-g5g4/GHSA-cmfg-87vq-g5g4.json" 9330 }, 9331 "package": { 9332 "ecosystem": "Maven", 9333 "name": "com.fasterxml.jackson.core:jackson-databind", 9334 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 9335 }, 9336 "ranges": [ 9337 { 9338 "events": [ 9339 { 9340 "introduced": "2.0.0" 9341 }, 9342 { 9343 "fixed": "2.6.7.3" 9344 } 9345 ], 9346 "type": "ECOSYSTEM" 9347 } 9348 ], 9349 "versions": [ 9350 "2.0.0", 9351 "2.0.1", 9352 "2.0.2", 9353 "2.0.4", 9354 "2.0.5", 9355 "2.0.6", 9356 "2.1.0", 9357 "2.1.1", 9358 "2.1.2", 9359 "2.1.3", 9360 "2.1.4", 9361 "2.1.5", 9362 "2.2.0", 9363 "2.2.0-rc1", 9364 "2.2.1", 9365 "2.2.2", 9366 "2.2.3", 9367 "2.2.4", 9368 "2.3.0", 9369 "2.3.0-rc1", 9370 "2.3.1", 9371 "2.3.2", 9372 "2.3.3", 9373 "2.3.4", 9374 "2.3.5", 9375 "2.4.0", 9376 "2.4.0-rc1", 9377 "2.4.0-rc2", 9378 "2.4.0-rc3", 9379 "2.4.1", 9380 "2.4.1.1", 9381 "2.4.1.2", 9382 "2.4.1.3", 9383 "2.4.2", 9384 "2.4.3", 9385 "2.4.4", 9386 "2.4.5", 9387 "2.4.5.1", 9388 "2.4.6", 9389 "2.4.6.1", 9390 "2.5.0", 9391 "2.5.0-rc1", 9392 "2.5.1", 9393 "2.5.2", 9394 "2.5.3", 9395 "2.5.4", 9396 "2.5.5", 9397 "2.6.0", 9398 "2.6.0-rc1", 9399 "2.6.0-rc2", 9400 "2.6.0-rc3", 9401 "2.6.0-rc4", 9402 "2.6.1", 9403 "2.6.2", 9404 
"2.6.3", 9405 "2.6.4", 9406 "2.6.5", 9407 "2.6.6", 9408 "2.6.7", 9409 "2.6.7.1", 9410 "2.6.7.2" 9411 ] 9412 } 9413 ], 9414 "aliases": [ 9415 "CVE-2019-12814" 9416 ], 9417 "database_specific": { 9418 "cwe_ids": [ 9419 "CWE-502" 9420 ], 9421 "github_reviewed": true, 9422 "github_reviewed_at": "2019-07-17T14:51:50Z", 9423 "nvd_published_at": "2019-06-19T14:15:10Z", 9424 "severity": "MODERATE" 9425 }, 9426 "details": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.", 9427 "id": "GHSA-cmfg-87vq-g5g4", 9428 "modified": "2024-03-15T01:18:17.903231Z", 9429 "published": "2019-07-17T15:26:12Z", 9430 "references": [ 9431 { 9432 "type": "ADVISORY", 9433 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12814" 9434 }, 9435 { 9436 "type": "WEB", 9437 "url": "https://github.com/FasterXML/jackson-databind/issues/2341" 9438 }, 9439 { 9440 "type": "WEB", 9441 "url": "https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5" 9442 }, 9443 { 9444 "type": "WEB", 9445 "url": "https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E" 9446 }, 9447 { 9448 "type": "WEB", 9449 "url": "https://lists.apache.org/thread.html/e0733058c0366b703e6757d8d2a7a04b943581f659e9c271f0841dfe@%3Cnotifications.geode.apache.org%3E" 9450 }, 9451 { 9452 "type": "WEB", 9453 "url": "https://lists.apache.org/thread.html/bf20574dbc2db255f1fd489942b5720f675e32a2c4f44eb6a36060cd@%3Ccommits.accumulo.apache.org%3E" 9454 }, 9455 { 9456 "type": "WEB", 9457 "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" 9458 
}, 9459 { 9460 "type": "WEB", 9461 "url": "https://lists.apache.org/thread.html/b148fa2e9ef468c4de00de255dd728b74e2a97d935f8ced31eb41ba2@%3Cnotifications.zookeeper.apache.org%3E" 9462 }, 9463 { 9464 "type": "WEB", 9465 "url": "https://lists.apache.org/thread.html/b0a2b2cca072650dbd5882719976c3d353972c44f6736ddf0ba95209@%3Cissues.zookeeper.apache.org%3E" 9466 }, 9467 { 9468 "type": "WEB", 9469 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 9470 }, 9471 { 9472 "type": "WEB", 9473 "url": "https://lists.apache.org/thread.html/a78239b1f11cddfa86e4edee19064c40b6272214630bfef070c37957@%3Cissues.zookeeper.apache.org%3E" 9474 }, 9475 { 9476 "type": "WEB", 9477 "url": "https://lists.apache.org/thread.html/a62aa2706105d68f1c02023fe24aaa3c13b4d8a1826181fed07d9682@%3Cnotifications.zookeeper.apache.org%3E" 9478 }, 9479 { 9480 "type": "WEB", 9481 "url": "https://lists.apache.org/thread.html/a3ae8a8c5e32c413cd27071d3a204166050bf79ce7f1299f6866338f@%3Cissues.zookeeper.apache.org%3E" 9482 }, 9483 { 9484 "type": "WEB", 9485 "url": "https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E" 9486 }, 9487 { 9488 "type": "WEB", 9489 "url": "https://lists.apache.org/thread.html/8fe2983f6d9fee0aa737e4bd24483f8f5cf9b938b9adad0c4e79b2a4@%3Cnotifications.zookeeper.apache.org%3E" 9490 }, 9491 { 9492 "type": "WEB", 9493 "url": "https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E" 9494 }, 9495 { 9496 "type": "WEB", 9497 "url": "https://lists.apache.org/thread.html/71f9ffd92410a889e27b95a219eaa843fd820f8550898633d85d4ea3@%3Cissues.zookeeper.apache.org%3E" 9498 }, 9499 { 9500 "type": "WEB", 9501 "url": "https://lists.apache.org/thread.html/eff7280055fc717ea8129cd28a9dd57b8446d00b36260c1caee10b87@%3Cnotifications.zookeeper.apache.org%3E" 9502 }, 9503 { 9504 "type": "WEB", 9505 "url": 
"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 9506 }, 9507 { 9508 "type": "WEB", 9509 "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" 9510 }, 9511 { 9512 "type": "WEB", 9513 "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html" 9514 }, 9515 { 9516 "type": "WEB", 9517 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL" 9518 }, 9519 { 9520 "type": "WEB", 9521 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544" 9522 }, 9523 { 9524 "type": "WEB", 9525 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC" 9526 }, 9527 { 9528 "type": "WEB", 9529 "url": "https://security.netapp.com/advisory/ntap-20190625-0006" 9530 }, 9531 { 9532 "type": "WEB", 9533 "url": "https://www.oracle.com/security-alerts/cpujan2020.html" 9534 }, 9535 { 9536 "type": "WEB", 9537 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 9538 }, 9539 { 9540 "type": "WEB", 9541 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 9542 }, 9543 { 9544 "type": "WEB", 9545 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 9546 }, 9547 { 9548 "type": "WEB", 9549 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 9550 }, 9551 { 9552 "type": "WEB", 9553 "url": "https://access.redhat.com/errata/RHSA-2019:2858" 9554 }, 9555 { 9556 "type": "WEB", 9557 "url": "https://access.redhat.com/errata/RHSA-2019:2935" 9558 }, 9559 { 9560 "type": "WEB", 9561 "url": "https://access.redhat.com/errata/RHSA-2019:2936" 9562 }, 9563 { 9564 "type": "WEB", 9565 "url": 
"https://access.redhat.com/errata/RHSA-2019:2937" 9566 }, 9567 { 9568 "type": "WEB", 9569 "url": "https://access.redhat.com/errata/RHSA-2019:2938" 9570 }, 9571 { 9572 "type": "WEB", 9573 "url": "https://access.redhat.com/errata/RHSA-2019:3044" 9574 }, 9575 { 9576 "type": "WEB", 9577 "url": "https://access.redhat.com/errata/RHSA-2019:3045" 9578 }, 9579 { 9580 "type": "WEB", 9581 "url": "https://access.redhat.com/errata/RHSA-2019:3046" 9582 }, 9583 { 9584 "type": "WEB", 9585 "url": "https://access.redhat.com/errata/RHSA-2019:3050" 9586 }, 9587 { 9588 "type": "WEB", 9589 "url": "https://access.redhat.com/errata/RHSA-2019:3149" 9590 }, 9591 { 9592 "type": "WEB", 9593 "url": "https://access.redhat.com/errata/RHSA-2019:3200" 9594 }, 9595 { 9596 "type": "WEB", 9597 "url": "https://access.redhat.com/errata/RHSA-2019:3292" 9598 }, 9599 { 9600 "type": "WEB", 9601 "url": "https://access.redhat.com/errata/RHSA-2019:3297" 9602 }, 9603 { 9604 "type": "PACKAGE", 9605 "url": "https://github.com/FasterXML/jackson-databind" 9606 }, 9607 { 9608 "type": "WEB", 9609 "url": "https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E" 9610 }, 9611 { 9612 "type": "WEB", 9613 "url": "https://lists.apache.org/thread.html/129da0204c876f746636018751a086cc581e0e07bcdeb3ee22ff5731@%3Cdev.zookeeper.apache.org%3E" 9614 }, 9615 { 9616 "type": "WEB", 9617 "url": "https://lists.apache.org/thread.html/15a55e1d837fa686db493137cc0330c7ee1089ed9a9eea7ae7151ef1@%3Cissues.zookeeper.apache.org%3E" 9618 }, 9619 { 9620 "type": "WEB", 9621 "url": "https://lists.apache.org/thread.html/1e04d9381c801b31ab28dec813c31c304b2a596b2a3707fa5462c5c0@%3Cnotifications.zookeeper.apache.org%3E" 9622 }, 9623 { 9624 "type": "WEB", 9625 "url": "https://lists.apache.org/thread.html/28be28ffd6471d230943a255c36fe196a54ef5afc494a4781d16e37c@%3Cissues.zookeeper.apache.org%3E" 9626 }, 9627 { 9628 "type": "WEB", 9629 "url": 
"https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E" 9630 }, 9631 { 9632 "type": "WEB", 9633 "url": "https://lists.apache.org/thread.html/2ff264b6a94c5363a35c4c88fa93216f60ec54d1d973ed6b76a9f560@%3Cissues.zookeeper.apache.org%3E" 9634 }, 9635 { 9636 "type": "WEB", 9637 "url": "https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E" 9638 }, 9639 { 9640 "type": "WEB", 9641 "url": "https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E" 9642 }, 9643 { 9644 "type": "WEB", 9645 "url": "https://lists.apache.org/thread.html/4b832d1327703d6b287a6d223307f8f884d798821209a10647e93324@%3Cnotifications.zookeeper.apache.org%3E" 9646 }, 9647 { 9648 "type": "WEB", 9649 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 9650 }, 9651 { 9652 "type": "WEB", 9653 "url": "https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E" 9654 }, 9655 { 9656 "type": "WEB", 9657 "url": "https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E" 9658 }, 9659 { 9660 "type": "WEB", 9661 "url": "https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E" 9662 } 9663 ], 9664 "schema_version": "1.6.0", 9665 "severity": [ 9666 { 9667 "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", 9668 "type": "CVSS_V3" 9669 } 9670 ], 9671 "summary": "Deserialization of untrusted data in FasterXML jackson-databind" 9672 }, 9673 { 9674 "affected": [ 9675 { 9676 "database_specific": { 9677 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-cvm9-fjm9-3572/GHSA-cvm9-fjm9-3572.json" 9678 }, 9679 
"package": { 9680 "ecosystem": "Maven", 9681 "name": "com.fasterxml.jackson.core:jackson-databind", 9682 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 9683 }, 9684 "ranges": [ 9685 { 9686 "events": [ 9687 { 9688 "introduced": "2.7.0" 9689 }, 9690 { 9691 "fixed": "2.9.10.8" 9692 } 9693 ], 9694 "type": "ECOSYSTEM" 9695 } 9696 ], 9697 "versions": [ 9698 "2.7.0", 9699 "2.7.1", 9700 "2.7.1-1", 9701 "2.7.2", 9702 "2.7.3", 9703 "2.7.4", 9704 "2.7.5", 9705 "2.7.6", 9706 "2.7.7", 9707 "2.7.8", 9708 "2.7.9", 9709 "2.7.9.1", 9710 "2.7.9.2", 9711 "2.7.9.3", 9712 "2.7.9.4", 9713 "2.7.9.5", 9714 "2.7.9.6", 9715 "2.7.9.7", 9716 "2.8.0", 9717 "2.8.0.rc1", 9718 "2.8.0.rc2", 9719 "2.8.1", 9720 "2.8.10", 9721 "2.8.11", 9722 "2.8.11.1", 9723 "2.8.11.2", 9724 "2.8.11.3", 9725 "2.8.11.4", 9726 "2.8.11.5", 9727 "2.8.11.6", 9728 "2.8.2", 9729 "2.8.3", 9730 "2.8.4", 9731 "2.8.5", 9732 "2.8.6", 9733 "2.8.7", 9734 "2.8.8", 9735 "2.8.8.1", 9736 "2.8.9", 9737 "2.9.0", 9738 "2.9.0.pr1", 9739 "2.9.0.pr2", 9740 "2.9.0.pr3", 9741 "2.9.0.pr4", 9742 "2.9.1", 9743 "2.9.10", 9744 "2.9.10.1", 9745 "2.9.10.2", 9746 "2.9.10.3", 9747 "2.9.10.4", 9748 "2.9.10.5", 9749 "2.9.10.6", 9750 "2.9.10.7", 9751 "2.9.2", 9752 "2.9.3", 9753 "2.9.4", 9754 "2.9.5", 9755 "2.9.6", 9756 "2.9.7", 9757 "2.9.8", 9758 "2.9.9", 9759 "2.9.9.1", 9760 "2.9.9.2", 9761 "2.9.9.3" 9762 ] 9763 }, 9764 { 9765 "database_specific": { 9766 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-cvm9-fjm9-3572/GHSA-cvm9-fjm9-3572.json" 9767 }, 9768 "package": { 9769 "ecosystem": "Maven", 9770 "name": "com.fasterxml.jackson.core:jackson-databind", 9771 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 9772 }, 9773 "ranges": [ 9774 { 9775 "events": [ 9776 { 9777 "introduced": "2.0.0" 9778 }, 9779 { 9780 "fixed": "2.6.7.5" 9781 } 9782 ], 9783 "type": "ECOSYSTEM" 9784 } 9785 ], 9786 "versions": [ 9787 "2.0.0", 9788 "2.0.1", 9789 "2.0.2", 9790 "2.0.4", 9791 "2.0.5", 
9792 "2.0.6", 9793 "2.1.0", 9794 "2.1.1", 9795 "2.1.2", 9796 "2.1.3", 9797 "2.1.4", 9798 "2.1.5", 9799 "2.2.0", 9800 "2.2.0-rc1", 9801 "2.2.1", 9802 "2.2.2", 9803 "2.2.3", 9804 "2.2.4", 9805 "2.3.0", 9806 "2.3.0-rc1", 9807 "2.3.1", 9808 "2.3.2", 9809 "2.3.3", 9810 "2.3.4", 9811 "2.3.5", 9812 "2.4.0", 9813 "2.4.0-rc1", 9814 "2.4.0-rc2", 9815 "2.4.0-rc3", 9816 "2.4.1", 9817 "2.4.1.1", 9818 "2.4.1.2", 9819 "2.4.1.3", 9820 "2.4.2", 9821 "2.4.3", 9822 "2.4.4", 9823 "2.4.5", 9824 "2.4.5.1", 9825 "2.4.6", 9826 "2.4.6.1", 9827 "2.5.0", 9828 "2.5.0-rc1", 9829 "2.5.1", 9830 "2.5.2", 9831 "2.5.3", 9832 "2.5.4", 9833 "2.5.5", 9834 "2.6.0", 9835 "2.6.0-rc1", 9836 "2.6.0-rc2", 9837 "2.6.0-rc3", 9838 "2.6.0-rc4", 9839 "2.6.1", 9840 "2.6.2", 9841 "2.6.3", 9842 "2.6.4", 9843 "2.6.5", 9844 "2.6.6", 9845 "2.6.7", 9846 "2.6.7.1", 9847 "2.6.7.2", 9848 "2.6.7.3", 9849 "2.6.7.4" 9850 ] 9851 } 9852 ], 9853 "aliases": [ 9854 "CVE-2020-36181" 9855 ], 9856 "database_specific": { 9857 "cwe_ids": [ 9858 "CWE-502" 9859 ], 9860 "github_reviewed": true, 9861 "github_reviewed_at": "2021-03-18T23:37:23Z", 9862 "nvd_published_at": "2021-01-06T23:15:00Z", 9863 "severity": "HIGH" 9864 }, 9865 "details": "FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS`.", 9866 "id": "GHSA-cvm9-fjm9-3572", 9867 "modified": "2024-02-18T05:25:36.165759Z", 9868 "published": "2021-12-09T19:16:10Z", 9869 "references": [ 9870 { 9871 "type": "ADVISORY", 9872 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36181" 9873 }, 9874 { 9875 "type": "WEB", 9876 "url": "https://github.com/FasterXML/jackson-databind/issues/3004" 9877 }, 9878 { 9879 "type": "WEB", 9880 "url": "https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b" 9881 }, 9882 { 9883 "type": "WEB", 9884 "url": 
"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 9885 }, 9886 { 9887 "type": "PACKAGE", 9888 "url": "https://github.com/FasterXML/jackson-databind" 9889 }, 9890 { 9891 "type": "WEB", 9892 "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" 9893 }, 9894 { 9895 "type": "WEB", 9896 "url": "https://security.netapp.com/advisory/ntap-20210205-0005" 9897 }, 9898 { 9899 "type": "WEB", 9900 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 9901 }, 9902 { 9903 "type": "WEB", 9904 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 9905 }, 9906 { 9907 "type": "WEB", 9908 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 9909 }, 9910 { 9911 "type": "WEB", 9912 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 9913 }, 9914 { 9915 "type": "WEB", 9916 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 9917 }, 9918 { 9919 "type": "WEB", 9920 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 9921 } 9922 ], 9923 "schema_version": "1.6.0", 9924 "severity": [ 9925 { 9926 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 9927 "type": "CVSS_V3" 9928 } 9929 ], 9930 "summary": "Unsafe Deserialization in jackson-databind" 9931 }, 9932 { 9933 "affected": [ 9934 { 9935 "database_specific": { 9936 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-f3j5-rmmp-3fc5/GHSA-f3j5-rmmp-3fc5.json" 9937 }, 9938 "package": { 9939 "ecosystem": "Maven", 9940 "name": "com.fasterxml.jackson.core:jackson-databind", 9941 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 9942 }, 9943 "ranges": [ 9944 { 9945 "events": [ 9946 { 9947 "introduced": "2.9.0" 9948 }, 9949 { 9950 "fixed": "2.9.10" 9951 } 9952 ], 9953 "type": "ECOSYSTEM" 9954 } 9955 ], 9956 "versions": [ 9957 "2.9.0", 9958 "2.9.0.pr1", 9959 "2.9.0.pr2", 9960 "2.9.0.pr3", 9961 "2.9.0.pr4", 9962 "2.9.1", 9963 "2.9.2", 9964 
"2.9.3", 9965 "2.9.4", 9966 "2.9.5", 9967 "2.9.6", 9968 "2.9.7", 9969 "2.9.8", 9970 "2.9.9", 9971 "2.9.9.1", 9972 "2.9.9.2", 9973 "2.9.9.3" 9974 ] 9975 }, 9976 { 9977 "database_specific": { 9978 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-f3j5-rmmp-3fc5/GHSA-f3j5-rmmp-3fc5.json" 9979 }, 9980 "package": { 9981 "ecosystem": "Maven", 9982 "name": "com.fasterxml.jackson.core:jackson-databind", 9983 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 9984 }, 9985 "ranges": [ 9986 { 9987 "events": [ 9988 { 9989 "introduced": "0" 9990 }, 9991 { 9992 "fixed": "2.8.11.5" 9993 } 9994 ], 9995 "type": "ECOSYSTEM" 9996 } 9997 ], 9998 "versions": [ 9999 "2.0.0", 10000 "2.0.0-RC1", 10001 "2.0.0-RC2", 10002 "2.0.0-RC3", 10003 "2.0.1", 10004 "2.0.2", 10005 "2.0.4", 10006 "2.0.5", 10007 "2.0.6", 10008 "2.1.0", 10009 "2.1.1", 10010 "2.1.2", 10011 "2.1.3", 10012 "2.1.4", 10013 "2.1.5", 10014 "2.2.0", 10015 "2.2.0-rc1", 10016 "2.2.1", 10017 "2.2.2", 10018 "2.2.3", 10019 "2.2.4", 10020 "2.3.0", 10021 "2.3.0-rc1", 10022 "2.3.1", 10023 "2.3.2", 10024 "2.3.3", 10025 "2.3.4", 10026 "2.3.5", 10027 "2.4.0", 10028 "2.4.0-rc1", 10029 "2.4.0-rc2", 10030 "2.4.0-rc3", 10031 "2.4.1", 10032 "2.4.1.1", 10033 "2.4.1.2", 10034 "2.4.1.3", 10035 "2.4.2", 10036 "2.4.3", 10037 "2.4.4", 10038 "2.4.5", 10039 "2.4.5.1", 10040 "2.4.6", 10041 "2.4.6.1", 10042 "2.5.0", 10043 "2.5.0-rc1", 10044 "2.5.1", 10045 "2.5.2", 10046 "2.5.3", 10047 "2.5.4", 10048 "2.5.5", 10049 "2.6.0", 10050 "2.6.0-rc1", 10051 "2.6.0-rc2", 10052 "2.6.0-rc3", 10053 "2.6.0-rc4", 10054 "2.6.1", 10055 "2.6.2", 10056 "2.6.3", 10057 "2.6.4", 10058 "2.6.5", 10059 "2.6.6", 10060 "2.6.7", 10061 "2.6.7.1", 10062 "2.6.7.2", 10063 "2.6.7.3", 10064 "2.6.7.4", 10065 "2.6.7.5", 10066 "2.7.0", 10067 "2.7.0-rc1", 10068 "2.7.0-rc2", 10069 "2.7.0-rc3", 10070 "2.7.1", 10071 "2.7.1-1", 10072 "2.7.2", 10073 "2.7.3", 10074 "2.7.4", 10075 "2.7.5", 10076 "2.7.6", 10077 "2.7.7", 10078 
"2.7.8", 10079 "2.7.9", 10080 "2.7.9.1", 10081 "2.7.9.2", 10082 "2.7.9.3", 10083 "2.7.9.4", 10084 "2.7.9.5", 10085 "2.7.9.6", 10086 "2.7.9.7", 10087 "2.8.0", 10088 "2.8.0.rc1", 10089 "2.8.0.rc2", 10090 "2.8.1", 10091 "2.8.10", 10092 "2.8.11", 10093 "2.8.11.1", 10094 "2.8.11.2", 10095 "2.8.11.3", 10096 "2.8.11.4", 10097 "2.8.2", 10098 "2.8.3", 10099 "2.8.4", 10100 "2.8.5", 10101 "2.8.6", 10102 "2.8.7", 10103 "2.8.8", 10104 "2.8.8.1", 10105 "2.8.9" 10106 ] 10107 } 10108 ], 10109 "aliases": [ 10110 "CVE-2019-17267" 10111 ], 10112 "database_specific": { 10113 "cwe_ids": [ 10114 "CWE-502" 10115 ], 10116 "github_reviewed": true, 10117 "github_reviewed_at": "2020-06-11T21:47:17Z", 10118 "nvd_published_at": "2019-10-07T00:15:00Z", 10119 "severity": "CRITICAL" 10120 }, 10121 "details": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10 and 2.8.11.5. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.", 10122 "id": "GHSA-f3j5-rmmp-3fc5", 10123 "modified": "2024-03-15T05:20:35.120151Z", 10124 "published": "2020-06-15T18:44:48Z", 10125 "references": [ 10126 { 10127 "type": "ADVISORY", 10128 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17267" 10129 }, 10130 { 10131 "type": "WEB", 10132 "url": "https://github.com/FasterXML/jackson-databind/issues/2460" 10133 }, 10134 { 10135 "type": "WEB", 10136 "url": "https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb" 10137 }, 10138 { 10139 "type": "WEB", 10140 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 10141 }, 10142 { 10143 "type": "WEB", 10144 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 10145 }, 10146 { 10147 "type": "WEB", 10148 "url": "https://www.oracle.com/security-alerts/cpujan2020.html" 10149 }, 10150 { 10151 "type": "WEB", 10152 "url": "https://security.netapp.com/advisory/ntap-20191017-0006" 10153 }, 10154 { 10155 "type": "WEB", 10156 "url": 
"https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html" 10157 }, 10158 { 10159 "type": "WEB", 10160 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 10161 }, 10162 { 10163 "type": "WEB", 10164 "url": "https://lists.apache.org/thread.html/r9d727fc681fb3828794acbefcaee31393742b4d73a29461ccd9597a8@%3Cdev.skywalking.apache.org%3E" 10165 }, 10166 { 10167 "type": "WEB", 10168 "url": "https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E" 10169 }, 10170 { 10171 "type": "WEB", 10172 "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" 10173 }, 10174 { 10175 "type": "WEB", 10176 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 10177 }, 10178 { 10179 "type": "WEB", 10180 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 10181 }, 10182 { 10183 "type": "WEB", 10184 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 10185 }, 10186 { 10187 "type": "WEB", 10188 "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10" 10189 }, 10190 { 10191 "type": "PACKAGE", 10192 "url": "https://github.com/FasterXML/jackson-databind" 10193 }, 10194 { 10195 "type": "WEB", 10196 "url": "https://access.redhat.com/errata/RHSA-2020:0445" 10197 }, 10198 { 10199 "type": "WEB", 10200 "url": "https://access.redhat.com/errata/RHSA-2020:0164" 10201 }, 10202 { 10203 "type": "WEB", 10204 "url": "https://access.redhat.com/errata/RHSA-2020:0161" 10205 }, 10206 { 10207 "type": "WEB", 10208 "url": "https://access.redhat.com/errata/RHSA-2020:0160" 10209 }, 10210 { 
10211 "type": "WEB", 10212 "url": "https://access.redhat.com/errata/RHSA-2020:0159" 10213 }, 10214 { 10215 "type": "WEB", 10216 "url": "https://access.redhat.com/errata/RHSA-2019:3200" 10217 } 10218 ], 10219 "schema_version": "1.6.0", 10220 "severity": [ 10221 { 10222 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 10223 "type": "CVSS_V3" 10224 } 10225 ], 10226 "summary": "Improper Input Validation in jackson-databind" 10227 }, 10228 { 10229 "affected": [ 10230 { 10231 "database_specific": { 10232 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-f9hv-mg5h-xcw9/GHSA-f9hv-mg5h-xcw9.json" 10233 }, 10234 "package": { 10235 "ecosystem": "Maven", 10236 "name": "com.fasterxml.jackson.core:jackson-databind", 10237 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 10238 }, 10239 "ranges": [ 10240 { 10241 "events": [ 10242 { 10243 "introduced": "2.9.0" 10244 }, 10245 { 10246 "fixed": "2.9.8" 10247 } 10248 ], 10249 "type": "ECOSYSTEM" 10250 } 10251 ], 10252 "versions": [ 10253 "2.9.0", 10254 "2.9.0.pr1", 10255 "2.9.0.pr2", 10256 "2.9.0.pr3", 10257 "2.9.0.pr4", 10258 "2.9.1", 10259 "2.9.2", 10260 "2.9.3", 10261 "2.9.4", 10262 "2.9.5", 10263 "2.9.6", 10264 "2.9.7" 10265 ] 10266 }, 10267 { 10268 "database_specific": { 10269 "last_known_affected_version_range": "\u003c= 2.8.11.2", 10270 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-f9hv-mg5h-xcw9/GHSA-f9hv-mg5h-xcw9.json" 10271 }, 10272 "package": { 10273 "ecosystem": "Maven", 10274 "name": "com.fasterxml.jackson.core:jackson-databind", 10275 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 10276 }, 10277 "ranges": [ 10278 { 10279 "events": [ 10280 { 10281 "introduced": "2.8.0" 10282 }, 10283 { 10284 "fixed": "2.8.11.3" 10285 } 10286 ], 10287 "type": "ECOSYSTEM" 10288 } 10289 ], 10290 "versions": [ 10291 "2.8.0", 10292 "2.8.1", 10293 "2.8.10", 10294 "2.8.11", 10295 "2.8.11.1", 
10296 "2.8.11.2", 10297 "2.8.2", 10298 "2.8.3", 10299 "2.8.4", 10300 "2.8.5", 10301 "2.8.6", 10302 "2.8.7", 10303 "2.8.8", 10304 "2.8.8.1", 10305 "2.8.9" 10306 ] 10307 }, 10308 { 10309 "database_specific": { 10310 "last_known_affected_version_range": "\u003c= 2.7.9.4", 10311 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-f9hv-mg5h-xcw9/GHSA-f9hv-mg5h-xcw9.json" 10312 }, 10313 "package": { 10314 "ecosystem": "Maven", 10315 "name": "com.fasterxml.jackson.core:jackson-databind", 10316 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 10317 }, 10318 "ranges": [ 10319 { 10320 "events": [ 10321 { 10322 "introduced": "2.7.0" 10323 }, 10324 { 10325 "fixed": "2.7.9.5" 10326 } 10327 ], 10328 "type": "ECOSYSTEM" 10329 } 10330 ], 10331 "versions": [ 10332 "2.7.0", 10333 "2.7.1", 10334 "2.7.1-1", 10335 "2.7.2", 10336 "2.7.3", 10337 "2.7.4", 10338 "2.7.5", 10339 "2.7.6", 10340 "2.7.7", 10341 "2.7.8", 10342 "2.7.9", 10343 "2.7.9.1", 10344 "2.7.9.2", 10345 "2.7.9.3", 10346 "2.7.9.4" 10347 ] 10348 } 10349 ], 10350 "aliases": [ 10351 "CVE-2018-19360" 10352 ], 10353 "database_specific": { 10354 "cwe_ids": [ 10355 "CWE-502" 10356 ], 10357 "github_reviewed": true, 10358 "github_reviewed_at": "2020-06-16T21:34:16Z", 10359 "nvd_published_at": null, 10360 "severity": "CRITICAL" 10361 }, 10362 "details": "FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.", 10363 "id": "GHSA-f9hv-mg5h-xcw9", 10364 "modified": "2024-03-12T05:18:23.439473Z", 10365 "published": "2019-01-04T19:06:57Z", 10366 "references": [ 10367 { 10368 "type": "ADVISORY", 10369 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19360" 10370 }, 10371 { 10372 "type": "WEB", 10373 "url": "https://github.com/FasterXML/jackson-databind/issues/2186" 10374 }, 10375 { 10376 "type": "WEB", 10377 "url": 
"https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b" 10378 }, 10379 { 10380 "type": "WEB", 10381 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 10382 }, 10383 { 10384 "type": "WEB", 10385 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 10386 }, 10387 { 10388 "type": "WEB", 10389 "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" 10390 }, 10391 { 10392 "type": "WEB", 10393 "url": "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E" 10394 }, 10395 { 10396 "type": "WEB", 10397 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 10398 }, 10399 { 10400 "type": "WEB", 10401 "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" 10402 }, 10403 { 10404 "type": "WEB", 10405 "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" 10406 }, 10407 { 10408 "type": "WEB", 10409 "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" 10410 }, 10411 { 10412 "type": "WEB", 10413 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 10414 }, 10415 { 10416 "type": "WEB", 10417 "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html" 10418 }, 10419 { 10420 "type": "WEB", 10421 "url": "https://seclists.org/bugtraq/2019/May/68" 10422 }, 10423 { 10424 "type": "WEB", 10425 "url": 
"https://security.netapp.com/advisory/ntap-20190530-0003" 10426 }, 10427 { 10428 "type": "WEB", 10429 "url": "https://www.debian.org/security/2019/dsa-4452" 10430 }, 10431 { 10432 "type": "WEB", 10433 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 10434 }, 10435 { 10436 "type": "WEB", 10437 "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" 10438 }, 10439 { 10440 "type": "WEB", 10441 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 10442 }, 10443 { 10444 "type": "WEB", 10445 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 10446 }, 10447 { 10448 "type": "WEB", 10449 "url": "https://access.redhat.com/errata/RHBA-2019:0959" 10450 }, 10451 { 10452 "type": "WEB", 10453 "url": "https://access.redhat.com/errata/RHSA-2019:0782" 10454 }, 10455 { 10456 "type": "WEB", 10457 "url": "https://access.redhat.com/errata/RHSA-2019:0877" 10458 }, 10459 { 10460 "type": "WEB", 10461 "url": "https://access.redhat.com/errata/RHSA-2019:1782" 10462 }, 10463 { 10464 "type": "WEB", 10465 "url": "https://access.redhat.com/errata/RHSA-2019:1797" 10466 }, 10467 { 10468 "type": "WEB", 10469 "url": "https://access.redhat.com/errata/RHSA-2019:1822" 10470 }, 10471 { 10472 "type": "WEB", 10473 "url": "https://access.redhat.com/errata/RHSA-2019:1823" 10474 }, 10475 { 10476 "type": "WEB", 10477 "url": "https://access.redhat.com/errata/RHSA-2019:2804" 10478 }, 10479 { 10480 "type": "WEB", 10481 "url": "https://access.redhat.com/errata/RHSA-2019:2858" 10482 }, 10483 { 10484 "type": "WEB", 10485 "url": "https://access.redhat.com/errata/RHSA-2019:3002" 10486 }, 10487 { 10488 "type": "WEB", 10489 "url": "https://access.redhat.com/errata/RHSA-2019:3140" 10490 }, 10491 { 10492 "type": "WEB", 10493 "url": "https://access.redhat.com/errata/RHSA-2019:3149" 10494 }, 10495 { 10496 "type": "WEB", 10497 "url": "https://access.redhat.com/errata/RHSA-2019:3892" 10498 }, 10499 { 10500 "type": 
"WEB", 10501 "url": "https://access.redhat.com/errata/RHSA-2019:4037" 10502 }, 10503 { 10504 "type": "WEB", 10505 "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8" 10506 }, 10507 { 10508 "type": "ADVISORY", 10509 "url": "https://github.com/advisories/GHSA-f9hv-mg5h-xcw9" 10510 }, 10511 { 10512 "type": "WEB", 10513 "url": "https://issues.apache.org/jira/browse/TINKERPOP-2121" 10514 }, 10515 { 10516 "type": "WEB", 10517 "url": "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E" 10518 }, 10519 { 10520 "type": "WEB", 10521 "url": "http://www.securityfocus.com/bid/107985" 10522 } 10523 ], 10524 "schema_version": "1.6.0", 10525 "severity": [ 10526 { 10527 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 10528 "type": "CVSS_V3" 10529 } 10530 ], 10531 "summary": "Deserialization of Untrusted Data in jackson-databind due to polymorphic deserialization" 10532 }, 10533 { 10534 "affected": [ 10535 { 10536 "database_specific": { 10537 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-f9xh-2qgp-cq57/GHSA-f9xh-2qgp-cq57.json" 10538 }, 10539 "package": { 10540 "ecosystem": "Maven", 10541 "name": "com.fasterxml.jackson.core:jackson-databind", 10542 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 10543 }, 10544 "ranges": [ 10545 { 10546 "events": [ 10547 { 10548 "introduced": "2.7.0" 10549 }, 10550 { 10551 "fixed": "2.9.10.8" 10552 } 10553 ], 10554 "type": "ECOSYSTEM" 10555 } 10556 ], 10557 "versions": [ 10558 "2.7.0", 10559 "2.7.1", 10560 "2.7.1-1", 10561 "2.7.2", 10562 "2.7.3", 10563 "2.7.4", 10564 "2.7.5", 10565 "2.7.6", 10566 "2.7.7", 10567 "2.7.8", 10568 "2.7.9", 10569 "2.7.9.1", 10570 "2.7.9.2", 10571 "2.7.9.3", 10572 "2.7.9.4", 10573 "2.7.9.5", 10574 "2.7.9.6", 10575 "2.7.9.7", 10576 "2.8.0", 10577 "2.8.0.rc1", 10578 "2.8.0.rc2", 10579 "2.8.1", 10580 "2.8.10", 10581 "2.8.11", 10582 "2.8.11.1", 10583 
"2.8.11.2", 10584 "2.8.11.3", 10585 "2.8.11.4", 10586 "2.8.11.5", 10587 "2.8.11.6", 10588 "2.8.2", 10589 "2.8.3", 10590 "2.8.4", 10591 "2.8.5", 10592 "2.8.6", 10593 "2.8.7", 10594 "2.8.8", 10595 "2.8.8.1", 10596 "2.8.9", 10597 "2.9.0", 10598 "2.9.0.pr1", 10599 "2.9.0.pr2", 10600 "2.9.0.pr3", 10601 "2.9.0.pr4", 10602 "2.9.1", 10603 "2.9.10", 10604 "2.9.10.1", 10605 "2.9.10.2", 10606 "2.9.10.3", 10607 "2.9.10.4", 10608 "2.9.10.5", 10609 "2.9.10.6", 10610 "2.9.10.7", 10611 "2.9.2", 10612 "2.9.3", 10613 "2.9.4", 10614 "2.9.5", 10615 "2.9.6", 10616 "2.9.7", 10617 "2.9.8", 10618 "2.9.9", 10619 "2.9.9.1", 10620 "2.9.9.2", 10621 "2.9.9.3" 10622 ] 10623 }, 10624 { 10625 "database_specific": { 10626 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-f9xh-2qgp-cq57/GHSA-f9xh-2qgp-cq57.json" 10627 }, 10628 "package": { 10629 "ecosystem": "Maven", 10630 "name": "com.fasterxml.jackson.core:jackson-databind", 10631 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 10632 }, 10633 "ranges": [ 10634 { 10635 "events": [ 10636 { 10637 "introduced": "2.0.0" 10638 }, 10639 { 10640 "fixed": "2.6.7.5" 10641 } 10642 ], 10643 "type": "ECOSYSTEM" 10644 } 10645 ], 10646 "versions": [ 10647 "2.0.0", 10648 "2.0.1", 10649 "2.0.2", 10650 "2.0.4", 10651 "2.0.5", 10652 "2.0.6", 10653 "2.1.0", 10654 "2.1.1", 10655 "2.1.2", 10656 "2.1.3", 10657 "2.1.4", 10658 "2.1.5", 10659 "2.2.0", 10660 "2.2.0-rc1", 10661 "2.2.1", 10662 "2.2.2", 10663 "2.2.3", 10664 "2.2.4", 10665 "2.3.0", 10666 "2.3.0-rc1", 10667 "2.3.1", 10668 "2.3.2", 10669 "2.3.3", 10670 "2.3.4", 10671 "2.3.5", 10672 "2.4.0", 10673 "2.4.0-rc1", 10674 "2.4.0-rc2", 10675 "2.4.0-rc3", 10676 "2.4.1", 10677 "2.4.1.1", 10678 "2.4.1.2", 10679 "2.4.1.3", 10680 "2.4.2", 10681 "2.4.3", 10682 "2.4.4", 10683 "2.4.5", 10684 "2.4.5.1", 10685 "2.4.6", 10686 "2.4.6.1", 10687 "2.5.0", 10688 "2.5.0-rc1", 10689 "2.5.1", 10690 "2.5.2", 10691 "2.5.3", 10692 "2.5.4", 10693 "2.5.5", 10694 "2.6.0", 
10695 "2.6.0-rc1", 10696 "2.6.0-rc2", 10697 "2.6.0-rc3", 10698 "2.6.0-rc4", 10699 "2.6.1", 10700 "2.6.2", 10701 "2.6.3", 10702 "2.6.4", 10703 "2.6.5", 10704 "2.6.6", 10705 "2.6.7", 10706 "2.6.7.1", 10707 "2.6.7.2", 10708 "2.6.7.3", 10709 "2.6.7.4" 10710 ] 10711 } 10712 ], 10713 "aliases": [ 10714 "CVE-2020-36188" 10715 ], 10716 "database_specific": { 10717 "cwe_ids": [ 10718 "CWE-502" 10719 ], 10720 "github_reviewed": true, 10721 "github_reviewed_at": "2021-03-18T23:25:02Z", 10722 "nvd_published_at": "2021-01-06T23:15:00Z", 10723 "severity": "HIGH" 10724 }, 10725 "details": "FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource`.", 10726 "id": "GHSA-f9xh-2qgp-cq57", 10727 "modified": "2024-02-18T05:32:05.421673Z", 10728 "published": "2021-12-09T19:16:42Z", 10729 "references": [ 10730 { 10731 "type": "ADVISORY", 10732 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36188" 10733 }, 10734 { 10735 "type": "WEB", 10736 "url": "https://github.com/FasterXML/jackson-databind/issues/2996" 10737 }, 10738 { 10739 "type": "WEB", 10740 "url": "https://github.com/FasterXML/jackson-databind/commit/33d96c13fe18a2dad01b19ce195548c9acea9da4" 10741 }, 10742 { 10743 "type": "WEB", 10744 "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 10745 }, 10746 { 10747 "type": "PACKAGE", 10748 "url": "https://github.com/FasterXML/jackson-databind" 10749 }, 10750 { 10751 "type": "WEB", 10752 "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" 10753 }, 10754 { 10755 "type": "WEB", 10756 "url": "https://security.netapp.com/advisory/ntap-20210205-0005" 10757 }, 10758 { 10759 "type": "WEB", 10760 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 10761 }, 10762 { 10763 "type": "WEB", 10764 "url": 
"https://www.oracle.com/security-alerts/cpuApr2021.html" 10765 }, 10766 { 10767 "type": "WEB", 10768 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 10769 }, 10770 { 10771 "type": "WEB", 10772 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 10773 }, 10774 { 10775 "type": "WEB", 10776 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 10777 }, 10778 { 10779 "type": "WEB", 10780 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 10781 } 10782 ], 10783 "schema_version": "1.6.0", 10784 "severity": [ 10785 { 10786 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 10787 "type": "CVSS_V3" 10788 } 10789 ], 10790 "summary": "Unsafe Deserialization in jackson-databind" 10791 }, 10792 { 10793 "affected": [ 10794 { 10795 "database_specific": { 10796 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-fmmc-742q-jg75/GHSA-fmmc-742q-jg75.json" 10797 }, 10798 "package": { 10799 "ecosystem": "Maven", 10800 "name": "com.fasterxml.jackson.core:jackson-databind", 10801 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 10802 }, 10803 "ranges": [ 10804 { 10805 "events": [ 10806 { 10807 "introduced": "2.9.0" 10808 }, 10809 { 10810 "fixed": "2.9.10.1" 10811 } 10812 ], 10813 "type": "ECOSYSTEM" 10814 } 10815 ], 10816 "versions": [ 10817 "2.9.0", 10818 "2.9.0.pr1", 10819 "2.9.0.pr2", 10820 "2.9.0.pr3", 10821 "2.9.0.pr4", 10822 "2.9.1", 10823 "2.9.10", 10824 "2.9.2", 10825 "2.9.3", 10826 "2.9.4", 10827 "2.9.5", 10828 "2.9.6", 10829 "2.9.7", 10830 "2.9.8", 10831 "2.9.9", 10832 "2.9.9.1", 10833 "2.9.9.2", 10834 "2.9.9.3" 10835 ] 10836 }, 10837 { 10838 "database_specific": { 10839 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-fmmc-742q-jg75/GHSA-fmmc-742q-jg75.json" 10840 }, 10841 "package": { 10842 "ecosystem": "Maven", 10843 "name": "com.fasterxml.jackson.core:jackson-databind", 10844 "purl": 
"pkg:maven/com.fasterxml.jackson.core/jackson-databind" 10845 }, 10846 "ranges": [ 10847 { 10848 "events": [ 10849 { 10850 "introduced": "2.7.0" 10851 }, 10852 { 10853 "fixed": "2.8.11.5" 10854 } 10855 ], 10856 "type": "ECOSYSTEM" 10857 } 10858 ], 10859 "versions": [ 10860 "2.7.0", 10861 "2.7.1", 10862 "2.7.1-1", 10863 "2.7.2", 10864 "2.7.3", 10865 "2.7.4", 10866 "2.7.5", 10867 "2.7.6", 10868 "2.7.7", 10869 "2.7.8", 10870 "2.7.9", 10871 "2.7.9.1", 10872 "2.7.9.2", 10873 "2.7.9.3", 10874 "2.7.9.4", 10875 "2.7.9.5", 10876 "2.7.9.6", 10877 "2.7.9.7", 10878 "2.8.0", 10879 "2.8.0.rc1", 10880 "2.8.0.rc2", 10881 "2.8.1", 10882 "2.8.10", 10883 "2.8.11", 10884 "2.8.11.1", 10885 "2.8.11.2", 10886 "2.8.11.3", 10887 "2.8.11.4", 10888 "2.8.2", 10889 "2.8.3", 10890 "2.8.4", 10891 "2.8.5", 10892 "2.8.6", 10893 "2.8.7", 10894 "2.8.8", 10895 "2.8.8.1", 10896 "2.8.9" 10897 ] 10898 }, 10899 { 10900 "database_specific": { 10901 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-fmmc-742q-jg75/GHSA-fmmc-742q-jg75.json" 10902 }, 10903 "package": { 10904 "ecosystem": "Maven", 10905 "name": "com.fasterxml.jackson.core:jackson-databind", 10906 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 10907 }, 10908 "ranges": [ 10909 { 10910 "events": [ 10911 { 10912 "introduced": "0" 10913 }, 10914 { 10915 "fixed": "2.6.7.3" 10916 } 10917 ], 10918 "type": "ECOSYSTEM" 10919 } 10920 ], 10921 "versions": [ 10922 "2.0.0", 10923 "2.0.0-RC1", 10924 "2.0.0-RC2", 10925 "2.0.0-RC3", 10926 "2.0.1", 10927 "2.0.2", 10928 "2.0.4", 10929 "2.0.5", 10930 "2.0.6", 10931 "2.1.0", 10932 "2.1.1", 10933 "2.1.2", 10934 "2.1.3", 10935 "2.1.4", 10936 "2.1.5", 10937 "2.2.0", 10938 "2.2.0-rc1", 10939 "2.2.1", 10940 "2.2.2", 10941 "2.2.3", 10942 "2.2.4", 10943 "2.3.0", 10944 "2.3.0-rc1", 10945 "2.3.1", 10946 "2.3.2", 10947 "2.3.3", 10948 "2.3.4", 10949 "2.3.5", 10950 "2.4.0", 10951 "2.4.0-rc1", 10952 "2.4.0-rc2", 10953 "2.4.0-rc3", 10954 "2.4.1", 10955 
"2.4.1.1", 10956 "2.4.1.2", 10957 "2.4.1.3", 10958 "2.4.2", 10959 "2.4.3", 10960 "2.4.4", 10961 "2.4.5", 10962 "2.4.5.1", 10963 "2.4.6", 10964 "2.4.6.1", 10965 "2.5.0", 10966 "2.5.0-rc1", 10967 "2.5.1", 10968 "2.5.2", 10969 "2.5.3", 10970 "2.5.4", 10971 "2.5.5", 10972 "2.6.0", 10973 "2.6.0-rc1", 10974 "2.6.0-rc2", 10975 "2.6.0-rc3", 10976 "2.6.0-rc4", 10977 "2.6.1", 10978 "2.6.2", 10979 "2.6.3", 10980 "2.6.4", 10981 "2.6.5", 10982 "2.6.6", 10983 "2.6.7", 10984 "2.6.7.1", 10985 "2.6.7.2" 10986 ] 10987 } 10988 ], 10989 "aliases": [ 10990 "CVE-2019-16943" 10991 ], 10992 "database_specific": { 10993 "cwe_ids": [ 10994 "CWE-502" 10995 ], 10996 "github_reviewed": true, 10997 "github_reviewed_at": "2019-11-13T00:30:39Z", 10998 "nvd_published_at": "2019-10-01T17:15:00Z", 10999 "severity": "CRITICAL" 11000 }, 11001 "details": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. 
This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.", 11002 "id": "GHSA-fmmc-742q-jg75", 11003 "modified": "2024-03-16T05:19:55.172981Z", 11004 "published": "2019-11-13T00:32:27Z", 11005 "references": [ 11006 { 11007 "type": "ADVISORY", 11008 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16943" 11009 }, 11010 { 11011 "type": "WEB", 11012 "url": "https://github.com/FasterXML/jackson-databind/issues/2478" 11013 }, 11014 { 11015 "type": "WEB", 11016 "url": "https://github.com/FasterXML/jackson-databind/commit/328a0f833daf6baa443ac3b37c818a0204714b0b" 11017 }, 11018 { 11019 "type": "WEB", 11020 "url": "https://github.com/FasterXML/jackson-databind/commit/bc67eb11a7cf57561f861ff16f879f1fceb5779f" 11021 }, 11022 { 11023 "type": "WEB", 11024 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 11025 }, 11026 { 11027 "type": "WEB", 11028 "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html" 11029 }, 11030 { 11031 "type": "WEB", 11032 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43" 11033 }, 11034 { 11035 "type": "WEB", 11036 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT" 11037 }, 11038 { 11039 "type": "WEB", 11040 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 11041 }, 11042 { 11043 "type": "WEB", 11044 "url": "https://seclists.org/bugtraq/2019/Oct/6" 11045 }, 11046 { 11047 "type": "WEB", 11048 "url": "https://security.netapp.com/advisory/ntap-20191017-0006" 11049 }, 11050 { 11051 "type": "WEB", 11052 "url": "https://www.debian.org/security/2019/dsa-4542" 11053 }, 11054 { 11055 "type": "WEB", 11056 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 11057 }, 11058 { 11059 "type": "WEB", 11060 
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 11061 }, 11062 { 11063 "type": "WEB", 11064 "url": "https://www.oracle.com/security-alerts/cpujan2020.html" 11065 }, 11066 { 11067 "type": "WEB", 11068 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 11069 }, 11070 { 11071 "type": "WEB", 11072 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 11073 }, 11074 { 11075 "type": "WEB", 11076 "url": "https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E" 11077 }, 11078 { 11079 "type": "WEB", 11080 "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" 11081 }, 11082 { 11083 "type": "WEB", 11084 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 11085 }, 11086 { 11087 "type": "WEB", 11088 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 11089 }, 11090 { 11091 "type": "WEB", 11092 "url": "https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6@%3Cissues.iceberg.apache.org%3E" 11093 }, 11094 { 11095 "type": "WEB", 11096 "url": "https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef37312532712639712ebcdd@%3Ccommits.iceberg.apache.org%3E" 11097 }, 11098 { 11099 "type": "WEB", 11100 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 11101 }, 11102 { 11103 "type": "PACKAGE", 11104 "url": "https://github.com/FasterXML/jackson-databind" 11105 }, 11106 { 11107 "type": "WEB", 11108 "url": "https://access.redhat.com/errata/RHSA-2020:0445" 11109 }, 11110 { 11111 "type": "WEB", 11112 "url": "https://access.redhat.com/errata/RHSA-2020:0164" 11113 }, 11114 { 11115 "type": "WEB", 11116 "url": 
"https://access.redhat.com/errata/RHSA-2020:0161" 11117 }, 11118 { 11119 "type": "WEB", 11120 "url": "https://access.redhat.com/errata/RHSA-2020:0160" 11121 }, 11122 { 11123 "type": "WEB", 11124 "url": "https://access.redhat.com/errata/RHSA-2020:0159" 11125 } 11126 ], 11127 "schema_version": "1.6.0", 11128 "severity": [ 11129 { 11130 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 11131 "type": "CVSS_V3" 11132 } 11133 ], 11134 "summary": "jackson-databind polymorphic typing issue" 11135 }, 11136 { 11137 "affected": [ 11138 { 11139 "database_specific": { 11140 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-fqwf-pjwf-7vqv/GHSA-fqwf-pjwf-7vqv.json" 11141 }, 11142 "package": { 11143 "ecosystem": "Maven", 11144 "name": "com.fasterxml.jackson.core:jackson-databind", 11145 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 11146 }, 11147 "ranges": [ 11148 { 11149 "events": [ 11150 { 11151 "introduced": "2.7.0" 11152 }, 11153 { 11154 "fixed": "2.9.10.4" 11155 } 11156 ], 11157 "type": "ECOSYSTEM" 11158 } 11159 ], 11160 "versions": [ 11161 "2.7.0", 11162 "2.7.1", 11163 "2.7.1-1", 11164 "2.7.2", 11165 "2.7.3", 11166 "2.7.4", 11167 "2.7.5", 11168 "2.7.6", 11169 "2.7.7", 11170 "2.7.8", 11171 "2.7.9", 11172 "2.7.9.1", 11173 "2.7.9.2", 11174 "2.7.9.3", 11175 "2.7.9.4", 11176 "2.7.9.5", 11177 "2.7.9.6", 11178 "2.7.9.7", 11179 "2.8.0", 11180 "2.8.0.rc1", 11181 "2.8.0.rc2", 11182 "2.8.1", 11183 "2.8.10", 11184 "2.8.11", 11185 "2.8.11.1", 11186 "2.8.11.2", 11187 "2.8.11.3", 11188 "2.8.11.4", 11189 "2.8.11.5", 11190 "2.8.11.6", 11191 "2.8.2", 11192 "2.8.3", 11193 "2.8.4", 11194 "2.8.5", 11195 "2.8.6", 11196 "2.8.7", 11197 "2.8.8", 11198 "2.8.8.1", 11199 "2.8.9", 11200 "2.9.0", 11201 "2.9.0.pr1", 11202 "2.9.0.pr2", 11203 "2.9.0.pr3", 11204 "2.9.0.pr4", 11205 "2.9.1", 11206 "2.9.10", 11207 "2.9.10.1", 11208 "2.9.10.2", 11209 "2.9.10.3", 11210 "2.9.2", 11211 "2.9.3", 11212 "2.9.4", 11213 "2.9.5", 11214 
"2.9.6", 11215 "2.9.7", 11216 "2.9.8", 11217 "2.9.9", 11218 "2.9.9.1", 11219 "2.9.9.2", 11220 "2.9.9.3" 11221 ] 11222 }, 11223 { 11224 "database_specific": { 11225 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-fqwf-pjwf-7vqv/GHSA-fqwf-pjwf-7vqv.json" 11226 }, 11227 "package": { 11228 "ecosystem": "Maven", 11229 "name": "com.fasterxml.jackson.core:jackson-databind", 11230 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 11231 }, 11232 "ranges": [ 11233 { 11234 "events": [ 11235 { 11236 "introduced": "2.0.0" 11237 }, 11238 { 11239 "fixed": "2.6.7.4" 11240 } 11241 ], 11242 "type": "ECOSYSTEM" 11243 } 11244 ], 11245 "versions": [ 11246 "2.0.0", 11247 "2.0.1", 11248 "2.0.2", 11249 "2.0.4", 11250 "2.0.5", 11251 "2.0.6", 11252 "2.1.0", 11253 "2.1.1", 11254 "2.1.2", 11255 "2.1.3", 11256 "2.1.4", 11257 "2.1.5", 11258 "2.2.0", 11259 "2.2.0-rc1", 11260 "2.2.1", 11261 "2.2.2", 11262 "2.2.3", 11263 "2.2.4", 11264 "2.3.0", 11265 "2.3.0-rc1", 11266 "2.3.1", 11267 "2.3.2", 11268 "2.3.3", 11269 "2.3.4", 11270 "2.3.5", 11271 "2.4.0", 11272 "2.4.0-rc1", 11273 "2.4.0-rc2", 11274 "2.4.0-rc3", 11275 "2.4.1", 11276 "2.4.1.1", 11277 "2.4.1.2", 11278 "2.4.1.3", 11279 "2.4.2", 11280 "2.4.3", 11281 "2.4.4", 11282 "2.4.5", 11283 "2.4.5.1", 11284 "2.4.6", 11285 "2.4.6.1", 11286 "2.5.0", 11287 "2.5.0-rc1", 11288 "2.5.1", 11289 "2.5.2", 11290 "2.5.3", 11291 "2.5.4", 11292 "2.5.5", 11293 "2.6.0", 11294 "2.6.0-rc1", 11295 "2.6.0-rc2", 11296 "2.6.0-rc3", 11297 "2.6.0-rc4", 11298 "2.6.1", 11299 "2.6.2", 11300 "2.6.3", 11301 "2.6.4", 11302 "2.6.5", 11303 "2.6.6", 11304 "2.6.7", 11305 "2.6.7.1", 11306 "2.6.7.2", 11307 "2.6.7.3" 11308 ] 11309 } 11310 ], 11311 "aliases": [ 11312 "CVE-2020-10673" 11313 ], 11314 "database_specific": { 11315 "cwe_ids": [ 11316 "CWE-502" 11317 ], 11318 "github_reviewed": true, 11319 "github_reviewed_at": "2020-04-22T20:59:03Z", 11320 "nvd_published_at": "2020-03-18T22:15:00Z", 11321 "severity": "HIGH" 
11322 }, 11323 "details": "FasterXML jackson-databind 2.x before 2.9.10.4 and 2.6.7.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).", 11324 "id": "GHSA-fqwf-pjwf-7vqv", 11325 "modified": "2024-07-03T21:22:37.578162Z", 11326 "published": "2020-05-15T18:59:04Z", 11327 "references": [ 11328 { 11329 "type": "ADVISORY", 11330 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10673" 11331 }, 11332 { 11333 "type": "WEB", 11334 "url": "https://github.com/FasterXML/jackson-databind/issues/2660" 11335 }, 11336 { 11337 "type": "WEB", 11338 "url": "https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15" 11339 }, 11340 { 11341 "type": "PACKAGE", 11342 "url": "https://github.com/FasterXML/jackson-databind" 11343 }, 11344 { 11345 "type": "WEB", 11346 "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html" 11347 }, 11348 { 11349 "type": "WEB", 11350 "url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 11351 }, 11352 { 11353 "type": "WEB", 11354 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 11355 }, 11356 { 11357 "type": "WEB", 11358 "url": "https://security.netapp.com/advisory/ntap-20200403-0002" 11359 }, 11360 { 11361 "type": "WEB", 11362 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 11363 }, 11364 { 11365 "type": "WEB", 11366 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 11367 }, 11368 { 11369 "type": "WEB", 11370 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 11371 }, 11372 { 11373 "type": "WEB", 11374 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 11375 } 11376 ], 11377 "schema_version": "1.6.0", 11378 "severity": [ 11379 { 11380 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", 11381 "type": "CVSS_V3" 11382 } 11383 ], 11384 
"summary": "jackson-databind mishandles the interaction between serialization gadgets and typing" 11385 }, 11386 { 11387 "affected": [ 11388 { 11389 "database_specific": { 11390 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-gjmw-vf9h-g25v/GHSA-gjmw-vf9h-g25v.json" 11391 }, 11392 "package": { 11393 "ecosystem": "Maven", 11394 "name": "com.fasterxml.jackson.core:jackson-databind", 11395 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 11396 }, 11397 "ranges": [ 11398 { 11399 "events": [ 11400 { 11401 "introduced": "2.9.0" 11402 }, 11403 { 11404 "fixed": "2.9.10.1" 11405 } 11406 ], 11407 "type": "ECOSYSTEM" 11408 } 11409 ], 11410 "versions": [ 11411 "2.9.0", 11412 "2.9.0.pr1", 11413 "2.9.0.pr2", 11414 "2.9.0.pr3", 11415 "2.9.0.pr4", 11416 "2.9.1", 11417 "2.9.10", 11418 "2.9.2", 11419 "2.9.3", 11420 "2.9.4", 11421 "2.9.5", 11422 "2.9.6", 11423 "2.9.7", 11424 "2.9.8", 11425 "2.9.9", 11426 "2.9.9.1", 11427 "2.9.9.2", 11428 "2.9.9.3" 11429 ] 11430 }, 11431 { 11432 "database_specific": { 11433 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-gjmw-vf9h-g25v/GHSA-gjmw-vf9h-g25v.json" 11434 }, 11435 "package": { 11436 "ecosystem": "Maven", 11437 "name": "com.fasterxml.jackson.core:jackson-databind", 11438 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 11439 }, 11440 "ranges": [ 11441 { 11442 "events": [ 11443 { 11444 "introduced": "2.7.0" 11445 }, 11446 { 11447 "fixed": "2.8.11.5" 11448 } 11449 ], 11450 "type": "ECOSYSTEM" 11451 } 11452 ], 11453 "versions": [ 11454 "2.7.0", 11455 "2.7.1", 11456 "2.7.1-1", 11457 "2.7.2", 11458 "2.7.3", 11459 "2.7.4", 11460 "2.7.5", 11461 "2.7.6", 11462 "2.7.7", 11463 "2.7.8", 11464 "2.7.9", 11465 "2.7.9.1", 11466 "2.7.9.2", 11467 "2.7.9.3", 11468 "2.7.9.4", 11469 "2.7.9.5", 11470 "2.7.9.6", 11471 "2.7.9.7", 11472 "2.8.0", 11473 "2.8.0.rc1", 11474 "2.8.0.rc2", 11475 "2.8.1", 11476 "2.8.10", 11477 
"2.8.11", 11478 "2.8.11.1", 11479 "2.8.11.2", 11480 "2.8.11.3", 11481 "2.8.11.4", 11482 "2.8.2", 11483 "2.8.3", 11484 "2.8.4", 11485 "2.8.5", 11486 "2.8.6", 11487 "2.8.7", 11488 "2.8.8", 11489 "2.8.8.1", 11490 "2.8.9" 11491 ] 11492 }, 11493 { 11494 "database_specific": { 11495 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-gjmw-vf9h-g25v/GHSA-gjmw-vf9h-g25v.json" 11496 }, 11497 "package": { 11498 "ecosystem": "Maven", 11499 "name": "com.fasterxml.jackson.core:jackson-databind", 11500 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 11501 }, 11502 "ranges": [ 11503 { 11504 "events": [ 11505 { 11506 "introduced": "0" 11507 }, 11508 { 11509 "fixed": "2.6.7.3" 11510 } 11511 ], 11512 "type": "ECOSYSTEM" 11513 } 11514 ], 11515 "versions": [ 11516 "2.0.0", 11517 "2.0.0-RC1", 11518 "2.0.0-RC2", 11519 "2.0.0-RC3", 11520 "2.0.1", 11521 "2.0.2", 11522 "2.0.4", 11523 "2.0.5", 11524 "2.0.6", 11525 "2.1.0", 11526 "2.1.1", 11527 "2.1.2", 11528 "2.1.3", 11529 "2.1.4", 11530 "2.1.5", 11531 "2.2.0", 11532 "2.2.0-rc1", 11533 "2.2.1", 11534 "2.2.2", 11535 "2.2.3", 11536 "2.2.4", 11537 "2.3.0", 11538 "2.3.0-rc1", 11539 "2.3.1", 11540 "2.3.2", 11541 "2.3.3", 11542 "2.3.4", 11543 "2.3.5", 11544 "2.4.0", 11545 "2.4.0-rc1", 11546 "2.4.0-rc2", 11547 "2.4.0-rc3", 11548 "2.4.1", 11549 "2.4.1.1", 11550 "2.4.1.2", 11551 "2.4.1.3", 11552 "2.4.2", 11553 "2.4.3", 11554 "2.4.4", 11555 "2.4.5", 11556 "2.4.5.1", 11557 "2.4.6", 11558 "2.4.6.1", 11559 "2.5.0", 11560 "2.5.0-rc1", 11561 "2.5.1", 11562 "2.5.2", 11563 "2.5.3", 11564 "2.5.4", 11565 "2.5.5", 11566 "2.6.0", 11567 "2.6.0-rc1", 11568 "2.6.0-rc2", 11569 "2.6.0-rc3", 11570 "2.6.0-rc4", 11571 "2.6.1", 11572 "2.6.2", 11573 "2.6.3", 11574 "2.6.4", 11575 "2.6.5", 11576 "2.6.6", 11577 "2.6.7", 11578 "2.6.7.1", 11579 "2.6.7.2" 11580 ] 11581 } 11582 ], 11583 "aliases": [ 11584 "CVE-2019-17531" 11585 ], 11586 "database_specific": { 11587 "cwe_ids": [ 11588 "CWE-502" 11589 ], 11590 
"github_reviewed": true, 11591 "github_reviewed_at": "2019-11-13T00:30:58Z", 11592 "nvd_published_at": "2019-10-12T21:15:00Z", 11593 "severity": "CRITICAL" 11594 }, 11595 "details": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. ", 11596 "id": "GHSA-gjmw-vf9h-g25v", 11597 "modified": "2024-03-16T05:19:37.211801Z", 11598 "published": "2019-11-13T00:32:38Z", 11599 "references": [ 11600 { 11601 "type": "ADVISORY", 11602 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17531" 11603 }, 11604 { 11605 "type": "WEB", 11606 "url": "https://github.com/FasterXML/jackson-databind/issues/2498" 11607 }, 11608 { 11609 "type": "WEB", 11610 "url": "https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0" 11611 }, 11612 { 11613 "type": "WEB", 11614 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 11615 }, 11616 { 11617 "type": "WEB", 11618 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 11619 }, 11620 { 11621 "type": "WEB", 11622 "url": "https://www.oracle.com/security-alerts/cpujan2020.html" 11623 }, 11624 { 11625 "type": "WEB", 11626 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 11627 }, 11628 { 11629 "type": "WEB", 11630 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 11631 }, 11632 { 11633 "type": "WEB", 11634 "url": "https://security.netapp.com/advisory/ntap-20191024-0005" 11635 }, 11636 { 11637 "type": "WEB", 11638 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 11639 }, 11640 { 11641 "type": "WEB", 11642 "url": 
"https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html" 11643 }, 11644 { 11645 "type": "WEB", 11646 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 11647 }, 11648 { 11649 "type": "WEB", 11650 "url": "https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E" 11651 }, 11652 { 11653 "type": "WEB", 11654 "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" 11655 }, 11656 { 11657 "type": "WEB", 11658 "url": "https://lists.apache.org/thread.html/b3c90d38f99db546de60fea65f99a924d540fae2285f014b79606ca5@%3Ccommits.pulsar.apache.org%3E" 11659 }, 11660 { 11661 "type": "PACKAGE", 11662 "url": "https://github.com/FasterXML/jackson-databind" 11663 }, 11664 { 11665 "type": "WEB", 11666 "url": "https://access.redhat.com/errata/RHSA-2020:0445" 11667 }, 11668 { 11669 "type": "WEB", 11670 "url": "https://access.redhat.com/errata/RHSA-2020:0164" 11671 }, 11672 { 11673 "type": "WEB", 11674 "url": "https://access.redhat.com/errata/RHSA-2020:0161" 11675 }, 11676 { 11677 "type": "WEB", 11678 "url": "https://access.redhat.com/errata/RHSA-2020:0160" 11679 }, 11680 { 11681 "type": "WEB", 11682 "url": "https://access.redhat.com/errata/RHSA-2020:0159" 11683 }, 11684 { 11685 "type": "WEB", 11686 "url": "https://access.redhat.com/errata/RHSA-2019:4192" 11687 } 11688 ], 11689 "schema_version": "1.6.0", 11690 "severity": [ 11691 { 11692 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 11693 "type": "CVSS_V3" 11694 } 11695 ], 11696 "summary": "jackson-databind polymorphic typing issue" 11697 }, 11698 { 11699 "affected": [ 11700 { 11701 "database_specific": { 11702 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-gwp4-hfv6-p7hw/GHSA-gwp4-hfv6-p7hw.json" 11703 }, 11704 "package": { 11705 
"ecosystem": "Maven", 11706 "name": "com.fasterxml.jackson.core:jackson-databind", 11707 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 11708 }, 11709 "ranges": [ 11710 { 11711 "events": [ 11712 { 11713 "introduced": "2.9.0" 11714 }, 11715 { 11716 "fixed": "2.9.9.2" 11717 } 11718 ], 11719 "type": "ECOSYSTEM" 11720 } 11721 ], 11722 "versions": [ 11723 "2.9.0", 11724 "2.9.0.pr1", 11725 "2.9.0.pr2", 11726 "2.9.0.pr3", 11727 "2.9.0.pr4", 11728 "2.9.1", 11729 "2.9.2", 11730 "2.9.3", 11731 "2.9.4", 11732 "2.9.5", 11733 "2.9.6", 11734 "2.9.7", 11735 "2.9.8", 11736 "2.9.9", 11737 "2.9.9.1" 11738 ] 11739 }, 11740 { 11741 "database_specific": { 11742 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-gwp4-hfv6-p7hw/GHSA-gwp4-hfv6-p7hw.json" 11743 }, 11744 "package": { 11745 "ecosystem": "Maven", 11746 "name": "com.fasterxml.jackson.core:jackson-databind", 11747 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 11748 }, 11749 "ranges": [ 11750 { 11751 "events": [ 11752 { 11753 "introduced": "2.8.0" 11754 }, 11755 { 11756 "fixed": "2.8.11.4" 11757 } 11758 ], 11759 "type": "ECOSYSTEM" 11760 } 11761 ], 11762 "versions": [ 11763 "2.8.0", 11764 "2.8.1", 11765 "2.8.10", 11766 "2.8.11", 11767 "2.8.11.1", 11768 "2.8.11.2", 11769 "2.8.11.3", 11770 "2.8.2", 11771 "2.8.3", 11772 "2.8.4", 11773 "2.8.5", 11774 "2.8.6", 11775 "2.8.7", 11776 "2.8.8", 11777 "2.8.8.1", 11778 "2.8.9" 11779 ] 11780 }, 11781 { 11782 "database_specific": { 11783 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-gwp4-hfv6-p7hw/GHSA-gwp4-hfv6-p7hw.json" 11784 }, 11785 "package": { 11786 "ecosystem": "Maven", 11787 "name": "com.fasterxml.jackson.core:jackson-databind", 11788 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 11789 }, 11790 "ranges": [ 11791 { 11792 "events": [ 11793 { 11794 "introduced": "2.7.0" 11795 }, 11796 { 11797 "fixed": "2.7.9.6" 11798 } 
11799 ], 11800 "type": "ECOSYSTEM" 11801 } 11802 ], 11803 "versions": [ 11804 "2.7.0", 11805 "2.7.1", 11806 "2.7.1-1", 11807 "2.7.2", 11808 "2.7.3", 11809 "2.7.4", 11810 "2.7.5", 11811 "2.7.6", 11812 "2.7.7", 11813 "2.7.8", 11814 "2.7.9", 11815 "2.7.9.1", 11816 "2.7.9.2", 11817 "2.7.9.3", 11818 "2.7.9.4", 11819 "2.7.9.5" 11820 ] 11821 }, 11822 { 11823 "database_specific": { 11824 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-gwp4-hfv6-p7hw/GHSA-gwp4-hfv6-p7hw.json" 11825 }, 11826 "package": { 11827 "ecosystem": "Maven", 11828 "name": "com.fasterxml.jackson.core:jackson-databind", 11829 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 11830 }, 11831 "ranges": [ 11832 { 11833 "events": [ 11834 { 11835 "introduced": "0" 11836 }, 11837 { 11838 "fixed": "2.6.7.3" 11839 } 11840 ], 11841 "type": "ECOSYSTEM" 11842 } 11843 ], 11844 "versions": [ 11845 "2.0.0", 11846 "2.0.0-RC1", 11847 "2.0.0-RC2", 11848 "2.0.0-RC3", 11849 "2.0.1", 11850 "2.0.2", 11851 "2.0.4", 11852 "2.0.5", 11853 "2.0.6", 11854 "2.1.0", 11855 "2.1.1", 11856 "2.1.2", 11857 "2.1.3", 11858 "2.1.4", 11859 "2.1.5", 11860 "2.2.0", 11861 "2.2.0-rc1", 11862 "2.2.1", 11863 "2.2.2", 11864 "2.2.3", 11865 "2.2.4", 11866 "2.3.0", 11867 "2.3.0-rc1", 11868 "2.3.1", 11869 "2.3.2", 11870 "2.3.3", 11871 "2.3.4", 11872 "2.3.5", 11873 "2.4.0", 11874 "2.4.0-rc1", 11875 "2.4.0-rc2", 11876 "2.4.0-rc3", 11877 "2.4.1", 11878 "2.4.1.1", 11879 "2.4.1.2", 11880 "2.4.1.3", 11881 "2.4.2", 11882 "2.4.3", 11883 "2.4.4", 11884 "2.4.5", 11885 "2.4.5.1", 11886 "2.4.6", 11887 "2.4.6.1", 11888 "2.5.0", 11889 "2.5.0-rc1", 11890 "2.5.1", 11891 "2.5.2", 11892 "2.5.3", 11893 "2.5.4", 11894 "2.5.5", 11895 "2.6.0", 11896 "2.6.0-rc1", 11897 "2.6.0-rc2", 11898 "2.6.0-rc3", 11899 "2.6.0-rc4", 11900 "2.6.1", 11901 "2.6.2", 11902 "2.6.3", 11903 "2.6.4", 11904 "2.6.5", 11905 "2.6.6", 11906 "2.6.7", 11907 "2.6.7.1", 11908 "2.6.7.2" 11909 ] 11910 } 11911 ], 11912 "aliases": [ 11913 
"CVE-2019-14439" 11914 ], 11915 "database_specific": { 11916 "cwe_ids": [ 11917 "CWE-502" 11918 ], 11919 "github_reviewed": true, 11920 "github_reviewed_at": "2019-08-01T15:37:50Z", 11921 "nvd_published_at": "2019-07-30T11:15:00Z", 11922 "severity": "HIGH" 11923 }, 11924 "details": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2, 2.8.11.4, 2.7.9.6, and 2.6.7.3. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.", 11925 "id": "GHSA-gwp4-hfv6-p7hw", 11926 "modified": "2024-03-13T05:27:58.436849Z", 11927 "published": "2019-08-01T19:18:06Z", 11928 "references": [ 11929 { 11930 "type": "ADVISORY", 11931 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14439" 11932 }, 11933 { 11934 "type": "WEB", 11935 "url": "https://github.com/FasterXML/jackson-databind/issues/2389" 11936 }, 11937 { 11938 "type": "WEB", 11939 "url": "https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b" 11940 }, 11941 { 11942 "type": "WEB", 11943 "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" 11944 }, 11945 { 11946 "type": "WEB", 11947 "url": "https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E" 11948 }, 11949 { 11950 "type": "WEB", 11951 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 11952 }, 11953 { 11954 "type": "WEB", 11955 "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" 11956 }, 11957 { 11958 "type": "WEB", 11959 "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html" 11960 }, 11961 { 11962 "type": "WEB", 11963 "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL" 11964 }, 11965 { 11966 "type": "WEB", 11967 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544" 11968 }, 11969 { 11970 "type": "WEB", 11971 "url": "https://seclists.org/bugtraq/2019/Oct/6" 11972 }, 11973 { 11974 "type": "WEB", 11975 "url": "https://security.netapp.com/advisory/ntap-20190814-0001" 11976 }, 11977 { 11978 "type": "WEB", 11979 "url": "https://www.debian.org/security/2019/dsa-4542" 11980 }, 11981 { 11982 "type": "WEB", 11983 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 11984 }, 11985 { 11986 "type": "WEB", 11987 "url": "https://www.oracle.com/security-alerts/cpujan2020.html" 11988 }, 11989 { 11990 "type": "WEB", 11991 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 11992 }, 11993 { 11994 "type": "WEB", 11995 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 11996 }, 11997 { 11998 "type": "WEB", 11999 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 12000 }, 12001 { 12002 "type": "WEB", 12003 "url": "https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E" 12004 }, 12005 { 12006 "type": "WEB", 12007 "url": "https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E" 12008 }, 12009 { 12010 "type": "WEB", 12011 "url": "https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E" 12012 }, 12013 { 12014 "type": "WEB", 12015 "url": "https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E" 12016 }, 12017 { 12018 "type": "WEB", 12019 "url": 
"https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E" 12020 }, 12021 { 12022 "type": "WEB", 12023 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 12024 }, 12025 { 12026 "type": "WEB", 12027 "url": "https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E" 12028 }, 12029 { 12030 "type": "WEB", 12031 "url": "https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E" 12032 }, 12033 { 12034 "type": "WEB", 12035 "url": "https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E" 12036 }, 12037 { 12038 "type": "WEB", 12039 "url": "https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E" 12040 }, 12041 { 12042 "type": "WEB", 12043 "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2" 12044 }, 12045 { 12046 "type": "PACKAGE", 12047 "url": "https://github.com/FasterXML/jackson-databind" 12048 }, 12049 { 12050 "type": "WEB", 12051 "url": "https://access.redhat.com/errata/RHSA-2019:3200" 12052 } 12053 ], 12054 "schema_version": "1.6.0", 12055 "severity": [ 12056 { 12057 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 12058 "type": "CVSS_V3" 12059 } 12060 ], 12061 "summary": "Deserialization of untrusted data in FasterXML jackson-databind" 12062 }, 12063 { 12064 "affected": [ 12065 { 12066 "database_specific": { 12067 "last_known_affected_version_range": "\u003c= 2.6.7.3", 12068 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-gww7-p5w4-wrfv/GHSA-gww7-p5w4-wrfv.json" 12069 }, 12070 "package": { 12071 "ecosystem": "Maven", 12072 "name": 
"com.fasterxml.jackson.core:jackson-databind", 12073 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 12074 }, 12075 "ranges": [ 12076 { 12077 "events": [ 12078 { 12079 "introduced": "2.0.0" 12080 }, 12081 { 12082 "fixed": "2.6.7.4" 12083 } 12084 ], 12085 "type": "ECOSYSTEM" 12086 } 12087 ], 12088 "versions": [ 12089 "2.0.0", 12090 "2.0.1", 12091 "2.0.2", 12092 "2.0.4", 12093 "2.0.5", 12094 "2.0.6", 12095 "2.1.0", 12096 "2.1.1", 12097 "2.1.2", 12098 "2.1.3", 12099 "2.1.4", 12100 "2.1.5", 12101 "2.2.0", 12102 "2.2.0-rc1", 12103 "2.2.1", 12104 "2.2.2", 12105 "2.2.3", 12106 "2.2.4", 12107 "2.3.0", 12108 "2.3.0-rc1", 12109 "2.3.1", 12110 "2.3.2", 12111 "2.3.3", 12112 "2.3.4", 12113 "2.3.5", 12114 "2.4.0", 12115 "2.4.0-rc1", 12116 "2.4.0-rc2", 12117 "2.4.0-rc3", 12118 "2.4.1", 12119 "2.4.1.1", 12120 "2.4.1.2", 12121 "2.4.1.3", 12122 "2.4.2", 12123 "2.4.3", 12124 "2.4.4", 12125 "2.4.5", 12126 "2.4.5.1", 12127 "2.4.6", 12128 "2.4.6.1", 12129 "2.5.0", 12130 "2.5.0-rc1", 12131 "2.5.1", 12132 "2.5.2", 12133 "2.5.3", 12134 "2.5.4", 12135 "2.5.5", 12136 "2.6.0", 12137 "2.6.0-rc1", 12138 "2.6.0-rc2", 12139 "2.6.0-rc3", 12140 "2.6.0-rc4", 12141 "2.6.1", 12142 "2.6.2", 12143 "2.6.3", 12144 "2.6.4", 12145 "2.6.5", 12146 "2.6.6", 12147 "2.6.7", 12148 "2.6.7.1", 12149 "2.6.7.2", 12150 "2.6.7.3" 12151 ] 12152 }, 12153 { 12154 "database_specific": { 12155 "last_known_affected_version_range": "\u003c= 2.7.9.6", 12156 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-gww7-p5w4-wrfv/GHSA-gww7-p5w4-wrfv.json" 12157 }, 12158 "package": { 12159 "ecosystem": "Maven", 12160 "name": "com.fasterxml.jackson.core:jackson-databind", 12161 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 12162 }, 12163 "ranges": [ 12164 { 12165 "events": [ 12166 { 12167 "introduced": "2.7.0" 12168 }, 12169 { 12170 "fixed": "2.7.9.7" 12171 } 12172 ], 12173 "type": "ECOSYSTEM" 12174 } 12175 ], 12176 "versions": [ 12177 "2.7.0", 12178 
"2.7.1", 12179 "2.7.1-1", 12180 "2.7.2", 12181 "2.7.3", 12182 "2.7.4", 12183 "2.7.5", 12184 "2.7.6", 12185 "2.7.7", 12186 "2.7.8", 12187 "2.7.9", 12188 "2.7.9.1", 12189 "2.7.9.2", 12190 "2.7.9.3", 12191 "2.7.9.4", 12192 "2.7.9.5", 12193 "2.7.9.6" 12194 ] 12195 }, 12196 { 12197 "database_specific": { 12198 "last_known_affected_version_range": "\u003c= 2.8.11.4", 12199 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-gww7-p5w4-wrfv/GHSA-gww7-p5w4-wrfv.json" 12200 }, 12201 "package": { 12202 "ecosystem": "Maven", 12203 "name": "com.fasterxml.jackson.core:jackson-databind", 12204 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 12205 }, 12206 "ranges": [ 12207 { 12208 "events": [ 12209 { 12210 "introduced": "2.8.0" 12211 }, 12212 { 12213 "fixed": "2.8.11.5" 12214 } 12215 ], 12216 "type": "ECOSYSTEM" 12217 } 12218 ], 12219 "versions": [ 12220 "2.8.0", 12221 "2.8.1", 12222 "2.8.10", 12223 "2.8.11", 12224 "2.8.11.1", 12225 "2.8.11.2", 12226 "2.8.11.3", 12227 "2.8.11.4", 12228 "2.8.2", 12229 "2.8.3", 12230 "2.8.4", 12231 "2.8.5", 12232 "2.8.6", 12233 "2.8.7", 12234 "2.8.8", 12235 "2.8.8.1", 12236 "2.8.9" 12237 ] 12238 }, 12239 { 12240 "database_specific": { 12241 "last_known_affected_version_range": "\u003c= 2.9.10.1", 12242 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-gww7-p5w4-wrfv/GHSA-gww7-p5w4-wrfv.json" 12243 }, 12244 "package": { 12245 "ecosystem": "Maven", 12246 "name": "com.fasterxml.jackson.core:jackson-databind", 12247 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 12248 }, 12249 "ranges": [ 12250 { 12251 "events": [ 12252 { 12253 "introduced": "2.9.0" 12254 }, 12255 { 12256 "fixed": "2.9.10.2" 12257 } 12258 ], 12259 "type": "ECOSYSTEM" 12260 } 12261 ], 12262 "versions": [ 12263 "2.9.0", 12264 "2.9.0.pr1", 12265 "2.9.0.pr2", 12266 "2.9.0.pr3", 12267 "2.9.0.pr4", 12268 "2.9.1", 12269 "2.9.10", 12270 "2.9.10.1", 12271 
"2.9.2", 12272 "2.9.3", 12273 "2.9.4", 12274 "2.9.5", 12275 "2.9.6", 12276 "2.9.7", 12277 "2.9.8", 12278 "2.9.9", 12279 "2.9.9.1", 12280 "2.9.9.2", 12281 "2.9.9.3" 12282 ] 12283 } 12284 ], 12285 "aliases": [ 12286 "CVE-2019-20330" 12287 ], 12288 "database_specific": { 12289 "cwe_ids": [ 12290 "CWE-502" 12291 ], 12292 "github_reviewed": true, 12293 "github_reviewed_at": "2020-02-25T02:46:33Z", 12294 "nvd_published_at": "2020-01-03T04:15:00Z", 12295 "severity": "CRITICAL" 12296 }, 12297 "details": "FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5, and 2.9.x before 2.9.10.2 lacks certain `net.sf.ehcache` blocking.", 12298 "id": "GHSA-gww7-p5w4-wrfv", 12299 "modified": "2024-03-15T01:05:18.790961Z", 12300 "published": "2020-03-04T20:52:11Z", 12301 "references": [ 12302 { 12303 "type": "ADVISORY", 12304 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20330" 12305 }, 12306 { 12307 "type": "WEB", 12308 "url": "https://github.com/FasterXML/jackson-databind/issues/2526" 12309 }, 12310 { 12311 "type": "WEB", 12312 "url": "https://github.com/FasterXML/jackson-databind/commit/eb254813cc822d0af015ce8fe05febf50721dc53" 12313 }, 12314 { 12315 "type": "WEB", 12316 "url": "https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e" 12317 }, 12318 { 12319 "type": "WEB", 12320 "url": "https://lists.apache.org/thread.html/r909c822409a276ba04dc2ae31179b16f6864ba02c4f9911bdffebf95@%3Cissues.zookeeper.apache.org%3E" 12321 }, 12322 { 12323 "type": "WEB", 12324 "url": "https://lists.apache.org/thread.html/ra2e572f568de8df5ba151e6aebb225a0629faaf0476bf7c7ed877af8@%3Cnotifications.zookeeper.apache.org%3E" 12325 }, 12326 { 12327 "type": "WEB", 12328 "url": "https://lists.apache.org/thread.html/ra5ce96faec37c26b0aa15b4b6a8b1cbb145a748653e56ae83e9685d0@%3Cnotifications.zookeeper.apache.org%3E" 12329 }, 12330 { 12331 "type": "WEB", 12332 "url": 
"https://lists.apache.org/thread.html/ra8a80dbc7319916946397823aec0d893d24713cbf7b5aee0e957298c@%3Cdev.zookeeper.apache.org%3E" 12333 }, 12334 { 12335 "type": "WEB", 12336 "url": "https://lists.apache.org/thread.html/rb532fed78d031fff477fd840b81946f6d1200f93a63698dae65aa528@%3Ccommits.druid.apache.org%3E" 12337 }, 12338 { 12339 "type": "WEB", 12340 "url": "https://lists.apache.org/thread.html/rd1f346227e11fc515914f3a7b20d81543e51e5822ba71baa0452634a@%3Cissues.zookeeper.apache.org%3E" 12341 }, 12342 { 12343 "type": "WEB", 12344 "url": "https://lists.apache.org/thread.html/rd49cfa41bbb71ef33b53736a6af2aa8ba88c2106e30f2a34902a87d2@%3Cnotifications.zookeeper.apache.org%3E" 12345 }, 12346 { 12347 "type": "WEB", 12348 "url": "https://lists.apache.org/thread.html/rd6c6fef14944f3dcfb58d35f9317eb1c32a700e86c1b5231e45d3d0b@%3Ccommits.druid.apache.org%3E" 12349 }, 12350 { 12351 "type": "WEB", 12352 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 12353 }, 12354 { 12355 "type": "WEB", 12356 "url": "https://lists.apache.org/thread.html/rfa57d9c2a27d3af14c69607fb1a3da00e758b2092aa88eb6a51b6e99@%3Cissues.zookeeper.apache.org%3E" 12357 }, 12358 { 12359 "type": "WEB", 12360 "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00020.html" 12361 }, 12362 { 12363 "type": "WEB", 12364 "url": "https://security.netapp.com/advisory/ntap-20200127-0004" 12365 }, 12366 { 12367 "type": "WEB", 12368 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 12369 }, 12370 { 12371 "type": "WEB", 12372 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 12373 }, 12374 { 12375 "type": "WEB", 12376 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 12377 }, 12378 { 12379 "type": "WEB", 12380 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 12381 }, 12382 { 12383 "type": "PACKAGE", 12384 "url": "https://github.com/FasterXML/jackson-databind" 12385 }, 12386 { 
12387 "type": "WEB", 12388 "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.10.1...jackson-databind-2.9.10.2" 12389 }, 12390 { 12391 "type": "WEB", 12392 "url": "https://lists.apache.org/thread.html/r107c8737db39ec9ec4f4e7147b249e29be79170b9ef4b80528105a2d@%3Cdev.zookeeper.apache.org%3E" 12393 }, 12394 { 12395 "type": "WEB", 12396 "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" 12397 }, 12398 { 12399 "type": "WEB", 12400 "url": "https://lists.apache.org/thread.html/r2c77dd6ab8344285bd8e481b57cf3029965a4b0036eefccef74cdd44@%3Cnotifications.zookeeper.apache.org%3E" 12401 }, 12402 { 12403 "type": "WEB", 12404 "url": "https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E" 12405 }, 12406 { 12407 "type": "WEB", 12408 "url": "https://lists.apache.org/thread.html/r3f8180d0d25a7c6473ebb9714b0c1d19a73f455ae70d0c5fefc17e6c@%3Cissues.zookeeper.apache.org%3E" 12409 }, 12410 { 12411 "type": "WEB", 12412 "url": "https://lists.apache.org/thread.html/r428735963bee7cb99877b88d3228e28ec28af64646455c4f3e7a3c94@%3Cissues.zookeeper.apache.org%3E" 12413 }, 12414 { 12415 "type": "WEB", 12416 "url": "https://lists.apache.org/thread.html/r50f513772f12e1babf65c7c2b9c16425bac2d945351879e2e267517f@%3Cissues.zookeeper.apache.org%3E" 12417 }, 12418 { 12419 "type": "WEB", 12420 "url": "https://lists.apache.org/thread.html/r5c14fdcabdeaba258857bcb67198652e4dce1d33ddc590cd81d82393@%3Cdev.zookeeper.apache.org%3E" 12421 }, 12422 { 12423 "type": "WEB", 12424 "url": "https://lists.apache.org/thread.html/r5c3644c97f0434d1ceb48ff48897a67bdbf3baf7efbe7d04625425b3@%3Ccommits.druid.apache.org%3E" 12425 }, 12426 { 12427 "type": "WEB", 12428 "url": "https://lists.apache.org/thread.html/r5d3d10fdf28110da3f9ac1b7d08d7e252f98d7d37ce0a6bd139a2e4f@%3Cissues.zookeeper.apache.org%3E" 12429 }, 12430 { 12431 "type": "WEB", 
12432 "url": "https://lists.apache.org/thread.html/r67f4d4c48197454b83d62afbed8bebbda3764e6e3a6e26a848961764@%3Ccommits.zookeeper.apache.org%3E" 12433 }, 12434 { 12435 "type": "WEB", 12436 "url": "https://lists.apache.org/thread.html/r707d23bb9ee245f50aa909add0da6e8d8f24719b1278ddd99d2428b2@%3Cissues.zookeeper.apache.org%3E" 12437 }, 12438 { 12439 "type": "WEB", 12440 "url": "https://lists.apache.org/thread.html/r7a0821b44247a1e6c6fe5f2943b90ebc4f80a8d1fb0aa9a8b29a59a2@%3Ccommits.zookeeper.apache.org%3E" 12441 }, 12442 { 12443 "type": "WEB", 12444 "url": "https://lists.apache.org/thread.html/r7fb123e7dad49af5886cfec7135c0fd5b74e4c67af029e1dc91ba744@%3Ccommits.druid.apache.org%3E" 12445 }, 12446 { 12447 "type": "WEB", 12448 "url": "https://lists.apache.org/thread.html/r8831b7fa5ca87a1cf23ee08d6dedb7877a964c1d2bd869af24056a63@%3Ccommits.zookeeper.apache.org%3E" 12449 } 12450 ], 12451 "schema_version": "1.6.0", 12452 "severity": [ 12453 { 12454 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 12455 "type": "CVSS_V3" 12456 } 12457 ], 12458 "summary": "Deserialization of Untrusted Data in jackson-databind" 12459 }, 12460 { 12461 "affected": [ 12462 { 12463 "database_specific": { 12464 "last_known_affected_version_range": "\u003c= 2.9.10.5", 12465 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-h3cw-g4mq-c5x2/GHSA-h3cw-g4mq-c5x2.json" 12466 }, 12467 "package": { 12468 "ecosystem": "Maven", 12469 "name": "com.fasterxml.jackson.core:jackson-databind", 12470 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 12471 }, 12472 "ranges": [ 12473 { 12474 "events": [ 12475 { 12476 "introduced": "2.0.0" 12477 }, 12478 { 12479 "fixed": "2.9.10.6" 12480 } 12481 ], 12482 "type": "ECOSYSTEM" 12483 } 12484 ], 12485 "versions": [ 12486 "2.0.0", 12487 "2.0.1", 12488 "2.0.2", 12489 "2.0.4", 12490 "2.0.5", 12491 "2.0.6", 12492 "2.1.0", 12493 "2.1.1", 12494 "2.1.2", 12495 "2.1.3", 12496 "2.1.4", 12497 "2.1.5", 
12498 "2.2.0", 12499 "2.2.0-rc1", 12500 "2.2.1", 12501 "2.2.2", 12502 "2.2.3", 12503 "2.2.4", 12504 "2.3.0", 12505 "2.3.0-rc1", 12506 "2.3.1", 12507 "2.3.2", 12508 "2.3.3", 12509 "2.3.4", 12510 "2.3.5", 12511 "2.4.0", 12512 "2.4.0-rc1", 12513 "2.4.0-rc2", 12514 "2.4.0-rc3", 12515 "2.4.1", 12516 "2.4.1.1", 12517 "2.4.1.2", 12518 "2.4.1.3", 12519 "2.4.2", 12520 "2.4.3", 12521 "2.4.4", 12522 "2.4.5", 12523 "2.4.5.1", 12524 "2.4.6", 12525 "2.4.6.1", 12526 "2.5.0", 12527 "2.5.0-rc1", 12528 "2.5.1", 12529 "2.5.2", 12530 "2.5.3", 12531 "2.5.4", 12532 "2.5.5", 12533 "2.6.0", 12534 "2.6.0-rc1", 12535 "2.6.0-rc2", 12536 "2.6.0-rc3", 12537 "2.6.0-rc4", 12538 "2.6.1", 12539 "2.6.2", 12540 "2.6.3", 12541 "2.6.4", 12542 "2.6.5", 12543 "2.6.6", 12544 "2.6.7", 12545 "2.6.7.1", 12546 "2.6.7.2", 12547 "2.6.7.3", 12548 "2.6.7.4", 12549 "2.6.7.5", 12550 "2.7.0", 12551 "2.7.0-rc1", 12552 "2.7.0-rc2", 12553 "2.7.0-rc3", 12554 "2.7.1", 12555 "2.7.1-1", 12556 "2.7.2", 12557 "2.7.3", 12558 "2.7.4", 12559 "2.7.5", 12560 "2.7.6", 12561 "2.7.7", 12562 "2.7.8", 12563 "2.7.9", 12564 "2.7.9.1", 12565 "2.7.9.2", 12566 "2.7.9.3", 12567 "2.7.9.4", 12568 "2.7.9.5", 12569 "2.7.9.6", 12570 "2.7.9.7", 12571 "2.8.0", 12572 "2.8.0.rc1", 12573 "2.8.0.rc2", 12574 "2.8.1", 12575 "2.8.10", 12576 "2.8.11", 12577 "2.8.11.1", 12578 "2.8.11.2", 12579 "2.8.11.3", 12580 "2.8.11.4", 12581 "2.8.11.5", 12582 "2.8.11.6", 12583 "2.8.2", 12584 "2.8.3", 12585 "2.8.4", 12586 "2.8.5", 12587 "2.8.6", 12588 "2.8.7", 12589 "2.8.8", 12590 "2.8.8.1", 12591 "2.8.9", 12592 "2.9.0", 12593 "2.9.0.pr1", 12594 "2.9.0.pr2", 12595 "2.9.0.pr3", 12596 "2.9.0.pr4", 12597 "2.9.1", 12598 "2.9.10", 12599 "2.9.10.1", 12600 "2.9.10.2", 12601 "2.9.10.3", 12602 "2.9.10.4", 12603 "2.9.10.5", 12604 "2.9.2", 12605 "2.9.3", 12606 "2.9.4", 12607 "2.9.5", 12608 "2.9.6", 12609 "2.9.7", 12610 "2.9.8", 12611 "2.9.9", 12612 "2.9.9.1", 12613 "2.9.9.2", 12614 "2.9.9.3" 12615 ] 12616 } 12617 ], 12618 "aliases": [ 12619 "CVE-2020-24616" 12620 ], 12621 
"database_specific": { 12622 "cwe_ids": [ 12623 "CWE-502", 12624 "CWE-94" 12625 ], 12626 "github_reviewed": true, 12627 "github_reviewed_at": "2021-04-27T17:38:11Z", 12628 "nvd_published_at": "2020-08-25T18:15:00Z", 12629 "severity": "HIGH" 12630 }, 12631 "details": "This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).", 12632 "id": "GHSA-h3cw-g4mq-c5x2", 12633 "modified": "2024-02-18T05:30:45.329621Z", 12634 "published": "2021-12-09T19:14:51Z", 12635 "references": [ 12636 { 12637 "type": "ADVISORY", 12638 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24616" 12639 }, 12640 { 12641 "type": "WEB", 12642 "url": "https://github.com/FasterXML/jackson-databind/issues/2814" 12643 }, 12644 { 12645 "type": "WEB", 12646 "url": "https://github.com/FasterXML/jackson-databind/commit/3d97153944f7de9c19c1b3637b33d3cf1fbbe4d7" 12647 }, 12648 { 12649 "type": "PACKAGE", 12650 "url": "https://github.com/FasterXML/jackson-databind" 12651 }, 12652 { 12653 "type": "WEB", 12654 "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" 12655 }, 12656 { 12657 "type": "WEB", 12658 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 12659 }, 12660 { 12661 "type": "WEB", 12662 "url": "https://security.netapp.com/advisory/ntap-20200904-0006" 12663 }, 12664 { 12665 "type": "WEB", 12666 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 12667 }, 12668 { 12669 "type": "WEB", 12670 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 12671 }, 12672 { 12673 "type": "WEB", 12674 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 12675 }, 12676 { 12677 "type": "WEB", 12678 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 
12679 }, 12680 { 12681 "type": "WEB", 12682 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 12683 }, 12684 { 12685 "type": "WEB", 12686 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 12687 } 12688 ], 12689 "schema_version": "1.6.0", 12690 "severity": [ 12691 { 12692 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 12693 "type": "CVSS_V3" 12694 } 12695 ], 12696 "summary": "Code Injection in jackson-databind" 12697 }, 12698 { 12699 "affected": [ 12700 { 12701 "database_specific": { 12702 "last_known_affected_version_range": "\u003c= 2.9.10.3", 12703 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-h4rc-386g-6m85/GHSA-h4rc-386g-6m85.json" 12704 }, 12705 "package": { 12706 "ecosystem": "Maven", 12707 "name": "com.fasterxml.jackson.core:jackson-databind", 12708 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 12709 }, 12710 "ranges": [ 12711 { 12712 "events": [ 12713 { 12714 "introduced": "2.9.0" 12715 }, 12716 { 12717 "fixed": "2.9.10.4" 12718 } 12719 ], 12720 "type": "ECOSYSTEM" 12721 } 12722 ], 12723 "versions": [ 12724 "2.9.0", 12725 "2.9.0.pr1", 12726 "2.9.0.pr2", 12727 "2.9.0.pr3", 12728 "2.9.0.pr4", 12729 "2.9.1", 12730 "2.9.10", 12731 "2.9.10.1", 12732 "2.9.10.2", 12733 "2.9.10.3", 12734 "2.9.2", 12735 "2.9.3", 12736 "2.9.4", 12737 "2.9.5", 12738 "2.9.6", 12739 "2.9.7", 12740 "2.9.8", 12741 "2.9.9", 12742 "2.9.9.1", 12743 "2.9.9.2", 12744 "2.9.9.3" 12745 ] 12746 } 12747 ], 12748 "aliases": [ 12749 "CVE-2020-11620" 12750 ], 12751 "database_specific": { 12752 "cwe_ids": [ 12753 "CWE-502" 12754 ], 12755 "github_reviewed": true, 12756 "github_reviewed_at": "2020-04-22T21:17:03Z", 12757 "nvd_published_at": "2020-04-07T23:15:00Z", 12758 "severity": "HIGH" 12759 }, 12760 "details": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka 
commons-jelly).", 12761 "id": "GHSA-h4rc-386g-6m85", 12762 "modified": "2024-03-15T00:46:40.266775Z", 12763 "published": "2020-04-23T20:19:02Z", 12764 "references": [ 12765 { 12766 "type": "ADVISORY", 12767 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11620" 12768 }, 12769 { 12770 "type": "WEB", 12771 "url": "https://github.com/FasterXML/jackson-databind/issues/2682" 12772 }, 12773 { 12774 "type": "WEB", 12775 "url": "https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88" 12776 }, 12777 { 12778 "type": "WEB", 12779 "url": "https://github.com/FasterXML/jackson-databind/commit/77040d85e3eb6710508e6445640ae1a3d5e60c22" 12780 }, 12781 { 12782 "type": "PACKAGE", 12783 "url": "https://github.com/FasterXML/jackson-databind" 12784 }, 12785 { 12786 "type": "WEB", 12787 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 12788 }, 12789 { 12790 "type": "WEB", 12791 "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html" 12792 }, 12793 { 12794 "type": "WEB", 12795 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 12796 }, 12797 { 12798 "type": "WEB", 12799 "url": "https://security.netapp.com/advisory/ntap-20200511-0004" 12800 }, 12801 { 12802 "type": "WEB", 12803 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 12804 }, 12805 { 12806 "type": "WEB", 12807 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 12808 }, 12809 { 12810 "type": "WEB", 12811 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 12812 } 12813 ], 12814 "schema_version": "1.6.0", 12815 "severity": [ 12816 { 12817 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 12818 "type": "CVSS_V3" 12819 } 12820 ], 12821 "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing" 12822 }, 12823 { 12824 "affected": [ 12825 { 12826 
"database_specific": { 12827 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-h592-38cm-4ggp/GHSA-h592-38cm-4ggp.json" 12828 }, 12829 "package": { 12830 "ecosystem": "Maven", 12831 "name": "com.fasterxml.jackson.core:jackson-databind", 12832 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 12833 }, 12834 "ranges": [ 12835 { 12836 "events": [ 12837 { 12838 "introduced": "2.8.0" 12839 }, 12840 { 12841 "fixed": "2.8.11" 12842 } 12843 ], 12844 "type": "ECOSYSTEM" 12845 } 12846 ], 12847 "versions": [ 12848 "2.8.0", 12849 "2.8.1", 12850 "2.8.10", 12851 "2.8.2", 12852 "2.8.3", 12853 "2.8.4", 12854 "2.8.5", 12855 "2.8.6", 12856 "2.8.7", 12857 "2.8.8", 12858 "2.8.8.1", 12859 "2.8.9" 12860 ] 12861 }, 12862 { 12863 "database_specific": { 12864 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-h592-38cm-4ggp/GHSA-h592-38cm-4ggp.json" 12865 }, 12866 "package": { 12867 "ecosystem": "Maven", 12868 "name": "com.fasterxml.jackson.core:jackson-databind", 12869 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 12870 }, 12871 "ranges": [ 12872 { 12873 "events": [ 12874 { 12875 "introduced": "2.9.0" 12876 }, 12877 { 12878 "fixed": "2.9.4" 12879 } 12880 ], 12881 "type": "ECOSYSTEM" 12882 } 12883 ], 12884 "versions": [ 12885 "2.9.0", 12886 "2.9.0.pr1", 12887 "2.9.0.pr2", 12888 "2.9.0.pr3", 12889 "2.9.0.pr4", 12890 "2.9.1", 12891 "2.9.2", 12892 "2.9.3" 12893 ] 12894 }, 12895 { 12896 "database_specific": { 12897 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-h592-38cm-4ggp/GHSA-h592-38cm-4ggp.json" 12898 }, 12899 "package": { 12900 "ecosystem": "Maven", 12901 "name": "com.fasterxml.jackson.core:jackson-databind", 12902 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 12903 }, 12904 "ranges": [ 12905 { 12906 "events": [ 12907 { 12908 "introduced": "2.0.0" 12909 }, 12910 { 12911 
"fixed": "2.6.7.3" 12912 } 12913 ], 12914 "type": "ECOSYSTEM" 12915 } 12916 ], 12917 "versions": [ 12918 "2.0.0", 12919 "2.0.1", 12920 "2.0.2", 12921 "2.0.4", 12922 "2.0.5", 12923 "2.0.6", 12924 "2.1.0", 12925 "2.1.1", 12926 "2.1.2", 12927 "2.1.3", 12928 "2.1.4", 12929 "2.1.5", 12930 "2.2.0", 12931 "2.2.0-rc1", 12932 "2.2.1", 12933 "2.2.2", 12934 "2.2.3", 12935 "2.2.4", 12936 "2.3.0", 12937 "2.3.0-rc1", 12938 "2.3.1", 12939 "2.3.2", 12940 "2.3.3", 12941 "2.3.4", 12942 "2.3.5", 12943 "2.4.0", 12944 "2.4.0-rc1", 12945 "2.4.0-rc2", 12946 "2.4.0-rc3", 12947 "2.4.1", 12948 "2.4.1.1", 12949 "2.4.1.2", 12950 "2.4.1.3", 12951 "2.4.2", 12952 "2.4.3", 12953 "2.4.4", 12954 "2.4.5", 12955 "2.4.5.1", 12956 "2.4.6", 12957 "2.4.6.1", 12958 "2.5.0", 12959 "2.5.0-rc1", 12960 "2.5.1", 12961 "2.5.2", 12962 "2.5.3", 12963 "2.5.4", 12964 "2.5.5", 12965 "2.6.0", 12966 "2.6.0-rc1", 12967 "2.6.0-rc2", 12968 "2.6.0-rc3", 12969 "2.6.0-rc4", 12970 "2.6.1", 12971 "2.6.2", 12972 "2.6.3", 12973 "2.6.4", 12974 "2.6.5", 12975 "2.6.6", 12976 "2.6.7", 12977 "2.6.7.1", 12978 "2.6.7.2" 12979 ] 12980 }, 12981 { 12982 "database_specific": { 12983 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-h592-38cm-4ggp/GHSA-h592-38cm-4ggp.json" 12984 }, 12985 "package": { 12986 "ecosystem": "Maven", 12987 "name": "com.fasterxml.jackson.core:jackson-databind", 12988 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 12989 }, 12990 "ranges": [ 12991 { 12992 "events": [ 12993 { 12994 "introduced": "2.7.0" 12995 }, 12996 { 12997 "fixed": "2.7.9.2" 12998 } 12999 ], 13000 "type": "ECOSYSTEM" 13001 } 13002 ], 13003 "versions": [ 13004 "2.7.0", 13005 "2.7.1", 13006 "2.7.1-1", 13007 "2.7.2", 13008 "2.7.3", 13009 "2.7.4", 13010 "2.7.5", 13011 "2.7.6", 13012 "2.7.7", 13013 "2.7.8", 13014 "2.7.9", 13015 "2.7.9.1" 13016 ] 13017 } 13018 ], 13019 "aliases": [ 13020 "CVE-2017-15095" 13021 ], 13022 "database_specific": { 13023 "cwe_ids": [ 13024 "CWE-184", 
13025 "CWE-502" 13026 ], 13027 "github_reviewed": true, 13028 "github_reviewed_at": "2020-06-16T21:38:56Z", 13029 "nvd_published_at": "2018-02-06T15:29:00Z", 13030 "severity": "CRITICAL" 13031 }, 13032 "details": "jackson-databind in versions prior to 2.8.11 and 2.9.4 contain a deserialization flaw which allows an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525, blacklisting additonal vulnerable classes.", 13033 "id": "GHSA-h592-38cm-4ggp", 13034 "modified": "2024-03-15T01:16:50.905794Z", 13035 "published": "2018-10-18T17:42:34Z", 13036 "references": [ 13037 { 13038 "type": "ADVISORY", 13039 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15095" 13040 }, 13041 { 13042 "type": "WEB", 13043 "url": "https://github.com/FasterXML/jackson-databind/issues/1680" 13044 }, 13045 { 13046 "type": "WEB", 13047 "url": "https://github.com/FasterXML/jackson-databind/issues/1737" 13048 }, 13049 { 13050 "type": "WEB", 13051 "url": "https://github.com/FasterXML/jackson-databind/commit/a054585e2175ad0882f07bcafedecfac86230f1b" 13052 }, 13053 { 13054 "type": "WEB", 13055 "url": "https://github.com/FasterXML/jackson-databind/commit/a3939d36edcc755c8af55bdc1969e0fa8438f9db" 13056 }, 13057 { 13058 "type": "WEB", 13059 "url": "https://github.com/FasterXML/jackson-databind/commit/ddfddfba6414adbecaff99684ef66eebd3a92e92" 13060 }, 13061 { 13062 "type": "WEB", 13063 "url": "https://github.com/FasterXML/jackson-databind/commit/e865a7a4464da63ded9f4b1a2328ad85c9ded78b" 13064 }, 13065 { 13066 "type": "WEB", 13067 "url": "https://github.com/FasterXML/jackson-databind/commit/e8f043d1aac9b82eee907e0f0c3abbdea723a935" 13068 }, 13069 { 13070 "type": "WEB", 13071 "url": "https://github.com/tolbertam/jackson-databind/commit/80566a0f96b2003863f9d8f9ccc3b562001e147b" 13072 }, 13073 { 13074 "type": "WEB", 13075 "url": "https://access.redhat.com/errata/RHSA-2017:3189" 13076 
}, 13077 { 13078 "type": "WEB", 13079 "url": "https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E" 13080 }, 13081 { 13082 "type": "WEB", 13083 "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html" 13084 }, 13085 { 13086 "type": "WEB", 13087 "url": "https://security.netapp.com/advisory/ntap-20171214-0003" 13088 }, 13089 { 13090 "type": "WEB", 13091 "url": "https://web.archive.org/web/20200401000000*/http://www.securityfocus.com/bid/103880" 13092 }, 13093 { 13094 "type": "WEB", 13095 "url": "https://web.archive.org/web/20201221192044/http://www.securitytracker.com/id/1039769" 13096 }, 13097 { 13098 "type": "WEB", 13099 "url": "https://www.debian.org/security/2017/dsa-4037" 13100 }, 13101 { 13102 "type": "WEB", 13103 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 13104 }, 13105 { 13106 "type": "WEB", 13107 "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" 13108 }, 13109 { 13110 "type": "WEB", 13111 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 13112 }, 13113 { 13114 "type": "WEB", 13115 "url": "https://access.redhat.com/errata/RHSA-2017:3190" 13116 }, 13117 { 13118 "type": "WEB", 13119 "url": "https://access.redhat.com/errata/RHSA-2018:0342" 13120 }, 13121 { 13122 "type": "WEB", 13123 "url": "https://access.redhat.com/errata/RHSA-2018:0478" 13124 }, 13125 { 13126 "type": "WEB", 13127 "url": "https://access.redhat.com/errata/RHSA-2018:0479" 13128 }, 13129 { 13130 "type": "WEB", 13131 "url": "https://access.redhat.com/errata/RHSA-2018:0480" 13132 }, 13133 { 13134 "type": "WEB", 13135 "url": "https://access.redhat.com/errata/RHSA-2018:0481" 13136 }, 13137 { 13138 "type": "WEB", 13139 "url": "https://access.redhat.com/errata/RHSA-2018:0576" 13140 }, 13141 { 13142 "type": "WEB", 13143 "url": "https://access.redhat.com/errata/RHSA-2018:0577" 13144 }, 13145 { 13146 "type": "WEB", 13147 
"url": "https://access.redhat.com/errata/RHSA-2018:1447" 13148 }, 13149 { 13150 "type": "WEB", 13151 "url": "https://access.redhat.com/errata/RHSA-2018:1448" 13152 }, 13153 { 13154 "type": "WEB", 13155 "url": "https://access.redhat.com/errata/RHSA-2018:1449" 13156 }, 13157 { 13158 "type": "WEB", 13159 "url": "https://access.redhat.com/errata/RHSA-2018:1450" 13160 }, 13161 { 13162 "type": "WEB", 13163 "url": "https://access.redhat.com/errata/RHSA-2018:1451" 13164 }, 13165 { 13166 "type": "WEB", 13167 "url": "https://access.redhat.com/errata/RHSA-2018:2927" 13168 }, 13169 { 13170 "type": "WEB", 13171 "url": "https://access.redhat.com/errata/RHSA-2019:2858" 13172 }, 13173 { 13174 "type": "WEB", 13175 "url": "https://access.redhat.com/errata/RHSA-2019:3149" 13176 }, 13177 { 13178 "type": "WEB", 13179 "url": "https://access.redhat.com/errata/RHSA-2019:3892" 13180 }, 13181 { 13182 "type": "PACKAGE", 13183 "url": "https://github.com/FasterXML/jackson-databind" 13184 }, 13185 { 13186 "type": "WEB", 13187 "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" 13188 }, 13189 { 13190 "type": "WEB", 13191 "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" 13192 }, 13193 { 13194 "type": "WEB", 13195 "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" 13196 } 13197 ], 13198 "schema_version": "1.6.0", 13199 "severity": [ 13200 { 13201 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 13202 "type": "CVSS_V3" 13203 } 13204 ], 13205 "summary": "jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution" 13206 }, 13207 { 13208 "affected": [ 13209 { 13210 "database_specific": { 13211 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-h822-r4r5-v8jg/GHSA-h822-r4r5-v8jg.json" 13212 }, 13213 "package": { 13214 "ecosystem": "Maven", 13215 "name": "com.fasterxml.jackson.core:jackson-databind", 
13216 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 13217 }, 13218 "ranges": [ 13219 { 13220 "events": [ 13221 { 13222 "introduced": "2.9.0" 13223 }, 13224 { 13225 "fixed": "2.9.10" 13226 } 13227 ], 13228 "type": "ECOSYSTEM" 13229 } 13230 ], 13231 "versions": [ 13232 "2.9.0", 13233 "2.9.0.pr1", 13234 "2.9.0.pr2", 13235 "2.9.0.pr3", 13236 "2.9.0.pr4", 13237 "2.9.1", 13238 "2.9.2", 13239 "2.9.3", 13240 "2.9.4", 13241 "2.9.5", 13242 "2.9.6", 13243 "2.9.7", 13244 "2.9.8", 13245 "2.9.9", 13246 "2.9.9.1", 13247 "2.9.9.2", 13248 "2.9.9.3" 13249 ] 13250 }, 13251 { 13252 "database_specific": { 13253 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-h822-r4r5-v8jg/GHSA-h822-r4r5-v8jg.json" 13254 }, 13255 "package": { 13256 "ecosystem": "Maven", 13257 "name": "com.fasterxml.jackson.core:jackson-databind", 13258 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 13259 }, 13260 "ranges": [ 13261 { 13262 "events": [ 13263 { 13264 "introduced": "2.7.0" 13265 }, 13266 { 13267 "fixed": "2.8.11.5" 13268 } 13269 ], 13270 "type": "ECOSYSTEM" 13271 } 13272 ], 13273 "versions": [ 13274 "2.7.0", 13275 "2.7.1", 13276 "2.7.1-1", 13277 "2.7.2", 13278 "2.7.3", 13279 "2.7.4", 13280 "2.7.5", 13281 "2.7.6", 13282 "2.7.7", 13283 "2.7.8", 13284 "2.7.9", 13285 "2.7.9.1", 13286 "2.7.9.2", 13287 "2.7.9.3", 13288 "2.7.9.4", 13289 "2.7.9.5", 13290 "2.7.9.6", 13291 "2.7.9.7", 13292 "2.8.0", 13293 "2.8.0.rc1", 13294 "2.8.0.rc2", 13295 "2.8.1", 13296 "2.8.10", 13297 "2.8.11", 13298 "2.8.11.1", 13299 "2.8.11.2", 13300 "2.8.11.3", 13301 "2.8.11.4", 13302 "2.8.2", 13303 "2.8.3", 13304 "2.8.4", 13305 "2.8.5", 13306 "2.8.6", 13307 "2.8.7", 13308 "2.8.8", 13309 "2.8.8.1", 13310 "2.8.9" 13311 ] 13312 }, 13313 { 13314 "database_specific": { 13315 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-h822-r4r5-v8jg/GHSA-h822-r4r5-v8jg.json" 13316 }, 13317 "package": { 13318 
"ecosystem": "Maven", 13319 "name": "com.fasterxml.jackson.core:jackson-databind", 13320 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 13321 }, 13322 "ranges": [ 13323 { 13324 "events": [ 13325 { 13326 "introduced": "0" 13327 }, 13328 { 13329 "fixed": "2.6.7.3" 13330 } 13331 ], 13332 "type": "ECOSYSTEM" 13333 } 13334 ], 13335 "versions": [ 13336 "2.0.0", 13337 "2.0.0-RC1", 13338 "2.0.0-RC2", 13339 "2.0.0-RC3", 13340 "2.0.1", 13341 "2.0.2", 13342 "2.0.4", 13343 "2.0.5", 13344 "2.0.6", 13345 "2.1.0", 13346 "2.1.1", 13347 "2.1.2", 13348 "2.1.3", 13349 "2.1.4", 13350 "2.1.5", 13351 "2.2.0", 13352 "2.2.0-rc1", 13353 "2.2.1", 13354 "2.2.2", 13355 "2.2.3", 13356 "2.2.4", 13357 "2.3.0", 13358 "2.3.0-rc1", 13359 "2.3.1", 13360 "2.3.2", 13361 "2.3.3", 13362 "2.3.4", 13363 "2.3.5", 13364 "2.4.0", 13365 "2.4.0-rc1", 13366 "2.4.0-rc2", 13367 "2.4.0-rc3", 13368 "2.4.1", 13369 "2.4.1.1", 13370 "2.4.1.2", 13371 "2.4.1.3", 13372 "2.4.2", 13373 "2.4.3", 13374 "2.4.4", 13375 "2.4.5", 13376 "2.4.5.1", 13377 "2.4.6", 13378 "2.4.6.1", 13379 "2.5.0", 13380 "2.5.0-rc1", 13381 "2.5.1", 13382 "2.5.2", 13383 "2.5.3", 13384 "2.5.4", 13385 "2.5.5", 13386 "2.6.0", 13387 "2.6.0-rc1", 13388 "2.6.0-rc2", 13389 "2.6.0-rc3", 13390 "2.6.0-rc4", 13391 "2.6.1", 13392 "2.6.2", 13393 "2.6.3", 13394 "2.6.4", 13395 "2.6.5", 13396 "2.6.6", 13397 "2.6.7", 13398 "2.6.7.1", 13399 "2.6.7.2" 13400 ] 13401 } 13402 ], 13403 "aliases": [ 13404 "CVE-2019-14540" 13405 ], 13406 "database_specific": { 13407 "cwe_ids": [ 13408 "CWE-502" 13409 ], 13410 "github_reviewed": true, 13411 "github_reviewed_at": "2019-09-19T09:23:48Z", 13412 "nvd_published_at": "2019-09-15T22:15:00Z", 13413 "severity": "CRITICAL" 13414 }, 13415 "details": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10, 2.8.11.5, and 2.6.7.3. 
It is related to `com.zaxxer.hikari.HikariConfig`.", 13416 "id": "GHSA-h822-r4r5-v8jg", 13417 "modified": "2024-07-15T22:00:19.609618Z", 13418 "published": "2019-09-23T18:33:25Z", 13419 "references": [ 13420 { 13421 "type": "ADVISORY", 13422 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14540" 13423 }, 13424 { 13425 "type": "WEB", 13426 "url": "https://github.com/FasterXML/jackson-databind/issues/2410" 13427 }, 13428 { 13429 "type": "WEB", 13430 "url": "https://github.com/FasterXML/jackson-databind/issues/2449" 13431 }, 13432 { 13433 "type": "WEB", 13434 "url": "https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db" 13435 }, 13436 { 13437 "type": "WEB", 13438 "url": "https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de" 13439 }, 13440 { 13441 "type": "WEB", 13442 "url": "https://access.redhat.com/errata/RHSA-2019:3200" 13443 }, 13444 { 13445 "type": "WEB", 13446 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 13447 }, 13448 { 13449 "type": "WEB", 13450 "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" 13451 }, 13452 { 13453 "type": "WEB", 13454 "url": "https://lists.apache.org/thread.html/r8aaf4ee16bbaf6204731d4770d96ebb34b258cd79b491f9cdd7f2540@%3Ccommits.nifi.apache.org%3E" 13455 }, 13456 { 13457 "type": "WEB", 13458 "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" 13459 }, 13460 { 13461 "type": "WEB", 13462 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 13463 }, 13464 { 13465 "type": "WEB", 13466 "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html" 13467 }, 13468 { 13469 "type": "WEB", 13470 "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43" 13471 }, 13472 { 13473 "type": "WEB", 13474 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT" 13475 }, 13476 { 13477 "type": "WEB", 13478 "url": "https://seclists.org/bugtraq/2019/Oct/6" 13479 }, 13480 { 13481 "type": "WEB", 13482 "url": "https://security.netapp.com/advisory/ntap-20191004-0002" 13483 }, 13484 { 13485 "type": "WEB", 13486 "url": "https://www.debian.org/security/2019/dsa-4542" 13487 }, 13488 { 13489 "type": "WEB", 13490 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 13491 }, 13492 { 13493 "type": "WEB", 13494 "url": "https://www.oracle.com/security-alerts/cpujan2020.html" 13495 }, 13496 { 13497 "type": "WEB", 13498 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 13499 }, 13500 { 13501 "type": "WEB", 13502 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 13503 }, 13504 { 13505 "type": "WEB", 13506 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 13507 }, 13508 { 13509 "type": "WEB", 13510 "url": "https://access.redhat.com/errata/RHSA-2020:0159" 13511 }, 13512 { 13513 "type": "WEB", 13514 "url": "https://access.redhat.com/errata/RHSA-2020:0160" 13515 }, 13516 { 13517 "type": "WEB", 13518 "url": "https://access.redhat.com/errata/RHSA-2020:0161" 13519 }, 13520 { 13521 "type": "WEB", 13522 "url": "https://access.redhat.com/errata/RHSA-2020:0164" 13523 }, 13524 { 13525 "type": "WEB", 13526 "url": "https://access.redhat.com/errata/RHSA-2020:0445" 13527 }, 13528 { 13529 "type": "PACKAGE", 13530 "url": "https://github.com/FasterXML/jackson-databind" 13531 }, 13532 { 13533 "type": "WEB", 13534 "url": "https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x" 13535 }, 13536 { 13537 "type": "WEB", 13538 "url": 
"https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E" 13539 }, 13540 { 13541 "type": "WEB", 13542 "url": "https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd77df28db597cbf27e1@%3Cissues.hbase.apache.org%3E" 13543 }, 13544 { 13545 "type": "WEB", 13546 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 13547 }, 13548 { 13549 "type": "WEB", 13550 "url": "https://lists.apache.org/thread.html/a360b46061c91c5cad789b6c3190aef9b9f223a2b75c9c9f046fe016@%3Cissues.hbase.apache.org%3E" 13551 }, 13552 { 13553 "type": "WEB", 13554 "url": "https://lists.apache.org/thread.html/a4f2c9fb36642a48912cdec6836ec00e497427717c5d377f8d7ccce6@%3Cnotifications.zookeeper.apache.org%3E" 13555 }, 13556 { 13557 "type": "WEB", 13558 "url": "https://lists.apache.org/thread.html/ad0d238e97a7da5eca47a014f0f7e81f440ed6bf74a93183825e18b9@%3Cissues.hbase.apache.org%3E" 13559 }, 13560 { 13561 "type": "WEB", 13562 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 13563 }, 13564 { 13565 "type": "WEB", 13566 "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" 13567 }, 13568 { 13569 "type": "WEB", 13570 "url": "https://lists.apache.org/thread.html/dc6b5cad721a4f6b3b62ed1163894941140d9d5656140fb757505ca0@%3Cissues.hbase.apache.org%3E" 13571 }, 13572 { 13573 "type": "WEB", 13574 "url": "https://lists.apache.org/thread.html/e90c3feb21702e68a8c08afce37045adb3870f2bf8223fa403fb93fb@%3Ccommits.hbase.apache.org%3E" 13575 } 13576 ], 13577 "related": [ 13578 "CGA-2vh6-9p6m-f98h" 13579 ], 13580 "schema_version": "1.6.0", 13581 "severity": [ 13582 { 13583 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 13584 "type": "CVSS_V3" 13585 } 13586 ], 13587 "summary": "Polymorphic 
Typing issue in FasterXML jackson-databind" 13588 }, 13589 { 13590 "affected": [ 13591 { 13592 "database_specific": { 13593 "last_known_affected_version_range": "\u003c= 2.9.10.4", 13594 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-j823-4qch-3rgm/GHSA-j823-4qch-3rgm.json" 13595 }, 13596 "package": { 13597 "ecosystem": "Maven", 13598 "name": "com.fasterxml.jackson.core:jackson-databind", 13599 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 13600 }, 13601 "ranges": [ 13602 { 13603 "events": [ 13604 { 13605 "introduced": "2.9.0" 13606 }, 13607 { 13608 "fixed": "2.9.10.5" 13609 } 13610 ], 13611 "type": "ECOSYSTEM" 13612 } 13613 ], 13614 "versions": [ 13615 "2.9.0", 13616 "2.9.0.pr1", 13617 "2.9.0.pr2", 13618 "2.9.0.pr3", 13619 "2.9.0.pr4", 13620 "2.9.1", 13621 "2.9.10", 13622 "2.9.10.1", 13623 "2.9.10.2", 13624 "2.9.10.3", 13625 "2.9.10.4", 13626 "2.9.2", 13627 "2.9.3", 13628 "2.9.4", 13629 "2.9.5", 13630 "2.9.6", 13631 "2.9.7", 13632 "2.9.8", 13633 "2.9.9", 13634 "2.9.9.1", 13635 "2.9.9.2", 13636 "2.9.9.3" 13637 ] 13638 } 13639 ], 13640 "aliases": [ 13641 "CVE-2020-14060" 13642 ], 13643 "database_specific": { 13644 "cwe_ids": [ 13645 "CWE-502" 13646 ], 13647 "github_reviewed": true, 13648 "github_reviewed_at": "2020-06-18T13:05:54Z", 13649 "nvd_published_at": "2020-06-14T21:15:00Z", 13650 "severity": "HIGH" 13651 }, 13652 "details": "FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).", 13653 "id": "GHSA-j823-4qch-3rgm", 13654 "modified": "2024-03-15T00:46:13.294633Z", 13655 "published": "2020-06-18T14:44:46Z", 13656 "references": [ 13657 { 13658 "type": "ADVISORY", 13659 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14060" 13660 }, 13661 { 13662 "type": "WEB", 13663 "url": "https://github.com/FasterXML/jackson-databind/issues/2688" 13664 }, 13665 
{ 13666 "type": "WEB", 13667 "url": "https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88" 13668 }, 13669 { 13670 "type": "WEB", 13671 "url": "https://github.com/FasterXML/jackson-databind/commit/ac7232e3f9004bdb4f11dcb5bc6c1fadf074f5f7" 13672 }, 13673 { 13674 "type": "WEB", 13675 "url": "https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921" 13676 }, 13677 { 13678 "type": "PACKAGE", 13679 "url": "https://github.com/FasterXML/jackson-databind" 13680 }, 13681 { 13682 "type": "WEB", 13683 "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html" 13684 }, 13685 { 13686 "type": "WEB", 13687 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 13688 }, 13689 { 13690 "type": "WEB", 13691 "url": "https://security.netapp.com/advisory/ntap-20200702-0003" 13692 }, 13693 { 13694 "type": "WEB", 13695 "url": "https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314" 13696 }, 13697 { 13698 "type": "WEB", 13699 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 13700 }, 13701 { 13702 "type": "WEB", 13703 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 13704 }, 13705 { 13706 "type": "WEB", 13707 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 13708 }, 13709 { 13710 "type": "WEB", 13711 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 13712 }, 13713 { 13714 "type": "WEB", 13715 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 13716 } 13717 ], 13718 "schema_version": "1.6.0", 13719 "severity": [ 13720 { 13721 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 13722 "type": "CVSS_V3" 13723 } 13724 ], 13725 "summary": "Deserialization of untrusted data in Jackson Databind" 13726 }, 13727 { 13728 "affected": [ 13729 { 13730 "database_specific": { 13731 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-jjjh-jjxp-wpff/GHSA-jjjh-jjxp-wpff.json" 13732 }, 13733 "package": { 13734 "ecosystem": "Maven", 13735 "name": "com.fasterxml.jackson.core:jackson-databind", 13736 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 13737 }, 13738 "ranges": [ 13739 { 13740 "events": [ 13741 { 13742 "introduced": "2.4.0-rc1" 13743 }, 13744 { 13745 "fixed": "2.12.7.1" 13746 } 13747 ], 13748 "type": "ECOSYSTEM" 13749 } 13750 ], 13751 "versions": [ 13752 "2.10.0", 13753 "2.10.0.pr1", 13754 "2.10.0.pr2", 13755 "2.10.0.pr3", 13756 "2.10.1", 13757 "2.10.2", 13758 "2.10.3", 13759 "2.10.4", 13760 "2.10.5", 13761 "2.10.5.1", 13762 "2.11.0", 13763 "2.11.0.rc1", 13764 "2.11.1", 13765 "2.11.2", 13766 "2.11.3", 13767 "2.11.4", 13768 "2.12.0", 13769 "2.12.0-rc1", 13770 "2.12.0-rc2", 13771 "2.12.1", 13772 "2.12.2", 13773 "2.12.3", 13774 "2.12.4", 13775 "2.12.5", 13776 "2.12.6", 13777 "2.12.6.1", 13778 "2.12.7", 13779 "2.4.0", 13780 "2.4.0-rc1", 13781 "2.4.0-rc2", 13782 "2.4.0-rc3", 13783 "2.4.1", 13784 "2.4.1.1", 13785 "2.4.1.2", 13786 "2.4.1.3", 13787 "2.4.2", 13788 "2.4.3", 13789 "2.4.4", 13790 "2.4.5", 13791 "2.4.5.1", 13792 "2.4.6", 13793 "2.4.6.1", 13794 "2.5.0", 13795 "2.5.0-rc1", 13796 "2.5.1", 13797 "2.5.2", 13798 "2.5.3", 13799 "2.5.4", 13800 "2.5.5", 13801 "2.6.0", 13802 "2.6.0-rc1", 13803 "2.6.0-rc2", 13804 "2.6.0-rc3", 13805 "2.6.0-rc4", 13806 "2.6.1", 13807 "2.6.2", 13808 "2.6.3", 13809 "2.6.4", 13810 "2.6.5", 13811 "2.6.6", 13812 "2.6.7", 13813 "2.6.7.1", 13814 "2.6.7.2", 13815 "2.6.7.3", 13816 "2.6.7.4", 13817 "2.6.7.5", 13818 "2.7.0", 13819 "2.7.0-rc1", 13820 "2.7.0-rc2", 13821 "2.7.0-rc3", 13822 "2.7.1", 13823 "2.7.1-1", 13824 "2.7.2", 13825 "2.7.3", 13826 "2.7.4", 13827 "2.7.5", 13828 "2.7.6", 13829 "2.7.7", 13830 "2.7.8", 13831 "2.7.9", 13832 "2.7.9.1", 13833 "2.7.9.2", 13834 "2.7.9.3", 13835 "2.7.9.4", 13836 "2.7.9.5", 13837 "2.7.9.6", 13838 "2.7.9.7", 13839 "2.8.0", 13840 
"2.8.0.rc1", 13841 "2.8.0.rc2", 13842 "2.8.1", 13843 "2.8.10", 13844 "2.8.11", 13845 "2.8.11.1", 13846 "2.8.11.2", 13847 "2.8.11.3", 13848 "2.8.11.4", 13849 "2.8.11.5", 13850 "2.8.11.6", 13851 "2.8.2", 13852 "2.8.3", 13853 "2.8.4", 13854 "2.8.5", 13855 "2.8.6", 13856 "2.8.7", 13857 "2.8.8", 13858 "2.8.8.1", 13859 "2.8.9", 13860 "2.9.0", 13861 "2.9.0.pr1", 13862 "2.9.0.pr2", 13863 "2.9.0.pr3", 13864 "2.9.0.pr4", 13865 "2.9.1", 13866 "2.9.10", 13867 "2.9.10.1", 13868 "2.9.10.2", 13869 "2.9.10.3", 13870 "2.9.10.4", 13871 "2.9.10.5", 13872 "2.9.10.6", 13873 "2.9.10.7", 13874 "2.9.10.8", 13875 "2.9.2", 13876 "2.9.3", 13877 "2.9.4", 13878 "2.9.5", 13879 "2.9.6", 13880 "2.9.7", 13881 "2.9.8", 13882 "2.9.9", 13883 "2.9.9.1", 13884 "2.9.9.2", 13885 "2.9.9.3" 13886 ] 13887 }, 13888 { 13889 "database_specific": { 13890 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-jjjh-jjxp-wpff/GHSA-jjjh-jjxp-wpff.json" 13891 }, 13892 "package": { 13893 "ecosystem": "Maven", 13894 "name": "com.fasterxml.jackson.core:jackson-databind", 13895 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 13896 }, 13897 "ranges": [ 13898 { 13899 "events": [ 13900 { 13901 "introduced": "2.13.0" 13902 }, 13903 { 13904 "fixed": "2.13.4.2" 13905 } 13906 ], 13907 "type": "ECOSYSTEM" 13908 } 13909 ], 13910 "versions": [ 13911 "2.13.0", 13912 "2.13.1", 13913 "2.13.2", 13914 "2.13.2.1", 13915 "2.13.2.2", 13916 "2.13.3", 13917 "2.13.4", 13918 "2.13.4.1" 13919 ] 13920 } 13921 ], 13922 "aliases": [ 13923 "CVE-2022-42003" 13924 ], 13925 "database_specific": { 13926 "cwe_ids": [ 13927 "CWE-400", 13928 "CWE-502" 13929 ], 13930 "github_reviewed": true, 13931 "github_reviewed_at": "2022-10-04T21:55:46Z", 13932 "nvd_published_at": "2022-10-02T05:15:00Z", 13933 "severity": "HIGH" 13934 }, 13935 "details": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in 
primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.\n\nCommits that introduced vulnerable code are \nhttps://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc.\n\nFix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33.", 13936 "id": "GHSA-jjjh-jjxp-wpff", 13937 "modified": "2024-03-15T00:32:17.50879Z", 13938 "published": "2022-10-03T00:00:31Z", 13939 "references": [ 13940 { 13941 "type": "ADVISORY", 13942 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42003" 13943 }, 13944 { 13945 "type": "WEB", 13946 "url": "https://github.com/FasterXML/jackson-databind/issues/3590" 13947 }, 13948 { 13949 "type": "WEB", 13950 "url": "https://github.com/FasterXML/jackson-databind/issues/3627" 13951 }, 13952 { 13953 "type": "WEB", 13954 "url": "https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1" 13955 }, 13956 { 13957 "type": "WEB", 13958 "url": "https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288" 13959 }, 13960 { 13961 "type": "WEB", 13962 "url": "https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc" 13963 }, 13964 { 13965 "type": "WEB", 13966 "url": "https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea" 13967 }, 13968 { 13969 "type": "WEB", 13970 "url": "https://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45" 13971 }, 13972 { 13973 "type": "WEB", 13974 "url": 
"https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33" 13975 }, 13976 { 13977 "type": "WEB", 13978 "url": "https://www.debian.org/security/2022/dsa-5283" 13979 }, 13980 { 13981 "type": "WEB", 13982 "url": "https://security.netapp.com/advisory/ntap-20221124-0004" 13983 }, 13984 { 13985 "type": "WEB", 13986 "url": "https://security.gentoo.org/glsa/202210-21" 13987 }, 13988 { 13989 "type": "WEB", 13990 "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html" 13991 }, 13992 { 13993 "type": "WEB", 13994 "url": "https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.13.4.1...jackson-databind-2.13.4.2" 13995 }, 13996 { 13997 "type": "WEB", 13998 "url": "https://github.com/FasterXML/jackson-databind/commits/jackson-databind-2.4.0-rc1?after=75b97b8519f0d50c62523ad85170d80a197a2c86+174\u0026branch=jackson-databind-2.4.0-rc1\u0026qualified_name=refs%2Ftags%2Fjackson-databind-2.4.0-rc1" 13999 }, 14000 { 14001 "type": "WEB", 14002 "url": "https://github.com/FasterXML/jackson-databind/blob/2.13/release-notes/VERSION-2.x" 14003 }, 14004 { 14005 "type": "PACKAGE", 14006 "url": "https://github.com/FasterXML/jackson-databind" 14007 }, 14008 { 14009 "type": "WEB", 14010 "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020" 14011 } 14012 ], 14013 "schema_version": "1.6.0", 14014 "severity": [ 14015 { 14016 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 14017 "type": "CVSS_V3" 14018 } 14019 ], 14020 "summary": "Uncontrolled Resource Consumption in Jackson-databind" 14021 }, 14022 { 14023 "affected": [ 14024 { 14025 "database_specific": { 14026 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-m6x4-97wx-4q27/GHSA-m6x4-97wx-4q27.json" 14027 }, 14028 "package": { 14029 "ecosystem": "Maven", 14030 "name": "com.fasterxml.jackson.core:jackson-databind", 14031 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 14032 }, 14033 
"ranges": [ 14034 { 14035 "events": [ 14036 { 14037 "introduced": "2.0.0" 14038 }, 14039 { 14040 "fixed": "2.9.10.8" 14041 } 14042 ], 14043 "type": "ECOSYSTEM" 14044 } 14045 ], 14046 "versions": [ 14047 "2.0.0", 14048 "2.0.1", 14049 "2.0.2", 14050 "2.0.4", 14051 "2.0.5", 14052 "2.0.6", 14053 "2.1.0", 14054 "2.1.1", 14055 "2.1.2", 14056 "2.1.3", 14057 "2.1.4", 14058 "2.1.5", 14059 "2.2.0", 14060 "2.2.0-rc1", 14061 "2.2.1", 14062 "2.2.2", 14063 "2.2.3", 14064 "2.2.4", 14065 "2.3.0", 14066 "2.3.0-rc1", 14067 "2.3.1", 14068 "2.3.2", 14069 "2.3.3", 14070 "2.3.4", 14071 "2.3.5", 14072 "2.4.0", 14073 "2.4.0-rc1", 14074 "2.4.0-rc2", 14075 "2.4.0-rc3", 14076 "2.4.1", 14077 "2.4.1.1", 14078 "2.4.1.2", 14079 "2.4.1.3", 14080 "2.4.2", 14081 "2.4.3", 14082 "2.4.4", 14083 "2.4.5", 14084 "2.4.5.1", 14085 "2.4.6", 14086 "2.4.6.1", 14087 "2.5.0", 14088 "2.5.0-rc1", 14089 "2.5.1", 14090 "2.5.2", 14091 "2.5.3", 14092 "2.5.4", 14093 "2.5.5", 14094 "2.6.0", 14095 "2.6.0-rc1", 14096 "2.6.0-rc2", 14097 "2.6.0-rc3", 14098 "2.6.0-rc4", 14099 "2.6.1", 14100 "2.6.2", 14101 "2.6.3", 14102 "2.6.4", 14103 "2.6.5", 14104 "2.6.6", 14105 "2.6.7", 14106 "2.6.7.1", 14107 "2.6.7.2", 14108 "2.6.7.3", 14109 "2.6.7.4", 14110 "2.6.7.5", 14111 "2.7.0", 14112 "2.7.0-rc1", 14113 "2.7.0-rc2", 14114 "2.7.0-rc3", 14115 "2.7.1", 14116 "2.7.1-1", 14117 "2.7.2", 14118 "2.7.3", 14119 "2.7.4", 14120 "2.7.5", 14121 "2.7.6", 14122 "2.7.7", 14123 "2.7.8", 14124 "2.7.9", 14125 "2.7.9.1", 14126 "2.7.9.2", 14127 "2.7.9.3", 14128 "2.7.9.4", 14129 "2.7.9.5", 14130 "2.7.9.6", 14131 "2.7.9.7", 14132 "2.8.0", 14133 "2.8.0.rc1", 14134 "2.8.0.rc2", 14135 "2.8.1", 14136 "2.8.10", 14137 "2.8.11", 14138 "2.8.11.1", 14139 "2.8.11.2", 14140 "2.8.11.3", 14141 "2.8.11.4", 14142 "2.8.11.5", 14143 "2.8.11.6", 14144 "2.8.2", 14145 "2.8.3", 14146 "2.8.4", 14147 "2.8.5", 14148 "2.8.6", 14149 "2.8.7", 14150 "2.8.8", 14151 "2.8.8.1", 14152 "2.8.9", 14153 "2.9.0", 14154 "2.9.0.pr1", 14155 "2.9.0.pr2", 14156 "2.9.0.pr3", 14157 "2.9.0.pr4", 
14158 "2.9.1", 14159 "2.9.10", 14160 "2.9.10.1", 14161 "2.9.10.2", 14162 "2.9.10.3", 14163 "2.9.10.4", 14164 "2.9.10.5", 14165 "2.9.10.6", 14166 "2.9.10.7", 14167 "2.9.2", 14168 "2.9.3", 14169 "2.9.4", 14170 "2.9.5", 14171 "2.9.6", 14172 "2.9.7", 14173 "2.9.8", 14174 "2.9.9", 14175 "2.9.9.1", 14176 "2.9.9.2", 14177 "2.9.9.3" 14178 ] 14179 } 14180 ], 14181 "aliases": [ 14182 "CVE-2020-36184" 14183 ], 14184 "database_specific": { 14185 "cwe_ids": [ 14186 "CWE-502" 14187 ], 14188 "github_reviewed": true, 14189 "github_reviewed_at": "2021-03-18T23:30:19Z", 14190 "nvd_published_at": "2021-01-06T23:15:00Z", 14191 "severity": "HIGH" 14192 }, 14193 "details": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.", 14194 "id": "GHSA-m6x4-97wx-4q27", 14195 "modified": "2024-02-18T05:21:54.725837Z", 14196 "published": "2021-12-09T19:16:26Z", 14197 "references": [ 14198 { 14199 "type": "ADVISORY", 14200 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36184" 14201 }, 14202 { 14203 "type": "WEB", 14204 "url": "https://github.com/FasterXML/jackson-databind/issues/2998" 14205 }, 14206 { 14207 "type": "WEB", 14208 "url": "https://github.com/FasterXML/jackson-databind/commit/567194c53ae91f0a14dc27239afb739b1c10448a" 14209 }, 14210 { 14211 "type": "WEB", 14212 "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 14213 }, 14214 { 14215 "type": "PACKAGE", 14216 "url": "https://github.com/FasterXML/jackson-databind" 14217 }, 14218 { 14219 "type": "WEB", 14220 "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" 14221 }, 14222 { 14223 "type": "WEB", 14224 "url": "https://security.netapp.com/advisory/ntap-20210205-0005" 14225 }, 14226 { 14227 "type": "WEB", 14228 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 14229 }, 14230 { 14231 "type": "WEB", 14232 
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 14233 }, 14234 { 14235 "type": "WEB", 14236 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 14237 }, 14238 { 14239 "type": "WEB", 14240 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 14241 }, 14242 { 14243 "type": "WEB", 14244 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 14245 }, 14246 { 14247 "type": "WEB", 14248 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 14249 } 14250 ], 14251 "schema_version": "1.6.0", 14252 "severity": [ 14253 { 14254 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 14255 "type": "CVSS_V3" 14256 } 14257 ], 14258 "summary": "Unsafe Deserialization in jackson-databind" 14259 }, 14260 { 14261 "affected": [ 14262 { 14263 "database_specific": { 14264 "last_known_affected_version_range": "\u003c= 2.9.10.4", 14265 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mc6h-4qgp-37qh/GHSA-mc6h-4qgp-37qh.json" 14266 }, 14267 "package": { 14268 "ecosystem": "Maven", 14269 "name": "com.fasterxml.jackson.core:jackson-databind", 14270 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 14271 }, 14272 "ranges": [ 14273 { 14274 "events": [ 14275 { 14276 "introduced": "2.9.0" 14277 }, 14278 { 14279 "fixed": "2.9.10.5" 14280 } 14281 ], 14282 "type": "ECOSYSTEM" 14283 } 14284 ], 14285 "versions": [ 14286 "2.9.0", 14287 "2.9.0.pr1", 14288 "2.9.0.pr2", 14289 "2.9.0.pr3", 14290 "2.9.0.pr4", 14291 "2.9.1", 14292 "2.9.10", 14293 "2.9.10.1", 14294 "2.9.10.2", 14295 "2.9.10.3", 14296 "2.9.10.4", 14297 "2.9.2", 14298 "2.9.3", 14299 "2.9.4", 14300 "2.9.5", 14301 "2.9.6", 14302 "2.9.7", 14303 "2.9.8", 14304 "2.9.9", 14305 "2.9.9.1", 14306 "2.9.9.2", 14307 "2.9.9.3" 14308 ] 14309 } 14310 ], 14311 "aliases": [ 14312 "CVE-2020-14195" 14313 ], 14314 "database_specific": { 14315 "cwe_ids": [ 14316 "CWE-502" 14317 ], 14318 "github_reviewed": true, 14319 "github_reviewed_at": 
"2020-06-18T13:05:45Z", 14320 "nvd_published_at": "2020-06-16T16:15:00Z", 14321 "severity": "HIGH" 14322 }, 14323 "details": "FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).", 14324 "id": "GHSA-mc6h-4qgp-37qh", 14325 "modified": "2024-03-15T00:47:36.920636Z", 14326 "published": "2020-06-18T14:44:43Z", 14327 "references": [ 14328 { 14329 "type": "ADVISORY", 14330 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14195" 14331 }, 14332 { 14333 "type": "WEB", 14334 "url": "https://github.com/FasterXML/jackson-databind/issues/2765" 14335 }, 14336 { 14337 "type": "WEB", 14338 "url": "https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88" 14339 }, 14340 { 14341 "type": "WEB", 14342 "url": "https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259" 14343 }, 14344 { 14345 "type": "PACKAGE", 14346 "url": "https://github.com/FasterXML/jackson-databind" 14347 }, 14348 { 14349 "type": "WEB", 14350 "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html" 14351 }, 14352 { 14353 "type": "WEB", 14354 "url": "https://security.netapp.com/advisory/ntap-20200702-0003" 14355 }, 14356 { 14357 "type": "WEB", 14358 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 14359 }, 14360 { 14361 "type": "WEB", 14362 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 14363 }, 14364 { 14365 "type": "WEB", 14366 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 14367 }, 14368 { 14369 "type": "WEB", 14370 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 14371 }, 14372 { 14373 "type": "WEB", 14374 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 14375 } 14376 ], 14377 "schema_version": "1.6.0", 14378 "severity": [ 14379 { 14380 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 14381 "type": 
"CVSS_V3" 14382 } 14383 ], 14384 "summary": "Deserialization of untrusted data in Jackson Databind" 14385 }, 14386 { 14387 "affected": [ 14388 { 14389 "database_specific": { 14390 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-mph4-vhrx-mv67/GHSA-mph4-vhrx-mv67.json" 14391 }, 14392 "package": { 14393 "ecosystem": "Maven", 14394 "name": "com.fasterxml.jackson.core:jackson-databind", 14395 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 14396 }, 14397 "ranges": [ 14398 { 14399 "events": [ 14400 { 14401 "introduced": "2.9.0" 14402 }, 14403 { 14404 "fixed": "2.9.9.1" 14405 } 14406 ], 14407 "type": "ECOSYSTEM" 14408 } 14409 ], 14410 "versions": [ 14411 "2.9.0", 14412 "2.9.0.pr1", 14413 "2.9.0.pr2", 14414 "2.9.0.pr3", 14415 "2.9.0.pr4", 14416 "2.9.1", 14417 "2.9.2", 14418 "2.9.3", 14419 "2.9.4", 14420 "2.9.5", 14421 "2.9.6", 14422 "2.9.7", 14423 "2.9.8", 14424 "2.9.9" 14425 ] 14426 }, 14427 { 14428 "database_specific": { 14429 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-mph4-vhrx-mv67/GHSA-mph4-vhrx-mv67.json" 14430 }, 14431 "package": { 14432 "ecosystem": "Maven", 14433 "name": "com.fasterxml.jackson.core:jackson-databind", 14434 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 14435 }, 14436 "ranges": [ 14437 { 14438 "events": [ 14439 { 14440 "introduced": "2.8.0" 14441 }, 14442 { 14443 "fixed": "2.8.11.4" 14444 } 14445 ], 14446 "type": "ECOSYSTEM" 14447 } 14448 ], 14449 "versions": [ 14450 "2.8.0", 14451 "2.8.1", 14452 "2.8.10", 14453 "2.8.11", 14454 "2.8.11.1", 14455 "2.8.11.2", 14456 "2.8.11.3", 14457 "2.8.2", 14458 "2.8.3", 14459 "2.8.4", 14460 "2.8.5", 14461 "2.8.6", 14462 "2.8.7", 14463 "2.8.8", 14464 "2.8.8.1", 14465 "2.8.9" 14466 ] 14467 }, 14468 { 14469 "database_specific": { 14470 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-mph4-vhrx-mv67/GHSA-mph4-vhrx-mv67.json" 14471 }, 14472 "package": { 14473 "ecosystem": "Maven", 14474 "name": "com.fasterxml.jackson.core:jackson-databind", 14475 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 14476 }, 14477 "ranges": [ 14478 { 14479 "events": [ 14480 { 14481 "introduced": "2.7.0" 14482 }, 14483 { 14484 "fixed": "2.7.9.6" 14485 } 14486 ], 14487 "type": "ECOSYSTEM" 14488 } 14489 ], 14490 "versions": [ 14491 "2.7.0", 14492 "2.7.1", 14493 "2.7.1-1", 14494 "2.7.2", 14495 "2.7.3", 14496 "2.7.4", 14497 "2.7.5", 14498 "2.7.6", 14499 "2.7.7", 14500 "2.7.8", 14501 "2.7.9", 14502 "2.7.9.1", 14503 "2.7.9.2", 14504 "2.7.9.3", 14505 "2.7.9.4", 14506 "2.7.9.5" 14507 ] 14508 }, 14509 { 14510 "database_specific": { 14511 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-mph4-vhrx-mv67/GHSA-mph4-vhrx-mv67.json" 14512 }, 14513 "package": { 14514 "ecosystem": "Maven", 14515 "name": "com.fasterxml.jackson.core:jackson-databind", 14516 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 14517 }, 14518 "ranges": [ 14519 { 14520 "events": [ 14521 { 14522 "introduced": "2.0.0" 14523 }, 14524 { 14525 "fixed": "2.6.7.3" 14526 } 14527 ], 14528 "type": "ECOSYSTEM" 14529 } 14530 ], 14531 "versions": [ 14532 "2.0.0", 14533 "2.0.1", 14534 "2.0.2", 14535 "2.0.4", 14536 "2.0.5", 14537 "2.0.6", 14538 "2.1.0", 14539 "2.1.1", 14540 "2.1.2", 14541 "2.1.3", 14542 "2.1.4", 14543 "2.1.5", 14544 "2.2.0", 14545 "2.2.0-rc1", 14546 "2.2.1", 14547 "2.2.2", 14548 "2.2.3", 14549 "2.2.4", 14550 "2.3.0", 14551 "2.3.0-rc1", 14552 "2.3.1", 14553 "2.3.2", 14554 "2.3.3", 14555 "2.3.4", 14556 "2.3.5", 14557 "2.4.0", 14558 "2.4.0-rc1", 14559 "2.4.0-rc2", 14560 "2.4.0-rc3", 14561 "2.4.1", 14562 "2.4.1.1", 14563 "2.4.1.2", 14564 "2.4.1.3", 14565 "2.4.2", 14566 "2.4.3", 14567 "2.4.4", 14568 "2.4.5", 14569 "2.4.5.1", 14570 
"2.4.6", 14571 "2.4.6.1", 14572 "2.5.0", 14573 "2.5.0-rc1", 14574 "2.5.1", 14575 "2.5.2", 14576 "2.5.3", 14577 "2.5.4", 14578 "2.5.5", 14579 "2.6.0", 14580 "2.6.0-rc1", 14581 "2.6.0-rc2", 14582 "2.6.0-rc3", 14583 "2.6.0-rc4", 14584 "2.6.1", 14585 "2.6.2", 14586 "2.6.3", 14587 "2.6.4", 14588 "2.6.5", 14589 "2.6.6", 14590 "2.6.7", 14591 "2.6.7.1", 14592 "2.6.7.2" 14593 ] 14594 } 14595 ], 14596 "aliases": [ 14597 "CVE-2019-12384" 14598 ], 14599 "database_specific": { 14600 "cwe_ids": [ 14601 "CWE-502" 14602 ], 14603 "github_reviewed": true, 14604 "github_reviewed_at": "2019-06-27T11:07:42Z", 14605 "nvd_published_at": "2019-06-24T16:15:15Z", 14606 "severity": "MODERATE" 14607 }, 14608 "details": "FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.", 14609 "id": "GHSA-mph4-vhrx-mv67", 14610 "modified": "2024-03-15T01:16:21.467932Z", 14611 "published": "2019-07-05T21:07:27Z", 14612 "references": [ 14613 { 14614 "type": "ADVISORY", 14615 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12384" 14616 }, 14617 { 14618 "type": "WEB", 14619 "url": "https://github.com/FasterXML/jackson-databind/issues/2334" 14620 }, 14621 { 14622 "type": "WEB", 14623 "url": "https://github.com/FasterXML/jackson-databind/commit/c9ef4a10d6f6633cf470d6a469514b68fa2be234" 14624 }, 14625 { 14626 "type": "WEB", 14627 "url": "https://access.redhat.com/errata/RHSA-2019:1820" 14628 }, 14629 { 14630 "type": "WEB", 14631 "url": "https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E" 14632 }, 14633 { 14634 "type": "WEB", 14635 "url": "https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E" 14636 }, 14637 { 14638 "type": "WEB", 14639 "url": 
"https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E" 14640 }, 14641 { 14642 "type": "WEB", 14643 "url": "https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E" 14644 }, 14645 { 14646 "type": "WEB", 14647 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 14648 }, 14649 { 14650 "type": "WEB", 14651 "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" 14652 }, 14653 { 14654 "type": "WEB", 14655 "url": "https://lists.apache.org/thread.html/e0733058c0366b703e6757d8d2a7a04b943581f659e9c271f0841dfe@%3Cnotifications.geode.apache.org%3E" 14656 }, 14657 { 14658 "type": "WEB", 14659 "url": "https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E" 14660 }, 14661 { 14662 "type": "WEB", 14663 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 14664 }, 14665 { 14666 "type": "WEB", 14667 "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" 14668 }, 14669 { 14670 "type": "WEB", 14671 "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html" 14672 }, 14673 { 14674 "type": "WEB", 14675 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL" 14676 }, 14677 { 14678 "type": "WEB", 14679 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544" 14680 }, 14681 { 14682 "type": "WEB", 14683 "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC" 14684 }, 14685 { 14686 "type": "WEB", 14687 "url": "https://seclists.org/bugtraq/2019/Oct/6" 14688 }, 14689 { 14690 "type": "WEB", 14691 "url": "https://security.netapp.com/advisory/ntap-20190703-0002" 14692 }, 14693 { 14694 "type": "WEB", 14695 "url": "https://www.debian.org/security/2019/dsa-4542" 14696 }, 14697 { 14698 "type": "WEB", 14699 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 14700 }, 14701 { 14702 "type": "WEB", 14703 "url": "https://www.oracle.com/security-alerts/cpujan2020.html" 14704 }, 14705 { 14706 "type": "WEB", 14707 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 14708 }, 14709 { 14710 "type": "WEB", 14711 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 14712 }, 14713 { 14714 "type": "WEB", 14715 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 14716 }, 14717 { 14718 "type": "WEB", 14719 "url": "https://access.redhat.com/errata/RHSA-2019:2720" 14720 }, 14721 { 14722 "type": "WEB", 14723 "url": "https://access.redhat.com/errata/RHSA-2019:2858" 14724 }, 14725 { 14726 "type": "WEB", 14727 "url": "https://access.redhat.com/errata/RHSA-2019:2935" 14728 }, 14729 { 14730 "type": "WEB", 14731 "url": "https://access.redhat.com/errata/RHSA-2019:2936" 14732 }, 14733 { 14734 "type": "WEB", 14735 "url": "https://access.redhat.com/errata/RHSA-2019:2937" 14736 }, 14737 { 14738 "type": "WEB", 14739 "url": "https://access.redhat.com/errata/RHSA-2019:2938" 14740 }, 14741 { 14742 "type": "WEB", 14743 "url": "https://access.redhat.com/errata/RHSA-2019:2998" 14744 }, 14745 { 14746 "type": "WEB", 14747 "url": "https://access.redhat.com/errata/RHSA-2019:3149" 14748 }, 14749 { 14750 "type": "WEB", 14751 "url": "https://access.redhat.com/errata/RHSA-2019:3200" 14752 }, 14753 { 14754 "type": "WEB", 14755 "url": 
"https://access.redhat.com/errata/RHSA-2019:3292" 14756 }, 14757 { 14758 "type": "WEB", 14759 "url": "https://access.redhat.com/errata/RHSA-2019:3297" 14760 }, 14761 { 14762 "type": "WEB", 14763 "url": "https://access.redhat.com/errata/RHSA-2019:3901" 14764 }, 14765 { 14766 "type": "WEB", 14767 "url": "https://access.redhat.com/errata/RHSA-2019:4352" 14768 }, 14769 { 14770 "type": "WEB", 14771 "url": "https://blog.doyensec.com/2019/07/22/jackson-gadgets.html" 14772 }, 14773 { 14774 "type": "WEB", 14775 "url": "https://doyensec.com/research.html" 14776 }, 14777 { 14778 "type": "PACKAGE", 14779 "url": "https://github.com/FasterXML/jackson-databind" 14780 }, 14781 { 14782 "type": "WEB", 14783 "url": "https://github.com/FasterXML/jackson-databind/compare/74b90a4...a977aad" 14784 }, 14785 { 14786 "type": "WEB", 14787 "url": "https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E" 14788 }, 14789 { 14790 "type": "WEB", 14791 "url": "https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E" 14792 }, 14793 { 14794 "type": "WEB", 14795 "url": "https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E" 14796 }, 14797 { 14798 "type": "WEB", 14799 "url": "https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E" 14800 }, 14801 { 14802 "type": "WEB", 14803 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 14804 }, 14805 { 14806 "type": "WEB", 14807 "url": "https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E" 14808 } 14809 ], 14810 "schema_version": "1.6.0", 14811 "severity": [ 14812 { 14813 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", 14814 "type": "CVSS_V3" 
14815 } 14816 ], 14817 "summary": "Deserialization of Untrusted Data in FasterXML jackson-databind" 14818 }, 14819 { 14820 "affected": [ 14821 { 14822 "database_specific": { 14823 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-mx7p-6679-8g3q/GHSA-mx7p-6679-8g3q.json" 14824 }, 14825 "package": { 14826 "ecosystem": "Maven", 14827 "name": "com.fasterxml.jackson.core:jackson-databind", 14828 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 14829 }, 14830 "ranges": [ 14831 { 14832 "events": [ 14833 { 14834 "introduced": "2.9.0" 14835 }, 14836 { 14837 "fixed": "2.9.10.1" 14838 } 14839 ], 14840 "type": "ECOSYSTEM" 14841 } 14842 ], 14843 "versions": [ 14844 "2.9.0", 14845 "2.9.0.pr1", 14846 "2.9.0.pr2", 14847 "2.9.0.pr3", 14848 "2.9.0.pr4", 14849 "2.9.1", 14850 "2.9.10", 14851 "2.9.2", 14852 "2.9.3", 14853 "2.9.4", 14854 "2.9.5", 14855 "2.9.6", 14856 "2.9.7", 14857 "2.9.8", 14858 "2.9.9", 14859 "2.9.9.1", 14860 "2.9.9.2", 14861 "2.9.9.3" 14862 ] 14863 }, 14864 { 14865 "database_specific": { 14866 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-mx7p-6679-8g3q/GHSA-mx7p-6679-8g3q.json" 14867 }, 14868 "package": { 14869 "ecosystem": "Maven", 14870 "name": "com.fasterxml.jackson.core:jackson-databind", 14871 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 14872 }, 14873 "ranges": [ 14874 { 14875 "events": [ 14876 { 14877 "introduced": "2.7.0" 14878 }, 14879 { 14880 "fixed": "2.8.11.5" 14881 } 14882 ], 14883 "type": "ECOSYSTEM" 14884 } 14885 ], 14886 "versions": [ 14887 "2.7.0", 14888 "2.7.1", 14889 "2.7.1-1", 14890 "2.7.2", 14891 "2.7.3", 14892 "2.7.4", 14893 "2.7.5", 14894 "2.7.6", 14895 "2.7.7", 14896 "2.7.8", 14897 "2.7.9", 14898 "2.7.9.1", 14899 "2.7.9.2", 14900 "2.7.9.3", 14901 "2.7.9.4", 14902 "2.7.9.5", 14903 "2.7.9.6", 14904 "2.7.9.7", 14905 "2.8.0", 14906 "2.8.0.rc1", 14907 "2.8.0.rc2", 14908 "2.8.1", 14909 "2.8.10", 14910 
"2.8.11", 14911 "2.8.11.1", 14912 "2.8.11.2", 14913 "2.8.11.3", 14914 "2.8.11.4", 14915 "2.8.2", 14916 "2.8.3", 14917 "2.8.4", 14918 "2.8.5", 14919 "2.8.6", 14920 "2.8.7", 14921 "2.8.8", 14922 "2.8.8.1", 14923 "2.8.9" 14924 ] 14925 }, 14926 { 14927 "database_specific": { 14928 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-mx7p-6679-8g3q/GHSA-mx7p-6679-8g3q.json" 14929 }, 14930 "package": { 14931 "ecosystem": "Maven", 14932 "name": "com.fasterxml.jackson.core:jackson-databind", 14933 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 14934 }, 14935 "ranges": [ 14936 { 14937 "events": [ 14938 { 14939 "introduced": "2.0.0" 14940 }, 14941 { 14942 "fixed": "2.6.7.3" 14943 } 14944 ], 14945 "type": "ECOSYSTEM" 14946 } 14947 ], 14948 "versions": [ 14949 "2.0.0", 14950 "2.0.1", 14951 "2.0.2", 14952 "2.0.4", 14953 "2.0.5", 14954 "2.0.6", 14955 "2.1.0", 14956 "2.1.1", 14957 "2.1.2", 14958 "2.1.3", 14959 "2.1.4", 14960 "2.1.5", 14961 "2.2.0", 14962 "2.2.0-rc1", 14963 "2.2.1", 14964 "2.2.2", 14965 "2.2.3", 14966 "2.2.4", 14967 "2.3.0", 14968 "2.3.0-rc1", 14969 "2.3.1", 14970 "2.3.2", 14971 "2.3.3", 14972 "2.3.4", 14973 "2.3.5", 14974 "2.4.0", 14975 "2.4.0-rc1", 14976 "2.4.0-rc2", 14977 "2.4.0-rc3", 14978 "2.4.1", 14979 "2.4.1.1", 14980 "2.4.1.2", 14981 "2.4.1.3", 14982 "2.4.2", 14983 "2.4.3", 14984 "2.4.4", 14985 "2.4.5", 14986 "2.4.5.1", 14987 "2.4.6", 14988 "2.4.6.1", 14989 "2.5.0", 14990 "2.5.0-rc1", 14991 "2.5.1", 14992 "2.5.2", 14993 "2.5.3", 14994 "2.5.4", 14995 "2.5.5", 14996 "2.6.0", 14997 "2.6.0-rc1", 14998 "2.6.0-rc2", 14999 "2.6.0-rc3", 15000 "2.6.0-rc4", 15001 "2.6.1", 15002 "2.6.2", 15003 "2.6.3", 15004 "2.6.4", 15005 "2.6.5", 15006 "2.6.6", 15007 "2.6.7", 15008 "2.6.7.1", 15009 "2.6.7.2" 15010 ] 15011 } 15012 ], 15013 "aliases": [ 15014 "CVE-2019-16942" 15015 ], 15016 "database_specific": { 15017 "cwe_ids": [ 15018 "CWE-502" 15019 ], 15020 "github_reviewed": true, 15021 "github_reviewed_at": 
"2019-10-28T19:19:01Z", 15022 "nvd_published_at": "2019-10-01T17:15:00Z", 15023 "severity": "CRITICAL" 15024 }, 15025 "details": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.", 15026 "id": "GHSA-mx7p-6679-8g3q", 15027 "modified": "2024-03-15T01:01:46.432481Z", 15028 "published": "2019-10-28T20:51:15Z", 15029 "references": [ 15030 { 15031 "type": "ADVISORY", 15032 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16942" 15033 }, 15034 { 15035 "type": "WEB", 15036 "url": "https://github.com/FasterXML/jackson-databind/issues/2478" 15037 }, 15038 { 15039 "type": "WEB", 15040 "url": "https://github.com/FasterXML/jackson-databind/commit/328a0f833daf6baa443ac3b37c818a0204714b0b" 15041 }, 15042 { 15043 "type": "WEB", 15044 "url": "https://github.com/FasterXML/jackson-databind/commit/54aa38d87dcffa5ccc23e64922e9536c82c1b9c8" 15045 }, 15046 { 15047 "type": "WEB", 15048 "url": "https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac" 15049 }, 15050 { 15051 "type": "WEB", 15052 "url": "https://github.com/FasterXML/jackson-databind/commit/bc67eb11a7cf57561f861ff16f879f1fceb5779f" 15053 }, 15054 { 15055 "type": "WEB", 15056 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 15057 }, 15058 { 15059 "type": "WEB", 15060 "url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html" 15061 }, 15062 { 15063 "type": "WEB", 15064 "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43" 15065 }, 15066 { 15067 "type": "WEB", 15068 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT" 15069 }, 15070 { 15071 "type": "WEB", 15072 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 15073 }, 15074 { 15075 "type": "WEB", 15076 "url": "https://seclists.org/bugtraq/2019/Oct/6" 15077 }, 15078 { 15079 "type": "WEB", 15080 "url": "https://security.netapp.com/advisory/ntap-20191017-0006" 15081 }, 15082 { 15083 "type": "WEB", 15084 "url": "https://www.debian.org/security/2019/dsa-4542" 15085 }, 15086 { 15087 "type": "WEB", 15088 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 15089 }, 15090 { 15091 "type": "WEB", 15092 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 15093 }, 15094 { 15095 "type": "WEB", 15096 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 15097 }, 15098 { 15099 "type": "WEB", 15100 "url": "https://www.oracle.com/security-alerts/cpujan2020.html" 15101 }, 15102 { 15103 "type": "WEB", 15104 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 15105 }, 15106 { 15107 "type": "WEB", 15108 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 15109 }, 15110 { 15111 "type": "WEB", 15112 "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" 15113 }, 15114 { 15115 "type": "WEB", 15116 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 15117 }, 15118 { 15119 "type": "WEB", 15120 "url": "https://lists.apache.org/thread.html/b2e23c94f9dfef53e04c492e5d02e5c75201734be7adc73a49ef2370@%3Cissues.geode.apache.org%3E" 15121 }, 15122 { 15123 "type": "WEB", 15124 
"url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 15125 }, 15126 { 15127 "type": "WEB", 15128 "url": "https://lists.apache.org/thread.html/a430dbc9be874c41314cc69e697384567a9a24025e819d9485547954@%3Cissues.geode.apache.org%3E" 15129 }, 15130 { 15131 "type": "WEB", 15132 "url": "https://lists.apache.org/thread.html/7782a937c9259a58337ee36b2961f00e2d744feafc13084e176d0df5@%3Cissues.geode.apache.org%3E" 15133 }, 15134 { 15135 "type": "WEB", 15136 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 15137 }, 15138 { 15139 "type": "WEB", 15140 "url": "https://issues.apache.org/jira/browse/GEODE-7255" 15141 }, 15142 { 15143 "type": "PACKAGE", 15144 "url": "https://github.com/FasterXML/jackson-databind" 15145 }, 15146 { 15147 "type": "WEB", 15148 "url": "https://access.redhat.com/errata/RHSA-2020:0445" 15149 }, 15150 { 15151 "type": "WEB", 15152 "url": "https://access.redhat.com/errata/RHSA-2020:0164" 15153 }, 15154 { 15155 "type": "WEB", 15156 "url": "https://access.redhat.com/errata/RHSA-2020:0161" 15157 }, 15158 { 15159 "type": "WEB", 15160 "url": "https://access.redhat.com/errata/RHSA-2020:0160" 15161 }, 15162 { 15163 "type": "WEB", 15164 "url": "https://access.redhat.com/errata/RHSA-2020:0159" 15165 }, 15166 { 15167 "type": "WEB", 15168 "url": "https://access.redhat.com/errata/RHSA-2019:3901" 15169 } 15170 ], 15171 "schema_version": "1.6.0", 15172 "severity": [ 15173 { 15174 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 15175 "type": "CVSS_V3" 15176 } 15177 ], 15178 "summary": "Polymorphic Typing in FasterXML jackson-databind" 15179 }, 15180 { 15181 "affected": [ 15182 { 15183 "database_specific": { 15184 "last_known_affected_version_range": "\u003c= 2.7.9.4", 15185 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-mx9v-gmh4-mgqw/GHSA-mx9v-gmh4-mgqw.json" 15186 }, 15187 "package": { 15188 "ecosystem": "Maven", 15189 "name": "com.fasterxml.jackson.core:jackson-databind", 15190 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 15191 }, 15192 "ranges": [ 15193 { 15194 "events": [ 15195 { 15196 "introduced": "2.7.0" 15197 }, 15198 { 15199 "fixed": "2.7.9.5" 15200 } 15201 ], 15202 "type": "ECOSYSTEM" 15203 } 15204 ], 15205 "versions": [ 15206 "2.7.0", 15207 "2.7.1", 15208 "2.7.1-1", 15209 "2.7.2", 15210 "2.7.3", 15211 "2.7.4", 15212 "2.7.5", 15213 "2.7.6", 15214 "2.7.7", 15215 "2.7.8", 15216 "2.7.9", 15217 "2.7.9.1", 15218 "2.7.9.2", 15219 "2.7.9.3", 15220 "2.7.9.4" 15221 ] 15222 }, 15223 { 15224 "database_specific": { 15225 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-mx9v-gmh4-mgqw/GHSA-mx9v-gmh4-mgqw.json" 15226 }, 15227 "package": { 15228 "ecosystem": "Maven", 15229 "name": "com.fasterxml.jackson.core:jackson-databind", 15230 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 15231 }, 15232 "ranges": [ 15233 { 15234 "events": [ 15235 { 15236 "introduced": "2.9.0" 15237 }, 15238 { 15239 "fixed": "2.9.8" 15240 } 15241 ], 15242 "type": "ECOSYSTEM" 15243 } 15244 ], 15245 "versions": [ 15246 "2.9.0", 15247 "2.9.0.pr1", 15248 "2.9.0.pr2", 15249 "2.9.0.pr3", 15250 "2.9.0.pr4", 15251 "2.9.1", 15252 "2.9.2", 15253 "2.9.3", 15254 "2.9.4", 15255 "2.9.5", 15256 "2.9.6", 15257 "2.9.7" 15258 ] 15259 }, 15260 { 15261 "database_specific": { 15262 "last_known_affected_version_range": "\u003c= 2.8.11.2", 15263 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-mx9v-gmh4-mgqw/GHSA-mx9v-gmh4-mgqw.json" 15264 }, 15265 "package": { 15266 "ecosystem": "Maven", 15267 "name": "com.fasterxml.jackson.core:jackson-databind", 15268 "purl": 
"pkg:maven/com.fasterxml.jackson.core/jackson-databind" 15269 }, 15270 "ranges": [ 15271 { 15272 "events": [ 15273 { 15274 "introduced": "2.8.0" 15275 }, 15276 { 15277 "fixed": "2.8.11.3" 15278 } 15279 ], 15280 "type": "ECOSYSTEM" 15281 } 15282 ], 15283 "versions": [ 15284 "2.8.0", 15285 "2.8.1", 15286 "2.8.10", 15287 "2.8.11", 15288 "2.8.11.1", 15289 "2.8.11.2", 15290 "2.8.2", 15291 "2.8.3", 15292 "2.8.4", 15293 "2.8.5", 15294 "2.8.6", 15295 "2.8.7", 15296 "2.8.8", 15297 "2.8.8.1", 15298 "2.8.9" 15299 ] 15300 } 15301 ], 15302 "aliases": [ 15303 "CVE-2018-19361" 15304 ], 15305 "database_specific": { 15306 "cwe_ids": [ 15307 "CWE-502" 15308 ], 15309 "github_reviewed": true, 15310 "github_reviewed_at": "2020-06-16T21:47:38Z", 15311 "nvd_published_at": null, 15312 "severity": "CRITICAL" 15313 }, 15314 "details": "FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.", 15315 "id": "GHSA-mx9v-gmh4-mgqw", 15316 "modified": "2024-03-14T05:32:02.133724Z", 15317 "published": "2019-01-04T19:07:01Z", 15318 "references": [ 15319 { 15320 "type": "ADVISORY", 15321 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19361" 15322 }, 15323 { 15324 "type": "WEB", 15325 "url": "https://github.com/FasterXML/jackson-databind/issues/2186" 15326 }, 15327 { 15328 "type": "WEB", 15329 "url": "https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b" 15330 }, 15331 { 15332 "type": "WEB", 15333 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 15334 }, 15335 { 15336 "type": "WEB", 15337 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 15338 }, 15339 { 15340 "type": "WEB", 15341 "url": 
"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" 15342 }, 15343 { 15344 "type": "WEB", 15345 "url": "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E" 15346 }, 15347 { 15348 "type": "WEB", 15349 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 15350 }, 15351 { 15352 "type": "WEB", 15353 "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" 15354 }, 15355 { 15356 "type": "WEB", 15357 "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" 15358 }, 15359 { 15360 "type": "WEB", 15361 "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" 15362 }, 15363 { 15364 "type": "WEB", 15365 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 15366 }, 15367 { 15368 "type": "WEB", 15369 "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html" 15370 }, 15371 { 15372 "type": "WEB", 15373 "url": "https://seclists.org/bugtraq/2019/May/68" 15374 }, 15375 { 15376 "type": "WEB", 15377 "url": "https://security.netapp.com/advisory/ntap-20190530-0003" 15378 }, 15379 { 15380 "type": "WEB", 15381 "url": "https://www.debian.org/security/2019/dsa-4452" 15382 }, 15383 { 15384 "type": "WEB", 15385 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 15386 }, 15387 { 15388 "type": "WEB", 15389 "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" 15390 }, 15391 { 15392 "type": "WEB", 15393 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 15394 }, 
15395 { 15396 "type": "WEB", 15397 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 15398 }, 15399 { 15400 "type": "WEB", 15401 "url": "https://access.redhat.com/errata/RHBA-2019:0959" 15402 }, 15403 { 15404 "type": "WEB", 15405 "url": "https://access.redhat.com/errata/RHSA-2019:0782" 15406 }, 15407 { 15408 "type": "WEB", 15409 "url": "https://access.redhat.com/errata/RHSA-2019:0877" 15410 }, 15411 { 15412 "type": "WEB", 15413 "url": "https://access.redhat.com/errata/RHSA-2019:1782" 15414 }, 15415 { 15416 "type": "WEB", 15417 "url": "https://access.redhat.com/errata/RHSA-2019:1797" 15418 }, 15419 { 15420 "type": "WEB", 15421 "url": "https://access.redhat.com/errata/RHSA-2019:1822" 15422 }, 15423 { 15424 "type": "WEB", 15425 "url": "https://access.redhat.com/errata/RHSA-2019:1823" 15426 }, 15427 { 15428 "type": "WEB", 15429 "url": "https://access.redhat.com/errata/RHSA-2019:2804" 15430 }, 15431 { 15432 "type": "WEB", 15433 "url": "https://access.redhat.com/errata/RHSA-2019:2858" 15434 }, 15435 { 15436 "type": "WEB", 15437 "url": "https://access.redhat.com/errata/RHSA-2019:3002" 15438 }, 15439 { 15440 "type": "WEB", 15441 "url": "https://access.redhat.com/errata/RHSA-2019:3140" 15442 }, 15443 { 15444 "type": "WEB", 15445 "url": "https://access.redhat.com/errata/RHSA-2019:3149" 15446 }, 15447 { 15448 "type": "WEB", 15449 "url": "https://access.redhat.com/errata/RHSA-2019:3892" 15450 }, 15451 { 15452 "type": "WEB", 15453 "url": "https://access.redhat.com/errata/RHSA-2019:4037" 15454 }, 15455 { 15456 "type": "WEB", 15457 "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8" 15458 }, 15459 { 15460 "type": "ADVISORY", 15461 "url": "https://github.com/advisories/GHSA-mx9v-gmh4-mgqw" 15462 }, 15463 { 15464 "type": "WEB", 15465 "url": "https://issues.apache.org/jira/browse/TINKERPOP-2121" 15466 }, 15467 { 15468 "type": "WEB", 15469 "url": 
"https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E" 15470 }, 15471 { 15472 "type": "WEB", 15473 "url": "http://www.securityfocus.com/bid/107985" 15474 } 15475 ], 15476 "schema_version": "1.6.0", 15477 "severity": [ 15478 { 15479 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 15480 "type": "CVSS_V3" 15481 } 15482 ], 15483 "summary": "Deserialization of Untrusted Data in jackson-databind" 15484 }, 15485 { 15486 "affected": [ 15487 { 15488 "database_specific": { 15489 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-p43x-xfjf-5jhr/GHSA-p43x-xfjf-5jhr.json" 15490 }, 15491 "package": { 15492 "ecosystem": "Maven", 15493 "name": "com.fasterxml.jackson.core:jackson-databind", 15494 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 15495 }, 15496 "ranges": [ 15497 { 15498 "events": [ 15499 { 15500 "introduced": "2.9.0" 15501 }, 15502 { 15503 "fixed": "2.9.10.4" 15504 } 15505 ], 15506 "type": "ECOSYSTEM" 15507 } 15508 ], 15509 "versions": [ 15510 "2.9.0", 15511 "2.9.0.pr1", 15512 "2.9.0.pr2", 15513 "2.9.0.pr3", 15514 "2.9.0.pr4", 15515 "2.9.1", 15516 "2.9.10", 15517 "2.9.10.1", 15518 "2.9.10.2", 15519 "2.9.10.3", 15520 "2.9.2", 15521 "2.9.3", 15522 "2.9.4", 15523 "2.9.5", 15524 "2.9.6", 15525 "2.9.7", 15526 "2.9.8", 15527 "2.9.9", 15528 "2.9.9.1", 15529 "2.9.9.2", 15530 "2.9.9.3" 15531 ] 15532 }, 15533 { 15534 "database_specific": { 15535 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-p43x-xfjf-5jhr/GHSA-p43x-xfjf-5jhr.json" 15536 }, 15537 "package": { 15538 "ecosystem": "Maven", 15539 "name": "com.fasterxml.jackson.core:jackson-databind", 15540 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 15541 }, 15542 "ranges": [ 15543 { 15544 "events": [ 15545 { 15546 "introduced": "2.8.0" 15547 }, 15548 { 15549 "fixed": "2.8.11.6" 15550 } 15551 ], 15552 
"type": "ECOSYSTEM" 15553 } 15554 ], 15555 "versions": [ 15556 "2.8.0", 15557 "2.8.1", 15558 "2.8.10", 15559 "2.8.11", 15560 "2.8.11.1", 15561 "2.8.11.2", 15562 "2.8.11.3", 15563 "2.8.11.4", 15564 "2.8.11.5", 15565 "2.8.2", 15566 "2.8.3", 15567 "2.8.4", 15568 "2.8.5", 15569 "2.8.6", 15570 "2.8.7", 15571 "2.8.8", 15572 "2.8.8.1", 15573 "2.8.9" 15574 ] 15575 }, 15576 { 15577 "database_specific": { 15578 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-p43x-xfjf-5jhr/GHSA-p43x-xfjf-5jhr.json" 15579 }, 15580 "package": { 15581 "ecosystem": "Maven", 15582 "name": "com.fasterxml.jackson.core:jackson-databind", 15583 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 15584 }, 15585 "ranges": [ 15586 { 15587 "events": [ 15588 { 15589 "introduced": "2.0.0" 15590 }, 15591 { 15592 "fixed": "2.7.9.7" 15593 } 15594 ], 15595 "type": "ECOSYSTEM" 15596 } 15597 ], 15598 "versions": [ 15599 "2.0.0", 15600 "2.0.1", 15601 "2.0.2", 15602 "2.0.4", 15603 "2.0.5", 15604 "2.0.6", 15605 "2.1.0", 15606 "2.1.1", 15607 "2.1.2", 15608 "2.1.3", 15609 "2.1.4", 15610 "2.1.5", 15611 "2.2.0", 15612 "2.2.0-rc1", 15613 "2.2.1", 15614 "2.2.2", 15615 "2.2.3", 15616 "2.2.4", 15617 "2.3.0", 15618 "2.3.0-rc1", 15619 "2.3.1", 15620 "2.3.2", 15621 "2.3.3", 15622 "2.3.4", 15623 "2.3.5", 15624 "2.4.0", 15625 "2.4.0-rc1", 15626 "2.4.0-rc2", 15627 "2.4.0-rc3", 15628 "2.4.1", 15629 "2.4.1.1", 15630 "2.4.1.2", 15631 "2.4.1.3", 15632 "2.4.2", 15633 "2.4.3", 15634 "2.4.4", 15635 "2.4.5", 15636 "2.4.5.1", 15637 "2.4.6", 15638 "2.4.6.1", 15639 "2.5.0", 15640 "2.5.0-rc1", 15641 "2.5.1", 15642 "2.5.2", 15643 "2.5.3", 15644 "2.5.4", 15645 "2.5.5", 15646 "2.6.0", 15647 "2.6.0-rc1", 15648 "2.6.0-rc2", 15649 "2.6.0-rc3", 15650 "2.6.0-rc4", 15651 "2.6.1", 15652 "2.6.2", 15653 "2.6.3", 15654 "2.6.4", 15655 "2.6.5", 15656 "2.6.6", 15657 "2.6.7", 15658 "2.6.7.1", 15659 "2.6.7.2", 15660 "2.6.7.3", 15661 "2.6.7.4", 15662 "2.6.7.5", 15663 "2.7.0", 15664 
"2.7.0-rc1", 15665 "2.7.0-rc2", 15666 "2.7.0-rc3", 15667 "2.7.1", 15668 "2.7.1-1", 15669 "2.7.2", 15670 "2.7.3", 15671 "2.7.4", 15672 "2.7.5", 15673 "2.7.6", 15674 "2.7.7", 15675 "2.7.8", 15676 "2.7.9", 15677 "2.7.9.1", 15678 "2.7.9.2", 15679 "2.7.9.3", 15680 "2.7.9.4", 15681 "2.7.9.5", 15682 "2.7.9.6" 15683 ] 15684 } 15685 ], 15686 "aliases": [ 15687 "CVE-2020-9548" 15688 ], 15689 "database_specific": { 15690 "cwe_ids": [ 15691 "CWE-502" 15692 ], 15693 "github_reviewed": true, 15694 "github_reviewed_at": "2020-04-23T19:24:13Z", 15695 "nvd_published_at": "2020-03-02T04:15:00Z", 15696 "severity": "CRITICAL" 15697 }, 15698 "details": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).", 15699 "id": "GHSA-p43x-xfjf-5jhr", 15700 "modified": "2024-03-15T00:33:14.700288Z", 15701 "published": "2020-05-15T18:59:01Z", 15702 "references": [ 15703 { 15704 "type": "ADVISORY", 15705 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9548" 15706 }, 15707 { 15708 "type": "WEB", 15709 "url": "https://github.com/FasterXML/jackson-databind/issues/2634" 15710 }, 15711 { 15712 "type": "WEB", 15713 "url": "https://github.com/FasterXML/jackson-databind/commit/1e64db6a2fad331f96c7363fda3bc5f3dffa25bb" 15714 }, 15715 { 15716 "type": "WEB", 15717 "url": "https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2" 15718 }, 15719 { 15720 "type": "WEB", 15721 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 15722 }, 15723 { 15724 "type": "WEB", 15725 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 15726 }, 15727 { 15728 "type": "WEB", 15729 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 15730 }, 15731 { 15732 "type": "WEB", 15733 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 15734 }, 15735 { 15736 "type": "WEB", 15737 "url": 
"https://security.netapp.com/advisory/ntap-20200904-0006" 15738 }, 15739 { 15740 "type": "WEB", 15741 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 15742 }, 15743 { 15744 "type": "WEB", 15745 "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html" 15746 }, 15747 { 15748 "type": "WEB", 15749 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 15750 }, 15751 { 15752 "type": "WEB", 15753 "url": "https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E" 15754 }, 15755 { 15756 "type": "WEB", 15757 "url": "https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E" 15758 }, 15759 { 15760 "type": "WEB", 15761 "url": "https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E" 15762 }, 15763 { 15764 "type": "WEB", 15765 "url": "https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E" 15766 }, 15767 { 15768 "type": "WEB", 15769 "url": "https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E" 15770 }, 15771 { 15772 "type": "WEB", 15773 "url": "https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E" 15774 }, 15775 { 15776 "type": "WEB", 15777 "url": "https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E" 15778 }, 15779 { 15780 "type": "PACKAGE", 15781 "url": "https://github.com/FasterXML/jackson-databind" 15782 } 15783 ], 15784 "schema_version": "1.6.0", 15785 "severity": [ 15786 { 15787 "score": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 15788 "type": "CVSS_V3" 15789 } 15790 ], 15791 "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing" 15792 }, 15793 { 15794 "affected": [ 15795 { 15796 "database_specific": { 15797 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-q93h-jc49-78gg/GHSA-q93h-jc49-78gg.json" 15798 }, 15799 "package": { 15800 "ecosystem": "Maven", 15801 "name": "com.fasterxml.jackson.core:jackson-databind", 15802 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 15803 }, 15804 "ranges": [ 15805 { 15806 "events": [ 15807 { 15808 "introduced": "2.9.0" 15809 }, 15810 { 15811 "fixed": "2.9.10.4" 15812 } 15813 ], 15814 "type": "ECOSYSTEM" 15815 } 15816 ], 15817 "versions": [ 15818 "2.9.0", 15819 "2.9.0.pr1", 15820 "2.9.0.pr2", 15821 "2.9.0.pr3", 15822 "2.9.0.pr4", 15823 "2.9.1", 15824 "2.9.10", 15825 "2.9.10.1", 15826 "2.9.10.2", 15827 "2.9.10.3", 15828 "2.9.2", 15829 "2.9.3", 15830 "2.9.4", 15831 "2.9.5", 15832 "2.9.6", 15833 "2.9.7", 15834 "2.9.8", 15835 "2.9.9", 15836 "2.9.9.1", 15837 "2.9.9.2", 15838 "2.9.9.3" 15839 ] 15840 }, 15841 { 15842 "database_specific": { 15843 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-q93h-jc49-78gg/GHSA-q93h-jc49-78gg.json" 15844 }, 15845 "package": { 15846 "ecosystem": "Maven", 15847 "name": "com.fasterxml.jackson.core:jackson-databind", 15848 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 15849 }, 15850 "ranges": [ 15851 { 15852 "events": [ 15853 { 15854 "introduced": "2.8.0" 15855 }, 15856 { 15857 "fixed": "2.8.11.6" 15858 } 15859 ], 15860 "type": "ECOSYSTEM" 15861 } 15862 ], 15863 "versions": [ 15864 "2.8.0", 15865 "2.8.1", 15866 "2.8.10", 15867 "2.8.11", 15868 "2.8.11.1", 15869 "2.8.11.2", 15870 "2.8.11.3", 15871 "2.8.11.4", 15872 "2.8.11.5", 15873 "2.8.2", 15874 "2.8.3", 15875 "2.8.4", 15876 "2.8.5", 15877 "2.8.6", 
15878 "2.8.7", 15879 "2.8.8", 15880 "2.8.8.1", 15881 "2.8.9" 15882 ] 15883 }, 15884 { 15885 "database_specific": { 15886 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-q93h-jc49-78gg/GHSA-q93h-jc49-78gg.json" 15887 }, 15888 "package": { 15889 "ecosystem": "Maven", 15890 "name": "com.fasterxml.jackson.core:jackson-databind", 15891 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 15892 }, 15893 "ranges": [ 15894 { 15895 "events": [ 15896 { 15897 "introduced": "2.0.0" 15898 }, 15899 { 15900 "fixed": "2.7.9.7" 15901 } 15902 ], 15903 "type": "ECOSYSTEM" 15904 } 15905 ], 15906 "versions": [ 15907 "2.0.0", 15908 "2.0.1", 15909 "2.0.2", 15910 "2.0.4", 15911 "2.0.5", 15912 "2.0.6", 15913 "2.1.0", 15914 "2.1.1", 15915 "2.1.2", 15916 "2.1.3", 15917 "2.1.4", 15918 "2.1.5", 15919 "2.2.0", 15920 "2.2.0-rc1", 15921 "2.2.1", 15922 "2.2.2", 15923 "2.2.3", 15924 "2.2.4", 15925 "2.3.0", 15926 "2.3.0-rc1", 15927 "2.3.1", 15928 "2.3.2", 15929 "2.3.3", 15930 "2.3.4", 15931 "2.3.5", 15932 "2.4.0", 15933 "2.4.0-rc1", 15934 "2.4.0-rc2", 15935 "2.4.0-rc3", 15936 "2.4.1", 15937 "2.4.1.1", 15938 "2.4.1.2", 15939 "2.4.1.3", 15940 "2.4.2", 15941 "2.4.3", 15942 "2.4.4", 15943 "2.4.5", 15944 "2.4.5.1", 15945 "2.4.6", 15946 "2.4.6.1", 15947 "2.5.0", 15948 "2.5.0-rc1", 15949 "2.5.1", 15950 "2.5.2", 15951 "2.5.3", 15952 "2.5.4", 15953 "2.5.5", 15954 "2.6.0", 15955 "2.6.0-rc1", 15956 "2.6.0-rc2", 15957 "2.6.0-rc3", 15958 "2.6.0-rc4", 15959 "2.6.1", 15960 "2.6.2", 15961 "2.6.3", 15962 "2.6.4", 15963 "2.6.5", 15964 "2.6.6", 15965 "2.6.7", 15966 "2.6.7.1", 15967 "2.6.7.2", 15968 "2.6.7.3", 15969 "2.6.7.4", 15970 "2.6.7.5", 15971 "2.7.0", 15972 "2.7.0-rc1", 15973 "2.7.0-rc2", 15974 "2.7.0-rc3", 15975 "2.7.1", 15976 "2.7.1-1", 15977 "2.7.2", 15978 "2.7.3", 15979 "2.7.4", 15980 "2.7.5", 15981 "2.7.6", 15982 "2.7.7", 15983 "2.7.8", 15984 "2.7.9", 15985 "2.7.9.1", 15986 "2.7.9.2", 15987 "2.7.9.3", 15988 "2.7.9.4", 15989 "2.7.9.5", 15990 
"2.7.9.6" 15991 ] 15992 } 15993 ], 15994 "aliases": [ 15995 "CVE-2020-9547" 15996 ], 15997 "database_specific": { 15998 "cwe_ids": [ 15999 "CWE-502" 16000 ], 16001 "github_reviewed": true, 16002 "github_reviewed_at": "2020-04-22T20:58:56Z", 16003 "nvd_published_at": "2020-03-02T04:15:00Z", 16004 "severity": "CRITICAL" 16005 }, 16006 "details": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`).", 16007 "id": "GHSA-q93h-jc49-78gg", 16008 "modified": "2024-03-16T05:19:47.711015Z", 16009 "published": "2020-05-15T18:59:10Z", 16010 "references": [ 16011 { 16012 "type": "ADVISORY", 16013 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9547" 16014 }, 16015 { 16016 "type": "WEB", 16017 "url": "https://github.com/FasterXML/jackson-databind/issues/2634" 16018 }, 16019 { 16020 "type": "WEB", 16021 "url": "https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2" 16022 }, 16023 { 16024 "type": "WEB", 16025 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 16026 }, 16027 { 16028 "type": "WEB", 16029 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 16030 }, 16031 { 16032 "type": "WEB", 16033 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 16034 }, 16035 { 16036 "type": "WEB", 16037 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 16038 }, 16039 { 16040 "type": "WEB", 16041 "url": "https://security.netapp.com/advisory/ntap-20200904-0006" 16042 }, 16043 { 16044 "type": "WEB", 16045 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 16046 }, 16047 { 16048 "type": "WEB", 16049 "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html" 16050 }, 16051 { 16052 "type": "WEB", 16053 "url": 
"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 16054 }, 16055 { 16056 "type": "WEB", 16057 "url": "https://lists.apache.org/thread.html/redbe4f1e21bf080f637cf9fbec47729750a2f443a919765360337428@%3Cnotifications.zookeeper.apache.org%3E" 16058 }, 16059 { 16060 "type": "WEB", 16061 "url": "https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E" 16062 }, 16063 { 16064 "type": "WEB", 16065 "url": "https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E" 16066 }, 16067 { 16068 "type": "WEB", 16069 "url": "https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E" 16070 }, 16071 { 16072 "type": "WEB", 16073 "url": "https://lists.apache.org/thread.html/rd0e958d6d5c5ee16efed73314cd0e445c8dbb4bdcc80fc9d1d6c11fc@%3Cdev.zookeeper.apache.org%3E" 16074 }, 16075 { 16076 "type": "WEB", 16077 "url": "https://lists.apache.org/thread.html/rc0d5d0f72da1ed6fc5e438b1ddb3fa090c73006b55f873cf845375ab@%3Cnotifications.zookeeper.apache.org%3E" 16078 }, 16079 { 16080 "type": "WEB", 16081 "url": "https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E" 16082 }, 16083 { 16084 "type": "WEB", 16085 "url": "https://lists.apache.org/thread.html/ra3e90712f2d59f8cef03fa796f5adf163d32b81fe7b95385f21790e6@%3Cnotifications.zookeeper.apache.org%3E" 16086 }, 16087 { 16088 "type": "WEB", 16089 "url": "https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E" 16090 }, 16091 { 16092 "type": "WEB", 16093 "url": "https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E" 16094 }, 16095 { 16096 "type": "WEB", 
16097 "url": "https://lists.apache.org/thread.html/r893a0104e50c1c2559eb9a5812add28ae8c3e5f43712947a9847ec18@%3Cnotifications.zookeeper.apache.org%3E" 16098 }, 16099 { 16100 "type": "WEB", 16101 "url": "https://lists.apache.org/thread.html/r742ef70d126548dcf7de5be5779355c9d76a9aec71d7a9ef02c6398a@%3Cnotifications.zookeeper.apache.org%3E" 16102 }, 16103 { 16104 "type": "WEB", 16105 "url": "https://lists.apache.org/thread.html/r4accb2e0de9679174efd3d113a059bab71ff3ec53e882790d21c1cc1@%3Cnotifications.zookeeper.apache.org%3E" 16106 }, 16107 { 16108 "type": "WEB", 16109 "url": "https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E" 16110 }, 16111 { 16112 "type": "PACKAGE", 16113 "url": "https://github.com/FasterXML/jackson-databind" 16114 } 16115 ], 16116 "schema_version": "1.6.0", 16117 "severity": [ 16118 { 16119 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 16120 "type": "CVSS_V3" 16121 } 16122 ], 16123 "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing" 16124 }, 16125 { 16126 "affected": [ 16127 { 16128 "database_specific": { 16129 "last_known_affected_version_range": "\u003c= 2.6.7.4", 16130 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-qjw2-hr98-qgfh/GHSA-qjw2-hr98-qgfh.json" 16131 }, 16132 "package": { 16133 "ecosystem": "Maven", 16134 "name": "com.fasterxml.jackson.core:jackson-databind", 16135 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 16136 }, 16137 "ranges": [ 16138 { 16139 "events": [ 16140 { 16141 "introduced": "2.0" 16142 }, 16143 { 16144 "fixed": "2.6.7.5" 16145 } 16146 ], 16147 "type": "ECOSYSTEM" 16148 } 16149 ], 16150 "versions": [ 16151 "2.0.0", 16152 "2.0.1", 16153 "2.0.2", 16154 "2.0.4", 16155 "2.0.5", 16156 "2.0.6", 16157 "2.1.0", 16158 "2.1.1", 16159 "2.1.2", 16160 "2.1.3", 16161 "2.1.4", 16162 "2.1.5", 16163 "2.2.0", 16164 "2.2.0-rc1", 
16165 "2.2.1", 16166 "2.2.2", 16167 "2.2.3", 16168 "2.2.4", 16169 "2.3.0", 16170 "2.3.0-rc1", 16171 "2.3.1", 16172 "2.3.2", 16173 "2.3.3", 16174 "2.3.4", 16175 "2.3.5", 16176 "2.4.0", 16177 "2.4.0-rc1", 16178 "2.4.0-rc2", 16179 "2.4.0-rc3", 16180 "2.4.1", 16181 "2.4.1.1", 16182 "2.4.1.2", 16183 "2.4.1.3", 16184 "2.4.2", 16185 "2.4.3", 16186 "2.4.4", 16187 "2.4.5", 16188 "2.4.5.1", 16189 "2.4.6", 16190 "2.4.6.1", 16191 "2.5.0", 16192 "2.5.0-rc1", 16193 "2.5.1", 16194 "2.5.2", 16195 "2.5.3", 16196 "2.5.4", 16197 "2.5.5", 16198 "2.6.0", 16199 "2.6.0-rc1", 16200 "2.6.0-rc2", 16201 "2.6.0-rc3", 16202 "2.6.0-rc4", 16203 "2.6.1", 16204 "2.6.2", 16205 "2.6.3", 16206 "2.6.4", 16207 "2.6.5", 16208 "2.6.6", 16209 "2.6.7", 16210 "2.6.7.1", 16211 "2.6.7.2", 16212 "2.6.7.3", 16213 "2.6.7.4" 16214 ] 16215 }, 16216 { 16217 "database_specific": { 16218 "last_known_affected_version_range": "\u003c= 2.9.10.5", 16219 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-qjw2-hr98-qgfh/GHSA-qjw2-hr98-qgfh.json" 16220 }, 16221 "package": { 16222 "ecosystem": "Maven", 16223 "name": "com.fasterxml.jackson.core:jackson-databind", 16224 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 16225 }, 16226 "ranges": [ 16227 { 16228 "events": [ 16229 { 16230 "introduced": "2.7.0" 16231 }, 16232 { 16233 "fixed": "2.9.10.6" 16234 } 16235 ], 16236 "type": "ECOSYSTEM" 16237 } 16238 ], 16239 "versions": [ 16240 "2.7.0", 16241 "2.7.1", 16242 "2.7.1-1", 16243 "2.7.2", 16244 "2.7.3", 16245 "2.7.4", 16246 "2.7.5", 16247 "2.7.6", 16248 "2.7.7", 16249 "2.7.8", 16250 "2.7.9", 16251 "2.7.9.1", 16252 "2.7.9.2", 16253 "2.7.9.3", 16254 "2.7.9.4", 16255 "2.7.9.5", 16256 "2.7.9.6", 16257 "2.7.9.7", 16258 "2.8.0", 16259 "2.8.0.rc1", 16260 "2.8.0.rc2", 16261 "2.8.1", 16262 "2.8.10", 16263 "2.8.11", 16264 "2.8.11.1", 16265 "2.8.11.2", 16266 "2.8.11.3", 16267 "2.8.11.4", 16268 "2.8.11.5", 16269 "2.8.11.6", 16270 "2.8.2", 16271 "2.8.3", 16272 "2.8.4", 
16273 "2.8.5", 16274 "2.8.6", 16275 "2.8.7", 16276 "2.8.8", 16277 "2.8.8.1", 16278 "2.8.9", 16279 "2.9.0", 16280 "2.9.0.pr1", 16281 "2.9.0.pr2", 16282 "2.9.0.pr3", 16283 "2.9.0.pr4", 16284 "2.9.1", 16285 "2.9.10", 16286 "2.9.10.1", 16287 "2.9.10.2", 16288 "2.9.10.3", 16289 "2.9.10.4", 16290 "2.9.10.5", 16291 "2.9.2", 16292 "2.9.3", 16293 "2.9.4", 16294 "2.9.5", 16295 "2.9.6", 16296 "2.9.7", 16297 "2.9.8", 16298 "2.9.9", 16299 "2.9.9.1", 16300 "2.9.9.2", 16301 "2.9.9.3" 16302 ] 16303 } 16304 ], 16305 "aliases": [ 16306 "CVE-2020-24750" 16307 ], 16308 "database_specific": { 16309 "cwe_ids": [ 16310 "CWE-502" 16311 ], 16312 "github_reviewed": true, 16313 "github_reviewed_at": "2021-03-18T23:41:09Z", 16314 "nvd_published_at": "2020-09-17T19:15:00Z", 16315 "severity": "HIGH" 16316 }, 16317 "details": "FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.", 16318 "id": "GHSA-qjw2-hr98-qgfh", 16319 "modified": "2024-02-18T05:20:56.89447Z", 16320 "published": "2021-12-09T19:15:36Z", 16321 "references": [ 16322 { 16323 "type": "ADVISORY", 16324 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24750" 16325 }, 16326 { 16327 "type": "WEB", 16328 "url": "https://github.com/FasterXML/jackson-databind/issues/2798" 16329 }, 16330 { 16331 "type": "WEB", 16332 "url": "https://github.com/FasterXML/jackson-databind/commit/2118e71325486c68f089a9761c9d8a11b4ddd1cb" 16333 }, 16334 { 16335 "type": "WEB", 16336 "url": "https://github.com/FasterXML/jackson-databind/commit/6cc9f1a1af323cd156f5668a47e43bab324ae16f" 16337 }, 16338 { 16339 "type": "WEB", 16340 "url": "https://github.com/FasterXML/jackson-databind/commit/ad5a630174f08d279504bc51ebba8772fd71b86b" 16341 }, 16342 { 16343 "type": "PACKAGE", 16344 "url": "https://github.com/FasterXML/jackson-databind" 16345 }, 16346 { 16347 "type": "WEB", 16348 "url": 
"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" 16349 }, 16350 { 16351 "type": "WEB", 16352 "url": "https://security.netapp.com/advisory/ntap-20201009-0003" 16353 }, 16354 { 16355 "type": "WEB", 16356 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 16357 }, 16358 { 16359 "type": "WEB", 16360 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 16361 }, 16362 { 16363 "type": "WEB", 16364 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 16365 }, 16366 { 16367 "type": "WEB", 16368 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 16369 }, 16370 { 16371 "type": "WEB", 16372 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 16373 }, 16374 { 16375 "type": "WEB", 16376 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 16377 } 16378 ], 16379 "schema_version": "1.6.0", 16380 "severity": [ 16381 { 16382 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 16383 "type": "CVSS_V3" 16384 } 16385 ], 16386 "summary": "Unsafe Deserialization in jackson-databind" 16387 }, 16388 { 16389 "affected": [ 16390 { 16391 "database_specific": { 16392 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-qmqc-x3r4-6v39/GHSA-qmqc-x3r4-6v39.json" 16393 }, 16394 "package": { 16395 "ecosystem": "Maven", 16396 "name": "com.fasterxml.jackson.core:jackson-databind", 16397 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 16398 }, 16399 "ranges": [ 16400 { 16401 "events": [ 16402 { 16403 "introduced": "2.9.0" 16404 }, 16405 { 16406 "fixed": "2.9.10" 16407 } 16408 ], 16409 "type": "ECOSYSTEM" 16410 } 16411 ], 16412 "versions": [ 16413 "2.9.0", 16414 "2.9.0.pr1", 16415 "2.9.0.pr2", 16416 "2.9.0.pr3", 16417 "2.9.0.pr4", 16418 "2.9.1", 16419 "2.9.2", 16420 "2.9.3", 16421 "2.9.4", 16422 "2.9.5", 16423 "2.9.6", 16424 "2.9.7", 16425 "2.9.8", 16426 "2.9.9", 16427 "2.9.9.1", 16428 "2.9.9.2", 16429 "2.9.9.3" 16430 ] 16431 } 16432 ], 
16433 "aliases": [ 16434 "CVE-2019-14893" 16435 ], 16436 "database_specific": { 16437 "cwe_ids": [ 16438 "CWE-502" 16439 ], 16440 "github_reviewed": true, 16441 "github_reviewed_at": "2020-04-22T20:58:45Z", 16442 "nvd_published_at": "2020-03-02T21:15:00Z", 16443 "severity": "HIGH" 16444 }, 16445 "details": "A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.", 16446 "id": "GHSA-qmqc-x3r4-6v39", 16447 "modified": "2024-02-16T08:19:01.021763Z", 16448 "published": "2020-05-15T18:59:07Z", 16449 "references": [ 16450 { 16451 "type": "ADVISORY", 16452 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14893" 16453 }, 16454 { 16455 "type": "WEB", 16456 "url": "https://github.com/FasterXML/jackson-databind/issues/2469" 16457 }, 16458 { 16459 "type": "WEB", 16460 "url": "https://github.com/FasterXML/jackson-databind/commit/998efd708284778f29d83d7962a9bd935c228317" 16461 }, 16462 { 16463 "type": "WEB", 16464 "url": "https://access.redhat.com/errata/RHSA-2020:0729" 16465 }, 16466 { 16467 "type": "WEB", 16468 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893" 16469 }, 16470 { 16471 "type": "WEB", 16472 "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" 16473 }, 16474 { 16475 "type": "WEB", 16476 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 16477 }, 16478 { 16479 "type": "WEB", 16480 "url": 
"https://security.netapp.com/advisory/ntap-20200327-0006" 16481 }, 16482 { 16483 "type": "WEB", 16484 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 16485 }, 16486 { 16487 "type": "WEB", 16488 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 16489 } 16490 ], 16491 "schema_version": "1.6.0", 16492 "summary": "Polymorphic deserialization of malicious object in jackson-databind" 16493 }, 16494 { 16495 "affected": [ 16496 { 16497 "database_specific": { 16498 "last_known_affected_version_range": "\u003c= 2.7.9.3", 16499 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-qr7j-h6gg-jmgc/GHSA-qr7j-h6gg-jmgc.json" 16500 }, 16501 "package": { 16502 "ecosystem": "Maven", 16503 "name": "com.fasterxml.jackson.core:jackson-databind", 16504 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 16505 }, 16506 "ranges": [ 16507 { 16508 "events": [ 16509 { 16510 "introduced": "2.0.0" 16511 }, 16512 { 16513 "fixed": "2.7.9.4" 16514 } 16515 ], 16516 "type": "ECOSYSTEM" 16517 } 16518 ], 16519 "versions": [ 16520 "2.0.0", 16521 "2.0.1", 16522 "2.0.2", 16523 "2.0.4", 16524 "2.0.5", 16525 "2.0.6", 16526 "2.1.0", 16527 "2.1.1", 16528 "2.1.2", 16529 "2.1.3", 16530 "2.1.4", 16531 "2.1.5", 16532 "2.2.0", 16533 "2.2.0-rc1", 16534 "2.2.1", 16535 "2.2.2", 16536 "2.2.3", 16537 "2.2.4", 16538 "2.3.0", 16539 "2.3.0-rc1", 16540 "2.3.1", 16541 "2.3.2", 16542 "2.3.3", 16543 "2.3.4", 16544 "2.3.5", 16545 "2.4.0", 16546 "2.4.0-rc1", 16547 "2.4.0-rc2", 16548 "2.4.0-rc3", 16549 "2.4.1", 16550 "2.4.1.1", 16551 "2.4.1.2", 16552 "2.4.1.3", 16553 "2.4.2", 16554 "2.4.3", 16555 "2.4.4", 16556 "2.4.5", 16557 "2.4.5.1", 16558 "2.4.6", 16559 "2.4.6.1", 16560 "2.5.0", 16561 "2.5.0-rc1", 16562 "2.5.1", 16563 "2.5.2", 16564 "2.5.3", 16565 "2.5.4", 16566 "2.5.5", 16567 "2.6.0", 16568 "2.6.0-rc1", 16569 "2.6.0-rc2", 16570 "2.6.0-rc3", 16571 "2.6.0-rc4", 16572 "2.6.1", 16573 "2.6.2", 16574 "2.6.3", 16575 "2.6.4", 16576 
"2.6.5", 16577 "2.6.6", 16578 "2.6.7", 16579 "2.6.7.1", 16580 "2.6.7.2", 16581 "2.6.7.3", 16582 "2.6.7.4", 16583 "2.6.7.5", 16584 "2.7.0", 16585 "2.7.0-rc1", 16586 "2.7.0-rc2", 16587 "2.7.0-rc3", 16588 "2.7.1", 16589 "2.7.1-1", 16590 "2.7.2", 16591 "2.7.3", 16592 "2.7.4", 16593 "2.7.5", 16594 "2.7.6", 16595 "2.7.7", 16596 "2.7.8", 16597 "2.7.9", 16598 "2.7.9.1", 16599 "2.7.9.2", 16600 "2.7.9.3" 16601 ] 16602 }, 16603 { 16604 "database_specific": { 16605 "last_known_affected_version_range": "\u003c= 2.8.11.1", 16606 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-qr7j-h6gg-jmgc/GHSA-qr7j-h6gg-jmgc.json" 16607 }, 16608 "package": { 16609 "ecosystem": "Maven", 16610 "name": "com.fasterxml.jackson.core:jackson-databind", 16611 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 16612 }, 16613 "ranges": [ 16614 { 16615 "events": [ 16616 { 16617 "introduced": "2.8.0" 16618 }, 16619 { 16620 "fixed": "2.8.11.2" 16621 } 16622 ], 16623 "type": "ECOSYSTEM" 16624 } 16625 ], 16626 "versions": [ 16627 "2.8.0", 16628 "2.8.1", 16629 "2.8.10", 16630 "2.8.11", 16631 "2.8.11.1", 16632 "2.8.2", 16633 "2.8.3", 16634 "2.8.4", 16635 "2.8.5", 16636 "2.8.6", 16637 "2.8.7", 16638 "2.8.8", 16639 "2.8.8.1", 16640 "2.8.9" 16641 ] 16642 }, 16643 { 16644 "database_specific": { 16645 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-qr7j-h6gg-jmgc/GHSA-qr7j-h6gg-jmgc.json" 16646 }, 16647 "package": { 16648 "ecosystem": "Maven", 16649 "name": "com.fasterxml.jackson.core:jackson-databind", 16650 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 16651 }, 16652 "ranges": [ 16653 { 16654 "events": [ 16655 { 16656 "introduced": "2.9.0" 16657 }, 16658 { 16659 "fixed": "2.9.6" 16660 } 16661 ], 16662 "type": "ECOSYSTEM" 16663 } 16664 ], 16665 "versions": [ 16666 "2.9.0", 16667 "2.9.0.pr1", 16668 "2.9.0.pr2", 16669 "2.9.0.pr3", 16670 "2.9.0.pr4", 16671 "2.9.1", 16672 
"2.9.2", 16673 "2.9.3", 16674 "2.9.4", 16675 "2.9.5" 16676 ] 16677 } 16678 ], 16679 "aliases": [ 16680 "CVE-2018-11307" 16681 ], 16682 "database_specific": { 16683 "cwe_ids": [ 16684 "CWE-502" 16685 ], 16686 "github_reviewed": true, 16687 "github_reviewed_at": "2019-07-16T00:41:07Z", 16688 "nvd_published_at": "2019-07-09T16:15:00Z", 16689 "severity": "CRITICAL" 16690 }, 16691 "details": "An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.", 16692 "id": "GHSA-qr7j-h6gg-jmgc", 16693 "modified": "2024-03-11T05:21:14.31398Z", 16694 "published": "2019-07-16T17:42:21Z", 16695 "references": [ 16696 { 16697 "type": "ADVISORY", 16698 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11307" 16699 }, 16700 { 16701 "type": "ADVISORY", 16702 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7525" 16703 }, 16704 { 16705 "type": "WEB", 16706 "url": "https://github.com/FasterXML/jackson-databind/issues/2032" 16707 }, 16708 { 16709 "type": "WEB", 16710 "url": "https://github.com/FasterXML/jackson-databind/commit/051bd5e447fbc9539e12a4fe90eb989dba0c656" 16711 }, 16712 { 16713 "type": "WEB", 16714 "url": "https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb73" 16715 }, 16716 { 16717 "type": "WEB", 16718 "url": "https://github.com/FasterXML/jackson-databind/commit/78e78738d69adcb59fdac9fc12d9053ce8809f3d" 16719 }, 16720 { 16721 "type": "WEB", 16722 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 16723 }, 16724 { 16725 "type": "WEB", 16726 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 16727 }, 16728 { 16729 "type": "WEB", 16730 "url": "https://www.oracle.com/security-alerts/cpujan2020.html" 16731 }, 16732 { 16733 "type": "WEB", 16734 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 16735 }, 16736 { 16737 "type": "WEB", 
16738 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 16739 }, 16740 { 16741 "type": "WEB", 16742 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 16743 }, 16744 { 16745 "type": "WEB", 16746 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 16747 }, 16748 { 16749 "type": "WEB", 16750 "url": "https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d@%3Cissues.lucene.apache.org%3E" 16751 }, 16752 { 16753 "type": "WEB", 16754 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 16755 }, 16756 { 16757 "type": "PACKAGE", 16758 "url": "https://github.com/FasterXML/jackson-databind" 16759 }, 16760 { 16761 "type": "WEB", 16762 "url": "https://access.redhat.com/errata/RHSA-2019:4037" 16763 }, 16764 { 16765 "type": "WEB", 16766 "url": "https://access.redhat.com/errata/RHSA-2019:3892" 16767 }, 16768 { 16769 "type": "WEB", 16770 "url": "https://access.redhat.com/errata/RHSA-2019:3149" 16771 }, 16772 { 16773 "type": "WEB", 16774 "url": "https://access.redhat.com/errata/RHSA-2019:3140" 16775 }, 16776 { 16777 "type": "WEB", 16778 "url": "https://access.redhat.com/errata/RHSA-2019:3002" 16779 }, 16780 { 16781 "type": "WEB", 16782 "url": "https://access.redhat.com/errata/RHSA-2019:2858" 16783 }, 16784 { 16785 "type": "WEB", 16786 "url": "https://access.redhat.com/errata/RHSA-2019:2804" 16787 }, 16788 { 16789 "type": "WEB", 16790 "url": "https://access.redhat.com/errata/RHSA-2019:1823" 16791 }, 16792 { 16793 "type": "WEB", 16794 "url": "https://access.redhat.com/errata/RHSA-2019:1822" 16795 }, 16796 { 16797 "type": "WEB", 16798 "url": "https://access.redhat.com/errata/RHSA-2019:0782" 16799 } 16800 ], 16801 "schema_version": "1.6.0", 16802 
"severity": [ 16803 { 16804 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 16805 "type": "CVSS_V3" 16806 } 16807 ], 16808 "summary": "Deserialization of Untrusted Data in jackson-databind" 16809 }, 16810 { 16811 "affected": [ 16812 { 16813 "database_specific": { 16814 "last_known_affected_version_range": "\u003c= 2.6.7.0", 16815 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qxxx-2pp7-5hmx/GHSA-qxxx-2pp7-5hmx.json" 16816 }, 16817 "package": { 16818 "ecosystem": "Maven", 16819 "name": "com.fasterxml.jackson.core:jackson-databind", 16820 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 16821 }, 16822 "ranges": [ 16823 { 16824 "events": [ 16825 { 16826 "introduced": "0" 16827 }, 16828 { 16829 "fixed": "2.6.7.1" 16830 } 16831 ], 16832 "type": "ECOSYSTEM" 16833 } 16834 ], 16835 "versions": [ 16836 "2.0.0", 16837 "2.0.0-RC1", 16838 "2.0.0-RC2", 16839 "2.0.0-RC3", 16840 "2.0.1", 16841 "2.0.2", 16842 "2.0.4", 16843 "2.0.5", 16844 "2.0.6", 16845 "2.1.0", 16846 "2.1.1", 16847 "2.1.2", 16848 "2.1.3", 16849 "2.1.4", 16850 "2.1.5", 16851 "2.2.0", 16852 "2.2.0-rc1", 16853 "2.2.1", 16854 "2.2.2", 16855 "2.2.3", 16856 "2.2.4", 16857 "2.3.0", 16858 "2.3.0-rc1", 16859 "2.3.1", 16860 "2.3.2", 16861 "2.3.3", 16862 "2.3.4", 16863 "2.3.5", 16864 "2.4.0", 16865 "2.4.0-rc1", 16866 "2.4.0-rc2", 16867 "2.4.0-rc3", 16868 "2.4.1", 16869 "2.4.1.1", 16870 "2.4.1.2", 16871 "2.4.1.3", 16872 "2.4.2", 16873 "2.4.3", 16874 "2.4.4", 16875 "2.4.5", 16876 "2.4.5.1", 16877 "2.4.6", 16878 "2.4.6.1", 16879 "2.5.0", 16880 "2.5.0-rc1", 16881 "2.5.1", 16882 "2.5.2", 16883 "2.5.3", 16884 "2.5.4", 16885 "2.5.5", 16886 "2.6.0", 16887 "2.6.0-rc1", 16888 "2.6.0-rc2", 16889 "2.6.0-rc3", 16890 "2.6.0-rc4", 16891 "2.6.1", 16892 "2.6.2", 16893 "2.6.3", 16894 "2.6.4", 16895 "2.6.5", 16896 "2.6.6", 16897 "2.6.7" 16898 ] 16899 }, 16900 { 16901 "database_specific": { 16902 "last_known_affected_version_range": "\u003c= 2.7.9.0", 16903 
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qxxx-2pp7-5hmx/GHSA-qxxx-2pp7-5hmx.json" 16904 }, 16905 "package": { 16906 "ecosystem": "Maven", 16907 "name": "com.fasterxml.jackson.core:jackson-databind", 16908 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 16909 }, 16910 "ranges": [ 16911 { 16912 "events": [ 16913 { 16914 "introduced": "2.7.0" 16915 }, 16916 { 16917 "fixed": "2.7.9.1" 16918 } 16919 ], 16920 "type": "ECOSYSTEM" 16921 } 16922 ], 16923 "versions": [ 16924 "2.7.0", 16925 "2.7.1", 16926 "2.7.1-1", 16927 "2.7.2", 16928 "2.7.3", 16929 "2.7.4", 16930 "2.7.5", 16931 "2.7.6", 16932 "2.7.7", 16933 "2.7.8", 16934 "2.7.9" 16935 ] 16936 }, 16937 { 16938 "database_specific": { 16939 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qxxx-2pp7-5hmx/GHSA-qxxx-2pp7-5hmx.json" 16940 }, 16941 "package": { 16942 "ecosystem": "Maven", 16943 "name": "com.fasterxml.jackson.core:jackson-databind", 16944 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 16945 }, 16946 "ranges": [ 16947 { 16948 "events": [ 16949 { 16950 "introduced": "2.8.0" 16951 }, 16952 { 16953 "fixed": "2.8.9" 16954 } 16955 ], 16956 "type": "ECOSYSTEM" 16957 } 16958 ], 16959 "versions": [ 16960 "2.8.0", 16961 "2.8.1", 16962 "2.8.2", 16963 "2.8.3", 16964 "2.8.4", 16965 "2.8.5", 16966 "2.8.6", 16967 "2.8.7", 16968 "2.8.8", 16969 "2.8.8.1" 16970 ] 16971 } 16972 ], 16973 "aliases": [ 16974 "CVE-2017-7525" 16975 ], 16976 "database_specific": { 16977 "cwe_ids": [ 16978 "CWE-184", 16979 "CWE-502" 16980 ], 16981 "github_reviewed": true, 16982 "github_reviewed_at": "2020-06-16T21:53:14Z", 16983 "nvd_published_at": "2018-02-06T15:29:00Z", 16984 "severity": "CRITICAL" 16985 }, 16986 "details": "A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by 
sending the maliciously crafted input to the readValue method of the ObjectMapper.", 16987 "id": "GHSA-qxxx-2pp7-5hmx", 16988 "modified": "2024-03-11T05:19:49.08006Z", 16989 "published": "2018-10-16T17:21:35Z", 16990 "references": [ 16991 { 16992 "type": "ADVISORY", 16993 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7525" 16994 }, 16995 { 16996 "type": "WEB", 16997 "url": "https://github.com/FasterXML/jackson-databind/issues/1723" 16998 }, 16999 { 17000 "type": "WEB", 17001 "url": "https://github.com/FasterXML/jackson-databind/issues/1599" 17002 }, 17003 { 17004 "type": "WEB", 17005 "url": "https://github.com/FasterXML/jackson-databind/commit/fd8dec2c7fab8b4b4bd60502a0f1d63ec23c24da" 17006 }, 17007 { 17008 "type": "WEB", 17009 "url": "https://github.com/FasterXML/jackson-databind/commit/fa87c1ddbe803ebb7295f5c2ebfe38e12f6e6162" 17010 }, 17011 { 17012 "type": "WEB", 17013 "url": "https://github.com/FasterXML/jackson-databind/commit/3bfbb835e530055c1941ddf87fde0b08d08dcd38" 17014 }, 17015 { 17016 "type": "WEB", 17017 "url": "https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1" 17018 }, 17019 { 17020 "type": "WEB", 17021 "url": "https://github.com/FasterXML/jackson-databind/commit/680d75b011edd67a2d2a2e9980998a968194c2ef" 17022 }, 17023 { 17024 "type": "WEB", 17025 "url": "https://github.com/FasterXML/jackson-databind/commit/6ce32ffd18facac6abdbbf559c817b47fcb622c1" 17026 }, 17027 { 17028 "type": "WEB", 17029 "url": "https://github.com/FasterXML/jackson-databind/commit/90042692085deeb05ae75c569c9909f7dba24415" 17030 }, 17031 { 17032 "type": "ADVISORY", 17033 "url": "https://github.com/advisories/GHSA-qxxx-2pp7-5hmx" 17034 }, 17035 { 17036 "type": "WEB", 17037 "url": "https://lists.apache.org/thread.html/3c87dc8bca99a2b3b4743713b33d1de05b1d6b761fdf316224e9c81f@%3Cdev.lucene.apache.org%3E" 17038 }, 17039 { 17040 "type": "WEB", 17041 "url": 
"https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b@%3Ccommits.cassandra.apache.org%3E" 17042 }, 17043 { 17044 "type": "WEB", 17045 "url": "https://lists.apache.org/thread.html/5008bcbd45ee65ce39e4220b6ac53d28a24d6bc67d5804e9773a7399@%3Csolr-user.lucene.apache.org%3E" 17046 }, 17047 { 17048 "type": "WEB", 17049 "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" 17050 }, 17051 { 17052 "type": "WEB", 17053 "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" 17054 }, 17055 { 17056 "type": "WEB", 17057 "url": "https://lists.apache.org/thread.html/b1f33fe5ade396bb903fdcabe9f243f7692c7dfce5418d3743c2d346@%3Cdev.lucene.apache.org%3E" 17058 }, 17059 { 17060 "type": "WEB", 17061 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 17062 }, 17063 { 17064 "type": "WEB", 17065 "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" 17066 }, 17067 { 17068 "type": "WEB", 17069 "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" 17070 }, 17071 { 17072 "type": "WEB", 17073 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 17074 }, 17075 { 17076 "type": "WEB", 17077 "url": "https://www.debian.org/security/2017/dsa-4004" 17078 }, 17079 { 17080 "type": "WEB", 17081 "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us" 17082 }, 17083 { 17084 "type": "WEB", 17085 "url": "https://security.netapp.com/advisory/ntap-20171214-0002" 17086 }, 17087 { 17088 "type": "WEB", 17089 "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html" 17090 }, 17091 { 17092 "type": "WEB", 17093 "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html" 17094 }, 17095 { 17096 "type": "WEB", 17097 "url": 
"https://lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c@%3Ccommits.cassandra.apache.org%3E" 17098 }, 17099 { 17100 "type": "WEB", 17101 "url": "https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589@%3Cissues.spark.apache.org%3E" 17102 }, 17103 { 17104 "type": "WEB", 17105 "url": "https://lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7@%3Ccommits.cassandra.apache.org%3E" 17106 }, 17107 { 17108 "type": "WEB", 17109 "url": "https://lists.apache.org/thread.html/f60afd3c7e9ebaaf70fad4a4beb75cf8740ac959017a31e7006c7486@%3Cdev.lucene.apache.org%3E" 17110 }, 17111 { 17112 "type": "WEB", 17113 "url": "https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E" 17114 }, 17115 { 17116 "type": "WEB", 17117 "url": "https://lists.apache.org/thread.html/c9d5ff20929e8a3c8794facf4c4b326a9c10618812eec356caa20b87@%3Csolr-user.lucene.apache.org%3E" 17118 }, 17119 { 17120 "type": "WEB", 17121 "url": "https://lists.apache.org/thread.html/c2ed4c0126b43e324cf740012a0edd371fd36096fd777be7bfe7a2a6@%3Cdev.lucene.apache.org%3E" 17122 }, 17123 { 17124 "type": "WEB", 17125 "url": "https://lists.apache.org/thread.html/c10a2bf0fdc3d25faf17bd191d6ec46b29a353fa9c97bebd7c4e5913@%3Cdev.lucene.apache.org%3E" 17126 }, 17127 { 17128 "type": "WEB", 17129 "url": "https://access.redhat.com/errata/RHSA-2017:1834" 17130 }, 17131 { 17132 "type": "WEB", 17133 "url": "https://access.redhat.com/errata/RHSA-2017:1835" 17134 }, 17135 { 17136 "type": "WEB", 17137 "url": "https://access.redhat.com/errata/RHSA-2017:1836" 17138 }, 17139 { 17140 "type": "WEB", 17141 "url": "https://access.redhat.com/errata/RHSA-2017:1837" 17142 }, 17143 { 17144 "type": "WEB", 17145 "url": "https://access.redhat.com/errata/RHSA-2017:1839" 17146 }, 17147 { 17148 "type": "WEB", 17149 "url": "https://access.redhat.com/errata/RHSA-2017:1840" 17150 }, 
17151 { 17152 "type": "WEB", 17153 "url": "https://access.redhat.com/errata/RHSA-2017:2477" 17154 }, 17155 { 17156 "type": "WEB", 17157 "url": "https://access.redhat.com/errata/RHSA-2017:2546" 17158 }, 17159 { 17160 "type": "WEB", 17161 "url": "https://access.redhat.com/errata/RHSA-2017:2547" 17162 }, 17163 { 17164 "type": "WEB", 17165 "url": "https://access.redhat.com/errata/RHSA-2017:2633" 17166 }, 17167 { 17168 "type": "WEB", 17169 "url": "https://access.redhat.com/errata/RHSA-2017:2635" 17170 }, 17171 { 17172 "type": "WEB", 17173 "url": "https://access.redhat.com/errata/RHSA-2017:2636" 17174 }, 17175 { 17176 "type": "WEB", 17177 "url": "https://access.redhat.com/errata/RHSA-2017:2637" 17178 }, 17179 { 17180 "type": "WEB", 17181 "url": "https://access.redhat.com/errata/RHSA-2017:2638" 17182 }, 17183 { 17184 "type": "WEB", 17185 "url": "https://access.redhat.com/errata/RHSA-2017:3141" 17186 }, 17187 { 17188 "type": "WEB", 17189 "url": "https://access.redhat.com/errata/RHSA-2017:3454" 17190 }, 17191 { 17192 "type": "WEB", 17193 "url": "https://access.redhat.com/errata/RHSA-2017:3455" 17194 }, 17195 { 17196 "type": "WEB", 17197 "url": "https://access.redhat.com/errata/RHSA-2017:3456" 17198 }, 17199 { 17200 "type": "WEB", 17201 "url": "https://access.redhat.com/errata/RHSA-2017:3458" 17202 }, 17203 { 17204 "type": "WEB", 17205 "url": "https://access.redhat.com/errata/RHSA-2018:0294" 17206 }, 17207 { 17208 "type": "WEB", 17209 "url": "https://access.redhat.com/errata/RHSA-2018:0342" 17210 }, 17211 { 17212 "type": "WEB", 17213 "url": "https://access.redhat.com/errata/RHSA-2018:1449" 17214 }, 17215 { 17216 "type": "WEB", 17217 "url": "https://access.redhat.com/errata/RHSA-2018:1450" 17218 }, 17219 { 17220 "type": "WEB", 17221 "url": "https://access.redhat.com/errata/RHSA-2019:0910" 17222 }, 17223 { 17224 "type": "WEB", 17225 "url": "https://access.redhat.com/errata/RHSA-2019:2858" 17226 }, 17227 { 17228 "type": "WEB", 17229 "url": 
"https://access.redhat.com/errata/RHSA-2019:3149" 17230 }, 17231 { 17232 "type": "WEB", 17233 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1462702" 17234 }, 17235 { 17236 "type": "WEB", 17237 "url": "https://cwiki.apache.org/confluence/display/WW/S2-055" 17238 }, 17239 { 17240 "type": "PACKAGE", 17241 "url": "https://github.com/FasterXML/jackson-databind" 17242 }, 17243 { 17244 "type": "WEB", 17245 "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" 17246 }, 17247 { 17248 "type": "WEB", 17249 "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" 17250 }, 17251 { 17252 "type": "WEB", 17253 "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" 17254 } 17255 ], 17256 "schema_version": "1.6.0", 17257 "severity": [ 17258 { 17259 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 17260 "type": "CVSS_V3" 17261 } 17262 ], 17263 "summary": "jackson-databind is vulnerable to a deserialization flaw" 17264 }, 17265 { 17266 "affected": [ 17267 { 17268 "database_specific": { 17269 "last_known_affected_version_range": "\u003c= 2.9.10.7", 17270 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-r3gr-cxrf-hg25/GHSA-r3gr-cxrf-hg25.json" 17271 }, 17272 "package": { 17273 "ecosystem": "Maven", 17274 "name": "com.fasterxml.jackson.core:jackson-databind", 17275 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 17276 }, 17277 "ranges": [ 17278 { 17279 "events": [ 17280 { 17281 "introduced": "2.0.0" 17282 }, 17283 { 17284 "fixed": "2.9.10.8" 17285 } 17286 ], 17287 "type": "ECOSYSTEM" 17288 } 17289 ], 17290 "versions": [ 17291 "2.0.0", 17292 "2.0.1", 17293 "2.0.2", 17294 "2.0.4", 17295 "2.0.5", 17296 "2.0.6", 17297 "2.1.0", 17298 "2.1.1", 17299 "2.1.2", 17300 "2.1.3", 17301 "2.1.4", 17302 "2.1.5", 17303 "2.2.0", 17304 "2.2.0-rc1", 17305 "2.2.1", 17306 "2.2.2", 17307 "2.2.3", 17308 "2.2.4", 17309 "2.3.0", 17310 
"2.3.0-rc1", 17311 "2.3.1", 17312 "2.3.2", 17313 "2.3.3", 17314 "2.3.4", 17315 "2.3.5", 17316 "2.4.0", 17317 "2.4.0-rc1", 17318 "2.4.0-rc2", 17319 "2.4.0-rc3", 17320 "2.4.1", 17321 "2.4.1.1", 17322 "2.4.1.2", 17323 "2.4.1.3", 17324 "2.4.2", 17325 "2.4.3", 17326 "2.4.4", 17327 "2.4.5", 17328 "2.4.5.1", 17329 "2.4.6", 17330 "2.4.6.1", 17331 "2.5.0", 17332 "2.5.0-rc1", 17333 "2.5.1", 17334 "2.5.2", 17335 "2.5.3", 17336 "2.5.4", 17337 "2.5.5", 17338 "2.6.0", 17339 "2.6.0-rc1", 17340 "2.6.0-rc2", 17341 "2.6.0-rc3", 17342 "2.6.0-rc4", 17343 "2.6.1", 17344 "2.6.2", 17345 "2.6.3", 17346 "2.6.4", 17347 "2.6.5", 17348 "2.6.6", 17349 "2.6.7", 17350 "2.6.7.1", 17351 "2.6.7.2", 17352 "2.6.7.3", 17353 "2.6.7.4", 17354 "2.6.7.5", 17355 "2.7.0", 17356 "2.7.0-rc1", 17357 "2.7.0-rc2", 17358 "2.7.0-rc3", 17359 "2.7.1", 17360 "2.7.1-1", 17361 "2.7.2", 17362 "2.7.3", 17363 "2.7.4", 17364 "2.7.5", 17365 "2.7.6", 17366 "2.7.7", 17367 "2.7.8", 17368 "2.7.9", 17369 "2.7.9.1", 17370 "2.7.9.2", 17371 "2.7.9.3", 17372 "2.7.9.4", 17373 "2.7.9.5", 17374 "2.7.9.6", 17375 "2.7.9.7", 17376 "2.8.0", 17377 "2.8.0.rc1", 17378 "2.8.0.rc2", 17379 "2.8.1", 17380 "2.8.10", 17381 "2.8.11", 17382 "2.8.11.1", 17383 "2.8.11.2", 17384 "2.8.11.3", 17385 "2.8.11.4", 17386 "2.8.11.5", 17387 "2.8.11.6", 17388 "2.8.2", 17389 "2.8.3", 17390 "2.8.4", 17391 "2.8.5", 17392 "2.8.6", 17393 "2.8.7", 17394 "2.8.8", 17395 "2.8.8.1", 17396 "2.8.9", 17397 "2.9.0", 17398 "2.9.0.pr1", 17399 "2.9.0.pr2", 17400 "2.9.0.pr3", 17401 "2.9.0.pr4", 17402 "2.9.1", 17403 "2.9.10", 17404 "2.9.10.1", 17405 "2.9.10.2", 17406 "2.9.10.3", 17407 "2.9.10.4", 17408 "2.9.10.5", 17409 "2.9.10.6", 17410 "2.9.10.7", 17411 "2.9.2", 17412 "2.9.3", 17413 "2.9.4", 17414 "2.9.5", 17415 "2.9.6", 17416 "2.9.7", 17417 "2.9.8", 17418 "2.9.9", 17419 "2.9.9.1", 17420 "2.9.9.2", 17421 "2.9.9.3" 17422 ] 17423 } 17424 ], 17425 "aliases": [ 17426 "CVE-2020-35491" 17427 ], 17428 "database_specific": { 17429 "cwe_ids": [ 17430 "CWE-502", 17431 "CWE-913" 17432 ], 
17433 "github_reviewed": true, 17434 "github_reviewed_at": "2021-04-08T21:05:38Z", 17435 "nvd_published_at": "2020-12-17T19:15:00Z", 17436 "severity": "HIGH" 17437 }, 17438 "details": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.", 17439 "id": "GHSA-r3gr-cxrf-hg25", 17440 "modified": "2024-06-25T14:20:21.32305Z", 17441 "published": "2021-12-09T19:15:11Z", 17442 "references": [ 17443 { 17444 "type": "ADVISORY", 17445 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35491" 17446 }, 17447 { 17448 "type": "WEB", 17449 "url": "https://github.com/FasterXML/jackson-databind/issues/2986" 17450 }, 17451 { 17452 "type": "WEB", 17453 "url": "https://github.com/FasterXML/jackson-databind/commit/41b8bdb5ccc1d8edb71acf1c8234da235a24249d" 17454 }, 17455 { 17456 "type": "WEB", 17457 "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 17458 }, 17459 { 17460 "type": "PACKAGE", 17461 "url": "https://github.com/FasterXML/jackson-databind" 17462 }, 17463 { 17464 "type": "WEB", 17465 "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" 17466 }, 17467 { 17468 "type": "WEB", 17469 "url": "https://security.netapp.com/advisory/ntap-20210122-0005" 17470 }, 17471 { 17472 "type": "WEB", 17473 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 17474 }, 17475 { 17476 "type": "WEB", 17477 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 17478 }, 17479 { 17480 "type": "WEB", 17481 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 17482 }, 17483 { 17484 "type": "WEB", 17485 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 17486 }, 17487 { 17488 "type": "WEB", 17489 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 17490 }, 17491 { 17492 "type": "WEB", 17493 "url": 
"https://www.oracle.com/security-alerts/cpuoct2021.html" 17494 } 17495 ], 17496 "schema_version": "1.6.0", 17497 "severity": [ 17498 { 17499 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 17500 "type": "CVSS_V3" 17501 } 17502 ], 17503 "summary": "Serialization gadgets exploit in jackson-databind" 17504 }, 17505 { 17506 "affected": [ 17507 { 17508 "database_specific": { 17509 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-r695-7vr9-jgc2/GHSA-r695-7vr9-jgc2.json" 17510 }, 17511 "package": { 17512 "ecosystem": "Maven", 17513 "name": "com.fasterxml.jackson.core:jackson-databind", 17514 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 17515 }, 17516 "ranges": [ 17517 { 17518 "events": [ 17519 { 17520 "introduced": "2.0.0" 17521 }, 17522 { 17523 "fixed": "2.9.10.8" 17524 } 17525 ], 17526 "type": "ECOSYSTEM" 17527 } 17528 ], 17529 "versions": [ 17530 "2.0.0", 17531 "2.0.1", 17532 "2.0.2", 17533 "2.0.4", 17534 "2.0.5", 17535 "2.0.6", 17536 "2.1.0", 17537 "2.1.1", 17538 "2.1.2", 17539 "2.1.3", 17540 "2.1.4", 17541 "2.1.5", 17542 "2.2.0", 17543 "2.2.0-rc1", 17544 "2.2.1", 17545 "2.2.2", 17546 "2.2.3", 17547 "2.2.4", 17548 "2.3.0", 17549 "2.3.0-rc1", 17550 "2.3.1", 17551 "2.3.2", 17552 "2.3.3", 17553 "2.3.4", 17554 "2.3.5", 17555 "2.4.0", 17556 "2.4.0-rc1", 17557 "2.4.0-rc2", 17558 "2.4.0-rc3", 17559 "2.4.1", 17560 "2.4.1.1", 17561 "2.4.1.2", 17562 "2.4.1.3", 17563 "2.4.2", 17564 "2.4.3", 17565 "2.4.4", 17566 "2.4.5", 17567 "2.4.5.1", 17568 "2.4.6", 17569 "2.4.6.1", 17570 "2.5.0", 17571 "2.5.0-rc1", 17572 "2.5.1", 17573 "2.5.2", 17574 "2.5.3", 17575 "2.5.4", 17576 "2.5.5", 17577 "2.6.0", 17578 "2.6.0-rc1", 17579 "2.6.0-rc2", 17580 "2.6.0-rc3", 17581 "2.6.0-rc4", 17582 "2.6.1", 17583 "2.6.2", 17584 "2.6.3", 17585 "2.6.4", 17586 "2.6.5", 17587 "2.6.6", 17588 "2.6.7", 17589 "2.6.7.1", 17590 "2.6.7.2", 17591 "2.6.7.3", 17592 "2.6.7.4", 17593 "2.6.7.5", 17594 "2.7.0", 17595 "2.7.0-rc1", 17596 
"2.7.0-rc2", 17597 "2.7.0-rc3", 17598 "2.7.1", 17599 "2.7.1-1", 17600 "2.7.2", 17601 "2.7.3", 17602 "2.7.4", 17603 "2.7.5", 17604 "2.7.6", 17605 "2.7.7", 17606 "2.7.8", 17607 "2.7.9", 17608 "2.7.9.1", 17609 "2.7.9.2", 17610 "2.7.9.3", 17611 "2.7.9.4", 17612 "2.7.9.5", 17613 "2.7.9.6", 17614 "2.7.9.7", 17615 "2.8.0", 17616 "2.8.0.rc1", 17617 "2.8.0.rc2", 17618 "2.8.1", 17619 "2.8.10", 17620 "2.8.11", 17621 "2.8.11.1", 17622 "2.8.11.2", 17623 "2.8.11.3", 17624 "2.8.11.4", 17625 "2.8.11.5", 17626 "2.8.11.6", 17627 "2.8.2", 17628 "2.8.3", 17629 "2.8.4", 17630 "2.8.5", 17631 "2.8.6", 17632 "2.8.7", 17633 "2.8.8", 17634 "2.8.8.1", 17635 "2.8.9", 17636 "2.9.0", 17637 "2.9.0.pr1", 17638 "2.9.0.pr2", 17639 "2.9.0.pr3", 17640 "2.9.0.pr4", 17641 "2.9.1", 17642 "2.9.10", 17643 "2.9.10.1", 17644 "2.9.10.2", 17645 "2.9.10.3", 17646 "2.9.10.4", 17647 "2.9.10.5", 17648 "2.9.10.6", 17649 "2.9.10.7", 17650 "2.9.2", 17651 "2.9.3", 17652 "2.9.4", 17653 "2.9.5", 17654 "2.9.6", 17655 "2.9.7", 17656 "2.9.8", 17657 "2.9.9", 17658 "2.9.9.1", 17659 "2.9.9.2", 17660 "2.9.9.3" 17661 ] 17662 } 17663 ], 17664 "aliases": [ 17665 "CVE-2020-36187" 17666 ], 17667 "database_specific": { 17668 "cwe_ids": [ 17669 "CWE-502" 17670 ], 17671 "github_reviewed": true, 17672 "github_reviewed_at": "2021-03-18T23:23:27Z", 17673 "nvd_published_at": "2021-01-06T23:15:00Z", 17674 "severity": "HIGH" 17675 }, 17676 "details": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.", 17677 "id": "GHSA-r695-7vr9-jgc2", 17678 "modified": "2024-02-18T05:30:45.856594Z", 17679 "published": "2021-12-09T19:16:51Z", 17680 "references": [ 17681 { 17682 "type": "ADVISORY", 17683 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36187" 17684 }, 17685 { 17686 "type": "WEB", 17687 "url": "https://github.com/FasterXML/jackson-databind/issues/2997" 17688 }, 17689 { 17690 "type": "WEB", 17691 "url": 
"https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1" 17692 }, 17693 { 17694 "type": "WEB", 17695 "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 17696 }, 17697 { 17698 "type": "PACKAGE", 17699 "url": "https://github.com/FasterXML/jackson-databind" 17700 }, 17701 { 17702 "type": "WEB", 17703 "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" 17704 }, 17705 { 17706 "type": "WEB", 17707 "url": "https://security.netapp.com/advisory/ntap-20210205-0005" 17708 }, 17709 { 17710 "type": "WEB", 17711 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 17712 }, 17713 { 17714 "type": "WEB", 17715 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 17716 }, 17717 { 17718 "type": "WEB", 17719 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 17720 }, 17721 { 17722 "type": "WEB", 17723 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 17724 }, 17725 { 17726 "type": "WEB", 17727 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 17728 }, 17729 { 17730 "type": "WEB", 17731 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 17732 } 17733 ], 17734 "schema_version": "1.6.0", 17735 "severity": [ 17736 { 17737 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 17738 "type": "CVSS_V3" 17739 } 17740 ], 17741 "summary": "Unsafe Deserialization in jackson-databind" 17742 }, 17743 { 17744 "affected": [ 17745 { 17746 "database_specific": { 17747 "last_known_affected_version_range": "\u003c= 2.9.10.3", 17748 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-rf6r-2c4q-2vwg/GHSA-rf6r-2c4q-2vwg.json" 17749 }, 17750 "package": { 17751 "ecosystem": "Maven", 17752 "name": "com.fasterxml.jackson.core:jackson-databind", 17753 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 17754 }, 17755 "ranges": [ 17756 { 17757 
"events": [ 17758 { 17759 "introduced": "2.9.0" 17760 }, 17761 { 17762 "fixed": "2.9.10.4" 17763 } 17764 ], 17765 "type": "ECOSYSTEM" 17766 } 17767 ], 17768 "versions": [ 17769 "2.9.0", 17770 "2.9.0.pr1", 17771 "2.9.0.pr2", 17772 "2.9.0.pr3", 17773 "2.9.0.pr4", 17774 "2.9.1", 17775 "2.9.10", 17776 "2.9.10.1", 17777 "2.9.10.2", 17778 "2.9.10.3", 17779 "2.9.2", 17780 "2.9.3", 17781 "2.9.4", 17782 "2.9.5", 17783 "2.9.6", 17784 "2.9.7", 17785 "2.9.8", 17786 "2.9.9", 17787 "2.9.9.1", 17788 "2.9.9.2", 17789 "2.9.9.3" 17790 ] 17791 } 17792 ], 17793 "aliases": [ 17794 "CVE-2020-10968" 17795 ], 17796 "database_specific": { 17797 "cwe_ids": [ 17798 "CWE-502" 17799 ], 17800 "github_reviewed": true, 17801 "github_reviewed_at": "2020-04-23T19:30:49Z", 17802 "nvd_published_at": "2020-03-26T13:15:00Z", 17803 "severity": "HIGH" 17804 }, 17805 "details": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).", 17806 "id": "GHSA-rf6r-2c4q-2vwg", 17807 "modified": "2024-03-15T01:05:13.129194Z", 17808 "published": "2020-05-15T18:58:54Z", 17809 "references": [ 17810 { 17811 "type": "ADVISORY", 17812 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10968" 17813 }, 17814 { 17815 "type": "WEB", 17816 "url": "https://github.com/FasterXML/jackson-databind/issues/2662" 17817 }, 17818 { 17819 "type": "WEB", 17820 "url": "https://github.com/FasterXML/jackson-databind/commit/05d7e0e13f43e12db6a51726df12c8b4d8040676" 17821 }, 17822 { 17823 "type": "WEB", 17824 "url": "https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88" 17825 }, 17826 { 17827 "type": "WEB", 17828 "url": "https://github.com/FasterXML/jackson-databind" 17829 }, 17830 { 17831 "type": "WEB", 17832 "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html" 17833 }, 17834 { 17835 "type": "WEB", 17836 "url": 
"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 17837 }, 17838 { 17839 "type": "WEB", 17840 "url": "https://security.netapp.com/advisory/ntap-20200403-0002" 17841 }, 17842 { 17843 "type": "WEB", 17844 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 17845 }, 17846 { 17847 "type": "WEB", 17848 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 17849 }, 17850 { 17851 "type": "WEB", 17852 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 17853 }, 17854 { 17855 "type": "WEB", 17856 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 17857 } 17858 ], 17859 "schema_version": "1.6.0", 17860 "severity": [ 17861 { 17862 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", 17863 "type": "CVSS_V3" 17864 } 17865 ], 17866 "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing" 17867 }, 17868 { 17869 "affected": [ 17870 { 17871 "database_specific": { 17872 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-rfx6-vp9g-rh7v/GHSA-rfx6-vp9g-rh7v.json" 17873 }, 17874 "package": { 17875 "ecosystem": "Maven", 17876 "name": "com.fasterxml.jackson.core:jackson-databind", 17877 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 17878 }, 17879 "ranges": [ 17880 { 17881 "events": [ 17882 { 17883 "introduced": "2.9.0" 17884 }, 17885 { 17886 "fixed": "2.9.4" 17887 } 17888 ], 17889 "type": "ECOSYSTEM" 17890 } 17891 ], 17892 "versions": [ 17893 "2.9.0", 17894 "2.9.0.pr1", 17895 "2.9.0.pr2", 17896 "2.9.0.pr3", 17897 "2.9.0.pr4", 17898 "2.9.1", 17899 "2.9.2", 17900 "2.9.3" 17901 ] 17902 }, 17903 { 17904 "database_specific": { 17905 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-rfx6-vp9g-rh7v/GHSA-rfx6-vp9g-rh7v.json" 17906 }, 17907 "package": { 17908 "ecosystem": "Maven", 17909 "name": 
"com.fasterxml.jackson.core:jackson-databind", 17910 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 17911 }, 17912 "ranges": [ 17913 { 17914 "events": [ 17915 { 17916 "introduced": "2.8.0" 17917 }, 17918 { 17919 "fixed": "2.8.11" 17920 } 17921 ], 17922 "type": "ECOSYSTEM" 17923 } 17924 ], 17925 "versions": [ 17926 "2.8.0", 17927 "2.8.1", 17928 "2.8.10", 17929 "2.8.2", 17930 "2.8.3", 17931 "2.8.4", 17932 "2.8.5", 17933 "2.8.6", 17934 "2.8.7", 17935 "2.8.8", 17936 "2.8.8.1", 17937 "2.8.9" 17938 ] 17939 }, 17940 { 17941 "database_specific": { 17942 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-rfx6-vp9g-rh7v/GHSA-rfx6-vp9g-rh7v.json" 17943 }, 17944 "package": { 17945 "ecosystem": "Maven", 17946 "name": "com.fasterxml.jackson.core:jackson-databind", 17947 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 17948 }, 17949 "ranges": [ 17950 { 17951 "events": [ 17952 { 17953 "introduced": "0" 17954 }, 17955 { 17956 "fixed": "2.7.9.2" 17957 } 17958 ], 17959 "type": "ECOSYSTEM" 17960 } 17961 ], 17962 "versions": [ 17963 "2.0.0", 17964 "2.0.0-RC1", 17965 "2.0.0-RC2", 17966 "2.0.0-RC3", 17967 "2.0.1", 17968 "2.0.2", 17969 "2.0.4", 17970 "2.0.5", 17971 "2.0.6", 17972 "2.1.0", 17973 "2.1.1", 17974 "2.1.2", 17975 "2.1.3", 17976 "2.1.4", 17977 "2.1.5", 17978 "2.2.0", 17979 "2.2.0-rc1", 17980 "2.2.1", 17981 "2.2.2", 17982 "2.2.3", 17983 "2.2.4", 17984 "2.3.0", 17985 "2.3.0-rc1", 17986 "2.3.1", 17987 "2.3.2", 17988 "2.3.3", 17989 "2.3.4", 17990 "2.3.5", 17991 "2.4.0", 17992 "2.4.0-rc1", 17993 "2.4.0-rc2", 17994 "2.4.0-rc3", 17995 "2.4.1", 17996 "2.4.1.1", 17997 "2.4.1.2", 17998 "2.4.1.3", 17999 "2.4.2", 18000 "2.4.3", 18001 "2.4.4", 18002 "2.4.5", 18003 "2.4.5.1", 18004 "2.4.6", 18005 "2.4.6.1", 18006 "2.5.0", 18007 "2.5.0-rc1", 18008 "2.5.1", 18009 "2.5.2", 18010 "2.5.3", 18011 "2.5.4", 18012 "2.5.5", 18013 "2.6.0", 18014 "2.6.0-rc1", 18015 "2.6.0-rc2", 18016 "2.6.0-rc3", 18017 "2.6.0-rc4", 
18018 "2.6.1", 18019 "2.6.2", 18020 "2.6.3", 18021 "2.6.4", 18022 "2.6.5", 18023 "2.6.6", 18024 "2.6.7", 18025 "2.6.7.1", 18026 "2.6.7.2", 18027 "2.6.7.3", 18028 "2.6.7.4", 18029 "2.6.7.5", 18030 "2.7.0", 18031 "2.7.0-rc1", 18032 "2.7.0-rc2", 18033 "2.7.0-rc3", 18034 "2.7.1", 18035 "2.7.1-1", 18036 "2.7.2", 18037 "2.7.3", 18038 "2.7.4", 18039 "2.7.5", 18040 "2.7.6", 18041 "2.7.7", 18042 "2.7.8", 18043 "2.7.9", 18044 "2.7.9.1" 18045 ] 18046 } 18047 ], 18048 "aliases": [ 18049 "CVE-2017-17485" 18050 ], 18051 "database_specific": { 18052 "cwe_ids": [ 18053 "CWE-502" 18054 ], 18055 "github_reviewed": true, 18056 "github_reviewed_at": "2020-06-16T21:54:38Z", 18057 "nvd_published_at": "2018-01-10T18:29:00Z", 18058 "severity": "CRITICAL" 18059 }, 18060 "details": "FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.", 18061 "id": "GHSA-rfx6-vp9g-rh7v", 18062 "modified": "2024-03-11T05:17:47.425595Z", 18063 "published": "2018-10-18T17:42:48Z", 18064 "references": [ 18065 { 18066 "type": "ADVISORY", 18067 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17485" 18068 }, 18069 { 18070 "type": "WEB", 18071 "url": "https://github.com/FasterXML/jackson-databind/issues/1855" 18072 }, 18073 { 18074 "type": "WEB", 18075 "url": "https://github.com/FasterXML/jackson-databind/commit/10fe7f17ea7c8da2a71e7a0c774b420a1d5c1b50" 18076 }, 18077 { 18078 "type": "WEB", 18079 "url": "https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf" 18080 }, 18081 { 18082 "type": "WEB", 18083 "url": "https://github.com/FasterXML/jackson-databind/commit/459107dccc9b3ea991af3e6ad0953e54b01ef7c1" 18084 }, 18085 { 18086 "type": "WEB", 
18087 "url": "https://github.com/FasterXML/jackson-databind/commit/4f16f67ebd22c7522fdbb8a7eb87e3026a807d61" 18088 }, 18089 { 18090 "type": "WEB", 18091 "url": "https://github.com/FasterXML/jackson-databind/commit/978798382ceb72229e5036aa1442943933d6d171" 18092 }, 18093 { 18094 "type": "WEB", 18095 "url": "https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d" 18096 }, 18097 { 18098 "type": "WEB", 18099 "url": "https://github.com/FasterXML/jackson-databind/commit/eb217dd0f87c5fb471e0668575644aa7eba9a3d3" 18100 }, 18101 { 18102 "type": "WEB", 18103 "url": "https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd" 18104 }, 18105 { 18106 "type": "PACKAGE", 18107 "url": "https://github.com/FasterXML/jackson-databind" 18108 }, 18109 { 18110 "type": "WEB", 18111 "url": "https://github.com/irsl/jackson-rce-via-spel" 18112 }, 18113 { 18114 "type": "WEB", 18115 "url": "https://security.netapp.com/advisory/ntap-20180201-0003" 18116 }, 18117 { 18118 "type": "WEB", 18119 "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us" 18120 }, 18121 { 18122 "type": "WEB", 18123 "url": "https://web.archive.org/web/20200927162225/http://www.securityfocus.com/archive/1/541652/100/0/threaded" 18124 }, 18125 { 18126 "type": "WEB", 18127 "url": "https://www.debian.org/security/2018/dsa-4114" 18128 }, 18129 { 18130 "type": "WEB", 18131 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 18132 }, 18133 { 18134 "type": "WEB", 18135 "url": "https://access.redhat.com/errata/RHSA-2018:0116" 18136 }, 18137 { 18138 "type": "WEB", 18139 "url": "https://access.redhat.com/errata/RHSA-2018:0342" 18140 }, 18141 { 18142 "type": "WEB", 18143 "url": "https://access.redhat.com/errata/RHSA-2018:0478" 18144 }, 18145 { 18146 "type": "WEB", 18147 "url": "https://access.redhat.com/errata/RHSA-2018:0479" 18148 }, 18149 { 18150 "type": "WEB", 18151 "url": 
"https://access.redhat.com/errata/RHSA-2018:0480" 18152 }, 18153 { 18154 "type": "WEB", 18155 "url": "https://access.redhat.com/errata/RHSA-2018:0481" 18156 }, 18157 { 18158 "type": "WEB", 18159 "url": "https://access.redhat.com/errata/RHSA-2018:1447" 18160 }, 18161 { 18162 "type": "WEB", 18163 "url": "https://access.redhat.com/errata/RHSA-2018:1448" 18164 }, 18165 { 18166 "type": "WEB", 18167 "url": "https://access.redhat.com/errata/RHSA-2018:1449" 18168 }, 18169 { 18170 "type": "WEB", 18171 "url": "https://access.redhat.com/errata/RHSA-2018:1450" 18172 }, 18173 { 18174 "type": "WEB", 18175 "url": "https://access.redhat.com/errata/RHSA-2018:1451" 18176 }, 18177 { 18178 "type": "WEB", 18179 "url": "https://access.redhat.com/errata/RHSA-2018:2930" 18180 }, 18181 { 18182 "type": "WEB", 18183 "url": "https://access.redhat.com/errata/RHSA-2019:1782" 18184 }, 18185 { 18186 "type": "WEB", 18187 "url": "https://access.redhat.com/errata/RHSA-2019:1797" 18188 }, 18189 { 18190 "type": "WEB", 18191 "url": "https://access.redhat.com/errata/RHSA-2019:2858" 18192 }, 18193 { 18194 "type": "WEB", 18195 "url": "https://access.redhat.com/errata/RHSA-2019:3149" 18196 }, 18197 { 18198 "type": "WEB", 18199 "url": "https://access.redhat.com/errata/RHSA-2019:3892" 18200 } 18201 ], 18202 "schema_version": "1.6.0", 18203 "severity": [ 18204 { 18205 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 18206 "type": "CVSS_V3" 18207 } 18208 ], 18209 "summary": "jackson-databind vulnerable to remote code execution due to incorrect deserialization and blocklist bypass" 18210 }, 18211 { 18212 "affected": [ 18213 { 18214 "database_specific": { 18215 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-rgv9-q543-rqg4/GHSA-rgv9-q543-rqg4.json" 18216 }, 18217 "package": { 18218 "ecosystem": "Maven", 18219 "name": "com.fasterxml.jackson.core:jackson-databind", 18220 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 18221 }, 18222 
"ranges": [ 18223 { 18224 "events": [ 18225 { 18226 "introduced": "0" 18227 }, 18228 { 18229 "fixed": "2.12.7.1" 18230 } 18231 ], 18232 "type": "ECOSYSTEM" 18233 } 18234 ], 18235 "versions": [ 18236 "2.0.0", 18237 "2.0.0-RC1", 18238 "2.0.0-RC2", 18239 "2.0.0-RC3", 18240 "2.0.1", 18241 "2.0.2", 18242 "2.0.4", 18243 "2.0.5", 18244 "2.0.6", 18245 "2.1.0", 18246 "2.1.1", 18247 "2.1.2", 18248 "2.1.3", 18249 "2.1.4", 18250 "2.1.5", 18251 "2.10.0", 18252 "2.10.0.pr1", 18253 "2.10.0.pr2", 18254 "2.10.0.pr3", 18255 "2.10.1", 18256 "2.10.2", 18257 "2.10.3", 18258 "2.10.4", 18259 "2.10.5", 18260 "2.10.5.1", 18261 "2.11.0", 18262 "2.11.0.rc1", 18263 "2.11.1", 18264 "2.11.2", 18265 "2.11.3", 18266 "2.11.4", 18267 "2.12.0", 18268 "2.12.0-rc1", 18269 "2.12.0-rc2", 18270 "2.12.1", 18271 "2.12.2", 18272 "2.12.3", 18273 "2.12.4", 18274 "2.12.5", 18275 "2.12.6", 18276 "2.12.6.1", 18277 "2.12.7", 18278 "2.2.0", 18279 "2.2.0-rc1", 18280 "2.2.1", 18281 "2.2.2", 18282 "2.2.3", 18283 "2.2.4", 18284 "2.3.0", 18285 "2.3.0-rc1", 18286 "2.3.1", 18287 "2.3.2", 18288 "2.3.3", 18289 "2.3.4", 18290 "2.3.5", 18291 "2.4.0", 18292 "2.4.0-rc1", 18293 "2.4.0-rc2", 18294 "2.4.0-rc3", 18295 "2.4.1", 18296 "2.4.1.1", 18297 "2.4.1.2", 18298 "2.4.1.3", 18299 "2.4.2", 18300 "2.4.3", 18301 "2.4.4", 18302 "2.4.5", 18303 "2.4.5.1", 18304 "2.4.6", 18305 "2.4.6.1", 18306 "2.5.0", 18307 "2.5.0-rc1", 18308 "2.5.1", 18309 "2.5.2", 18310 "2.5.3", 18311 "2.5.4", 18312 "2.5.5", 18313 "2.6.0", 18314 "2.6.0-rc1", 18315 "2.6.0-rc2", 18316 "2.6.0-rc3", 18317 "2.6.0-rc4", 18318 "2.6.1", 18319 "2.6.2", 18320 "2.6.3", 18321 "2.6.4", 18322 "2.6.5", 18323 "2.6.6", 18324 "2.6.7", 18325 "2.6.7.1", 18326 "2.6.7.2", 18327 "2.6.7.3", 18328 "2.6.7.4", 18329 "2.6.7.5", 18330 "2.7.0", 18331 "2.7.0-rc1", 18332 "2.7.0-rc2", 18333 "2.7.0-rc3", 18334 "2.7.1", 18335 "2.7.1-1", 18336 "2.7.2", 18337 "2.7.3", 18338 "2.7.4", 18339 "2.7.5", 18340 "2.7.6", 18341 "2.7.7", 18342 "2.7.8", 18343 "2.7.9", 18344 "2.7.9.1", 18345 "2.7.9.2", 18346 
"2.7.9.3", 18347 "2.7.9.4", 18348 "2.7.9.5", 18349 "2.7.9.6", 18350 "2.7.9.7", 18351 "2.8.0", 18352 "2.8.0.rc1", 18353 "2.8.0.rc2", 18354 "2.8.1", 18355 "2.8.10", 18356 "2.8.11", 18357 "2.8.11.1", 18358 "2.8.11.2", 18359 "2.8.11.3", 18360 "2.8.11.4", 18361 "2.8.11.5", 18362 "2.8.11.6", 18363 "2.8.2", 18364 "2.8.3", 18365 "2.8.4", 18366 "2.8.5", 18367 "2.8.6", 18368 "2.8.7", 18369 "2.8.8", 18370 "2.8.8.1", 18371 "2.8.9", 18372 "2.9.0", 18373 "2.9.0.pr1", 18374 "2.9.0.pr2", 18375 "2.9.0.pr3", 18376 "2.9.0.pr4", 18377 "2.9.1", 18378 "2.9.10", 18379 "2.9.10.1", 18380 "2.9.10.2", 18381 "2.9.10.3", 18382 "2.9.10.4", 18383 "2.9.10.5", 18384 "2.9.10.6", 18385 "2.9.10.7", 18386 "2.9.10.8", 18387 "2.9.2", 18388 "2.9.3", 18389 "2.9.4", 18390 "2.9.5", 18391 "2.9.6", 18392 "2.9.7", 18393 "2.9.8", 18394 "2.9.9", 18395 "2.9.9.1", 18396 "2.9.9.2", 18397 "2.9.9.3" 18398 ] 18399 }, 18400 { 18401 "database_specific": { 18402 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-rgv9-q543-rqg4/GHSA-rgv9-q543-rqg4.json" 18403 }, 18404 "package": { 18405 "ecosystem": "Maven", 18406 "name": "com.fasterxml.jackson.core:jackson-databind", 18407 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 18408 }, 18409 "ranges": [ 18410 { 18411 "events": [ 18412 { 18413 "introduced": "2.13.0" 18414 }, 18415 { 18416 "fixed": "2.13.4" 18417 } 18418 ], 18419 "type": "ECOSYSTEM" 18420 } 18421 ], 18422 "versions": [ 18423 "2.13.0", 18424 "2.13.1", 18425 "2.13.2", 18426 "2.13.2.1", 18427 "2.13.2.2", 18428 "2.13.3" 18429 ] 18430 } 18431 ], 18432 "aliases": [ 18433 "CVE-2022-42004" 18434 ], 18435 "database_specific": { 18436 "cwe_ids": [ 18437 "CWE-400", 18438 "CWE-502" 18439 ], 18440 "github_reviewed": true, 18441 "github_reviewed_at": "2022-10-04T21:56:21Z", 18442 "nvd_published_at": "2022-10-02T05:15:00Z", 18443 "severity": "HIGH" 18444 }, 18445 "details": "In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource 
exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.", 18446 "id": "GHSA-rgv9-q543-rqg4", 18447 "modified": "2024-03-14T23:46:09.729455Z", 18448 "published": "2022-10-03T00:00:31Z", 18449 "references": [ 18450 { 18451 "type": "ADVISORY", 18452 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42004" 18453 }, 18454 { 18455 "type": "WEB", 18456 "url": "https://github.com/FasterXML/jackson-databind/issues/3582" 18457 }, 18458 { 18459 "type": "WEB", 18460 "url": "https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88" 18461 }, 18462 { 18463 "type": "WEB", 18464 "url": "https://github.com/FasterXML/jackson-databind/commit/35de19e7144c4df8ab178b800ba86e80c3d84252" 18465 }, 18466 { 18467 "type": "WEB", 18468 "url": "https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea" 18469 }, 18470 { 18471 "type": "WEB", 18472 "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490" 18473 }, 18474 { 18475 "type": "PACKAGE", 18476 "url": "https://github.com/FasterXML/jackson-databind" 18477 }, 18478 { 18479 "type": "WEB", 18480 "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html" 18481 }, 18482 { 18483 "type": "WEB", 18484 "url": "https://security.gentoo.org/glsa/202210-21" 18485 }, 18486 { 18487 "type": "WEB", 18488 "url": "https://security.netapp.com/advisory/ntap-20221118-0008" 18489 }, 18490 { 18491 "type": "WEB", 18492 "url": "https://www.debian.org/security/2022/dsa-5283" 18493 } 18494 ], 18495 "schema_version": "1.6.0", 18496 "severity": [ 18497 { 18498 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 18499 "type": "CVSS_V3" 18500 } 18501 ], 18502 "summary": "Uncontrolled Resource Consumption in FasterXML jackson-databind" 18503 }, 18504 { 18505 "affected": [ 18506 { 18507 "database_specific": { 
18508 "last_known_affected_version_range": "\u003c= 2.9.10.3", 18509 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-rpr3-cw39-3pxh/GHSA-rpr3-cw39-3pxh.json" 18510 }, 18511 "package": { 18512 "ecosystem": "Maven", 18513 "name": "com.fasterxml.jackson.core:jackson-databind", 18514 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 18515 }, 18516 "ranges": [ 18517 { 18518 "events": [ 18519 { 18520 "introduced": "0" 18521 }, 18522 { 18523 "fixed": "2.9.10.4" 18524 } 18525 ], 18526 "type": "ECOSYSTEM" 18527 } 18528 ], 18529 "versions": [ 18530 "2.0.0", 18531 "2.0.0-RC1", 18532 "2.0.0-RC2", 18533 "2.0.0-RC3", 18534 "2.0.1", 18535 "2.0.2", 18536 "2.0.4", 18537 "2.0.5", 18538 "2.0.6", 18539 "2.1.0", 18540 "2.1.1", 18541 "2.1.2", 18542 "2.1.3", 18543 "2.1.4", 18544 "2.1.5", 18545 "2.2.0", 18546 "2.2.0-rc1", 18547 "2.2.1", 18548 "2.2.2", 18549 "2.2.3", 18550 "2.2.4", 18551 "2.3.0", 18552 "2.3.0-rc1", 18553 "2.3.1", 18554 "2.3.2", 18555 "2.3.3", 18556 "2.3.4", 18557 "2.3.5", 18558 "2.4.0", 18559 "2.4.0-rc1", 18560 "2.4.0-rc2", 18561 "2.4.0-rc3", 18562 "2.4.1", 18563 "2.4.1.1", 18564 "2.4.1.2", 18565 "2.4.1.3", 18566 "2.4.2", 18567 "2.4.3", 18568 "2.4.4", 18569 "2.4.5", 18570 "2.4.5.1", 18571 "2.4.6", 18572 "2.4.6.1", 18573 "2.5.0", 18574 "2.5.0-rc1", 18575 "2.5.1", 18576 "2.5.2", 18577 "2.5.3", 18578 "2.5.4", 18579 "2.5.5", 18580 "2.6.0", 18581 "2.6.0-rc1", 18582 "2.6.0-rc2", 18583 "2.6.0-rc3", 18584 "2.6.0-rc4", 18585 "2.6.1", 18586 "2.6.2", 18587 "2.6.3", 18588 "2.6.4", 18589 "2.6.5", 18590 "2.6.6", 18591 "2.6.7", 18592 "2.6.7.1", 18593 "2.6.7.2", 18594 "2.6.7.3", 18595 "2.6.7.4", 18596 "2.6.7.5", 18597 "2.7.0", 18598 "2.7.0-rc1", 18599 "2.7.0-rc2", 18600 "2.7.0-rc3", 18601 "2.7.1", 18602 "2.7.1-1", 18603 "2.7.2", 18604 "2.7.3", 18605 "2.7.4", 18606 "2.7.5", 18607 "2.7.6", 18608 "2.7.7", 18609 "2.7.8", 18610 "2.7.9", 18611 "2.7.9.1", 18612 "2.7.9.2", 18613 "2.7.9.3", 18614 "2.7.9.4", 18615 "2.7.9.5", 
18616 "2.7.9.6", 18617 "2.7.9.7", 18618 "2.8.0", 18619 "2.8.0.rc1", 18620 "2.8.0.rc2", 18621 "2.8.1", 18622 "2.8.10", 18623 "2.8.11", 18624 "2.8.11.1", 18625 "2.8.11.2", 18626 "2.8.11.3", 18627 "2.8.11.4", 18628 "2.8.11.5", 18629 "2.8.11.6", 18630 "2.8.2", 18631 "2.8.3", 18632 "2.8.4", 18633 "2.8.5", 18634 "2.8.6", 18635 "2.8.7", 18636 "2.8.8", 18637 "2.8.8.1", 18638 "2.8.9", 18639 "2.9.0", 18640 "2.9.0.pr1", 18641 "2.9.0.pr2", 18642 "2.9.0.pr3", 18643 "2.9.0.pr4", 18644 "2.9.1", 18645 "2.9.10", 18646 "2.9.10.1", 18647 "2.9.10.2", 18648 "2.9.10.3", 18649 "2.9.2", 18650 "2.9.3", 18651 "2.9.4", 18652 "2.9.5", 18653 "2.9.6", 18654 "2.9.7", 18655 "2.9.8", 18656 "2.9.9", 18657 "2.9.9.1", 18658 "2.9.9.2", 18659 "2.9.9.3" 18660 ] 18661 } 18662 ], 18663 "aliases": [ 18664 "CVE-2020-10650" 18665 ], 18666 "database_specific": { 18667 "cwe_ids": [ 18668 "CWE-502" 18669 ], 18670 "github_reviewed": true, 18671 "github_reviewed_at": "2022-07-15T19:41:47Z", 18672 "nvd_published_at": "2022-12-26T20:15:00Z", 18673 "severity": "HIGH" 18674 }, 18675 "details": "The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class `ignite-jta`.", 18676 "id": "GHSA-rpr3-cw39-3pxh", 18677 "modified": "2024-02-17T05:35:59.864022Z", 18678 "published": "2022-07-15T19:41:47Z", 18679 "references": [ 18680 { 18681 "type": "ADVISORY", 18682 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10650" 18683 }, 18684 { 18685 "type": "WEB", 18686 "url": "https://github.com/FasterXML/jackson-databind/issues/2658" 18687 }, 18688 { 18689 "type": "WEB", 18690 "url": "https://github.com/luisgarciacheckmarx/LGV_onefile/issues/19" 18691 }, 18692 { 18693 "type": "WEB", 18694 "url": "https://github.com/FasterXML/jackson-databind/pull/2864" 18695 }, 18696 { 18697 "type": "WEB", 18698 "url": "https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef" 18699 }, 
18700 { 18701 "type": "PACKAGE", 18702 "url": "https://github.com/FasterXML/jackson-databind" 18703 }, 18704 { 18705 "type": "WEB", 18706 "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html" 18707 }, 18708 { 18709 "type": "WEB", 18710 "url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 18711 }, 18712 { 18713 "type": "WEB", 18714 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 18715 }, 18716 { 18717 "type": "WEB", 18718 "url": "https://security.netapp.com/advisory/ntap-20230818-0007" 18719 }, 18720 { 18721 "type": "WEB", 18722 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 18723 }, 18724 { 18725 "type": "WEB", 18726 "url": "https://www.oracle.com/security-alerts/cpuoct2022.html" 18727 } 18728 ], 18729 "schema_version": "1.6.0", 18730 "severity": [ 18731 { 18732 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 18733 "type": "CVSS_V3" 18734 } 18735 ], 18736 "summary": "jackson-databind before 2.9.10.4 vulnerable to unsafe deserialization" 18737 }, 18738 { 18739 "affected": [ 18740 { 18741 "database_specific": { 18742 "last_known_affected_version_range": "\u003c= 2.9.10.3", 18743 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-v3xw-c963-f5hc/GHSA-v3xw-c963-f5hc.json" 18744 }, 18745 "package": { 18746 "ecosystem": "Maven", 18747 "name": "com.fasterxml.jackson.core:jackson-databind", 18748 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 18749 }, 18750 "ranges": [ 18751 { 18752 "events": [ 18753 { 18754 "introduced": "2.9.0" 18755 }, 18756 { 18757 "fixed": "2.9.10.4" 18758 } 18759 ], 18760 "type": "ECOSYSTEM" 18761 } 18762 ], 18763 "versions": [ 18764 "2.9.0", 18765 "2.9.0.pr1", 18766 "2.9.0.pr2", 18767 "2.9.0.pr3", 18768 "2.9.0.pr4", 18769 "2.9.1", 18770 "2.9.10", 18771 "2.9.10.1", 18772 "2.9.10.2", 18773 "2.9.10.3", 18774 
"2.9.2", 18775 "2.9.3", 18776 "2.9.4", 18777 "2.9.5", 18778 "2.9.6", 18779 "2.9.7", 18780 "2.9.8", 18781 "2.9.9", 18782 "2.9.9.1", 18783 "2.9.9.2", 18784 "2.9.9.3" 18785 ] 18786 } 18787 ], 18788 "aliases": [ 18789 "CVE-2020-11111" 18790 ], 18791 "database_specific": { 18792 "cwe_ids": [ 18793 "CWE-502" 18794 ], 18795 "github_reviewed": true, 18796 "github_reviewed_at": "2020-04-23T19:31:18Z", 18797 "nvd_published_at": "2020-03-31T05:15:00Z", 18798 "severity": "HIGH" 18799 }, 18800 "details": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).", 18801 "id": "GHSA-v3xw-c963-f5hc", 18802 "modified": "2024-02-16T08:09:27.960507Z", 18803 "published": "2020-05-15T18:58:50Z", 18804 "references": [ 18805 { 18806 "type": "ADVISORY", 18807 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11111" 18808 }, 18809 { 18810 "type": "WEB", 18811 "url": "https://github.com/FasterXML/jackson-databind/issues/2664" 18812 }, 18813 { 18814 "type": "PACKAGE", 18815 "url": "https://github.com/FasterXML/jackson-databind" 18816 }, 18817 { 18818 "type": "WEB", 18819 "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html" 18820 }, 18821 { 18822 "type": "WEB", 18823 "url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 18824 }, 18825 { 18826 "type": "WEB", 18827 "url": "https://security.netapp.com/advisory/ntap-20200403-0002" 18828 }, 18829 { 18830 "type": "WEB", 18831 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 18832 }, 18833 { 18834 "type": "WEB", 18835 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 18836 }, 18837 { 18838 "type": "WEB", 18839 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 18840 }, 18841 { 18842 "type": "WEB", 18843 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 
18844 } 18845 ], 18846 "schema_version": "1.6.0", 18847 "severity": [ 18848 { 18849 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", 18850 "type": "CVSS_V3" 18851 } 18852 ], 18853 "summary": "jackson-databind mishandles the interaction between serialization gadgets and typing" 18854 }, 18855 { 18856 "affected": [ 18857 { 18858 "database_specific": { 18859 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-v585-23hc-c647/GHSA-v585-23hc-c647.json" 18860 }, 18861 "package": { 18862 "ecosystem": "Maven", 18863 "name": "com.fasterxml.jackson.core:jackson-databind", 18864 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 18865 }, 18866 "ranges": [ 18867 { 18868 "events": [ 18869 { 18870 "introduced": "2.0.0" 18871 }, 18872 { 18873 "fixed": "2.9.10.8" 18874 } 18875 ], 18876 "type": "ECOSYSTEM" 18877 } 18878 ], 18879 "versions": [ 18880 "2.0.0", 18881 "2.0.1", 18882 "2.0.2", 18883 "2.0.4", 18884 "2.0.5", 18885 "2.0.6", 18886 "2.1.0", 18887 "2.1.1", 18888 "2.1.2", 18889 "2.1.3", 18890 "2.1.4", 18891 "2.1.5", 18892 "2.2.0", 18893 "2.2.0-rc1", 18894 "2.2.1", 18895 "2.2.2", 18896 "2.2.3", 18897 "2.2.4", 18898 "2.3.0", 18899 "2.3.0-rc1", 18900 "2.3.1", 18901 "2.3.2", 18902 "2.3.3", 18903 "2.3.4", 18904 "2.3.5", 18905 "2.4.0", 18906 "2.4.0-rc1", 18907 "2.4.0-rc2", 18908 "2.4.0-rc3", 18909 "2.4.1", 18910 "2.4.1.1", 18911 "2.4.1.2", 18912 "2.4.1.3", 18913 "2.4.2", 18914 "2.4.3", 18915 "2.4.4", 18916 "2.4.5", 18917 "2.4.5.1", 18918 "2.4.6", 18919 "2.4.6.1", 18920 "2.5.0", 18921 "2.5.0-rc1", 18922 "2.5.1", 18923 "2.5.2", 18924 "2.5.3", 18925 "2.5.4", 18926 "2.5.5", 18927 "2.6.0", 18928 "2.6.0-rc1", 18929 "2.6.0-rc2", 18930 "2.6.0-rc3", 18931 "2.6.0-rc4", 18932 "2.6.1", 18933 "2.6.2", 18934 "2.6.3", 18935 "2.6.4", 18936 "2.6.5", 18937 "2.6.6", 18938 "2.6.7", 18939 "2.6.7.1", 18940 "2.6.7.2", 18941 "2.6.7.3", 18942 "2.6.7.4", 18943 "2.6.7.5", 18944 "2.7.0", 18945 "2.7.0-rc1", 18946 "2.7.0-rc2", 18947 
"2.7.0-rc3", 18948 "2.7.1", 18949 "2.7.1-1", 18950 "2.7.2", 18951 "2.7.3", 18952 "2.7.4", 18953 "2.7.5", 18954 "2.7.6", 18955 "2.7.7", 18956 "2.7.8", 18957 "2.7.9", 18958 "2.7.9.1", 18959 "2.7.9.2", 18960 "2.7.9.3", 18961 "2.7.9.4", 18962 "2.7.9.5", 18963 "2.7.9.6", 18964 "2.7.9.7", 18965 "2.8.0", 18966 "2.8.0.rc1", 18967 "2.8.0.rc2", 18968 "2.8.1", 18969 "2.8.10", 18970 "2.8.11", 18971 "2.8.11.1", 18972 "2.8.11.2", 18973 "2.8.11.3", 18974 "2.8.11.4", 18975 "2.8.11.5", 18976 "2.8.11.6", 18977 "2.8.2", 18978 "2.8.3", 18979 "2.8.4", 18980 "2.8.5", 18981 "2.8.6", 18982 "2.8.7", 18983 "2.8.8", 18984 "2.8.8.1", 18985 "2.8.9", 18986 "2.9.0", 18987 "2.9.0.pr1", 18988 "2.9.0.pr2", 18989 "2.9.0.pr3", 18990 "2.9.0.pr4", 18991 "2.9.1", 18992 "2.9.10", 18993 "2.9.10.1", 18994 "2.9.10.2", 18995 "2.9.10.3", 18996 "2.9.10.4", 18997 "2.9.10.5", 18998 "2.9.10.6", 18999 "2.9.10.7", 19000 "2.9.2", 19001 "2.9.3", 19002 "2.9.4", 19003 "2.9.5", 19004 "2.9.6", 19005 "2.9.7", 19006 "2.9.8", 19007 "2.9.9", 19008 "2.9.9.1", 19009 "2.9.9.2", 19010 "2.9.9.3" 19011 ] 19012 } 19013 ], 19014 "aliases": [ 19015 "CVE-2020-36186" 19016 ], 19017 "database_specific": { 19018 "cwe_ids": [ 19019 "CWE-502" 19020 ], 19021 "github_reviewed": true, 19022 "github_reviewed_at": "2021-03-18T23:16:26Z", 19023 "nvd_published_at": "2021-01-06T23:15:00Z", 19024 "severity": "HIGH" 19025 }, 19026 "details": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource`.", 19027 "id": "GHSA-v585-23hc-c647", 19028 "modified": "2024-02-18T05:22:38.02446Z", 19029 "published": "2021-11-19T20:13:06Z", 19030 "references": [ 19031 { 19032 "type": "ADVISORY", 19033 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36186" 19034 }, 19035 { 19036 "type": "WEB", 19037 "url": "https://github.com/FasterXML/jackson-databind/issues/2997" 19038 }, 19039 { 19040 "type": "WEB", 19041 "url": 
"https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1" 19042 }, 19043 { 19044 "type": "WEB", 19045 "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 19046 }, 19047 { 19048 "type": "PACKAGE", 19049 "url": "https://github.com/FasterXML/jackson-databind" 19050 }, 19051 { 19052 "type": "WEB", 19053 "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" 19054 }, 19055 { 19056 "type": "WEB", 19057 "url": "https://security.netapp.com/advisory/ntap-20210205-0005" 19058 }, 19059 { 19060 "type": "WEB", 19061 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 19062 }, 19063 { 19064 "type": "WEB", 19065 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 19066 }, 19067 { 19068 "type": "WEB", 19069 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 19070 }, 19071 { 19072 "type": "WEB", 19073 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 19074 }, 19075 { 19076 "type": "WEB", 19077 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 19078 }, 19079 { 19080 "type": "WEB", 19081 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 19082 } 19083 ], 19084 "schema_version": "1.6.0", 19085 "severity": [ 19086 { 19087 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 19088 "type": "CVSS_V3" 19089 } 19090 ], 19091 "summary": "Unsafe Deserialization in jackson-databind" 19092 }, 19093 { 19094 "affected": [ 19095 { 19096 "database_specific": { 19097 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-vfqx-33qm-g869/GHSA-vfqx-33qm-g869.json" 19098 }, 19099 "package": { 19100 "ecosystem": "Maven", 19101 "name": "com.fasterxml.jackson.core:jackson-databind", 19102 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 19103 }, 19104 "ranges": [ 19105 { 19106 "events": [ 19107 { 19108 "introduced": "2.7.0" 19109 }, 19110 { 
19111 "fixed": "2.9.10.8" 19112 } 19113 ], 19114 "type": "ECOSYSTEM" 19115 } 19116 ], 19117 "versions": [ 19118 "2.7.0", 19119 "2.7.1", 19120 "2.7.1-1", 19121 "2.7.2", 19122 "2.7.3", 19123 "2.7.4", 19124 "2.7.5", 19125 "2.7.6", 19126 "2.7.7", 19127 "2.7.8", 19128 "2.7.9", 19129 "2.7.9.1", 19130 "2.7.9.2", 19131 "2.7.9.3", 19132 "2.7.9.4", 19133 "2.7.9.5", 19134 "2.7.9.6", 19135 "2.7.9.7", 19136 "2.8.0", 19137 "2.8.0.rc1", 19138 "2.8.0.rc2", 19139 "2.8.1", 19140 "2.8.10", 19141 "2.8.11", 19142 "2.8.11.1", 19143 "2.8.11.2", 19144 "2.8.11.3", 19145 "2.8.11.4", 19146 "2.8.11.5", 19147 "2.8.11.6", 19148 "2.8.2", 19149 "2.8.3", 19150 "2.8.4", 19151 "2.8.5", 19152 "2.8.6", 19153 "2.8.7", 19154 "2.8.8", 19155 "2.8.8.1", 19156 "2.8.9", 19157 "2.9.0", 19158 "2.9.0.pr1", 19159 "2.9.0.pr2", 19160 "2.9.0.pr3", 19161 "2.9.0.pr4", 19162 "2.9.1", 19163 "2.9.10", 19164 "2.9.10.1", 19165 "2.9.10.2", 19166 "2.9.10.3", 19167 "2.9.10.4", 19168 "2.9.10.5", 19169 "2.9.10.6", 19170 "2.9.10.7", 19171 "2.9.2", 19172 "2.9.3", 19173 "2.9.4", 19174 "2.9.5", 19175 "2.9.6", 19176 "2.9.7", 19177 "2.9.8", 19178 "2.9.9", 19179 "2.9.9.1", 19180 "2.9.9.2", 19181 "2.9.9.3" 19182 ] 19183 }, 19184 { 19185 "database_specific": { 19186 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-vfqx-33qm-g869/GHSA-vfqx-33qm-g869.json" 19187 }, 19188 "package": { 19189 "ecosystem": "Maven", 19190 "name": "com.fasterxml.jackson.core:jackson-databind", 19191 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 19192 }, 19193 "ranges": [ 19194 { 19195 "events": [ 19196 { 19197 "introduced": "0" 19198 }, 19199 { 19200 "fixed": "2.6.7.5" 19201 } 19202 ], 19203 "type": "ECOSYSTEM" 19204 } 19205 ], 19206 "versions": [ 19207 "2.0.0", 19208 "2.0.0-RC1", 19209 "2.0.0-RC2", 19210 "2.0.0-RC3", 19211 "2.0.1", 19212 "2.0.2", 19213 "2.0.4", 19214 "2.0.5", 19215 "2.0.6", 19216 "2.1.0", 19217 "2.1.1", 19218 "2.1.2", 19219 "2.1.3", 19220 "2.1.4", 19221 "2.1.5", 19222 
"2.2.0", 19223 "2.2.0-rc1", 19224 "2.2.1", 19225 "2.2.2", 19226 "2.2.3", 19227 "2.2.4", 19228 "2.3.0", 19229 "2.3.0-rc1", 19230 "2.3.1", 19231 "2.3.2", 19232 "2.3.3", 19233 "2.3.4", 19234 "2.3.5", 19235 "2.4.0", 19236 "2.4.0-rc1", 19237 "2.4.0-rc2", 19238 "2.4.0-rc3", 19239 "2.4.1", 19240 "2.4.1.1", 19241 "2.4.1.2", 19242 "2.4.1.3", 19243 "2.4.2", 19244 "2.4.3", 19245 "2.4.4", 19246 "2.4.5", 19247 "2.4.5.1", 19248 "2.4.6", 19249 "2.4.6.1", 19250 "2.5.0", 19251 "2.5.0-rc1", 19252 "2.5.1", 19253 "2.5.2", 19254 "2.5.3", 19255 "2.5.4", 19256 "2.5.5", 19257 "2.6.0", 19258 "2.6.0-rc1", 19259 "2.6.0-rc2", 19260 "2.6.0-rc3", 19261 "2.6.0-rc4", 19262 "2.6.1", 19263 "2.6.2", 19264 "2.6.3", 19265 "2.6.4", 19266 "2.6.5", 19267 "2.6.6", 19268 "2.6.7", 19269 "2.6.7.1", 19270 "2.6.7.2", 19271 "2.6.7.3", 19272 "2.6.7.4" 19273 ] 19274 } 19275 ], 19276 "aliases": [ 19277 "CVE-2020-36189" 19278 ], 19279 "database_specific": { 19280 "cwe_ids": [ 19281 "CWE-502" 19282 ], 19283 "github_reviewed": true, 19284 "github_reviewed_at": "2021-03-18T23:14:22Z", 19285 "nvd_published_at": "2021-01-06T23:15:00Z", 19286 "severity": "HIGH" 19287 }, 19288 "details": "FasterXML jackson-databind 2.x before 2.9.10.8 an 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.", 19289 "id": "GHSA-vfqx-33qm-g869", 19290 "modified": "2024-02-18T05:24:26.785781Z", 19291 "published": "2021-12-09T19:16:59Z", 19292 "references": [ 19293 { 19294 "type": "ADVISORY", 19295 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36189" 19296 }, 19297 { 19298 "type": "WEB", 19299 "url": "https://github.com/FasterXML/jackson-databind/issues/2996" 19300 }, 19301 { 19302 "type": "WEB", 19303 "url": "https://github.com/FasterXML/jackson-databind/commit/33d96c13fe18a2dad01b19ce195548c9acea9da4" 19304 }, 19305 { 19306 "type": "WEB", 19307 "url": 
"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 19308 }, 19309 { 19310 "type": "PACKAGE", 19311 "url": "https://github.com/FasterXML/jackson-databind" 19312 }, 19313 { 19314 "type": "WEB", 19315 "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" 19316 }, 19317 { 19318 "type": "WEB", 19319 "url": "https://security.netapp.com/advisory/ntap-20210205-0005" 19320 }, 19321 { 19322 "type": "WEB", 19323 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 19324 }, 19325 { 19326 "type": "WEB", 19327 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 19328 }, 19329 { 19330 "type": "WEB", 19331 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 19332 }, 19333 { 19334 "type": "WEB", 19335 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 19336 }, 19337 { 19338 "type": "WEB", 19339 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 19340 }, 19341 { 19342 "type": "WEB", 19343 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 19344 } 19345 ], 19346 "schema_version": "1.6.0", 19347 "severity": [ 19348 { 19349 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 19350 "type": "CVSS_V3" 19351 } 19352 ], 19353 "summary": "Unsafe Deserialization in jackson-databind" 19354 }, 19355 { 19356 "affected": [ 19357 { 19358 "database_specific": { 19359 "last_known_affected_version_range": "\u003c 2.8.11", 19360 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-w3f4-3q6j-rh82/GHSA-w3f4-3q6j-rh82.json" 19361 }, 19362 "package": { 19363 "ecosystem": "Maven", 19364 "name": "com.fasterxml.jackson.core:jackson-databind", 19365 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 19366 }, 19367 "ranges": [ 19368 { 19369 "events": [ 19370 { 19371 "introduced": "2.8.0" 19372 }, 19373 { 19374 "fixed": "2.8.11.1" 19375 } 19376 ], 19377 "type": "ECOSYSTEM" 19378 } 19379 ], 19380 
"versions": [ 19381 "2.8.0", 19382 "2.8.1", 19383 "2.8.10", 19384 "2.8.11", 19385 "2.8.2", 19386 "2.8.3", 19387 "2.8.4", 19388 "2.8.5", 19389 "2.8.6", 19390 "2.8.7", 19391 "2.8.8", 19392 "2.8.8.1", 19393 "2.8.9" 19394 ] 19395 }, 19396 { 19397 "database_specific": { 19398 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-w3f4-3q6j-rh82/GHSA-w3f4-3q6j-rh82.json" 19399 }, 19400 "package": { 19401 "ecosystem": "Maven", 19402 "name": "com.fasterxml.jackson.core:jackson-databind", 19403 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 19404 }, 19405 "ranges": [ 19406 { 19407 "events": [ 19408 { 19409 "introduced": "2.9.0" 19410 }, 19411 { 19412 "fixed": "2.9.4" 19413 } 19414 ], 19415 "type": "ECOSYSTEM" 19416 } 19417 ], 19418 "versions": [ 19419 "2.9.0", 19420 "2.9.0.pr1", 19421 "2.9.0.pr2", 19422 "2.9.0.pr3", 19423 "2.9.0.pr4", 19424 "2.9.1", 19425 "2.9.2", 19426 "2.9.3" 19427 ] 19428 }, 19429 { 19430 "database_specific": { 19431 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-w3f4-3q6j-rh82/GHSA-w3f4-3q6j-rh82.json" 19432 }, 19433 "package": { 19434 "ecosystem": "Maven", 19435 "name": "com.fasterxml.jackson.core:jackson-databind", 19436 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 19437 }, 19438 "ranges": [ 19439 { 19440 "events": [ 19441 { 19442 "introduced": "0" 19443 }, 19444 { 19445 "fixed": "2.7.9.5" 19446 } 19447 ], 19448 "type": "ECOSYSTEM" 19449 } 19450 ], 19451 "versions": [ 19452 "2.0.0", 19453 "2.0.0-RC1", 19454 "2.0.0-RC2", 19455 "2.0.0-RC3", 19456 "2.0.1", 19457 "2.0.2", 19458 "2.0.4", 19459 "2.0.5", 19460 "2.0.6", 19461 "2.1.0", 19462 "2.1.1", 19463 "2.1.2", 19464 "2.1.3", 19465 "2.1.4", 19466 "2.1.5", 19467 "2.2.0", 19468 "2.2.0-rc1", 19469 "2.2.1", 19470 "2.2.2", 19471 "2.2.3", 19472 "2.2.4", 19473 "2.3.0", 19474 "2.3.0-rc1", 19475 "2.3.1", 19476 "2.3.2", 19477 "2.3.3", 19478 "2.3.4", 19479 "2.3.5", 19480 
"2.4.0", 19481 "2.4.0-rc1", 19482 "2.4.0-rc2", 19483 "2.4.0-rc3", 19484 "2.4.1", 19485 "2.4.1.1", 19486 "2.4.1.2", 19487 "2.4.1.3", 19488 "2.4.2", 19489 "2.4.3", 19490 "2.4.4", 19491 "2.4.5", 19492 "2.4.5.1", 19493 "2.4.6", 19494 "2.4.6.1", 19495 "2.5.0", 19496 "2.5.0-rc1", 19497 "2.5.1", 19498 "2.5.2", 19499 "2.5.3", 19500 "2.5.4", 19501 "2.5.5", 19502 "2.6.0", 19503 "2.6.0-rc1", 19504 "2.6.0-rc2", 19505 "2.6.0-rc3", 19506 "2.6.0-rc4", 19507 "2.6.1", 19508 "2.6.2", 19509 "2.6.3", 19510 "2.6.4", 19511 "2.6.5", 19512 "2.6.6", 19513 "2.6.7", 19514 "2.6.7.1", 19515 "2.6.7.2", 19516 "2.6.7.3", 19517 "2.6.7.4", 19518 "2.6.7.5", 19519 "2.7.0", 19520 "2.7.0-rc1", 19521 "2.7.0-rc2", 19522 "2.7.0-rc3", 19523 "2.7.1", 19524 "2.7.1-1", 19525 "2.7.2", 19526 "2.7.3", 19527 "2.7.4", 19528 "2.7.5", 19529 "2.7.6", 19530 "2.7.7", 19531 "2.7.8", 19532 "2.7.9", 19533 "2.7.9.1", 19534 "2.7.9.2", 19535 "2.7.9.3", 19536 "2.7.9.4" 19537 ] 19538 } 19539 ], 19540 "aliases": [ 19541 "CVE-2018-5968" 19542 ], 19543 "database_specific": { 19544 "cwe_ids": [ 19545 "CWE-184", 19546 "CWE-502" 19547 ], 19548 "github_reviewed": true, 19549 "github_reviewed_at": "2020-06-30T20:40:31Z", 19550 "nvd_published_at": "2018-01-22T04:29:00Z", 19551 "severity": "HIGH" 19552 }, 19553 "details": "FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. 
This is exploitable via two different gadgets that bypass a blacklist.", 19554 "id": "GHSA-w3f4-3q6j-rh82", 19555 "modified": "2024-03-11T05:18:22.727055Z", 19556 "published": "2020-06-30T20:40:50Z", 19557 "references": [ 19558 { 19559 "type": "ADVISORY", 19560 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5968" 19561 }, 19562 { 19563 "type": "WEB", 19564 "url": "https://github.com/FasterXML/jackson-databind/issues/1899" 19565 }, 19566 { 19567 "type": "WEB", 19568 "url": "https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05" 19569 }, 19570 { 19571 "type": "WEB", 19572 "url": "https://github.com/FasterXML/jackson-databind/commit/454be8bb8c913be18298327a84ca45a280b61605" 19573 }, 19574 { 19575 "type": "WEB", 19576 "url": "https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d0" 19577 }, 19578 { 19579 "type": "WEB", 19580 "url": "https://github.com/FasterXML/jackson-databind/commit/03ea0bec6293d4330b5ad19d1d62aca0e3cb6381" 19581 }, 19582 { 19583 "type": "WEB", 19584 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 19585 }, 19586 { 19587 "type": "WEB", 19588 "url": "https://www.debian.org/security/2018/dsa-4114" 19589 }, 19590 { 19591 "type": "WEB", 19592 "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03902en_us" 19593 }, 19594 { 19595 "type": "WEB", 19596 "url": "https://security.netapp.com/advisory/ntap-20180423-0002" 19597 }, 19598 { 19599 "type": "PACKAGE", 19600 "url": "https://github.com/FasterXML/jackson-databind" 19601 }, 19602 { 19603 "type": "WEB", 19604 "url": "https://access.redhat.com/errata/RHSA-2019:3149" 19605 }, 19606 { 19607 "type": "WEB", 19608 "url": "https://access.redhat.com/errata/RHSA-2019:2858" 19609 }, 19610 { 19611 "type": "WEB", 19612 "url": "https://access.redhat.com/errata/RHSA-2018:1525" 19613 }, 19614 { 19615 "type": "WEB", 19616 "url": 
"https://access.redhat.com/errata/RHSA-2018:0481" 19617 }, 19618 { 19619 "type": "WEB", 19620 "url": "https://access.redhat.com/errata/RHSA-2018:0480" 19621 }, 19622 { 19623 "type": "WEB", 19624 "url": "https://access.redhat.com/errata/RHSA-2018:0479" 19625 }, 19626 { 19627 "type": "WEB", 19628 "url": "https://access.redhat.com/errata/RHSA-2018:0478" 19629 } 19630 ], 19631 "schema_version": "1.6.0", 19632 "severity": [ 19633 { 19634 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 19635 "type": "CVSS_V3" 19636 } 19637 ], 19638 "summary": "Deserialization of Untrusted Data in jackson-databind" 19639 }, 19640 { 19641 "affected": [ 19642 { 19643 "database_specific": { 19644 "last_known_affected_version_range": "\u003c= 2.9.10.7", 19645 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wh8g-3j2c-rqj5/GHSA-wh8g-3j2c-rqj5.json" 19646 }, 19647 "package": { 19648 "ecosystem": "Maven", 19649 "name": "com.fasterxml.jackson.core:jackson-databind", 19650 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 19651 }, 19652 "ranges": [ 19653 { 19654 "events": [ 19655 { 19656 "introduced": "2.0.0" 19657 }, 19658 { 19659 "fixed": "2.9.10.8" 19660 } 19661 ], 19662 "type": "ECOSYSTEM" 19663 } 19664 ], 19665 "versions": [ 19666 "2.0.0", 19667 "2.0.1", 19668 "2.0.2", 19669 "2.0.4", 19670 "2.0.5", 19671 "2.0.6", 19672 "2.1.0", 19673 "2.1.1", 19674 "2.1.2", 19675 "2.1.3", 19676 "2.1.4", 19677 "2.1.5", 19678 "2.2.0", 19679 "2.2.0-rc1", 19680 "2.2.1", 19681 "2.2.2", 19682 "2.2.3", 19683 "2.2.4", 19684 "2.3.0", 19685 "2.3.0-rc1", 19686 "2.3.1", 19687 "2.3.2", 19688 "2.3.3", 19689 "2.3.4", 19690 "2.3.5", 19691 "2.4.0", 19692 "2.4.0-rc1", 19693 "2.4.0-rc2", 19694 "2.4.0-rc3", 19695 "2.4.1", 19696 "2.4.1.1", 19697 "2.4.1.2", 19698 "2.4.1.3", 19699 "2.4.2", 19700 "2.4.3", 19701 "2.4.4", 19702 "2.4.5", 19703 "2.4.5.1", 19704 "2.4.6", 19705 "2.4.6.1", 19706 "2.5.0", 19707 "2.5.0-rc1", 19708 "2.5.1", 19709 "2.5.2", 19710 
"2.5.3", 19711 "2.5.4", 19712 "2.5.5", 19713 "2.6.0", 19714 "2.6.0-rc1", 19715 "2.6.0-rc2", 19716 "2.6.0-rc3", 19717 "2.6.0-rc4", 19718 "2.6.1", 19719 "2.6.2", 19720 "2.6.3", 19721 "2.6.4", 19722 "2.6.5", 19723 "2.6.6", 19724 "2.6.7", 19725 "2.6.7.1", 19726 "2.6.7.2", 19727 "2.6.7.3", 19728 "2.6.7.4", 19729 "2.6.7.5", 19730 "2.7.0", 19731 "2.7.0-rc1", 19732 "2.7.0-rc2", 19733 "2.7.0-rc3", 19734 "2.7.1", 19735 "2.7.1-1", 19736 "2.7.2", 19737 "2.7.3", 19738 "2.7.4", 19739 "2.7.5", 19740 "2.7.6", 19741 "2.7.7", 19742 "2.7.8", 19743 "2.7.9", 19744 "2.7.9.1", 19745 "2.7.9.2", 19746 "2.7.9.3", 19747 "2.7.9.4", 19748 "2.7.9.5", 19749 "2.7.9.6", 19750 "2.7.9.7", 19751 "2.8.0", 19752 "2.8.0.rc1", 19753 "2.8.0.rc2", 19754 "2.8.1", 19755 "2.8.10", 19756 "2.8.11", 19757 "2.8.11.1", 19758 "2.8.11.2", 19759 "2.8.11.3", 19760 "2.8.11.4", 19761 "2.8.11.5", 19762 "2.8.11.6", 19763 "2.8.2", 19764 "2.8.3", 19765 "2.8.4", 19766 "2.8.5", 19767 "2.8.6", 19768 "2.8.7", 19769 "2.8.8", 19770 "2.8.8.1", 19771 "2.8.9", 19772 "2.9.0", 19773 "2.9.0.pr1", 19774 "2.9.0.pr2", 19775 "2.9.0.pr3", 19776 "2.9.0.pr4", 19777 "2.9.1", 19778 "2.9.10", 19779 "2.9.10.1", 19780 "2.9.10.2", 19781 "2.9.10.3", 19782 "2.9.10.4", 19783 "2.9.10.5", 19784 "2.9.10.6", 19785 "2.9.10.7", 19786 "2.9.2", 19787 "2.9.3", 19788 "2.9.4", 19789 "2.9.5", 19790 "2.9.6", 19791 "2.9.7", 19792 "2.9.8", 19793 "2.9.9", 19794 "2.9.9.1", 19795 "2.9.9.2", 19796 "2.9.9.3" 19797 ] 19798 } 19799 ], 19800 "aliases": [ 19801 "CVE-2020-35490" 19802 ], 19803 "database_specific": { 19804 "cwe_ids": [ 19805 "CWE-502" 19806 ], 19807 "github_reviewed": true, 19808 "github_reviewed_at": "2021-04-08T21:06:39Z", 19809 "nvd_published_at": "2020-12-17T19:15:00Z", 19810 "severity": "HIGH" 19811 }, 19812 "details": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.", 19813 "id": "GHSA-wh8g-3j2c-rqj5", 19814 
"modified": "2024-03-15T00:31:15.123603Z", 19815 "published": "2021-12-09T19:15:00Z", 19816 "references": [ 19817 { 19818 "type": "ADVISORY", 19819 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35490" 19820 }, 19821 { 19822 "type": "WEB", 19823 "url": "https://github.com/FasterXML/jackson-databind/issues/2986" 19824 }, 19825 { 19826 "type": "WEB", 19827 "url": "https://github.com/FasterXML/jackson-databind/commit/41b8bdb5ccc1d8edb71acf1c8234da235a24249d" 19828 }, 19829 { 19830 "type": "WEB", 19831 "url": "https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062" 19832 }, 19833 { 19834 "type": "PACKAGE", 19835 "url": "https://github.com/FasterXML/jackson-databind" 19836 }, 19837 { 19838 "type": "WEB", 19839 "url": "https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html" 19840 }, 19841 { 19842 "type": "WEB", 19843 "url": "https://security.netapp.com/advisory/ntap-20210122-0005" 19844 }, 19845 { 19846 "type": "WEB", 19847 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 19848 }, 19849 { 19850 "type": "WEB", 19851 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 19852 }, 19853 { 19854 "type": "WEB", 19855 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 19856 }, 19857 { 19858 "type": "WEB", 19859 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 19860 }, 19861 { 19862 "type": "WEB", 19863 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 19864 }, 19865 { 19866 "type": "WEB", 19867 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 19868 } 19869 ], 19870 "schema_version": "1.6.0", 19871 "severity": [ 19872 { 19873 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 19874 "type": "CVSS_V3" 19875 } 19876 ], 19877 "summary": "Serialization gadgets exploit in jackson-databind" 19878 }, 19879 { 19880 "affected": [ 19881 { 19882 "database_specific": { 19883 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-x2w5-5m2g-7h5m/GHSA-x2w5-5m2g-7h5m.json" 19884 }, 19885 "package": { 19886 "ecosystem": "Maven", 19887 "name": "com.fasterxml.jackson.core:jackson-databind", 19888 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 19889 }, 19890 "ranges": [ 19891 { 19892 "events": [ 19893 { 19894 "introduced": "2.9.0" 19895 }, 19896 { 19897 "fixed": "2.9.7" 19898 } 19899 ], 19900 "type": "ECOSYSTEM" 19901 } 19902 ], 19903 "versions": [ 19904 "2.9.0", 19905 "2.9.0.pr1", 19906 "2.9.0.pr2", 19907 "2.9.0.pr3", 19908 "2.9.0.pr4", 19909 "2.9.1", 19910 "2.9.2", 19911 "2.9.3", 19912 "2.9.4", 19913 "2.9.5", 19914 "2.9.6" 19915 ] 19916 }, 19917 { 19918 "database_specific": { 19919 "last_known_affected_version_range": "\u003c= 2.8.11.2", 19920 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-x2w5-5m2g-7h5m/GHSA-x2w5-5m2g-7h5m.json" 19921 }, 19922 "package": { 19923 "ecosystem": "Maven", 19924 "name": "com.fasterxml.jackson.core:jackson-databind", 19925 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 19926 }, 19927 "ranges": [ 19928 { 19929 "events": [ 19930 { 19931 "introduced": "2.8.0" 19932 }, 19933 { 19934 "fixed": "2.8.11.3" 19935 } 19936 ], 19937 "type": "ECOSYSTEM" 19938 } 19939 ], 19940 "versions": [ 19941 "2.8.0", 19942 "2.8.1", 19943 "2.8.10", 19944 "2.8.11", 19945 "2.8.11.1", 19946 "2.8.11.2", 19947 "2.8.2", 19948 "2.8.3", 19949 "2.8.4", 19950 "2.8.5", 19951 "2.8.6", 19952 "2.8.7", 19953 "2.8.8", 19954 "2.8.8.1", 19955 "2.8.9" 19956 ] 19957 }, 19958 { 19959 "database_specific": { 19960 "last_known_affected_version_range": "\u003c= 2.7.9.2", 19961 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-x2w5-5m2g-7h5m/GHSA-x2w5-5m2g-7h5m.json" 19962 }, 19963 "package": { 19964 "ecosystem": "Maven", 19965 "name": "com.fasterxml.jackson.core:jackson-databind", 
19966 "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind" 19967 }, 19968 "ranges": [ 19969 { 19970 "events": [ 19971 { 19972 "introduced": "2.7.0" 19973 }, 19974 { 19975 "fixed": "2.7.9.5" 19976 } 19977 ], 19978 "type": "ECOSYSTEM" 19979 } 19980 ], 19981 "versions": [ 19982 "2.7.0", 19983 "2.7.1", 19984 "2.7.1-1", 19985 "2.7.2", 19986 "2.7.3", 19987 "2.7.4", 19988 "2.7.5", 19989 "2.7.6", 19990 "2.7.7", 19991 "2.7.8", 19992 "2.7.9", 19993 "2.7.9.1", 19994 "2.7.9.2", 19995 "2.7.9.3", 19996 "2.7.9.4" 19997 ] 19998 } 19999 ], 20000 "aliases": [ 20001 "CVE-2018-14720" 20002 ], 20003 "database_specific": { 20004 "cwe_ids": [ 20005 "CWE-502", 20006 "CWE-611" 20007 ], 20008 "github_reviewed": true, 20009 "github_reviewed_at": "2020-06-16T22:01:50Z", 20010 "nvd_published_at": null, 20011 "severity": "CRITICAL" 20012 }, 20013 "details": "FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.", 20014 "id": "GHSA-x2w5-5m2g-7h5m", 20015 "modified": "2024-03-12T05:18:06.737632Z", 20016 "published": "2019-01-04T19:09:46Z", 20017 "references": [ 20018 { 20019 "type": "ADVISORY", 20020 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14720" 20021 }, 20022 { 20023 "type": "WEB", 20024 "url": "https://github.com/FasterXML/jackson-databind/issues/2097" 20025 }, 20026 { 20027 "type": "WEB", 20028 "url": "https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44" 20029 }, 20030 { 20031 "type": "WEB", 20032 "url": "https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f@%3Cdev.lucene.apache.org%3E" 20033 }, 20034 { 20035 "type": "WEB", 20036 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 20037 }, 20038 { 20039 "type": "WEB", 20040 "url": 
"https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df@%3Cdev.lucene.apache.org%3E" 20041 }, 20042 { 20043 "type": "WEB", 20044 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 20045 }, 20046 { 20047 "type": "WEB", 20048 "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" 20049 }, 20050 { 20051 "type": "WEB", 20052 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 20053 }, 20054 { 20055 "type": "WEB", 20056 "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html" 20057 }, 20058 { 20059 "type": "WEB", 20060 "url": "https://seclists.org/bugtraq/2019/May/68" 20061 }, 20062 { 20063 "type": "WEB", 20064 "url": "https://security.netapp.com/advisory/ntap-20190530-0003" 20065 }, 20066 { 20067 "type": "WEB", 20068 "url": "https://www.debian.org/security/2019/dsa-4452" 20069 }, 20070 { 20071 "type": "WEB", 20072 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 20073 }, 20074 { 20075 "type": "WEB", 20076 "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" 20077 }, 20078 { 20079 "type": "WEB", 20080 "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" 20081 }, 20082 { 20083 "type": "WEB", 20084 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 20085 }, 20086 { 20087 "type": "WEB", 20088 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 20089 }, 20090 { 20091 "type": "WEB", 20092 "url": "https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286@%3Cdev.lucene.apache.org%3E" 20093 }, 20094 { 20095 "type": "WEB", 20096 "url": 
"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 20097 }, 20098 { 20099 "type": "ADVISORY", 20100 "url": "https://github.com/advisories/GHSA-x2w5-5m2g-7h5m" 20101 }, 20102 { 20103 "type": "WEB", 20104 "url": "https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7" 20105 }, 20106 { 20107 "type": "WEB", 20108 "url": "https://access.redhat.com/errata/RHSA-2019:4037" 20109 }, 20110 { 20111 "type": "WEB", 20112 "url": "https://access.redhat.com/errata/RHSA-2019:3892" 20113 }, 20114 { 20115 "type": "WEB", 20116 "url": "https://access.redhat.com/errata/RHSA-2019:3149" 20117 }, 20118 { 20119 "type": "WEB", 20120 "url": "https://access.redhat.com/errata/RHSA-2019:2858" 20121 }, 20122 { 20123 "type": "WEB", 20124 "url": "https://access.redhat.com/errata/RHSA-2019:1823" 20125 }, 20126 { 20127 "type": "WEB", 20128 "url": "https://access.redhat.com/errata/RHSA-2019:1822" 20129 }, 20130 { 20131 "type": "WEB", 20132 "url": "https://access.redhat.com/errata/RHSA-2019:1140" 20133 }, 20134 { 20135 "type": "WEB", 20136 "url": "https://access.redhat.com/errata/RHSA-2019:1108" 20137 }, 20138 { 20139 "type": "WEB", 20140 "url": "https://access.redhat.com/errata/RHSA-2019:1107" 20141 }, 20142 { 20143 "type": "WEB", 20144 "url": "https://access.redhat.com/errata/RHSA-2019:1106" 20145 }, 20146 { 20147 "type": "WEB", 20148 "url": "https://access.redhat.com/errata/RHSA-2019:0782" 20149 }, 20150 { 20151 "type": "WEB", 20152 "url": "https://access.redhat.com/errata/RHBA-2019:0959" 20153 } 20154 ], 20155 "schema_version": "1.6.0", 20156 "severity": [ 20157 { 20158 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 20159 "type": "CVSS_V3" 20160 } 20161 ], 20162 "summary": "XML External Entity Reference (XXE) in jackson-databind" 20163 }, 20164 { 20165 "affected": [ 20166 { 20167 "database_specific": { 20168 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-3f7h-mf4q-vrm4/GHSA-3f7h-mf4q-vrm4.json" 20169 }, 20170 "package": { 20171 "ecosystem": "Maven", 20172 "name": "com.fasterxml.woodstox:woodstox-core", 20173 "purl": "pkg:maven/com.fasterxml.woodstox/woodstox-core" 20174 }, 20175 "ranges": [ 20176 { 20177 "events": [ 20178 { 20179 "introduced": "6.0.0" 20180 }, 20181 { 20182 "fixed": "6.4.0" 20183 } 20184 ], 20185 "type": "ECOSYSTEM" 20186 } 20187 ], 20188 "versions": [ 20189 "6.0.0", 20190 "6.0.0.pr1", 20191 "6.0.0.pr2", 20192 "6.0.1", 20193 "6.0.2", 20194 "6.0.3", 20195 "6.1.0", 20196 "6.1.1", 20197 "6.2.0", 20198 "6.2.1", 20199 "6.2.2", 20200 "6.2.3", 20201 "6.2.4", 20202 "6.2.5", 20203 "6.2.6", 20204 "6.2.7", 20205 "6.2.8", 20206 "6.3.0", 20207 "6.3.1" 20208 ] 20209 }, 20210 { 20211 "database_specific": { 20212 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-3f7h-mf4q-vrm4/GHSA-3f7h-mf4q-vrm4.json" 20213 }, 20214 "package": { 20215 "ecosystem": "Maven", 20216 "name": "com.fasterxml.woodstox:woodstox-core", 20217 "purl": "pkg:maven/com.fasterxml.woodstox/woodstox-core" 20218 }, 20219 "ranges": [ 20220 { 20221 "events": [ 20222 { 20223 "introduced": "0" 20224 }, 20225 { 20226 "fixed": "5.4.0" 20227 } 20228 ], 20229 "type": "ECOSYSTEM" 20230 } 20231 ], 20232 "versions": [ 20233 "5.0.0", 20234 "5.0.1", 20235 "5.0.2", 20236 "5.0.3", 20237 "5.1.0", 20238 "5.2.0", 20239 "5.2.1", 20240 "5.3.0" 20241 ] 20242 } 20243 ], 20244 "aliases": [ 20245 "CVE-2022-40152" 20246 ], 20247 "database_specific": { 20248 "cwe_ids": [], 20249 "github_reviewed": true, 20250 "github_reviewed_at": "2022-09-20T21:21:07Z", 20251 "nvd_published_at": "2022-09-16T10:15:00Z", 20252 "severity": "MODERATE" 20253 }, 20254 "details": "Those using FasterXML/woodstox to seralize XML data may be vulnerable to Denial of Service attacks (DOS). 
If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.\n\nThis vulnerability is only relevant for users making use of the DTD parsing functionality. ", 20255 "id": "GHSA-3f7h-mf4q-vrm4", 20256 "modified": "2024-02-16T08:14:53.496757Z", 20257 "published": "2022-09-17T00:00:41Z", 20258 "references": [ 20259 { 20260 "type": "ADVISORY", 20261 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40152" 20262 }, 20263 { 20264 "type": "WEB", 20265 "url": "https://github.com/FasterXML/woodstox/issues/157" 20266 }, 20267 { 20268 "type": "WEB", 20269 "url": "https://github.com/FasterXML/woodstox/issues/160" 20270 }, 20271 { 20272 "type": "WEB", 20273 "url": "https://github.com/x-stream/xstream/issues/304" 20274 }, 20275 { 20276 "type": "WEB", 20277 "url": "https://github.com/FasterXML/woodstox/pull/159" 20278 }, 20279 { 20280 "type": "WEB", 20281 "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47434" 20282 }, 20283 { 20284 "type": "PACKAGE", 20285 "url": "https://github.com/FasterXML/woodstox" 20286 } 20287 ], 20288 "schema_version": "1.6.0", 20289 "severity": [ 20290 { 20291 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", 20292 "type": "CVSS_V3" 20293 } 20294 ], 20295 "summary": "Denial of Service due to parser crash" 20296 }, 20297 { 20298 "affected": [ 20299 { 20300 "database_specific": { 20301 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4jrv-ppp4-jm57/GHSA-4jrv-ppp4-jm57.json" 20302 }, 20303 "package": { 20304 "ecosystem": "Maven", 20305 "name": "com.google.code.gson:gson", 20306 "purl": "pkg:maven/com.google.code.gson/gson" 20307 }, 20308 "ranges": [ 20309 { 20310 "events": [ 20311 { 20312 "introduced": "0" 20313 }, 20314 { 20315 "fixed": "2.8.9" 20316 } 20317 ], 20318 "type": "ECOSYSTEM" 20319 } 20320 ], 20321 "versions": [ 20322 "1.1", 20323 "1.4", 20324 "1.5", 
20325 "1.6", 20326 "1.7", 20327 "1.7.1", 20328 "1.7.2", 20329 "2.0", 20330 "2.1", 20331 "2.2", 20332 "2.2.1", 20333 "2.2.2", 20334 "2.2.3", 20335 "2.2.4", 20336 "2.3", 20337 "2.3.1", 20338 "2.4", 20339 "2.5", 20340 "2.6", 20341 "2.6.1", 20342 "2.6.2", 20343 "2.7", 20344 "2.8.0", 20345 "2.8.1", 20346 "2.8.2", 20347 "2.8.3", 20348 "2.8.4", 20349 "2.8.5", 20350 "2.8.6", 20351 "2.8.7", 20352 "2.8.8" 20353 ] 20354 } 20355 ], 20356 "aliases": [ 20357 "CVE-2022-25647", 20358 "SNYK-JAVA-COMGOOGLECODEGSON-1730327" 20359 ], 20360 "database_specific": { 20361 "cwe_ids": [ 20362 "CWE-502" 20363 ], 20364 "github_reviewed": true, 20365 "github_reviewed_at": "2022-05-20T20:31:08Z", 20366 "nvd_published_at": "2022-05-01T16:15:00Z", 20367 "severity": "HIGH" 20368 }, 20369 "details": "The package `com.google.code.gson:gson` before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the `writeReplace()` method in internal classes, which may lead to denial of service attacks.", 20370 "id": "GHSA-4jrv-ppp4-jm57", 20371 "modified": "2024-08-01T07:56:49.343914Z", 20372 "published": "2022-05-03T00:00:44Z", 20373 "references": [ 20374 { 20375 "type": "ADVISORY", 20376 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25647" 20377 }, 20378 { 20379 "type": "WEB", 20380 "url": "https://github.com/google/gson/pull/1991" 20381 }, 20382 { 20383 "type": "WEB", 20384 "url": "https://github.com/google/gson/pull/1991/commits" 20385 }, 20386 { 20387 "type": "PACKAGE", 20388 "url": "https://github.com/google/gson" 20389 }, 20390 { 20391 "type": "WEB", 20392 "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html" 20393 }, 20394 { 20395 "type": "WEB", 20396 "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html" 20397 }, 20398 { 20399 "type": "WEB", 20400 "url": "https://security.netapp.com/advisory/ntap-20220901-0009" 20401 }, 20402 { 20403 "type": "WEB", 20404 "url": "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327" 20405 }, 20406 { 20407 
"type": "WEB", 20408 "url": "https://www.debian.org/security/2022/dsa-5227" 20409 }, 20410 { 20411 "type": "WEB", 20412 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 20413 } 20414 ], 20415 "related": [ 20416 "CGA-828p-4xp8-m457" 20417 ], 20418 "schema_version": "1.6.0", 20419 "severity": [ 20420 { 20421 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H", 20422 "type": "CVSS_V3" 20423 } 20424 ], 20425 "summary": "Deserialization of Untrusted Data in Gson" 20426 }, 20427 { 20428 "affected": [ 20429 { 20430 "database_specific": { 20431 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-5mg8-w23w-74h3/GHSA-5mg8-w23w-74h3.json" 20432 }, 20433 "ecosystem_specific": { 20434 "affected_functions": [ 20435 "com.google.common.io.Files.createTempDir" 20436 ] 20437 }, 20438 "package": { 20439 "ecosystem": "Maven", 20440 "name": "com.google.guava:guava", 20441 "purl": "pkg:maven/com.google.guava/guava" 20442 }, 20443 "ranges": [ 20444 { 20445 "events": [ 20446 { 20447 "introduced": "0" 20448 }, 20449 { 20450 "fixed": "32.0.0-android" 20451 } 20452 ], 20453 "type": "ECOSYSTEM" 20454 } 20455 ], 20456 "versions": [ 20457 "10.0", 20458 "10.0-rc1", 20459 "10.0-rc2", 20460 "10.0-rc3", 20461 "10.0.1", 20462 "11.0", 20463 "11.0-rc1", 20464 "11.0.1", 20465 "11.0.2", 20466 "12.0", 20467 "12.0-rc1", 20468 "12.0-rc2", 20469 "12.0.1", 20470 "13.0", 20471 "13.0-rc1", 20472 "13.0-rc2", 20473 "13.0.1", 20474 "14.0", 20475 "14.0-rc1", 20476 "14.0-rc2", 20477 "14.0-rc3", 20478 "14.0.1", 20479 "15.0", 20480 "15.0-rc1", 20481 "16.0", 20482 "16.0-rc1", 20483 "16.0.1", 20484 "17.0", 20485 "17.0-rc1", 20486 "17.0-rc2", 20487 "18.0", 20488 "18.0-rc1", 20489 "18.0-rc2", 20490 "19.0", 20491 "19.0-rc1", 20492 "19.0-rc2", 20493 "19.0-rc3", 20494 "20.0", 20495 "20.0-rc1", 20496 "21.0", 20497 "21.0-rc1", 20498 "21.0-rc2", 20499 "22.0", 20500 "22.0-android", 20501 "22.0-rc1", 20502 "22.0-rc1-android", 20503 "23.0", 20504 
"23.0-android", 20505 "23.0-rc1", 20506 "23.0-rc1-android", 20507 "23.1-android", 20508 "23.1-jre", 20509 "23.2-android", 20510 "23.2-jre", 20511 "23.3-android", 20512 "23.3-jre", 20513 "23.4-android", 20514 "23.4-jre", 20515 "23.5-android", 20516 "23.5-jre", 20517 "23.6-android", 20518 "23.6-jre", 20519 "23.6.1-android", 20520 "23.6.1-jre", 20521 "24.0-android", 20522 "24.0-jre", 20523 "24.1-android", 20524 "24.1-jre", 20525 "24.1.1-android", 20526 "24.1.1-jre", 20527 "25.0-android", 20528 "25.0-jre", 20529 "25.1-android", 20530 "25.1-jre", 20531 "26.0-android", 20532 "26.0-jre", 20533 "27.0-android", 20534 "27.0-jre", 20535 "27.0.1-android", 20536 "27.0.1-jre", 20537 "27.1-android", 20538 "27.1-jre", 20539 "28.0-android", 20540 "28.0-jre", 20541 "28.1-android", 20542 "28.1-jre", 20543 "28.2-android", 20544 "28.2-jre", 20545 "29.0-android", 20546 "29.0-jre", 20547 "30.0-android", 20548 "30.0-jre", 20549 "30.1-android", 20550 "30.1-jre", 20551 "30.1.1-android", 20552 "30.1.1-jre", 20553 "31.0-android", 20554 "31.0-jre", 20555 "31.0.1-android", 20556 "31.0.1-jre", 20557 "31.1-android", 20558 "31.1-jre", 20559 "r03", 20560 "r05", 20561 "r06", 20562 "r07", 20563 "r08", 20564 "r09" 20565 ] 20566 } 20567 ], 20568 "aliases": [ 20569 "CVE-2020-8908", 20570 "SNYK-JAVA-COMGOOGLEGUAVA-1015415" 20571 ], 20572 "database_specific": { 20573 "cwe_ids": [ 20574 "CWE-173", 20575 "CWE-200", 20576 "CWE-378", 20577 "CWE-732" 20578 ], 20579 "github_reviewed": true, 20580 "github_reviewed_at": "2021-03-25T17:01:09Z", 20581 "nvd_published_at": "2020-12-10T23:15:00Z", 20582 "severity": "LOW" 20583 }, 20584 "details": "A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. 
Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.\n", 20585 "id": "GHSA-5mg8-w23w-74h3", 20586 "modified": "2024-08-01T09:26:49.388185Z", 20587 "published": "2021-03-25T17:04:19Z", 20588 "references": [ 20589 { 20590 "type": "ADVISORY", 20591 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8908" 20592 }, 20593 { 20594 "type": "WEB", 20595 "url": "https://github.com/google/guava/issues/4011" 20596 }, 20597 { 20598 "type": "WEB", 20599 "url": "https://github.com/google/guava/issues/4011#issuecomment-1578991974" 20600 }, 20601 { 20602 "type": "WEB", 20603 "url": "https://github.com/google/guava/commit/feb83a1c8fd2e7670b244d5afd23cba5aca43284" 20604 }, 20605 { 20606 "type": "WEB", 20607 "url": "https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40" 20608 }, 20609 { 20610 "type": "WEB", 20611 "url": "https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604@%3Ctorque-dev.db.apache.org%3E" 20612 }, 20613 { 20614 "type": "WEB", 20615 "url": "https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604%40%3Ctorque-dev.db.apache.org%3E" 20616 }, 20617 { 20618 "type": "WEB", 20619 "url": "https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5@%3Cissues.hive.apache.org%3E" 20620 }, 20621 { 20622 "type": "WEB", 20623 "url": "https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5%40%3Cissues.hive.apache.org%3E" 20624 }, 20625 { 20626 "type": "WEB", 20627 "url": "https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95@%3Cgithub.arrow.apache.org%3E" 20628 }, 20629 { 20630 "type": "WEB", 20631 "url": "https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95%40%3Cgithub.arrow.apache.org%3E" 20632 }, 20633 { 20634 "type": "WEB", 20635 "url": 
"https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f@%3Cdev.hive.apache.org%3E" 20636 }, 20637 { 20638 "type": "WEB", 20639 "url": "https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f%40%3Cdev.hive.apache.org%3E" 20640 }, 20641 { 20642 "type": "WEB", 20643 "url": "https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97@%3Cissues.geode.apache.org%3E" 20644 }, 20645 { 20646 "type": "WEB", 20647 "url": "https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97%40%3Cissues.geode.apache.org%3E" 20648 }, 20649 { 20650 "type": "WEB", 20651 "url": "https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a@%3Ctorque-dev.db.apache.org%3E" 20652 }, 20653 { 20654 "type": "WEB", 20655 "url": "https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a%40%3Ctorque-dev.db.apache.org%3E" 20656 }, 20657 { 20658 "type": "WEB", 20659 "url": "https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3@%3Ctorque-dev.db.apache.org%3E" 20660 }, 20661 { 20662 "type": "WEB", 20663 "url": "https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3%40%3Ctorque-dev.db.apache.org%3E" 20664 }, 20665 { 20666 "type": "WEB", 20667 "url": "https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf@%3Ccommits.cxf.apache.org%3E" 20668 }, 20669 { 20670 "type": "WEB", 20671 "url": "https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf%40%3Ccommits.cxf.apache.org%3E" 20672 }, 20673 { 20674 "type": "WEB", 20675 "url": "https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322@%3Cgitbox.hive.apache.org%3E" 20676 }, 20677 { 20678 "type": "WEB", 20679 "url": 
"https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322%40%3Cgitbox.hive.apache.org%3E" 20680 }, 20681 { 20682 "type": "WEB", 20683 "url": "https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc98f6b1cd3d86923b3@%3Cyarn-issues.hadoop.apache.org%3E" 20684 }, 20685 { 20686 "type": "WEB", 20687 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 20688 }, 20689 { 20690 "type": "WEB", 20691 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 20692 }, 20693 { 20694 "type": "WEB", 20695 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 20696 }, 20697 { 20698 "type": "WEB", 20699 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 20700 }, 20701 { 20702 "type": "WEB", 20703 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 20704 }, 20705 { 20706 "type": "WEB", 20707 "url": "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415" 20708 }, 20709 { 20710 "type": "WEB", 20711 "url": "https://security.netapp.com/advisory/ntap-20220210-0003" 20712 }, 20713 { 20714 "type": "WEB", 20715 "url": "https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594@%3Cdev.myfaces.apache.org%3E" 20716 }, 20717 { 20718 "type": "WEB", 20719 "url": "https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594%40%3Cdev.myfaces.apache.org%3E" 20720 }, 20721 { 20722 "type": "WEB", 20723 "url": "https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625@%3Cissues.geode.apache.org%3E" 20724 }, 20725 { 20726 "type": "WEB", 20727 "url": "https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625%40%3Cissues.geode.apache.org%3E" 20728 }, 20729 { 20730 "type": "WEB", 20731 "url": "https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73ee7bfb34783e1f0d4e@%3Cyarn-dev.hadoop.apache.org%3E" 20732 }, 20733 { 20734 "type": 
"WEB", 20735 "url": "https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73ee7bfb34783e1f0d4e%40%3Cyarn-dev.hadoop.apache.org%3E" 20736 }, 20737 { 20738 "type": "WEB", 20739 "url": "https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85@%3Cissues.geode.apache.org%3E" 20740 }, 20741 { 20742 "type": "WEB", 20743 "url": "https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85%40%3Cissues.geode.apache.org%3E" 20744 }, 20745 { 20746 "type": "WEB", 20747 "url": "https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27@%3Cyarn-issues.hadoop.apache.org%3E" 20748 }, 20749 { 20750 "type": "WEB", 20751 "url": "https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27%40%3Cyarn-issues.hadoop.apache.org%3E" 20752 }, 20753 { 20754 "type": "WEB", 20755 "url": "https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05455f7f781954231bf@%3Cdev.pig.apache.org%3E" 20756 }, 20757 { 20758 "type": "WEB", 20759 "url": "https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05455f7f781954231bf%40%3Cdev.pig.apache.org%3E" 20760 }, 20761 { 20762 "type": "WEB", 20763 "url": "https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc98f6b1cd3d86923b3%40%3Cyarn-issues.hadoop.apache.org%3E" 20764 }, 20765 { 20766 "type": "WEB", 20767 "url": "https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6%40%3Ccommits.cxf.apache.org%3E" 20768 }, 20769 { 20770 "type": "WEB", 20771 "url": "https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb49e9690c7ae1bc@%3Cissues.geode.apache.org%3E" 20772 }, 20773 { 20774 "type": "WEB", 20775 "url": "https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb49e9690c7ae1bc%40%3Cissues.geode.apache.org%3E" 20776 }, 20777 { 20778 "type": "WEB", 20779 
"url": "https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748@%3Ccommits.pulsar.apache.org%3E" 20780 }, 20781 { 20782 "type": "WEB", 20783 "url": "https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748%40%3Ccommits.pulsar.apache.org%3E" 20784 }, 20785 { 20786 "type": "WEB", 20787 "url": "https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d0e21d52438cfb4@%3Cdev.drill.apache.org%3E" 20788 }, 20789 { 20790 "type": "WEB", 20791 "url": "https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d0e21d52438cfb4%40%3Cdev.drill.apache.org%3E" 20792 }, 20793 { 20794 "type": "WEB", 20795 "url": "https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6@%3Cyarn-issues.hadoop.apache.org%3E" 20796 }, 20797 { 20798 "type": "WEB", 20799 "url": "https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6%40%3Cyarn-issues.hadoop.apache.org%3E" 20800 }, 20801 { 20802 "type": "WEB", 20803 "url": "https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e@%3Ccommits.ws.apache.org%3E" 20804 }, 20805 { 20806 "type": "WEB", 20807 "url": "https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e%40%3Ccommits.ws.apache.org%3E" 20808 }, 20809 { 20810 "type": "WEB", 20811 "url": "https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f06dcc79beeab54@%3Cdev.drill.apache.org%3E" 20812 }, 20813 { 20814 "type": "WEB", 20815 "url": "https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f06dcc79beeab54%40%3Cdev.drill.apache.org%3E" 20816 }, 20817 { 20818 "type": "WEB", 20819 "url": "https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d1719b8e3dfd95c14@%3Cdev.drill.apache.org%3E" 20820 }, 20821 { 20822 "type": "WEB", 20823 "url": 
"https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d1719b8e3dfd95c14%40%3Cdev.drill.apache.org%3E" 20824 }, 20825 { 20826 "type": "WEB", 20827 "url": "https://lists.apache.org/thread.html/r037fed1d0ebde50c9caf8d99815db3093c344c3f651c5a49a09824ce@%3Cdev.drill.apache.org%3E" 20828 }, 20829 { 20830 "type": "WEB", 20831 "url": "https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21@%3Ccommon-issues.hadoop.apache.org%3E" 20832 }, 20833 { 20834 "type": "WEB", 20835 "url": "https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21%40%3Ccommon-issues.hadoop.apache.org%3E" 20836 }, 20837 { 20838 "type": "PACKAGE", 20839 "url": "https://github.com/google/guava" 20840 }, 20841 { 20842 "type": "WEB", 20843 "url": "https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba@%3Cissues.maven.apache.org%3E" 20844 }, 20845 { 20846 "type": "WEB", 20847 "url": "https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba%40%3Cissues.maven.apache.org%3E" 20848 }, 20849 { 20850 "type": "WEB", 20851 "url": "https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09@%3Cyarn-issues.hadoop.apache.org%3E" 20852 }, 20853 { 20854 "type": "WEB", 20855 "url": "https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09%40%3Cyarn-issues.hadoop.apache.org%3E" 20856 }, 20857 { 20858 "type": "WEB", 20859 "url": "https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c@%3Cissues.hive.apache.org%3E" 20860 }, 20861 { 20862 "type": "WEB", 20863 "url": "https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c%40%3Cissues.hive.apache.org%3E" 20864 }, 20865 { 20866 "type": "WEB", 20867 "url": 
"https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222@%3Ccommits.ws.apache.org%3E" 20868 }, 20869 { 20870 "type": "WEB", 20871 "url": "https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222%40%3Ccommits.ws.apache.org%3E" 20872 }, 20873 { 20874 "type": "WEB", 20875 "url": "https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8c78ff948b24a1104a@%3Cdev.drill.apache.org%3E" 20876 }, 20877 { 20878 "type": "WEB", 20879 "url": "https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8c78ff948b24a1104a%40%3Cdev.drill.apache.org%3E" 20880 }, 20881 { 20882 "type": "WEB", 20883 "url": "https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199@%3Cyarn-issues.hadoop.apache.org%3E" 20884 }, 20885 { 20886 "type": "WEB", 20887 "url": "https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199%40%3Cyarn-issues.hadoop.apache.org%3E" 20888 }, 20889 { 20890 "type": "WEB", 20891 "url": "https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44@%3Cissues.geode.apache.org%3E" 20892 }, 20893 { 20894 "type": "WEB", 20895 "url": "https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44%40%3Cissues.geode.apache.org%3E" 20896 }, 20897 { 20898 "type": "WEB", 20899 "url": "https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a4170b2413c4067ac@%3Ccommon-issues.hadoop.apache.org%3E" 20900 }, 20901 { 20902 "type": "WEB", 20903 "url": "https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a4170b2413c4067ac%40%3Ccommon-issues.hadoop.apache.org%3E" 20904 }, 20905 { 20906 "type": "WEB", 20907 "url": "https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27@%3Cyarn-dev.hadoop.apache.org%3E" 20908 }, 20909 { 20910 "type": "WEB", 20911 "url": 
"https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27%40%3Cyarn-dev.hadoop.apache.org%3E" 20912 }, 20913 { 20914 "type": "WEB", 20915 "url": "https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6@%3Ccommits.cxf.apache.org%3E" 20916 } 20917 ], 20918 "related": [ 20919 "CGA-4jpf-w26h-cg9j", 20920 "CGA-9wv6-wh8w-g624", 20921 "CGA-c5f6-f2ff-f6g9", 20922 "CGA-cffm-4mv2-8x2h", 20923 "CGA-f85c-8jfc-2g85", 20924 "CGA-gpmg-5xqr-j8wx", 20925 "CGA-m9rw-cj52-34gw", 20926 "CGA-v8xq-jj26-jf85", 20927 "CGA-vm4c-5phc-7w2r" 20928 ], 20929 "schema_version": "1.6.0", 20930 "severity": [ 20931 { 20932 "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", 20933 "type": "CVSS_V3" 20934 } 20935 ], 20936 "summary": "Information Disclosure in Guava" 20937 }, 20938 { 20939 "affected": [ 20940 { 20941 "database_specific": { 20942 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-7g45-4rm6-3mm3/GHSA-7g45-4rm6-3mm3.json" 20943 }, 20944 "package": { 20945 "ecosystem": "Maven", 20946 "name": "com.google.guava:guava", 20947 "purl": "pkg:maven/com.google.guava/guava" 20948 }, 20949 "ranges": [ 20950 { 20951 "events": [ 20952 { 20953 "introduced": "1.0" 20954 }, 20955 { 20956 "fixed": "32.0.0-android" 20957 } 20958 ], 20959 "type": "ECOSYSTEM" 20960 } 20961 ], 20962 "versions": [ 20963 "10.0", 20964 "10.0-rc1", 20965 "10.0-rc2", 20966 "10.0-rc3", 20967 "10.0.1", 20968 "11.0", 20969 "11.0-rc1", 20970 "11.0.1", 20971 "11.0.2", 20972 "12.0", 20973 "12.0-rc1", 20974 "12.0-rc2", 20975 "12.0.1", 20976 "13.0", 20977 "13.0-rc1", 20978 "13.0-rc2", 20979 "13.0.1", 20980 "14.0", 20981 "14.0-rc1", 20982 "14.0-rc2", 20983 "14.0-rc3", 20984 "14.0.1", 20985 "15.0", 20986 "15.0-rc1", 20987 "16.0", 20988 "16.0-rc1", 20989 "16.0.1", 20990 "17.0", 20991 "17.0-rc1", 20992 "17.0-rc2", 20993 "18.0", 20994 "18.0-rc1", 20995 "18.0-rc2", 20996 "19.0", 20997 "19.0-rc1", 20998 
"19.0-rc2", 20999 "19.0-rc3", 21000 "20.0", 21001 "20.0-rc1", 21002 "21.0", 21003 "21.0-rc1", 21004 "21.0-rc2", 21005 "22.0", 21006 "22.0-android", 21007 "22.0-rc1", 21008 "22.0-rc1-android", 21009 "23.0", 21010 "23.0-android", 21011 "23.0-rc1", 21012 "23.0-rc1-android", 21013 "23.1-android", 21014 "23.1-jre", 21015 "23.2-android", 21016 "23.2-jre", 21017 "23.3-android", 21018 "23.3-jre", 21019 "23.4-android", 21020 "23.4-jre", 21021 "23.5-android", 21022 "23.5-jre", 21023 "23.6-android", 21024 "23.6-jre", 21025 "23.6.1-android", 21026 "23.6.1-jre", 21027 "24.0-android", 21028 "24.0-jre", 21029 "24.1-android", 21030 "24.1-jre", 21031 "24.1.1-android", 21032 "24.1.1-jre", 21033 "25.0-android", 21034 "25.0-jre", 21035 "25.1-android", 21036 "25.1-jre", 21037 "26.0-android", 21038 "26.0-jre", 21039 "27.0-android", 21040 "27.0-jre", 21041 "27.0.1-android", 21042 "27.0.1-jre", 21043 "27.1-android", 21044 "27.1-jre", 21045 "28.0-android", 21046 "28.0-jre", 21047 "28.1-android", 21048 "28.1-jre", 21049 "28.2-android", 21050 "28.2-jre", 21051 "29.0-android", 21052 "29.0-jre", 21053 "30.0-android", 21054 "30.0-jre", 21055 "30.1-android", 21056 "30.1-jre", 21057 "30.1.1-android", 21058 "30.1.1-jre", 21059 "31.0-android", 21060 "31.0-jre", 21061 "31.0.1-android", 21062 "31.0.1-jre", 21063 "31.1-android", 21064 "31.1-jre" 21065 ] 21066 } 21067 ], 21068 "aliases": [ 21069 "CVE-2023-2976" 21070 ], 21071 "database_specific": { 21072 "cwe_ids": [ 21073 "CWE-379", 21074 "CWE-552" 21075 ], 21076 "github_reviewed": true, 21077 "github_reviewed_at": "2023-06-14T21:01:07Z", 21078 "nvd_published_at": "2023-06-14T18:15:09Z", 21079 "severity": "MODERATE" 21080 }, 21081 "details": "Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the 
class.\n\nEven though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.\n\n", 21082 "id": "GHSA-7g45-4rm6-3mm3", 21083 "modified": "2024-07-15T22:00:20.197101Z", 21084 "published": "2023-06-14T18:30:38Z", 21085 "references": [ 21086 { 21087 "type": "ADVISORY", 21088 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2976" 21089 }, 21090 { 21091 "type": "WEB", 21092 "url": "https://github.com/google/guava/issues/2575" 21093 }, 21094 { 21095 "type": "WEB", 21096 "url": "https://github.com/google/guava/issues/6532" 21097 }, 21098 { 21099 "type": "WEB", 21100 "url": "https://github.com/google/guava/commit/feb83a1c8fd2e7670b244d5afd23cba5aca43284" 21101 }, 21102 { 21103 "type": "PACKAGE", 21104 "url": "https://github.com/google/guava" 21105 }, 21106 { 21107 "type": "WEB", 21108 "url": "https://github.com/google/guava/releases/tag/v32.0.0" 21109 }, 21110 { 21111 "type": "WEB", 21112 "url": "https://security.netapp.com/advisory/ntap-20230818-0008" 21113 }, 21114 { 21115 "type": "WEB", 21116 "url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.html" 21117 } 21118 ], 21119 "related": [ 21120 "CGA-3qxr-rw2h-5f86", 21121 "CGA-5wxh-2846-4r2x", 21122 "CGA-6p73-mwqp-2hp8", 21123 "CGA-7xcf-rqw8-qr59", 21124 "CGA-955j-7j6c-gqwh", 21125 "CGA-gghr-qw4h-4xq9", 21126 "CGA-jf73-gm5w-p8jg", 21127 "CGA-px7h-7xf8-q54x", 21128 "CGA-q6xm-fh5w-65wh" 21129 ], 21130 "schema_version": "1.6.0", 21131 "severity": [ 21132 { 21133 "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", 21134 "type": "CVSS_V3" 21135 } 21136 ], 21137 "summary": "Guava vulnerable to insecure use of temporary directory" 21138 }, 21139 { 21140 "affected": [ 21141 { 21142 "database_specific": { 21143 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json" 21144 }, 21145 "package": { 21146 
"ecosystem": "Maven", 21147 "name": "com.google.guava:guava", 21148 "purl": "pkg:maven/com.google.guava/guava" 21149 }, 21150 "ranges": [ 21151 { 21152 "events": [ 21153 { 21154 "introduced": "11.0" 21155 }, 21156 { 21157 "fixed": "24.1.1-android" 21158 } 21159 ], 21160 "type": "ECOSYSTEM" 21161 } 21162 ], 21163 "versions": [ 21164 "11.0", 21165 "11.0.1", 21166 "11.0.2", 21167 "12.0", 21168 "12.0-rc1", 21169 "12.0-rc2", 21170 "12.0.1", 21171 "13.0", 21172 "13.0-rc1", 21173 "13.0-rc2", 21174 "13.0.1", 21175 "14.0", 21176 "14.0-rc1", 21177 "14.0-rc2", 21178 "14.0-rc3", 21179 "14.0.1", 21180 "15.0", 21181 "15.0-rc1", 21182 "16.0", 21183 "16.0-rc1", 21184 "16.0.1", 21185 "17.0", 21186 "17.0-rc1", 21187 "17.0-rc2", 21188 "18.0", 21189 "18.0-rc1", 21190 "18.0-rc2", 21191 "19.0", 21192 "19.0-rc1", 21193 "19.0-rc2", 21194 "19.0-rc3", 21195 "20.0", 21196 "20.0-rc1", 21197 "21.0", 21198 "21.0-rc1", 21199 "21.0-rc2", 21200 "22.0", 21201 "22.0-android", 21202 "22.0-rc1", 21203 "22.0-rc1-android", 21204 "23.0", 21205 "23.0-android", 21206 "23.0-rc1", 21207 "23.0-rc1-android", 21208 "23.1-android", 21209 "23.1-jre", 21210 "23.2-android", 21211 "23.2-jre", 21212 "23.3-android", 21213 "23.3-jre", 21214 "23.4-android", 21215 "23.4-jre", 21216 "23.5-android", 21217 "23.5-jre", 21218 "23.6-android", 21219 "23.6-jre", 21220 "23.6.1-android", 21221 "23.6.1-jre", 21222 "24.0-android", 21223 "24.0-jre", 21224 "24.1-android", 21225 "24.1-jre" 21226 ] 21227 }, 21228 { 21229 "database_specific": { 21230 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json" 21231 }, 21232 "package": { 21233 "ecosystem": "Maven", 21234 "name": "com.google.guava:guava-jdk5", 21235 "purl": "pkg:maven/com.google.guava/guava-jdk5" 21236 }, 21237 "ranges": [ 21238 { 21239 "events": [ 21240 { 21241 "introduced": "0" 21242 }, 21243 { 21244 "last_affected": "17.0" 21245 } 21246 ], 21247 "type": "ECOSYSTEM" 21248 } 21249 ], 
21250 "versions": [ 21251 "13.0", 21252 "14.0.1", 21253 "14.0.1-rc1", 21254 "16.0", 21255 "16.0-rc1", 21256 "17.0", 21257 "17.0-rc1", 21258 "17.0-rc2" 21259 ] 21260 }, 21261 { 21262 "database_specific": { 21263 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json" 21264 }, 21265 "package": { 21266 "ecosystem": "Maven", 21267 "name": "com.googlecode.guava-osgi:guava-osgi", 21268 "purl": "pkg:maven/com.googlecode.guava-osgi/guava-osgi" 21269 }, 21270 "ranges": [ 21271 { 21272 "events": [ 21273 { 21274 "introduced": "0" 21275 }, 21276 { 21277 "last_affected": "11.0.1" 21278 } 21279 ], 21280 "type": "ECOSYSTEM" 21281 } 21282 ], 21283 "versions": [ 21284 "10.0.0", 21285 "10.0.1", 21286 "11.0.0", 21287 "11.0.1", 21288 "3.0.0", 21289 "4.0.0", 21290 "5.0.0", 21291 "6.0.0", 21292 "7.0.0", 21293 "8.0.0", 21294 "9.0.0" 21295 ] 21296 }, 21297 { 21298 "database_specific": { 21299 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json" 21300 }, 21301 "package": { 21302 "ecosystem": "Maven", 21303 "name": "de.mhus.ports:vaadin-shared-deps", 21304 "purl": "pkg:maven/de.mhus.ports/vaadin-shared-deps" 21305 }, 21306 "ranges": [ 21307 { 21308 "events": [ 21309 { 21310 "introduced": "0" 21311 }, 21312 { 21313 "last_affected": "7.4.0" 21314 } 21315 ], 21316 "type": "ECOSYSTEM" 21317 } 21318 ], 21319 "versions": [ 21320 "1.3.1", 21321 "1.3.4", 21322 "1.3.6", 21323 "1.3.7", 21324 "1.6.0", 21325 "1.6.1", 21326 "6.2.0", 21327 "7.0.0", 21328 "7.1.0", 21329 "7.2.0", 21330 "7.4.0" 21331 ] 21332 }, 21333 { 21334 "database_specific": { 21335 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json" 21336 }, 21337 "package": { 21338 "ecosystem": "Maven", 21339 "name": "org.hudsonci.lib.guava:guava", 21340 "purl": 
"pkg:maven/org.hudsonci.lib.guava/guava" 21341 }, 21342 "ranges": [ 21343 { 21344 "events": [ 21345 { 21346 "introduced": "0" 21347 }, 21348 { 21349 "last_affected": "14.0.1-h-3" 21350 } 21351 ], 21352 "type": "ECOSYSTEM" 21353 } 21354 ], 21355 "versions": [ 21356 "14.0.1-h-1", 21357 "14.0.1-h-2", 21358 "14.0.1-h-3" 21359 ] 21360 }, 21361 { 21362 "database_specific": { 21363 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json" 21364 }, 21365 "package": { 21366 "ecosystem": "Maven", 21367 "name": "org.sonatype.sisu:sisu-guava", 21368 "purl": "pkg:maven/org.sonatype.sisu/sisu-guava" 21369 }, 21370 "versions": [ 21371 "0.11.1" 21372 ] 21373 } 21374 ], 21375 "aliases": [ 21376 "CVE-2018-10237" 21377 ], 21378 "database_specific": { 21379 "cwe_ids": [ 21380 "CWE-502", 21381 "CWE-770" 21382 ], 21383 "github_reviewed": true, 21384 "github_reviewed_at": "2020-06-11T18:34:57Z", 21385 "nvd_published_at": "2018-04-26T21:29:00Z", 21386 "severity": "MODERATE" 21387 }, 21388 "details": "Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.", 21389 "id": "GHSA-mvr2-9pj6-7w5j", 21390 "modified": "2024-03-13T05:32:38.939984Z", 21391 "published": "2020-06-15T20:35:11Z", 21392 "references": [ 21393 { 21394 "type": "ADVISORY", 21395 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10237" 21396 }, 21397 { 21398 "type": "WEB", 21399 "url": "https://access.redhat.com/errata/RHSA-2018:2423" 21400 }, 21401 { 21402 "type": "WEB", 21403 "url": 
"https://lists.apache.org/thread.html/r223bc776a077d0795786c38cbc6e7dd808fce1a9161b00ba9c0a5d55@%3Cissues.lucene.apache.org%3E" 21404 }, 21405 { 21406 "type": "WEB", 21407 "url": "https://lists.apache.org/thread.html/r22c8173b804cd4a420c43064ba4e363d0022aa421008b1989f7354d4@%3Cissues.flink.apache.org%3E" 21408 }, 21409 { 21410 "type": "WEB", 21411 "url": "https://lists.apache.org/thread.html/r27eb79a87a760335226dbfa6a7b7bffea539a535f8e80c41e482106d@%3Cdev.cxf.apache.org%3E" 21412 }, 21413 { 21414 "type": "WEB", 21415 "url": "https://lists.apache.org/thread.html/r2ea4e5e5aa8ad73b001a466c582899620961f47d77a40af712c1fdf9@%3Cdev.cxf.apache.org%3E" 21416 }, 21417 { 21418 "type": "WEB", 21419 "url": "https://lists.apache.org/thread.html/r30e7d7b6bfa630dacc41649a0e96dad75165d50474c1241068aa0f94@%3Cissues.storm.apache.org%3E" 21420 }, 21421 { 21422 "type": "WEB", 21423 "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E" 21424 }, 21425 { 21426 "type": "WEB", 21427 "url": "https://lists.apache.org/thread.html/r38e2ab87528d3c904e7fac496e8fd766b9277656ff95b97d6b6b6dcd@%3Cdev.cxf.apache.org%3E" 21428 }, 21429 { 21430 "type": "WEB", 21431 "url": "https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748@%3Ccommits.pulsar.apache.org%3E" 21432 }, 21433 { 21434 "type": "WEB", 21435 "url": "https://lists.apache.org/thread.html/r43491b25b2e5c368c34b106a82eff910a5cea3e90de82ad75cc16540@%3Cdev.syncope.apache.org%3E" 21436 }, 21437 { 21438 "type": "WEB", 21439 "url": "https://lists.apache.org/thread.html/r50fc0bcc734dd82e691d36d209258683141bfc0083739a77e56ad92d@%3Cdev.flink.apache.org%3E" 21440 }, 21441 { 21442 "type": "WEB", 21443 "url": "https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba@%3Cissues.maven.apache.org%3E" 21444 }, 21445 { 21446 "type": "WEB", 21447 "url": 
"https://lists.apache.org/thread.html/r95799427b335807a4c54776908125c3e66597b65845ae50096d9278a@%3Cdev.cxf.apache.org%3E" 21448 }, 21449 { 21450 "type": "WEB", 21451 "url": "https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b@%3Cusers.kafka.apache.org%3E" 21452 }, 21453 { 21454 "type": "WEB", 21455 "url": "https://lists.apache.org/thread.html/ra4f44016926dcb034b3b230280a18102062f94ae55b8a31bb92fed84@%3Cissues.lucene.apache.org%3E" 21456 }, 21457 { 21458 "type": "WEB", 21459 "url": "https://lists.apache.org/thread.html/ra8906723927aef2a599398c238eacfc845b74d812e0093ec2fc70a7d@%3Cissues.flink.apache.org%3E" 21460 }, 21461 { 21462 "type": "WEB", 21463 "url": "https://lists.apache.org/thread.html/rb3da574c34bc6bd37972d2266af3093b90d7e437460423c24f477919@%3Cissues.lucene.apache.org%3E" 21464 }, 21465 { 21466 "type": "WEB", 21467 "url": "https://lists.apache.org/thread.html/rc78f6e84f82cc662860e96526d8ab969f34dbe12dc560e22d9d147a3@%3Cdev.cxf.apache.org%3E" 21468 }, 21469 { 21470 "type": "WEB", 21471 "url": "https://lists.apache.org/thread.html/rc8467f357b943ceaa86f289f8bc1a5d1c7955b75d3bac1426f2d4ac1@%3Ccommon-dev.hadoop.apache.org%3E" 21472 }, 21473 { 21474 "type": "WEB", 21475 "url": "https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95@%3Cgithub.arrow.apache.org%3E" 21476 }, 21477 { 21478 "type": "WEB", 21479 "url": "https://lists.apache.org/thread.html/rd0c8ec6e044aa2958dd0549ebf8ecead7f5968c9474ba73a504161b2@%3Cdev.cxf.apache.org%3E" 21480 }, 21481 { 21482 "type": "WEB", 21483 "url": "https://lists.apache.org/thread.html/rdc56c15693c236e31e1e95f847b8e5e74fc0a05741d47488e7fc8c45@%3Cissues.flink.apache.org%3E" 21484 }, 21485 { 21486 "type": "WEB", 21487 "url": "https://security.netapp.com/advisory/ntap-20220629-0008" 21488 }, 21489 { 21490 "type": "WEB", 21491 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 21492 }, 21493 { 21494 "type": "WEB", 21495 "url": 
"https://www.oracle.com/security-alerts/cpujan2021.html" 21496 }, 21497 { 21498 "type": "WEB", 21499 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 21500 }, 21501 { 21502 "type": "WEB", 21503 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 21504 }, 21505 { 21506 "type": "WEB", 21507 "url": "https://access.redhat.com/errata/RHSA-2018:2424" 21508 }, 21509 { 21510 "type": "WEB", 21511 "url": "https://access.redhat.com/errata/RHSA-2018:2425" 21512 }, 21513 { 21514 "type": "WEB", 21515 "url": "https://access.redhat.com/errata/RHSA-2018:2428" 21516 }, 21517 { 21518 "type": "WEB", 21519 "url": "https://access.redhat.com/errata/RHSA-2018:2598" 21520 }, 21521 { 21522 "type": "WEB", 21523 "url": "https://access.redhat.com/errata/RHSA-2018:2643" 21524 }, 21525 { 21526 "type": "WEB", 21527 "url": "https://access.redhat.com/errata/RHSA-2018:2740" 21528 }, 21529 { 21530 "type": "WEB", 21531 "url": "https://access.redhat.com/errata/RHSA-2018:2741" 21532 }, 21533 { 21534 "type": "WEB", 21535 "url": "https://access.redhat.com/errata/RHSA-2018:2742" 21536 }, 21537 { 21538 "type": "WEB", 21539 "url": "https://access.redhat.com/errata/RHSA-2018:2743" 21540 }, 21541 { 21542 "type": "WEB", 21543 "url": "https://access.redhat.com/errata/RHSA-2018:2927" 21544 }, 21545 { 21546 "type": "WEB", 21547 "url": "https://access.redhat.com/errata/RHSA-2019:2858" 21548 }, 21549 { 21550 "type": "WEB", 21551 "url": "https://access.redhat.com/errata/RHSA-2019:3149" 21552 }, 21553 { 21554 "type": "PACKAGE", 21555 "url": "https://github.com/google/guava" 21556 }, 21557 { 21558 "type": "WEB", 21559 "url": "https://github.com/google/guava/wiki/CVE-2018-10237" 21560 }, 21561 { 21562 "type": "WEB", 21563 "url": "https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussion" 21564 }, 21565 { 21566 "type": "WEB", 21567 "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" 21568 }, 21569 
{ 21570 "type": "WEB", 21571 "url": "https://lists.apache.org/thread.html/19fa48533bc7ea1accf6b12746a74ed888ae6e49a5cf81ae4f807495@%3Ccommon-dev.hadoop.apache.org%3E" 21572 }, 21573 { 21574 "type": "WEB", 21575 "url": "https://lists.apache.org/thread.html/33c6bccfeb7adf644d4d79894ca8f09370be6ed4b20632c2e228d085@%3Ccommits.cassandra.apache.org%3E" 21576 }, 21577 { 21578 "type": "WEB", 21579 "url": "https://lists.apache.org/thread.html/3d5dbdd92ac9ceaef90e40f78599f9109f2f345252e0ac9d98e7e084@%3Cgitbox.activemq.apache.org%3E" 21580 }, 21581 { 21582 "type": "WEB", 21583 "url": "https://lists.apache.org/thread.html/3ddd79c801edd99c0978e83dbe2168ebd36fd42acfa5dac38fb03dd6@%3Cissues.activemq.apache.org%3E" 21584 }, 21585 { 21586 "type": "WEB", 21587 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 21588 }, 21589 { 21590 "type": "WEB", 21591 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 21592 }, 21593 { 21594 "type": "WEB", 21595 "url": "https://lists.apache.org/thread.html/cc48fe770c45a74dc3b37ed0817393e0c96701fc49bc431ed922f3cc@%3Chdfs-dev.hadoop.apache.org%3E" 21596 }, 21597 { 21598 "type": "WEB", 21599 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 21600 }, 21601 { 21602 "type": "WEB", 21603 "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" 21604 }, 21605 { 21606 "type": "WEB", 21607 "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cdev.flink.apache.org%3E" 21608 }, 21609 { 21610 "type": "WEB", 21611 "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cuser.flink.apache.org%3E" 21612 }, 21613 { 21614 "type": "WEB", 21615 "url": 
"http://www.securitytracker.com/id/1041707" 21616 } 21617 ], 21618 "related": [ 21619 "CGA-4jxw-mwcp-83m9" 21620 ], 21621 "schema_version": "1.6.0", 21622 "severity": [ 21623 { 21624 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", 21625 "type": "CVSS_V3" 21626 } 21627 ], 21628 "summary": "Denial of Service in Google Guava" 21629 }, 21630 { 21631 "affected": [ 21632 { 21633 "database_specific": { 21634 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json" 21635 }, 21636 "package": { 21637 "ecosystem": "Maven", 21638 "name": "com.google.protobuf:protobuf-java", 21639 "purl": "pkg:maven/com.google.protobuf/protobuf-java" 21640 }, 21641 "ranges": [ 21642 { 21643 "events": [ 21644 { 21645 "introduced": "0" 21646 }, 21647 { 21648 "fixed": "3.16.3" 21649 } 21650 ], 21651 "type": "ECOSYSTEM" 21652 } 21653 ], 21654 "versions": [ 21655 "2.0.1", 21656 "2.0.3", 21657 "2.1.0", 21658 "2.2.0", 21659 "2.3.0", 21660 "2.4.0a", 21661 "2.4.1", 21662 "2.5.0", 21663 "2.6.0", 21664 "2.6.1", 21665 "3.0.0", 21666 "3.0.0-alpha-2", 21667 "3.0.0-alpha-3", 21668 "3.0.0-alpha-3.1", 21669 "3.0.0-beta-1", 21670 "3.0.0-beta-2", 21671 "3.0.0-beta-3", 21672 "3.0.0-beta-4", 21673 "3.0.2", 21674 "3.1.0", 21675 "3.10.0", 21676 "3.10.0-rc-1", 21677 "3.11.0", 21678 "3.11.0-rc-1", 21679 "3.11.0-rc-2", 21680 "3.11.1", 21681 "3.11.3", 21682 "3.11.4", 21683 "3.12.0", 21684 "3.12.0-rc-1", 21685 "3.12.0-rc-2", 21686 "3.12.1", 21687 "3.12.2", 21688 "3.12.4", 21689 "3.13.0", 21690 "3.13.0-rc-3", 21691 "3.14.0", 21692 "3.14.0-rc-1", 21693 "3.14.0-rc-2", 21694 "3.14.0-rc-3", 21695 "3.15.0", 21696 "3.15.0-rc-1", 21697 "3.15.0-rc-2", 21698 "3.15.1", 21699 "3.15.2", 21700 "3.15.3", 21701 "3.15.4", 21702 "3.15.5", 21703 "3.15.6", 21704 "3.15.7", 21705 "3.15.8", 21706 "3.16.0", 21707 "3.16.0-rc-1", 21708 "3.16.0-rc-2", 21709 "3.16.1", 21710 "3.2.0", 21711 "3.2.0-rc.1", 21712 "3.2.0rc2", 21713 "3.3.0", 21714 "3.3.1", 
21715 "3.4.0", 21716 "3.5.0", 21717 "3.5.1", 21718 "3.6.0", 21719 "3.6.1", 21720 "3.7.0", 21721 "3.7.0-rc1", 21722 "3.7.1", 21723 "3.8.0", 21724 "3.8.0-rc-1", 21725 "3.9.0", 21726 "3.9.0-rc-1", 21727 "3.9.1", 21728 "3.9.2" 21729 ] 21730 }, 21731 { 21732 "database_specific": { 21733 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json" 21734 }, 21735 "package": { 21736 "ecosystem": "Maven", 21737 "name": "com.google.protobuf:protobuf-java", 21738 "purl": "pkg:maven/com.google.protobuf/protobuf-java" 21739 }, 21740 "ranges": [ 21741 { 21742 "events": [ 21743 { 21744 "introduced": "3.17.0" 21745 }, 21746 { 21747 "fixed": "3.19.6" 21748 } 21749 ], 21750 "type": "ECOSYSTEM" 21751 } 21752 ], 21753 "versions": [ 21754 "3.17.0", 21755 "3.17.1", 21756 "3.17.2", 21757 "3.17.3", 21758 "3.18.0", 21759 "3.18.0-rc-1", 21760 "3.18.0-rc-2", 21761 "3.18.1", 21762 "3.18.2", 21763 "3.18.3", 21764 "3.19.0", 21765 "3.19.0-rc-1", 21766 "3.19.0-rc-2", 21767 "3.19.1", 21768 "3.19.2", 21769 "3.19.3", 21770 "3.19.4", 21771 "3.19.5" 21772 ] 21773 }, 21774 { 21775 "database_specific": { 21776 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json" 21777 }, 21778 "package": { 21779 "ecosystem": "Maven", 21780 "name": "com.google.protobuf:protobuf-java", 21781 "purl": "pkg:maven/com.google.protobuf/protobuf-java" 21782 }, 21783 "ranges": [ 21784 { 21785 "events": [ 21786 { 21787 "introduced": "3.20.0" 21788 }, 21789 { 21790 "fixed": "3.20.3" 21791 } 21792 ], 21793 "type": "ECOSYSTEM" 21794 } 21795 ], 21796 "versions": [ 21797 "3.20.0", 21798 "3.20.1", 21799 "3.20.1-rc-1", 21800 "3.20.2" 21801 ] 21802 }, 21803 { 21804 "database_specific": { 21805 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json" 21806 }, 21807 "package": { 
21808 "ecosystem": "Maven", 21809 "name": "com.google.protobuf:protobuf-java", 21810 "purl": "pkg:maven/com.google.protobuf/protobuf-java" 21811 }, 21812 "ranges": [ 21813 { 21814 "events": [ 21815 { 21816 "introduced": "3.21.0" 21817 }, 21818 { 21819 "fixed": "3.21.7" 21820 } 21821 ], 21822 "type": "ECOSYSTEM" 21823 } 21824 ], 21825 "versions": [ 21826 "3.21.0", 21827 "3.21.1", 21828 "3.21.2", 21829 "3.21.3", 21830 "3.21.4", 21831 "3.21.5", 21832 "3.21.6" 21833 ] 21834 }, 21835 { 21836 "database_specific": { 21837 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json" 21838 }, 21839 "package": { 21840 "ecosystem": "Maven", 21841 "name": "com.google.protobuf:protobuf-javalite", 21842 "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" 21843 }, 21844 "ranges": [ 21845 { 21846 "events": [ 21847 { 21848 "introduced": "0" 21849 }, 21850 { 21851 "fixed": "3.16.3" 21852 } 21853 ], 21854 "type": "ECOSYSTEM" 21855 } 21856 ], 21857 "versions": [ 21858 "3.10.0", 21859 "3.10.0-rc-1", 21860 "3.11.0", 21861 "3.11.0-rc-1", 21862 "3.11.0-rc-2", 21863 "3.11.1", 21864 "3.11.3", 21865 "3.11.4", 21866 "3.12.0", 21867 "3.12.0-rc-1", 21868 "3.12.0-rc-2", 21869 "3.12.1", 21870 "3.12.2", 21871 "3.12.4", 21872 "3.13.0", 21873 "3.13.0-rc-3", 21874 "3.14.0", 21875 "3.14.0-rc-1", 21876 "3.14.0-rc-2", 21877 "3.14.0-rc-3", 21878 "3.15.0", 21879 "3.15.0-rc-1", 21880 "3.15.0-rc-2", 21881 "3.15.1", 21882 "3.15.2", 21883 "3.15.3", 21884 "3.15.4", 21885 "3.15.5", 21886 "3.15.6", 21887 "3.15.7", 21888 "3.15.8", 21889 "3.16.0", 21890 "3.16.0-rc-1", 21891 "3.16.0-rc-2", 21892 "3.16.1", 21893 "3.8.0", 21894 "3.8.0-rc-1", 21895 "3.9.0", 21896 "3.9.0-rc-1", 21897 "3.9.1", 21898 "3.9.2" 21899 ] 21900 }, 21901 { 21902 "database_specific": { 21903 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json" 21904 }, 21905 
"package": { 21906 "ecosystem": "Maven", 21907 "name": "com.google.protobuf:protobuf-javalite", 21908 "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" 21909 }, 21910 "ranges": [ 21911 { 21912 "events": [ 21913 { 21914 "introduced": "3.17.0" 21915 }, 21916 { 21917 "fixed": "3.19.6" 21918 } 21919 ], 21920 "type": "ECOSYSTEM" 21921 } 21922 ], 21923 "versions": [ 21924 "3.17.0", 21925 "3.17.1", 21926 "3.17.2", 21927 "3.17.3", 21928 "3.18.0", 21929 "3.18.0-rc-1", 21930 "3.18.0-rc-2", 21931 "3.18.1", 21932 "3.18.2", 21933 "3.18.3", 21934 "3.19.0", 21935 "3.19.0-rc-1", 21936 "3.19.0-rc-2", 21937 "3.19.1", 21938 "3.19.2", 21939 "3.19.3", 21940 "3.19.4", 21941 "3.19.5" 21942 ] 21943 }, 21944 { 21945 "database_specific": { 21946 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json" 21947 }, 21948 "package": { 21949 "ecosystem": "Maven", 21950 "name": "com.google.protobuf:protobuf-javalite", 21951 "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" 21952 }, 21953 "ranges": [ 21954 { 21955 "events": [ 21956 { 21957 "introduced": "3.20.0" 21958 }, 21959 { 21960 "fixed": "3.20.3" 21961 } 21962 ], 21963 "type": "ECOSYSTEM" 21964 } 21965 ], 21966 "versions": [ 21967 "3.20.0", 21968 "3.20.1", 21969 "3.20.1-rc-1", 21970 "3.20.2" 21971 ] 21972 }, 21973 { 21974 "database_specific": { 21975 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json" 21976 }, 21977 "package": { 21978 "ecosystem": "Maven", 21979 "name": "com.google.protobuf:protobuf-javalite", 21980 "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" 21981 }, 21982 "ranges": [ 21983 { 21984 "events": [ 21985 { 21986 "introduced": "3.21.0" 21987 }, 21988 { 21989 "fixed": "3.21.7" 21990 } 21991 ], 21992 "type": "ECOSYSTEM" 21993 } 21994 ], 21995 "versions": [ 21996 "3.21.0", 21997 "3.21.1", 21998 "3.21.2", 21999 "3.21.3", 22000 
"3.21.4", 22001 "3.21.5", 22002 "3.21.6" 22003 ] 22004 } 22005 ], 22006 "aliases": [ 22007 "CVE-2022-3510" 22008 ], 22009 "database_specific": { 22010 "cwe_ids": [ 22011 "CWE-400" 22012 ], 22013 "github_reviewed": true, 22014 "github_reviewed_at": "2022-12-12T22:34:26Z", 22015 "nvd_published_at": "2022-12-12T13:15:00Z", 22016 "severity": "HIGH" 22017 }, 22018 "details": "A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.", 22019 "id": "GHSA-4gg5-vx3j-xwc7", 22020 "modified": "2023-11-08T04:09:49.928473Z", 22021 "published": "2022-12-12T15:30:33Z", 22022 "references": [ 22023 { 22024 "type": "ADVISORY", 22025 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3510" 22026 }, 22027 { 22028 "type": "WEB", 22029 "url": "https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48" 22030 }, 22031 { 22032 "type": "PACKAGE", 22033 "url": "https://github.com/protocolbuffers/protobuf/tree/main/java" 22034 } 22035 ], 22036 "related": [ 22037 "CGA-fgmv-5mj3-v9vh", 22038 "CGA-g664-j68v-pmw2", 22039 "CGA-rh7m-9hc4-75h6" 22040 ], 22041 "schema_version": "1.6.0", 22042 "severity": [ 22043 { 22044 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 22045 "type": "CVSS_V3" 22046 } 22047 ], 22048 "summary": "Protobuf Java vulnerable to Uncontrolled Resource Consumption" 22049 }, 22050 { 22051 "affected": [ 22052 { 22053 "database_specific": { 22054 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-77rm-9x9h-xj3g/GHSA-77rm-9x9h-xj3g.json" 22055 }, 22056 
"package": { 22057 "ecosystem": "NuGet", 22058 "name": "Google.Protobuf", 22059 "purl": "pkg:nuget/Google.Protobuf" 22060 }, 22061 "ranges": [ 22062 { 22063 "events": [ 22064 { 22065 "introduced": "0" 22066 }, 22067 { 22068 "fixed": "3.15.0" 22069 } 22070 ], 22071 "type": "ECOSYSTEM" 22072 } 22073 ], 22074 "versions": [ 22075 "0.0.1-test1", 22076 "3.0.0", 22077 "3.0.0-alpha4", 22078 "3.0.0-beta2", 22079 "3.0.0-beta3", 22080 "3.0.0-beta4", 22081 "3.1.0", 22082 "3.10.0", 22083 "3.10.0-rc1", 22084 "3.10.1", 22085 "3.11.0-rc1", 22086 "3.11.0-rc2", 22087 "3.11.1", 22088 "3.11.2", 22089 "3.11.3", 22090 "3.11.4", 22091 "3.12.0", 22092 "3.12.0-rc1", 22093 "3.12.0-rc2", 22094 "3.12.1", 22095 "3.12.2", 22096 "3.12.3", 22097 "3.12.4", 22098 "3.13.0", 22099 "3.13.0-rc3", 22100 "3.14.0", 22101 "3.14.0-rc1", 22102 "3.14.0-rc2", 22103 "3.14.0-rc3", 22104 "3.15.0-rc1", 22105 "3.15.0-rc2", 22106 "3.2.0", 22107 "3.2.0-rc1", 22108 "3.2.0-rc2", 22109 "3.3.0", 22110 "3.4.0", 22111 "3.4.1", 22112 "3.5.0", 22113 "3.5.1", 22114 "3.6.0", 22115 "3.6.1", 22116 "3.7.0", 22117 "3.8.0", 22118 "3.9.0", 22119 "3.9.0-rc1", 22120 "3.9.1", 22121 "3.9.2" 22122 ] 22123 }, 22124 { 22125 "database_specific": { 22126 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-77rm-9x9h-xj3g/GHSA-77rm-9x9h-xj3g.json" 22127 }, 22128 "package": { 22129 "ecosystem": "Packagist", 22130 "name": "google/protobuf", 22131 "purl": "pkg:composer/google/protobuf" 22132 }, 22133 "ranges": [ 22134 { 22135 "events": [ 22136 { 22137 "introduced": "0" 22138 }, 22139 { 22140 "fixed": "3.15.0" 22141 } 22142 ], 22143 "type": "ECOSYSTEM" 22144 } 22145 ], 22146 "versions": [ 22147 "v3.1.0-alpha-1", 22148 "v3.10.0", 22149 "v3.10.0RC1", 22150 "v3.11.0", 22151 "v3.11.0RC1", 22152 "v3.11.0RC2", 22153 "v3.11.1", 22154 "v3.11.2", 22155 "v3.11.3", 22156 "v3.11.4", 22157 "v3.12.0", 22158 "v3.12.0RC1", 22159 "v3.12.0RC2", 22160 "v3.12.1", 22161 "v3.12.2", 22162 "v3.12.4", 22163 "v3.13.0", 
22164 "v3.13.0.1", 22165 "v3.13.0RC3", 22166 "v3.14.0", 22167 "v3.14.0RC1", 22168 "v3.14.0RC2", 22169 "v3.14.0RC3", 22170 "v3.15.0RC1", 22171 "v3.15.0RC2", 22172 "v3.2.0-alpha-1", 22173 "v3.3.0", 22174 "v3.3.0rc1", 22175 "v3.3.1", 22176 "v3.3.2", 22177 "v3.4.0", 22178 "v3.4.0rc1", 22179 "v3.4.0rc2", 22180 "v3.4.0rc3", 22181 "v3.4.1", 22182 "v3.5.0", 22183 "v3.5.0.1", 22184 "v3.5.1", 22185 "v3.5.1.1", 22186 "v3.5.2", 22187 "v3.6.0", 22188 "v3.6.0.1", 22189 "v3.6.0rc1", 22190 "v3.6.0rc2", 22191 "v3.6.1", 22192 "v3.6.1.1", 22193 "v3.6.1.2", 22194 "v3.6.1.3", 22195 "v3.7.0", 22196 "v3.7.0-rc.3", 22197 "v3.7.0rc1", 22198 "v3.7.0rc2", 22199 "v3.7.1", 22200 "v3.8.0", 22201 "v3.8.0RC1", 22202 "v3.9.0", 22203 "v3.9.0RC1", 22204 "v3.9.1", 22205 "v3.9.2" 22206 ] 22207 }, 22208 { 22209 "database_specific": { 22210 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-77rm-9x9h-xj3g/GHSA-77rm-9x9h-xj3g.json" 22211 }, 22212 "package": { 22213 "ecosystem": "Maven", 22214 "name": "com.google.protobuf:protobuf-java", 22215 "purl": "pkg:maven/com.google.protobuf/protobuf-java" 22216 }, 22217 "ranges": [ 22218 { 22219 "events": [ 22220 { 22221 "introduced": "0" 22222 }, 22223 { 22224 "fixed": "3.15.0" 22225 } 22226 ], 22227 "type": "ECOSYSTEM" 22228 } 22229 ], 22230 "versions": [ 22231 "2.0.1", 22232 "2.0.3", 22233 "2.1.0", 22234 "2.2.0", 22235 "2.3.0", 22236 "2.4.0a", 22237 "2.4.1", 22238 "2.5.0", 22239 "2.6.0", 22240 "2.6.1", 22241 "3.0.0", 22242 "3.0.0-alpha-2", 22243 "3.0.0-alpha-3", 22244 "3.0.0-alpha-3.1", 22245 "3.0.0-beta-1", 22246 "3.0.0-beta-2", 22247 "3.0.0-beta-3", 22248 "3.0.0-beta-4", 22249 "3.0.2", 22250 "3.1.0", 22251 "3.10.0", 22252 "3.10.0-rc-1", 22253 "3.11.0", 22254 "3.11.0-rc-1", 22255 "3.11.0-rc-2", 22256 "3.11.1", 22257 "3.11.3", 22258 "3.11.4", 22259 "3.12.0", 22260 "3.12.0-rc-1", 22261 "3.12.0-rc-2", 22262 "3.12.1", 22263 "3.12.2", 22264 "3.12.4", 22265 "3.13.0", 22266 "3.13.0-rc-3", 22267 "3.14.0", 22268 
"3.14.0-rc-1", 22269 "3.14.0-rc-2", 22270 "3.14.0-rc-3", 22271 "3.15.0-rc-1", 22272 "3.15.0-rc-2", 22273 "3.2.0", 22274 "3.2.0-rc.1", 22275 "3.2.0rc2", 22276 "3.3.0", 22277 "3.3.1", 22278 "3.4.0", 22279 "3.5.0", 22280 "3.5.1", 22281 "3.6.0", 22282 "3.6.1", 22283 "3.7.0", 22284 "3.7.0-rc1", 22285 "3.7.1", 22286 "3.8.0", 22287 "3.8.0-rc-1", 22288 "3.9.0", 22289 "3.9.0-rc-1", 22290 "3.9.1", 22291 "3.9.2" 22292 ] 22293 }, 22294 { 22295 "database_specific": { 22296 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-77rm-9x9h-xj3g/GHSA-77rm-9x9h-xj3g.json" 22297 }, 22298 "package": { 22299 "ecosystem": "Go", 22300 "name": "github.com/protocolbuffers/protobuf", 22301 "purl": "pkg:golang/github.com/protocolbuffers/protobuf" 22302 }, 22303 "ranges": [ 22304 { 22305 "events": [ 22306 { 22307 "introduced": "0" 22308 }, 22309 { 22310 "fixed": "3.15.0" 22311 } 22312 ], 22313 "type": "SEMVER" 22314 } 22315 ] 22316 }, 22317 { 22318 "database_specific": { 22319 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-77rm-9x9h-xj3g/GHSA-77rm-9x9h-xj3g.json" 22320 }, 22321 "package": { 22322 "ecosystem": "PyPI", 22323 "name": "protobuf", 22324 "purl": "pkg:pypi/protobuf" 22325 }, 22326 "ranges": [ 22327 { 22328 "events": [ 22329 { 22330 "introduced": "0" 22331 }, 22332 { 22333 "fixed": "3.15.0" 22334 } 22335 ], 22336 "type": "ECOSYSTEM" 22337 } 22338 ], 22339 "versions": [ 22340 "2.0.0beta", 22341 "2.0.3", 22342 "2.3.0", 22343 "2.4.1", 22344 "2.5.0", 22345 "2.6.0", 22346 "2.6.1", 22347 "3.0.0", 22348 "3.0.0a2", 22349 "3.0.0a3", 22350 "3.0.0b1", 22351 "3.0.0b1.post1", 22352 "3.0.0b1.post2", 22353 "3.0.0b2", 22354 "3.0.0b2.post1", 22355 "3.0.0b2.post2", 22356 "3.0.0b3", 22357 "3.0.0b4", 22358 "3.1.0", 22359 "3.1.0.post1", 22360 "3.10.0", 22361 "3.10.0rc1", 22362 "3.11.0", 22363 "3.11.0rc1", 22364 "3.11.0rc2", 22365 "3.11.1", 22366 "3.11.2", 22367 "3.11.3", 22368 "3.12.0", 22369 
"3.12.0rc1", 22370 "3.12.0rc2", 22371 "3.12.1", 22372 "3.12.2", 22373 "3.12.4", 22374 "3.13.0", 22375 "3.13.0rc3", 22376 "3.14.0", 22377 "3.14.0rc1", 22378 "3.14.0rc2", 22379 "3.14.0rc3", 22380 "3.15.0rc1", 22381 "3.15.0rc2", 22382 "3.2.0", 22383 "3.2.0rc1", 22384 "3.2.0rc1.post1", 22385 "3.2.0rc2", 22386 "3.3.0", 22387 "3.4.0", 22388 "3.5.0.post1", 22389 "3.5.1", 22390 "3.5.2", 22391 "3.5.2.post1", 22392 "3.6.0", 22393 "3.6.1", 22394 "3.7.0", 22395 "3.7.0rc2", 22396 "3.7.0rc3", 22397 "3.7.1", 22398 "3.8.0", 22399 "3.8.0rc1", 22400 "3.9.0", 22401 "3.9.0rc1", 22402 "3.9.1", 22403 "3.9.2" 22404 ] 22405 } 22406 ], 22407 "aliases": [ 22408 "CVE-2021-22570", 22409 "PYSEC-2022-48" 22410 ], 22411 "database_specific": { 22412 "cwe_ids": [ 22413 "CWE-476" 22414 ], 22415 "github_reviewed": true, 22416 "github_reviewed_at": "2022-02-03T22:48:51Z", 22417 "nvd_published_at": "2022-01-26T14:15:00Z", 22418 "severity": "HIGH" 22419 }, 22420 "details": "Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. 
We recommend upgrading to version 3.15.0 or greater.", 22421 "id": "GHSA-77rm-9x9h-xj3g", 22422 "modified": "2024-07-15T22:00:20.04146Z", 22423 "published": "2022-01-27T00:01:15Z", 22424 "references": [ 22425 { 22426 "type": "ADVISORY", 22427 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22570" 22428 }, 22429 { 22430 "type": "PACKAGE", 22431 "url": "https://github.com/protocolbuffers/protobuf" 22432 }, 22433 { 22434 "type": "WEB", 22435 "url": "https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0" 22436 }, 22437 { 22438 "type": "WEB", 22439 "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00019.html" 22440 }, 22441 { 22442 "type": "WEB", 22443 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DVUZPALAQ34TQP6KFNLM4IZS6B32XSA" 22444 }, 22445 { 22446 "type": "WEB", 22447 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5PAGL5M2KGYPN3VEQCRJJE6NA7D5YG5X" 22448 }, 22449 { 22450 "type": "WEB", 22451 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTRGBRC5KGCA4SK5MUNLPYJRAGXMBIYY" 22452 }, 22453 { 22454 "type": "WEB", 22455 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFX6KPNOFHYD6L4XES5PCM3QNSKZBOTQ" 22456 }, 22457 { 22458 "type": "WEB", 22459 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQJB6ZPRLKV6WCMX2PRRRQBFAOXFBK6B" 22460 }, 22461 { 22462 "type": "WEB", 22463 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRWRAXAFR3JR7XCFWTHC2KALSZKWACCE" 22464 }, 22465 { 22466 "type": "WEB", 22467 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NVTWVQRB5OCCTMKEQFY5MYED3DXDVSLP" 22468 }, 22469 { 22470 "type": "WEB", 22471 "url": 
"https://security.netapp.com/advisory/ntap-20220429-0005" 22472 }, 22473 { 22474 "type": "WEB", 22475 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 22476 } 22477 ], 22478 "related": [ 22479 "CGA-5jch-qfp3-55q7", 22480 "CGA-7g2g-x6vq-38fw", 22481 "CGA-j6xc-c2g5-wpw4" 22482 ], 22483 "schema_version": "1.6.0", 22484 "severity": [ 22485 { 22486 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 22487 "type": "CVSS_V3" 22488 } 22489 ], 22490 "summary": "NULL Pointer Dereference in Protocol Buffers" 22491 }, 22492 { 22493 "affected": [ 22494 { 22495 "database_specific": { 22496 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json" 22497 }, 22498 "package": { 22499 "ecosystem": "Maven", 22500 "name": "com.google.protobuf:protobuf-java", 22501 "purl": "pkg:maven/com.google.protobuf/protobuf-java" 22502 }, 22503 "ranges": [ 22504 { 22505 "events": [ 22506 { 22507 "introduced": "0" 22508 }, 22509 { 22510 "fixed": "3.16.3" 22511 } 22512 ], 22513 "type": "ECOSYSTEM" 22514 } 22515 ], 22516 "versions": [ 22517 "2.0.1", 22518 "2.0.3", 22519 "2.1.0", 22520 "2.2.0", 22521 "2.3.0", 22522 "2.4.0a", 22523 "2.4.1", 22524 "2.5.0", 22525 "2.6.0", 22526 "2.6.1", 22527 "3.0.0", 22528 "3.0.0-alpha-2", 22529 "3.0.0-alpha-3", 22530 "3.0.0-alpha-3.1", 22531 "3.0.0-beta-1", 22532 "3.0.0-beta-2", 22533 "3.0.0-beta-3", 22534 "3.0.0-beta-4", 22535 "3.0.2", 22536 "3.1.0", 22537 "3.10.0", 22538 "3.10.0-rc-1", 22539 "3.11.0", 22540 "3.11.0-rc-1", 22541 "3.11.0-rc-2", 22542 "3.11.1", 22543 "3.11.3", 22544 "3.11.4", 22545 "3.12.0", 22546 "3.12.0-rc-1", 22547 "3.12.0-rc-2", 22548 "3.12.1", 22549 "3.12.2", 22550 "3.12.4", 22551 "3.13.0", 22552 "3.13.0-rc-3", 22553 "3.14.0", 22554 "3.14.0-rc-1", 22555 "3.14.0-rc-2", 22556 "3.14.0-rc-3", 22557 "3.15.0", 22558 "3.15.0-rc-1", 22559 "3.15.0-rc-2", 22560 "3.15.1", 22561 "3.15.2", 22562 "3.15.3", 22563 "3.15.4", 22564 "3.15.5", 22565 "3.15.6", 
22566 "3.15.7", 22567 "3.15.8", 22568 "3.16.0", 22569 "3.16.0-rc-1", 22570 "3.16.0-rc-2", 22571 "3.16.1", 22572 "3.2.0", 22573 "3.2.0-rc.1", 22574 "3.2.0rc2", 22575 "3.3.0", 22576 "3.3.1", 22577 "3.4.0", 22578 "3.5.0", 22579 "3.5.1", 22580 "3.6.0", 22581 "3.6.1", 22582 "3.7.0", 22583 "3.7.0-rc1", 22584 "3.7.1", 22585 "3.8.0", 22586 "3.8.0-rc-1", 22587 "3.9.0", 22588 "3.9.0-rc-1", 22589 "3.9.1", 22590 "3.9.2" 22591 ] 22592 }, 22593 { 22594 "database_specific": { 22595 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json" 22596 }, 22597 "package": { 22598 "ecosystem": "Maven", 22599 "name": "com.google.protobuf:protobuf-java", 22600 "purl": "pkg:maven/com.google.protobuf/protobuf-java" 22601 }, 22602 "ranges": [ 22603 { 22604 "events": [ 22605 { 22606 "introduced": "3.17.0" 22607 }, 22608 { 22609 "fixed": "3.19.6" 22610 } 22611 ], 22612 "type": "ECOSYSTEM" 22613 } 22614 ], 22615 "versions": [ 22616 "3.17.0", 22617 "3.17.1", 22618 "3.17.2", 22619 "3.17.3", 22620 "3.18.0", 22621 "3.18.0-rc-1", 22622 "3.18.0-rc-2", 22623 "3.18.1", 22624 "3.18.2", 22625 "3.18.3", 22626 "3.19.0", 22627 "3.19.0-rc-1", 22628 "3.19.0-rc-2", 22629 "3.19.1", 22630 "3.19.2", 22631 "3.19.3", 22632 "3.19.4", 22633 "3.19.5" 22634 ] 22635 }, 22636 { 22637 "database_specific": { 22638 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json" 22639 }, 22640 "package": { 22641 "ecosystem": "Maven", 22642 "name": "com.google.protobuf:protobuf-java", 22643 "purl": "pkg:maven/com.google.protobuf/protobuf-java" 22644 }, 22645 "ranges": [ 22646 { 22647 "events": [ 22648 { 22649 "introduced": "3.20.0" 22650 }, 22651 { 22652 "fixed": "3.20.3" 22653 } 22654 ], 22655 "type": "ECOSYSTEM" 22656 } 22657 ], 22658 "versions": [ 22659 "3.20.0", 22660 "3.20.1", 22661 "3.20.1-rc-1", 22662 "3.20.2" 22663 ] 22664 }, 22665 { 22666 
"database_specific": { 22667 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json" 22668 }, 22669 "package": { 22670 "ecosystem": "Maven", 22671 "name": "com.google.protobuf:protobuf-java", 22672 "purl": "pkg:maven/com.google.protobuf/protobuf-java" 22673 }, 22674 "ranges": [ 22675 { 22676 "events": [ 22677 { 22678 "introduced": "3.21.0" 22679 }, 22680 { 22681 "fixed": "3.21.7" 22682 } 22683 ], 22684 "type": "ECOSYSTEM" 22685 } 22686 ], 22687 "versions": [ 22688 "3.21.0", 22689 "3.21.1", 22690 "3.21.2", 22691 "3.21.3", 22692 "3.21.4", 22693 "3.21.5", 22694 "3.21.6" 22695 ] 22696 }, 22697 { 22698 "database_specific": { 22699 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json" 22700 }, 22701 "package": { 22702 "ecosystem": "Maven", 22703 "name": "com.google.protobuf:protobuf-javalite", 22704 "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" 22705 }, 22706 "ranges": [ 22707 { 22708 "events": [ 22709 { 22710 "introduced": "0" 22711 }, 22712 { 22713 "fixed": "3.16.3" 22714 } 22715 ], 22716 "type": "ECOSYSTEM" 22717 } 22718 ], 22719 "versions": [ 22720 "3.10.0", 22721 "3.10.0-rc-1", 22722 "3.11.0", 22723 "3.11.0-rc-1", 22724 "3.11.0-rc-2", 22725 "3.11.1", 22726 "3.11.3", 22727 "3.11.4", 22728 "3.12.0", 22729 "3.12.0-rc-1", 22730 "3.12.0-rc-2", 22731 "3.12.1", 22732 "3.12.2", 22733 "3.12.4", 22734 "3.13.0", 22735 "3.13.0-rc-3", 22736 "3.14.0", 22737 "3.14.0-rc-1", 22738 "3.14.0-rc-2", 22739 "3.14.0-rc-3", 22740 "3.15.0", 22741 "3.15.0-rc-1", 22742 "3.15.0-rc-2", 22743 "3.15.1", 22744 "3.15.2", 22745 "3.15.3", 22746 "3.15.4", 22747 "3.15.5", 22748 "3.15.6", 22749 "3.15.7", 22750 "3.15.8", 22751 "3.16.0", 22752 "3.16.0-rc-1", 22753 "3.16.0-rc-2", 22754 "3.16.1", 22755 "3.8.0", 22756 "3.8.0-rc-1", 22757 "3.9.0", 22758 "3.9.0-rc-1", 22759 "3.9.1", 22760 "3.9.2" 22761 ] 22762 }, 22763 { 
22764 "database_specific": { 22765 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json" 22766 }, 22767 "package": { 22768 "ecosystem": "Maven", 22769 "name": "com.google.protobuf:protobuf-javalite", 22770 "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" 22771 }, 22772 "ranges": [ 22773 { 22774 "events": [ 22775 { 22776 "introduced": "3.17.0" 22777 }, 22778 { 22779 "fixed": "3.19.6" 22780 } 22781 ], 22782 "type": "ECOSYSTEM" 22783 } 22784 ], 22785 "versions": [ 22786 "3.17.0", 22787 "3.17.1", 22788 "3.17.2", 22789 "3.17.3", 22790 "3.18.0", 22791 "3.18.0-rc-1", 22792 "3.18.0-rc-2", 22793 "3.18.1", 22794 "3.18.2", 22795 "3.18.3", 22796 "3.19.0", 22797 "3.19.0-rc-1", 22798 "3.19.0-rc-2", 22799 "3.19.1", 22800 "3.19.2", 22801 "3.19.3", 22802 "3.19.4", 22803 "3.19.5" 22804 ] 22805 }, 22806 { 22807 "database_specific": { 22808 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json" 22809 }, 22810 "package": { 22811 "ecosystem": "Maven", 22812 "name": "com.google.protobuf:protobuf-javalite", 22813 "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" 22814 }, 22815 "ranges": [ 22816 { 22817 "events": [ 22818 { 22819 "introduced": "3.20.0" 22820 }, 22821 { 22822 "fixed": "3.20.3" 22823 } 22824 ], 22825 "type": "ECOSYSTEM" 22826 } 22827 ], 22828 "versions": [ 22829 "3.20.0", 22830 "3.20.1", 22831 "3.20.1-rc-1", 22832 "3.20.2" 22833 ] 22834 }, 22835 { 22836 "database_specific": { 22837 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json" 22838 }, 22839 "package": { 22840 "ecosystem": "Maven", 22841 "name": "com.google.protobuf:protobuf-javalite", 22842 "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" 22843 }, 22844 "ranges": [ 22845 { 22846 "events": [ 22847 { 22848 "introduced": 
"3.21.0" 22849 }, 22850 { 22851 "fixed": "3.21.7" 22852 } 22853 ], 22854 "type": "ECOSYSTEM" 22855 } 22856 ], 22857 "versions": [ 22858 "3.21.0", 22859 "3.21.1", 22860 "3.21.2", 22861 "3.21.3", 22862 "3.21.4", 22863 "3.21.5", 22864 "3.21.6" 22865 ] 22866 } 22867 ], 22868 "aliases": [ 22869 "CVE-2022-3509" 22870 ], 22871 "database_specific": { 22872 "cwe_ids": [ 22873 "CWE-400" 22874 ], 22875 "github_reviewed": true, 22876 "github_reviewed_at": "2022-12-12T22:33:53Z", 22877 "nvd_published_at": "2022-12-12T13:15:00Z", 22878 "severity": "HIGH" 22879 }, 22880 "details": "A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.", 22881 "id": "GHSA-g5ww-5jh7-63cx", 22882 "modified": "2023-11-08T04:09:49.867103Z", 22883 "published": "2022-12-12T15:30:33Z", 22884 "references": [ 22885 { 22886 "type": "ADVISORY", 22887 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3509" 22888 }, 22889 { 22890 "type": "WEB", 22891 "url": "https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9" 22892 }, 22893 { 22894 "type": "PACKAGE", 22895 "url": "https://github.com/protocolbuffers/protobuf/tree/main/java" 22896 } 22897 ], 22898 "related": [ 22899 "CGA-43ph-pj7p-v2hh", 22900 "CGA-77gj-vphq-h4fj", 22901 "CGA-mr3q-c88f-3c44" 22902 ], 22903 "schema_version": "1.6.0", 22904 "severity": [ 22905 { 22906 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 22907 "type": "CVSS_V3" 22908 } 22909 ], 22910 "summary": "Protobuf Java vulnerable to Uncontrolled Resource Consumption" 22911 }, 22912 { 22913 "affected": [ 22914 { 22915 
"database_specific": { 22916 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" 22917 }, 22918 "package": { 22919 "ecosystem": "Maven", 22920 "name": "com.google.protobuf:protobuf-java", 22921 "purl": "pkg:maven/com.google.protobuf/protobuf-java" 22922 }, 22923 "ranges": [ 22924 { 22925 "events": [ 22926 { 22927 "introduced": "3.21.0-rc-1" 22928 }, 22929 { 22930 "fixed": "3.21.7" 22931 } 22932 ], 22933 "type": "ECOSYSTEM" 22934 } 22935 ], 22936 "versions": [ 22937 "3.21.0", 22938 "3.21.0-rc-1", 22939 "3.21.0-rc-2", 22940 "3.21.1", 22941 "3.21.2", 22942 "3.21.3", 22943 "3.21.4", 22944 "3.21.5", 22945 "3.21.6" 22946 ] 22947 }, 22948 { 22949 "database_specific": { 22950 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" 22951 }, 22952 "package": { 22953 "ecosystem": "Maven", 22954 "name": "com.google.protobuf:protobuf-kotlin", 22955 "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin" 22956 }, 22957 "ranges": [ 22958 { 22959 "events": [ 22960 { 22961 "introduced": "3.21.0-rc-1" 22962 }, 22963 { 22964 "fixed": "3.21.7" 22965 } 22966 ], 22967 "type": "ECOSYSTEM" 22968 } 22969 ], 22970 "versions": [ 22971 "3.21.0", 22972 "3.21.0-rc-1", 22973 "3.21.0-rc-2", 22974 "3.21.1", 22975 "3.21.2", 22976 "3.21.3", 22977 "3.21.4", 22978 "3.21.5", 22979 "3.21.6" 22980 ] 22981 }, 22982 { 22983 "database_specific": { 22984 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" 22985 }, 22986 "package": { 22987 "ecosystem": "RubyGems", 22988 "name": "google-protobuf", 22989 "purl": "pkg:gem/google-protobuf" 22990 }, 22991 "ranges": [ 22992 { 22993 "events": [ 22994 { 22995 "introduced": "3.21.0.rc.1" 22996 }, 22997 { 22998 "fixed": "3.21.7" 22999 } 23000 ], 23001 "type": "ECOSYSTEM" 23002 } 23003 ], 23004 
"versions": [ 23005 "3.21.0", 23006 "3.21.0.rc.1", 23007 "3.21.0.rc.2", 23008 "3.21.1", 23009 "3.21.2", 23010 "3.21.3", 23011 "3.21.4", 23012 "3.21.5", 23013 "3.21.6" 23014 ] 23015 }, 23016 { 23017 "database_specific": { 23018 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" 23019 }, 23020 "package": { 23021 "ecosystem": "Maven", 23022 "name": "com.google.protobuf:protobuf-javalite", 23023 "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" 23024 }, 23025 "ranges": [ 23026 { 23027 "events": [ 23028 { 23029 "introduced": "3.21.0-rc-1" 23030 }, 23031 { 23032 "fixed": "3.21.7" 23033 } 23034 ], 23035 "type": "ECOSYSTEM" 23036 } 23037 ], 23038 "versions": [ 23039 "3.21.0", 23040 "3.21.0-rc-1", 23041 "3.21.0-rc-2", 23042 "3.21.1", 23043 "3.21.2", 23044 "3.21.3", 23045 "3.21.4", 23046 "3.21.5", 23047 "3.21.6" 23048 ] 23049 }, 23050 { 23051 "database_specific": { 23052 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" 23053 }, 23054 "package": { 23055 "ecosystem": "Maven", 23056 "name": "com.google.protobuf:protobuf-kotlin-lite", 23057 "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin-lite" 23058 }, 23059 "ranges": [ 23060 { 23061 "events": [ 23062 { 23063 "introduced": "3.21.0-rc-1" 23064 }, 23065 { 23066 "fixed": "3.21.7" 23067 } 23068 ], 23069 "type": "ECOSYSTEM" 23070 } 23071 ], 23072 "versions": [ 23073 "3.21.0", 23074 "3.21.0-rc-1", 23075 "3.21.0-rc-2", 23076 "3.21.1", 23077 "3.21.2", 23078 "3.21.3", 23079 "3.21.4", 23080 "3.21.5", 23081 "3.21.6" 23082 ] 23083 }, 23084 { 23085 "database_specific": { 23086 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" 23087 }, 23088 "package": { 23089 "ecosystem": "Maven", 23090 "name": "com.google.protobuf:protobuf-java", 23091 "purl": 
"pkg:maven/com.google.protobuf/protobuf-java" 23092 }, 23093 "ranges": [ 23094 { 23095 "events": [ 23096 { 23097 "introduced": "3.20.0-rc-1" 23098 }, 23099 { 23100 "fixed": "3.20.3" 23101 } 23102 ], 23103 "type": "ECOSYSTEM" 23104 } 23105 ], 23106 "versions": [ 23107 "3.20.0", 23108 "3.20.0-rc-1", 23109 "3.20.1", 23110 "3.20.1-rc-1", 23111 "3.20.2" 23112 ] 23113 }, 23114 { 23115 "database_specific": { 23116 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" 23117 }, 23118 "package": { 23119 "ecosystem": "Maven", 23120 "name": "com.google.protobuf:protobuf-java", 23121 "purl": "pkg:maven/com.google.protobuf/protobuf-java" 23122 }, 23123 "ranges": [ 23124 { 23125 "events": [ 23126 { 23127 "introduced": "3.17.0-rc-1" 23128 }, 23129 { 23130 "fixed": "3.19.6" 23131 } 23132 ], 23133 "type": "ECOSYSTEM" 23134 } 23135 ], 23136 "versions": [ 23137 "3.17.0", 23138 "3.17.0-rc-1", 23139 "3.17.0-rc-2", 23140 "3.17.1", 23141 "3.17.2", 23142 "3.17.3", 23143 "3.18.0", 23144 "3.18.0-rc-1", 23145 "3.18.0-rc-2", 23146 "3.18.1", 23147 "3.18.2", 23148 "3.18.3", 23149 "3.19.0", 23150 "3.19.0-rc-1", 23151 "3.19.0-rc-2", 23152 "3.19.1", 23153 "3.19.2", 23154 "3.19.3", 23155 "3.19.4", 23156 "3.19.5" 23157 ] 23158 }, 23159 { 23160 "database_specific": { 23161 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" 23162 }, 23163 "package": { 23164 "ecosystem": "Maven", 23165 "name": "com.google.protobuf:protobuf-java", 23166 "purl": "pkg:maven/com.google.protobuf/protobuf-java" 23167 }, 23168 "ranges": [ 23169 { 23170 "events": [ 23171 { 23172 "introduced": "0" 23173 }, 23174 { 23175 "fixed": "3.16.3" 23176 } 23177 ], 23178 "type": "ECOSYSTEM" 23179 } 23180 ], 23181 "versions": [ 23182 "2.0.1", 23183 "2.0.3", 23184 "2.1.0", 23185 "2.2.0", 23186 "2.3.0", 23187 "2.4.0a", 23188 "2.4.1", 23189 "2.5.0", 23190 
"2.6.0", 23191 "2.6.1", 23192 "3.0.0", 23193 "3.0.0-alpha-2", 23194 "3.0.0-alpha-3", 23195 "3.0.0-alpha-3.1", 23196 "3.0.0-beta-1", 23197 "3.0.0-beta-2", 23198 "3.0.0-beta-3", 23199 "3.0.0-beta-4", 23200 "3.0.2", 23201 "3.1.0", 23202 "3.10.0", 23203 "3.10.0-rc-1", 23204 "3.11.0", 23205 "3.11.0-rc-1", 23206 "3.11.0-rc-2", 23207 "3.11.1", 23208 "3.11.3", 23209 "3.11.4", 23210 "3.12.0", 23211 "3.12.0-rc-1", 23212 "3.12.0-rc-2", 23213 "3.12.1", 23214 "3.12.2", 23215 "3.12.4", 23216 "3.13.0", 23217 "3.13.0-rc-3", 23218 "3.14.0", 23219 "3.14.0-rc-1", 23220 "3.14.0-rc-2", 23221 "3.14.0-rc-3", 23222 "3.15.0", 23223 "3.15.0-rc-1", 23224 "3.15.0-rc-2", 23225 "3.15.1", 23226 "3.15.2", 23227 "3.15.3", 23228 "3.15.4", 23229 "3.15.5", 23230 "3.15.6", 23231 "3.15.7", 23232 "3.15.8", 23233 "3.16.0", 23234 "3.16.0-rc-1", 23235 "3.16.0-rc-2", 23236 "3.16.1", 23237 "3.2.0", 23238 "3.2.0-rc.1", 23239 "3.2.0rc2", 23240 "3.3.0", 23241 "3.3.1", 23242 "3.4.0", 23243 "3.5.0", 23244 "3.5.1", 23245 "3.6.0", 23246 "3.6.1", 23247 "3.7.0", 23248 "3.7.0-rc1", 23249 "3.7.1", 23250 "3.8.0", 23251 "3.8.0-rc-1", 23252 "3.9.0", 23253 "3.9.0-rc-1", 23254 "3.9.1", 23255 "3.9.2" 23256 ] 23257 }, 23258 { 23259 "database_specific": { 23260 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" 23261 }, 23262 "package": { 23263 "ecosystem": "Maven", 23264 "name": "com.google.protobuf:protobuf-kotlin", 23265 "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin" 23266 }, 23267 "ranges": [ 23268 { 23269 "events": [ 23270 { 23271 "introduced": "3.20.0-rc-1" 23272 }, 23273 { 23274 "fixed": "3.20.3" 23275 } 23276 ], 23277 "type": "ECOSYSTEM" 23278 } 23279 ], 23280 "versions": [ 23281 "3.20.0", 23282 "3.20.0-rc-1", 23283 "3.20.1", 23284 "3.20.1-rc-1", 23285 "3.20.2" 23286 ] 23287 }, 23288 { 23289 "database_specific": { 23290 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" 23291 }, 23292 "package": { 23293 "ecosystem": "Maven", 23294 "name": "com.google.protobuf:protobuf-kotlin", 23295 "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin" 23296 }, 23297 "ranges": [ 23298 { 23299 "events": [ 23300 { 23301 "introduced": "3.17.0-rc-1" 23302 }, 23303 { 23304 "fixed": "3.19.6" 23305 } 23306 ], 23307 "type": "ECOSYSTEM" 23308 } 23309 ], 23310 "versions": [ 23311 "3.17.0", 23312 "3.17.0-rc-2", 23313 "3.17.1", 23314 "3.17.2", 23315 "3.17.3", 23316 "3.18.0", 23317 "3.18.0-rc-1", 23318 "3.18.0-rc-2", 23319 "3.18.1", 23320 "3.18.2", 23321 "3.18.3", 23322 "3.19.0", 23323 "3.19.0-rc-1", 23324 "3.19.0-rc-2", 23325 "3.19.1", 23326 "3.19.2", 23327 "3.19.3", 23328 "3.19.4", 23329 "3.19.5" 23330 ] 23331 }, 23332 { 23333 "database_specific": { 23334 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" 23335 }, 23336 "package": { 23337 "ecosystem": "Maven", 23338 "name": "com.google.protobuf:protobuf-kotlin", 23339 "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin" 23340 }, 23341 "ranges": [ 23342 { 23343 "events": [ 23344 { 23345 "introduced": "0" 23346 }, 23347 { 23348 "fixed": "3.16.3" 23349 } 23350 ], 23351 "type": "ECOSYSTEM" 23352 } 23353 ] 23354 }, 23355 { 23356 "database_specific": { 23357 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" 23358 }, 23359 "package": { 23360 "ecosystem": "RubyGems", 23361 "name": "google-protobuf", 23362 "purl": "pkg:gem/google-protobuf" 23363 }, 23364 "ranges": [ 23365 { 23366 "events": [ 23367 { 23368 "introduced": "3.20.0.rc.1" 23369 }, 23370 { 23371 "fixed": "3.20.3" 23372 } 23373 ], 23374 "type": "ECOSYSTEM" 23375 } 23376 ], 23377 "versions": [ 23378 "3.20.0", 23379 "3.20.0.rc.1", 
23380 "3.20.0.rc.2", 23381 "3.20.1", 23382 "3.20.1.rc.1", 23383 "3.20.2" 23384 ] 23385 }, 23386 { 23387 "database_specific": { 23388 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" 23389 }, 23390 "package": { 23391 "ecosystem": "RubyGems", 23392 "name": "google-protobuf", 23393 "purl": "pkg:gem/google-protobuf" 23394 }, 23395 "ranges": [ 23396 { 23397 "events": [ 23398 { 23399 "introduced": "3.17.0.rc.1" 23400 }, 23401 { 23402 "fixed": "3.19.6" 23403 } 23404 ], 23405 "type": "ECOSYSTEM" 23406 } 23407 ], 23408 "versions": [ 23409 "3.17.0", 23410 "3.17.0.rc.1", 23411 "3.17.0.rc.2", 23412 "3.17.1", 23413 "3.17.2", 23414 "3.17.3", 23415 "3.18.0", 23416 "3.18.0.rc.1", 23417 "3.18.0.rc.2", 23418 "3.18.1", 23419 "3.18.2", 23420 "3.18.3", 23421 "3.19.0", 23422 "3.19.0.rc.1", 23423 "3.19.0.rc.2", 23424 "3.19.1", 23425 "3.19.2", 23426 "3.19.3", 23427 "3.19.4", 23428 "3.19.5" 23429 ] 23430 }, 23431 { 23432 "database_specific": { 23433 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" 23434 }, 23435 "package": { 23436 "ecosystem": "RubyGems", 23437 "name": "google-protobuf", 23438 "purl": "pkg:gem/google-protobuf" 23439 }, 23440 "ranges": [ 23441 { 23442 "events": [ 23443 { 23444 "introduced": "0" 23445 }, 23446 { 23447 "fixed": "3.16.3" 23448 } 23449 ], 23450 "type": "ECOSYSTEM" 23451 } 23452 ], 23453 "versions": [ 23454 "3.0.0", 23455 "3.0.0.alpha.1.0", 23456 "3.0.0.alpha.1.1", 23457 "3.0.0.alpha.2.0", 23458 "3.0.0.alpha.3", 23459 "3.0.0.alpha.3.1.pre", 23460 "3.0.0.alpha.4.0", 23461 "3.0.0.alpha.5.0.3", 23462 "3.0.0.alpha.5.0.4", 23463 "3.0.0.alpha.5.0.5", 23464 "3.0.0.alpha.5.0.5.1", 23465 "3.0.2", 23466 "3.1.0", 23467 "3.1.0.0.pre", 23468 "3.10.0.rc.1", 23469 "3.10.1", 23470 "3.11.0", 23471 "3.11.0.rc.1", 23472 "3.11.0.rc.2", 23473 "3.11.1", 23474 "3.11.2", 23475 "3.11.3", 23476 
"3.11.4", 23477 "3.12.0", 23478 "3.12.0.rc.1", 23479 "3.12.0.rc.2", 23480 "3.12.1", 23481 "3.12.2", 23482 "3.12.4", 23483 "3.13.0", 23484 "3.13.0.rc.3", 23485 "3.14.0", 23486 "3.14.0.rc.1", 23487 "3.14.0.rc.2", 23488 "3.14.0.rc.3", 23489 "3.15.0", 23490 "3.15.0.rc.1", 23491 "3.15.0.rc.2", 23492 "3.15.1", 23493 "3.15.2", 23494 "3.15.3", 23495 "3.15.4", 23496 "3.15.5", 23497 "3.15.6", 23498 "3.15.7", 23499 "3.15.8", 23500 "3.16.0", 23501 "3.16.0.rc.1", 23502 "3.16.0.rc.2", 23503 "3.2.0", 23504 "3.2.0.1", 23505 "3.2.0.2", 23506 "3.2.1.pre", 23507 "3.3.0", 23508 "3.4.0.1", 23509 "3.4.0.2", 23510 "3.4.1.1", 23511 "3.5.0", 23512 "3.5.0.pre", 23513 "3.5.1", 23514 "3.5.1.1", 23515 "3.5.1.2", 23516 "3.6.0", 23517 "3.6.1", 23518 "3.7.0", 23519 "3.7.0.rc.2", 23520 "3.7.0.rc.3", 23521 "3.7.1", 23522 "3.8.0", 23523 "3.8.0.rc.1", 23524 "3.9.0", 23525 "3.9.0.rc.1", 23526 "3.9.1", 23527 "3.9.2" 23528 ] 23529 }, 23530 { 23531 "database_specific": { 23532 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" 23533 }, 23534 "package": { 23535 "ecosystem": "Maven", 23536 "name": "com.google.protobuf:protobuf-javalite", 23537 "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" 23538 }, 23539 "ranges": [ 23540 { 23541 "events": [ 23542 { 23543 "introduced": "3.20.0-rc-1" 23544 }, 23545 { 23546 "fixed": "3.20.3" 23547 } 23548 ], 23549 "type": "ECOSYSTEM" 23550 } 23551 ], 23552 "versions": [ 23553 "3.20.0", 23554 "3.20.0-rc-1", 23555 "3.20.1", 23556 "3.20.1-rc-1", 23557 "3.20.2" 23558 ] 23559 }, 23560 { 23561 "database_specific": { 23562 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" 23563 }, 23564 "package": { 23565 "ecosystem": "Maven", 23566 "name": "com.google.protobuf:protobuf-javalite", 23567 "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" 23568 }, 23569 "ranges": [ 23570 { 23571 
"events": [ 23572 { 23573 "introduced": "3.17.0-rc-1" 23574 }, 23575 { 23576 "fixed": "3.19.6" 23577 } 23578 ], 23579 "type": "ECOSYSTEM" 23580 } 23581 ], 23582 "versions": [ 23583 "3.17.0", 23584 "3.17.0-rc-1", 23585 "3.17.0-rc-2", 23586 "3.17.1", 23587 "3.17.2", 23588 "3.17.3", 23589 "3.18.0", 23590 "3.18.0-rc-1", 23591 "3.18.0-rc-2", 23592 "3.18.1", 23593 "3.18.2", 23594 "3.18.3", 23595 "3.19.0", 23596 "3.19.0-rc-1", 23597 "3.19.0-rc-2", 23598 "3.19.1", 23599 "3.19.2", 23600 "3.19.3", 23601 "3.19.4", 23602 "3.19.5" 23603 ] 23604 }, 23605 { 23606 "database_specific": { 23607 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" 23608 }, 23609 "package": { 23610 "ecosystem": "Maven", 23611 "name": "com.google.protobuf:protobuf-javalite", 23612 "purl": "pkg:maven/com.google.protobuf/protobuf-javalite" 23613 }, 23614 "ranges": [ 23615 { 23616 "events": [ 23617 { 23618 "introduced": "0" 23619 }, 23620 { 23621 "fixed": "3.16.3" 23622 } 23623 ], 23624 "type": "ECOSYSTEM" 23625 } 23626 ], 23627 "versions": [ 23628 "3.10.0", 23629 "3.10.0-rc-1", 23630 "3.11.0", 23631 "3.11.0-rc-1", 23632 "3.11.0-rc-2", 23633 "3.11.1", 23634 "3.11.3", 23635 "3.11.4", 23636 "3.12.0", 23637 "3.12.0-rc-1", 23638 "3.12.0-rc-2", 23639 "3.12.1", 23640 "3.12.2", 23641 "3.12.4", 23642 "3.13.0", 23643 "3.13.0-rc-3", 23644 "3.14.0", 23645 "3.14.0-rc-1", 23646 "3.14.0-rc-2", 23647 "3.14.0-rc-3", 23648 "3.15.0", 23649 "3.15.0-rc-1", 23650 "3.15.0-rc-2", 23651 "3.15.1", 23652 "3.15.2", 23653 "3.15.3", 23654 "3.15.4", 23655 "3.15.5", 23656 "3.15.6", 23657 "3.15.7", 23658 "3.15.8", 23659 "3.16.0", 23660 "3.16.0-rc-1", 23661 "3.16.0-rc-2", 23662 "3.16.1", 23663 "3.8.0", 23664 "3.8.0-rc-1", 23665 "3.9.0", 23666 "3.9.0-rc-1", 23667 "3.9.1", 23668 "3.9.2" 23669 ] 23670 }, 23671 { 23672 "database_specific": { 23673 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" 23674 }, 23675 "package": { 23676 "ecosystem": "Maven", 23677 "name": "com.google.protobuf:protobuf-kotlin-lite", 23678 "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin-lite" 23679 }, 23680 "ranges": [ 23681 { 23682 "events": [ 23683 { 23684 "introduced": "3.20.0-rc-1" 23685 }, 23686 { 23687 "fixed": "3.20.3" 23688 } 23689 ], 23690 "type": "ECOSYSTEM" 23691 } 23692 ], 23693 "versions": [ 23694 "3.20.0", 23695 "3.20.0-rc-1", 23696 "3.20.1", 23697 "3.20.1-rc-1", 23698 "3.20.2" 23699 ] 23700 }, 23701 { 23702 "database_specific": { 23703 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" 23704 }, 23705 "package": { 23706 "ecosystem": "Maven", 23707 "name": "com.google.protobuf:protobuf-kotlin-lite", 23708 "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin-lite" 23709 }, 23710 "ranges": [ 23711 { 23712 "events": [ 23713 { 23714 "introduced": "3.17.0-rc-1" 23715 }, 23716 { 23717 "fixed": "3.19.6" 23718 } 23719 ], 23720 "type": "ECOSYSTEM" 23721 } 23722 ], 23723 "versions": [ 23724 "3.17.0", 23725 "3.17.0-rc-2", 23726 "3.17.1", 23727 "3.17.2", 23728 "3.17.3", 23729 "3.18.0", 23730 "3.18.0-rc-1", 23731 "3.18.0-rc-2", 23732 "3.18.1", 23733 "3.18.2", 23734 "3.18.3", 23735 "3.19.0", 23736 "3.19.0-rc-1", 23737 "3.19.0-rc-2", 23738 "3.19.1", 23739 "3.19.2", 23740 "3.19.3", 23741 "3.19.4", 23742 "3.19.5" 23743 ] 23744 }, 23745 { 23746 "database_specific": { 23747 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json" 23748 }, 23749 "package": { 23750 "ecosystem": "Maven", 23751 "name": "com.google.protobuf:protobuf-kotlin-lite", 23752 "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin-lite" 23753 }, 23754 "ranges": [ 23755 { 23756 "events": [ 23757 
{ 23758 "introduced": "0" 23759 }, 23760 { 23761 "fixed": "3.16.3" 23762 } 23763 ], 23764 "type": "ECOSYSTEM" 23765 } 23766 ] 23767 } 23768 ], 23769 "aliases": [ 23770 "CVE-2022-3171" 23771 ], 23772 "database_specific": { 23773 "cwe_ids": [ 23774 "CWE-20" 23775 ], 23776 "github_reviewed": true, 23777 "github_reviewed_at": "2022-10-04T22:17:15Z", 23778 "nvd_published_at": "2022-10-12T23:15:00Z", 23779 "severity": "MODERATE" 23780 }, 23781 "details": "## Summary\nA potential Denial of Service issue in `protobuf-java` core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated [embedded messages](http://developers.google.com/protocol-buffers/docs/encoding#embedded) with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. \n\nReporter: [OSS Fuzz](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771)\n\nAffected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.\n\n## Severity\n\n[CVE-2022-3171](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3171) Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)\n\n## Remediation and Mitigation\n\nPlease update to the latest available versions of the following packages:\n\nprotobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3)\nprotobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3)\nprotobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3)\nprotobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3)\ngoogle-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)\n", 23782 "id": "GHSA-h4h5-3hr4-j3g2", 23783 "modified": "2024-02-17T05:33:48.377272Z", 23784 "published": "2022-10-04T22:17:15Z", 23785 "references": [ 23786 { 23787 "type": "WEB", 23788 "url": 
"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2" 23789 }, 23790 { 23791 "type": "ADVISORY", 23792 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3171" 23793 }, 23794 { 23795 "type": "WEB", 23796 "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771" 23797 }, 23798 { 23799 "type": "PACKAGE", 23800 "url": "https://github.com/protocolbuffers/protobuf" 23801 }, 23802 { 23803 "type": "WEB", 23804 "url": "https://github.com/protocolbuffers/protobuf/releases/tag/v21.7" 23805 }, 23806 { 23807 "type": "WEB", 23808 "url": "https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3" 23809 }, 23810 { 23811 "type": "WEB", 23812 "url": "https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6" 23813 }, 23814 { 23815 "type": "WEB", 23816 "url": "https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3" 23817 }, 23818 { 23819 "type": "WEB", 23820 "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2022-3171.yml" 23821 }, 23822 { 23823 "type": "WEB", 23824 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3" 23825 }, 23826 { 23827 "type": "WEB", 23828 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP" 23829 }, 23830 { 23831 "type": "WEB", 23832 "url": "https://security.gentoo.org/glsa/202301-09" 23833 } 23834 ], 23835 "related": [ 23836 "CGA-4823-v8jx-rx3q", 23837 "CGA-j4r7-qxxx-756w", 23838 "CGA-jwcm-r7hw-56j9" 23839 ], 23840 "schema_version": "1.6.0", 23841 "severity": [ 23842 { 23843 "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", 23844 "type": "CVSS_V3" 23845 } 23846 ], 23847 "summary": "protobuf-java has a potential Denial of Service issue" 23848 }, 23849 { 23850 "affected": [ 23851 { 23852 "database_specific": { 23853 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json" 23854 }, 23855 "package": { 23856 "ecosystem": "Maven", 23857 "name": "com.google.protobuf:protobuf-java", 23858 "purl": "pkg:maven/com.google.protobuf/protobuf-java" 23859 }, 23860 "ranges": [ 23861 { 23862 "events": [ 23863 { 23864 "introduced": "0" 23865 }, 23866 { 23867 "fixed": "3.16.1" 23868 } 23869 ], 23870 "type": "ECOSYSTEM" 23871 } 23872 ], 23873 "versions": [ 23874 "2.0.1", 23875 "2.0.3", 23876 "2.1.0", 23877 "2.2.0", 23878 "2.3.0", 23879 "2.4.0a", 23880 "2.4.1", 23881 "2.5.0", 23882 "2.6.0", 23883 "2.6.1", 23884 "3.0.0", 23885 "3.0.0-alpha-2", 23886 "3.0.0-alpha-3", 23887 "3.0.0-alpha-3.1", 23888 "3.0.0-beta-1", 23889 "3.0.0-beta-2", 23890 "3.0.0-beta-3", 23891 "3.0.0-beta-4", 23892 "3.0.2", 23893 "3.1.0", 23894 "3.10.0", 23895 "3.10.0-rc-1", 23896 "3.11.0", 23897 "3.11.0-rc-1", 23898 "3.11.0-rc-2", 23899 "3.11.1", 23900 "3.11.3", 23901 "3.11.4", 23902 "3.12.0", 23903 "3.12.0-rc-1", 23904 "3.12.0-rc-2", 23905 "3.12.1", 23906 "3.12.2", 23907 "3.12.4", 23908 "3.13.0", 23909 "3.13.0-rc-3", 23910 "3.14.0", 23911 "3.14.0-rc-1", 23912 "3.14.0-rc-2", 23913 "3.14.0-rc-3", 23914 "3.15.0", 23915 "3.15.0-rc-1", 23916 "3.15.0-rc-2", 23917 "3.15.1", 23918 "3.15.2", 23919 "3.15.3", 23920 "3.15.4", 23921 "3.15.5", 23922 "3.15.6", 23923 "3.15.7", 23924 "3.15.8", 23925 "3.16.0", 23926 "3.16.0-rc-1", 23927 "3.16.0-rc-2", 23928 "3.2.0", 23929 "3.2.0-rc.1", 23930 "3.2.0rc2", 23931 "3.3.0", 23932 "3.3.1", 23933 "3.4.0", 23934 "3.5.0", 23935 "3.5.1", 23936 "3.6.0", 23937 "3.6.1", 23938 "3.7.0", 23939 "3.7.0-rc1", 23940 "3.7.1", 23941 "3.8.0", 23942 "3.8.0-rc-1", 23943 "3.9.0", 23944 "3.9.0-rc-1", 23945 "3.9.1", 23946 "3.9.2" 23947 ] 23948 }, 23949 { 23950 "database_specific": { 23951 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json" 23952 }, 23953 
"package": { 23954 "ecosystem": "RubyGems", 23955 "name": "google-protobuf", 23956 "purl": "pkg:gem/google-protobuf" 23957 }, 23958 "ranges": [ 23959 { 23960 "events": [ 23961 { 23962 "introduced": "0" 23963 }, 23964 { 23965 "fixed": "3.19.2" 23966 } 23967 ], 23968 "type": "ECOSYSTEM" 23969 } 23970 ], 23971 "versions": [ 23972 "3.0.0", 23973 "3.0.0.alpha.1.0", 23974 "3.0.0.alpha.1.1", 23975 "3.0.0.alpha.2.0", 23976 "3.0.0.alpha.3", 23977 "3.0.0.alpha.3.1.pre", 23978 "3.0.0.alpha.4.0", 23979 "3.0.0.alpha.5.0.3", 23980 "3.0.0.alpha.5.0.4", 23981 "3.0.0.alpha.5.0.5", 23982 "3.0.0.alpha.5.0.5.1", 23983 "3.0.2", 23984 "3.1.0", 23985 "3.1.0.0.pre", 23986 "3.10.0.rc.1", 23987 "3.10.1", 23988 "3.11.0", 23989 "3.11.0.rc.1", 23990 "3.11.0.rc.2", 23991 "3.11.1", 23992 "3.11.2", 23993 "3.11.3", 23994 "3.11.4", 23995 "3.12.0", 23996 "3.12.0.rc.1", 23997 "3.12.0.rc.2", 23998 "3.12.1", 23999 "3.12.2", 24000 "3.12.4", 24001 "3.13.0", 24002 "3.13.0.rc.3", 24003 "3.14.0", 24004 "3.14.0.rc.1", 24005 "3.14.0.rc.2", 24006 "3.14.0.rc.3", 24007 "3.15.0", 24008 "3.15.0.rc.1", 24009 "3.15.0.rc.2", 24010 "3.15.1", 24011 "3.15.2", 24012 "3.15.3", 24013 "3.15.4", 24014 "3.15.5", 24015 "3.15.6", 24016 "3.15.7", 24017 "3.15.8", 24018 "3.16.0", 24019 "3.16.0.rc.1", 24020 "3.16.0.rc.2", 24021 "3.17.0", 24022 "3.17.0.rc.1", 24023 "3.17.0.rc.2", 24024 "3.17.1", 24025 "3.17.2", 24026 "3.17.3", 24027 "3.18.0", 24028 "3.18.0.rc.1", 24029 "3.18.0.rc.2", 24030 "3.18.1", 24031 "3.18.2", 24032 "3.18.3", 24033 "3.19.0", 24034 "3.19.0.rc.1", 24035 "3.19.0.rc.2", 24036 "3.19.1", 24037 "3.2.0", 24038 "3.2.0.1", 24039 "3.2.0.2", 24040 "3.2.1.pre", 24041 "3.3.0", 24042 "3.4.0.1", 24043 "3.4.0.2", 24044 "3.4.1.1", 24045 "3.5.0", 24046 "3.5.0.pre", 24047 "3.5.1", 24048 "3.5.1.1", 24049 "3.5.1.2", 24050 "3.6.0", 24051 "3.6.1", 24052 "3.7.0", 24053 "3.7.0.rc.2", 24054 "3.7.0.rc.3", 24055 "3.7.1", 24056 "3.8.0", 24057 "3.8.0.rc.1", 24058 "3.9.0", 24059 "3.9.0.rc.1", 24060 "3.9.1", 24061 "3.9.2" 24062 ] 24063 }, 
24064 { 24065 "database_specific": { 24066 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json" 24067 }, 24068 "package": { 24069 "ecosystem": "Maven", 24070 "name": "com.google.protobuf:protobuf-java", 24071 "purl": "pkg:maven/com.google.protobuf/protobuf-java" 24072 }, 24073 "ranges": [ 24074 { 24075 "events": [ 24076 { 24077 "introduced": "3.18.0" 24078 }, 24079 { 24080 "fixed": "3.18.2" 24081 } 24082 ], 24083 "type": "ECOSYSTEM" 24084 } 24085 ], 24086 "versions": [ 24087 "3.18.0", 24088 "3.18.1" 24089 ] 24090 }, 24091 { 24092 "database_specific": { 24093 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json" 24094 }, 24095 "package": { 24096 "ecosystem": "Maven", 24097 "name": "com.google.protobuf:protobuf-java", 24098 "purl": "pkg:maven/com.google.protobuf/protobuf-java" 24099 }, 24100 "ranges": [ 24101 { 24102 "events": [ 24103 { 24104 "introduced": "3.19.0" 24105 }, 24106 { 24107 "fixed": "3.19.2" 24108 } 24109 ], 24110 "type": "ECOSYSTEM" 24111 } 24112 ], 24113 "versions": [ 24114 "3.19.0", 24115 "3.19.1" 24116 ] 24117 }, 24118 { 24119 "database_specific": { 24120 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json" 24121 }, 24122 "package": { 24123 "ecosystem": "Maven", 24124 "name": "com.google.protobuf:protobuf-kotlin", 24125 "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin" 24126 }, 24127 "ranges": [ 24128 { 24129 "events": [ 24130 { 24131 "introduced": "3.18.0" 24132 }, 24133 { 24134 "fixed": "3.18.2" 24135 } 24136 ], 24137 "type": "ECOSYSTEM" 24138 } 24139 ], 24140 "versions": [ 24141 "3.18.0", 24142 "3.18.1" 24143 ] 24144 }, 24145 { 24146 "database_specific": { 24147 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json" 24148 }, 24149 "package": { 24150 "ecosystem": "Maven", 24151 "name": "com.google.protobuf:protobuf-kotlin", 24152 "purl": "pkg:maven/com.google.protobuf/protobuf-kotlin" 24153 }, 24154 "ranges": [ 24155 { 24156 "events": [ 24157 { 24158 "introduced": "3.19.0" 24159 }, 24160 { 24161 "fixed": "3.19.2" 24162 } 24163 ], 24164 "type": "ECOSYSTEM" 24165 } 24166 ], 24167 "versions": [ 24168 "3.19.0", 24169 "3.19.1" 24170 ] 24171 } 24172 ], 24173 "aliases": [ 24174 "CVE-2021-22569" 24175 ], 24176 "database_specific": { 24177 "cwe_ids": [ 24178 "CWE-696" 24179 ], 24180 "github_reviewed": true, 24181 "github_reviewed_at": "2022-01-07T22:23:14Z", 24182 "nvd_published_at": "2022-01-10T14:10:00Z", 24183 "severity": "HIGH" 24184 }, 24185 "details": "## Summary\n\nA potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data.\n\nReporter: [OSS-Fuzz](https://github.com/google/oss-fuzz)\n\nAffected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf \"javalite\" users (typically Android) are not affected.\n\n## Severity\n\n[CVE-2021-22569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569) **High** - CVSS Score: 7.5. An implementation weakness in how unknown fields are parsed in Java. 
A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses.\n\n## Proof of Concept\n\nFor reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness.\n\n## Remediation and Mitigation\n\nPlease update to the latest available versions of the following packages:\n\n- protobuf-java (3.16.1, 3.18.2, 3.19.2) \n- protobuf-kotlin (3.18.2, 3.19.2)\n- google-protobuf [JRuby gem only] (3.19.2) \n", 24186 "id": "GHSA-wrvw-hg22-4m67", 24187 "modified": "2023-11-08T04:05:00.773426Z", 24188 "published": "2022-01-07T22:31:44Z", 24189 "references": [ 24190 { 24191 "type": "WEB", 24192 "url": "https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67" 24193 }, 24194 { 24195 "type": "ADVISORY", 24196 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22569" 24197 }, 24198 { 24199 "type": "WEB", 24200 "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330" 24201 }, 24202 { 24203 "type": "WEB", 24204 "url": "https://cloud.google.com/support/bulletins#gcp-2022-001" 24205 }, 24206 { 24207 "type": "PACKAGE", 24208 "url": "https://github.com/protocolbuffers/protobuf" 24209 }, 24210 { 24211 "type": "WEB", 24212 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 24213 }, 24214 { 24215 "type": "WEB", 24216 "url": "http://www.openwall.com/lists/oss-security/2022/01/12/4" 24217 }, 24218 { 24219 "type": "WEB", 24220 "url": "http://www.openwall.com/lists/oss-security/2022/01/12/7" 24221 } 24222 ], 24223 "related": [ 24224 "CGA-7g86-w24x-hwm7", 24225 "CGA-8j74-3gff-6wq3", 24226 "CGA-gp73-784m-3935" 24227 ], 24228 "schema_version": "1.6.0", 24229 "severity": [ 24230 { 24231 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 24232 "type": "CVSS_V3" 24233 } 24234 ], 24235 "summary": "A potential Denial of Service issue in protobuf-java" 24236 }, 24237 { 24238 
"affected": [ 24239 { 24240 "database_specific": { 24241 "last_known_affected_version_range": "\u003c= 0.1.53", 24242 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q446-82vq-w674/GHSA-q446-82vq-w674.json" 24243 }, 24244 "package": { 24245 "ecosystem": "Maven", 24246 "name": "com.jcraft:jsch", 24247 "purl": "pkg:maven/com.jcraft/jsch" 24248 }, 24249 "ranges": [ 24250 { 24251 "events": [ 24252 { 24253 "introduced": "0" 24254 }, 24255 { 24256 "fixed": "0.1.54" 24257 } 24258 ], 24259 "type": "ECOSYSTEM" 24260 } 24261 ], 24262 "versions": [ 24263 "0.1.23", 24264 "0.1.24", 24265 "0.1.25", 24266 "0.1.27", 24267 "0.1.29", 24268 "0.1.31", 24269 "0.1.38", 24270 "0.1.41", 24271 "0.1.42", 24272 "0.1.43", 24273 "0.1.43-1", 24274 "0.1.44", 24275 "0.1.44-1", 24276 "0.1.45", 24277 "0.1.46", 24278 "0.1.47", 24279 "0.1.48", 24280 "0.1.49", 24281 "0.1.50", 24282 "0.1.51", 24283 "0.1.52", 24284 "0.1.53" 24285 ] 24286 } 24287 ], 24288 "aliases": [ 24289 "CVE-2016-5725" 24290 ], 24291 "database_specific": { 24292 "cwe_ids": [ 24293 "CWE-22" 24294 ], 24295 "github_reviewed": true, 24296 "github_reviewed_at": "2022-07-06T19:44:21Z", 24297 "nvd_published_at": "2017-01-19T22:59:00Z", 24298 "severity": "MODERATE" 24299 }, 24300 "details": "Directory traversal vulnerability in JCraft JSch before 0.1.54 on Windows, when the mode is ChannelSftp.OVERWRITE, allows remote SFTP servers to write to arbitrary files via a ..\\ (dot dot backslash) in a response to a recursive GET command.", 24301 "id": "GHSA-q446-82vq-w674", 24302 "modified": "2024-02-20T05:33:38.873866Z", 24303 "published": "2022-05-13T01:09:33Z", 24304 "references": [ 24305 { 24306 "type": "ADVISORY", 24307 "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5725" 24308 }, 24309 { 24310 "type": "WEB", 24311 "url": "https://access.redhat.com/errata/RHSA-2017:3115" 24312 }, 24313 { 24314 "type": "WEB", 24315 "url": "https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-5725" 
24316 }, 24317 { 24318 "type": "WEB", 24319 "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00017.html" 24320 }, 24321 { 24322 "type": "WEB", 24323 "url": "https://www.exploit-db.com/exploits/40411" 24324 }, 24325 { 24326 "type": "WEB", 24327 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 24328 }, 24329 { 24330 "type": "WEB", 24331 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 24332 }, 24333 { 24334 "type": "WEB", 24335 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 24336 }, 24337 { 24338 "type": "WEB", 24339 "url": "http://packetstormsecurity.com/files/138809/jsch-0.1.53-Path-Traversal.html" 24340 }, 24341 { 24342 "type": "WEB", 24343 "url": "http://seclists.org/fulldisclosure/2016/Sep/53" 24344 }, 24345 { 24346 "type": "WEB", 24347 "url": "http://www.jcraft.com/jsch/ChangeLog" 24348 } 24349 ], 24350 "schema_version": "1.6.0", 24351 "severity": [ 24352 { 24353 "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", 24354 "type": "CVSS_V3" 24355 } 24356 ], 24357 "summary": "Improper Limitation of a Pathname to a Restricted Directory in JCraft JSch" 24358 }, 24359 { 24360 "affected": [ 24361 { 24362 "database_specific": { 24363 "last_known_affected_version_range": "\u003c= 0.9.5.3", 24364 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-84p2-vf58-xhxv/GHSA-84p2-vf58-xhxv.json" 24365 }, 24366 "package": { 24367 "ecosystem": "Maven", 24368 "name": "com.mchange:c3p0", 24369 "purl": "pkg:maven/com.mchange/c3p0" 24370 }, 24371 "ranges": [ 24372 { 24373 "events": [ 24374 { 24375 "introduced": "0" 24376 }, 24377 { 24378 "fixed": "0.9.5.4" 24379 } 24380 ], 24381 "type": "ECOSYSTEM" 24382 } 24383 ], 24384 "versions": [ 24385 "0.9.2", 24386 "0.9.2-pre2-RELEASE", 24387 "0.9.2-pre3", 24388 "0.9.2-pre4", 24389 "0.9.2-pre5", 24390 "0.9.2-pre6", 24391 "0.9.2-pre7", 24392 "0.9.2-pre8", 24393 "0.9.2.1", 24394 "0.9.5", 24395 "0.9.5-pre1", 24396 "0.9.5-pre10", 
24397 "0.9.5-pre2", 24398 "0.9.5-pre3", 24399 "0.9.5-pre4", 24400 "0.9.5-pre5", 24401 "0.9.5-pre6", 24402 "0.9.5-pre7", 24403 "0.9.5-pre8", 24404 "0.9.5-pre9", 24405 "0.9.5.1", 24406 "0.9.5.2", 24407 "0.9.5.3" 24408 ] 24409 } 24410 ], 24411 "aliases": [ 24412 "CVE-2019-5427" 24413 ], 24414 "database_specific": { 24415 "cwe_ids": [ 24416 "CWE-776" 24417 ], 24418 "github_reviewed": true, 24419 "github_reviewed_at": "2019-04-23T16:01:51Z", 24420 "nvd_published_at": "2019-04-22T21:29:00Z", 24421 "severity": "HIGH" 24422 }, 24423 "details": "c3p0 versions before 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration, because the configuration parser lacks protections against recursive entity expansion.", 24424 "id": "GHSA-84p2-vf58-xhxv", 24425 "modified": "2024-02-16T08:07:45.873484Z", 24426 "published": "2019-04-23T16:03:18Z", 24427 "references": [ 24428 { 24429 "type": "ADVISORY", 24430 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5427" 24431 }, 24432 { 24433 "type": "WEB", 24434 "url": "https://hackerone.com/reports/509315" 24435 }, 24436 { 24437 "type": "WEB", 24438 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR" 24439 }, 24440 { 24441 "type": "WEB", 24442 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4" 24443 }, 24444 { 24445 "type": "WEB", 24446 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 24447 }, 24448 { 24449 "type": "WEB", 24450 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 24451 }, 24452 { 24453 "type": "WEB", 24454 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 24455 }, 24456 { 24457 "type": "WEB", 24458 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 24459 }, 24460 { 24461 "type": "WEB", 24462 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 24463 } 24464 ], 24465 
"schema_version": "1.6.0", 24466 "severity": [ 24467 { 24468 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 24469 "type": "CVSS_V3" 24470 } 24471 ], 24472 "summary": "Billion laughs attack in c3p0" 24473 }, 24474 { 24475 "affected": [ 24476 { 24477 "database_specific": { 24478 "last_known_affected_version_range": "\u003c= 0.9.5.2", 24479 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-q485-j897-qc27/GHSA-q485-j897-qc27.json" 24480 }, 24481 "package": { 24482 "ecosystem": "Maven", 24483 "name": "com.mchange:c3p0", 24484 "purl": "pkg:maven/com.mchange/c3p0" 24485 }, 24486 "ranges": [ 24487 { 24488 "events": [ 24489 { 24490 "introduced": "0" 24491 }, 24492 { 24493 "fixed": "0.9.5.3" 24494 } 24495 ], 24496 "type": "ECOSYSTEM" 24497 } 24498 ], 24499 "versions": [ 24500 "0.9.2", 24501 "0.9.2-pre2-RELEASE", 24502 "0.9.2-pre3", 24503 "0.9.2-pre4", 24504 "0.9.2-pre5", 24505 "0.9.2-pre6", 24506 "0.9.2-pre7", 24507 "0.9.2-pre8", 24508 "0.9.2.1", 24509 "0.9.5", 24510 "0.9.5-pre1", 24511 "0.9.5-pre10", 24512 "0.9.5-pre2", 24513 "0.9.5-pre3", 24514 "0.9.5-pre4", 24515 "0.9.5-pre5", 24516 "0.9.5-pre6", 24517 "0.9.5-pre7", 24518 "0.9.5-pre8", 24519 "0.9.5-pre9", 24520 "0.9.5.1", 24521 "0.9.5.2" 24522 ] 24523 } 24524 ], 24525 "aliases": [ 24526 "CVE-2018-20433" 24527 ], 24528 "database_specific": { 24529 "cwe_ids": [ 24530 "CWE-611" 24531 ], 24532 "github_reviewed": true, 24533 "github_reviewed_at": "2020-06-16T21:50:54Z", 24534 "nvd_published_at": null, 24535 "severity": "CRITICAL" 24536 }, 24537 "details": "c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization. Per the affected range recorded here (all releases up to and including 0.9.5.2; fixed in 0.9.5.3), earlier releases are affected as well; upgrade to 0.9.5.3 or later.", 24538 "id": "GHSA-q485-j897-qc27", 24539 "modified": "2024-02-17T05:36:17.856971Z", 24540 "published": "2019-01-07T19:14:34Z", 24541 "references": [ 24542 { 24543 "type": "ADVISORY", 24544 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20433" 24545 }, 24546 { 24547 "type": 
"WEB", 24548 "url": "https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b" 24549 }, 24550 { 24551 "type": "ADVISORY", 24552 "url": "https://github.com/advisories/GHSA-q485-j897-qc27" 24553 }, 24554 { 24555 "type": "PACKAGE", 24556 "url": "https://github.com/zhutougg/c3p0" 24557 }, 24558 { 24559 "type": "WEB", 24560 "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00021.html" 24561 }, 24562 { 24563 "type": "WEB", 24564 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR" 24565 }, 24566 { 24567 "type": "WEB", 24568 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4" 24569 } 24570 ], 24571 "schema_version": "1.6.0", 24572 "severity": [ 24573 { 24574 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 24575 "type": "CVSS_V3" 24576 } 24577 ], 24578 "summary": "XML External Entity Reference in mchange:c3p0" 24579 }, 24580 { 24581 "affected": [ 24582 { 24583 "database_specific": { 24584 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2qp9-wg27-9pcv/GHSA-2qp9-wg27-9pcv.json" 24585 }, 24586 "package": { 24587 "ecosystem": "Maven", 24588 "name": "com.nimbusds:nimbus-jose-jwt", 24589 "purl": "pkg:maven/com.nimbusds/nimbus-jose-jwt" 24590 }, 24591 "ranges": [ 24592 { 24593 "events": [ 24594 { 24595 "introduced": "0" 24596 }, 24597 { 24598 "fixed": "4.39" 24599 } 24600 ], 24601 "type": "ECOSYSTEM" 24602 } 24603 ], 24604 "versions": [ 24605 "2.10", 24606 "2.10.1", 24607 "2.11.0", 24608 "2.12.0", 24609 "2.13.0", 24610 "2.13.1", 24611 "2.14.0", 24612 "2.15.0", 24613 "2.15.1", 24614 "2.15.2", 24615 "2.16", 24616 "2.17", 24617 "2.17.1", 24618 "2.17.2", 24619 "2.18", 24620 "2.18.1", 24621 "2.18.2", 24622 "2.19", 24623 "2.19.1", 24624 "2.20", 24625 "2.21", 24626 "2.22", 24627 "2.22.1", 24628 "2.23", 24629 "2.24", 
24630 "2.25", 24631 "2.26", 24632 "2.26.1", 24633 "2.9", 24634 "3.0", 24635 "3.1", 24636 "3.1.1", 24637 "3.1.2", 24638 "3.10", 24639 "3.2", 24640 "3.2.1", 24641 "3.2.2", 24642 "3.3", 24643 "3.4", 24644 "3.5", 24645 "3.6", 24646 "3.7", 24647 "3.8", 24648 "3.8.1", 24649 "3.8.2", 24650 "3.9", 24651 "3.9.1", 24652 "3.9.2", 24653 "4.0", 24654 "4.0-rc1", 24655 "4.0-rc2", 24656 "4.0-rc3", 24657 "4.0-rc4", 24658 "4.0.1", 24659 "4.1", 24660 "4.1.1", 24661 "4.10", 24662 "4.11", 24663 "4.11.1", 24664 "4.11.2", 24665 "4.12", 24666 "4.13", 24667 "4.13.1", 24668 "4.14", 24669 "4.15", 24670 "4.15.1", 24671 "4.16", 24672 "4.16.1", 24673 "4.16.2", 24674 "4.17", 24675 "4.18", 24676 "4.19", 24677 "4.2", 24678 "4.20", 24679 "4.21", 24680 "4.22", 24681 "4.23", 24682 "4.24", 24683 "4.25", 24684 "4.26", 24685 "4.26.1", 24686 "4.27", 24687 "4.27.1", 24688 "4.28", 24689 "4.29", 24690 "4.3", 24691 "4.3.1", 24692 "4.30", 24693 "4.31.1", 24694 "4.32", 24695 "4.33", 24696 "4.34", 24697 "4.34.1", 24698 "4.34.2", 24699 "4.35", 24700 "4.36", 24701 "4.36.1", 24702 "4.37", 24703 "4.37.1", 24704 "4.38", 24705 "4.4", 24706 "4.5", 24707 "4.6", 24708 "4.7", 24709 "4.8", 24710 "4.9" 24711 ] 24712 } 24713 ], 24714 "aliases": [ 24715 "CVE-2017-12972" 24716 ], 24717 "database_specific": { 24718 "cwe_ids": [ 24719 "CWE-345" 24720 ], 24721 "github_reviewed": true, 24722 "github_reviewed_at": "2022-11-08T22:28:09Z", 24723 "nvd_published_at": "2017-08-20T16:29:00Z", 24724 "severity": "HIGH" 24725 }, 24726 "details": "In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC.", 24727 "id": "GHSA-2qp9-wg27-9pcv", 24728 "modified": "2023-11-08T03:58:54.698483Z", 24729 "published": "2022-05-13T01:30:32Z", 24730 "references": [ 24731 { 24732 "type": "ADVISORY", 24733 "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2017-12972" 24734 }, 24735 { 24736 "type": "WEB", 24737 "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/0d2bd649ea386539220d4facfe1f65eb1dadb86c" 24738 }, 24739 { 24740 "type": "WEB", 24741 "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/224/byte-to-bit-overflow-in-cbc" 24742 }, 24743 { 24744 "type": "WEB", 24745 "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt" 24746 }, 24747 { 24748 "type": "WEB", 24749 "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" 24750 } 24751 ], 24752 "schema_version": "1.6.0", 24753 "severity": [ 24754 { 24755 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 24756 "type": "CVSS_V3" 24757 } 24758 ], 24759 "summary": "Nimbus JOSE+JWT missing overflow check" 24760 }, 24761 { 24762 "affected": [ 24763 { 24764 "database_specific": { 24765 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-f6vf-pq8c-69m4/GHSA-f6vf-pq8c-69m4.json" 24766 }, 24767 "package": { 24768 "ecosystem": "Maven", 24769 "name": "com.nimbusds:nimbus-jose-jwt", 24770 "purl": "pkg:maven/com.nimbusds/nimbus-jose-jwt" 24771 }, 24772 "ranges": [ 24773 { 24774 "events": [ 24775 { 24776 "introduced": "0" 24777 }, 24778 { 24779 "fixed": "7.9" 24780 } 24781 ], 24782 "type": "ECOSYSTEM" 24783 } 24784 ], 24785 "versions": [ 24786 "2.10", 24787 "2.10.1", 24788 "2.11.0", 24789 "2.12.0", 24790 "2.13.0", 24791 "2.13.1", 24792 "2.14.0", 24793 "2.15.0", 24794 "2.15.1", 24795 "2.15.2", 24796 "2.16", 24797 "2.17", 24798 "2.17.1", 24799 "2.17.2", 24800 "2.18", 24801 "2.18.1", 24802 "2.18.2", 24803 "2.19", 24804 "2.19.1", 24805 "2.20", 24806 "2.21", 24807 "2.22", 24808 "2.22.1", 24809 "2.23", 24810 "2.24", 24811 "2.25", 24812 "2.26", 24813 "2.26.1", 24814 "2.9", 24815 "3.0", 24816 "3.1", 24817 "3.1.1", 24818 "3.1.2", 24819 "3.10", 24820 "3.2", 24821 
"3.2.1", 24822 "3.2.2", 24823 "3.3", 24824 "3.4", 24825 "3.5", 24826 "3.6", 24827 "3.7", 24828 "3.8", 24829 "3.8.1", 24830 "3.8.2", 24831 "3.9", 24832 "3.9.1", 24833 "3.9.2", 24834 "4.0", 24835 "4.0-rc1", 24836 "4.0-rc2", 24837 "4.0-rc3", 24838 "4.0-rc4", 24839 "4.0.1", 24840 "4.1", 24841 "4.1.1", 24842 "4.10", 24843 "4.11", 24844 "4.11.1", 24845 "4.11.2", 24846 "4.12", 24847 "4.13", 24848 "4.13.1", 24849 "4.14", 24850 "4.15", 24851 "4.15.1", 24852 "4.16", 24853 "4.16.1", 24854 "4.16.2", 24855 "4.17", 24856 "4.18", 24857 "4.19", 24858 "4.2", 24859 "4.20", 24860 "4.21", 24861 "4.22", 24862 "4.23", 24863 "4.24", 24864 "4.25", 24865 "4.26", 24866 "4.26.1", 24867 "4.27", 24868 "4.27.1", 24869 "4.28", 24870 "4.29", 24871 "4.3", 24872 "4.3.1", 24873 "4.30", 24874 "4.31.1", 24875 "4.32", 24876 "4.33", 24877 "4.34", 24878 "4.34.1", 24879 "4.34.2", 24880 "4.35", 24881 "4.36", 24882 "4.36.1", 24883 "4.37", 24884 "4.37.1", 24885 "4.38", 24886 "4.39", 24887 "4.39.1", 24888 "4.39.2", 24889 "4.4", 24890 "4.40", 24891 "4.41", 24892 "4.41.1", 24893 "4.41.2", 24894 "4.41.3", 24895 "4.5", 24896 "4.6", 24897 "4.7", 24898 "4.8", 24899 "4.9", 24900 "5.0", 24901 "5.1", 24902 "5.10", 24903 "5.11", 24904 "5.12", 24905 "5.13", 24906 "5.14", 24907 "5.2", 24908 "5.3", 24909 "5.4", 24910 "5.5", 24911 "5.6", 24912 "5.7", 24913 "5.8", 24914 "5.9", 24915 "6.0", 24916 "6.0.1", 24917 "6.0.2", 24918 "6.1", 24919 "6.1.1", 24920 "6.2", 24921 "6.3", 24922 "6.3.1", 24923 "6.4", 24924 "6.4.1", 24925 "6.4.2", 24926 "6.5", 24927 "6.5.1", 24928 "6.6", 24929 "6.7", 24930 "6.8", 24931 "7.0", 24932 "7.0.1", 24933 "7.1", 24934 "7.2.1", 24935 "7.3", 24936 "7.4", 24937 "7.5", 24938 "7.5.1", 24939 "7.6", 24940 "7.7", 24941 "7.8", 24942 "7.8.1" 24943 ] 24944 } 24945 ], 24946 "aliases": [ 24947 "CVE-2019-17195" 24948 ], 24949 "database_specific": { 24950 "cwe_ids": [ 24951 "CWE-754", 24952 "CWE-755" 24953 ], 24954 "github_reviewed": true, 24955 "github_reviewed_at": "2019-10-16T15:26:53Z", 24956 "nvd_published_at": 
"2019-10-15T14:15:00Z", 24957 "severity": "CRITICAL" 24958 }, 24959 "details": "Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.", 24960 "id": "GHSA-f6vf-pq8c-69m4", 24961 "modified": "2024-03-14T05:19:45.441054Z", 24962 "published": "2019-10-16T18:31:17Z", 24963 "references": [ 24964 { 24965 "type": "ADVISORY", 24966 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17195" 24967 }, 24968 { 24969 "type": "WEB", 24970 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 24971 }, 24972 { 24973 "type": "WEB", 24974 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 24975 }, 24976 { 24977 "type": "WEB", 24978 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 24979 }, 24980 { 24981 "type": "WEB", 24982 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 24983 }, 24984 { 24985 "type": "WEB", 24986 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 24987 }, 24988 { 24989 "type": "WEB", 24990 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 24991 }, 24992 { 24993 "type": "WEB", 24994 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 24995 }, 24996 { 24997 "type": "WEB", 24998 "url": "https://lists.apache.org/thread.html/rcac26c2d4df22341fa6ebbfe93ba1eff77d2dcd3f6106a1dc1f9ac98@%3Cdev.avro.apache.org%3E" 24999 }, 25000 { 25001 "type": "WEB", 25002 "url": "https://lists.apache.org/thread.html/r5e08837e695efd36be73510ce58ec05785dbcea077819d8acc2d990d@%3Ccommits.druid.apache.org%3E" 25003 }, 25004 { 25005 "type": "WEB", 25006 "url": "https://lists.apache.org/thread.html/r35f6301a3e6a56259224786dd9c2a935ba27ff6b494d15a3b66efe6a@%3Cdev.avro.apache.org%3E" 25007 }, 25008 { 25009 "type": "WEB", 25010 "url": 
"https://lists.apache.org/thread.html/r33dc233634aedb04fa77db3eb79ea12d15ca4da89fa46a1c585ecb0b@%3Ccommits.druid.apache.org%3E" 25011 }, 25012 { 25013 "type": "WEB", 25014 "url": "https://lists.apache.org/thread.html/r2667286c8ceffaf893b16829b9612d8f7c4ee6b30362c6c1b583e3c2@%3Ccommits.druid.apache.org%3E" 25015 }, 25016 { 25017 "type": "WEB", 25018 "url": "https://lists.apache.org/thread.html/e10d43984f39327e443e875adcd4a5049193a7c010e81971908caf41@%3Ccommon-issues.hadoop.apache.org%3E" 25019 }, 25020 { 25021 "type": "WEB", 25022 "url": "https://lists.apache.org/thread.html/8768553cda5838f59ee3865cac546e824fa740e82d9dc2a7fc44e80d@%3Ccommon-dev.hadoop.apache.org%3E" 25023 }, 25024 { 25025 "type": "WEB", 25026 "url": "https://connect2id.com/blog/nimbus-jose-jwt-7-9" 25027 }, 25028 { 25029 "type": "WEB", 25030 "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt" 25031 }, 25032 { 25033 "type": "PACKAGE", 25034 "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt" 25035 } 25036 ], 25037 "schema_version": "1.6.0", 25038 "severity": [ 25039 { 25040 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 25041 "type": "CVSS_V3" 25042 } 25043 ], 25044 "summary": "Improper Check for Unusual or Exceptional Conditions in Connect2id Nimbus JOSE+JWT" 25045 }, 25046 { 25047 "affected": [ 25048 { 25049 "database_specific": { 25050 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-gvpg-vgmx-xg6w/GHSA-gvpg-vgmx-xg6w.json" 25051 }, 25052 "package": { 25053 "ecosystem": "Maven", 25054 "name": "com.nimbusds:nimbus-jose-jwt", 25055 "purl": "pkg:maven/com.nimbusds/nimbus-jose-jwt" 25056 }, 25057 "ranges": [ 25058 { 25059 "events": [ 25060 { 25061 "introduced": "0" 25062 }, 25063 { 25064 "fixed": "9.37.2" 25065 } 25066 ], 25067 "type": "ECOSYSTEM" 25068 } 25069 ], 25070 "versions": [ 25071 "2.10", 25072 "2.10.1", 25073 "2.11.0", 25074 "2.12.0", 25075 "2.13.0", 25076 "2.13.1", 25077 "2.14.0", 
25078 "2.15.0", 25079 "2.15.1", 25080 "2.15.2", 25081 "2.16", 25082 "2.17", 25083 "2.17.1", 25084 "2.17.2", 25085 "2.18", 25086 "2.18.1", 25087 "2.18.2", 25088 "2.19", 25089 "2.19.1", 25090 "2.20", 25091 "2.21", 25092 "2.22", 25093 "2.22.1", 25094 "2.23", 25095 "2.24", 25096 "2.25", 25097 "2.26", 25098 "2.26.1", 25099 "2.9", 25100 "3.0", 25101 "3.1", 25102 "3.1.1", 25103 "3.1.2", 25104 "3.10", 25105 "3.2", 25106 "3.2.1", 25107 "3.2.2", 25108 "3.3", 25109 "3.4", 25110 "3.5", 25111 "3.6", 25112 "3.7", 25113 "3.8", 25114 "3.8.1", 25115 "3.8.2", 25116 "3.9", 25117 "3.9.1", 25118 "3.9.2", 25119 "4.0", 25120 "4.0-rc1", 25121 "4.0-rc2", 25122 "4.0-rc3", 25123 "4.0-rc4", 25124 "4.0.1", 25125 "4.1", 25126 "4.1.1", 25127 "4.10", 25128 "4.11", 25129 "4.11.1", 25130 "4.11.2", 25131 "4.12", 25132 "4.13", 25133 "4.13.1", 25134 "4.14", 25135 "4.15", 25136 "4.15.1", 25137 "4.16", 25138 "4.16.1", 25139 "4.16.2", 25140 "4.17", 25141 "4.18", 25142 "4.19", 25143 "4.2", 25144 "4.20", 25145 "4.21", 25146 "4.22", 25147 "4.23", 25148 "4.24", 25149 "4.25", 25150 "4.26", 25151 "4.26.1", 25152 "4.27", 25153 "4.27.1", 25154 "4.28", 25155 "4.29", 25156 "4.3", 25157 "4.3.1", 25158 "4.30", 25159 "4.31.1", 25160 "4.32", 25161 "4.33", 25162 "4.34", 25163 "4.34.1", 25164 "4.34.2", 25165 "4.35", 25166 "4.36", 25167 "4.36.1", 25168 "4.37", 25169 "4.37.1", 25170 "4.38", 25171 "4.39", 25172 "4.39.1", 25173 "4.39.2", 25174 "4.4", 25175 "4.40", 25176 "4.41", 25177 "4.41.1", 25178 "4.41.2", 25179 "4.41.3", 25180 "4.5", 25181 "4.6", 25182 "4.7", 25183 "4.8", 25184 "4.9", 25185 "5.0", 25186 "5.1", 25187 "5.10", 25188 "5.11", 25189 "5.12", 25190 "5.13", 25191 "5.14", 25192 "5.2", 25193 "5.3", 25194 "5.4", 25195 "5.5", 25196 "5.6", 25197 "5.7", 25198 "5.8", 25199 "5.9", 25200 "6.0", 25201 "6.0.1", 25202 "6.0.2", 25203 "6.1", 25204 "6.1.1", 25205 "6.2", 25206 "6.3", 25207 "6.3.1", 25208 "6.4", 25209 "6.4.1", 25210 "6.4.2", 25211 "6.5", 25212 "6.5.1", 25213 "6.6", 25214 "6.7", 25215 "6.8", 25216 "7.0", 25217 
"7.0.1", 25218 "7.1", 25219 "7.2.1", 25220 "7.3", 25221 "7.4", 25222 "7.5", 25223 "7.5.1", 25224 "7.6", 25225 "7.7", 25226 "7.8", 25227 "7.8.1", 25228 "7.9", 25229 "8.0", 25230 "8.1", 25231 "8.10", 25232 "8.11", 25233 "8.12", 25234 "8.13", 25235 "8.14", 25236 "8.14.1", 25237 "8.15", 25238 "8.16", 25239 "8.17", 25240 "8.17.1", 25241 "8.18", 25242 "8.18.1", 25243 "8.19", 25244 "8.2", 25245 "8.2.1", 25246 "8.20", 25247 "8.20.1", 25248 "8.20.2", 25249 "8.21", 25250 "8.21.1", 25251 "8.22", 25252 "8.22.1", 25253 "8.23", 25254 "8.3", 25255 "8.4", 25256 "8.4.1", 25257 "8.5", 25258 "8.5.1", 25259 "8.6", 25260 "8.7", 25261 "8.8", 25262 "8.9", 25263 "9.0", 25264 "9.0.1", 25265 "9.1", 25266 "9.1.1", 25267 "9.1.2", 25268 "9.1.3", 25269 "9.1.4", 25270 "9.1.5", 25271 "9.10", 25272 "9.10.1", 25273 "9.11", 25274 "9.11.1", 25275 "9.11.2", 25276 "9.11.3", 25277 "9.12", 25278 "9.12.1", 25279 "9.13", 25280 "9.14", 25281 "9.15", 25282 "9.15.1", 25283 "9.15.2", 25284 "9.16", 25285 "9.16-preview.1", 25286 "9.16.1", 25287 "9.17", 25288 "9.18", 25289 "9.19", 25290 "9.2", 25291 "9.20", 25292 "9.21", 25293 "9.21.1", 25294 "9.22", 25295 "9.23", 25296 "9.24", 25297 "9.24.1", 25298 "9.24.2", 25299 "9.24.3", 25300 "9.24.4", 25301 "9.25", 25302 "9.25.1", 25303 "9.25.2", 25304 "9.25.3", 25305 "9.25.4", 25306 "9.25.5", 25307 "9.25.6", 25308 "9.26", 25309 "9.27", 25310 "9.28", 25311 "9.29", 25312 "9.3", 25313 "9.30", 25314 "9.30.1", 25315 "9.30.2", 25316 "9.31", 25317 "9.32", 25318 "9.33", 25319 "9.34", 25320 "9.35", 25321 "9.36", 25322 "9.37", 25323 "9.37.1", 25324 "9.4", 25325 "9.4.1", 25326 "9.4.2", 25327 "9.5", 25328 "9.6", 25329 "9.6.1", 25330 "9.7", 25331 "9.8", 25332 "9.8.1", 25333 "9.9", 25334 "9.9.1", 25335 "9.9.2", 25336 "9.9.3" 25337 ] 25338 } 25339 ], 25340 "aliases": [ 25341 "CVE-2023-52428" 25342 ], 25343 "database_specific": { 25344 "cwe_ids": [ 25345 "CWE-400" 25346 ], 25347 "github_reviewed": true, 25348 "github_reviewed_at": "2024-03-15T14:23:03Z", 25349 "nvd_published_at": 
"2024-02-11T05:15:08Z", 25350 "severity": "MODERATE" 25351 }, 25352 "details": "In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.", 25353 "id": "GHSA-gvpg-vgmx-xg6w", 25354 "modified": "2024-03-15T14:58:52.822457Z", 25355 "published": "2024-02-11T06:30:27Z", 25356 "references": [ 25357 { 25358 "type": "ADVISORY", 25359 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52428" 25360 }, 25361 { 25362 "type": "PACKAGE", 25363 "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt" 25364 }, 25365 { 25366 "type": "WEB", 25367 "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e" 25368 }, 25369 { 25370 "type": "WEB", 25371 "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526" 25372 }, 25373 { 25374 "type": "WEB", 25375 "url": "https://connect2id.com/products/nimbus-jose-jwt" 25376 } 25377 ], 25378 "related": [ 25379 "CGA-7847-h394-6rg8", 25380 "CGA-7v5w-r37c-32w7", 25381 "CGA-7x8r-hc4w-927c", 25382 "CGA-xqhq-97gr-pfg7" 25383 ], 25384 "schema_version": "1.6.0", 25385 "summary": "Denial of Service in Connect2id Nimbus JOSE+JWT" 25386 }, 25387 { 25388 "affected": [ 25389 { 25390 "database_specific": { 25391 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jfmq-4g4m-99rh/GHSA-jfmq-4g4m-99rh.json" 25392 }, 25393 "package": { 25394 "ecosystem": "Maven", 25395 "name": "com.nimbusds:nimbus-jose-jwt", 25396 "purl": "pkg:maven/com.nimbusds/nimbus-jose-jwt" 25397 }, 25398 "ranges": [ 25399 { 25400 "events": [ 25401 { 25402 "introduced": "0" 25403 }, 25404 { 25405 "fixed": "4.39" 25406 } 25407 ], 25408 "type": "ECOSYSTEM" 25409 } 25410 ], 25411 "versions": [ 25412 "2.10", 25413 "2.10.1", 25414 "2.11.0", 25415 "2.12.0", 25416 "2.13.0", 25417 "2.13.1", 25418 "2.14.0", 25419 "2.15.0", 25420 "2.15.1", 25421 "2.15.2", 25422 "2.16", 
25423 "2.17", 25424 "2.17.1", 25425 "2.17.2", 25426 "2.18", 25427 "2.18.1", 25428 "2.18.2", 25429 "2.19", 25430 "2.19.1", 25431 "2.20", 25432 "2.21", 25433 "2.22", 25434 "2.22.1", 25435 "2.23", 25436 "2.24", 25437 "2.25", 25438 "2.26", 25439 "2.26.1", 25440 "2.9", 25441 "3.0", 25442 "3.1", 25443 "3.1.1", 25444 "3.1.2", 25445 "3.10", 25446 "3.2", 25447 "3.2.1", 25448 "3.2.2", 25449 "3.3", 25450 "3.4", 25451 "3.5", 25452 "3.6", 25453 "3.7", 25454 "3.8", 25455 "3.8.1", 25456 "3.8.2", 25457 "3.9", 25458 "3.9.1", 25459 "3.9.2", 25460 "4.0", 25461 "4.0-rc1", 25462 "4.0-rc2", 25463 "4.0-rc3", 25464 "4.0-rc4", 25465 "4.0.1", 25466 "4.1", 25467 "4.1.1", 25468 "4.10", 25469 "4.11", 25470 "4.11.1", 25471 "4.11.2", 25472 "4.12", 25473 "4.13", 25474 "4.13.1", 25475 "4.14", 25476 "4.15", 25477 "4.15.1", 25478 "4.16", 25479 "4.16.1", 25480 "4.16.2", 25481 "4.17", 25482 "4.18", 25483 "4.19", 25484 "4.2", 25485 "4.20", 25486 "4.21", 25487 "4.22", 25488 "4.23", 25489 "4.24", 25490 "4.25", 25491 "4.26", 25492 "4.26.1", 25493 "4.27", 25494 "4.27.1", 25495 "4.28", 25496 "4.29", 25497 "4.3", 25498 "4.3.1", 25499 "4.30", 25500 "4.31.1", 25501 "4.32", 25502 "4.33", 25503 "4.34", 25504 "4.34.1", 25505 "4.34.2", 25506 "4.35", 25507 "4.36", 25508 "4.36.1", 25509 "4.37", 25510 "4.37.1", 25511 "4.38", 25512 "4.4", 25513 "4.5", 25514 "4.6", 25515 "4.7", 25516 "4.8", 25517 "4.9" 25518 ] 25519 } 25520 ], 25521 "aliases": [ 25522 "CVE-2017-12973" 25523 ], 25524 "database_specific": { 25525 "cwe_ids": [ 25526 "CWE-354" 25527 ], 25528 "github_reviewed": true, 25529 "github_reviewed_at": "2022-11-08T23:03:33Z", 25530 "nvd_published_at": "2017-08-20T16:29:00Z", 25531 "severity": "LOW" 25532 }, 25533 "details": "Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.", 25534 "id": "GHSA-jfmq-4g4m-99rh", 25535 "modified": "2023-11-08T03:58:54.759362Z", 25536 "published": 
"2022-05-13T01:42:51Z", 25537 "references": [ 25538 { 25539 "type": "ADVISORY", 25540 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12973" 25541 }, 25542 { 25543 "type": "WEB", 25544 "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/6a29f10f723f406eb25555f55842c59a43a38912" 25545 }, 25546 { 25547 "type": "WEB", 25548 "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/223/aescbc-return-immediately-on-invalid-hmac" 25549 }, 25550 { 25551 "type": "WEB", 25552 "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt" 25553 } 25554 ], 25555 "schema_version": "1.6.0", 25556 "severity": [ 25557 { 25558 "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", 25559 "type": "CVSS_V3" 25560 } 25561 ], 25562 "summary": "Nimbus JOSE+JWT vulnerable to padding oracle attack" 25563 }, 25564 { 25565 "affected": [ 25566 { 25567 "database_specific": { 25568 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pfv2-37f7-9m6w/GHSA-pfv2-37f7-9m6w.json" 25569 }, 25570 "package": { 25571 "ecosystem": "Maven", 25572 "name": "com.nimbusds:nimbus-jose-jwt", 25573 "purl": "pkg:maven/com.nimbusds/nimbus-jose-jwt" 25574 }, 25575 "ranges": [ 25576 { 25577 "events": [ 25578 { 25579 "introduced": "0" 25580 }, 25581 { 25582 "fixed": "4.36" 25583 } 25584 ], 25585 "type": "ECOSYSTEM" 25586 } 25587 ], 25588 "versions": [ 25589 "2.10", 25590 "2.10.1", 25591 "2.11.0", 25592 "2.12.0", 25593 "2.13.0", 25594 "2.13.1", 25595 "2.14.0", 25596 "2.15.0", 25597 "2.15.1", 25598 "2.15.2", 25599 "2.16", 25600 "2.17", 25601 "2.17.1", 25602 "2.17.2", 25603 "2.18", 25604 "2.18.1", 25605 "2.18.2", 25606 "2.19", 25607 "2.19.1", 25608 "2.20", 25609 "2.21", 25610 "2.22", 25611 "2.22.1", 25612 "2.23", 25613 "2.24", 25614 "2.25", 25615 "2.26", 25616 "2.26.1", 25617 "2.9", 25618 "3.0", 25619 "3.1", 25620 "3.1.1", 25621 "3.1.2", 25622 "3.10", 25623 "3.2", 25624 "3.2.1", 25625 "3.2.2", 25626 "3.3", 25627 "3.4", 25628 
"3.5", 25629 "3.6", 25630 "3.7", 25631 "3.8", 25632 "3.8.1", 25633 "3.8.2", 25634 "3.9", 25635 "3.9.1", 25636 "3.9.2", 25637 "4.0", 25638 "4.0-rc1", 25639 "4.0-rc2", 25640 "4.0-rc3", 25641 "4.0-rc4", 25642 "4.0.1", 25643 "4.1", 25644 "4.1.1", 25645 "4.10", 25646 "4.11", 25647 "4.11.1", 25648 "4.11.2", 25649 "4.12", 25650 "4.13", 25651 "4.13.1", 25652 "4.14", 25653 "4.15", 25654 "4.15.1", 25655 "4.16", 25656 "4.16.1", 25657 "4.16.2", 25658 "4.17", 25659 "4.18", 25660 "4.19", 25661 "4.2", 25662 "4.20", 25663 "4.21", 25664 "4.22", 25665 "4.23", 25666 "4.24", 25667 "4.25", 25668 "4.26", 25669 "4.26.1", 25670 "4.27", 25671 "4.27.1", 25672 "4.28", 25673 "4.29", 25674 "4.3", 25675 "4.3.1", 25676 "4.30", 25677 "4.31.1", 25678 "4.32", 25679 "4.33", 25680 "4.34", 25681 "4.34.1", 25682 "4.34.2", 25683 "4.35", 25684 "4.4", 25685 "4.5", 25686 "4.6", 25687 "4.7", 25688 "4.8", 25689 "4.9" 25690 ] 25691 } 25692 ], 25693 "aliases": [ 25694 "CVE-2017-12974" 25695 ], 25696 "database_specific": { 25697 "cwe_ids": [ 25698 "CWE-347" 25699 ], 25700 "github_reviewed": true, 25701 "github_reviewed_at": "2022-07-01T20:20:30Z", 25702 "nvd_published_at": "2017-08-20T16:29:00Z", 25703 "severity": "HIGH" 25704 }, 25705 "details": "Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.", 25706 "id": "GHSA-pfv2-37f7-9m6w", 25707 "modified": "2023-11-08T03:58:54.822926Z", 25708 "published": "2022-05-13T01:30:32Z", 25709 "references": [ 25710 { 25711 "type": "ADVISORY", 25712 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12974" 25713 }, 25714 { 25715 "type": "WEB", 25716 "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f3a7a801f0c6b078899fed9226368eb7b44e2b2f" 25717 }, 25718 { 25719 "type": "WEB", 25720 "url": 
"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/217/explicit-check-for-ec-public-key-on-curve" 25721 }, 25722 { 25723 "type": "WEB", 25724 "url": "https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt" 25725 }, 25726 { 25727 "type": "PACKAGE", 25728 "url": "https://github.com/felx/nimbus-jose-jwt" 25729 }, 25730 { 25731 "type": "WEB", 25732 "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" 25733 } 25734 ], 25735 "schema_version": "1.6.0", 25736 "severity": [ 25737 { 25738 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 25739 "type": "CVSS_V3" 25740 } 25741 ], 25742 "summary": "Improper Verification of Cryptographic Signature in Nimbus JOSE+JWT" 25743 }, 25744 { 25745 "affected": [ 25746 { 25747 "database_specific": { 25748 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6phf-73q6-gh87/GHSA-6phf-73q6-gh87.json" 25749 }, 25750 "package": { 25751 "ecosystem": "Maven", 25752 "name": "commons-beanutils:commons-beanutils", 25753 "purl": "pkg:maven/commons-beanutils/commons-beanutils" 25754 }, 25755 "ranges": [ 25756 { 25757 "events": [ 25758 { 25759 "introduced": "0" 25760 }, 25761 { 25762 "fixed": "1.9.4" 25763 } 25764 ], 25765 "type": "ECOSYSTEM" 25766 } 25767 ], 25768 "versions": [ 25769 "1.0", 25770 "1.2", 25771 "1.3", 25772 "1.4", 25773 "1.4.1", 25774 "1.5", 25775 "1.6", 25776 "1.6.1", 25777 "1.7.0", 25778 "1.8.0", 25779 "1.8.0-BETA", 25780 "1.8.1", 25781 "1.8.2", 25782 "1.8.3", 25783 "1.9.0", 25784 "1.9.1", 25785 "1.9.2", 25786 "1.9.3" 25787 ] 25788 } 25789 ], 25790 "aliases": [ 25791 "CVE-2019-10086" 25792 ], 25793 "database_specific": { 25794 "cwe_ids": [ 25795 "CWE-502" 25796 ], 25797 "github_reviewed": true, 25798 "github_reviewed_at": "2020-06-11T15:08:49Z", 25799 "nvd_published_at": "2019-08-20T21:15:00Z", 25800 "severity": "HIGH" 25801 }, 25802 "details": "In Apache Commons 
Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.", 25803 "id": "GHSA-6phf-73q6-gh87", 25804 "modified": "2024-03-08T05:28:43.649817Z", 25805 "published": "2020-06-15T20:36:17Z", 25806 "references": [ 25807 { 25808 "type": "ADVISORY", 25809 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10086" 25810 }, 25811 { 25812 "type": "WEB", 25813 "url": "https://access.redhat.com/errata/RHSA-2019:4317" 25814 }, 25815 { 25816 "type": "WEB", 25817 "url": "https://lists.apache.org/thread.html/ra41fd0ad4b7e1d675c03a5081a16a6603085a4e37d30b866067566fe@%3Cissues.nifi.apache.org%3E" 25818 }, 25819 { 25820 "type": "WEB", 25821 "url": "https://lists.apache.org/thread.html/ra87ac17410a62e813cba901fdd4e9a674dd53daaf714870f28e905f1@%3Cdev.atlas.apache.org%3E" 25822 }, 25823 { 25824 "type": "WEB", 25825 "url": "https://lists.apache.org/thread.html/ra9a139fdc0999750dcd519e81384bc1fe3946f311b1796221205f51c@%3Ccommits.dolphinscheduler.apache.org%3E" 25826 }, 25827 { 25828 "type": "WEB", 25829 "url": "https://lists.apache.org/thread.html/racd3e7b2149fa2f255f016bd6bffab0fea77b6fb81c50db9a17f78e6@%3Cdev.atlas.apache.org%3E" 25830 }, 25831 { 25832 "type": "WEB", 25833 "url": "https://lists.apache.org/thread.html/rae81e0c8ebdf47ffaa85a01240836bfece8a990c48f55c7933162b5c@%3Cdev.atlas.apache.org%3E" 25834 }, 25835 { 25836 "type": "WEB", 25837 "url": "https://lists.apache.org/thread.html/rb1f76c2c0a4d6efb8a3523974f9d085d5838b73e7bffdf9a8f212997@%3Cissues.nifi.apache.org%3E" 25838 }, 25839 { 25840 "type": "WEB", 25841 "url": "https://lists.apache.org/thread.html/rb8dac04cb7e9cc5dedee8dabaa1c92614f590642e5ebf02a145915ba@%3Ccommits.atlas.apache.org%3E" 25842 }, 25843 { 25844 "type": "WEB", 25845 "url": 
"https://lists.apache.org/thread.html/rcc029be4edaaf5b8bb85818aab494e16f312fced07a0f4a202771ba2@%3Cissues.nifi.apache.org%3E" 25846 }, 25847 { 25848 "type": "WEB", 25849 "url": "https://lists.apache.org/thread.html/rd2d2493f4f1af6980d265b8d84c857e2b7ab80a46e1423710c448957@%3Cissues.nifi.apache.org%3E" 25850 }, 25851 { 25852 "type": "WEB", 25853 "url": "https://lists.apache.org/thread.html/re2028d4d76ba1db3e3c3a722d6c6034e801cc3b309f69cc166eaa32b@%3Ccommits.nifi.apache.org%3E" 25854 }, 25855 { 25856 "type": "WEB", 25857 "url": "https://lists.apache.org/thread.html/re3cd7cb641d7fc6684e4fc3c336a8bad4a01434bb5625a06e3600fd1@%3Cissues.nifi.apache.org%3E" 25858 }, 25859 { 25860 "type": "WEB", 25861 "url": "https://lists.apache.org/thread.html/rec74f3a94dd850259c730b4ba6f7b6211222b58900ec088754aa0534@%3Cissues.nifi.apache.org%3E" 25862 }, 25863 { 25864 "type": "WEB", 25865 "url": "https://lists.apache.org/thread.html/reee57101464cf7622d640ae013b2162eb864f603ec4093de8240bb8f@%3Cdev.atlas.apache.org%3E" 25866 }, 25867 { 25868 "type": "WEB", 25869 "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00030.html" 25870 }, 25871 { 25872 "type": "WEB", 25873 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4APPGLBWMFAS4WHNLR4LIJ65DJGPV7TF" 25874 }, 25875 { 25876 "type": "WEB", 25877 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIUYSL2RSIWZVNSUIXJTIFPIPIF6OAIO" 25878 }, 25879 { 25880 "type": "WEB", 25881 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 25882 }, 25883 { 25884 "type": "WEB", 25885 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 25886 }, 25887 { 25888 "type": "WEB", 25889 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 25890 }, 25891 { 25892 "type": "WEB", 25893 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 25894 }, 25895 { 25896 "type": "WEB", 25897 "url": 
"https://www.oracle.com/security-alerts/cpujan2020.html" 25898 }, 25899 { 25900 "type": "WEB", 25901 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 25902 }, 25903 { 25904 "type": "WEB", 25905 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 25906 }, 25907 { 25908 "type": "WEB", 25909 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 25910 }, 25911 { 25912 "type": "WEB", 25913 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 25914 }, 25915 { 25916 "type": "WEB", 25917 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 25918 }, 25919 { 25920 "type": "WEB", 25921 "url": "https://access.redhat.com/errata/RHSA-2020:0057" 25922 }, 25923 { 25924 "type": "WEB", 25925 "url": "https://access.redhat.com/errata/RHSA-2020:0194" 25926 }, 25927 { 25928 "type": "WEB", 25929 "url": "https://access.redhat.com/errata/RHSA-2020:0804" 25930 }, 25931 { 25932 "type": "WEB", 25933 "url": "https://access.redhat.com/errata/RHSA-2020:0805" 25934 }, 25935 { 25936 "type": "WEB", 25937 "url": "https://access.redhat.com/errata/RHSA-2020:0806" 25938 }, 25939 { 25940 "type": "WEB", 25941 "url": "https://access.redhat.com/errata/RHSA-2020:0811" 25942 }, 25943 { 25944 "type": "PACKAGE", 25945 "url": "https://github.com/apache/commons-beanutils" 25946 }, 25947 { 25948 "type": "WEB", 25949 "url": "https://lists.apache.org/thread.html/02094ad226dbc17a2368beaf27e61d8b1432f5baf77d0ca995bb78bc@%3Cissues.commons.apache.org%3E" 25950 }, 25951 { 25952 "type": "WEB", 25953 "url": "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5@%3Cissues.commons.apache.org%3E" 25954 }, 25955 { 25956 "type": "WEB", 25957 "url": "https://lists.apache.org/thread.html/2fd61dc89df9aeab738d2b49f48d42c76f7d53b980ba04e1d48bce48@%3Cdev.shiro.apache.org%3E" 25958 }, 25959 { 25960 "type": "WEB", 25961 "url": 
"https://lists.apache.org/thread.html/3d1ed1a1596c08c4d5fea97b36c651ce167b773f1afc75251ce7a125@%3Ccommits.tinkerpop.apache.org%3E" 25962 }, 25963 { 25964 "type": "WEB", 25965 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 25966 }, 25967 { 25968 "type": "WEB", 25969 "url": "https://lists.apache.org/thread.html/5261066cd7adee081ee05c8bf0e96cf0b2eeaced391e19117ae4daa6@%3Cdev.shiro.apache.org%3E" 25970 }, 25971 { 25972 "type": "WEB", 25973 "url": "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0@%3Cissues.commons.apache.org%3E" 25974 }, 25975 { 25976 "type": "WEB", 25977 "url": "https://lists.apache.org/thread.html/a684107d3a78e431cf0fbb90629e8559a36ff8fe94c3a76e620b39fa@%3Cdev.shiro.apache.org%3E" 25978 }, 25979 { 25980 "type": "WEB", 25981 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 25982 }, 25983 { 25984 "type": "WEB", 25985 "url": "https://lists.apache.org/thread.html/c94bc9649d5109a663b2129371dc45753fbdeacd340105548bbe93c3@%3Cdev.shiro.apache.org%3E" 25986 }, 25987 { 25988 "type": "WEB", 25989 "url": "https://lists.apache.org/thread.html/d6ca9439c53374b597f33b7ec180001625597db48ea30356af01145f@%3Cdev.shiro.apache.org%3E" 25990 }, 25991 { 25992 "type": "WEB", 25993 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 25994 }, 25995 { 25996 "type": "WEB", 25997 "url": "https://lists.apache.org/thread.html/r18d8b4f9263e5cad3bbaef0cdba0e2ccdf9201316ac4b85e23eb7ee4@%3Cdev.atlas.apache.org%3E" 25998 }, 25999 { 26000 "type": "WEB", 26001 "url": "https://lists.apache.org/thread.html/r2d5f1d88c39bd615271abda63964a0bee9b2b57fef1f84cb4c43032e@%3Cissues.nifi.apache.org%3E" 26002 }, 26003 { 26004 "type": "WEB", 26005 "url": 
"https://lists.apache.org/thread.html/r306c0322aa5c0da731e03f3ce9f07f4745c052c6b73f4e78faf232ca@%3Cdev.atlas.apache.org%3E" 26006 }, 26007 { 26008 "type": "WEB", 26009 "url": "https://lists.apache.org/thread.html/r43de02fd4a4f52c4bdeff8c02f09625d83cd047498009c1cdab857db@%3Cdev.rocketmq.apache.org%3E" 26010 }, 26011 { 26012 "type": "WEB", 26013 "url": "https://lists.apache.org/thread.html/r46e536fc98942dce99fadd2e313aeefe90c1a769c5cd85d98df9d098@%3Cissues.nifi.apache.org%3E" 26014 }, 26015 { 26016 "type": "WEB", 26017 "url": "https://lists.apache.org/thread.html/r513a7a21c422170318115463b399dd58ab447fe0990b13e5884f0825@%3Ccommits.dolphinscheduler.apache.org%3E" 26018 }, 26019 { 26020 "type": "WEB", 26021 "url": "https://lists.apache.org/thread.html/r6194ced4828deb32023cd314e31f41c61d388b58935d102c7de91f58@%3Cdev.atlas.apache.org%3E" 26022 }, 26023 { 26024 "type": "WEB", 26025 "url": "https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9@%3Cdev.brooklyn.apache.org%3E" 26026 }, 26027 { 26028 "type": "WEB", 26029 "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00007.html" 26030 }, 26031 { 26032 "type": "WEB", 26033 "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3e" 26034 } 26035 ], 26036 "related": [ 26037 "CGA-3x75-f9j7-7hm9" 26038 ], 26039 "schema_version": "1.6.0", 26040 "severity": [ 26041 { 26042 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", 26043 "type": "CVSS_V3" 26044 } 26045 ], 26046 "summary": "Insecure Deserialization in Apache Commons Beanutils" 26047 }, 26048 { 26049 "affected": [ 26050 { 26051 "database_specific": { 26052 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-p66x-2cv9-qq3v/GHSA-p66x-2cv9-qq3v.json" 26053 }, 26054 "package": { 26055 "ecosystem": "Maven", 26056 "name": "commons-beanutils:commons-beanutils", 26057 "purl": 
"pkg:maven/commons-beanutils/commons-beanutils" 26058 }, 26059 "ranges": [ 26060 { 26061 "events": [ 26062 { 26063 "introduced": "1.8.0" 26064 }, 26065 { 26066 "fixed": "1.9.4" 26067 } 26068 ], 26069 "type": "ECOSYSTEM" 26070 } 26071 ], 26072 "versions": [ 26073 "1.8.0", 26074 "1.8.1", 26075 "1.8.2", 26076 "1.8.3", 26077 "1.9.0", 26078 "1.9.1", 26079 "1.9.2", 26080 "1.9.3" 26081 ] 26082 } 26083 ], 26084 "aliases": [ 26085 "CVE-2014-0114" 26086 ], 26087 "database_specific": { 26088 "cwe_ids": [ 26089 "CWE-20" 26090 ], 26091 "github_reviewed": true, 26092 "github_reviewed_at": "2020-06-10T23:37:42Z", 26093 "nvd_published_at": "2014-04-30T10:49:00Z", 26094 "severity": "HIGH" 26095 }, 26096 "details": "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", 26097 "id": "GHSA-p66x-2cv9-qq3v", 26098 "modified": "2024-06-05T16:03:45.518647Z", 26099 "published": "2020-06-10T23:38:01Z", 26100 "references": [ 26101 { 26102 "type": "ADVISORY", 26103 "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0114" 26104 }, 26105 { 26106 "type": "WEB", 26107 "url": "https://github.com/apache/commons-beanutils/pull/7" 26108 }, 26109 { 26110 "type": "WEB", 26111 "url": "https://github.com/apache/commons-beanutils/commit/62e82ad92cf4818709d6044aaf257b73d42659a4" 26112 }, 26113 { 26114 "type": "WEB", 26115 "url": "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E" 26116 }, 26117 { 26118 "type": "WEB", 26119 "url": 
"https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6@%3Cissues.commons.apache.org%3E" 26120 }, 26121 { 26122 "type": "WEB", 26123 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" 26124 }, 26125 { 26126 "type": "WEB", 26127 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 26128 }, 26129 { 26130 "type": "WEB", 26131 "url": "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E" 26132 }, 26133 { 26134 "type": "WEB", 26135 "url": "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639@%3Ccommits.commons.apache.org%3E" 26136 }, 26137 { 26138 "type": "WEB", 26139 "url": "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E" 26140 }, 26141 { 26142 "type": "WEB", 26143 "url": "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E" 26144 }, 26145 { 26146 "type": "WEB", 26147 "url": "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E" 26148 }, 26149 { 26150 "type": "WEB", 26151 "url": "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478@%3Cissues.commons.apache.org%3E" 26152 }, 26153 { 26154 "type": "WEB", 26155 "url": "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E" 26156 }, 26157 { 26158 "type": "WEB", 26159 "url": "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a@%3Cissues.commons.apache.org%3E" 26160 }, 26161 { 26162 "type": "WEB", 26163 "url": 
"https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E" 26164 }, 26165 { 26166 "type": "WEB", 26167 "url": "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40@%3Cgitbox.activemq.apache.org%3E" 26168 }, 26169 { 26170 "type": "WEB", 26171 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 26172 }, 26173 { 26174 "type": "WEB", 26175 "url": "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64@%3Cissues.commons.apache.org%3E" 26176 }, 26177 { 26178 "type": "WEB", 26179 "url": "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E" 26180 }, 26181 { 26182 "type": "WEB", 26183 "url": "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a@%3Cissues.commons.apache.org%3E" 26184 }, 26185 { 26186 "type": "WEB", 26187 "url": "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E" 26188 }, 26189 { 26190 "type": "WEB", 26191 "url": "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0@%3Cissues.commons.apache.org%3E" 26192 }, 26193 { 26194 "type": "WEB", 26195 "url": "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E" 26196 }, 26197 { 26198 "type": "WEB", 26199 "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" 26200 }, 26201 { 26202 "type": "WEB", 26203 "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E" 26204 }, 26205 { 26206 "type": "WEB", 26207 "url": 
"https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b@%3Cannounce.apache.org%3E" 26208 }, 26209 { 26210 "type": "WEB", 26211 "url": "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E" 26212 }, 26213 { 26214 "type": "WEB", 26215 "url": "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f@%3Cissues.commons.apache.org%3E" 26216 }, 26217 { 26218 "type": "WEB", 26219 "url": "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E" 26220 }, 26221 { 26222 "type": "WEB", 26223 "url": "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25@%3Cdev.commons.apache.org%3E" 26224 }, 26225 { 26226 "type": "WEB", 26227 "url": "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E" 26228 }, 26229 { 26230 "type": "WEB", 26231 "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" 26232 }, 26233 { 26234 "type": "WEB", 26235 "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" 26236 }, 26237 { 26238 "type": "WEB", 26239 "url": "https://web.archive.org/web/20150710065242/http://www.securityfocus.com/archive/1/534161/100/0/threaded" 26240 }, 26241 { 26242 "type": "WEB", 26243 "url": "https://web.archive.org/web/20140618110851/http://www.securityfocus.com/bid/67121" 26244 }, 26245 { 26246 "type": "WEB", 26247 "url": "https://snyk.io/vuln/SNYK-JAVA-COMMONSBEANUTILS-30077" 26248 }, 26249 { 26250 "type": "WEB", 26251 "url": "https://security.netapp.com/advisory/ntap-20180629-0006" 26252 }, 26253 { 26254 "type": "WEB", 26255 "url": "https://security.netapp.com/advisory/ntap-20140911-0001" 26256 }, 26257 { 26258 "type": "WEB", 26259 "url": "https://security.gentoo.org/glsa/201607-09" 26260 }, 26261 
{ 26262 "type": "WEB", 26263 "url": "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E" 26264 }, 26265 { 26266 "type": "WEB", 26267 "url": "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e@%3Cissues.activemq.apache.org%3E" 26268 }, 26269 { 26270 "type": "WEB", 26271 "url": "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E" 26272 }, 26273 { 26274 "type": "WEB", 26275 "url": "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E" 26276 }, 26277 { 26278 "type": "WEB", 26279 "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E" 26280 }, 26281 { 26282 "type": "WEB", 26283 "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E" 26284 }, 26285 { 26286 "type": "WEB", 26287 "url": "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263@%3Cissues.commons.apache.org%3E" 26288 }, 26289 { 26290 "type": "WEB", 26291 "url": "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E" 26292 }, 26293 { 26294 "type": "WEB", 26295 "url": "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3@%3Cnotifications.commons.apache.org%3E" 26296 }, 26297 { 26298 "type": "WEB", 26299 "url": "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E" 26300 }, 26301 { 26302 "type": "WEB", 26303 "url": 
"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 26304 }, 26305 { 26306 "type": "WEB", 26307 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" 26308 }, 26309 { 26310 "type": "WEB", 26311 "url": "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f@%3Cissues.commons.apache.org%3E" 26312 }, 26313 { 26314 "type": "WEB", 26315 "url": "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E" 26316 }, 26317 { 26318 "type": "WEB", 26319 "url": "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f@%3Cnotifications.commons.apache.org%3E" 26320 }, 26321 { 26322 "type": "WEB", 26323 "url": "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E" 26324 }, 26325 { 26326 "type": "WEB", 26327 "url": "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8@%3Cissues.commons.apache.org%3E" 26328 }, 26329 { 26330 "type": "WEB", 26331 "url": "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E" 26332 }, 26333 { 26334 "type": "WEB", 26335 "url": "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86@%3Cdev.commons.apache.org%3E" 26336 }, 26337 { 26338 "type": "WEB", 26339 "url": "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E" 26340 }, 26341 { 26342 "type": "WEB", 26343 "url": "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E" 26344 }, 26345 { 26346 "type": "WEB", 26347 "url": 
"https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5@%3Cissues.commons.apache.org%3E" 26348 }, 26349 { 26350 "type": "WEB", 26351 "url": "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E" 26352 }, 26353 { 26354 "type": "WEB", 26355 "url": "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3@%3Cissues.commons.apache.org%3E" 26356 }, 26357 { 26358 "type": "WEB", 26359 "url": "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E" 26360 }, 26361 { 26362 "type": "WEB", 26363 "url": "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5@%3Ccommits.commons.apache.org%3E" 26364 }, 26365 { 26366 "type": "WEB", 26367 "url": "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E" 26368 }, 26369 { 26370 "type": "WEB", 26371 "url": "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c@%3Cissues.activemq.apache.org%3E" 26372 }, 26373 { 26374 "type": "WEB", 26375 "url": "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E" 26376 }, 26377 { 26378 "type": "WEB", 26379 "url": "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f@%3Cuser.commons.apache.org%3E" 26380 }, 26381 { 26382 "type": "WEB", 26383 "url": "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E" 26384 }, 26385 { 26386 "type": "WEB", 26387 "url": "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6@%3Cissues.commons.apache.org%3E" 26388 }, 26389 { 26390 "type": "WEB", 26391 "url": 
"https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E" 26392 }, 26393 { 26394 "type": "WEB", 26395 "url": "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883@%3Cissues.commons.apache.org%3E" 26396 }, 26397 { 26398 "type": "WEB", 26399 "url": "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E" 26400 }, 26401 { 26402 "type": "WEB", 26403 "url": "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb@%3Cissues.commons.apache.org%3E" 26404 }, 26405 { 26406 "type": "WEB", 26407 "url": "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E" 26408 }, 26409 { 26410 "type": "WEB", 26411 "url": "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3@%3Cissues.commons.apache.org%3E" 26412 }, 26413 { 26414 "type": "WEB", 26415 "url": "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E" 26416 }, 26417 { 26418 "type": "WEB", 26419 "url": "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859@%3Cdev.commons.apache.org%3E" 26420 }, 26421 { 26422 "type": "WEB", 26423 "url": "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E" 26424 }, 26425 { 26426 "type": "WEB", 26427 "url": "https://issues.apache.org/jira/browse/BEANUTILS-463" 26428 }, 26429 { 26430 "type": "WEB", 26431 "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755" 26432 }, 26433 { 26434 "type": "PACKAGE", 26435 "url": "https://github.com/apache/commons-beanutils" 26436 }, 26437 { 26438 "type": "WEB", 26439 "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=1116665" 26440 }, 26441 { 26442 "type": "WEB", 26443 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1091938" 26444 }, 26445 { 26446 "type": "WEB", 26447 "url": "https://access.redhat.com/solutions/869353" 26448 }, 26449 { 26450 "type": "WEB", 26451 "url": "https://access.redhat.com/errata/RHSA-2019:2995" 26452 }, 26453 { 26454 "type": "WEB", 26455 "url": "https://access.redhat.com/errata/RHSA-2018:2669" 26456 }, 26457 { 26458 "type": "WEB", 26459 "url": "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3@%3Cissues.commons.apache.org%3E" 26460 }, 26461 { 26462 "type": "WEB", 26463 "url": "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E" 26464 }, 26465 { 26466 "type": "WEB", 26467 "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" 26468 }, 26469 { 26470 "type": "WEB", 26471 "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E" 26472 }, 26473 { 26474 "type": "WEB", 26475 "url": "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4@%3Cissues.commons.apache.org%3E" 26476 }, 26477 { 26478 "type": "WEB", 26479 "url": "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E" 26480 }, 26481 { 26482 "type": "WEB", 26483 "url": "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293@%3Cissues.commons.apache.org%3E" 26484 }, 26485 { 26486 "type": "WEB", 26487 "url": "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E" 26488 }, 26489 { 26490 "type": "WEB", 26491 "url": 
"https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226@%3Cissues.commons.apache.org%3E" 26492 }, 26493 { 26494 "type": "WEB", 26495 "url": "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E" 26496 }, 26497 { 26498 "type": "WEB", 26499 "url": "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5@%3Cissues.commons.apache.org%3E" 26500 }, 26501 { 26502 "type": "WEB", 26503 "url": "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E" 26504 }, 26505 { 26506 "type": "WEB", 26507 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 26508 }, 26509 { 26510 "type": "WEB", 26511 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" 26512 }, 26513 { 26514 "type": "WEB", 26515 "url": "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e@%3Cissues.commons.apache.org%3E" 26516 }, 26517 { 26518 "type": "WEB", 26519 "url": "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E" 26520 }, 26521 { 26522 "type": "WEB", 26523 "url": "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346@%3Cissues.commons.apache.org%3E" 26524 }, 26525 { 26526 "type": "WEB", 26527 "url": "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E" 26528 }, 26529 { 26530 "type": "WEB", 26531 "url": "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1@%3Cdev.commons.apache.org%3E" 26532 }, 26533 { 26534 "type": "WEB", 26535 "url": 
"https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E" 26536 }, 26537 { 26538 "type": "WEB", 26539 "url": "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30@%3Cissues.activemq.apache.org%3E" 26540 }, 26541 { 26542 "type": "WEB", 26543 "url": "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E" 26544 }, 26545 { 26546 "type": "WEB", 26547 "url": "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E" 26548 }, 26549 { 26550 "type": "WEB", 26551 "url": "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E" 26552 }, 26553 { 26554 "type": "WEB", 26555 "url": "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd@%3Ccommits.commons.apache.org%3E" 26556 }, 26557 { 26558 "type": "WEB", 26559 "url": "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E" 26560 }, 26561 { 26562 "type": "WEB", 26563 "url": "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0@%3Cissues.commons.apache.org%3E" 26564 }, 26565 { 26566 "type": "WEB", 26567 "url": "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E" 26568 }, 26569 { 26570 "type": "WEB", 26571 "url": "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0@%3Cissues.commons.apache.org%3E" 26572 }, 26573 { 26574 "type": "WEB", 26575 "url": "http://advisories.mageia.org/MGASA-2014-0219.html" 26576 }, 26577 { 26578 "type": "WEB", 26579 "url": 
"http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html" 26580 }, 26581 { 26582 "type": "WEB", 26583 "url": "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt" 26584 }, 26585 { 26586 "type": "WEB", 26587 "url": "http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html" 26588 }, 26589 { 26590 "type": "WEB", 26591 "url": "http://marc.info/?l=bugtraq\u0026m=140119284401582\u0026w=2" 26592 }, 26593 { 26594 "type": "WEB", 26595 "url": "http://marc.info/?l=bugtraq\u0026m=140801096002766\u0026w=2" 26596 }, 26597 { 26598 "type": "WEB", 26599 "url": "http://marc.info/?l=bugtraq\u0026m=141451023707502\u0026w=2" 26600 }, 26601 { 26602 "type": "WEB", 26603 "url": "http://openwall.com/lists/oss-security/2014/06/15/10" 26604 }, 26605 { 26606 "type": "WEB", 26607 "url": "http://openwall.com/lists/oss-security/2014/07/08/1" 26608 }, 26609 { 26610 "type": "WEB", 26611 "url": "http://seclists.org/fulldisclosure/2014/Dec/23" 26612 }, 26613 { 26614 "type": "WEB", 26615 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674128" 26616 }, 26617 { 26618 "type": "WEB", 26619 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674812" 26620 }, 26621 { 26622 "type": "WEB", 26623 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675266" 26624 }, 26625 { 26626 "type": "WEB", 26627 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675387" 26628 }, 26629 { 26630 "type": "WEB", 26631 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675689" 26632 }, 26633 { 26634 "type": "WEB", 26635 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675898" 26636 }, 26637 { 26638 "type": "WEB", 26639 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21675972" 26640 }, 26641 { 26642 "type": "WEB", 26643 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676091" 26644 }, 26645 { 26646 "type": "WEB", 26647 "url": 
"http://www-01.ibm.com/support/docview.wss?uid=swg21676110" 26648 }, 26649 { 26650 "type": "WEB", 26651 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676303" 26652 }, 26653 { 26654 "type": "WEB", 26655 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676375" 26656 }, 26657 { 26658 "type": "WEB", 26659 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676931" 26660 }, 26661 { 26662 "type": "WEB", 26663 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21677110" 26664 }, 26665 { 26666 "type": "WEB", 26667 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg27042296" 26668 }, 26669 { 26670 "type": "WEB", 26671 "url": "http://www.debian.org/security/2014/dsa-2940" 26672 }, 26673 { 26674 "type": "WEB", 26675 "url": "http://www.ibm.com/support/docview.wss?uid=swg21675496" 26676 }, 26677 { 26678 "type": "WEB", 26679 "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:095" 26680 }, 26681 { 26682 "type": "WEB", 26683 "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html" 26684 }, 26685 { 26686 "type": "WEB", 26687 "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" 26688 }, 26689 { 26690 "type": "WEB", 26691 "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" 26692 }, 26693 { 26694 "type": "WEB", 26695 "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" 26696 }, 26697 { 26698 "type": "WEB", 26699 "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" 26700 }, 26701 { 26702 "type": "WEB", 26703 "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html" 26704 }, 26705 { 26706 "type": "WEB", 26707 "url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html" 26708 }, 26709 { 26710 "type": "WEB", 26711 "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html" 26712 }, 26713 { 26714 "type": 
"WEB", 26715 "url": "http://www.vmware.com/security/advisories/VMSA-2014-0008.html" 26716 }, 26717 { 26718 "type": "WEB", 26719 "url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html" 26720 } 26721 ], 26722 "schema_version": "1.6.0", 26723 "summary": "Arbitrary code execution in Apache Commons BeanUtils" 26724 }, 26725 { 26726 "affected": [ 26727 { 26728 "database_specific": { 26729 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json" 26730 }, 26731 "package": { 26732 "ecosystem": "Maven", 26733 "name": "org.apache.commons:commons-collections4", 26734 "purl": "pkg:maven/org.apache.commons/commons-collections4" 26735 }, 26736 "ranges": [ 26737 { 26738 "events": [ 26739 { 26740 "introduced": "0" 26741 }, 26742 { 26743 "fixed": "4.1" 26744 } 26745 ], 26746 "type": "ECOSYSTEM" 26747 } 26748 ], 26749 "versions": [ 26750 "4.0" 26751 ] 26752 }, 26753 { 26754 "database_specific": { 26755 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json" 26756 }, 26757 "package": { 26758 "ecosystem": "Maven", 26759 "name": "commons-collections:commons-collections", 26760 "purl": "pkg:maven/commons-collections/commons-collections" 26761 }, 26762 "ranges": [ 26763 { 26764 "events": [ 26765 { 26766 "introduced": "0" 26767 }, 26768 { 26769 "fixed": "3.2.2" 26770 } 26771 ], 26772 "type": "ECOSYSTEM" 26773 } 26774 ], 26775 "versions": [ 26776 "1.0", 26777 "2.0", 26778 "2.0.20020914.015953", 26779 "2.0.20020914.020746", 26780 "2.0.20020914.020858", 26781 "2.1", 26782 "2.1.1", 26783 "3.0", 26784 "3.0-dev2", 26785 "3.1", 26786 "3.2", 26787 "3.2.1" 26788 ] 26789 }, 26790 { 26791 "database_specific": { 26792 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json" 26793 }, 26794 "package": { 26795 "ecosystem": 
"Maven", 26796 "name": "net.sourceforge.collections:collections-generic", 26797 "purl": "pkg:maven/net.sourceforge.collections/collections-generic" 26798 }, 26799 "ranges": [ 26800 { 26801 "events": [ 26802 { 26803 "introduced": "0" 26804 }, 26805 { 26806 "last_affected": "4.0.1" 26807 } 26808 ], 26809 "type": "ECOSYSTEM" 26810 } 26811 ] 26812 }, 26813 { 26814 "database_specific": { 26815 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json" 26816 }, 26817 "package": { 26818 "ecosystem": "Maven", 26819 "name": "org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic", 26820 "purl": "pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.collections-generic" 26821 }, 26822 "ranges": [ 26823 { 26824 "events": [ 26825 { 26826 "introduced": "0" 26827 }, 26828 { 26829 "last_affected": "4.01" 26830 } 26831 ], 26832 "type": "ECOSYSTEM" 26833 } 26834 ] 26835 }, 26836 { 26837 "database_specific": { 26838 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json" 26839 }, 26840 "package": { 26841 "ecosystem": "Maven", 26842 "name": "org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections", 26843 "purl": "pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-collections" 26844 }, 26845 "ranges": [ 26846 { 26847 "events": [ 26848 { 26849 "introduced": "0" 26850 }, 26851 { 26852 "last_affected": "3.2.1" 26853 } 26854 ], 26855 "type": "ECOSYSTEM" 26856 } 26857 ] 26858 } 26859 ], 26860 "aliases": [ 26861 "CVE-2015-6420" 26862 ], 26863 "database_specific": { 26864 "cwe_ids": [ 26865 "CWE-502" 26866 ], 26867 "github_reviewed": true, 26868 "github_reviewed_at": "2020-06-11T15:58:44Z", 26869 "nvd_published_at": "2015-12-15T05:59:00Z", 26870 "severity": "HIGH" 26871 }, 26872 "details": "Serialized-object interfaces in Java 
applications using the Apache Commons Collections (ACC) library may allow remote attackers to execute arbitrary commands via a crafted serialized Java object.", 26873 "id": "GHSA-6hgm-866r-3cjv", 26874 "modified": "2024-02-16T08:23:38.195784Z", 26875 "published": "2020-06-15T20:36:20Z", 26876 "references": [ 26877 { 26878 "type": "ADVISORY", 26879 "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-6420" 26880 }, 26881 { 26882 "type": "WEB", 26883 "url": "https://arxiv.org/pdf/2306.05534" 26884 }, 26885 { 26886 "type": "PACKAGE", 26887 "url": "https://github.com/apache/commons-collections" 26888 }, 26889 { 26890 "type": "WEB", 26891 "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917" 26892 }, 26893 { 26894 "type": "WEB", 26895 "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722" 26896 }, 26897 { 26898 "type": "WEB", 26899 "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E" 26900 }, 26901 { 26902 "type": "WEB", 26903 "url": "https://www.kb.cert.org/vuls/id/581311" 26904 }, 26905 { 26906 "type": "WEB", 26907 "url": "https://www.tenable.com/security/research/tra-2017-14" 26908 }, 26909 { 26910 "type": "WEB", 26911 "url": "https://www.tenable.com/security/research/tra-2017-23" 26912 }, 26913 { 26914 "type": "WEB", 26915 "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization" 26916 }, 26917 { 26918 "type": "WEB", 26919 "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" 26920 }, 26921 { 26922 "type": "WEB", 26923 "url": "http://www.securityfocus.com/bid/78872" 26924 } 26925 ], 26926 "schema_version": "1.6.0", 26927 "summary": "Insecure Deserialization in Apache Commons Collection" 26928 }, 26929 { 26930 "affected": [ 26931 { 26932 "database_specific": { 26933 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json" 26934 }, 26935 "package": { 26936 "ecosystem": "Maven", 26937 "name": "commons-collections:commons-collections", 26938 "purl": "pkg:maven/commons-collections/commons-collections" 26939 }, 26940 "ranges": [ 26941 { 26942 "events": [ 26943 { 26944 "introduced": "0" 26945 }, 26946 { 26947 "fixed": "3.2.2" 26948 } 26949 ], 26950 "type": "ECOSYSTEM" 26951 } 26952 ], 26953 "versions": [ 26954 "1.0", 26955 "2.0", 26956 "2.0.20020914.015953", 26957 "2.0.20020914.020746", 26958 "2.0.20020914.020858", 26959 "2.1", 26960 "2.1.1", 26961 "3.0", 26962 "3.0-dev2", 26963 "3.1", 26964 "3.2", 26965 "3.2.1" 26966 ] 26967 }, 26968 { 26969 "database_specific": { 26970 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json" 26971 }, 26972 "package": { 26973 "ecosystem": "Maven", 26974 "name": "org.apache.commons:commons-collections4", 26975 "purl": "pkg:maven/org.apache.commons/commons-collections4" 26976 }, 26977 "ranges": [ 26978 { 26979 "events": [ 26980 { 26981 "introduced": "0" 26982 }, 26983 { 26984 "fixed": "4.1" 26985 } 26986 ], 26987 "type": "ECOSYSTEM" 26988 } 26989 ], 26990 "versions": [ 26991 "4.0" 26992 ] 26993 }, 26994 { 26995 "database_specific": { 26996 "last_known_affected_version_range": "\u003c 3.2.2", 26997 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json" 26998 }, 26999 "package": { 27000 "ecosystem": "Maven", 27001 "name": "org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections", 27002 "purl": "pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-collections" 27003 }, 27004 "ranges": [ 27005 { 27006 "events": [ 27007 { 27008 "introduced": "3.2.1" 27009 } 27010 ], 27011 "type": "ECOSYSTEM" 27012 } 
27013 ], 27014 "versions": [ 27015 "3.2.1_1", 27016 "3.2.1_2", 27017 "3.2.1_3" 27018 ] 27019 }, 27020 { 27021 "database_specific": { 27022 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json" 27023 }, 27024 "package": { 27025 "ecosystem": "Maven", 27026 "name": "net.sourceforge.collections:collections-generic", 27027 "purl": "pkg:maven/net.sourceforge.collections/collections-generic" 27028 }, 27029 "versions": [ 27030 "4.01" 27031 ] 27032 }, 27033 { 27034 "database_specific": { 27035 "last_known_affected_version_range": "\u003c 4.02", 27036 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json" 27037 }, 27038 "package": { 27039 "ecosystem": "Maven", 27040 "name": "org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic", 27041 "purl": "pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.collections-generic" 27042 }, 27043 "ranges": [ 27044 { 27045 "events": [ 27046 { 27047 "introduced": "4.01" 27048 } 27049 ], 27050 "type": "ECOSYSTEM" 27051 } 27052 ], 27053 "versions": [ 27054 "4.01_1" 27055 ] 27056 } 27057 ], 27058 "aliases": [ 27059 "CVE-2015-7501" 27060 ], 27061 "database_specific": { 27062 "cwe_ids": [ 27063 "CWE-502" 27064 ], 27065 "github_reviewed": true, 27066 "github_reviewed_at": "2022-11-03T22:57:31Z", 27067 "nvd_published_at": "2017-11-09T17:29:00Z", 27068 "severity": "CRITICAL" 27069 }, 27070 "details": "It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. 
A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.", 27071 "id": "GHSA-fjq5-5j5f-mvxh", 27072 "modified": "2024-02-17T05:22:18.562352Z", 27073 "published": "2022-05-13T01:25:20Z", 27074 "references": [ 27075 { 27076 "type": "ADVISORY", 27077 "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501" 27078 }, 27079 { 27080 "type": "WEB", 27081 "url": "https://access.redhat.com/security/vulnerabilities/2059393" 27082 }, 27083 { 27084 "type": "WEB", 27085 "url": "https://access.redhat.com/solutions/2045023" 27086 }, 27087 { 27088 "type": "WEB", 27089 "url": "https://arxiv.org/pdf/2306.05534.pdf" 27090 }, 27091 { 27092 "type": "WEB", 27093 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330" 27094 }, 27095 { 27096 "type": "WEB", 27097 "url": "https://commons.apache.org/proper/commons-collections/release_4_1.html" 27098 }, 27099 { 27100 "type": "WEB", 27101 "url": "https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability" 27102 }, 27103 { 27104 "type": "PACKAGE", 27105 "url": "https://github.com/apache/commons-collections" 27106 }, 27107 { 27108 "type": "WEB", 27109 "url": "https://github.com/jensdietrich/xshady-release/tree/main/CVE-2015-7501" 27110 }, 27111 { 27112 "type": "WEB", 27113 "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580." 
27114 }, 27115 { 27116 "type": "WEB", 27117 "url": "https://sourceforge.net/p/collections/code/HEAD/tree" 27118 }, 27119 { 27120 "type": "WEB", 27121 "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html" 27122 } 27123 ], 27124 "schema_version": "1.6.0", 27125 "severity": [ 27126 { 27127 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 27128 "type": "CVSS_V3" 27129 } 27130 ], 27131 "summary": "Deserialization of Untrusted Data in Apache commons collections" 27132 }, 27133 { 27134 "affected": [ 27135 { 27136 "database_specific": { 27137 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3832-9276-x7gf/GHSA-3832-9276-x7gf.json" 27138 }, 27139 "package": { 27140 "ecosystem": "Maven", 27141 "name": "commons-httpclient:commons-httpclient", 27142 "purl": "pkg:maven/commons-httpclient/commons-httpclient" 27143 }, 27144 "ranges": [ 27145 { 27146 "events": [ 27147 { 27148 "introduced": "3.0" 27149 }, 27150 { 27151 "fixed": "4.0" 27152 } 27153 ], 27154 "type": "ECOSYSTEM" 27155 } 27156 ], 27157 "versions": [ 27158 "3.0", 27159 "3.0.1", 27160 "3.1", 27161 "3.1-alpha1", 27162 "3.1-beta1", 27163 "3.1-jenkins-1", 27164 "3.1-jenkins-2", 27165 "3.1-jenkins-3", 27166 "3.1-rc1" 27167 ] 27168 } 27169 ], 27170 "aliases": [ 27171 "CVE-2012-5783" 27172 ], 27173 "database_specific": { 27174 "cwe_ids": [ 27175 "CWE-295" 27176 ], 27177 "github_reviewed": true, 27178 "github_reviewed_at": "2022-07-13T13:58:59Z", 27179 "nvd_published_at": "2012-11-04T22:55:00Z", 27180 "severity": "MODERATE" 27181 }, 27182 "details": "Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", 27183 "id": "GHSA-3832-9276-x7gf", 27184 "modified": 
"2024-03-14T22:02:33.751135Z", 27185 "published": "2022-05-13T01:10:34Z", 27186 "references": [ 27187 { 27188 "type": "ADVISORY", 27189 "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5783" 27190 }, 27191 { 27192 "type": "WEB", 27193 "url": "https://access.redhat.com/errata/RHSA-2017:0868" 27194 }, 27195 { 27196 "type": "WEB", 27197 "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79984" 27198 }, 27199 { 27200 "type": "PACKAGE", 27201 "url": "https://github.com/apache/httpcomponents-client" 27202 }, 27203 { 27204 "type": "WEB", 27205 "url": "https://issues.apache.org/jira/browse/HTTPCLIENT-1265" 27206 }, 27207 { 27208 "type": "WEB", 27209 "url": "http://lists.opensuse.org/opensuse-updates/2013-02/msg00078.html" 27210 }, 27211 { 27212 "type": "WEB", 27213 "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00040.html" 27214 }, 27215 { 27216 "type": "WEB", 27217 "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00041.html" 27218 }, 27219 { 27220 "type": "WEB", 27221 "url": "http://lists.opensuse.org/opensuse-updates/2013-04/msg00053.html" 27222 }, 27223 { 27224 "type": "WEB", 27225 "url": "http://rhn.redhat.com/errata/RHSA-2013-0270.html" 27226 }, 27227 { 27228 "type": "WEB", 27229 "url": "http://rhn.redhat.com/errata/RHSA-2013-0679.html" 27230 }, 27231 { 27232 "type": "WEB", 27233 "url": "http://rhn.redhat.com/errata/RHSA-2013-0680.html" 27234 }, 27235 { 27236 "type": "WEB", 27237 "url": "http://rhn.redhat.com/errata/RHSA-2013-0682.html" 27238 }, 27239 { 27240 "type": "WEB", 27241 "url": "http://rhn.redhat.com/errata/RHSA-2013-1853.html" 27242 }, 27243 { 27244 "type": "WEB", 27245 "url": "http://rhn.redhat.com/errata/RHSA-2014-0224.html" 27246 }, 27247 { 27248 "type": "WEB", 27249 "url": "http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf" 27250 }, 27251 { 27252 "type": "WEB", 27253 "url": "http://www.ubuntu.com/usn/USN-2769-1" 27254 } 27255 ], 27256 "related": [ 27257 "CGA-36v2-2382-h797", 27258 "CGA-7hvw-h9c4-h6h5" 27259 ], 27260 
"schema_version": "1.6.0", 27261 "summary": "Improper Certificate Validation in apache HttpClient" 27262 }, 27263 { 27264 "affected": [ 27265 { 27266 "database_specific": { 27267 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json" 27268 }, 27269 "package": { 27270 "ecosystem": "Maven", 27271 "name": "commons-io:commons-io", 27272 "purl": "pkg:maven/commons-io/commons-io" 27273 }, 27274 "ranges": [ 27275 { 27276 "events": [ 27277 { 27278 "introduced": "0" 27279 }, 27280 { 27281 "fixed": "2.7" 27282 } 27283 ], 27284 "type": "ECOSYSTEM" 27285 } 27286 ], 27287 "versions": [ 27288 "0.1", 27289 "1.0", 27290 "1.1", 27291 "1.2", 27292 "1.3", 27293 "1.3.1", 27294 "1.3.2", 27295 "1.4", 27296 "2.0", 27297 "2.0.1", 27298 "2.1", 27299 "2.2", 27300 "2.3", 27301 "2.4", 27302 "2.5", 27303 "2.6" 27304 ] 27305 }, 27306 { 27307 "database_specific": { 27308 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json" 27309 }, 27310 "package": { 27311 "ecosystem": "Maven", 27312 "name": "com.cosium.vet:vet", 27313 "purl": "pkg:maven/com.cosium.vet/vet" 27314 }, 27315 "ranges": [ 27316 { 27317 "events": [ 27318 { 27319 "introduced": "1.0" 27320 }, 27321 { 27322 "last_affected": "3.22" 27323 } 27324 ], 27325 "type": "ECOSYSTEM" 27326 } 27327 ], 27328 "versions": [ 27329 "1.0", 27330 "1.1", 27331 "1.11", 27332 "1.12", 27333 "1.13", 27334 "1.2", 27335 "1.3", 27336 "1.4", 27337 "1.5", 27338 "2.2", 27339 "2.3", 27340 "2.6", 27341 "2.7", 27342 "2.8", 27343 "2.9", 27344 "3.0", 27345 "3.10", 27346 "3.11", 27347 "3.12", 27348 "3.13", 27349 "3.14", 27350 "3.15", 27351 "3.16", 27352 "3.17", 27353 "3.18", 27354 "3.19", 27355 "3.22" 27356 ] 27357 }, 27358 { 27359 "database_specific": { 27360 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json" 27361 }, 27362 "package": { 27363 "ecosystem": "Maven", 27364 "name": "com.diamondq.common:common-thirdparty.jcasbin", 27365 "purl": "pkg:maven/com.diamondq.common/common-thirdparty.jcasbin" 27366 }, 27367 "versions": [ 27368 "1.4.0" 27369 ] 27370 }, 27371 { 27372 "database_specific": { 27373 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json" 27374 }, 27375 "package": { 27376 "ecosystem": "Maven", 27377 "name": "com.liferay:com.liferay.sass.compiler.jsass", 27378 "purl": "pkg:maven/com.liferay/com.liferay.sass.compiler.jsass" 27379 }, 27380 "versions": [ 27381 "1.0.1" 27382 ] 27383 }, 27384 { 27385 "database_specific": { 27386 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json" 27387 }, 27388 "package": { 27389 "ecosystem": "Maven", 27390 "name": "com.virjar:ratel-api", 27391 "purl": "pkg:maven/com.virjar/ratel-api" 27392 }, 27393 "ranges": [ 27394 { 27395 "events": [ 27396 { 27397 "introduced": "1.0.0" 27398 }, 27399 { 27400 "last_affected": "1.3.6" 27401 } 27402 ], 27403 "type": "ECOSYSTEM" 27404 } 27405 ], 27406 "versions": [ 27407 "1.0.0", 27408 "1.1.0", 27409 "1.2.0", 27410 "1.3.0", 27411 "1.3.1", 27412 "1.3.2", 27413 "1.3.3", 27414 "1.3.4", 27415 "1.3.5", 27416 "1.3.6" 27417 ] 27418 }, 27419 { 27420 "database_specific": { 27421 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json" 27422 }, 27423 "package": { 27424 "ecosystem": "Maven", 27425 "name": "net.hasor:cobble-lang", 27426 "purl": "pkg:maven/net.hasor/cobble-lang" 27427 }, 27428 "ranges": [ 27429 { 27430 "events": [ 27431 { 27432 "introduced": "4.4.1" 27433 }, 27434 { 27435 "last_affected": 
"4.6.2" 27436 } 27437 ], 27438 "type": "ECOSYSTEM" 27439 } 27440 ], 27441 "versions": [ 27442 "4.4.1", 27443 "4.4.2", 27444 "4.5.0", 27445 "4.5.1", 27446 "4.5.2", 27447 "4.5.3", 27448 "4.5.4", 27449 "4.6.0", 27450 "4.6.1", 27451 "4.6.2" 27452 ] 27453 }, 27454 { 27455 "database_specific": { 27456 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json" 27457 }, 27458 "package": { 27459 "ecosystem": "Maven", 27460 "name": "org.apache.commons:commons-io", 27461 "purl": "pkg:maven/org.apache.commons/commons-io" 27462 }, 27463 "versions": [ 27464 "1.3.2" 27465 ] 27466 }, 27467 { 27468 "database_specific": { 27469 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json" 27470 }, 27471 "package": { 27472 "ecosystem": "Maven", 27473 "name": "org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-io", 27474 "purl": "pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-io" 27475 }, 27476 "ranges": [ 27477 { 27478 "events": [ 27479 { 27480 "introduced": "1.4" 27481 }, 27482 { 27483 "last_affected": "1.5" 27484 } 27485 ], 27486 "type": "ECOSYSTEM" 27487 } 27488 ], 27489 "versions": [ 27490 "1.4_1", 27491 "1.4_2", 27492 "1.4_3" 27493 ] 27494 }, 27495 { 27496 "database_specific": { 27497 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json" 27498 }, 27499 "package": { 27500 "ecosystem": "Maven", 27501 "name": "org.checkerframework.annotatedlib:commons-io", 27502 "purl": "pkg:maven/org.checkerframework.annotatedlib/commons-io" 27503 }, 27504 "ranges": [ 27505 { 27506 "events": [ 27507 { 27508 "introduced": "2.6" 27509 }, 27510 { 27511 "fixed": "2.7" 27512 } 27513 ], 27514 "type": "ECOSYSTEM" 27515 } 27516 ], 27517 "versions": [ 27518 "2.6", 27519 "2.6.0.1" 27520 ] 27521 }, 
27522 { 27523 "database_specific": { 27524 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json" 27525 }, 27526 "package": { 27527 "ecosystem": "Maven", 27528 "name": "org.smartboot.servlet:servlet-core", 27529 "purl": "pkg:maven/org.smartboot.servlet/servlet-core" 27530 }, 27531 "ranges": [ 27532 { 27533 "events": [ 27534 { 27535 "introduced": "0.1.9" 27536 }, 27537 { 27538 "last_affected": "0.6" 27539 } 27540 ], 27541 "type": "ECOSYSTEM" 27542 } 27543 ], 27544 "versions": [ 27545 "0.1.9", 27546 "0.2", 27547 "0.2.1", 27548 "0.3", 27549 "0.3.1", 27550 "0.4", 27551 "0.5", 27552 "0.6" 27553 ] 27554 } 27555 ], 27556 "aliases": [ 27557 "CVE-2021-29425" 27558 ], 27559 "database_specific": { 27560 "cwe_ids": [ 27561 "CWE-20", 27562 "CWE-22" 27563 ], 27564 "github_reviewed": true, 27565 "github_reviewed_at": "2021-04-26T15:21:31Z", 27566 "nvd_published_at": "2021-04-13T07:15:00Z", 27567 "severity": "MODERATE" 27568 }, 27569 "details": "In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value.", 27570 "id": "GHSA-gwrp-pvrq-jmwv", 27571 "modified": "2024-03-12T05:31:30.961796Z", 27572 "published": "2021-04-26T16:04:00Z", 27573 "references": [ 27574 { 27575 "type": "ADVISORY", 27576 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29425" 27577 }, 27578 { 27579 "type": "WEB", 27580 "url": "https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31@%3Cdev.commons.apache.org%3E" 27581 }, 27582 { 27583 "type": "WEB", 27584 "url": 
"https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa@%3Cnotifications.zookeeper.apache.org%3E" 27585 }, 27586 { 27587 "type": "WEB", 27588 "url": "https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8@%3Cdev.creadur.apache.org%3E" 27589 }, 27590 { 27591 "type": "WEB", 27592 "url": "https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5@%3Cdev.creadur.apache.org%3E" 27593 }, 27594 { 27595 "type": "WEB", 27596 "url": "https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a@%3Cuser.commons.apache.org%3E" 27597 }, 27598 { 27599 "type": "WEB", 27600 "url": "https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5@%3Cdev.creadur.apache.org%3E" 27601 }, 27602 { 27603 "type": "WEB", 27604 "url": "https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260@%3Cnotifications.zookeeper.apache.org%3E" 27605 }, 27606 { 27607 "type": "WEB", 27608 "url": "https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80@%3Cpluto-dev.portals.apache.org%3E" 27609 }, 27610 { 27611 "type": "WEB", 27612 "url": "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E" 27613 }, 27614 { 27615 "type": "WEB", 27616 "url": "https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae@%3Cnotifications.zookeeper.apache.org%3E" 27617 }, 27618 { 27619 "type": "WEB", 27620 "url": "https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0@%3Cpluto-dev.portals.apache.org%3E" 27621 }, 27622 { 27623 "type": "WEB", 27624 "url": "https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51@%3Cnotifications.zookeeper.apache.org%3E" 27625 }, 27626 { 27627 "type": "WEB", 
27628 "url": "https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6@%3Cnotifications.zookeeper.apache.org%3E" 27629 }, 27630 { 27631 "type": "WEB", 27632 "url": "https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279@%3Cnotifications.zookeeper.apache.org%3E" 27633 }, 27634 { 27635 "type": "WEB", 27636 "url": "https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af@%3Cnotifications.zookeeper.apache.org%3E" 27637 }, 27638 { 27639 "type": "WEB", 27640 "url": "https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c@%3Cdev.creadur.apache.org%3E" 27641 }, 27642 { 27643 "type": "WEB", 27644 "url": "https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d@%3Cdev.zookeeper.apache.org%3E" 27645 }, 27646 { 27647 "type": "WEB", 27648 "url": "https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330@%3Cdev.commons.apache.org%3E" 27649 }, 27650 { 27651 "type": "WEB", 27652 "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html" 27653 }, 27654 { 27655 "type": "WEB", 27656 "url": "https://security.netapp.com/advisory/ntap-20220210-0004" 27657 }, 27658 { 27659 "type": "WEB", 27660 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 27661 }, 27662 { 27663 "type": "WEB", 27664 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 27665 }, 27666 { 27667 "type": "WEB", 27668 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 27669 }, 27670 { 27671 "type": "WEB", 27672 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 27673 }, 27674 { 27675 "type": "WEB", 27676 "url": "https://arxiv.org/pdf/2306.05534.pdf" 27677 }, 27678 { 27679 "type": "WEB", 27680 "url": "https://github.com/jensdietrich/xshady-release/tree/main/CVE-2021-29425" 27681 }, 27682 { 27683 "type": "WEB", 27684 "url": 
"https://issues.apache.org/jira/browse/IO-556" 27685 }, 27686 { 27687 "type": "WEB", 27688 "url": "https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1@%3Cnotifications.zookeeper.apache.org%3E" 27689 }, 27690 { 27691 "type": "WEB", 27692 "url": "https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5@%3Cnotifications.zookeeper.apache.org%3E" 27693 }, 27694 { 27695 "type": "WEB", 27696 "url": "https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436@%3Ccommits.pulsar.apache.org%3E" 27697 }, 27698 { 27699 "type": "WEB", 27700 "url": "https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71@%3Ccommits.pulsar.apache.org%3E" 27701 }, 27702 { 27703 "type": "WEB", 27704 "url": "https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346@%3Cnotifications.zookeeper.apache.org%3E" 27705 }, 27706 { 27707 "type": "WEB", 27708 "url": "https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db@%3Cnotifications.zookeeper.apache.org%3E" 27709 }, 27710 { 27711 "type": "WEB", 27712 "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E" 27713 }, 27714 { 27715 "type": "WEB", 27716 "url": "https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34@%3Cdev.myfaces.apache.org%3E" 27717 }, 27718 { 27719 "type": "WEB", 27720 "url": "https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19@%3Cdev.creadur.apache.org%3E" 27721 }, 27722 { 27723 "type": "WEB", 27724 "url": "https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e@%3Cpluto-scm.portals.apache.org%3E" 27725 }, 27726 { 27727 "type": "WEB", 27728 "url": 
"https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a@%3Cdev.creadur.apache.org%3E" 27729 }, 27730 { 27731 "type": "WEB", 27732 "url": "https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2@%3Ccommits.zookeeper.apache.org%3E" 27733 }, 27734 { 27735 "type": "WEB", 27736 "url": "https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046@%3Cnotifications.zookeeper.apache.org%3E" 27737 }, 27738 { 27739 "type": "WEB", 27740 "url": "https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2@%3Cissues.zookeeper.apache.org%3E" 27741 }, 27742 { 27743 "type": "WEB", 27744 "url": "https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401@%3Cdev.creadur.apache.org%3E" 27745 }, 27746 { 27747 "type": "WEB", 27748 "url": "https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b@%3Cissues.zookeeper.apache.org%3E" 27749 }, 27750 { 27751 "type": "WEB", 27752 "url": "https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c@%3Cdev.creadur.apache.org%3E" 27753 }, 27754 { 27755 "type": "WEB", 27756 "url": "https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa@%3Cuser.commons.apache.org%3E" 27757 }, 27758 { 27759 "type": "WEB", 27760 "url": "https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375@%3Cdev.creadur.apache.org%3E" 27761 }, 27762 { 27763 "type": "WEB", 27764 "url": "https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374@%3Cnotifications.zookeeper.apache.org%3E" 27765 }, 27766 { 27767 "type": "WEB", 27768 "url": "https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04@%3Ccommits.pulsar.apache.org%3E" 27769 }, 27770 { 27771 "type": "WEB", 27772 "url": 
"https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29@%3Cissues.zookeeper.apache.org%3E" 27773 } 27774 ], 27775 "schema_version": "1.6.0", 27776 "severity": [ 27777 { 27778 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", 27779 "type": "CVSS_V3" 27780 } 27781 ], 27782 "summary": "Path Traversal and Improper Input Validation in Apache Commons IO" 27783 }, 27784 { 27785 "affected": [ 27786 { 27787 "database_specific": { 27788 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-cgp8-4m63-fhh5/GHSA-cgp8-4m63-fhh5.json" 27789 }, 27790 "package": { 27791 "ecosystem": "Maven", 27792 "name": "commons-net:commons-net", 27793 "purl": "pkg:maven/commons-net/commons-net" 27794 }, 27795 "ranges": [ 27796 { 27797 "events": [ 27798 { 27799 "introduced": "0" 27800 }, 27801 { 27802 "fixed": "3.9.0" 27803 } 27804 ], 27805 "type": "ECOSYSTEM" 27806 } 27807 ], 27808 "versions": [ 27809 "1.0.0", 27810 "1.1.0", 27811 "1.2.0", 27812 "1.2.1", 27813 "1.2.2", 27814 "1.3.0", 27815 "1.4.0", 27816 "1.4.1", 27817 "2.0", 27818 "2.2", 27819 "3.0", 27820 "3.0.1", 27821 "3.1", 27822 "3.2", 27823 "3.3", 27824 "3.4", 27825 "3.5", 27826 "3.6", 27827 "3.7", 27828 "3.7.1", 27829 "3.7.2", 27830 "3.8.0" 27831 ] 27832 } 27833 ], 27834 "aliases": [ 27835 "CVE-2021-37533" 27836 ], 27837 "database_specific": { 27838 "cwe_ids": [ 27839 "CWE-20" 27840 ], 27841 "github_reviewed": true, 27842 "github_reviewed_at": "2022-12-05T23:21:08Z", 27843 "nvd_published_at": "2022-12-03T15:15:00Z", 27844 "severity": "MODERATE" 27845 }, 27846 "details": "Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. 
This may lead to leakage of information about services running on the private network of the client.\nThe default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.\n", 27847 "id": "GHSA-cgp8-4m63-fhh5", 27848 "modified": "2023-11-08T04:06:18.513983Z", 27849 "published": "2022-12-03T15:30:26Z", 27850 "references": [ 27851 { 27852 "type": "ADVISORY", 27853 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37533" 27854 }, 27855 { 27856 "type": "WEB", 27857 "url": "https://github.com/apache/commons-net/commit/4fe1bae56e53f32756b1ca3296f3dd2c45e3e060" 27858 }, 27859 { 27860 "type": "PACKAGE", 27861 "url": "https://github.com/apache/commons-net" 27862 }, 27863 { 27864 "type": "WEB", 27865 "url": "https://issues.apache.org/jira/browse/NET-711" 27866 }, 27867 { 27868 "type": "WEB", 27869 "url": "https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7" 27870 }, 27871 { 27872 "type": "WEB", 27873 "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00038.html" 27874 }, 27875 { 27876 "type": "WEB", 27877 "url": "https://www.debian.org/security/2022/dsa-5307" 27878 }, 27879 { 27880 "type": "WEB", 27881 "url": "http://www.openwall.com/lists/oss-security/2022/12/03/1" 27882 } 27883 ], 27884 "schema_version": "1.6.0", 27885 "severity": [ 27886 { 27887 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", 27888 "type": "CVSS_V3" 27889 } 27890 ], 27891 "summary": "Apache Commons Net vulnerable to information leakage via malicious server" 27892 }, 27893 { 27894 "affected": [ 27895 { 27896 "database_specific": { 27897 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-cfxw-4h78-h7fw/GHSA-cfxw-4h78-h7fw.json" 27898 }, 27899 "package": { 27900 "ecosystem": "Maven", 27901 "name": "dnsjava:dnsjava", 27902 "purl": "pkg:maven/dnsjava/dnsjava" 27903 }, 27904 "ranges": [ 27905 { 27906 "events": [ 27907 { 27908 "introduced": "0" 27909 }, 27910 { 27911 
"fixed": "3.6.0" 27912 } 27913 ], 27914 "type": "ECOSYSTEM" 27915 } 27916 ], 27917 "versions": [ 27918 "1.2.3", 27919 "1.3.2", 27920 "2.0.1", 27921 "2.0.6", 27922 "2.0.7", 27923 "2.0.8", 27924 "2.1.0", 27925 "2.1.1", 27926 "2.1.6", 27927 "2.1.7", 27928 "2.1.8", 27929 "2.1.9", 27930 "3.0.0", 27931 "3.0.0-next.1", 27932 "3.0.1", 27933 "3.0.2", 27934 "3.1.0", 27935 "3.2.0", 27936 "3.2.1", 27937 "3.2.2", 27938 "3.3.0", 27939 "3.3.1", 27940 "3.4.0", 27941 "3.4.1", 27942 "3.4.2", 27943 "3.4.3", 27944 "3.5.0", 27945 "3.5.1", 27946 "3.5.2", 27947 "3.5.3" 27948 ] 27949 } 27950 ], 27951 "aliases": [ 27952 "CVE-2024-25638" 27953 ], 27954 "database_specific": { 27955 "cwe_ids": [ 27956 "CWE-345", 27957 "CWE-349" 27958 ], 27959 "github_reviewed": true, 27960 "github_reviewed_at": "2024-07-22T14:33:41Z", 27961 "nvd_published_at": "2024-07-22T14:15:04Z", 27962 "severity": "HIGH" 27963 }, 27964 "details": "### Summary\n\nRecords in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones.\n\n### Details\n\nDNS Messages are not authenticated. They do not guarantee that\n\n- received RRs are authentic\n- not received RRs do not exist\n- all or any received records in a response relate to the request\n\nApplications utilizing DNSSEC generally expect these guarantees to be met, however DNSSEC by itself only guarantees the first two.\nTo meet the third guarantee, resolvers generally follow an (undocumented, as far as RFCs go) algorithm such as: (simplified, e.g. lacks DNSSEC validation!)\n\n1. denote by `QNAME` the name you are querying (e.g. fraunhofer.de.), and initialize a list of aliases\n2. if the ANSWER section contains a valid PTR RRSet for `QNAME`, return it (and optionally return the list of aliases as well)\n3. if the ANSWER section contains a valid CNAME RRSet for `QNAME`, add it to the list of aliases. Set `QNAME` to the CNAME's target and go to 2.\n4. 
Verify that `QNAME` does not have any PTR, CNAME and DNAME records using valid NSEC or NSEC3 records. Return `null`.\n\nNote that this algorithm relies on NSEC records and thus requires a considerable portion of the DNSSEC specifications to be implemented. For this reason, it cannot be performed by a DNS client (aka application) and is typically performed as part of the resolver logic.\n\ndnsjava does not implement a comparable algorithm, and the provided APIs instead return either\n\n- the received DNS message itself (e.g. when using a ValidatingResolver such as in [this](https://github.com/dnsjava/dnsjava/blob/master/EXAMPLES.md#dnssec-resolver) example), or\n- essentially just the contents of its ANSWER section (e.g. when using a LookupSession such as in [this](https://github.com/dnsjava/dnsjava/blob/master/EXAMPLES.md#simple-lookup-with-a-resolver) example)\n\nIf applications blindly filter the received results for RRs of the desired record type (as seems to be typical usage for dnsjava), a rogue recursive resolver or (on UDP/TCP connections) a network attacker can\n\n- In addition to the actual DNS response, add RRs irrelevant to the query but of the right datatype, e.g. from another zone, as long as that zone is correctly using DNSSEC, or\n- completely exchange the relevant response records\n\n### Impact\n\nDNS(SEC) libraries are usually used as part of a larger security framework.\nTherefore, the main misuses of this vulnerability concern application code, which might take the returned records as authentic answers to the request.\nHere are three concrete examples of where this might be detrimental:\n\n- [RFC 6186](https://datatracker.ietf.org/doc/html/rfc6186) specifies that to connect to an IMAP server for a user, a mail user agent should retrieve certain SRV records and send the user's credentials to the specified servers. 
Exchanging the SRV records can be a tool to redirect the credentials.\n- When delivering mail via SMTP, MX records determine where to deliver the mails to. Exchanging the MX records might lead to information disclosure. Additionally, an exchange of TLSA records might allow attackers to intercept TLS traffic.\n- Some research projects like [LIGHTest](https://www.lightest.eu/) are trying to manage CA trust stores via URI and SMIMEA records in the DNS. Exchanging these allows manipulating the root of trust for dependent applications.\n\n### Mitigations\n\nAt this point, the following mitigations are recommended:\n\n- When using a ValidatingResolver, ignore any Server indications of whether or not data was available (e.g. NXDOMAIN, NODATA, ...).\n- For APIs returning RRs from DNS responses, filter the RRs using an algorithm such as the one above. This includes e.g. `LookupSession.lookupAsync`.\n- Remove APIs dealing with raw DNS messages from the examples section or place a noticeable warning above.", 27965 "id": "GHSA-cfxw-4h78-h7fw", 27966 "modified": "2024-07-22T17:01:16.931359Z", 27967 "published": "2024-07-22T14:33:41Z", 27968 "references": [ 27969 { 27970 "type": "WEB", 27971 "url": "https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw" 27972 }, 27973 { 27974 "type": "ADVISORY", 27975 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25638" 27976 }, 27977 { 27978 "type": "WEB", 27979 "url": "https://github.com/dnsjava/dnsjava/commit/bc51df1c455e6c9fb7cbd42fcb6d62d16047818d" 27980 }, 27981 { 27982 "type": "PACKAGE", 27983 "url": "https://github.com/dnsjava/dnsjava" 27984 } 27985 ], 27986 "schema_version": "1.6.0", 27987 "severity": [ 27988 { 27989 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L", 27990 "type": "CVSS_V3" 27991 }, 27992 { 27993 "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:L", 27994 "type": "CVSS_V4" 27995 } 27996 ], 27997 "summary": "DNSJava DNSSEC Bypass" 27998 }, 27999 { 28000 "affected": [ 
28001 { 28002 "database_specific": { 28003 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-crjg-w57m-rqqf/GHSA-crjg-w57m-rqqf.json" 28004 }, 28005 "package": { 28006 "ecosystem": "Maven", 28007 "name": "dnsjava:dnsjava", 28008 "purl": "pkg:maven/dnsjava/dnsjava" 28009 }, 28010 "ranges": [ 28011 { 28012 "events": [ 28013 { 28014 "introduced": "0" 28015 }, 28016 { 28017 "fixed": "3.6.0" 28018 } 28019 ], 28020 "type": "ECOSYSTEM" 28021 } 28022 ], 28023 "versions": [ 28024 "1.2.3", 28025 "1.3.2", 28026 "2.0.1", 28027 "2.0.6", 28028 "2.0.7", 28029 "2.0.8", 28030 "2.1.0", 28031 "2.1.1", 28032 "2.1.6", 28033 "2.1.7", 28034 "2.1.8", 28035 "2.1.9", 28036 "3.0.0", 28037 "3.0.0-next.1", 28038 "3.0.1", 28039 "3.0.2", 28040 "3.1.0", 28041 "3.2.0", 28042 "3.2.1", 28043 "3.2.2", 28044 "3.3.0", 28045 "3.3.1", 28046 "3.4.0", 28047 "3.4.1", 28048 "3.4.2", 28049 "3.4.3", 28050 "3.5.0", 28051 "3.5.1", 28052 "3.5.2", 28053 "3.5.3" 28054 ] 28055 } 28056 ], 28057 "database_specific": { 28058 "cwe_ids": [ 28059 "CWE-770" 28060 ], 28061 "github_reviewed": true, 28062 "github_reviewed_at": "2024-07-22T17:30:19Z", 28063 "nvd_published_at": null, 28064 "severity": "MODERATE" 28065 }, 28066 "details": "### Impact\nUsers using the `ValidatingResolver` for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.\n\n### Patches\nUsers should upgrade to dnsjava v3.6.0\n\n### Workarounds\nAlthough not recommended, only using a non-validating resolver, will remove the vulnerability. 
\n\n### References\nhttps://www.athene-center.de/en/keytrap\n", 28067 "id": "GHSA-crjg-w57m-rqqf", 28068 "modified": "2024-07-22T17:46:34.452296Z", 28069 "published": "2024-07-22T17:30:19Z", 28070 "references": [ 28071 { 28072 "type": "WEB", 28073 "url": "https://github.com/dnsjava/dnsjava/security/advisories/GHSA-crjg-w57m-rqqf" 28074 }, 28075 { 28076 "type": "WEB", 28077 "url": "https://github.com/dnsjava/dnsjava/commit/07ac36a11578cc1bce0cd8ddf2fe568f062aee78" 28078 }, 28079 { 28080 "type": "WEB", 28081 "url": "https://github.com/dnsjava/dnsjava/commit/3ddc45ce8cdb5c2274e10b7401416f497694e1cf" 28082 }, 28083 { 28084 "type": "PACKAGE", 28085 "url": "https://github.com/dnsjava/dnsjava" 28086 } 28087 ], 28088 "schema_version": "1.6.0", 28089 "severity": [ 28090 { 28091 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", 28092 "type": "CVSS_V3" 28093 }, 28094 { 28095 "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", 28096 "type": "CVSS_V4" 28097 } 28098 ], 28099 "summary": "DNSJava vulnerable to KeyTrap - Denial-of-Service Algorithmic Complexity Attacks" 28100 }, 28101 { 28102 "affected": [ 28103 { 28104 "database_specific": { 28105 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-mmwx-rj87-vfgr/GHSA-mmwx-rj87-vfgr.json" 28106 }, 28107 "package": { 28108 "ecosystem": "Maven", 28109 "name": "dnsjava:dnsjava", 28110 "purl": "pkg:maven/dnsjava/dnsjava" 28111 }, 28112 "ranges": [ 28113 { 28114 "events": [ 28115 { 28116 "introduced": "0" 28117 }, 28118 { 28119 "fixed": "3.6.0" 28120 } 28121 ], 28122 "type": "ECOSYSTEM" 28123 } 28124 ], 28125 "versions": [ 28126 "1.2.3", 28127 "1.3.2", 28128 "2.0.1", 28129 "2.0.6", 28130 "2.0.7", 28131 "2.0.8", 28132 "2.1.0", 28133 "2.1.1", 28134 "2.1.6", 28135 "2.1.7", 28136 "2.1.8", 28137 "2.1.9", 28138 "3.0.0", 28139 "3.0.0-next.1", 28140 "3.0.1", 28141 "3.0.2", 28142 "3.1.0", 28143 "3.2.0", 28144 "3.2.1", 28145 "3.2.2", 28146 "3.3.0", 28147 "3.3.1", 
28148 "3.4.0", 28149 "3.4.1", 28150 "3.4.2", 28151 "3.4.3", 28152 "3.5.0", 28153 "3.5.1", 28154 "3.5.2", 28155 "3.5.3" 28156 ] 28157 } 28158 ], 28159 "database_specific": { 28160 "cwe_ids": [ 28161 "CWE-400" 28162 ], 28163 "github_reviewed": true, 28164 "github_reviewed_at": "2024-07-22T14:46:59Z", 28165 "nvd_published_at": null, 28166 "severity": "MODERATE" 28167 }, 28168 "details": "### Impact\nUsers using the `ValidatingResolver` for DNSSEC validation can run into CPU exhaustion with specially crafted DNSSEC-signed zones.\n\n### Patches\nUsers should upgrade to dnsjava v3.6.0\n\n### Workarounds\nAlthough not recommended, only using a non-validating resolver, will remove the vulnerability.\n\n### References\nhttps://www.athene-center.de/en/keytrap\n", 28169 "id": "GHSA-mmwx-rj87-vfgr", 28170 "modified": "2024-07-22T16:02:02.286045Z", 28171 "published": "2024-07-22T14:46:59Z", 28172 "references": [ 28173 { 28174 "type": "WEB", 28175 "url": "https://github.com/dnsjava/dnsjava/security/advisories/GHSA-mmwx-rj87-vfgr" 28176 }, 28177 { 28178 "type": "WEB", 28179 "url": "https://github.com/dnsjava/dnsjava/commit/711af79be3214f52daa5c846b95766dc0a075116" 28180 }, 28181 { 28182 "type": "PACKAGE", 28183 "url": "https://github.com/dnsjava/dnsjava" 28184 } 28185 ], 28186 "schema_version": "1.6.0", 28187 "severity": [ 28188 { 28189 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", 28190 "type": "CVSS_V3" 28191 }, 28192 { 28193 "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", 28194 "type": "CVSS_V4" 28195 } 28196 ], 28197 "summary": "DNSJava affected by KeyTrap - NSEC3 closest encloser proof can exhaust CPU resources" 28198 }, 28199 { 28200 "affected": [ 28201 { 28202 "database_specific": { 28203 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6pcc-3rfx-4gpm/GHSA-6pcc-3rfx-4gpm.json" 28204 }, 28205 "package": { 28206 "ecosystem": "Maven", 28207 "name": "org.dom4j:dom4j", 28208 "purl": 
"pkg:maven/org.dom4j/dom4j" 28209 }, 28210 "ranges": [ 28211 { 28212 "events": [ 28213 { 28214 "introduced": "0" 28215 }, 28216 { 28217 "fixed": "2.0.3" 28218 } 28219 ], 28220 "type": "ECOSYSTEM" 28221 } 28222 ], 28223 "versions": [ 28224 "2.0.0", 28225 "2.0.0-RC1", 28226 "2.0.1", 28227 "2.0.2" 28228 ] 28229 }, 28230 { 28231 "database_specific": { 28232 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6pcc-3rfx-4gpm/GHSA-6pcc-3rfx-4gpm.json" 28233 }, 28234 "package": { 28235 "ecosystem": "Maven", 28236 "name": "org.dom4j:dom4j", 28237 "purl": "pkg:maven/org.dom4j/dom4j" 28238 }, 28239 "ranges": [ 28240 { 28241 "events": [ 28242 { 28243 "introduced": "2.1.0" 28244 }, 28245 { 28246 "fixed": "2.1.1" 28247 } 28248 ], 28249 "type": "ECOSYSTEM" 28250 } 28251 ], 28252 "versions": [ 28253 "2.1.0" 28254 ] 28255 }, 28256 { 28257 "database_specific": { 28258 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6pcc-3rfx-4gpm/GHSA-6pcc-3rfx-4gpm.json" 28259 }, 28260 "package": { 28261 "ecosystem": "Maven", 28262 "name": "dom4j:dom4j", 28263 "purl": "pkg:maven/dom4j/dom4j" 28264 }, 28265 "ranges": [ 28266 { 28267 "events": [ 28268 { 28269 "introduced": "0" 28270 }, 28271 { 28272 "last_affected": "1.6.1" 28273 } 28274 ], 28275 "type": "ECOSYSTEM" 28276 } 28277 ], 28278 "versions": [ 28279 "1.1", 28280 "1.3", 28281 "1.4", 28282 "1.4-dev-2", 28283 "1.4-dev-3", 28284 "1.4-dev-4", 28285 "1.4-dev-5", 28286 "1.4-dev-6", 28287 "1.4-dev-7", 28288 "1.4-dev-8", 28289 "1.5", 28290 "1.5-beta-2", 28291 "1.5-rc1", 28292 "1.5.1", 28293 "1.5.2", 28294 "1.6", 28295 "1.6.1" 28296 ] 28297 } 28298 ], 28299 "aliases": [ 28300 "CVE-2018-1000632" 28301 ], 28302 "database_specific": { 28303 "cwe_ids": [ 28304 "CWE-91" 28305 ], 28306 "github_reviewed": true, 28307 "github_reviewed_at": "2020-06-16T21:19:56Z", 28308 "nvd_published_at": "2018-08-20T19:31:00Z", 28309 "severity": "HIGH" 28310 }, 28311 
"details": "dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.\n\nNote: This advisory applies to `dom4j:dom4j` version 1.x legacy artifacts. To resolve this a change to the latest version of `org.dom4j:dom4j` is recommended.", 28312 "id": "GHSA-6pcc-3rfx-4gpm", 28313 "modified": "2024-03-14T05:33:05.821277Z", 28314 "published": "2018-10-16T17:01:25Z", 28315 "references": [ 28316 { 28317 "type": "ADVISORY", 28318 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000632" 28319 }, 28320 { 28321 "type": "WEB", 28322 "url": "https://github.com/dom4j/dom4j/issues/48" 28323 }, 28324 { 28325 "type": "WEB", 28326 "url": "https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387" 28327 }, 28328 { 28329 "type": "WEB", 28330 "url": "https://github.com/dom4j/dom4j/commit/c2a99d7dee8ce7a4e5bef134bb781a6672bd8a0f" 28331 }, 28332 { 28333 "type": "WEB", 28334 "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" 28335 }, 28336 { 28337 "type": "WEB", 28338 "url": "https://lists.apache.org/thread.html/7e9e78f0e4288fac6591992836d2a80d4df19161e54bd71ab4b8e458@%3Cdev.maven.apache.org%3E" 28339 }, 28340 { 28341 "type": "WEB", 28342 "url": "https://lists.apache.org/thread.html/7f6e120e6ed473f4e00dde4c398fc6698eb383bd7857d20513e989ce@%3Cdev.maven.apache.org%3E" 28343 }, 28344 { 28345 "type": "WEB", 28346 "url": "https://lists.apache.org/thread.html/9d4c1af6f702c3d6d6f229de57112ddccac8ce44446a01b7937ab9e0@%3Ccommits.maven.apache.org%3E" 28347 }, 28348 { 28349 "type": "WEB", 28350 "url": 
"https://lists.apache.org/thread.html/d7d960b2778e35ec9b4d40c8efd468c7ce7163bcf6489b633491c89f@%3Cdev.maven.apache.org%3E" 28351 }, 28352 { 28353 "type": "WEB", 28354 "url": "https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E" 28355 }, 28356 { 28357 "type": "WEB", 28358 "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00028.html" 28359 }, 28360 { 28361 "type": "WEB", 28362 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOOVVCRQE6ATFD2JM2EMDXOQXTRIVZGP" 28363 }, 28364 { 28365 "type": "WEB", 28366 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJULAHVR3I5SX7OSMXAG75IMNSAYOXGA" 28367 }, 28368 { 28369 "type": "WEB", 28370 "url": "https://security.netapp.com/advisory/ntap-20190530-0001" 28371 }, 28372 { 28373 "type": "WEB", 28374 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 28375 }, 28376 { 28377 "type": "WEB", 28378 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 28379 }, 28380 { 28381 "type": "WEB", 28382 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 28383 }, 28384 { 28385 "type": "WEB", 28386 "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" 28387 }, 28388 { 28389 "type": "WEB", 28390 "url": "https://lists.apache.org/thread.html/5a020ecaa3c701f408f612f7ba2ee37a021644c4a39da2079ed3ddbc@%3Ccommits.maven.apache.org%3E" 28391 }, 28392 { 28393 "type": "WEB", 28394 "url": "https://lists.apache.org/thread.html/4a77652531d62299a30815cf5f233af183425db8e3c9a824a814e768@%3Cdev.maven.apache.org%3E" 28395 }, 28396 { 28397 "type": "WEB", 28398 "url": "https://lists.apache.org/thread.html/00571f362a7a2470fba50a31282c65637c40d2e21ebe6ee535a4ed74@%3Ccommits.maven.apache.org%3E" 28399 }, 28400 { 28401 "type": "WEB", 28402 "url": "https://ihacktoprotect.com/post/dom4j-xml-injection" 28403 
}, 28404 { 28405 "type": "WEB", 28406 "url": "https://github.com/dom4j/dom4j" 28407 }, 28408 { 28409 "type": "ADVISORY", 28410 "url": "https://github.com/advisories/GHSA-6pcc-3rfx-4gpm" 28411 }, 28412 { 28413 "type": "WEB", 28414 "url": "https://access.redhat.com/errata/RHSA-2019:3172" 28415 }, 28416 { 28417 "type": "WEB", 28418 "url": "https://access.redhat.com/errata/RHSA-2019:1162" 28419 }, 28420 { 28421 "type": "WEB", 28422 "url": "https://access.redhat.com/errata/RHSA-2019:1161" 28423 }, 28424 { 28425 "type": "WEB", 28426 "url": "https://access.redhat.com/errata/RHSA-2019:1160" 28427 }, 28428 { 28429 "type": "WEB", 28430 "url": "https://access.redhat.com/errata/RHSA-2019:1159" 28431 }, 28432 { 28433 "type": "WEB", 28434 "url": "https://access.redhat.com/errata/RHSA-2019:0380" 28435 }, 28436 { 28437 "type": "WEB", 28438 "url": "https://access.redhat.com/errata/RHSA-2019:0365" 28439 }, 28440 { 28441 "type": "WEB", 28442 "url": "https://access.redhat.com/errata/RHSA-2019:0364" 28443 }, 28444 { 28445 "type": "WEB", 28446 "url": "https://access.redhat.com/errata/RHSA-2019:0362" 28447 } 28448 ], 28449 "schema_version": "1.6.0", 28450 "severity": [ 28451 { 28452 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 28453 "type": "CVSS_V3" 28454 } 28455 ], 28456 "summary": "Dom4j contains a XML Injection vulnerability" 28457 }, 28458 { 28459 "affected": [ 28460 { 28461 "database_specific": { 28462 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-hwj3-m3p6-hj38/GHSA-hwj3-m3p6-hj38.json" 28463 }, 28464 "package": { 28465 "ecosystem": "Maven", 28466 "name": "org.dom4j:dom4j", 28467 "purl": "pkg:maven/org.dom4j/dom4j" 28468 }, 28469 "ranges": [ 28470 { 28471 "events": [ 28472 { 28473 "introduced": "0" 28474 }, 28475 { 28476 "fixed": "2.0.3" 28477 } 28478 ], 28479 "type": "ECOSYSTEM" 28480 } 28481 ], 28482 "versions": [ 28483 "2.0.0", 28484 "2.0.0-RC1", 28485 "2.0.1", 28486 "2.0.2" 28487 ] 28488 }, 28489 { 28490 
"database_specific": { 28491 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-hwj3-m3p6-hj38/GHSA-hwj3-m3p6-hj38.json" 28492 }, 28493 "package": { 28494 "ecosystem": "Maven", 28495 "name": "org.dom4j:dom4j", 28496 "purl": "pkg:maven/org.dom4j/dom4j" 28497 }, 28498 "ranges": [ 28499 { 28500 "events": [ 28501 { 28502 "introduced": "2.1.0" 28503 }, 28504 { 28505 "fixed": "2.1.3" 28506 } 28507 ], 28508 "type": "ECOSYSTEM" 28509 } 28510 ], 28511 "versions": [ 28512 "2.1.0", 28513 "2.1.1" 28514 ] 28515 }, 28516 { 28517 "database_specific": { 28518 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-hwj3-m3p6-hj38/GHSA-hwj3-m3p6-hj38.json" 28519 }, 28520 "package": { 28521 "ecosystem": "Maven", 28522 "name": "dom4j:dom4j", 28523 "purl": "pkg:maven/dom4j/dom4j" 28524 }, 28525 "ranges": [ 28526 { 28527 "events": [ 28528 { 28529 "introduced": "0" 28530 }, 28531 { 28532 "last_affected": "1.6.1" 28533 } 28534 ], 28535 "type": "ECOSYSTEM" 28536 } 28537 ], 28538 "versions": [ 28539 "1.1", 28540 "1.3", 28541 "1.4", 28542 "1.4-dev-2", 28543 "1.4-dev-3", 28544 "1.4-dev-4", 28545 "1.4-dev-5", 28546 "1.4-dev-6", 28547 "1.4-dev-7", 28548 "1.4-dev-8", 28549 "1.5", 28550 "1.5-beta-2", 28551 "1.5-rc1", 28552 "1.5.1", 28553 "1.5.2", 28554 "1.6", 28555 "1.6.1" 28556 ] 28557 } 28558 ], 28559 "aliases": [ 28560 "CVE-2020-10683" 28561 ], 28562 "database_specific": { 28563 "cwe_ids": [ 28564 "CWE-611" 28565 ], 28566 "github_reviewed": true, 28567 "github_reviewed_at": "2020-06-04T19:38:22Z", 28568 "nvd_published_at": "2020-05-01T19:15:00Z", 28569 "severity": "CRITICAL" 28570 }, 28571 "details": "dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. 
However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.\n\nNote: This advisory applies to `dom4j:dom4j` version 1.x legacy artifacts. To resolve this a change to the latest version of `org.dom4j:dom4j` is recommended.", 28572 "id": "GHSA-hwj3-m3p6-hj38", 28573 "modified": "2024-03-08T05:17:29.315551Z", 28574 "published": "2020-06-05T16:13:36Z", 28575 "references": [ 28576 { 28577 "type": "ADVISORY", 28578 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10683" 28579 }, 28580 { 28581 "type": "WEB", 28582 "url": "https://github.com/dom4j/dom4j/issues/87" 28583 }, 28584 { 28585 "type": "WEB", 28586 "url": "https://github.com/dom4j/dom4j/commit/1707bf3d898a8ada3b213acb0e3b38f16eaae73d" 28587 }, 28588 { 28589 "type": "WEB", 28590 "url": "https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658" 28591 }, 28592 { 28593 "type": "WEB", 28594 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 28595 }, 28596 { 28597 "type": "WEB", 28598 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 28599 }, 28600 { 28601 "type": "WEB", 28602 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 28603 }, 28604 { 28605 "type": "WEB", 28606 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 28607 }, 28608 { 28609 "type": "WEB", 28610 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 28611 }, 28612 { 28613 "type": "WEB", 28614 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 28615 }, 28616 { 28617 "type": "WEB", 28618 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 28619 }, 28620 { 28621 "type": "WEB", 28622 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 28623 }, 28624 { 28625 "type": "WEB", 28626 "url": "https://usn.ubuntu.com/4575-1" 28627 }, 28628 { 28629 "type": "WEB", 28630 "url": "https://security.netapp.com/advisory/ntap-20200518-0002" 28631 }, 28632 { 28633 
"type": "WEB", 28634 "url": "https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3Cnotifications.freemarker.apache.org%3E" 28635 }, 28636 { 28637 "type": "WEB", 28638 "url": "https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32@%3Cdev.velocity.apache.org%3E" 28639 }, 28640 { 28641 "type": "WEB", 28642 "url": "https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8@%3Cdev.velocity.apache.org%3E" 28643 }, 28644 { 28645 "type": "WEB", 28646 "url": "https://github.com/dom4j/dom4j/releases/tag/version-2.1.3" 28647 }, 28648 { 28649 "type": "WEB", 28650 "url": "https://github.com/dom4j/dom4j/commits/version-2.0.3" 28651 }, 28652 { 28653 "type": "PACKAGE", 28654 "url": "https://github.com/dom4j/dom4j" 28655 }, 28656 { 28657 "type": "WEB", 28658 "url": "https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html" 28659 }, 28660 { 28661 "type": "WEB", 28662 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235" 28663 }, 28664 { 28665 "type": "WEB", 28666 "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html" 28667 } 28668 ], 28669 "schema_version": "1.6.0", 28670 "severity": [ 28671 { 28672 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 28673 "type": "CVSS_V3" 28674 } 28675 ], 28676 "summary": "dom4j allows External Entities by default which might enable XXE attacks" 28677 }, 28678 { 28679 "affected": [ 28680 { 28681 "database_specific": { 28682 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-2fqw-684c-pvp7/GHSA-2fqw-684c-pvp7.json" 28683 }, 28684 "package": { 28685 "ecosystem": "Maven", 28686 "name": "io.atomix:atomix", 28687 "purl": "pkg:maven/io.atomix/atomix" 28688 }, 28689 "ranges": [ 28690 { 28691 "events": [ 28692 { 28693 "introduced": "0" 28694 }, 28695 { 28696 "last_affected": "3.1.5" 28697 } 28698 ], 28699 
"type": "ECOSYSTEM" 28700 } 28701 ], 28702 "versions": [ 28703 "0.1.0-beta1", 28704 "0.1.0-beta2", 28705 "0.1.0-beta3", 28706 "0.1.0-beta4", 28707 "0.1.0-beta5", 28708 "1.0.0", 28709 "1.0.0-rc1", 28710 "1.0.0-rc2", 28711 "1.0.0-rc3", 28712 "1.0.0-rc4", 28713 "1.0.0-rc5", 28714 "1.0.0-rc6", 28715 "1.0.0-rc7", 28716 "1.0.0-rc8", 28717 "1.0.0-rc9", 28718 "1.0.1", 28719 "1.0.1-rc1", 28720 "1.0.2", 28721 "1.0.3", 28722 "1.0.4", 28723 "1.0.5", 28724 "1.0.6", 28725 "1.0.7", 28726 "1.0.8", 28727 "2.0.0", 28728 "2.0.0-alpha1", 28729 "2.0.0-raft-beta1", 28730 "2.0.0-raft-final", 28731 "2.0.1", 28732 "2.0.10", 28733 "2.0.11", 28734 "2.0.12", 28735 "2.0.13", 28736 "2.0.14", 28737 "2.0.15", 28738 "2.0.16", 28739 "2.0.17", 28740 "2.0.18", 28741 "2.0.19", 28742 "2.0.2", 28743 "2.0.20", 28744 "2.0.21", 28745 "2.0.22", 28746 "2.0.23", 28747 "2.0.24", 28748 "2.0.25", 28749 "2.0.26", 28750 "2.0.27", 28751 "2.0.28", 28752 "2.0.29", 28753 "2.0.3", 28754 "2.0.30", 28755 "2.0.4", 28756 "2.0.5", 28757 "2.0.6", 28758 "2.0.7", 28759 "2.0.8", 28760 "2.0.9", 28761 "2.1.0-beta1", 28762 "2.1.0-beta2", 28763 "2.1.0-beta3", 28764 "3.0.0", 28765 "3.0.0-rc1", 28766 "3.0.0-rc10", 28767 "3.0.0-rc11", 28768 "3.0.0-rc12", 28769 "3.0.0-rc3", 28770 "3.0.0-rc4", 28771 "3.0.0-rc5", 28772 "3.0.0-rc6", 28773 "3.0.0-rc7", 28774 "3.0.0-rc8", 28775 "3.0.0-rc9", 28776 "3.0.1", 28777 "3.0.10", 28778 "3.0.11", 28779 "3.0.2", 28780 "3.0.3", 28781 "3.0.4", 28782 "3.0.5", 28783 "3.0.6", 28784 "3.0.7", 28785 "3.0.8", 28786 "3.0.9", 28787 "3.1.0", 28788 "3.1.0-beta1", 28789 "3.1.0-beta2", 28790 "3.1.0-beta3", 28791 "3.1.0-beta4", 28792 "3.1.0-rc1", 28793 "3.1.0-rc2", 28794 "3.1.1", 28795 "3.1.2", 28796 "3.1.3", 28797 "3.1.4", 28798 "3.1.5" 28799 ] 28800 } 28801 ], 28802 "aliases": [ 28803 "CVE-2020-35213" 28804 ], 28805 "database_specific": { 28806 "cwe_ids": [ 28807 "CWE-74" 28808 ], 28809 "github_reviewed": true, 28810 "github_reviewed_at": "2021-12-17T18:42:16Z", 28811 "nvd_published_at": "2021-12-16T20:15:00Z", 
28812 "severity": "HIGH" 28813 }, 28814 "details": "An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false link event messages sent to a master ONOS node.", 28815 "id": "GHSA-2fqw-684c-pvp7", 28816 "modified": "2023-11-08T04:03:32.892349Z", 28817 "published": "2021-12-17T20:40:50Z", 28818 "references": [ 28819 { 28820 "type": "ADVISORY", 28821 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35213" 28822 }, 28823 { 28824 "type": "WEB", 28825 "url": "https://docs.google.com/presentation/d/1i8tVVGE8z9Rtl9UTwktOJpkZwT4kBVLgIk307qMiw_8/edit?usp=sharing" 28826 }, 28827 { 28828 "type": "PACKAGE", 28829 "url": "https://github.com/atomix/atomix" 28830 } 28831 ], 28832 "schema_version": "1.6.0", 28833 "severity": [ 28834 { 28835 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", 28836 "type": "CVSS_V3" 28837 } 28838 ], 28839 "summary": "An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false link event messages sent to a master ONOS node." 
28840 }, 28841 { 28842 "affected": [ 28843 { 28844 "database_specific": { 28845 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-4jhc-wjr3-pwh2/GHSA-4jhc-wjr3-pwh2.json" 28846 }, 28847 "package": { 28848 "ecosystem": "Maven", 28849 "name": "io.atomix:atomix", 28850 "purl": "pkg:maven/io.atomix/atomix" 28851 }, 28852 "ranges": [ 28853 { 28854 "events": [ 28855 { 28856 "introduced": "0" 28857 }, 28858 { 28859 "last_affected": "3.1.5" 28860 } 28861 ], 28862 "type": "ECOSYSTEM" 28863 } 28864 ], 28865 "versions": [ 28866 "0.1.0-beta1", 28867 "0.1.0-beta2", 28868 "0.1.0-beta3", 28869 "0.1.0-beta4", 28870 "0.1.0-beta5", 28871 "1.0.0", 28872 "1.0.0-rc1", 28873 "1.0.0-rc2", 28874 "1.0.0-rc3", 28875 "1.0.0-rc4", 28876 "1.0.0-rc5", 28877 "1.0.0-rc6", 28878 "1.0.0-rc7", 28879 "1.0.0-rc8", 28880 "1.0.0-rc9", 28881 "1.0.1", 28882 "1.0.1-rc1", 28883 "1.0.2", 28884 "1.0.3", 28885 "1.0.4", 28886 "1.0.5", 28887 "1.0.6", 28888 "1.0.7", 28889 "1.0.8", 28890 "2.0.0", 28891 "2.0.0-alpha1", 28892 "2.0.0-raft-beta1", 28893 "2.0.0-raft-final", 28894 "2.0.1", 28895 "2.0.10", 28896 "2.0.11", 28897 "2.0.12", 28898 "2.0.13", 28899 "2.0.14", 28900 "2.0.15", 28901 "2.0.16", 28902 "2.0.17", 28903 "2.0.18", 28904 "2.0.19", 28905 "2.0.2", 28906 "2.0.20", 28907 "2.0.21", 28908 "2.0.22", 28909 "2.0.23", 28910 "2.0.24", 28911 "2.0.25", 28912 "2.0.26", 28913 "2.0.27", 28914 "2.0.28", 28915 "2.0.29", 28916 "2.0.3", 28917 "2.0.30", 28918 "2.0.4", 28919 "2.0.5", 28920 "2.0.6", 28921 "2.0.7", 28922 "2.0.8", 28923 "2.0.9", 28924 "2.1.0-beta1", 28925 "2.1.0-beta2", 28926 "2.1.0-beta3", 28927 "3.0.0", 28928 "3.0.0-rc1", 28929 "3.0.0-rc10", 28930 "3.0.0-rc11", 28931 "3.0.0-rc12", 28932 "3.0.0-rc3", 28933 "3.0.0-rc4", 28934 "3.0.0-rc5", 28935 "3.0.0-rc6", 28936 "3.0.0-rc7", 28937 "3.0.0-rc8", 28938 "3.0.0-rc9", 28939 "3.0.1", 28940 "3.0.10", 28941 "3.0.11", 28942 "3.0.2", 28943 "3.0.3", 28944 "3.0.4", 28945 "3.0.5", 28946 "3.0.6", 28947 "3.0.7", 28948 
"3.0.8", 28949 "3.0.9", 28950 "3.1.0", 28951 "3.1.0-beta1", 28952 "3.1.0-beta2", 28953 "3.1.0-beta3", 28954 "3.1.0-beta4", 28955 "3.1.0-rc1", 28956 "3.1.0-rc2", 28957 "3.1.1", 28958 "3.1.2", 28959 "3.1.3", 28960 "3.1.4", 28961 "3.1.5" 28962 ] 28963 } 28964 ], 28965 "aliases": [ 28966 "CVE-2020-35211" 28967 ], 28968 "database_specific": { 28969 "cwe_ids": [], 28970 "github_reviewed": true, 28971 "github_reviewed_at": "2021-12-17T18:48:40Z", 28972 "nvd_published_at": "2021-12-16T20:15:00Z", 28973 "severity": "HIGH" 28974 }, 28975 "details": "An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node in a target cluster via manipulation of the variable terms in RaftContext.", 28976 "id": "GHSA-4jhc-wjr3-pwh2", 28977 "modified": "2023-11-08T04:03:32.831494Z", 28978 "published": "2021-12-17T20:40:38Z", 28979 "references": [ 28980 { 28981 "type": "ADVISORY", 28982 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35211" 28983 }, 28984 { 28985 "type": "WEB", 28986 "url": "https://docs.google.com/presentation/d/1C_IpRfSU-9FMezcHCFZ-qg-15JO-W36yvqcnzI8sQs8/edit?usp=sharing" 28987 }, 28988 { 28989 "type": "PACKAGE", 28990 "url": "https://github.com/atomix/atomix" 28991 } 28992 ], 28993 "schema_version": "1.6.0", 28994 "severity": [ 28995 { 28996 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 28997 "type": "CVSS_V3" 28998 } 28999 ], 29000 "summary": "An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node." 
29001 }, 29002 { 29003 "affected": [ 29004 { 29005 "database_specific": { 29006 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-6vvh-5794-vpmj/GHSA-6vvh-5794-vpmj.json" 29007 }, 29008 "package": { 29009 "ecosystem": "Maven", 29010 "name": "io.atomix:atomix", 29011 "purl": "pkg:maven/io.atomix/atomix" 29012 }, 29013 "ranges": [ 29014 { 29015 "events": [ 29016 { 29017 "introduced": "0" 29018 }, 29019 { 29020 "last_affected": "3.1.5" 29021 } 29022 ], 29023 "type": "ECOSYSTEM" 29024 } 29025 ], 29026 "versions": [ 29027 "0.1.0-beta1", 29028 "0.1.0-beta2", 29029 "0.1.0-beta3", 29030 "0.1.0-beta4", 29031 "0.1.0-beta5", 29032 "1.0.0", 29033 "1.0.0-rc1", 29034 "1.0.0-rc2", 29035 "1.0.0-rc3", 29036 "1.0.0-rc4", 29037 "1.0.0-rc5", 29038 "1.0.0-rc6", 29039 "1.0.0-rc7", 29040 "1.0.0-rc8", 29041 "1.0.0-rc9", 29042 "1.0.1", 29043 "1.0.1-rc1", 29044 "1.0.2", 29045 "1.0.3", 29046 "1.0.4", 29047 "1.0.5", 29048 "1.0.6", 29049 "1.0.7", 29050 "1.0.8", 29051 "2.0.0", 29052 "2.0.0-alpha1", 29053 "2.0.0-raft-beta1", 29054 "2.0.0-raft-final", 29055 "2.0.1", 29056 "2.0.10", 29057 "2.0.11", 29058 "2.0.12", 29059 "2.0.13", 29060 "2.0.14", 29061 "2.0.15", 29062 "2.0.16", 29063 "2.0.17", 29064 "2.0.18", 29065 "2.0.19", 29066 "2.0.2", 29067 "2.0.20", 29068 "2.0.21", 29069 "2.0.22", 29070 "2.0.23", 29071 "2.0.24", 29072 "2.0.25", 29073 "2.0.26", 29074 "2.0.27", 29075 "2.0.28", 29076 "2.0.29", 29077 "2.0.3", 29078 "2.0.30", 29079 "2.0.4", 29080 "2.0.5", 29081 "2.0.6", 29082 "2.0.7", 29083 "2.0.8", 29084 "2.0.9", 29085 "2.1.0-beta1", 29086 "2.1.0-beta2", 29087 "2.1.0-beta3", 29088 "3.0.0", 29089 "3.0.0-rc1", 29090 "3.0.0-rc10", 29091 "3.0.0-rc11", 29092 "3.0.0-rc12", 29093 "3.0.0-rc3", 29094 "3.0.0-rc4", 29095 "3.0.0-rc5", 29096 "3.0.0-rc6", 29097 "3.0.0-rc7", 29098 "3.0.0-rc8", 29099 "3.0.0-rc9", 29100 "3.0.1", 29101 "3.0.10", 29102 "3.0.11", 29103 "3.0.2", 29104 "3.0.3", 29105 "3.0.4", 29106 "3.0.5", 29107 "3.0.6", 29108 "3.0.7", 29109 
"3.0.8", 29110 "3.0.9", 29111 "3.1.0", 29112 "3.1.0-beta1", 29113 "3.1.0-beta2", 29114 "3.1.0-beta3", 29115 "3.1.0-beta4", 29116 "3.1.0-rc1", 29117 "3.1.0-rc2", 29118 "3.1.1", 29119 "3.1.2", 29120 "3.1.3", 29121 "3.1.4", 29122 "3.1.5" 29123 ] 29124 } 29125 ], 29126 "aliases": [ 29127 "CVE-2020-35216" 29128 ], 29129 "database_specific": { 29130 "cwe_ids": [ 29131 "CWE-362" 29132 ], 29133 "github_reviewed": true, 29134 "github_reviewed_at": "2021-12-17T15:12:52Z", 29135 "nvd_published_at": "2021-12-16T20:15:00Z", 29136 "severity": "MODERATE" 29137 }, 29138 "details": "An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false member down event messages.", 29139 "id": "GHSA-6vvh-5794-vpmj", 29140 "modified": "2023-11-08T04:03:33.073526Z", 29141 "published": "2021-12-17T20:40:58Z", 29142 "references": [ 29143 { 29144 "type": "ADVISORY", 29145 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35216" 29146 }, 29147 { 29148 "type": "WEB", 29149 "url": "https://docs.google.com/presentation/d/1woXwR3vciv7ltFan6LyK5vsWXmaUi8ArZonhk80Gr5U/edit?usp=sharing" 29150 }, 29151 { 29152 "type": "PACKAGE", 29153 "url": "https://github.com/atomix/atomix" 29154 } 29155 ], 29156 "schema_version": "1.6.0", 29157 "severity": [ 29158 { 29159 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", 29160 "type": "CVSS_V3" 29161 } 29162 ], 29163 "summary": "An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false member down event messages." 
29164 }, 29165 { 29166 "affected": [ 29167 { 29168 "database_specific": { 29169 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-7fr2-94h7-ccg2/GHSA-7fr2-94h7-ccg2.json" 29170 }, 29171 "package": { 29172 "ecosystem": "Maven", 29173 "name": "io.atomix:atomix", 29174 "purl": "pkg:maven/io.atomix/atomix" 29175 }, 29176 "ranges": [ 29177 { 29178 "events": [ 29179 { 29180 "introduced": "0" 29181 }, 29182 { 29183 "last_affected": "3.1.5" 29184 } 29185 ], 29186 "type": "ECOSYSTEM" 29187 } 29188 ], 29189 "versions": [ 29190 "0.1.0-beta1", 29191 "0.1.0-beta2", 29192 "0.1.0-beta3", 29193 "0.1.0-beta4", 29194 "0.1.0-beta5", 29195 "1.0.0", 29196 "1.0.0-rc1", 29197 "1.0.0-rc2", 29198 "1.0.0-rc3", 29199 "1.0.0-rc4", 29200 "1.0.0-rc5", 29201 "1.0.0-rc6", 29202 "1.0.0-rc7", 29203 "1.0.0-rc8", 29204 "1.0.0-rc9", 29205 "1.0.1", 29206 "1.0.1-rc1", 29207 "1.0.2", 29208 "1.0.3", 29209 "1.0.4", 29210 "1.0.5", 29211 "1.0.6", 29212 "1.0.7", 29213 "1.0.8", 29214 "2.0.0", 29215 "2.0.0-alpha1", 29216 "2.0.0-raft-beta1", 29217 "2.0.0-raft-final", 29218 "2.0.1", 29219 "2.0.10", 29220 "2.0.11", 29221 "2.0.12", 29222 "2.0.13", 29223 "2.0.14", 29224 "2.0.15", 29225 "2.0.16", 29226 "2.0.17", 29227 "2.0.18", 29228 "2.0.19", 29229 "2.0.2", 29230 "2.0.20", 29231 "2.0.21", 29232 "2.0.22", 29233 "2.0.23", 29234 "2.0.24", 29235 "2.0.25", 29236 "2.0.26", 29237 "2.0.27", 29238 "2.0.28", 29239 "2.0.29", 29240 "2.0.3", 29241 "2.0.30", 29242 "2.0.4", 29243 "2.0.5", 29244 "2.0.6", 29245 "2.0.7", 29246 "2.0.8", 29247 "2.0.9", 29248 "2.1.0-beta1", 29249 "2.1.0-beta2", 29250 "2.1.0-beta3", 29251 "3.0.0", 29252 "3.0.0-rc1", 29253 "3.0.0-rc10", 29254 "3.0.0-rc11", 29255 "3.0.0-rc12", 29256 "3.0.0-rc3", 29257 "3.0.0-rc4", 29258 "3.0.0-rc5", 29259 "3.0.0-rc6", 29260 "3.0.0-rc7", 29261 "3.0.0-rc8", 29262 "3.0.0-rc9", 29263 "3.0.1", 29264 "3.0.10", 29265 "3.0.11", 29266 "3.0.2", 29267 "3.0.3", 29268 "3.0.4", 29269 "3.0.5", 29270 "3.0.6", 29271 "3.0.7", 29272 
"3.0.8", 29273 "3.0.9", 29274 "3.1.0", 29275 "3.1.0-beta1", 29276 "3.1.0-beta2", 29277 "3.1.0-beta3", 29278 "3.1.0-beta4", 29279 "3.1.0-rc1", 29280 "3.1.0-rc2", 29281 "3.1.1", 29282 "3.1.2", 29283 "3.1.3", 29284 "3.1.4", 29285 "3.1.5" 29286 ] 29287 } 29288 ], 29289 "aliases": [ 29290 "CVE-2020-35209" 29291 ], 29292 "database_specific": { 29293 "cwe_ids": [], 29294 "github_reviewed": true, 29295 "github_reviewed_at": "2021-12-17T18:40:51Z", 29296 "nvd_published_at": "2021-12-16T20:15:00Z", 29297 "severity": "HIGH" 29298 }, 29299 "details": "An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to join a target cluster by providing configuration information.", 29300 "id": "GHSA-7fr2-94h7-ccg2", 29301 "modified": "2023-11-08T04:03:32.704475Z", 29302 "published": "2021-12-17T20:41:33Z", 29303 "references": [ 29304 { 29305 "type": "ADVISORY", 29306 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35209" 29307 }, 29308 { 29309 "type": "WEB", 29310 "url": "https://docs.google.com/presentation/d/1W5KU7ffh4dheR8iD54ulABImi6byAhSI-OhEKw2adRo/edit?usp=sharing" 29311 }, 29312 { 29313 "type": "PACKAGE", 29314 "url": "https://github.com/atomix/atomix" 29315 } 29316 ], 29317 "schema_version": "1.6.0", 29318 "severity": [ 29319 { 29320 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 29321 "type": "CVSS_V3" 29322 } 29323 ], 29324 "summary": "An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to join a target cluster by providing configuration information." 
29325 }, 29326 { 29327 "affected": [ 29328 { 29329 "database_specific": { 29330 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-g7p8-r2ch-4rmf/GHSA-g7p8-r2ch-4rmf.json" 29331 }, 29332 "package": { 29333 "ecosystem": "Maven", 29334 "name": "io.atomix:atomix", 29335 "purl": "pkg:maven/io.atomix/atomix" 29336 }, 29337 "ranges": [ 29338 { 29339 "events": [ 29340 { 29341 "introduced": "0" 29342 }, 29343 { 29344 "last_affected": "3.1.5" 29345 } 29346 ], 29347 "type": "ECOSYSTEM" 29348 } 29349 ], 29350 "versions": [ 29351 "0.1.0-beta1", 29352 "0.1.0-beta2", 29353 "0.1.0-beta3", 29354 "0.1.0-beta4", 29355 "0.1.0-beta5", 29356 "1.0.0", 29357 "1.0.0-rc1", 29358 "1.0.0-rc2", 29359 "1.0.0-rc3", 29360 "1.0.0-rc4", 29361 "1.0.0-rc5", 29362 "1.0.0-rc6", 29363 "1.0.0-rc7", 29364 "1.0.0-rc8", 29365 "1.0.0-rc9", 29366 "1.0.1", 29367 "1.0.1-rc1", 29368 "1.0.2", 29369 "1.0.3", 29370 "1.0.4", 29371 "1.0.5", 29372 "1.0.6", 29373 "1.0.7", 29374 "1.0.8", 29375 "2.0.0", 29376 "2.0.0-alpha1", 29377 "2.0.0-raft-beta1", 29378 "2.0.0-raft-final", 29379 "2.0.1", 29380 "2.0.10", 29381 "2.0.11", 29382 "2.0.12", 29383 "2.0.13", 29384 "2.0.14", 29385 "2.0.15", 29386 "2.0.16", 29387 "2.0.17", 29388 "2.0.18", 29389 "2.0.19", 29390 "2.0.2", 29391 "2.0.20", 29392 "2.0.21", 29393 "2.0.22", 29394 "2.0.23", 29395 "2.0.24", 29396 "2.0.25", 29397 "2.0.26", 29398 "2.0.27", 29399 "2.0.28", 29400 "2.0.29", 29401 "2.0.3", 29402 "2.0.30", 29403 "2.0.4", 29404 "2.0.5", 29405 "2.0.6", 29406 "2.0.7", 29407 "2.0.8", 29408 "2.0.9", 29409 "2.1.0-beta1", 29410 "2.1.0-beta2", 29411 "2.1.0-beta3", 29412 "3.0.0", 29413 "3.0.0-rc1", 29414 "3.0.0-rc10", 29415 "3.0.0-rc11", 29416 "3.0.0-rc12", 29417 "3.0.0-rc3", 29418 "3.0.0-rc4", 29419 "3.0.0-rc5", 29420 "3.0.0-rc6", 29421 "3.0.0-rc7", 29422 "3.0.0-rc8", 29423 "3.0.0-rc9", 29424 "3.0.1", 29425 "3.0.10", 29426 "3.0.11", 29427 "3.0.2", 29428 "3.0.3", 29429 "3.0.4", 29430 "3.0.5", 29431 "3.0.6", 29432 "3.0.7", 29433 
"3.0.8", 29434 "3.0.9", 29435 "3.1.0", 29436 "3.1.0-beta1", 29437 "3.1.0-beta2", 29438 "3.1.0-beta3", 29439 "3.1.0-beta4", 29440 "3.1.0-rc1", 29441 "3.1.0-rc2", 29442 "3.1.1", 29443 "3.1.2", 29444 "3.1.3", 29445 "3.1.4", 29446 "3.1.5" 29447 ] 29448 } 29449 ], 29450 "aliases": [ 29451 "CVE-2020-35215" 29452 ], 29453 "database_specific": { 29454 "cwe_ids": [ 29455 "CWE-668" 29456 ], 29457 "github_reviewed": true, 29458 "github_reviewed_at": "2021-12-17T19:00:58Z", 29459 "nvd_published_at": "2021-12-16T20:15:00Z", 29460 "severity": "MODERATE" 29461 }, 29462 "details": "An issue in Atomix v3.1.5 allows attackers to access sensitive information when a malicious Atomix node queries distributed variable primitives which contain the entire primitive lists that ONOS nodes use to share important states.", 29463 "id": "GHSA-g7p8-r2ch-4rmf", 29464 "modified": "2023-11-08T04:03:33.012848Z", 29465 "published": "2021-12-17T20:41:45Z", 29466 "references": [ 29467 { 29468 "type": "ADVISORY", 29469 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35215" 29470 }, 29471 { 29472 "type": "WEB", 29473 "url": "https://docs.google.com/presentation/d/1pRRLfdSUqUZ688CZ9e9AyceuXPGp9oyGj7j4bdSsBcw/edit?usp=sharing" 29474 }, 29475 { 29476 "type": "PACKAGE", 29477 "url": "https://github.com/atomix/atomix" 29478 } 29479 ], 29480 "schema_version": "1.6.0", 29481 "severity": [ 29482 { 29483 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", 29484 "type": "CVSS_V3" 29485 } 29486 ], 29487 "summary": "Malicious Atomix node queries expose sensitive information" 29488 }, 29489 { 29490 "affected": [ 29491 { 29492 "database_specific": { 29493 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-m4h3-7mc2-v295/GHSA-m4h3-7mc2-v295.json" 29494 }, 29495 "package": { 29496 "ecosystem": "Maven", 29497 "name": "io.atomix:atomix", 29498 "purl": "pkg:maven/io.atomix/atomix" 29499 }, 29500 "ranges": [ 29501 { 29502 "events": [ 29503 { 29504 "introduced": 
"0" 29505 }, 29506 { 29507 "last_affected": "3.1.5" 29508 } 29509 ], 29510 "type": "ECOSYSTEM" 29511 } 29512 ], 29513 "versions": [ 29514 "0.1.0-beta1", 29515 "0.1.0-beta2", 29516 "0.1.0-beta3", 29517 "0.1.0-beta4", 29518 "0.1.0-beta5", 29519 "1.0.0", 29520 "1.0.0-rc1", 29521 "1.0.0-rc2", 29522 "1.0.0-rc3", 29523 "1.0.0-rc4", 29524 "1.0.0-rc5", 29525 "1.0.0-rc6", 29526 "1.0.0-rc7", 29527 "1.0.0-rc8", 29528 "1.0.0-rc9", 29529 "1.0.1", 29530 "1.0.1-rc1", 29531 "1.0.2", 29532 "1.0.3", 29533 "1.0.4", 29534 "1.0.5", 29535 "1.0.6", 29536 "1.0.7", 29537 "1.0.8", 29538 "2.0.0", 29539 "2.0.0-alpha1", 29540 "2.0.0-raft-beta1", 29541 "2.0.0-raft-final", 29542 "2.0.1", 29543 "2.0.10", 29544 "2.0.11", 29545 "2.0.12", 29546 "2.0.13", 29547 "2.0.14", 29548 "2.0.15", 29549 "2.0.16", 29550 "2.0.17", 29551 "2.0.18", 29552 "2.0.19", 29553 "2.0.2", 29554 "2.0.20", 29555 "2.0.21", 29556 "2.0.22", 29557 "2.0.23", 29558 "2.0.24", 29559 "2.0.25", 29560 "2.0.26", 29561 "2.0.27", 29562 "2.0.28", 29563 "2.0.29", 29564 "2.0.3", 29565 "2.0.30", 29566 "2.0.4", 29567 "2.0.5", 29568 "2.0.6", 29569 "2.0.7", 29570 "2.0.8", 29571 "2.0.9", 29572 "2.1.0-beta1", 29573 "2.1.0-beta2", 29574 "2.1.0-beta3", 29575 "3.0.0", 29576 "3.0.0-rc1", 29577 "3.0.0-rc10", 29578 "3.0.0-rc11", 29579 "3.0.0-rc12", 29580 "3.0.0-rc3", 29581 "3.0.0-rc4", 29582 "3.0.0-rc5", 29583 "3.0.0-rc6", 29584 "3.0.0-rc7", 29585 "3.0.0-rc8", 29586 "3.0.0-rc9", 29587 "3.0.1", 29588 "3.0.10", 29589 "3.0.11", 29590 "3.0.2", 29591 "3.0.3", 29592 "3.0.4", 29593 "3.0.5", 29594 "3.0.6", 29595 "3.0.7", 29596 "3.0.8", 29597 "3.0.9", 29598 "3.1.0", 29599 "3.1.0-beta1", 29600 "3.1.0-beta2", 29601 "3.1.0-beta3", 29602 "3.1.0-beta4", 29603 "3.1.0-rc1", 29604 "3.1.0-rc2", 29605 "3.1.1", 29606 "3.1.2", 29607 "3.1.3", 29608 "3.1.4", 29609 "3.1.5" 29610 ] 29611 } 29612 ], 29613 "aliases": [ 29614 "CVE-2020-35214" 29615 ], 29616 "database_specific": { 29617 "cwe_ids": [], 29618 "github_reviewed": true, 29619 "github_reviewed_at": "2021-12-17T19:11:26Z", 
29620 "nvd_published_at": "2021-12-16T20:15:00Z", 29621 "severity": "HIGH" 29622 }, 29623 "details": "An issue in Atomix v3.1.5 allows a malicious Atomix node to remove state from ONOS storage by abusing primitive operations.", 29624 "id": "GHSA-m4h3-7mc2-v295", 29625 "modified": "2023-11-08T04:03:32.952486Z", 29626 "published": "2021-12-17T20:41:21Z", 29627 "references": [ 29628 { 29629 "type": "ADVISORY", 29630 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35214" 29631 }, 29632 { 29633 "type": "WEB", 29634 "url": "https://docs.google.com/presentation/d/1wJi4QJko5ZCdADuzmAG9ed-nQLyJVkLBJf6cylAL71A/edit?usp=sharing" 29635 }, 29636 { 29637 "type": "PACKAGE", 29638 "url": "https://github.com/atomix/atomix" 29639 } 29640 ], 29641 "schema_version": "1.6.0", 29642 "severity": [ 29643 { 29644 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", 29645 "type": "CVSS_V3" 29646 } 29647 ], 29648 "summary": "An issue in Atomix v3.1.5 allows a malicious Atomix node to remove state from ONOS storage by abusing primitive operations." 
29649 }, 29650 { 29651 "affected": [ 29652 { 29653 "database_specific": { 29654 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-mf27-wg66-m8f5/GHSA-mf27-wg66-m8f5.json" 29655 }, 29656 "package": { 29657 "ecosystem": "Maven", 29658 "name": "io.atomix:atomix", 29659 "purl": "pkg:maven/io.atomix/atomix" 29660 }, 29661 "ranges": [ 29662 { 29663 "events": [ 29664 { 29665 "introduced": "0" 29666 }, 29667 { 29668 "last_affected": "3.1.5" 29669 } 29670 ], 29671 "type": "ECOSYSTEM" 29672 } 29673 ], 29674 "versions": [ 29675 "0.1.0-beta1", 29676 "0.1.0-beta2", 29677 "0.1.0-beta3", 29678 "0.1.0-beta4", 29679 "0.1.0-beta5", 29680 "1.0.0", 29681 "1.0.0-rc1", 29682 "1.0.0-rc2", 29683 "1.0.0-rc3", 29684 "1.0.0-rc4", 29685 "1.0.0-rc5", 29686 "1.0.0-rc6", 29687 "1.0.0-rc7", 29688 "1.0.0-rc8", 29689 "1.0.0-rc9", 29690 "1.0.1", 29691 "1.0.1-rc1", 29692 "1.0.2", 29693 "1.0.3", 29694 "1.0.4", 29695 "1.0.5", 29696 "1.0.6", 29697 "1.0.7", 29698 "1.0.8", 29699 "2.0.0", 29700 "2.0.0-alpha1", 29701 "2.0.0-raft-beta1", 29702 "2.0.0-raft-final", 29703 "2.0.1", 29704 "2.0.10", 29705 "2.0.11", 29706 "2.0.12", 29707 "2.0.13", 29708 "2.0.14", 29709 "2.0.15", 29710 "2.0.16", 29711 "2.0.17", 29712 "2.0.18", 29713 "2.0.19", 29714 "2.0.2", 29715 "2.0.20", 29716 "2.0.21", 29717 "2.0.22", 29718 "2.0.23", 29719 "2.0.24", 29720 "2.0.25", 29721 "2.0.26", 29722 "2.0.27", 29723 "2.0.28", 29724 "2.0.29", 29725 "2.0.3", 29726 "2.0.30", 29727 "2.0.4", 29728 "2.0.5", 29729 "2.0.6", 29730 "2.0.7", 29731 "2.0.8", 29732 "2.0.9", 29733 "2.1.0-beta1", 29734 "2.1.0-beta2", 29735 "2.1.0-beta3", 29736 "3.0.0", 29737 "3.0.0-rc1", 29738 "3.0.0-rc10", 29739 "3.0.0-rc11", 29740 "3.0.0-rc12", 29741 "3.0.0-rc3", 29742 "3.0.0-rc4", 29743 "3.0.0-rc5", 29744 "3.0.0-rc6", 29745 "3.0.0-rc7", 29746 "3.0.0-rc8", 29747 "3.0.0-rc9", 29748 "3.0.1", 29749 "3.0.10", 29750 "3.0.11", 29751 "3.0.2", 29752 "3.0.3", 29753 "3.0.4", 29754 "3.0.5", 29755 "3.0.6", 29756 "3.0.7", 29757 
"3.0.8", 29758 "3.0.9", 29759 "3.1.0", 29760 "3.1.0-beta1", 29761 "3.1.0-beta2", 29762 "3.1.0-beta3", 29763 "3.1.0-beta4", 29764 "3.1.0-rc1", 29765 "3.1.0-rc2", 29766 "3.1.1", 29767 "3.1.2", 29768 "3.1.3", 29769 "3.1.4", 29770 "3.1.5" 29771 ] 29772 } 29773 ], 29774 "aliases": [ 29775 "CVE-2020-35210" 29776 ], 29777 "database_specific": { 29778 "cwe_ids": [ 29779 "CWE-400" 29780 ], 29781 "github_reviewed": true, 29782 "github_reviewed_at": "2021-12-17T17:20:09Z", 29783 "nvd_published_at": "2021-12-16T20:15:00Z", 29784 "severity": "MODERATE" 29785 }, 29786 "details": "A vulnerability in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via a Raft session flooding attack using Raft OpenSessionRequest messages.", 29787 "id": "GHSA-mf27-wg66-m8f5", 29788 "modified": "2023-11-08T04:03:32.770438Z", 29789 "published": "2021-12-17T20:41:09Z", 29790 "references": [ 29791 { 29792 "type": "ADVISORY", 29793 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35210" 29794 }, 29795 { 29796 "type": "WEB", 29797 "url": "https://docs.google.com/presentation/d/1eZznIciFI06_5UJrXvlLugH2-nmjfYpQO5NyNMc9RxU/edit?usp=sharing" 29798 }, 29799 { 29800 "type": "PACKAGE", 29801 "url": "https://github.com/atomix/atomix" 29802 } 29803 ], 29804 "schema_version": "1.6.0", 29805 "severity": [ 29806 { 29807 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", 29808 "type": "CVSS_V3" 29809 } 29810 ], 29811 "summary": "A vulnerability in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via a Raft session flooding attack using Raft OpenSessionRequest messages." 
29812 }, 29813 { 29814 "affected": [ 29815 { 29816 "database_specific": { 29817 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-v2xm-76pq-phcf/GHSA-v2xm-76pq-phcf.json" 29818 }, 29819 "package": { 29820 "ecosystem": "Maven", 29821 "name": "io.github.classgraph:classgraph", 29822 "purl": "pkg:maven/io.github.classgraph/classgraph" 29823 }, 29824 "ranges": [ 29825 { 29826 "events": [ 29827 { 29828 "introduced": "0" 29829 }, 29830 { 29831 "fixed": "4.8.112" 29832 } 29833 ], 29834 "type": "ECOSYSTEM" 29835 } 29836 ], 29837 "versions": [ 29838 "4.0.0", 29839 "4.0.0-beta-11", 29840 "4.0.0-beta-12", 29841 "4.0.1", 29842 "4.0.2", 29843 "4.0.3", 29844 "4.0.4", 29845 "4.0.5", 29846 "4.0.6", 29847 "4.0.7", 29848 "4.1.0", 29849 "4.1.1", 29850 "4.1.2", 29851 "4.1.3", 29852 "4.1.4", 29853 "4.1.5", 29854 "4.1.6", 29855 "4.1.7", 29856 "4.2.0", 29857 "4.2.1", 29858 "4.2.10", 29859 "4.2.11", 29860 "4.2.12", 29861 "4.2.2", 29862 "4.2.3", 29863 "4.2.4", 29864 "4.2.5", 29865 "4.2.6", 29866 "4.2.7", 29867 "4.2.8", 29868 "4.2.9", 29869 "4.3.0", 29870 "4.3.1", 29871 "4.4.0", 29872 "4.4.1", 29873 "4.4.10", 29874 "4.4.11", 29875 "4.4.12", 29876 "4.4.2", 29877 "4.4.3", 29878 "4.4.4", 29879 "4.4.5", 29880 "4.4.6", 29881 "4.4.7", 29882 "4.4.8", 29883 "4.4.9", 29884 "4.6.0", 29885 "4.6.1", 29886 "4.6.10", 29887 "4.6.11", 29888 "4.6.12", 29889 "4.6.13", 29890 "4.6.14", 29891 "4.6.15", 29892 "4.6.16", 29893 "4.6.17", 29894 "4.6.18", 29895 "4.6.19", 29896 "4.6.2", 29897 "4.6.20", 29898 "4.6.21", 29899 "4.6.22", 29900 "4.6.23", 29901 "4.6.24", 29902 "4.6.25", 29903 "4.6.26", 29904 "4.6.27", 29905 "4.6.28", 29906 "4.6.29", 29907 "4.6.3", 29908 "4.6.30", 29909 "4.6.31", 29910 "4.6.32", 29911 "4.6.4", 29912 "4.6.5", 29913 "4.6.6", 29914 "4.6.7", 29915 "4.6.8", 29916 "4.6.9", 29917 "4.8.0", 29918 "4.8.1", 29919 "4.8.10", 29920 "4.8.100", 29921 "4.8.101", 29922 "4.8.102", 29923 "4.8.103", 29924 "4.8.104", 29925 "4.8.105", 29926 "4.8.106", 29927 
"4.8.107", 29928 "4.8.108", 29929 "4.8.109", 29930 "4.8.11", 29931 "4.8.110", 29932 "4.8.111", 29933 "4.8.12", 29934 "4.8.13", 29935 "4.8.14", 29936 "4.8.15", 29937 "4.8.16", 29938 "4.8.17", 29939 "4.8.19", 29940 "4.8.2", 29941 "4.8.20", 29942 "4.8.21", 29943 "4.8.22", 29944 "4.8.23", 29945 "4.8.24", 29946 "4.8.25", 29947 "4.8.26", 29948 "4.8.27", 29949 "4.8.28", 29950 "4.8.29", 29951 "4.8.3", 29952 "4.8.30", 29953 "4.8.31", 29954 "4.8.32", 29955 "4.8.33", 29956 "4.8.34", 29957 "4.8.35", 29958 "4.8.36", 29959 "4.8.37", 29960 "4.8.38", 29961 "4.8.39", 29962 "4.8.4", 29963 "4.8.40", 29964 "4.8.41", 29965 "4.8.42", 29966 "4.8.43", 29967 "4.8.44", 29968 "4.8.45", 29969 "4.8.46", 29970 "4.8.47", 29971 "4.8.48", 29972 "4.8.49", 29973 "4.8.5", 29974 "4.8.50", 29975 "4.8.51", 29976 "4.8.52", 29977 "4.8.53", 29978 "4.8.54", 29979 "4.8.55", 29980 "4.8.56", 29981 "4.8.57", 29982 "4.8.58", 29983 "4.8.59", 29984 "4.8.6", 29985 "4.8.60", 29986 "4.8.61", 29987 "4.8.62", 29988 "4.8.63", 29989 "4.8.64", 29990 "4.8.65", 29991 "4.8.66", 29992 "4.8.67", 29993 "4.8.68", 29994 "4.8.69", 29995 "4.8.7", 29996 "4.8.70", 29997 "4.8.71", 29998 "4.8.72", 29999 "4.8.73", 30000 "4.8.74", 30001 "4.8.75", 30002 "4.8.76", 30003 "4.8.77", 30004 "4.8.78", 30005 "4.8.79", 30006 "4.8.8", 30007 "4.8.80", 30008 "4.8.81", 30009 "4.8.82", 30010 "4.8.83", 30011 "4.8.84", 30012 "4.8.85", 30013 "4.8.86", 30014 "4.8.87", 30015 "4.8.88", 30016 "4.8.89", 30017 "4.8.9", 30018 "4.8.90", 30019 "4.8.91", 30020 "4.8.92", 30021 "4.8.93", 30022 "4.8.94", 30023 "4.8.95", 30024 "4.8.96", 30025 "4.8.97", 30026 "4.8.98" 30027 ] 30028 } 30029 ], 30030 "aliases": [ 30031 "CVE-2021-47621" 30032 ], 30033 "database_specific": { 30034 "cwe_ids": [ 30035 "CWE-611" 30036 ], 30037 "github_reviewed": true, 30038 "github_reviewed_at": "2024-06-21T15:06:26Z", 30039 "nvd_published_at": "2024-06-21T06:15:10Z", 30040 "severity": "MODERATE" 30041 }, 30042 "details": "ClassGraph before 4.8.112 was not resistant to XML eXternal Entity 
(XXE) attacks.", 30043 "id": "GHSA-v2xm-76pq-phcf", 30044 "modified": "2024-06-25T02:34:01.955562Z", 30045 "published": "2024-06-21T06:31:12Z", 30046 "references": [ 30047 { 30048 "type": "ADVISORY", 30049 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47621" 30050 }, 30051 { 30052 "type": "WEB", 30053 "url": "https://github.com/classgraph/classgraph/pull/539" 30054 }, 30055 { 30056 "type": "WEB", 30057 "url": "https://github.com/classgraph/classgraph/commit/681362ad6b0b9d9abaffb2e07099ce54d7a41fa3" 30058 }, 30059 { 30060 "type": "WEB", 30061 "url": "https://docs.r3.com/en/platform/corda/4.8/enterprise/release-notes-enterprise.html" 30062 }, 30063 { 30064 "type": "PACKAGE", 30065 "url": "https://github.com/classgraph/classgraph" 30066 }, 30067 { 30068 "type": "WEB", 30069 "url": "https://github.com/classgraph/classgraph/releases/tag/classgraph-4.8.112" 30070 } 30071 ], 30072 "schema_version": "1.6.0", 30073 "severity": [ 30074 { 30075 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", 30076 "type": "CVSS_V3" 30077 }, 30078 { 30079 "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", 30080 "type": "CVSS_V4" 30081 } 30082 ], 30083 "summary": "ClassGraph XML External Entity Reference" 30084 }, 30085 { 30086 "affected": [ 30087 { 30088 "database_specific": { 30089 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-5mcr-gq6c-3hq2/GHSA-5mcr-gq6c-3hq2.json" 30090 }, 30091 "package": { 30092 "ecosystem": "Maven", 30093 "name": "io.netty:netty-codec-http", 30094 "purl": "pkg:maven/io.netty/netty-codec-http" 30095 }, 30096 "ranges": [ 30097 { 30098 "events": [ 30099 { 30100 "introduced": "4.0.0" 30101 }, 30102 { 30103 "fixed": "4.1.59.Final" 30104 } 30105 ], 30106 "type": "ECOSYSTEM" 30107 } 30108 ], 30109 "versions": [ 30110 "4.0.0.Final", 30111 "4.0.1.Final", 30112 "4.0.10.Final", 30113 "4.0.11.Final", 30114 "4.0.12.Final", 30115 "4.0.13.Final", 30116 "4.0.14.Beta1", 30117 "4.0.14.Final", 
30118 "4.0.15.Final", 30119 "4.0.16.Final", 30120 "4.0.17.Final", 30121 "4.0.18.Final", 30122 "4.0.19.Final", 30123 "4.0.2.Final", 30124 "4.0.20.Final", 30125 "4.0.21.Final", 30126 "4.0.22.Final", 30127 "4.0.23.Final", 30128 "4.0.24.Final", 30129 "4.0.25.Final", 30130 "4.0.26.Final", 30131 "4.0.27.Final", 30132 "4.0.28.Final", 30133 "4.0.29.Final", 30134 "4.0.3.Final", 30135 "4.0.30.Final", 30136 "4.0.31.Final", 30137 "4.0.32.Final", 30138 "4.0.33.Final", 30139 "4.0.34.Final", 30140 "4.0.35.Final", 30141 "4.0.36.Final", 30142 "4.0.37.Final", 30143 "4.0.38.Final", 30144 "4.0.39.Final", 30145 "4.0.4.Final", 30146 "4.0.40.Final", 30147 "4.0.41.Final", 30148 "4.0.42.Final", 30149 "4.0.43.Final", 30150 "4.0.44.Final", 30151 "4.0.45.Final", 30152 "4.0.46.Final", 30153 "4.0.47.Final", 30154 "4.0.48.Final", 30155 "4.0.49.Final", 30156 "4.0.5.Final", 30157 "4.0.50.Final", 30158 "4.0.51.Final", 30159 "4.0.52.Final", 30160 "4.0.53.Final", 30161 "4.0.54.Final", 30162 "4.0.55.Final", 30163 "4.0.56.Final", 30164 "4.0.6.Final", 30165 "4.0.7.Final", 30166 "4.0.8.Final", 30167 "4.0.9.Final", 30168 "4.1.0.Beta1", 30169 "4.1.0.Beta2", 30170 "4.1.0.Beta3", 30171 "4.1.0.Beta4", 30172 "4.1.0.Beta5", 30173 "4.1.0.Beta6", 30174 "4.1.0.Beta7", 30175 "4.1.0.Beta8", 30176 "4.1.0.CR1", 30177 "4.1.0.CR2", 30178 "4.1.0.CR3", 30179 "4.1.0.CR4", 30180 "4.1.0.CR5", 30181 "4.1.0.CR6", 30182 "4.1.0.CR7", 30183 "4.1.0.Final", 30184 "4.1.1.Final", 30185 "4.1.10.Final", 30186 "4.1.11.Final", 30187 "4.1.12.Final", 30188 "4.1.13.Final", 30189 "4.1.14.Final", 30190 "4.1.15.Final", 30191 "4.1.16.Final", 30192 "4.1.17.Final", 30193 "4.1.18.Final", 30194 "4.1.19.Final", 30195 "4.1.2.Final", 30196 "4.1.20.Final", 30197 "4.1.21.Final", 30198 "4.1.22.Final", 30199 "4.1.23.Final", 30200 "4.1.24.Final", 30201 "4.1.25.Final", 30202 "4.1.26.Final", 30203 "4.1.27.Final", 30204 "4.1.28.Final", 30205 "4.1.29.Final", 30206 "4.1.3.Final", 30207 "4.1.30.Final", 30208 "4.1.31.Final", 30209 "4.1.32.Final", 30210 
"4.1.33.Final", 30211 "4.1.34.Final", 30212 "4.1.35.Final", 30213 "4.1.36.Final", 30214 "4.1.37.Final", 30215 "4.1.38.Final", 30216 "4.1.39.Final", 30217 "4.1.4.Final", 30218 "4.1.40.Final", 30219 "4.1.41.Final", 30220 "4.1.42.Final", 30221 "4.1.43.Final", 30222 "4.1.44.Final", 30223 "4.1.45.Final", 30224 "4.1.46.Final", 30225 "4.1.47.Final", 30226 "4.1.48.Final", 30227 "4.1.49.Final", 30228 "4.1.5.Final", 30229 "4.1.50.Final", 30230 "4.1.51.Final", 30231 "4.1.52.Final", 30232 "4.1.53.Final", 30233 "4.1.54.Final", 30234 "4.1.55.Final", 30235 "4.1.56.Final", 30236 "4.1.57.Final", 30237 "4.1.58.Final", 30238 "4.1.6.Final", 30239 "4.1.7.Final", 30240 "4.1.8.Final", 30241 "4.1.9.Final" 30242 ] 30243 }, 30244 { 30245 "database_specific": { 30246 "last_known_affected_version_range": "\u003c 4.0.0", 30247 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-5mcr-gq6c-3hq2/GHSA-5mcr-gq6c-3hq2.json" 30248 }, 30249 "package": { 30250 "ecosystem": "Maven", 30251 "name": "org.jboss.netty:netty", 30252 "purl": "pkg:maven/org.jboss.netty/netty" 30253 }, 30254 "ranges": [ 30255 { 30256 "events": [ 30257 { 30258 "introduced": "0" 30259 } 30260 ], 30261 "type": "ECOSYSTEM" 30262 } 30263 ], 30264 "versions": [ 30265 "3.0.0.CR1", 30266 "3.0.0.CR2", 30267 "3.0.0.CR3", 30268 "3.0.0.CR4", 30269 "3.0.0.CR5", 30270 "3.0.0.GA", 30271 "3.0.1.GA", 30272 "3.0.2.GA", 30273 "3.1.0.ALPHA1", 30274 "3.1.0.ALPHA2", 30275 "3.1.0.ALPHA3", 30276 "3.1.0.ALPHA4", 30277 "3.1.0.BETA1", 30278 "3.1.0.BETA2", 30279 "3.1.0.BETA3", 30280 "3.1.0.CR1", 30281 "3.1.0.GA", 30282 "3.1.1.GA", 30283 "3.1.2.GA", 30284 "3.1.3.GA", 30285 "3.1.4.GA", 30286 "3.1.5.GA", 30287 "3.2.0.ALPHA1", 30288 "3.2.0.ALPHA2", 30289 "3.2.0.ALPHA3", 30290 "3.2.0.ALPHA4", 30291 "3.2.0.BETA1", 30292 "3.2.0.CR1", 30293 "3.2.0.Final", 30294 "3.2.1.Final", 30295 "3.2.10.Final", 30296 "3.2.2.Final", 30297 "3.2.3.Final", 30298 "3.2.4.Final", 30299 "3.2.5.Final", 30300 "3.2.6.Final", 30301 
"3.2.7.Final", 30302 "3.2.8.Final", 30303 "3.2.9.Final" 30304 ] 30305 }, 30306 { 30307 "database_specific": { 30308 "last_known_affected_version_range": "\u003c 4.0.0", 30309 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-5mcr-gq6c-3hq2/GHSA-5mcr-gq6c-3hq2.json" 30310 }, 30311 "package": { 30312 "ecosystem": "Maven", 30313 "name": "io.netty:netty", 30314 "purl": "pkg:maven/io.netty/netty" 30315 }, 30316 "ranges": [ 30317 { 30318 "events": [ 30319 { 30320 "introduced": "0" 30321 } 30322 ], 30323 "type": "ECOSYSTEM" 30324 } 30325 ], 30326 "versions": [ 30327 "3.10.0.Final", 30328 "3.10.1.Final", 30329 "3.10.2.Final", 30330 "3.10.3.Final", 30331 "3.10.4.Final", 30332 "3.10.5.Final", 30333 "3.10.6.Final", 30334 "3.3.0.Final", 30335 "3.3.1.Final", 30336 "3.4.0.Alpha1", 30337 "3.4.0.Alpha2", 30338 "3.4.0.Beta1", 30339 "3.4.0.Final", 30340 "3.4.1.Final", 30341 "3.4.2.Final", 30342 "3.4.3.Final", 30343 "3.4.4.Final", 30344 "3.4.5.Final", 30345 "3.4.6.Final", 30346 "3.5.0.Beta1", 30347 "3.5.0.Final", 30348 "3.5.1.Final", 30349 "3.5.10.Final", 30350 "3.5.11.Final", 30351 "3.5.12.Final", 30352 "3.5.13.Final", 30353 "3.5.2.Final", 30354 "3.5.3.Final", 30355 "3.5.4.Final", 30356 "3.5.5.Final", 30357 "3.5.6.Final", 30358 "3.5.7.Final", 30359 "3.5.8.Final", 30360 "3.5.9.Final", 30361 "3.6.0.Beta1", 30362 "3.6.0.Final", 30363 "3.6.1.Final", 30364 "3.6.10.Final", 30365 "3.6.2.Final", 30366 "3.6.3.Final", 30367 "3.6.4.Final", 30368 "3.6.5.Final", 30369 "3.6.6.Final", 30370 "3.6.7.Final", 30371 "3.6.8.Final", 30372 "3.6.9.Final", 30373 "3.7.0.Final", 30374 "3.7.1.Final", 30375 "3.8.0.Final", 30376 "3.8.1.Final", 30377 "3.8.2.Final", 30378 "3.8.3.Final", 30379 "3.9.0.Final", 30380 "3.9.1.1.Final", 30381 "3.9.1.Final", 30382 "3.9.2.Final", 30383 "3.9.3.Final", 30384 "3.9.4.Final", 30385 "3.9.5.Final", 30386 "3.9.6.Final", 30387 "3.9.7.Final", 30388 "3.9.8.Final", 30389 "3.9.9.Final", 30390 "4.0.0.Alpha1", 30391 "4.0.0.Alpha2", 
30392 "4.0.0.Alpha3", 30393 "4.0.0.Alpha4", 30394 "4.0.0.Alpha5", 30395 "4.0.0.Alpha6", 30396 "4.0.0.Alpha7", 30397 "4.0.0.Alpha8" 30398 ] 30399 } 30400 ], 30401 "aliases": [ 30402 "CVE-2021-21290", 30403 "CVE-2022-24823", 30404 "GHSA-269q-hmxg-m83q" 30405 ], 30406 "database_specific": { 30407 "cwe_ids": [ 30408 "CWE-378", 30409 "CWE-379", 30410 "CWE-668" 30411 ], 30412 "github_reviewed": true, 30413 "github_reviewed_at": "2021-02-08T20:07:45Z", 30414 "nvd_published_at": "2021-02-08T20:15:00Z", 30415 "severity": "MODERATE" 30416 }, 30417 "details": "### Impact\n\nWhen netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled.\n\nThe CVSSv3.1 score of this vulnerability is calculated to be a [6.2/10](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\u0026version=3.1)\n\n### Vulnerability Details\n\nOn unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems.\n\nThe method `File.createTempFile` on unix-like systems creates a random file, but, by default will create this file with the permissions `-rw-r--r--`. 
Thus, if sensitive information is written to this file, other local users can read this information.\n\nThis is the case in netty's `AbstractDiskHttpData` is vulnerable.\n\nhttps://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java#L80-L101\n\n`AbstractDiskHttpData` is used as a part of the `DefaultHttpDataFactory` class which is used by `HttpPostRequestDecoder` / `HttpPostMultiPartRequestDecoder`.\n\nYou may be affected by this vulnerability your project contains the following code patterns:\n\n```java\nchannelPipeline.addLast(new HttpPostRequestDecoder(...));\n```\n\n```java\nchannelPipeline.addLast(new HttpPostMultiPartRequestDecoder(...));\n```\n\n### Patches\n\nThis has been patched in version `4.1.59.Final`.\n\n### Workarounds\n\nSpecify your own `java.io.tmpdir` when you start the JVM or use `DefaultHttpDataFactory.setBaseDir(...)` to set the directory to something that is only readable by the current user.\n\n### References\n\n - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\n\n### Similar Vulnerabilities\n\nSimilar, but not the same.\n\n - JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\n - Google Guava - https://github.com/google/guava/issues/4011\n - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945\n - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [netty](https://github.com/netty/netty)\n* Email us [here](mailto:netty-security@googlegroups.com)\n\n### Original Report\n\n\u003e Hi Netty Security Team,\n\u003e \n\u003e I've been working on some security research leveraging 
custom CodeQL queries to detect local information disclosure vulnerabilities in java applications. This was the result from running this query against the netty project:\n\u003e https://lgtm.com/query/7723301787255288599/\n\u003e \n\u003e Netty contains three local information disclosure vulnerabilities, so far as I can tell.\n\u003e \n\u003e One is here, where the private key for the certificate is written to a temporary file.\n\u003e \n\u003e https://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java#L316-L346\n\u003e \n\u003e One is here, where the certificate is written to a temporary file.\n\u003e \n\u003e https://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java#L348-L371\n\u003e \n\u003e The final one is here, where the 'AbstractDiskHttpData' creates a temporary file if the getBaseDirectory() method returns null. I believe that 'AbstractDiskHttpData' is used as a part of the file upload support? If this is the case, any files uploaded would be similarly vulnerable.\n\u003e \n\u003e https://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java#L91\n\u003e \n\u003e All of these vulnerabilities exist because `File.createTempFile(String, String)` will create a temporary file in the system temporary directory if the 'java.io.tmpdir' system property is not explicitly set. It is my understanding that when java creates a file, by default, and using this method, the permissions on that file utilize the umask. 
In a majority of cases, this means that the file that java creates has the permissions: `-rw-r--r--`, thus, any other local user on that system can read the contents of that file.\n\u003e \n\u003e Impacted OS:\n\u003e - Any OS where the system temporary directory is shared between multiple users. This is not the case for MacOS or Windows.\n\u003e \n\u003e Mitigation.\n\u003e \n\u003e Moving to the `Files` API instead will fix this vulnerability. \n\u003e https://docs.oracle.com/javase/8/docs/api/java/nio/file/Files.html#createTempFile-java.nio.file.Path-java.lang.String-java.lang.String-java.nio.file.attribute.FileAttribute...-\n\u003e \n\u003e This API will explicitly set the posix file permissions to something safe, by default.\n\u003e \n\u003e I recently disclosed a similar vulnerability in JUnit 4:\n\u003e https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\n\u003e \n\u003e If you're also curious, this vulnerability in Jetty was also mine, also involving temporary directories, but is not the same vulnerability as in this case.\n\u003e https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6\n\u003e \n\u003e I would appreciate it if we could perform disclosure of this vulnerability leveraging the GitHub security advisories feature here. GitHub has a nice credit system that I appreciate, plus the disclosures, as you can see from the sampling above, end up looking very nice.\n\u003e https://github.com/netty/netty/security/advisories\n\u003e \n\u003e This vulnerability disclosure follows Google's [90-day vulnerability disclosure policy](https://www.google.com/about/appsecurity/) (I'm not an employee of Google, I just like their policy). 
Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first.\n\u003e \n\u003e Cheers,\n\u003e Jonathan Leitschuh", 30418 "id": "GHSA-5mcr-gq6c-3hq2", 30419 "modified": "2024-08-01T07:56:47.8225Z", 30420 "published": "2021-02-08T21:17:48Z", 30421 "references": [ 30422 { 30423 "type": "WEB", 30424 "url": "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2" 30425 }, 30426 { 30427 "type": "ADVISORY", 30428 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21290" 30429 }, 30430 { 30431 "type": "WEB", 30432 "url": "https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec" 30433 }, 30434 { 30435 "type": "PACKAGE", 30436 "url": "https://github.com/netty/netty" 30437 }, 30438 { 30439 "type": "WEB", 30440 "url": "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E" 30441 }, 30442 { 30443 "type": "WEB", 30444 "url": "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E" 30445 }, 30446 { 30447 "type": "WEB", 30448 "url": "https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013@%3Cjira.kafka.apache.org%3E" 30449 }, 30450 { 30451 "type": "WEB", 30452 "url": "https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e@%3Cjira.kafka.apache.org%3E" 30453 }, 30454 { 30455 "type": "WEB", 30456 "url": "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E" 30457 }, 30458 { 30459 "type": "WEB", 30460 "url": "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E" 30461 }, 30462 { 30463 "type": "WEB", 30464 "url": 
"https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E" 30465 }, 30466 { 30467 "type": "WEB", 30468 "url": "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E" 30469 }, 30470 { 30471 "type": "WEB", 30472 "url": "https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb@%3Cjira.kafka.apache.org%3E" 30473 }, 30474 { 30475 "type": "WEB", 30476 "url": "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E" 30477 }, 30478 { 30479 "type": "WEB", 30480 "url": "https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18@%3Cjira.kafka.apache.org%3E" 30481 }, 30482 { 30483 "type": "WEB", 30484 "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html" 30485 }, 30486 { 30487 "type": "WEB", 30488 "url": "https://security.netapp.com/advisory/ntap-20220210-0011" 30489 }, 30490 { 30491 "type": "WEB", 30492 "url": "https://www.debian.org/security/2021/dsa-4885" 30493 }, 30494 { 30495 "type": "WEB", 30496 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 30497 }, 30498 { 30499 "type": "WEB", 30500 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 30501 }, 30502 { 30503 "type": "WEB", 30504 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 30505 }, 30506 { 30507 "type": "WEB", 30508 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 30509 }, 30510 { 30511 "type": "WEB", 30512 "url": "https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05@%3Cdev.kafka.apache.org%3E" 30513 }, 30514 { 30515 "type": "WEB", 30516 "url": "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E" 30517 }, 30518 { 30519 "type": "WEB", 
30520 "url": "https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5@%3Cjira.kafka.apache.org%3E" 30521 }, 30522 { 30523 "type": "WEB", 30524 "url": "https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b@%3Cjira.kafka.apache.org%3E" 30525 }, 30526 { 30527 "type": "WEB", 30528 "url": "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E" 30529 }, 30530 { 30531 "type": "WEB", 30532 "url": "https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4@%3Cdev.kafka.apache.org%3E" 30533 }, 30534 { 30535 "type": "WEB", 30536 "url": "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E" 30537 }, 30538 { 30539 "type": "WEB", 30540 "url": "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059@%3Cjira.kafka.apache.org%3E" 30541 }, 30542 { 30543 "type": "WEB", 30544 "url": "https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b@%3Cdev.kafka.apache.org%3E" 30545 }, 30546 { 30547 "type": "WEB", 30548 "url": "https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020@%3Cdev.tinkerpop.apache.org%3E" 30549 }, 30550 { 30551 "type": "WEB", 30552 "url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E" 30553 }, 30554 { 30555 "type": "WEB", 30556 "url": "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E" 30557 }, 30558 { 30559 "type": "WEB", 30560 "url": "https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b@%3Cissues.zookeeper.apache.org%3E" 30561 }, 30562 { 30563 "type": "WEB", 30564 "url": 
"https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29@%3Cusers.activemq.apache.org%3E" 30565 }, 30566 { 30567 "type": "WEB", 30568 "url": "https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214@%3Ccommits.kafka.apache.org%3E" 30569 }, 30570 { 30571 "type": "WEB", 30572 "url": "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E" 30573 }, 30574 { 30575 "type": "WEB", 30576 "url": "https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f@%3Ccommits.kafka.apache.org%3E" 30577 }, 30578 { 30579 "type": "WEB", 30580 "url": "https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12@%3Cdev.zookeeper.apache.org%3E" 30581 }, 30582 { 30583 "type": "WEB", 30584 "url": "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E" 30585 } 30586 ], 30587 "schema_version": "1.6.0", 30588 "severity": [ 30589 { 30590 "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 30591 "type": "CVSS_V3" 30592 } 30593 ], 30594 "summary": "Local Information Disclosure Vulnerability in Netty on Unix-Like systems" 30595 }, 30596 { 30597 "affected": [ 30598 { 30599 "database_specific": { 30600 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json" 30601 }, 30602 "package": { 30603 "ecosystem": "Maven", 30604 "name": "io.netty:netty", 30605 "purl": "pkg:maven/io.netty/netty" 30606 }, 30607 "ranges": [ 30608 { 30609 "events": [ 30610 { 30611 "introduced": "3.6.0.Beta1" 30612 }, 30613 { 30614 "fixed": "3.6.9.Final" 30615 } 30616 ], 30617 "type": "ECOSYSTEM" 30618 } 30619 ], 30620 "versions": [ 30621 "3.6.0.Beta1", 30622 "3.6.0.Final", 30623 "3.6.1.Final", 30624 "3.6.2.Final", 30625 "3.6.3.Final", 30626 
"3.6.4.Final", 30627 "3.6.5.Final", 30628 "3.6.6.Final", 30629 "3.6.7.Final", 30630 "3.6.8.Final" 30631 ] 30632 }, 30633 { 30634 "database_specific": { 30635 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json" 30636 }, 30637 "package": { 30638 "ecosystem": "Maven", 30639 "name": "io.netty:netty", 30640 "purl": "pkg:maven/io.netty/netty" 30641 }, 30642 "ranges": [ 30643 { 30644 "events": [ 30645 { 30646 "introduced": "3.7.0.Final" 30647 }, 30648 { 30649 "fixed": "3.7.1.Final" 30650 } 30651 ], 30652 "type": "ECOSYSTEM" 30653 } 30654 ], 30655 "versions": [ 30656 "3.7.0.Final" 30657 ] 30658 }, 30659 { 30660 "database_specific": { 30661 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json" 30662 }, 30663 "package": { 30664 "ecosystem": "Maven", 30665 "name": "io.netty:netty", 30666 "purl": "pkg:maven/io.netty/netty" 30667 }, 30668 "ranges": [ 30669 { 30670 "events": [ 30671 { 30672 "introduced": "3.8.0.Final" 30673 }, 30674 { 30675 "fixed": "3.8.2.Final" 30676 } 30677 ], 30678 "type": "ECOSYSTEM" 30679 } 30680 ], 30681 "versions": [ 30682 "3.8.0.Final", 30683 "3.8.1.Final" 30684 ] 30685 }, 30686 { 30687 "database_specific": { 30688 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json" 30689 }, 30690 "package": { 30691 "ecosystem": "Maven", 30692 "name": "io.netty:netty", 30693 "purl": "pkg:maven/io.netty/netty" 30694 }, 30695 "ranges": [ 30696 { 30697 "events": [ 30698 { 30699 "introduced": "3.9.0.Final" 30700 }, 30701 { 30702 "fixed": "3.9.1.Final" 30703 } 30704 ], 30705 "type": "ECOSYSTEM" 30706 } 30707 ], 30708 "versions": [ 30709 "3.9.0.Final" 30710 ] 30711 }, 30712 { 30713 "database_specific": { 30714 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json" 30715 }, 30716 "package": { 30717 "ecosystem": "Maven", 30718 "name": "io.netty:netty", 30719 "purl": "pkg:maven/io.netty/netty" 30720 }, 30721 "ranges": [ 30722 { 30723 "events": [ 30724 { 30725 "introduced": "4.0.0.Alpha1" 30726 }, 30727 { 30728 "fixed": "4.0.19.Final" 30729 } 30730 ], 30731 "type": "ECOSYSTEM" 30732 } 30733 ], 30734 "versions": [ 30735 "4.0.0.Alpha1", 30736 "4.0.0.Alpha2", 30737 "4.0.0.Alpha3", 30738 "4.0.0.Alpha4", 30739 "4.0.0.Alpha5", 30740 "4.0.0.Alpha6", 30741 "4.0.0.Alpha7", 30742 "4.0.0.Alpha8" 30743 ] 30744 }, 30745 { 30746 "database_specific": { 30747 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json" 30748 }, 30749 "package": { 30750 "ecosystem": "Maven", 30751 "name": "io.netty:netty-all", 30752 "purl": "pkg:maven/io.netty/netty-all" 30753 }, 30754 "ranges": [ 30755 { 30756 "events": [ 30757 { 30758 "introduced": "4.0.0.Alpha1" 30759 }, 30760 { 30761 "fixed": "4.0.19.Final" 30762 } 30763 ], 30764 "type": "ECOSYSTEM" 30765 } 30766 ], 30767 "versions": [ 30768 "4.0.0.Beta1", 30769 "4.0.0.Beta2", 30770 "4.0.0.Beta3", 30771 "4.0.0.CR1", 30772 "4.0.0.CR2", 30773 "4.0.0.CR3", 30774 "4.0.0.CR4", 30775 "4.0.0.CR5", 30776 "4.0.0.CR6", 30777 "4.0.0.CR7", 30778 "4.0.0.CR8", 30779 "4.0.0.CR9", 30780 "4.0.0.Final", 30781 "4.0.1.Final", 30782 "4.0.10.Final", 30783 "4.0.11.Final", 30784 "4.0.12.Final", 30785 "4.0.13.Final", 30786 "4.0.14.Beta1", 30787 "4.0.14.Final", 30788 "4.0.15.Final", 30789 "4.0.16.Final", 30790 "4.0.17.Final", 30791 "4.0.18.Final", 30792 "4.0.2.Final", 30793 "4.0.3.Final", 30794 "4.0.4.Final", 30795 "4.0.5.Final", 30796 "4.0.6.Final", 30797 "4.0.7.Final", 30798 "4.0.8.Final", 30799 "4.0.9.Final" 30800 ] 30801 } 30802 ], 30803 "aliases": [ 30804 "CVE-2014-0193" 30805 ], 30806 "database_specific": { 
30807 "cwe_ids": [], 30808 "github_reviewed": true, 30809 "github_reviewed_at": "2023-08-07T20:25:36Z", 30810 "nvd_published_at": "2014-05-06T14:55:00Z", 30811 "severity": "MODERATE" 30812 }, 30813 "details": "`WebSocket08FrameDecoder` in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a `TextWebSocketFrame` followed by a long stream of `ContinuationWebSocketFrames`.", 30814 "id": "GHSA-7vpq-g998-qpv7", 30815 "modified": "2024-04-16T16:16:02.819787Z", 30816 "published": "2022-05-13T01:54:02Z", 30817 "references": [ 30818 { 30819 "type": "ADVISORY", 30820 "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0193" 30821 }, 30822 { 30823 "type": "WEB", 30824 "url": "https://github.com/netty/netty/issues/2441" 30825 }, 30826 { 30827 "type": "WEB", 30828 "url": "https://github.com/netty/netty/commit/8599ab5bdb761bb99d41a975d689f74c12e4892b" 30829 }, 30830 { 30831 "type": "PACKAGE", 30832 "url": "https://github.com/netty/netty" 30833 }, 30834 { 30835 "type": "WEB", 30836 "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E" 30837 }, 30838 { 30839 "type": "WEB", 30840 "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" 30841 }, 30842 { 30843 "type": "WEB", 30844 "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html" 30845 }, 30846 { 30847 "type": "WEB", 30848 "url": "https://web.archive.org/web/20140509033427/http://www.securityfocus.com/bid/67182" 30849 }, 30850 { 30851 "type": "WEB", 30852 "url": "https://web.archive.org/web/20140509044857/http://secunia.com/advisories/58280" 30853 }, 30854 { 30855 "type": "WEB", 30856 "url": "https://web.archive.org/web/20161119201425/http://secunia.com/advisories/59290" 30857 }, 30858 { 30859 "type": "WEB", 30860 
"url": "http://netty.io/news/2014/04/30/release-day.html" 30861 }, 30862 { 30863 "type": "WEB", 30864 "url": "http://rhn.redhat.com/errata/RHSA-2014-1019.html" 30865 }, 30866 { 30867 "type": "WEB", 30868 "url": "http://rhn.redhat.com/errata/RHSA-2014-1020.html" 30869 }, 30870 { 30871 "type": "WEB", 30872 "url": "http://rhn.redhat.com/errata/RHSA-2014-1021.html" 30873 }, 30874 { 30875 "type": "WEB", 30876 "url": "http://rhn.redhat.com/errata/RHSA-2014-1351.html" 30877 }, 30878 { 30879 "type": "WEB", 30880 "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html" 30881 }, 30882 { 30883 "type": "WEB", 30884 "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html" 30885 }, 30886 { 30887 "type": "WEB", 30888 "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html" 30889 } 30890 ], 30891 "schema_version": "1.6.0", 30892 "summary": "Netty denial of service vulnerability" 30893 }, 30894 { 30895 "affected": [ 30896 { 30897 "database_specific": { 30898 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9vjp-v76f-g363/GHSA-9vjp-v76f-g363.json" 30899 }, 30900 "package": { 30901 "ecosystem": "Maven", 30902 "name": "io.netty:netty-codec", 30903 "purl": "pkg:maven/io.netty/netty-codec" 30904 }, 30905 "ranges": [ 30906 { 30907 "events": [ 30908 { 30909 "introduced": "4.0.0" 30910 }, 30911 { 30912 "fixed": "4.1.68.Final" 30913 } 30914 ], 30915 "type": "ECOSYSTEM" 30916 } 30917 ], 30918 "versions": [ 30919 "4.0.0.Final", 30920 "4.0.1.Final", 30921 "4.0.10.Final", 30922 "4.0.11.Final", 30923 "4.0.12.Final", 30924 "4.0.13.Final", 30925 "4.0.14.Beta1", 30926 "4.0.14.Final", 30927 "4.0.15.Final", 30928 "4.0.16.Final", 30929 "4.0.17.Final", 30930 "4.0.18.Final", 30931 "4.0.19.Final", 30932 "4.0.2.Final", 30933 "4.0.20.Final", 30934 "4.0.21.Final", 30935 "4.0.22.Final", 30936 "4.0.23.Final", 30937 "4.0.24.Final", 30938 "4.0.25.Final", 30939 "4.0.26.Final", 30940 "4.0.27.Final", 30941 "4.0.28.Final", 30942 "4.0.29.Final", 30943 
"4.0.3.Final", 30944 "4.0.30.Final", 30945 "4.0.31.Final", 30946 "4.0.32.Final", 30947 "4.0.33.Final", 30948 "4.0.34.Final", 30949 "4.0.35.Final", 30950 "4.0.36.Final", 30951 "4.0.37.Final", 30952 "4.0.38.Final", 30953 "4.0.39.Final", 30954 "4.0.4.Final", 30955 "4.0.40.Final", 30956 "4.0.41.Final", 30957 "4.0.42.Final", 30958 "4.0.43.Final", 30959 "4.0.44.Final", 30960 "4.0.45.Final", 30961 "4.0.46.Final", 30962 "4.0.47.Final", 30963 "4.0.48.Final", 30964 "4.0.49.Final", 30965 "4.0.5.Final", 30966 "4.0.50.Final", 30967 "4.0.51.Final", 30968 "4.0.52.Final", 30969 "4.0.53.Final", 30970 "4.0.54.Final", 30971 "4.0.55.Final", 30972 "4.0.56.Final", 30973 "4.0.6.Final", 30974 "4.0.7.Final", 30975 "4.0.8.Final", 30976 "4.0.9.Final", 30977 "4.1.0.Beta1", 30978 "4.1.0.Beta2", 30979 "4.1.0.Beta3", 30980 "4.1.0.Beta4", 30981 "4.1.0.Beta5", 30982 "4.1.0.Beta6", 30983 "4.1.0.Beta7", 30984 "4.1.0.Beta8", 30985 "4.1.0.CR1", 30986 "4.1.0.CR2", 30987 "4.1.0.CR3", 30988 "4.1.0.CR4", 30989 "4.1.0.CR5", 30990 "4.1.0.CR6", 30991 "4.1.0.CR7", 30992 "4.1.0.Final", 30993 "4.1.1.Final", 30994 "4.1.10.Final", 30995 "4.1.11.Final", 30996 "4.1.12.Final", 30997 "4.1.13.Final", 30998 "4.1.14.Final", 30999 "4.1.15.Final", 31000 "4.1.16.Final", 31001 "4.1.17.Final", 31002 "4.1.18.Final", 31003 "4.1.19.Final", 31004 "4.1.2.Final", 31005 "4.1.20.Final", 31006 "4.1.21.Final", 31007 "4.1.22.Final", 31008 "4.1.23.Final", 31009 "4.1.24.Final", 31010 "4.1.25.Final", 31011 "4.1.26.Final", 31012 "4.1.27.Final", 31013 "4.1.28.Final", 31014 "4.1.29.Final", 31015 "4.1.3.Final", 31016 "4.1.30.Final", 31017 "4.1.31.Final", 31018 "4.1.32.Final", 31019 "4.1.33.Final", 31020 "4.1.34.Final", 31021 "4.1.35.Final", 31022 "4.1.36.Final", 31023 "4.1.37.Final", 31024 "4.1.38.Final", 31025 "4.1.39.Final", 31026 "4.1.4.Final", 31027 "4.1.40.Final", 31028 "4.1.41.Final", 31029 "4.1.42.Final", 31030 "4.1.43.Final", 31031 "4.1.44.Final", 31032 "4.1.45.Final", 31033 "4.1.46.Final", 31034 "4.1.47.Final", 31035 "4.1.48.Final", 
31036 "4.1.49.Final", 31037 "4.1.5.Final", 31038 "4.1.50.Final", 31039 "4.1.51.Final", 31040 "4.1.52.Final", 31041 "4.1.53.Final", 31042 "4.1.54.Final", 31043 "4.1.55.Final", 31044 "4.1.56.Final", 31045 "4.1.57.Final", 31046 "4.1.58.Final", 31047 "4.1.59.Final", 31048 "4.1.6.Final", 31049 "4.1.60.Final", 31050 "4.1.61.Final", 31051 "4.1.62.Final", 31052 "4.1.63.Final", 31053 "4.1.64.Final", 31054 "4.1.65.Final", 31055 "4.1.66.Final", 31056 "4.1.67.Final", 31057 "4.1.7.Final", 31058 "4.1.8.Final", 31059 "4.1.9.Final" 31060 ] 31061 }, 31062 { 31063 "database_specific": { 31064 "last_known_affected_version_range": "\u003c 4.0.0", 31065 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9vjp-v76f-g363/GHSA-9vjp-v76f-g363.json" 31066 }, 31067 "package": { 31068 "ecosystem": "Maven", 31069 "name": "org.jboss.netty:netty", 31070 "purl": "pkg:maven/org.jboss.netty/netty" 31071 }, 31072 "ranges": [ 31073 { 31074 "events": [ 31075 { 31076 "introduced": "0" 31077 } 31078 ], 31079 "type": "ECOSYSTEM" 31080 } 31081 ], 31082 "versions": [ 31083 "3.0.0.CR1", 31084 "3.0.0.CR2", 31085 "3.0.0.CR3", 31086 "3.0.0.CR4", 31087 "3.0.0.CR5", 31088 "3.0.0.GA", 31089 "3.0.1.GA", 31090 "3.0.2.GA", 31091 "3.1.0.ALPHA1", 31092 "3.1.0.ALPHA2", 31093 "3.1.0.ALPHA3", 31094 "3.1.0.ALPHA4", 31095 "3.1.0.BETA1", 31096 "3.1.0.BETA2", 31097 "3.1.0.BETA3", 31098 "3.1.0.CR1", 31099 "3.1.0.GA", 31100 "3.1.1.GA", 31101 "3.1.2.GA", 31102 "3.1.3.GA", 31103 "3.1.4.GA", 31104 "3.1.5.GA", 31105 "3.2.0.ALPHA1", 31106 "3.2.0.ALPHA2", 31107 "3.2.0.ALPHA3", 31108 "3.2.0.ALPHA4", 31109 "3.2.0.BETA1", 31110 "3.2.0.CR1", 31111 "3.2.0.Final", 31112 "3.2.1.Final", 31113 "3.2.10.Final", 31114 "3.2.2.Final", 31115 "3.2.3.Final", 31116 "3.2.4.Final", 31117 "3.2.5.Final", 31118 "3.2.6.Final", 31119 "3.2.7.Final", 31120 "3.2.8.Final", 31121 "3.2.9.Final" 31122 ] 31123 }, 31124 { 31125 "database_specific": { 31126 "last_known_affected_version_range": "\u003c 4.0.0", 31127 
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9vjp-v76f-g363/GHSA-9vjp-v76f-g363.json" 31128 }, 31129 "package": { 31130 "ecosystem": "Maven", 31131 "name": "io.netty:netty", 31132 "purl": "pkg:maven/io.netty/netty" 31133 }, 31134 "ranges": [ 31135 { 31136 "events": [ 31137 { 31138 "introduced": "0" 31139 } 31140 ], 31141 "type": "ECOSYSTEM" 31142 } 31143 ], 31144 "versions": [ 31145 "3.10.0.Final", 31146 "3.10.1.Final", 31147 "3.10.2.Final", 31148 "3.10.3.Final", 31149 "3.10.4.Final", 31150 "3.10.5.Final", 31151 "3.10.6.Final", 31152 "3.3.0.Final", 31153 "3.3.1.Final", 31154 "3.4.0.Alpha1", 31155 "3.4.0.Alpha2", 31156 "3.4.0.Beta1", 31157 "3.4.0.Final", 31158 "3.4.1.Final", 31159 "3.4.2.Final", 31160 "3.4.3.Final", 31161 "3.4.4.Final", 31162 "3.4.5.Final", 31163 "3.4.6.Final", 31164 "3.5.0.Beta1", 31165 "3.5.0.Final", 31166 "3.5.1.Final", 31167 "3.5.10.Final", 31168 "3.5.11.Final", 31169 "3.5.12.Final", 31170 "3.5.13.Final", 31171 "3.5.2.Final", 31172 "3.5.3.Final", 31173 "3.5.4.Final", 31174 "3.5.5.Final", 31175 "3.5.6.Final", 31176 "3.5.7.Final", 31177 "3.5.8.Final", 31178 "3.5.9.Final", 31179 "3.6.0.Beta1", 31180 "3.6.0.Final", 31181 "3.6.1.Final", 31182 "3.6.10.Final", 31183 "3.6.2.Final", 31184 "3.6.3.Final", 31185 "3.6.4.Final", 31186 "3.6.5.Final", 31187 "3.6.6.Final", 31188 "3.6.7.Final", 31189 "3.6.8.Final", 31190 "3.6.9.Final", 31191 "3.7.0.Final", 31192 "3.7.1.Final", 31193 "3.8.0.Final", 31194 "3.8.1.Final", 31195 "3.8.2.Final", 31196 "3.8.3.Final", 31197 "3.9.0.Final", 31198 "3.9.1.1.Final", 31199 "3.9.1.Final", 31200 "3.9.2.Final", 31201 "3.9.3.Final", 31202 "3.9.4.Final", 31203 "3.9.5.Final", 31204 "3.9.6.Final", 31205 "3.9.7.Final", 31206 "3.9.8.Final", 31207 "3.9.9.Final", 31208 "4.0.0.Alpha1", 31209 "4.0.0.Alpha2", 31210 "4.0.0.Alpha3", 31211 "4.0.0.Alpha4", 31212 "4.0.0.Alpha5", 31213 "4.0.0.Alpha6", 31214 "4.0.0.Alpha7", 31215 "4.0.0.Alpha8" 31216 ] 31217 } 31218 ], 31219 "aliases": [ 
31220 "CVE-2021-37137" 31221 ], 31222 "database_specific": { 31223 "cwe_ids": [ 31224 "CWE-400" 31225 ], 31226 "github_reviewed": true, 31227 "github_reviewed_at": "2021-09-09T14:44:10Z", 31228 "nvd_published_at": "2021-10-19T15:15:00Z", 31229 "severity": "HIGH" 31230 }, 31231 "details": "### Impact\nThe Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well.\n\nThis vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.\n\n### Impact\n\nAll users of SnappyFrameDecoder are affected and so the application may be at risk of a DoS attack due to excessive memory usage.\n\n### References\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185", 31232 "id": "GHSA-9vjp-v76f-g363", 31233 "modified": "2024-03-11T05:32:25.452063Z", 31234 "published": "2021-09-09T17:11:31Z", 31235 "references": [ 31236 { 31237 "type": "WEB", 31238 "url": "https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363" 31239 }, 31240 { 31241 "type": "ADVISORY", 31242 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137" 31243 }, 31244 { 31245 "type": "WEB", 31246 "url": "https://github.com/netty/netty/commit/6da4956b31023ae967451e1d94ff51a746a9194f" 31247 }, 31248 { 31249 "type": "WEB", 31250 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 31251 }, 31252 { 31253 "type": "WEB", 31254 "url": 
"https://www.oracle.com/security-alerts/cpujan2022.html" 31255 }, 31256 { 31257 "type": "WEB", 31258 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 31259 }, 31260 { 31261 "type": "WEB", 31262 "url": "https://www.debian.org/security/2023/dsa-5316" 31263 }, 31264 { 31265 "type": "WEB", 31266 "url": "https://security.netapp.com/advisory/ntap-20220210-0012" 31267 }, 31268 { 31269 "type": "WEB", 31270 "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html" 31271 }, 31272 { 31273 "type": "WEB", 31274 "url": "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E" 31275 }, 31276 { 31277 "type": "WEB", 31278 "url": "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E" 31279 }, 31280 { 31281 "type": "WEB", 31282 "url": "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E" 31283 }, 31284 { 31285 "type": "WEB", 31286 "url": "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E" 31287 }, 31288 { 31289 "type": "WEB", 31290 "url": "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E" 31291 }, 31292 { 31293 "type": "WEB", 31294 "url": "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E" 31295 }, 31296 { 31297 "type": "WEB", 31298 "url": "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79" 31299 }, 31300 { 31301 "type": "WEB", 31302 "url": "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185" 31303 }, 31304 { 31305 "type": "WEB", 31306 "url": 
"https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171" 31307 }, 31308 { 31309 "type": "PACKAGE", 31310 "url": "https://github.com/netty/netty" 31311 } 31312 ], 31313 "schema_version": "1.6.0", 31314 "severity": [ 31315 { 31316 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 31317 "type": "CVSS_V3" 31318 } 31319 ], 31320 "summary": "SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way" 31321 }, 31322 { 31323 "affected": [ 31324 { 31325 "database_specific": { 31326 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-cqqj-4p63-rrmm/GHSA-cqqj-4p63-rrmm.json" 31327 }, 31328 "package": { 31329 "ecosystem": "Maven", 31330 "name": "io.netty:netty-codec-http", 31331 "purl": "pkg:maven/io.netty/netty-codec-http" 31332 }, 31333 "ranges": [ 31334 { 31335 "events": [ 31336 { 31337 "introduced": "4.0.0" 31338 }, 31339 { 31340 "fixed": "4.1.44" 31341 } 31342 ], 31343 "type": "ECOSYSTEM" 31344 } 31345 ], 31346 "versions": [ 31347 "4.0.0.Final", 31348 "4.0.1.Final", 31349 "4.0.10.Final", 31350 "4.0.11.Final", 31351 "4.0.12.Final", 31352 "4.0.13.Final", 31353 "4.0.14.Beta1", 31354 "4.0.14.Final", 31355 "4.0.15.Final", 31356 "4.0.16.Final", 31357 "4.0.17.Final", 31358 "4.0.18.Final", 31359 "4.0.19.Final", 31360 "4.0.2.Final", 31361 "4.0.20.Final", 31362 "4.0.21.Final", 31363 "4.0.22.Final", 31364 "4.0.23.Final", 31365 "4.0.24.Final", 31366 "4.0.25.Final", 31367 "4.0.26.Final", 31368 "4.0.27.Final", 31369 "4.0.28.Final", 31370 "4.0.29.Final", 31371 "4.0.3.Final", 31372 "4.0.30.Final", 31373 "4.0.31.Final", 31374 "4.0.32.Final", 31375 "4.0.33.Final", 31376 "4.0.34.Final", 31377 "4.0.35.Final", 31378 "4.0.36.Final", 31379 "4.0.37.Final", 31380 "4.0.38.Final", 31381 "4.0.39.Final", 31382 "4.0.4.Final", 31383 "4.0.40.Final", 31384 "4.0.41.Final", 31385 "4.0.42.Final", 31386 "4.0.43.Final", 31387 
"4.0.44.Final", 31388 "4.0.45.Final", 31389 "4.0.46.Final", 31390 "4.0.47.Final", 31391 "4.0.48.Final", 31392 "4.0.49.Final", 31393 "4.0.5.Final", 31394 "4.0.50.Final", 31395 "4.0.51.Final", 31396 "4.0.52.Final", 31397 "4.0.53.Final", 31398 "4.0.54.Final", 31399 "4.0.55.Final", 31400 "4.0.56.Final", 31401 "4.0.6.Final", 31402 "4.0.7.Final", 31403 "4.0.8.Final", 31404 "4.0.9.Final", 31405 "4.1.0.Beta1", 31406 "4.1.0.Beta2", 31407 "4.1.0.Beta3", 31408 "4.1.0.Beta4", 31409 "4.1.0.Beta5", 31410 "4.1.0.Beta6", 31411 "4.1.0.Beta7", 31412 "4.1.0.Beta8", 31413 "4.1.0.CR1", 31414 "4.1.0.CR2", 31415 "4.1.0.CR3", 31416 "4.1.0.CR4", 31417 "4.1.0.CR5", 31418 "4.1.0.CR6", 31419 "4.1.0.CR7", 31420 "4.1.0.Final", 31421 "4.1.1.Final", 31422 "4.1.10.Final", 31423 "4.1.11.Final", 31424 "4.1.12.Final", 31425 "4.1.13.Final", 31426 "4.1.14.Final", 31427 "4.1.15.Final", 31428 "4.1.16.Final", 31429 "4.1.17.Final", 31430 "4.1.18.Final", 31431 "4.1.19.Final", 31432 "4.1.2.Final", 31433 "4.1.20.Final", 31434 "4.1.21.Final", 31435 "4.1.22.Final", 31436 "4.1.23.Final", 31437 "4.1.24.Final", 31438 "4.1.25.Final", 31439 "4.1.26.Final", 31440 "4.1.27.Final", 31441 "4.1.28.Final", 31442 "4.1.29.Final", 31443 "4.1.3.Final", 31444 "4.1.30.Final", 31445 "4.1.31.Final", 31446 "4.1.32.Final", 31447 "4.1.33.Final", 31448 "4.1.34.Final", 31449 "4.1.35.Final", 31450 "4.1.36.Final", 31451 "4.1.37.Final", 31452 "4.1.38.Final", 31453 "4.1.39.Final", 31454 "4.1.4.Final", 31455 "4.1.40.Final", 31456 "4.1.41.Final", 31457 "4.1.42.Final", 31458 "4.1.43.Final", 31459 "4.1.5.Final", 31460 "4.1.6.Final", 31461 "4.1.7.Final", 31462 "4.1.8.Final", 31463 "4.1.9.Final" 31464 ] 31465 }, 31466 { 31467 "database_specific": { 31468 "last_known_affected_version_range": "\u003c 4.0.0", 31469 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-cqqj-4p63-rrmm/GHSA-cqqj-4p63-rrmm.json" 31470 }, 31471 "package": { 31472 "ecosystem": "Maven", 31473 "name": 
"org.jboss.netty:netty", 31474 "purl": "pkg:maven/org.jboss.netty/netty" 31475 }, 31476 "ranges": [ 31477 { 31478 "events": [ 31479 { 31480 "introduced": "0" 31481 } 31482 ], 31483 "type": "ECOSYSTEM" 31484 } 31485 ], 31486 "versions": [ 31487 "3.0.0.CR1", 31488 "3.0.0.CR2", 31489 "3.0.0.CR3", 31490 "3.0.0.CR4", 31491 "3.0.0.CR5", 31492 "3.0.0.GA", 31493 "3.0.1.GA", 31494 "3.0.2.GA", 31495 "3.1.0.ALPHA1", 31496 "3.1.0.ALPHA2", 31497 "3.1.0.ALPHA3", 31498 "3.1.0.ALPHA4", 31499 "3.1.0.BETA1", 31500 "3.1.0.BETA2", 31501 "3.1.0.BETA3", 31502 "3.1.0.CR1", 31503 "3.1.0.GA", 31504 "3.1.1.GA", 31505 "3.1.2.GA", 31506 "3.1.3.GA", 31507 "3.1.4.GA", 31508 "3.1.5.GA", 31509 "3.2.0.ALPHA1", 31510 "3.2.0.ALPHA2", 31511 "3.2.0.ALPHA3", 31512 "3.2.0.ALPHA4", 31513 "3.2.0.BETA1", 31514 "3.2.0.CR1", 31515 "3.2.0.Final", 31516 "3.2.1.Final", 31517 "3.2.10.Final", 31518 "3.2.2.Final", 31519 "3.2.3.Final", 31520 "3.2.4.Final", 31521 "3.2.5.Final", 31522 "3.2.6.Final", 31523 "3.2.7.Final", 31524 "3.2.8.Final", 31525 "3.2.9.Final" 31526 ] 31527 }, 31528 { 31529 "database_specific": { 31530 "last_known_affected_version_range": "\u003c 4.0.0", 31531 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-cqqj-4p63-rrmm/GHSA-cqqj-4p63-rrmm.json" 31532 }, 31533 "package": { 31534 "ecosystem": "Maven", 31535 "name": "io.netty:netty", 31536 "purl": "pkg:maven/io.netty/netty" 31537 }, 31538 "ranges": [ 31539 { 31540 "events": [ 31541 { 31542 "introduced": "0" 31543 } 31544 ], 31545 "type": "ECOSYSTEM" 31546 } 31547 ], 31548 "versions": [ 31549 "3.10.0.Final", 31550 "3.10.1.Final", 31551 "3.10.2.Final", 31552 "3.10.3.Final", 31553 "3.10.4.Final", 31554 "3.10.5.Final", 31555 "3.10.6.Final", 31556 "3.3.0.Final", 31557 "3.3.1.Final", 31558 "3.4.0.Alpha1", 31559 "3.4.0.Alpha2", 31560 "3.4.0.Beta1", 31561 "3.4.0.Final", 31562 "3.4.1.Final", 31563 "3.4.2.Final", 31564 "3.4.3.Final", 31565 "3.4.4.Final", 31566 "3.4.5.Final", 31567 "3.4.6.Final", 31568 
"3.5.0.Beta1", 31569 "3.5.0.Final", 31570 "3.5.1.Final", 31571 "3.5.10.Final", 31572 "3.5.11.Final", 31573 "3.5.12.Final", 31574 "3.5.13.Final", 31575 "3.5.2.Final", 31576 "3.5.3.Final", 31577 "3.5.4.Final", 31578 "3.5.5.Final", 31579 "3.5.6.Final", 31580 "3.5.7.Final", 31581 "3.5.8.Final", 31582 "3.5.9.Final", 31583 "3.6.0.Beta1", 31584 "3.6.0.Final", 31585 "3.6.1.Final", 31586 "3.6.10.Final", 31587 "3.6.2.Final", 31588 "3.6.3.Final", 31589 "3.6.4.Final", 31590 "3.6.5.Final", 31591 "3.6.6.Final", 31592 "3.6.7.Final", 31593 "3.6.8.Final", 31594 "3.6.9.Final", 31595 "3.7.0.Final", 31596 "3.7.1.Final", 31597 "3.8.0.Final", 31598 "3.8.1.Final", 31599 "3.8.2.Final", 31600 "3.8.3.Final", 31601 "3.9.0.Final", 31602 "3.9.1.1.Final", 31603 "3.9.1.Final", 31604 "3.9.2.Final", 31605 "3.9.3.Final", 31606 "3.9.4.Final", 31607 "3.9.5.Final", 31608 "3.9.6.Final", 31609 "3.9.7.Final", 31610 "3.9.8.Final", 31611 "3.9.9.Final", 31612 "4.0.0.Alpha1", 31613 "4.0.0.Alpha2", 31614 "4.0.0.Alpha3", 31615 "4.0.0.Alpha4", 31616 "4.0.0.Alpha5", 31617 "4.0.0.Alpha6", 31618 "4.0.0.Alpha7", 31619 "4.0.0.Alpha8" 31620 ] 31621 } 31622 ], 31623 "aliases": [ 31624 "CVE-2019-20444" 31625 ], 31626 "database_specific": { 31627 "cwe_ids": [ 31628 "CWE-444" 31629 ], 31630 "github_reviewed": true, 31631 "github_reviewed_at": "2020-02-20T20:54:33Z", 31632 "nvd_published_at": "2020-01-29T21:15:00Z", 31633 "severity": "CRITICAL" 31634 }, 31635 "details": "HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an \"invalid fold.\"", 31636 "id": "GHSA-cqqj-4p63-rrmm", 31637 "modified": "2024-03-11T05:19:31.586438Z", 31638 "published": "2020-02-21T18:55:24Z", 31639 "references": [ 31640 { 31641 "type": "ADVISORY", 31642 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20444" 31643 }, 31644 { 31645 "type": "WEB", 31646 "url": "https://github.com/netty/netty/issues/9866" 31647 
}, 31648 { 31649 "type": "WEB", 31650 "url": "https://github.com/netty/netty/pull/9871/files#diff-e26989b9171ef22c27c9f7d80689cfb059d568c9bd10e75970d96c02d0654878" 31651 }, 31652 { 31653 "type": "WEB", 31654 "url": "https://github.com/netty/netty/pull/9871" 31655 }, 31656 { 31657 "type": "WEB", 31658 "url": "https://www.debian.org/security/2021/dsa-4885" 31659 }, 31660 { 31661 "type": "WEB", 31662 "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E" 31663 }, 31664 { 31665 "type": "WEB", 31666 "url": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E" 31667 }, 31668 { 31669 "type": "WEB", 31670 "url": "https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6@%3Ccommon-commits.hadoop.apache.org%3E" 31671 }, 31672 { 31673 "type": "WEB", 31674 "url": "https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91@%3Ccommon-issues.hadoop.apache.org%3E" 31675 }, 31676 { 31677 "type": "WEB", 31678 "url": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E" 31679 }, 31680 { 31681 "type": "WEB", 31682 "url": "https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836@%3Ccommon-issues.hadoop.apache.org%3E" 31683 }, 31684 { 31685 "type": "WEB", 31686 "url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E" 31687 }, 31688 { 31689 "type": "WEB", 31690 "url": "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E" 31691 }, 31692 { 31693 "type": "WEB", 31694 "url": 
"https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E" 31695 }, 31696 { 31697 "type": "WEB", 31698 "url": "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E" 31699 }, 31700 { 31701 "type": "WEB", 31702 "url": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E" 31703 }, 31704 { 31705 "type": "WEB", 31706 "url": "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E" 31707 }, 31708 { 31709 "type": "WEB", 31710 "url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E" 31711 }, 31712 { 31713 "type": "WEB", 31714 "url": "https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319@%3Cnotifications.zookeeper.apache.org%3E" 31715 }, 31716 { 31717 "type": "WEB", 31718 "url": "https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543@%3Ccommon-issues.hadoop.apache.org%3E" 31719 }, 31720 { 31721 "type": "WEB", 31722 "url": "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E" 31723 }, 31724 { 31725 "type": "WEB", 31726 "url": "https://usn.ubuntu.com/4532-1" 31727 }, 31728 { 31729 "type": "WEB", 31730 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46" 31731 }, 31732 { 31733 "type": "WEB", 31734 "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html" 31735 }, 31736 { 31737 "type": "WEB", 31738 "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html" 31739 }, 31740 { 31741 "type": "WEB", 31742 "url": 
"https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html" 31743 }, 31744 { 31745 "type": "WEB", 31746 "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html" 31747 }, 31748 { 31749 "type": "WEB", 31750 "url": "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E" 31751 }, 31752 { 31753 "type": "WEB", 31754 "url": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E" 31755 }, 31756 { 31757 "type": "WEB", 31758 "url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E" 31759 }, 31760 { 31761 "type": "WEB", 31762 "url": "https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41@%3Ccommon-issues.hadoop.apache.org%3E" 31763 }, 31764 { 31765 "type": "WEB", 31766 "url": "https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762@%3Ccommon-issues.hadoop.apache.org%3E" 31767 }, 31768 { 31769 "type": "WEB", 31770 "url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E" 31771 }, 31772 { 31773 "type": "WEB", 31774 "url": "https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9@%3Ccommon-issues.hadoop.apache.org%3E" 31775 }, 31776 { 31777 "type": "WEB", 31778 "url": "https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9@%3Ccommon-commits.hadoop.apache.org%3E" 31779 }, 31780 { 31781 "type": "WEB", 31782 "url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E" 31783 }, 31784 { 31785 "type": "WEB", 31786 "url": 
"https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E" 31787 }, 31788 { 31789 "type": "WEB", 31790 "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" 31791 }, 31792 { 31793 "type": "WEB", 31794 "url": "https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7@%3Cnotifications.zookeeper.apache.org%3E" 31795 }, 31796 { 31797 "type": "WEB", 31798 "url": "https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5@%3Ccommon-issues.hadoop.apache.org%3E" 31799 }, 31800 { 31801 "type": "WEB", 31802 "url": "https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e@%3Ccommits.camel.apache.org%3E" 31803 }, 31804 { 31805 "type": "WEB", 31806 "url": "https://lists.apache.org/thread.html/r059b042bca47be53ff8a51fd04d95eb01bb683f1afa209db136e8cb7@%3Cdev.zookeeper.apache.org%3E" 31807 }, 31808 { 31809 "type": "WEB", 31810 "url": "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final" 31811 }, 31812 { 31813 "type": "PACKAGE", 31814 "url": "https://github.com/netty/netty" 31815 }, 31816 { 31817 "type": "WEB", 31818 "url": "https://access.redhat.com/errata/RHSA-2020:0811" 31819 }, 31820 { 31821 "type": "WEB", 31822 "url": "https://access.redhat.com/errata/RHSA-2020:0806" 31823 }, 31824 { 31825 "type": "WEB", 31826 "url": "https://access.redhat.com/errata/RHSA-2020:0805" 31827 }, 31828 { 31829 "type": "WEB", 31830 "url": "https://access.redhat.com/errata/RHSA-2020:0804" 31831 }, 31832 { 31833 "type": "WEB", 31834 "url": "https://access.redhat.com/errata/RHSA-2020:0606" 31835 }, 31836 { 31837 "type": "WEB", 31838 "url": "https://access.redhat.com/errata/RHSA-2020:0605" 31839 }, 31840 { 31841 "type": "WEB", 31842 "url": "https://access.redhat.com/errata/RHSA-2020:0601" 31843 }, 31844 { 31845 
"type": "WEB", 31846 "url": "https://access.redhat.com/errata/RHSA-2020:0567" 31847 }, 31848 { 31849 "type": "WEB", 31850 "url": "https://access.redhat.com/errata/RHSA-2020:0497" 31851 }, 31852 { 31853 "type": "WEB", 31854 "url": "https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4@%3Ccommon-commits.hadoop.apache.org%3E" 31855 }, 31856 { 31857 "type": "WEB", 31858 "url": "https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532@%3Ccommon-issues.hadoop.apache.org%3E" 31859 }, 31860 { 31861 "type": "WEB", 31862 "url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E" 31863 }, 31864 { 31865 "type": "WEB", 31866 "url": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E" 31867 }, 31868 { 31869 "type": "WEB", 31870 "url": "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E" 31871 }, 31872 { 31873 "type": "WEB", 31874 "url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E" 31875 }, 31876 { 31877 "type": "WEB", 31878 "url": "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E" 31879 }, 31880 { 31881 "type": "WEB", 31882 "url": "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E" 31883 }, 31884 { 31885 "type": "WEB", 31886 "url": "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E" 31887 }, 31888 { 31889 "type": "WEB", 31890 "url": 
"https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E" 31891 }, 31892 { 31893 "type": "WEB", 31894 "url": "https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749@%3Cnotifications.zookeeper.apache.org%3E" 31895 }, 31896 { 31897 "type": "WEB", 31898 "url": "https://lists.apache.org/thread.html/r489886fe72a98768eed665474cba13bad8d6fe0654f24987706636c5@%3Cdev.zookeeper.apache.org%3E" 31899 }, 31900 { 31901 "type": "WEB", 31902 "url": "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E" 31903 }, 31904 { 31905 "type": "WEB", 31906 "url": "https://lists.apache.org/thread.html/r34912a9b1a5c269a77b8be94ef6fb6d1e9b3c69129719dc00f01cf0b@%3Cdev.zookeeper.apache.org%3E" 31907 }, 31908 { 31909 "type": "WEB", 31910 "url": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E" 31911 }, 31912 { 31913 "type": "WEB", 31914 "url": "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E" 31915 }, 31916 { 31917 "type": "WEB", 31918 "url": "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E" 31919 } 31920 ], 31921 "schema_version": "1.6.0", 31922 "severity": [ 31923 { 31924 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", 31925 "type": "CVSS_V3" 31926 } 31927 ], 31928 "summary": "HTTP Request Smuggling in Netty" 31929 }, 31930 { 31931 "affected": [ 31932 { 31933 "database_specific": { 31934 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-f256-j965-7f32/GHSA-f256-j965-7f32.json" 31935 }, 31936 "package": { 31937 "ecosystem": "Maven", 31938 "name": "io.netty:netty-codec-http2", 31939 "purl": 
"pkg:maven/io.netty/netty-codec-http2" 31940 }, 31941 "ranges": [ 31942 { 31943 "events": [ 31944 { 31945 "introduced": "4.0.0" 31946 }, 31947 { 31948 "fixed": "4.1.61.Final" 31949 } 31950 ], 31951 "type": "ECOSYSTEM" 31952 } 31953 ], 31954 "versions": [ 31955 "4.1.0.Beta4", 31956 "4.1.0.Beta5", 31957 "4.1.0.Beta6", 31958 "4.1.0.Beta7", 31959 "4.1.0.Beta8", 31960 "4.1.0.CR1", 31961 "4.1.0.CR2", 31962 "4.1.0.CR3", 31963 "4.1.0.CR4", 31964 "4.1.0.CR5", 31965 "4.1.0.CR6", 31966 "4.1.0.CR7", 31967 "4.1.0.Final", 31968 "4.1.1.Final", 31969 "4.1.10.Final", 31970 "4.1.11.Final", 31971 "4.1.12.Final", 31972 "4.1.13.Final", 31973 "4.1.14.Final", 31974 "4.1.15.Final", 31975 "4.1.16.Final", 31976 "4.1.17.Final", 31977 "4.1.18.Final", 31978 "4.1.19.Final", 31979 "4.1.2.Final", 31980 "4.1.20.Final", 31981 "4.1.21.Final", 31982 "4.1.22.Final", 31983 "4.1.23.Final", 31984 "4.1.24.Final", 31985 "4.1.25.Final", 31986 "4.1.26.Final", 31987 "4.1.27.Final", 31988 "4.1.28.Final", 31989 "4.1.29.Final", 31990 "4.1.3.Final", 31991 "4.1.30.Final", 31992 "4.1.31.Final", 31993 "4.1.32.Final", 31994 "4.1.33.Final", 31995 "4.1.34.Final", 31996 "4.1.35.Final", 31997 "4.1.36.Final", 31998 "4.1.37.Final", 31999 "4.1.38.Final", 32000 "4.1.39.Final", 32001 "4.1.4.Final", 32002 "4.1.40.Final", 32003 "4.1.41.Final", 32004 "4.1.42.Final", 32005 "4.1.43.Final", 32006 "4.1.44.Final", 32007 "4.1.45.Final", 32008 "4.1.46.Final", 32009 "4.1.47.Final", 32010 "4.1.48.Final", 32011 "4.1.49.Final", 32012 "4.1.5.Final", 32013 "4.1.50.Final", 32014 "4.1.51.Final", 32015 "4.1.52.Final", 32016 "4.1.53.Final", 32017 "4.1.54.Final", 32018 "4.1.55.Final", 32019 "4.1.56.Final", 32020 "4.1.57.Final", 32021 "4.1.58.Final", 32022 "4.1.59.Final", 32023 "4.1.6.Final", 32024 "4.1.60.Final", 32025 "4.1.7.Final", 32026 "4.1.8.Final", 32027 "4.1.9.Final" 32028 ] 32029 }, 32030 { 32031 "database_specific": { 32032 "last_known_affected_version_range": "\u003c 4.0.0", 32033 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-f256-j965-7f32/GHSA-f256-j965-7f32.json" 32034 }, 32035 "package": { 32036 "ecosystem": "Maven", 32037 "name": "org.jboss.netty:netty", 32038 "purl": "pkg:maven/org.jboss.netty/netty" 32039 }, 32040 "ranges": [ 32041 { 32042 "events": [ 32043 { 32044 "introduced": "0" 32045 } 32046 ], 32047 "type": "ECOSYSTEM" 32048 } 32049 ], 32050 "versions": [ 32051 "3.0.0.CR1", 32052 "3.0.0.CR2", 32053 "3.0.0.CR3", 32054 "3.0.0.CR4", 32055 "3.0.0.CR5", 32056 "3.0.0.GA", 32057 "3.0.1.GA", 32058 "3.0.2.GA", 32059 "3.1.0.ALPHA1", 32060 "3.1.0.ALPHA2", 32061 "3.1.0.ALPHA3", 32062 "3.1.0.ALPHA4", 32063 "3.1.0.BETA1", 32064 "3.1.0.BETA2", 32065 "3.1.0.BETA3", 32066 "3.1.0.CR1", 32067 "3.1.0.GA", 32068 "3.1.1.GA", 32069 "3.1.2.GA", 32070 "3.1.3.GA", 32071 "3.1.4.GA", 32072 "3.1.5.GA", 32073 "3.2.0.ALPHA1", 32074 "3.2.0.ALPHA2", 32075 "3.2.0.ALPHA3", 32076 "3.2.0.ALPHA4", 32077 "3.2.0.BETA1", 32078 "3.2.0.CR1", 32079 "3.2.0.Final", 32080 "3.2.1.Final", 32081 "3.2.10.Final", 32082 "3.2.2.Final", 32083 "3.2.3.Final", 32084 "3.2.4.Final", 32085 "3.2.5.Final", 32086 "3.2.6.Final", 32087 "3.2.7.Final", 32088 "3.2.8.Final", 32089 "3.2.9.Final" 32090 ] 32091 }, 32092 { 32093 "database_specific": { 32094 "last_known_affected_version_range": "\u003c 4.0.0", 32095 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-f256-j965-7f32/GHSA-f256-j965-7f32.json" 32096 }, 32097 "package": { 32098 "ecosystem": "Maven", 32099 "name": "io.netty:netty", 32100 "purl": "pkg:maven/io.netty/netty" 32101 }, 32102 "ranges": [ 32103 { 32104 "events": [ 32105 { 32106 "introduced": "0" 32107 } 32108 ], 32109 "type": "ECOSYSTEM" 32110 } 32111 ], 32112 "versions": [ 32113 "3.10.0.Final", 32114 "3.10.1.Final", 32115 "3.10.2.Final", 32116 "3.10.3.Final", 32117 "3.10.4.Final", 32118 "3.10.5.Final", 32119 "3.10.6.Final", 32120 "3.3.0.Final", 32121 "3.3.1.Final", 32122 
"3.4.0.Alpha1", 32123 "3.4.0.Alpha2", 32124 "3.4.0.Beta1", 32125 "3.4.0.Final", 32126 "3.4.1.Final", 32127 "3.4.2.Final", 32128 "3.4.3.Final", 32129 "3.4.4.Final", 32130 "3.4.5.Final", 32131 "3.4.6.Final", 32132 "3.5.0.Beta1", 32133 "3.5.0.Final", 32134 "3.5.1.Final", 32135 "3.5.10.Final", 32136 "3.5.11.Final", 32137 "3.5.12.Final", 32138 "3.5.13.Final", 32139 "3.5.2.Final", 32140 "3.5.3.Final", 32141 "3.5.4.Final", 32142 "3.5.5.Final", 32143 "3.5.6.Final", 32144 "3.5.7.Final", 32145 "3.5.8.Final", 32146 "3.5.9.Final", 32147 "3.6.0.Beta1", 32148 "3.6.0.Final", 32149 "3.6.1.Final", 32150 "3.6.10.Final", 32151 "3.6.2.Final", 32152 "3.6.3.Final", 32153 "3.6.4.Final", 32154 "3.6.5.Final", 32155 "3.6.6.Final", 32156 "3.6.7.Final", 32157 "3.6.8.Final", 32158 "3.6.9.Final", 32159 "3.7.0.Final", 32160 "3.7.1.Final", 32161 "3.8.0.Final", 32162 "3.8.1.Final", 32163 "3.8.2.Final", 32164 "3.8.3.Final", 32165 "3.9.0.Final", 32166 "3.9.1.1.Final", 32167 "3.9.1.Final", 32168 "3.9.2.Final", 32169 "3.9.3.Final", 32170 "3.9.4.Final", 32171 "3.9.5.Final", 32172 "3.9.6.Final", 32173 "3.9.7.Final", 32174 "3.9.8.Final", 32175 "3.9.9.Final", 32176 "4.0.0.Alpha1", 32177 "4.0.0.Alpha2", 32178 "4.0.0.Alpha3", 32179 "4.0.0.Alpha4", 32180 "4.0.0.Alpha5", 32181 "4.0.0.Alpha6", 32182 "4.0.0.Alpha7", 32183 "4.0.0.Alpha8" 32184 ] 32185 } 32186 ], 32187 "aliases": [ 32188 "BIT-zookeeper-2021-21295", 32189 "CVE-2021-21295", 32190 "CVE-2021-21409", 32191 "GHSA-wm47-8v5p-wjpj" 32192 ], 32193 "database_specific": { 32194 "cwe_ids": [ 32195 "CWE-444" 32196 ], 32197 "github_reviewed": true, 32198 "github_reviewed_at": "2021-03-30T15:03:26Z", 32199 "nvd_published_at": "2021-03-30T15:15:00Z", 32200 "severity": "MODERATE" 32201 }, 32202 "details": "### Impact\nThe content-length header is not correctly validated if the request only use a single Http2HeaderFrame with the endStream set to to true. 
This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1\n\nThis is a followup of https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj which did miss to fix this one case. \n\n### Patches\nThis was fixed as part of 4.1.61.Final\n\n### Workarounds\nValidation can be done by the user before proxy the request by validating the header.", 32203 "id": "GHSA-f256-j965-7f32", 32204 "modified": "2024-08-01T07:13:04.232041Z", 32205 "published": "2021-03-30T15:10:38Z", 32206 "references": [ 32207 { 32208 "type": "WEB", 32209 "url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32" 32210 }, 32211 { 32212 "type": "WEB", 32213 "url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj" 32214 }, 32215 { 32216 "type": "ADVISORY", 32217 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409" 32218 }, 32219 { 32220 "type": "WEB", 32221 "url": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432" 32222 }, 32223 { 32224 "type": "WEB", 32225 "url": "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102@%3Cissues.zookeeper.apache.org%3E" 32226 }, 32227 { 32228 "type": "WEB", 32229 "url": "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8@%3Cnotifications.zookeeper.apache.org%3E" 32230 }, 32231 { 32232 "type": "WEB", 32233 "url": "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e@%3Ccommits.zookeeper.apache.org%3E" 32234 }, 32235 { 32236 "type": "WEB", 32237 "url": "https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101@%3Ccommits.zookeeper.apache.org%3E" 32238 }, 32239 { 32240 "type": "WEB", 32241 "url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E" 32242 }, 32243 { 32244 "type": "WEB", 32245 "url": 
"https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E" 32246 }, 32247 { 32248 "type": "WEB", 32249 "url": "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362@%3Cdev.zookeeper.apache.org%3E" 32250 }, 32251 { 32252 "type": "WEB", 32253 "url": "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E" 32254 }, 32255 { 32256 "type": "WEB", 32257 "url": "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa@%3Cjira.kafka.apache.org%3E" 32258 }, 32259 { 32260 "type": "WEB", 32261 "url": "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187@%3Cissues.zookeeper.apache.org%3E" 32262 }, 32263 { 32264 "type": "WEB", 32265 "url": "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5@%3Cissues.zookeeper.apache.org%3E" 32266 }, 32267 { 32268 "type": "WEB", 32269 "url": "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d@%3Cissues.zookeeper.apache.org%3E" 32270 }, 32271 { 32272 "type": "WEB", 32273 "url": "https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525@%3Cissues.zookeeper.apache.org%3E" 32274 }, 32275 { 32276 "type": "WEB", 32277 "url": "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401@%3Cissues.zookeeper.apache.org%3E" 32278 }, 32279 { 32280 "type": "WEB", 32281 "url": "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39@%3Cnotifications.zookeeper.apache.org%3E" 32282 }, 32283 { 32284 "type": "WEB", 32285 "url": "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E" 32286 }, 32287 { 32288 "type": "WEB", 32289 "url": 
"https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575@%3Cdev.zookeeper.apache.org%3E" 32290 }, 32291 { 32292 "type": "WEB", 32293 "url": "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183@%3Cnotifications.zookeeper.apache.org%3E" 32294 }, 32295 { 32296 "type": "WEB", 32297 "url": "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4@%3Cnotifications.zookeeper.apache.org%3E" 32298 }, 32299 { 32300 "type": "WEB", 32301 "url": "https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35@%3Ccommits.pulsar.apache.org%3E" 32302 }, 32303 { 32304 "type": "WEB", 32305 "url": "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d@%3Cissues.zookeeper.apache.org%3E" 32306 }, 32307 { 32308 "type": "WEB", 32309 "url": "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E" 32310 }, 32311 { 32312 "type": "WEB", 32313 "url": "https://security.netapp.com/advisory/ntap-20210604-0003" 32314 }, 32315 { 32316 "type": "WEB", 32317 "url": "https://www.debian.org/security/2021/dsa-4885" 32318 }, 32319 { 32320 "type": "WEB", 32321 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 32322 }, 32323 { 32324 "type": "WEB", 32325 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 32326 }, 32327 { 32328 "type": "WEB", 32329 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 32330 }, 32331 { 32332 "type": "WEB", 32333 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 32334 }, 32335 { 32336 "type": "WEB", 32337 "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295" 32338 }, 32339 { 32340 "type": "PACKAGE", 32341 "url": "https://github.com/netty/netty" 32342 }, 32343 { 32344 "type": "WEB", 32345 "url": 
"https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E" 32346 }, 32347 { 32348 "type": "WEB", 32349 "url": "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2@%3Cissues.zookeeper.apache.org%3E" 32350 }, 32351 { 32352 "type": "WEB", 32353 "url": "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9@%3Cnotifications.zookeeper.apache.org%3E" 32354 }, 32355 { 32356 "type": "WEB", 32357 "url": "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219@%3Cissues.zookeeper.apache.org%3E" 32358 }, 32359 { 32360 "type": "WEB", 32361 "url": "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83@%3Cissues.zookeeper.apache.org%3E" 32362 }, 32363 { 32364 "type": "WEB", 32365 "url": "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58@%3Cissues.zookeeper.apache.org%3E" 32366 }, 32367 { 32368 "type": "WEB", 32369 "url": "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5@%3Ccommits.zookeeper.apache.org%3E" 32370 }, 32371 { 32372 "type": "WEB", 32373 "url": "https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687@%3Cissues.zookeeper.apache.org%3E" 32374 }, 32375 { 32376 "type": "WEB", 32377 "url": "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E" 32378 }, 32379 { 32380 "type": "WEB", 32381 "url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E" 32382 }, 32383 { 32384 "type": "WEB", 32385 "url": "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E" 32386 }, 32387 { 32388 "type": "WEB", 32389 "url": 
"https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795@%3Cnotifications.zookeeper.apache.org%3E" 32390 }, 32391 { 32392 "type": "WEB", 32393 "url": "https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e@%3Cissues.zookeeper.apache.org%3E" 32394 }, 32395 { 32396 "type": "WEB", 32397 "url": "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E" 32398 }, 32399 { 32400 "type": "WEB", 32401 "url": "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8@%3Ccommits.pulsar.apache.org%3E" 32402 }, 32403 { 32404 "type": "WEB", 32405 "url": "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355@%3Ccommits.zookeeper.apache.org%3E" 32406 }, 32407 { 32408 "type": "WEB", 32409 "url": "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b@%3Cissues.zookeeper.apache.org%3E" 32410 }, 32411 { 32412 "type": "WEB", 32413 "url": "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de@%3Cdev.zookeeper.apache.org%3E" 32414 }, 32415 { 32416 "type": "WEB", 32417 "url": "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed@%3Ccommits.pulsar.apache.org%3E" 32418 }, 32419 { 32420 "type": "WEB", 32421 "url": "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6@%3Cissues.zookeeper.apache.org%3E" 32422 }, 32423 { 32424 "type": "WEB", 32425 "url": "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9@%3Cissues.zookeeper.apache.org%3E" 32426 }, 32427 { 32428 "type": "WEB", 32429 "url": "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E" 32430 }, 32431 { 32432 "type": "WEB", 32433 "url": 
"https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae@%3Cissues.zookeeper.apache.org%3E" 32434 }, 32435 { 32436 "type": "WEB", 32437 "url": "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0@%3Cissues.zookeeper.apache.org%3E" 32438 }, 32439 { 32440 "type": "WEB", 32441 "url": "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2@%3Ccommits.zookeeper.apache.org%3E" 32442 }, 32443 { 32444 "type": "WEB", 32445 "url": "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E" 32446 }, 32447 { 32448 "type": "WEB", 32449 "url": "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E" 32450 } 32451 ], 32452 "schema_version": "1.6.0", 32453 "severity": [ 32454 { 32455 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", 32456 "type": "CVSS_V3" 32457 } 32458 ], 32459 "summary": "Possible request smuggling in HTTP/2 due missing validation of content-length" 32460 }, 32461 { 32462 "affected": [ 32463 { 32464 "database_specific": { 32465 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json" 32466 }, 32467 "package": { 32468 "ecosystem": "Maven", 32469 "name": "io.netty:netty-codec", 32470 "purl": "pkg:maven/io.netty/netty-codec" 32471 }, 32472 "ranges": [ 32473 { 32474 "events": [ 32475 { 32476 "introduced": "0" 32477 }, 32478 { 32479 "fixed": "4.1.68.Final" 32480 } 32481 ], 32482 "type": "ECOSYSTEM" 32483 } 32484 ], 32485 "versions": [ 32486 "4.0.0.Alpha1", 32487 "4.0.0.Alpha2", 32488 "4.0.0.Alpha3", 32489 "4.0.0.Alpha4", 32490 "4.0.0.Alpha5", 32491 "4.0.0.Alpha6", 32492 "4.0.0.Alpha7", 32493 "4.0.0.Alpha8", 32494 "4.0.0.Beta1", 32495 "4.0.0.Beta2", 32496 "4.0.0.Beta3", 32497 "4.0.0.CR1", 32498 "4.0.0.CR2", 32499 
"4.0.0.CR3", 32500 "4.0.0.CR4", 32501 "4.0.0.CR5", 32502 "4.0.0.CR6", 32503 "4.0.0.CR7", 32504 "4.0.0.CR8", 32505 "4.0.0.CR9", 32506 "4.0.0.Final", 32507 "4.0.1.Final", 32508 "4.0.10.Final", 32509 "4.0.11.Final", 32510 "4.0.12.Final", 32511 "4.0.13.Final", 32512 "4.0.14.Beta1", 32513 "4.0.14.Final", 32514 "4.0.15.Final", 32515 "4.0.16.Final", 32516 "4.0.17.Final", 32517 "4.0.18.Final", 32518 "4.0.19.Final", 32519 "4.0.2.Final", 32520 "4.0.20.Final", 32521 "4.0.21.Final", 32522 "4.0.22.Final", 32523 "4.0.23.Final", 32524 "4.0.24.Final", 32525 "4.0.25.Final", 32526 "4.0.26.Final", 32527 "4.0.27.Final", 32528 "4.0.28.Final", 32529 "4.0.29.Final", 32530 "4.0.3.Final", 32531 "4.0.30.Final", 32532 "4.0.31.Final", 32533 "4.0.32.Final", 32534 "4.0.33.Final", 32535 "4.0.34.Final", 32536 "4.0.35.Final", 32537 "4.0.36.Final", 32538 "4.0.37.Final", 32539 "4.0.38.Final", 32540 "4.0.39.Final", 32541 "4.0.4.Final", 32542 "4.0.40.Final", 32543 "4.0.41.Final", 32544 "4.0.42.Final", 32545 "4.0.43.Final", 32546 "4.0.44.Final", 32547 "4.0.45.Final", 32548 "4.0.46.Final", 32549 "4.0.47.Final", 32550 "4.0.48.Final", 32551 "4.0.49.Final", 32552 "4.0.5.Final", 32553 "4.0.50.Final", 32554 "4.0.51.Final", 32555 "4.0.52.Final", 32556 "4.0.53.Final", 32557 "4.0.54.Final", 32558 "4.0.55.Final", 32559 "4.0.56.Final", 32560 "4.0.6.Final", 32561 "4.0.7.Final", 32562 "4.0.8.Final", 32563 "4.0.9.Final", 32564 "4.1.0.Beta1", 32565 "4.1.0.Beta2", 32566 "4.1.0.Beta3", 32567 "4.1.0.Beta4", 32568 "4.1.0.Beta5", 32569 "4.1.0.Beta6", 32570 "4.1.0.Beta7", 32571 "4.1.0.Beta8", 32572 "4.1.0.CR1", 32573 "4.1.0.CR2", 32574 "4.1.0.CR3", 32575 "4.1.0.CR4", 32576 "4.1.0.CR5", 32577 "4.1.0.CR6", 32578 "4.1.0.CR7", 32579 "4.1.0.Final", 32580 "4.1.1.Final", 32581 "4.1.10.Final", 32582 "4.1.11.Final", 32583 "4.1.12.Final", 32584 "4.1.13.Final", 32585 "4.1.14.Final", 32586 "4.1.15.Final", 32587 "4.1.16.Final", 32588 "4.1.17.Final", 32589 "4.1.18.Final", 32590 "4.1.19.Final", 32591 "4.1.2.Final", 32592 "4.1.20.Final", 
32593 "4.1.21.Final", 32594 "4.1.22.Final", 32595 "4.1.23.Final", 32596 "4.1.24.Final", 32597 "4.1.25.Final", 32598 "4.1.26.Final", 32599 "4.1.27.Final", 32600 "4.1.28.Final", 32601 "4.1.29.Final", 32602 "4.1.3.Final", 32603 "4.1.30.Final", 32604 "4.1.31.Final", 32605 "4.1.32.Final", 32606 "4.1.33.Final", 32607 "4.1.34.Final", 32608 "4.1.35.Final", 32609 "4.1.36.Final", 32610 "4.1.37.Final", 32611 "4.1.38.Final", 32612 "4.1.39.Final", 32613 "4.1.4.Final", 32614 "4.1.40.Final", 32615 "4.1.41.Final", 32616 "4.1.42.Final", 32617 "4.1.43.Final", 32618 "4.1.44.Final", 32619 "4.1.45.Final", 32620 "4.1.46.Final", 32621 "4.1.47.Final", 32622 "4.1.48.Final", 32623 "4.1.49.Final", 32624 "4.1.5.Final", 32625 "4.1.50.Final", 32626 "4.1.51.Final", 32627 "4.1.52.Final", 32628 "4.1.53.Final", 32629 "4.1.54.Final", 32630 "4.1.55.Final", 32631 "4.1.56.Final", 32632 "4.1.57.Final", 32633 "4.1.58.Final", 32634 "4.1.59.Final", 32635 "4.1.6.Final", 32636 "4.1.60.Final", 32637 "4.1.61.Final", 32638 "4.1.62.Final", 32639 "4.1.63.Final", 32640 "4.1.64.Final", 32641 "4.1.65.Final", 32642 "4.1.66.Final", 32643 "4.1.67.Final", 32644 "4.1.7.Final", 32645 "4.1.8.Final", 32646 "4.1.9.Final" 32647 ] 32648 }, 32649 { 32650 "database_specific": { 32651 "last_known_affected_version_range": "\u003c 4.0.0", 32652 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json" 32653 }, 32654 "package": { 32655 "ecosystem": "Maven", 32656 "name": "org.jboss.netty:netty", 32657 "purl": "pkg:maven/org.jboss.netty/netty" 32658 }, 32659 "ranges": [ 32660 { 32661 "events": [ 32662 { 32663 "introduced": "0" 32664 } 32665 ], 32666 "type": "ECOSYSTEM" 32667 } 32668 ], 32669 "versions": [ 32670 "3.0.0.CR1", 32671 "3.0.0.CR2", 32672 "3.0.0.CR3", 32673 "3.0.0.CR4", 32674 "3.0.0.CR5", 32675 "3.0.0.GA", 32676 "3.0.1.GA", 32677 "3.0.2.GA", 32678 "3.1.0.ALPHA1", 32679 "3.1.0.ALPHA2", 32680 "3.1.0.ALPHA3", 32681 "3.1.0.ALPHA4", 32682 
"3.1.0.BETA1", 32683 "3.1.0.BETA2", 32684 "3.1.0.BETA3", 32685 "3.1.0.CR1", 32686 "3.1.0.GA", 32687 "3.1.1.GA", 32688 "3.1.2.GA", 32689 "3.1.3.GA", 32690 "3.1.4.GA", 32691 "3.1.5.GA", 32692 "3.2.0.ALPHA1", 32693 "3.2.0.ALPHA2", 32694 "3.2.0.ALPHA3", 32695 "3.2.0.ALPHA4", 32696 "3.2.0.BETA1", 32697 "3.2.0.CR1", 32698 "3.2.0.Final", 32699 "3.2.1.Final", 32700 "3.2.10.Final", 32701 "3.2.2.Final", 32702 "3.2.3.Final", 32703 "3.2.4.Final", 32704 "3.2.5.Final", 32705 "3.2.6.Final", 32706 "3.2.7.Final", 32707 "3.2.8.Final", 32708 "3.2.9.Final" 32709 ] 32710 }, 32711 { 32712 "database_specific": { 32713 "last_known_affected_version_range": "\u003c 4.0.0", 32714 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json" 32715 }, 32716 "package": { 32717 "ecosystem": "Maven", 32718 "name": "io.netty:netty", 32719 "purl": "pkg:maven/io.netty/netty" 32720 }, 32721 "ranges": [ 32722 { 32723 "events": [ 32724 { 32725 "introduced": "0" 32726 } 32727 ], 32728 "type": "ECOSYSTEM" 32729 } 32730 ], 32731 "versions": [ 32732 "3.10.0.Final", 32733 "3.10.1.Final", 32734 "3.10.2.Final", 32735 "3.10.3.Final", 32736 "3.10.4.Final", 32737 "3.10.5.Final", 32738 "3.10.6.Final", 32739 "3.3.0.Final", 32740 "3.3.1.Final", 32741 "3.4.0.Alpha1", 32742 "3.4.0.Alpha2", 32743 "3.4.0.Beta1", 32744 "3.4.0.Final", 32745 "3.4.1.Final", 32746 "3.4.2.Final", 32747 "3.4.3.Final", 32748 "3.4.4.Final", 32749 "3.4.5.Final", 32750 "3.4.6.Final", 32751 "3.5.0.Beta1", 32752 "3.5.0.Final", 32753 "3.5.1.Final", 32754 "3.5.10.Final", 32755 "3.5.11.Final", 32756 "3.5.12.Final", 32757 "3.5.13.Final", 32758 "3.5.2.Final", 32759 "3.5.3.Final", 32760 "3.5.4.Final", 32761 "3.5.5.Final", 32762 "3.5.6.Final", 32763 "3.5.7.Final", 32764 "3.5.8.Final", 32765 "3.5.9.Final", 32766 "3.6.0.Beta1", 32767 "3.6.0.Final", 32768 "3.6.1.Final", 32769 "3.6.10.Final", 32770 "3.6.2.Final", 32771 "3.6.3.Final", 32772 "3.6.4.Final", 32773 "3.6.5.Final", 
32774 "3.6.6.Final", 32775 "3.6.7.Final", 32776 "3.6.8.Final", 32777 "3.6.9.Final", 32778 "3.7.0.Final", 32779 "3.7.1.Final", 32780 "3.8.0.Final", 32781 "3.8.1.Final", 32782 "3.8.2.Final", 32783 "3.8.3.Final", 32784 "3.9.0.Final", 32785 "3.9.1.1.Final", 32786 "3.9.1.Final", 32787 "3.9.2.Final", 32788 "3.9.3.Final", 32789 "3.9.4.Final", 32790 "3.9.5.Final", 32791 "3.9.6.Final", 32792 "3.9.7.Final", 32793 "3.9.8.Final", 32794 "3.9.9.Final", 32795 "4.0.0.Alpha1", 32796 "4.0.0.Alpha2", 32797 "4.0.0.Alpha3", 32798 "4.0.0.Alpha4", 32799 "4.0.0.Alpha5", 32800 "4.0.0.Alpha6", 32801 "4.0.0.Alpha7", 32802 "4.0.0.Alpha8" 32803 ] 32804 } 32805 ], 32806 "aliases": [ 32807 "CVE-2021-37136" 32808 ], 32809 "database_specific": { 32810 "cwe_ids": [ 32811 "CWE-400" 32812 ], 32813 "github_reviewed": true, 32814 "github_reviewed_at": "2021-09-09T14:36:56Z", 32815 "nvd_published_at": "2021-10-19T15:15:00Z", 32816 "severity": "HIGH" 32817 }, 32818 "details": "### Impact\nThe Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression).\n\n\nAll users of Bzip2Decoder are affected. 
The malicious input can trigger an OOME and so a DoS attack\n\n### Workarounds\nNo workarounds other than not using the `Bzip2Decoder`\n\n### References\n\nRelevant code areas:\n\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305", 32819 "id": "GHSA-grg4-wf29-r9vv", 32820 "modified": "2024-03-11T05:19:43.92959Z", 32821 "published": "2021-09-09T17:11:21Z", 32822 "references": [ 32823 { 32824 "type": "WEB", 32825 "url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv" 32826 }, 32827 { 32828 "type": "ADVISORY", 32829 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136" 32830 }, 32831 { 32832 "type": "WEB", 32833 "url": "https://github.com/netty/netty/commit/41d3d61a61608f2223bb364955ab2045dd5e4020" 32834 }, 32835 { 32836 "type": "WEB", 32837 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 32838 }, 32839 { 32840 "type": "WEB", 32841 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 32842 }, 32843 { 32844 "type": "WEB", 32845 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 32846 }, 32847 { 32848 "type": "WEB", 32849 "url": "https://www.debian.org/security/2023/dsa-5316" 32850 }, 32851 { 32852 "type": "WEB", 32853 "url": "https://security.netapp.com/advisory/ntap-20220210-0012" 32854 }, 32855 { 32856 "type": "WEB", 32857 "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html" 32858 }, 32859 { 32860 "type": "WEB", 32861 "url": "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E" 32862 }, 32863 { 32864 "type": "WEB", 32865 "url": 
"https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E" 32866 }, 32867 { 32868 "type": "WEB", 32869 "url": "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E" 32870 }, 32871 { 32872 "type": "WEB", 32873 "url": "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E" 32874 }, 32875 { 32876 "type": "WEB", 32877 "url": "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E" 32878 }, 32879 { 32880 "type": "WEB", 32881 "url": "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E" 32882 }, 32883 { 32884 "type": "WEB", 32885 "url": "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80" 32886 }, 32887 { 32888 "type": "WEB", 32889 "url": "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305" 32890 }, 32891 { 32892 "type": "WEB", 32893 "url": "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294" 32894 }, 32895 { 32896 "type": "PACKAGE", 32897 "url": "https://github.com/netty/netty" 32898 } 32899 ], 32900 "schema_version": "1.6.0", 32901 "severity": [ 32902 { 32903 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 32904 "type": "CVSS_V3" 32905 } 32906 ], 32907 "summary": "Bzip2Decoder doesn't allow setting size restrictions for decompressed data" 32908 }, 32909 { 32910 "affected": [ 32911 { 32912 "database_specific": { 32913 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-p2v9-g2qv-p635/GHSA-p2v9-g2qv-p635.json" 32914 }, 32915 "package": { 32916 "ecosystem": 
"Maven", 32917 "name": "io.netty:netty-handler", 32918 "purl": "pkg:maven/io.netty/netty-handler" 32919 }, 32920 "ranges": [ 32921 { 32922 "events": [ 32923 { 32924 "introduced": "4.0.0" 32925 }, 32926 { 32927 "fixed": "4.1.45" 32928 } 32929 ], 32930 "type": "ECOSYSTEM" 32931 } 32932 ], 32933 "versions": [ 32934 "4.0.0.Final", 32935 "4.0.1.Final", 32936 "4.0.10.Final", 32937 "4.0.11.Final", 32938 "4.0.12.Final", 32939 "4.0.13.Final", 32940 "4.0.14.Beta1", 32941 "4.0.14.Final", 32942 "4.0.15.Final", 32943 "4.0.16.Final", 32944 "4.0.17.Final", 32945 "4.0.18.Final", 32946 "4.0.19.Final", 32947 "4.0.2.Final", 32948 "4.0.20.Final", 32949 "4.0.21.Final", 32950 "4.0.22.Final", 32951 "4.0.23.Final", 32952 "4.0.24.Final", 32953 "4.0.25.Final", 32954 "4.0.26.Final", 32955 "4.0.27.Final", 32956 "4.0.28.Final", 32957 "4.0.29.Final", 32958 "4.0.3.Final", 32959 "4.0.30.Final", 32960 "4.0.31.Final", 32961 "4.0.32.Final", 32962 "4.0.33.Final", 32963 "4.0.34.Final", 32964 "4.0.35.Final", 32965 "4.0.36.Final", 32966 "4.0.37.Final", 32967 "4.0.38.Final", 32968 "4.0.39.Final", 32969 "4.0.4.Final", 32970 "4.0.40.Final", 32971 "4.0.41.Final", 32972 "4.0.42.Final", 32973 "4.0.43.Final", 32974 "4.0.44.Final", 32975 "4.0.45.Final", 32976 "4.0.46.Final", 32977 "4.0.47.Final", 32978 "4.0.48.Final", 32979 "4.0.49.Final", 32980 "4.0.5.Final", 32981 "4.0.50.Final", 32982 "4.0.51.Final", 32983 "4.0.52.Final", 32984 "4.0.53.Final", 32985 "4.0.54.Final", 32986 "4.0.55.Final", 32987 "4.0.56.Final", 32988 "4.0.6.Final", 32989 "4.0.7.Final", 32990 "4.0.8.Final", 32991 "4.0.9.Final", 32992 "4.1.0.Beta1", 32993 "4.1.0.Beta2", 32994 "4.1.0.Beta3", 32995 "4.1.0.Beta4", 32996 "4.1.0.Beta5", 32997 "4.1.0.Beta6", 32998 "4.1.0.Beta7", 32999 "4.1.0.Beta8", 33000 "4.1.0.CR1", 33001 "4.1.0.CR2", 33002 "4.1.0.CR3", 33003 "4.1.0.CR4", 33004 "4.1.0.CR5", 33005 "4.1.0.CR6", 33006 "4.1.0.CR7", 33007 "4.1.0.Final", 33008 "4.1.1.Final", 33009 "4.1.10.Final", 33010 "4.1.11.Final", 33011 "4.1.12.Final", 33012 
"4.1.13.Final", 33013 "4.1.14.Final", 33014 "4.1.15.Final", 33015 "4.1.16.Final", 33016 "4.1.17.Final", 33017 "4.1.18.Final", 33018 "4.1.19.Final", 33019 "4.1.2.Final", 33020 "4.1.20.Final", 33021 "4.1.21.Final", 33022 "4.1.22.Final", 33023 "4.1.23.Final", 33024 "4.1.24.Final", 33025 "4.1.25.Final", 33026 "4.1.26.Final", 33027 "4.1.27.Final", 33028 "4.1.28.Final", 33029 "4.1.29.Final", 33030 "4.1.3.Final", 33031 "4.1.30.Final", 33032 "4.1.31.Final", 33033 "4.1.32.Final", 33034 "4.1.33.Final", 33035 "4.1.34.Final", 33036 "4.1.35.Final", 33037 "4.1.36.Final", 33038 "4.1.37.Final", 33039 "4.1.38.Final", 33040 "4.1.39.Final", 33041 "4.1.4.Final", 33042 "4.1.40.Final", 33043 "4.1.41.Final", 33044 "4.1.42.Final", 33045 "4.1.43.Final", 33046 "4.1.44.Final", 33047 "4.1.5.Final", 33048 "4.1.6.Final", 33049 "4.1.7.Final", 33050 "4.1.8.Final", 33051 "4.1.9.Final" 33052 ] 33053 }, 33054 { 33055 "database_specific": { 33056 "last_known_affected_version_range": "\u003c 4.0.0", 33057 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-p2v9-g2qv-p635/GHSA-p2v9-g2qv-p635.json" 33058 }, 33059 "package": { 33060 "ecosystem": "Maven", 33061 "name": "org.jboss.netty:netty", 33062 "purl": "pkg:maven/org.jboss.netty/netty" 33063 }, 33064 "ranges": [ 33065 { 33066 "events": [ 33067 { 33068 "introduced": "0" 33069 } 33070 ], 33071 "type": "ECOSYSTEM" 33072 } 33073 ], 33074 "versions": [ 33075 "3.0.0.CR1", 33076 "3.0.0.CR2", 33077 "3.0.0.CR3", 33078 "3.0.0.CR4", 33079 "3.0.0.CR5", 33080 "3.0.0.GA", 33081 "3.0.1.GA", 33082 "3.0.2.GA", 33083 "3.1.0.ALPHA1", 33084 "3.1.0.ALPHA2", 33085 "3.1.0.ALPHA3", 33086 "3.1.0.ALPHA4", 33087 "3.1.0.BETA1", 33088 "3.1.0.BETA2", 33089 "3.1.0.BETA3", 33090 "3.1.0.CR1", 33091 "3.1.0.GA", 33092 "3.1.1.GA", 33093 "3.1.2.GA", 33094 "3.1.3.GA", 33095 "3.1.4.GA", 33096 "3.1.5.GA", 33097 "3.2.0.ALPHA1", 33098 "3.2.0.ALPHA2", 33099 "3.2.0.ALPHA3", 33100 "3.2.0.ALPHA4", 33101 "3.2.0.BETA1", 33102 "3.2.0.CR1", 33103 
"3.2.0.Final", 33104 "3.2.1.Final", 33105 "3.2.10.Final", 33106 "3.2.2.Final", 33107 "3.2.3.Final", 33108 "3.2.4.Final", 33109 "3.2.5.Final", 33110 "3.2.6.Final", 33111 "3.2.7.Final", 33112 "3.2.8.Final", 33113 "3.2.9.Final" 33114 ] 33115 }, 33116 { 33117 "database_specific": { 33118 "last_known_affected_version_range": "\u003c 4.0.0", 33119 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-p2v9-g2qv-p635/GHSA-p2v9-g2qv-p635.json" 33120 }, 33121 "package": { 33122 "ecosystem": "Maven", 33123 "name": "io.netty:netty", 33124 "purl": "pkg:maven/io.netty/netty" 33125 }, 33126 "ranges": [ 33127 { 33128 "events": [ 33129 { 33130 "introduced": "0" 33131 } 33132 ], 33133 "type": "ECOSYSTEM" 33134 } 33135 ], 33136 "versions": [ 33137 "3.10.0.Final", 33138 "3.10.1.Final", 33139 "3.10.2.Final", 33140 "3.10.3.Final", 33141 "3.10.4.Final", 33142 "3.10.5.Final", 33143 "3.10.6.Final", 33144 "3.3.0.Final", 33145 "3.3.1.Final", 33146 "3.4.0.Alpha1", 33147 "3.4.0.Alpha2", 33148 "3.4.0.Beta1", 33149 "3.4.0.Final", 33150 "3.4.1.Final", 33151 "3.4.2.Final", 33152 "3.4.3.Final", 33153 "3.4.4.Final", 33154 "3.4.5.Final", 33155 "3.4.6.Final", 33156 "3.5.0.Beta1", 33157 "3.5.0.Final", 33158 "3.5.1.Final", 33159 "3.5.10.Final", 33160 "3.5.11.Final", 33161 "3.5.12.Final", 33162 "3.5.13.Final", 33163 "3.5.2.Final", 33164 "3.5.3.Final", 33165 "3.5.4.Final", 33166 "3.5.5.Final", 33167 "3.5.6.Final", 33168 "3.5.7.Final", 33169 "3.5.8.Final", 33170 "3.5.9.Final", 33171 "3.6.0.Beta1", 33172 "3.6.0.Final", 33173 "3.6.1.Final", 33174 "3.6.10.Final", 33175 "3.6.2.Final", 33176 "3.6.3.Final", 33177 "3.6.4.Final", 33178 "3.6.5.Final", 33179 "3.6.6.Final", 33180 "3.6.7.Final", 33181 "3.6.8.Final", 33182 "3.6.9.Final", 33183 "3.7.0.Final", 33184 "3.7.1.Final", 33185 "3.8.0.Final", 33186 "3.8.1.Final", 33187 "3.8.2.Final", 33188 "3.8.3.Final", 33189 "3.9.0.Final", 33190 "3.9.1.1.Final", 33191 "3.9.1.Final", 33192 "3.9.2.Final", 33193 "3.9.3.Final", 
33194 "3.9.4.Final", 33195 "3.9.5.Final", 33196 "3.9.6.Final", 33197 "3.9.7.Final", 33198 "3.9.8.Final", 33199 "3.9.9.Final", 33200 "4.0.0.Alpha1", 33201 "4.0.0.Alpha2", 33202 "4.0.0.Alpha3", 33203 "4.0.0.Alpha4", 33204 "4.0.0.Alpha5", 33205 "4.0.0.Alpha6", 33206 "4.0.0.Alpha7", 33207 "4.0.0.Alpha8" 33208 ] 33209 } 33210 ], 33211 "aliases": [ 33212 "CVE-2019-20445" 33213 ], 33214 "database_specific": { 33215 "cwe_ids": [ 33216 "CWE-444" 33217 ], 33218 "github_reviewed": true, 33219 "github_reviewed_at": "2020-02-20T20:54:25Z", 33220 "nvd_published_at": "2020-01-29T21:15:00Z", 33221 "severity": "MODERATE" 33222 }, 33223 "details": "HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.", 33224 "id": "GHSA-p2v9-g2qv-p635", 33225 "modified": "2024-03-11T05:20:08.431863Z", 33226 "published": "2020-02-21T18:55:04Z", 33227 "references": [ 33228 { 33229 "type": "ADVISORY", 33230 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445" 33231 }, 33232 { 33233 "type": "WEB", 33234 "url": "https://github.com/netty/netty/issues/9861" 33235 }, 33236 { 33237 "type": "WEB", 33238 "url": "https://github.com/netty/netty/pull/9865" 33239 }, 33240 { 33241 "type": "WEB", 33242 "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E" 33243 }, 33244 { 33245 "type": "WEB", 33246 "url": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E" 33247 }, 33248 { 33249 "type": "WEB", 33250 "url": "https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2@%3Cissues.flume.apache.org%3E" 33251 }, 33252 { 33253 "type": "WEB", 33254 "url": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E" 33255 }, 33256 { 33257 
"type": "WEB", 33258 "url": "https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11@%3Cissues.spark.apache.org%3E" 33259 }, 33260 { 33261 "type": "WEB", 33262 "url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E" 33263 }, 33264 { 33265 "type": "WEB", 33266 "url": "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E" 33267 }, 33268 { 33269 "type": "WEB", 33270 "url": "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E" 33271 }, 33272 { 33273 "type": "WEB", 33274 "url": "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E" 33275 }, 33276 { 33277 "type": "WEB", 33278 "url": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E" 33279 }, 33280 { 33281 "type": "WEB", 33282 "url": "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E" 33283 }, 33284 { 33285 "type": "WEB", 33286 "url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E" 33287 }, 33288 { 33289 "type": "WEB", 33290 "url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E" 33291 }, 33292 { 33293 "type": "WEB", 33294 "url": "https://access.redhat.com/errata/RHSA-2020:0497" 33295 }, 33296 { 33297 "type": "WEB", 33298 "url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E" 33299 }, 33300 { 33301 "type": "WEB", 33302 "url": 
"https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E" 33303 }, 33304 { 33305 "type": "WEB", 33306 "url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E" 33307 }, 33308 { 33309 "type": "WEB", 33310 "url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E" 33311 }, 33312 { 33313 "type": "WEB", 33314 "url": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E" 33315 }, 33316 { 33317 "type": "WEB", 33318 "url": "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E" 33319 }, 33320 { 33321 "type": "WEB", 33322 "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html" 33323 }, 33324 { 33325 "type": "WEB", 33326 "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html" 33327 }, 33328 { 33329 "type": "WEB", 33330 "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html" 33331 }, 33332 { 33333 "type": "WEB", 33334 "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html" 33335 }, 33336 { 33337 "type": "WEB", 33338 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46" 33339 }, 33340 { 33341 "type": "WEB", 33342 "url": "https://usn.ubuntu.com/4532-1" 33343 }, 33344 { 33345 "type": "WEB", 33346 "url": "https://www.debian.org/security/2021/dsa-4885" 33347 }, 33348 { 33349 "type": "WEB", 33350 "url": "https://access.redhat.com/errata/RHSA-2020:0567" 33351 }, 33352 { 33353 "type": "WEB", 33354 "url": "https://access.redhat.com/errata/RHSA-2020:0601" 33355 }, 33356 { 33357 "type": "WEB", 33358 "url": "https://access.redhat.com/errata/RHSA-2020:0605" 
33359 }, 33360 { 33361 "type": "WEB", 33362 "url": "https://access.redhat.com/errata/RHSA-2020:0606" 33363 }, 33364 { 33365 "type": "WEB", 33366 "url": "https://access.redhat.com/errata/RHSA-2020:0804" 33367 }, 33368 { 33369 "type": "WEB", 33370 "url": "https://access.redhat.com/errata/RHSA-2020:0805" 33371 }, 33372 { 33373 "type": "WEB", 33374 "url": "https://access.redhat.com/errata/RHSA-2020:0806" 33375 }, 33376 { 33377 "type": "WEB", 33378 "url": "https://access.redhat.com/errata/RHSA-2020:0811" 33379 }, 33380 { 33381 "type": "PACKAGE", 33382 "url": "https://github.com/netty/netty" 33383 }, 33384 { 33385 "type": "WEB", 33386 "url": "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final" 33387 }, 33388 { 33389 "type": "WEB", 33390 "url": "https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663@%3Cissues.flume.apache.org%3E" 33391 }, 33392 { 33393 "type": "WEB", 33394 "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" 33395 }, 33396 { 33397 "type": "WEB", 33398 "url": "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E" 33399 }, 33400 { 33401 "type": "WEB", 33402 "url": "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E" 33403 }, 33404 { 33405 "type": "WEB", 33406 "url": "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E" 33407 }, 33408 { 33409 "type": "WEB", 33410 "url": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E" 33411 }, 33412 { 33413 "type": "WEB", 33414 "url": "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E" 33415 }, 
33416 { 33417 "type": "WEB", 33418 "url": "https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d@%3Creviews.spark.apache.org%3E" 33419 }, 33420 { 33421 "type": "WEB", 33422 "url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E" 33423 }, 33424 { 33425 "type": "WEB", 33426 "url": "https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74@%3Cissues.flume.apache.org%3E" 33427 }, 33428 { 33429 "type": "WEB", 33430 "url": "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E" 33431 }, 33432 { 33433 "type": "WEB", 33434 "url": "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E" 33435 }, 33436 { 33437 "type": "WEB", 33438 "url": "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E" 33439 }, 33440 { 33441 "type": "WEB", 33442 "url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E" 33443 }, 33444 { 33445 "type": "WEB", 33446 "url": "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E" 33447 }, 33448 { 33449 "type": "WEB", 33450 "url": "https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45@%3Cdev.zookeeper.apache.org%3E" 33451 }, 33452 { 33453 "type": "WEB", 33454 "url": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E" 33455 } 33456 ], 33457 "schema_version": "1.6.0", 33458 "summary": "HTTP Request Smuggling in Netty" 33459 }, 33460 { 33461 "affected": [ 33462 { 33463 "database_specific": { 33464 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-wm47-8v5p-wjpj/GHSA-wm47-8v5p-wjpj.json" 33465 }, 33466 "package": { 33467 "ecosystem": "Maven", 33468 "name": "io.netty:netty-codec-http2", 33469 "purl": "pkg:maven/io.netty/netty-codec-http2" 33470 }, 33471 "ranges": [ 33472 { 33473 "events": [ 33474 { 33475 "introduced": "4.0.0" 33476 }, 33477 { 33478 "fixed": "4.1.60.Final" 33479 } 33480 ], 33481 "type": "ECOSYSTEM" 33482 } 33483 ], 33484 "versions": [ 33485 "4.1.0.Beta4", 33486 "4.1.0.Beta5", 33487 "4.1.0.Beta6", 33488 "4.1.0.Beta7", 33489 "4.1.0.Beta8", 33490 "4.1.0.CR1", 33491 "4.1.0.CR2", 33492 "4.1.0.CR3", 33493 "4.1.0.CR4", 33494 "4.1.0.CR5", 33495 "4.1.0.CR6", 33496 "4.1.0.CR7", 33497 "4.1.0.Final", 33498 "4.1.1.Final", 33499 "4.1.10.Final", 33500 "4.1.11.Final", 33501 "4.1.12.Final", 33502 "4.1.13.Final", 33503 "4.1.14.Final", 33504 "4.1.15.Final", 33505 "4.1.16.Final", 33506 "4.1.17.Final", 33507 "4.1.18.Final", 33508 "4.1.19.Final", 33509 "4.1.2.Final", 33510 "4.1.20.Final", 33511 "4.1.21.Final", 33512 "4.1.22.Final", 33513 "4.1.23.Final", 33514 "4.1.24.Final", 33515 "4.1.25.Final", 33516 "4.1.26.Final", 33517 "4.1.27.Final", 33518 "4.1.28.Final", 33519 "4.1.29.Final", 33520 "4.1.3.Final", 33521 "4.1.30.Final", 33522 "4.1.31.Final", 33523 "4.1.32.Final", 33524 "4.1.33.Final", 33525 "4.1.34.Final", 33526 "4.1.35.Final", 33527 "4.1.36.Final", 33528 "4.1.37.Final", 33529 "4.1.38.Final", 33530 "4.1.39.Final", 33531 "4.1.4.Final", 33532 "4.1.40.Final", 33533 "4.1.41.Final", 33534 "4.1.42.Final", 33535 "4.1.43.Final", 33536 "4.1.44.Final", 33537 "4.1.45.Final", 33538 "4.1.46.Final", 33539 "4.1.47.Final", 33540 "4.1.48.Final", 33541 "4.1.49.Final", 33542 "4.1.5.Final", 33543 "4.1.50.Final", 33544 "4.1.51.Final", 33545 "4.1.52.Final", 33546 "4.1.53.Final", 33547 "4.1.54.Final", 33548 "4.1.55.Final", 33549 "4.1.56.Final", 33550 "4.1.57.Final", 33551 "4.1.58.Final", 33552 "4.1.59.Final", 33553 "4.1.6.Final", 33554 
"4.1.7.Final", 33555 "4.1.8.Final", 33556 "4.1.9.Final" 33557 ] 33558 }, 33559 { 33560 "database_specific": { 33561 "last_known_affected_version_range": "\u003c 4.0.0", 33562 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-wm47-8v5p-wjpj/GHSA-wm47-8v5p-wjpj.json" 33563 }, 33564 "package": { 33565 "ecosystem": "Maven", 33566 "name": "org.jboss.netty:netty", 33567 "purl": "pkg:maven/org.jboss.netty/netty" 33568 }, 33569 "ranges": [ 33570 { 33571 "events": [ 33572 { 33573 "introduced": "0" 33574 } 33575 ], 33576 "type": "ECOSYSTEM" 33577 } 33578 ], 33579 "versions": [ 33580 "3.0.0.CR1", 33581 "3.0.0.CR2", 33582 "3.0.0.CR3", 33583 "3.0.0.CR4", 33584 "3.0.0.CR5", 33585 "3.0.0.GA", 33586 "3.0.1.GA", 33587 "3.0.2.GA", 33588 "3.1.0.ALPHA1", 33589 "3.1.0.ALPHA2", 33590 "3.1.0.ALPHA3", 33591 "3.1.0.ALPHA4", 33592 "3.1.0.BETA1", 33593 "3.1.0.BETA2", 33594 "3.1.0.BETA3", 33595 "3.1.0.CR1", 33596 "3.1.0.GA", 33597 "3.1.1.GA", 33598 "3.1.2.GA", 33599 "3.1.3.GA", 33600 "3.1.4.GA", 33601 "3.1.5.GA", 33602 "3.2.0.ALPHA1", 33603 "3.2.0.ALPHA2", 33604 "3.2.0.ALPHA3", 33605 "3.2.0.ALPHA4", 33606 "3.2.0.BETA1", 33607 "3.2.0.CR1", 33608 "3.2.0.Final", 33609 "3.2.1.Final", 33610 "3.2.10.Final", 33611 "3.2.2.Final", 33612 "3.2.3.Final", 33613 "3.2.4.Final", 33614 "3.2.5.Final", 33615 "3.2.6.Final", 33616 "3.2.7.Final", 33617 "3.2.8.Final", 33618 "3.2.9.Final" 33619 ] 33620 }, 33621 { 33622 "database_specific": { 33623 "last_known_affected_version_range": "\u003c 4.0.0", 33624 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-wm47-8v5p-wjpj/GHSA-wm47-8v5p-wjpj.json" 33625 }, 33626 "package": { 33627 "ecosystem": "Maven", 33628 "name": "io.netty:netty", 33629 "purl": "pkg:maven/io.netty/netty" 33630 }, 33631 "ranges": [ 33632 { 33633 "events": [ 33634 { 33635 "introduced": "0" 33636 } 33637 ], 33638 "type": "ECOSYSTEM" 33639 } 33640 ], 33641 "versions": [ 33642 "3.10.0.Final", 
33643 "3.10.1.Final", 33644 "3.10.2.Final", 33645 "3.10.3.Final", 33646 "3.10.4.Final", 33647 "3.10.5.Final", 33648 "3.10.6.Final", 33649 "3.3.0.Final", 33650 "3.3.1.Final", 33651 "3.4.0.Alpha1", 33652 "3.4.0.Alpha2", 33653 "3.4.0.Beta1", 33654 "3.4.0.Final", 33655 "3.4.1.Final", 33656 "3.4.2.Final", 33657 "3.4.3.Final", 33658 "3.4.4.Final", 33659 "3.4.5.Final", 33660 "3.4.6.Final", 33661 "3.5.0.Beta1", 33662 "3.5.0.Final", 33663 "3.5.1.Final", 33664 "3.5.10.Final", 33665 "3.5.11.Final", 33666 "3.5.12.Final", 33667 "3.5.13.Final", 33668 "3.5.2.Final", 33669 "3.5.3.Final", 33670 "3.5.4.Final", 33671 "3.5.5.Final", 33672 "3.5.6.Final", 33673 "3.5.7.Final", 33674 "3.5.8.Final", 33675 "3.5.9.Final", 33676 "3.6.0.Beta1", 33677 "3.6.0.Final", 33678 "3.6.1.Final", 33679 "3.6.10.Final", 33680 "3.6.2.Final", 33681 "3.6.3.Final", 33682 "3.6.4.Final", 33683 "3.6.5.Final", 33684 "3.6.6.Final", 33685 "3.6.7.Final", 33686 "3.6.8.Final", 33687 "3.6.9.Final", 33688 "3.7.0.Final", 33689 "3.7.1.Final", 33690 "3.8.0.Final", 33691 "3.8.1.Final", 33692 "3.8.2.Final", 33693 "3.8.3.Final", 33694 "3.9.0.Final", 33695 "3.9.1.1.Final", 33696 "3.9.1.Final", 33697 "3.9.2.Final", 33698 "3.9.3.Final", 33699 "3.9.4.Final", 33700 "3.9.5.Final", 33701 "3.9.6.Final", 33702 "3.9.7.Final", 33703 "3.9.8.Final", 33704 "3.9.9.Final", 33705 "4.0.0.Alpha1", 33706 "4.0.0.Alpha2", 33707 "4.0.0.Alpha3", 33708 "4.0.0.Alpha4", 33709 "4.0.0.Alpha5", 33710 "4.0.0.Alpha6", 33711 "4.0.0.Alpha7", 33712 "4.0.0.Alpha8" 33713 ] 33714 } 33715 ], 33716 "aliases": [ 33717 "BIT-zookeeper-2021-21295", 33718 "CVE-2021-21295", 33719 "CVE-2021-21409", 33720 "GHSA-f256-j965-7f32" 33721 ], 33722 "database_specific": { 33723 "cwe_ids": [ 33724 "CWE-444" 33725 ], 33726 "github_reviewed": true, 33727 "github_reviewed_at": "2021-03-09T18:47:09Z", 33728 "nvd_published_at": "2021-03-09T19:15:00Z", 33729 "severity": "MODERATE" 33730 }, 33731 "details": "### Impact\nIf a Content-Length header is present in the original HTTP/2 request, 
the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1.\nIf the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. \n\nIn a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked.\n\nAn attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. A sample attack request looks like:\n\n```\nPOST / HTTP/2\n:authority:: externaldomain.com\nContent-Length: 4\n\nasdfGET /evilRedirect HTTP/1.1\nHost: internaldomain.com\n```\n\nUsers are only affected if all of this is `true`:\n * `HTTP2MultiplexCodec` or `Http2FrameCodec` is used\n * `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects\n * These HTTP/1.1 objects are forwarded to another remote peer.\n \n\n### Patches\nThis has been patched in 4.1.60.Final\n\n### Workarounds\nThe user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.\n\n### References\nRelated change to workaround the problem: https://github.com/Netflix/zuul/pull/980 ", 33732 "id": "GHSA-wm47-8v5p-wjpj", 33733 "modified": "2024-08-01T07:13:04.232041Z", 33734 "published": "2021-03-09T18:49:49Z", 33735 "references": [ 33736 { 33737 "type": "WEB", 33738 "url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj" 33739 }, 33740 { 33741 "type": "ADVISORY", 33742 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21295" 33743 }, 33744 { 33745 "type": "WEB", 33746 "url": 
"https://github.com/Netflix/zuul/pull/980" 33747 }, 33748 { 33749 "type": "WEB", 33750 "url": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4" 33751 }, 33752 { 33753 "type": "WEB", 33754 "url": "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E" 33755 }, 33756 { 33757 "type": "WEB", 33758 "url": "https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f@%3Cjira.kafka.apache.org%3E" 33759 }, 33760 { 33761 "type": "WEB", 33762 "url": "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E" 33763 }, 33764 { 33765 "type": "WEB", 33766 "url": "https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9@%3Cnotifications.zookeeper.apache.org%3E" 33767 }, 33768 { 33769 "type": "WEB", 33770 "url": "https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e@%3Cnotifications.zookeeper.apache.org%3E" 33771 }, 33772 { 33773 "type": "WEB", 33774 "url": "https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb@%3Cissues.hbase.apache.org%3E" 33775 }, 33776 { 33777 "type": "WEB", 33778 "url": "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E" 33779 }, 33780 { 33781 "type": "WEB", 33782 "url": "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E" 33783 }, 33784 { 33785 "type": "WEB", 33786 "url": "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E" 33787 }, 33788 { 33789 "type": "WEB", 33790 "url": "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E" 
33791 }, 33792 { 33793 "type": "WEB", 33794 "url": "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E" 33795 }, 33796 { 33797 "type": "WEB", 33798 "url": "https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E" 33799 }, 33800 { 33801 "type": "WEB", 33802 "url": "https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E" 33803 }, 33804 { 33805 "type": "WEB", 33806 "url": "https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81@%3Cissues.hbase.apache.org%3E" 33807 }, 33808 { 33809 "type": "WEB", 33810 "url": "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E" 33811 }, 33812 { 33813 "type": "WEB", 33814 "url": "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E" 33815 }, 33816 { 33817 "type": "WEB", 33818 "url": "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E" 33819 }, 33820 { 33821 "type": "WEB", 33822 "url": "https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523@%3Cjira.kafka.apache.org%3E" 33823 }, 33824 { 33825 "type": "WEB", 33826 "url": "https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd@%3Cdev.hbase.apache.org%3E" 33827 }, 33828 { 33829 "type": "WEB", 33830 "url": "https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc@%3Cjira.kafka.apache.org%3E" 33831 }, 33832 { 33833 "type": "WEB", 33834 "url": "https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E" 33835 }, 33836 { 
33837 "type": "WEB", 33838 "url": "https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E" 33839 }, 33840 { 33841 "type": "WEB", 33842 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 33843 }, 33844 { 33845 "type": "WEB", 33846 "url": "https://www.debian.org/security/2021/dsa-4885" 33847 }, 33848 { 33849 "type": "WEB", 33850 "url": "https://security.netapp.com/advisory/ntap-20210604-0003" 33851 }, 33852 { 33853 "type": "WEB", 33854 "url": "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171@%3Cissues.zookeeper.apache.org%3E" 33855 }, 33856 { 33857 "type": "WEB", 33858 "url": "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E" 33859 }, 33860 { 33861 "type": "WEB", 33862 "url": "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E" 33863 }, 33864 { 33865 "type": "WEB", 33866 "url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E" 33867 }, 33868 { 33869 "type": "WEB", 33870 "url": "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E" 33871 }, 33872 { 33873 "type": "WEB", 33874 "url": "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E" 33875 }, 33876 { 33877 "type": "WEB", 33878 "url": "https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91@%3Cissues.zookeeper.apache.org%3E" 33879 }, 33880 { 33881 "type": "WEB", 33882 "url": "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E" 33883 }, 33884 { 33885 "type": "WEB", 33886 "url": 
"https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E" 33887 }, 33888 { 33889 "type": "WEB", 33890 "url": "https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384@%3Cissues.zookeeper.apache.org%3E" 33891 }, 33892 { 33893 "type": "WEB", 33894 "url": "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E" 33895 }, 33896 { 33897 "type": "WEB", 33898 "url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E" 33899 }, 33900 { 33901 "type": "WEB", 33902 "url": "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E" 33903 }, 33904 { 33905 "type": "WEB", 33906 "url": "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E" 33907 }, 33908 { 33909 "type": "WEB", 33910 "url": "https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e@%3Cissues.zookeeper.apache.org%3E" 33911 }, 33912 { 33913 "type": "WEB", 33914 "url": "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E" 33915 }, 33916 { 33917 "type": "WEB", 33918 "url": "https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8@%3Ccommits.hbase.apache.org%3E" 33919 }, 33920 { 33921 "type": "WEB", 33922 "url": "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E" 33923 }, 33924 { 33925 "type": "WEB", 33926 "url": "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E" 33927 }, 33928 { 33929 "type": "WEB", 33930 "url": 
"https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf@%3Cissues.hbase.apache.org%3E" 33931 }, 33932 { 33933 "type": "WEB", 33934 "url": "https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f@%3Cissues.zookeeper.apache.org%3E" 33935 }, 33936 { 33937 "type": "WEB", 33938 "url": "https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3@%3Cdev.jackrabbit.apache.org%3E" 33939 }, 33940 { 33941 "type": "WEB", 33942 "url": "https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f@%3Cjira.kafka.apache.org%3E" 33943 }, 33944 { 33945 "type": "WEB", 33946 "url": "https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064@%3Cissues.hbase.apache.org%3E" 33947 }, 33948 { 33949 "type": "WEB", 33950 "url": "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5@%3Cdev.zookeeper.apache.org%3E" 33951 }, 33952 { 33953 "type": "WEB", 33954 "url": "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3@%3Cissues.zookeeper.apache.org%3E" 33955 }, 33956 { 33957 "type": "WEB", 33958 "url": "https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1@%3Cnotifications.zookeeper.apache.org%3E" 33959 }, 33960 { 33961 "type": "WEB", 33962 "url": "https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E" 33963 }, 33964 { 33965 "type": "WEB", 33966 "url": "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E" 33967 }, 33968 { 33969 "type": "WEB", 33970 "url": "https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece@%3Cissues.hbase.apache.org%3E" 33971 }, 33972 { 33973 "type": "WEB", 33974 "url": 
"https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190@%3Cissues.hbase.apache.org%3E" 33975 }, 33976 { 33977 "type": "WEB", 33978 "url": "https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1@%3Cissues.hbase.apache.org%3E" 33979 }, 33980 { 33981 "type": "WEB", 33982 "url": "https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1@%3Ccommits.zookeeper.apache.org%3E" 33983 }, 33984 { 33985 "type": "WEB", 33986 "url": "https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509@%3Cissues.zookeeper.apache.org%3E" 33987 }, 33988 { 33989 "type": "WEB", 33990 "url": "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E" 33991 }, 33992 { 33993 "type": "WEB", 33994 "url": "https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E" 33995 }, 33996 { 33997 "type": "WEB", 33998 "url": "https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969@%3Cjira.kafka.apache.org%3E" 33999 }, 34000 { 34001 "type": "WEB", 34002 "url": "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E" 34003 }, 34004 { 34005 "type": "WEB", 34006 "url": "https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E" 34007 }, 34008 { 34009 "type": "WEB", 34010 "url": "https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b@%3Cissues.hbase.apache.org%3E" 34011 }, 34012 { 34013 "type": "WEB", 34014 "url": "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E" 34015 }, 34016 { 34017 "type": "PACKAGE", 34018 "url": 
"https://github.com/netty/netty" 34019 }, 34020 { 34021 "type": "WEB", 34022 "url": "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E" 34023 }, 34024 { 34025 "type": "WEB", 34026 "url": "https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a@%3Ccommits.zookeeper.apache.org%3E" 34027 }, 34028 { 34029 "type": "WEB", 34030 "url": "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E" 34031 }, 34032 { 34033 "type": "WEB", 34034 "url": "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E" 34035 }, 34036 { 34037 "type": "WEB", 34038 "url": "https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c@%3Ccommits.zookeeper.apache.org%3E" 34039 }, 34040 { 34041 "type": "WEB", 34042 "url": "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E" 34043 }, 34044 { 34045 "type": "WEB", 34046 "url": "https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6@%3Cissues.hbase.apache.org%3E" 34047 }, 34048 { 34049 "type": "WEB", 34050 "url": "https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675@%3Cnotifications.zookeeper.apache.org%3E" 34051 }, 34052 { 34053 "type": "WEB", 34054 "url": "https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b@%3Ccommits.zookeeper.apache.org%3E" 34055 }, 34056 { 34057 "type": "WEB", 34058 "url": "https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798@%3Cnotifications.zookeeper.apache.org%3E" 34059 }, 34060 { 34061 "type": "WEB", 34062 "url": 
"https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E" 34063 }, 34064 { 34065 "type": "WEB", 34066 "url": "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E" 34067 }, 34068 { 34069 "type": "WEB", 34070 "url": "https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c@%3Cdev.kafka.apache.org%3E" 34071 }, 34072 { 34073 "type": "WEB", 34074 "url": "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E" 34075 }, 34076 { 34077 "type": "WEB", 34078 "url": "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E" 34079 }, 34080 { 34081 "type": "WEB", 34082 "url": "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E" 34083 }, 34084 { 34085 "type": "WEB", 34086 "url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E" 34087 }, 34088 { 34089 "type": "WEB", 34090 "url": "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E" 34091 }, 34092 { 34093 "type": "WEB", 34094 "url": "https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe@%3Cnotifications.zookeeper.apache.org%3E" 34095 }, 34096 { 34097 "type": "WEB", 34098 "url": "https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8@%3Cnotifications.zookeeper.apache.org%3E" 34099 }, 34100 { 34101 "type": "WEB", 34102 "url": "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E" 34103 }, 34104 { 34105 "type": "WEB", 34106 "url": 
"https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E" 34107 } 34108 ], 34109 "schema_version": "1.6.0", 34110 "severity": [ 34111 { 34112 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", 34113 "type": "CVSS_V3" 34114 } 34115 ], 34116 "summary": "Possible request smuggling in HTTP/2 due missing validation" 34117 }, 34118 { 34119 "affected": [ 34120 { 34121 "database_specific": { 34122 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wx5j-54mm-rqqq/GHSA-wx5j-54mm-rqqq.json" 34123 }, 34124 "package": { 34125 "ecosystem": "Maven", 34126 "name": "io.netty:netty-codec-http", 34127 "purl": "pkg:maven/io.netty/netty-codec-http" 34128 }, 34129 "ranges": [ 34130 { 34131 "events": [ 34132 { 34133 "introduced": "4.0.0" 34134 }, 34135 { 34136 "fixed": "4.1.71.Final" 34137 } 34138 ], 34139 "type": "ECOSYSTEM" 34140 } 34141 ], 34142 "versions": [ 34143 "4.0.0.Final", 34144 "4.0.1.Final", 34145 "4.0.10.Final", 34146 "4.0.11.Final", 34147 "4.0.12.Final", 34148 "4.0.13.Final", 34149 "4.0.14.Beta1", 34150 "4.0.14.Final", 34151 "4.0.15.Final", 34152 "4.0.16.Final", 34153 "4.0.17.Final", 34154 "4.0.18.Final", 34155 "4.0.19.Final", 34156 "4.0.2.Final", 34157 "4.0.20.Final", 34158 "4.0.21.Final", 34159 "4.0.22.Final", 34160 "4.0.23.Final", 34161 "4.0.24.Final", 34162 "4.0.25.Final", 34163 "4.0.26.Final", 34164 "4.0.27.Final", 34165 "4.0.28.Final", 34166 "4.0.29.Final", 34167 "4.0.3.Final", 34168 "4.0.30.Final", 34169 "4.0.31.Final", 34170 "4.0.32.Final", 34171 "4.0.33.Final", 34172 "4.0.34.Final", 34173 "4.0.35.Final", 34174 "4.0.36.Final", 34175 "4.0.37.Final", 34176 "4.0.38.Final", 34177 "4.0.39.Final", 34178 "4.0.4.Final", 34179 "4.0.40.Final", 34180 "4.0.41.Final", 34181 "4.0.42.Final", 34182 "4.0.43.Final", 34183 "4.0.44.Final", 34184 "4.0.45.Final", 34185 "4.0.46.Final", 34186 "4.0.47.Final", 34187 "4.0.48.Final", 34188 "4.0.49.Final", 
34189 "4.0.5.Final", 34190 "4.0.50.Final", 34191 "4.0.51.Final", 34192 "4.0.52.Final", 34193 "4.0.53.Final", 34194 "4.0.54.Final", 34195 "4.0.55.Final", 34196 "4.0.56.Final", 34197 "4.0.6.Final", 34198 "4.0.7.Final", 34199 "4.0.8.Final", 34200 "4.0.9.Final", 34201 "4.1.0.Beta1", 34202 "4.1.0.Beta2", 34203 "4.1.0.Beta3", 34204 "4.1.0.Beta4", 34205 "4.1.0.Beta5", 34206 "4.1.0.Beta6", 34207 "4.1.0.Beta7", 34208 "4.1.0.Beta8", 34209 "4.1.0.CR1", 34210 "4.1.0.CR2", 34211 "4.1.0.CR3", 34212 "4.1.0.CR4", 34213 "4.1.0.CR5", 34214 "4.1.0.CR6", 34215 "4.1.0.CR7", 34216 "4.1.0.Final", 34217 "4.1.1.Final", 34218 "4.1.10.Final", 34219 "4.1.11.Final", 34220 "4.1.12.Final", 34221 "4.1.13.Final", 34222 "4.1.14.Final", 34223 "4.1.15.Final", 34224 "4.1.16.Final", 34225 "4.1.17.Final", 34226 "4.1.18.Final", 34227 "4.1.19.Final", 34228 "4.1.2.Final", 34229 "4.1.20.Final", 34230 "4.1.21.Final", 34231 "4.1.22.Final", 34232 "4.1.23.Final", 34233 "4.1.24.Final", 34234 "4.1.25.Final", 34235 "4.1.26.Final", 34236 "4.1.27.Final", 34237 "4.1.28.Final", 34238 "4.1.29.Final", 34239 "4.1.3.Final", 34240 "4.1.30.Final", 34241 "4.1.31.Final", 34242 "4.1.32.Final", 34243 "4.1.33.Final", 34244 "4.1.34.Final", 34245 "4.1.35.Final", 34246 "4.1.36.Final", 34247 "4.1.37.Final", 34248 "4.1.38.Final", 34249 "4.1.39.Final", 34250 "4.1.4.Final", 34251 "4.1.40.Final", 34252 "4.1.41.Final", 34253 "4.1.42.Final", 34254 "4.1.43.Final", 34255 "4.1.44.Final", 34256 "4.1.45.Final", 34257 "4.1.46.Final", 34258 "4.1.47.Final", 34259 "4.1.48.Final", 34260 "4.1.49.Final", 34261 "4.1.5.Final", 34262 "4.1.50.Final", 34263 "4.1.51.Final", 34264 "4.1.52.Final", 34265 "4.1.53.Final", 34266 "4.1.54.Final", 34267 "4.1.55.Final", 34268 "4.1.56.Final", 34269 "4.1.57.Final", 34270 "4.1.58.Final", 34271 "4.1.59.Final", 34272 "4.1.6.Final", 34273 "4.1.60.Final", 34274 "4.1.61.Final", 34275 "4.1.62.Final", 34276 "4.1.63.Final", 34277 "4.1.64.Final", 34278 "4.1.65.Final", 34279 "4.1.66.Final", 34280 "4.1.67.Final", 34281 
"4.1.68.Final", 34282 "4.1.69.Final", 34283 "4.1.7.Final", 34284 "4.1.70.Final", 34285 "4.1.8.Final", 34286 "4.1.9.Final" 34287 ] 34288 }, 34289 { 34290 "database_specific": { 34291 "last_known_affected_version_range": "\u003c 4.0.0", 34292 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wx5j-54mm-rqqq/GHSA-wx5j-54mm-rqqq.json" 34293 }, 34294 "package": { 34295 "ecosystem": "Maven", 34296 "name": "org.jboss.netty:netty", 34297 "purl": "pkg:maven/org.jboss.netty/netty" 34298 }, 34299 "ranges": [ 34300 { 34301 "events": [ 34302 { 34303 "introduced": "0" 34304 } 34305 ], 34306 "type": "ECOSYSTEM" 34307 } 34308 ], 34309 "versions": [ 34310 "3.0.0.CR1", 34311 "3.0.0.CR2", 34312 "3.0.0.CR3", 34313 "3.0.0.CR4", 34314 "3.0.0.CR5", 34315 "3.0.0.GA", 34316 "3.0.1.GA", 34317 "3.0.2.GA", 34318 "3.1.0.ALPHA1", 34319 "3.1.0.ALPHA2", 34320 "3.1.0.ALPHA3", 34321 "3.1.0.ALPHA4", 34322 "3.1.0.BETA1", 34323 "3.1.0.BETA2", 34324 "3.1.0.BETA3", 34325 "3.1.0.CR1", 34326 "3.1.0.GA", 34327 "3.1.1.GA", 34328 "3.1.2.GA", 34329 "3.1.3.GA", 34330 "3.1.4.GA", 34331 "3.1.5.GA", 34332 "3.2.0.ALPHA1", 34333 "3.2.0.ALPHA2", 34334 "3.2.0.ALPHA3", 34335 "3.2.0.ALPHA4", 34336 "3.2.0.BETA1", 34337 "3.2.0.CR1", 34338 "3.2.0.Final", 34339 "3.2.1.Final", 34340 "3.2.10.Final", 34341 "3.2.2.Final", 34342 "3.2.3.Final", 34343 "3.2.4.Final", 34344 "3.2.5.Final", 34345 "3.2.6.Final", 34346 "3.2.7.Final", 34347 "3.2.8.Final", 34348 "3.2.9.Final" 34349 ] 34350 }, 34351 { 34352 "database_specific": { 34353 "last_known_affected_version_range": "\u003c 4.0.0", 34354 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wx5j-54mm-rqqq/GHSA-wx5j-54mm-rqqq.json" 34355 }, 34356 "package": { 34357 "ecosystem": "Maven", 34358 "name": "io.netty:netty", 34359 "purl": "pkg:maven/io.netty/netty" 34360 }, 34361 "ranges": [ 34362 { 34363 "events": [ 34364 { 34365 "introduced": "0" 34366 } 34367 ], 34368 "type": 
"ECOSYSTEM" 34369 } 34370 ], 34371 "versions": [ 34372 "3.10.0.Final", 34373 "3.10.1.Final", 34374 "3.10.2.Final", 34375 "3.10.3.Final", 34376 "3.10.4.Final", 34377 "3.10.5.Final", 34378 "3.10.6.Final", 34379 "3.3.0.Final", 34380 "3.3.1.Final", 34381 "3.4.0.Alpha1", 34382 "3.4.0.Alpha2", 34383 "3.4.0.Beta1", 34384 "3.4.0.Final", 34385 "3.4.1.Final", 34386 "3.4.2.Final", 34387 "3.4.3.Final", 34388 "3.4.4.Final", 34389 "3.4.5.Final", 34390 "3.4.6.Final", 34391 "3.5.0.Beta1", 34392 "3.5.0.Final", 34393 "3.5.1.Final", 34394 "3.5.10.Final", 34395 "3.5.11.Final", 34396 "3.5.12.Final", 34397 "3.5.13.Final", 34398 "3.5.2.Final", 34399 "3.5.3.Final", 34400 "3.5.4.Final", 34401 "3.5.5.Final", 34402 "3.5.6.Final", 34403 "3.5.7.Final", 34404 "3.5.8.Final", 34405 "3.5.9.Final", 34406 "3.6.0.Beta1", 34407 "3.6.0.Final", 34408 "3.6.1.Final", 34409 "3.6.10.Final", 34410 "3.6.2.Final", 34411 "3.6.3.Final", 34412 "3.6.4.Final", 34413 "3.6.5.Final", 34414 "3.6.6.Final", 34415 "3.6.7.Final", 34416 "3.6.8.Final", 34417 "3.6.9.Final", 34418 "3.7.0.Final", 34419 "3.7.1.Final", 34420 "3.8.0.Final", 34421 "3.8.1.Final", 34422 "3.8.2.Final", 34423 "3.8.3.Final", 34424 "3.9.0.Final", 34425 "3.9.1.1.Final", 34426 "3.9.1.Final", 34427 "3.9.2.Final", 34428 "3.9.3.Final", 34429 "3.9.4.Final", 34430 "3.9.5.Final", 34431 "3.9.6.Final", 34432 "3.9.7.Final", 34433 "3.9.8.Final", 34434 "3.9.9.Final", 34435 "4.0.0.Alpha1", 34436 "4.0.0.Alpha2", 34437 "4.0.0.Alpha3", 34438 "4.0.0.Alpha4", 34439 "4.0.0.Alpha5", 34440 "4.0.0.Alpha6", 34441 "4.0.0.Alpha7", 34442 "4.0.0.Alpha8" 34443 ] 34444 } 34445 ], 34446 "aliases": [ 34447 "CVE-2021-43797" 34448 ], 34449 "database_specific": { 34450 "cwe_ids": [ 34451 "CWE-444" 34452 ], 34453 "github_reviewed": true, 34454 "github_reviewed_at": "2021-12-09T18:17:28Z", 34455 "nvd_published_at": "2021-12-09T19:15:00Z", 34456 "severity": "MODERATE" 34457 }, 34458 "details": "### Impact\n\nNetty currently just skips control chars when these are present at the beginning / 
end of the header name. We should better fail fast as these are not allowed by the spec and could lead to HTTP request smuggling.\n\nFailing to do the validation might cause netty to \"sanitize\" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore and so not do the validation itself.\n\n", 34459 "id": "GHSA-wx5j-54mm-rqqq", 34460 "modified": "2024-02-22T05:37:31.471154Z", 34461 "published": "2021-12-09T19:09:17Z", 34462 "references": [ 34463 { 34464 "type": "WEB", 34465 "url": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq" 34466 }, 34467 { 34468 "type": "ADVISORY", 34469 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797" 34470 }, 34471 { 34472 "type": "WEB", 34473 "url": "https://github.com/netty/netty/pull/11891" 34474 }, 34475 { 34476 "type": "WEB", 34477 "url": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323" 34478 }, 34479 { 34480 "type": "WEB", 34481 "url": "https://github.com/netty/netty" 34482 }, 34483 { 34484 "type": "WEB", 34485 "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html" 34486 }, 34487 { 34488 "type": "WEB", 34489 "url": "https://security.netapp.com/advisory/ntap-20220107-0003" 34490 }, 34491 { 34492 "type": "WEB", 34493 "url": "https://www.debian.org/security/2023/dsa-5316" 34494 }, 34495 { 34496 "type": "WEB", 34497 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 34498 }, 34499 { 34500 "type": "WEB", 34501 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 34502 } 34503 ], 34504 "schema_version": "1.6.0", 34505 "severity": [ 34506 { 34507 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", 34508 "type": "CVSS_V3" 34509 } 34510 ], 34511 "summary": "HTTP request smuggling in netty" 34512 }, 34513 { 34514 "affected": [ 34515 { 34516 "database_specific": { 34517 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json" 34518 }, 34519 "package": { 34520 "ecosystem": "Maven", 34521 "name": "io.netty:netty-parent", 34522 "purl": "pkg:maven/io.netty/netty-parent" 34523 }, 34524 "ranges": [ 34525 { 34526 "events": [ 34527 { 34528 "introduced": "4.0.0" 34529 }, 34530 { 34531 "fixed": "4.0.28.Final" 34532 } 34533 ], 34534 "type": "ECOSYSTEM" 34535 } 34536 ], 34537 "versions": [ 34538 "4.0.0.Final", 34539 "4.0.1.Final", 34540 "4.0.10.Final", 34541 "4.0.11.Final", 34542 "4.0.12.Final", 34543 "4.0.13.Final", 34544 "4.0.14.Beta1", 34545 "4.0.14.Final", 34546 "4.0.15.Final", 34547 "4.0.16.Final", 34548 "4.0.17.Final", 34549 "4.0.18.Final", 34550 "4.0.19.Final", 34551 "4.0.2.Final", 34552 "4.0.20.Final", 34553 "4.0.21.Final", 34554 "4.0.22.Final", 34555 "4.0.23.Final", 34556 "4.0.24.Final", 34557 "4.0.25.Final", 34558 "4.0.26.Final", 34559 "4.0.27.Final", 34560 "4.0.3.Final", 34561 "4.0.4.Final", 34562 "4.0.5.Final", 34563 "4.0.6.Final", 34564 "4.0.7.Final", 34565 "4.0.8.Final", 34566 "4.0.9.Final" 34567 ] 34568 }, 34569 { 34570 "database_specific": { 34571 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json" 34572 }, 34573 "package": { 34574 "ecosystem": "Maven", 34575 "name": "org.jboss.netty:netty", 34576 "purl": "pkg:maven/org.jboss.netty/netty" 34577 }, 34578 "ranges": [ 34579 { 34580 "events": [ 34581 { 34582 "introduced": "0" 34583 }, 34584 { 34585 "fixed": "3.9.8.Final" 34586 } 34587 ], 34588 "type": "ECOSYSTEM" 34589 } 34590 ], 34591 "versions": [ 34592 "3.0.0.CR1", 34593 "3.0.0.CR2", 34594 "3.0.0.CR3", 34595 "3.0.0.CR4", 34596 "3.0.0.CR5", 34597 "3.0.0.GA", 34598 "3.0.1.GA", 34599 "3.0.2.GA", 34600 "3.1.0.ALPHA1", 34601 "3.1.0.ALPHA2", 34602 "3.1.0.ALPHA3", 34603 "3.1.0.ALPHA4", 34604 "3.1.0.BETA1", 34605 "3.1.0.BETA2", 34606 "3.1.0.BETA3", 34607 
"3.1.0.CR1", 34608 "3.1.0.GA", 34609 "3.1.1.GA", 34610 "3.1.2.GA", 34611 "3.1.3.GA", 34612 "3.1.4.GA", 34613 "3.1.5.GA", 34614 "3.2.0.ALPHA1", 34615 "3.2.0.ALPHA2", 34616 "3.2.0.ALPHA3", 34617 "3.2.0.ALPHA4", 34618 "3.2.0.BETA1", 34619 "3.2.0.CR1", 34620 "3.2.0.Final", 34621 "3.2.1.Final", 34622 "3.2.10.Final", 34623 "3.2.2.Final", 34624 "3.2.3.Final", 34625 "3.2.4.Final", 34626 "3.2.5.Final", 34627 "3.2.6.Final", 34628 "3.2.7.Final", 34629 "3.2.8.Final", 34630 "3.2.9.Final" 34631 ] 34632 }, 34633 { 34634 "database_specific": { 34635 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json" 34636 }, 34637 "package": { 34638 "ecosystem": "Maven", 34639 "name": "org.jboss.netty:netty", 34640 "purl": "pkg:maven/org.jboss.netty/netty" 34641 }, 34642 "ranges": [ 34643 { 34644 "events": [ 34645 { 34646 "introduced": "3.10.0" 34647 }, 34648 { 34649 "fixed": "3.10.3.Final" 34650 } 34651 ], 34652 "type": "ECOSYSTEM" 34653 } 34654 ] 34655 }, 34656 { 34657 "database_specific": { 34658 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json" 34659 }, 34660 "package": { 34661 "ecosystem": "Maven", 34662 "name": "io.netty:netty", 34663 "purl": "pkg:maven/io.netty/netty" 34664 }, 34665 "ranges": [ 34666 { 34667 "events": [ 34668 { 34669 "introduced": "3.10.0" 34670 }, 34671 { 34672 "fixed": "3.10.3.Final" 34673 } 34674 ], 34675 "type": "ECOSYSTEM" 34676 } 34677 ], 34678 "versions": [ 34679 "3.10.0.Final", 34680 "3.10.1.Final", 34681 "3.10.2.Final" 34682 ] 34683 }, 34684 { 34685 "database_specific": { 34686 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json" 34687 }, 34688 "package": { 34689 "ecosystem": "Maven", 34690 "name": "io.netty:netty", 34691 "purl": "pkg:maven/io.netty/netty" 34692 }, 34693 "ranges": [ 
34694 { 34695 "events": [ 34696 { 34697 "introduced": "0" 34698 }, 34699 { 34700 "fixed": "3.9.8.Final" 34701 } 34702 ], 34703 "type": "ECOSYSTEM" 34704 } 34705 ], 34706 "versions": [ 34707 "3.3.0.Final", 34708 "3.3.1.Final", 34709 "3.4.0.Alpha1", 34710 "3.4.0.Alpha2", 34711 "3.4.0.Beta1", 34712 "3.4.0.Final", 34713 "3.4.1.Final", 34714 "3.4.2.Final", 34715 "3.4.3.Final", 34716 "3.4.4.Final", 34717 "3.4.5.Final", 34718 "3.4.6.Final", 34719 "3.5.0.Beta1", 34720 "3.5.0.Final", 34721 "3.5.1.Final", 34722 "3.5.10.Final", 34723 "3.5.11.Final", 34724 "3.5.12.Final", 34725 "3.5.13.Final", 34726 "3.5.2.Final", 34727 "3.5.3.Final", 34728 "3.5.4.Final", 34729 "3.5.5.Final", 34730 "3.5.6.Final", 34731 "3.5.7.Final", 34732 "3.5.8.Final", 34733 "3.5.9.Final", 34734 "3.6.0.Beta1", 34735 "3.6.0.Final", 34736 "3.6.1.Final", 34737 "3.6.10.Final", 34738 "3.6.2.Final", 34739 "3.6.3.Final", 34740 "3.6.4.Final", 34741 "3.6.5.Final", 34742 "3.6.6.Final", 34743 "3.6.7.Final", 34744 "3.6.8.Final", 34745 "3.6.9.Final", 34746 "3.7.0.Final", 34747 "3.7.1.Final", 34748 "3.8.0.Final", 34749 "3.8.1.Final", 34750 "3.8.2.Final", 34751 "3.8.3.Final", 34752 "3.9.0.Final", 34753 "3.9.1.1.Final", 34754 "3.9.1.Final", 34755 "3.9.2.Final", 34756 "3.9.3.Final", 34757 "3.9.4.Final", 34758 "3.9.5.Final", 34759 "3.9.6.Final", 34760 "3.9.7.Final" 34761 ] 34762 } 34763 ], 34764 "aliases": [ 34765 "CVE-2015-2156" 34766 ], 34767 "database_specific": { 34768 "cwe_ids": [ 34769 "CWE-20" 34770 ], 34771 "github_reviewed": true, 34772 "github_reviewed_at": "2020-06-30T20:59:55Z", 34773 "nvd_published_at": null, 34774 "severity": "HIGH" 34775 }, 34776 "details": "Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.", 34777 "id": "GHSA-xfv3-rrfm-f2rv", 
34778 "modified": "2024-02-16T08:04:08.95464Z", 34779 "published": "2020-06-30T21:01:21Z", 34780 "references": [ 34781 { 34782 "type": "ADVISORY", 34783 "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2156" 34784 }, 34785 { 34786 "type": "WEB", 34787 "url": "https://github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9" 34788 }, 34789 { 34790 "type": "WEB", 34791 "url": "https://github.com/netty/netty/pull/3754" 34792 }, 34793 { 34794 "type": "WEB", 34795 "url": "https://github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55" 34796 }, 34797 { 34798 "type": "WEB", 34799 "url": "https://github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752" 34800 }, 34801 { 34802 "type": "WEB", 34803 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1222923" 34804 }, 34805 { 34806 "type": "PACKAGE", 34807 "url": "https://github.com/netty/netty" 34808 }, 34809 { 34810 "type": "WEB", 34811 "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" 34812 }, 34813 { 34814 "type": "WEB", 34815 "url": "https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E" 34816 }, 34817 { 34818 "type": "WEB", 34819 "url": "https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E" 34820 }, 34821 { 34822 "type": "WEB", 34823 "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" 34824 }, 34825 { 34826 "type": "WEB", 34827 "url": "https://snyk.io/vuln/SNYK-JAVA-IONETTY-73571" 34828 }, 34829 { 34830 "type": "WEB", 34831 "url": "https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass" 34832 }, 34833 { 34834 "type": "WEB", 34835 "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html" 34836 }, 
34837 { 34838 "type": "WEB", 34839 "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html" 34840 }, 34841 { 34842 "type": "WEB", 34843 "url": "http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html" 34844 }, 34845 { 34846 "type": "WEB", 34847 "url": "http://www.openwall.com/lists/oss-security/2015/05/17/1" 34848 }, 34849 { 34850 "type": "WEB", 34851 "url": "http://www.securityfocus.com/bid/74704" 34852 } 34853 ], 34854 "schema_version": "1.6.0", 34855 "severity": [ 34856 { 34857 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 34858 "type": "CVSS_V3" 34859 } 34860 ], 34861 "summary": "Information Exposure in Netty" 34862 }, 34863 { 34864 "affected": [ 34865 { 34866 "database_specific": { 34867 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-fx2c-96vj-985v/GHSA-fx2c-96vj-985v.json" 34868 }, 34869 "package": { 34870 "ecosystem": "Maven", 34871 "name": "io.netty:netty-codec-haproxy", 34872 "purl": "pkg:maven/io.netty/netty-codec-haproxy" 34873 }, 34874 "ranges": [ 34875 { 34876 "events": [ 34877 { 34878 "introduced": "0" 34879 }, 34880 { 34881 "fixed": "4.1.86.Final" 34882 } 34883 ], 34884 "type": "ECOSYSTEM" 34885 } 34886 ], 34887 "versions": [ 34888 "4.0.29.Final", 34889 "4.0.30.Final", 34890 "4.0.31.Final", 34891 "4.0.32.Final", 34892 "4.0.33.Final", 34893 "4.0.34.Final", 34894 "4.0.35.Final", 34895 "4.0.36.Final", 34896 "4.0.37.Final", 34897 "4.0.38.Final", 34898 "4.0.39.Final", 34899 "4.0.40.Final", 34900 "4.0.41.Final", 34901 "4.0.42.Final", 34902 "4.0.43.Final", 34903 "4.0.44.Final", 34904 "4.0.45.Final", 34905 "4.0.46.Final", 34906 "4.0.47.Final", 34907 "4.0.48.Final", 34908 "4.0.49.Final", 34909 "4.0.50.Final", 34910 "4.0.51.Final", 34911 "4.0.52.Final", 34912 "4.0.53.Final", 34913 "4.0.54.Final", 34914 "4.0.55.Final", 34915 "4.0.56.Final", 34916 "4.1.0.Beta1", 34917 "4.1.0.Beta2", 34918 "4.1.0.Beta3", 34919 "4.1.0.Beta4", 34920 "4.1.0.Beta5", 34921 "4.1.0.Beta6", 
34922 "4.1.0.Beta7", 34923 "4.1.0.Beta8", 34924 "4.1.0.CR1", 34925 "4.1.0.CR2", 34926 "4.1.0.CR3", 34927 "4.1.0.CR4", 34928 "4.1.0.CR5", 34929 "4.1.0.CR6", 34930 "4.1.0.CR7", 34931 "4.1.0.Final", 34932 "4.1.1.Final", 34933 "4.1.10.Final", 34934 "4.1.11.Final", 34935 "4.1.12.Final", 34936 "4.1.13.Final", 34937 "4.1.14.Final", 34938 "4.1.15.Final", 34939 "4.1.16.Final", 34940 "4.1.17.Final", 34941 "4.1.18.Final", 34942 "4.1.19.Final", 34943 "4.1.2.Final", 34944 "4.1.20.Final", 34945 "4.1.21.Final", 34946 "4.1.22.Final", 34947 "4.1.23.Final", 34948 "4.1.24.Final", 34949 "4.1.25.Final", 34950 "4.1.26.Final", 34951 "4.1.27.Final", 34952 "4.1.28.Final", 34953 "4.1.29.Final", 34954 "4.1.3.Final", 34955 "4.1.30.Final", 34956 "4.1.31.Final", 34957 "4.1.32.Final", 34958 "4.1.33.Final", 34959 "4.1.34.Final", 34960 "4.1.35.Final", 34961 "4.1.36.Final", 34962 "4.1.37.Final", 34963 "4.1.38.Final", 34964 "4.1.39.Final", 34965 "4.1.4.Final", 34966 "4.1.40.Final", 34967 "4.1.41.Final", 34968 "4.1.42.Final", 34969 "4.1.43.Final", 34970 "4.1.44.Final", 34971 "4.1.45.Final", 34972 "4.1.46.Final", 34973 "4.1.47.Final", 34974 "4.1.48.Final", 34975 "4.1.49.Final", 34976 "4.1.5.Final", 34977 "4.1.50.Final", 34978 "4.1.51.Final", 34979 "4.1.52.Final", 34980 "4.1.53.Final", 34981 "4.1.54.Final", 34982 "4.1.55.Final", 34983 "4.1.56.Final", 34984 "4.1.57.Final", 34985 "4.1.58.Final", 34986 "4.1.59.Final", 34987 "4.1.6.Final", 34988 "4.1.60.Final", 34989 "4.1.61.Final", 34990 "4.1.62.Final", 34991 "4.1.63.Final", 34992 "4.1.64.Final", 34993 "4.1.65.Final", 34994 "4.1.66.Final", 34995 "4.1.67.Final", 34996 "4.1.68.Final", 34997 "4.1.69.Final", 34998 "4.1.7.Final", 34999 "4.1.70.Final", 35000 "4.1.71.Final", 35001 "4.1.72.Final", 35002 "4.1.73.Final", 35003 "4.1.74.Final", 35004 "4.1.75.Final", 35005 "4.1.76.Final", 35006 "4.1.77.Final", 35007 "4.1.78.Final", 35008 "4.1.79.Final", 35009 "4.1.8.Final", 35010 "4.1.80.Final", 35011 "4.1.81.Final", 35012 "4.1.82.Final", 35013 "4.1.83.Final", 35014 
"4.1.84.Final", 35015 "4.1.85.Final", 35016 "4.1.9.Final" 35017 ] 35018 } 35019 ], 35020 "aliases": [ 35021 "CVE-2022-41881" 35022 ], 35023 "database_specific": { 35024 "cwe_ids": [ 35025 "CWE-674" 35026 ], 35027 "github_reviewed": true, 35028 "github_reviewed_at": "2022-12-12T21:24:29Z", 35029 "nvd_published_at": "2022-12-12T18:15:00Z", 35030 "severity": "MODERATE" 35031 }, 35032 "details": "### Impact\nA StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion.\n\n### Patches\nUsers should upgrade to 4.1.86.Final.\n\n### Workarounds\nThere is no workaround, except using a custom HaProxyMessageDecoder.\n\n### References\nWhen parsing a TLV with type = PP2_TYPE_SSL, the value can be again a TLV with type = PP2_TYPE_SSL and so on.\nThe only limitation of the recursion is that the TLV length cannot be bigger than 0xffff because it is encoded in an unsigned short type.\nProviding a TLV with a nesting level that is large enough will lead to raising of a StackOverflowError.\nThe StackOverflowError will be caught if HAProxyMessageDecoder is used as part of Netty’s ChannelPipeline, but using it directly without the ChannelPipeline will lead to a thrown exception / crash.\n\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [netty](https://github.com/netty/netty)\n", 35033 "id": "GHSA-fx2c-96vj-985v", 35034 "modified": "2024-02-16T08:25:02.300508Z", 35035 "published": "2022-12-12T21:24:29Z", 35036 "references": [ 35037 { 35038 "type": "WEB", 35039 "url": "https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v" 35040 }, 35041 { 35042 "type": "ADVISORY", 35043 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41881" 35044 }, 35045 { 35046 "type": "PACKAGE", 35047 "url": "https://github.com/netty/netty" 35048 }, 35049 { 35050 "type": "WEB", 35051 "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html" 35052 }, 35053 { 35054 "type": "WEB", 
35055 "url": "https://security.netapp.com/advisory/ntap-20230113-0004" 35056 }, 35057 { 35058 "type": "WEB", 35059 "url": "https://www.debian.org/security/2023/dsa-5316" 35060 } 35061 ], 35062 "related": [ 35063 "CGA-qq8h-vh95-rjgj" 35064 ], 35065 "schema_version": "1.6.0", 35066 "severity": [ 35067 { 35068 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", 35069 "type": "CVSS_V3" 35070 } 35071 ], 35072 "summary": "HAProxyMessageDecoder Stack Exhaustion DoS" 35073 }, 35074 { 35075 "affected": [ 35076 { 35077 "database_specific": { 35078 "last_known_affected_version_range": "\u003c= 4.1.76.Final", 35079 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-269q-hmxg-m83q/GHSA-269q-hmxg-m83q.json" 35080 }, 35081 "package": { 35082 "ecosystem": "Maven", 35083 "name": "io.netty:netty-codec-http", 35084 "purl": "pkg:maven/io.netty/netty-codec-http" 35085 }, 35086 "ranges": [ 35087 { 35088 "events": [ 35089 { 35090 "introduced": "0" 35091 }, 35092 { 35093 "fixed": "4.1.77.Final" 35094 } 35095 ], 35096 "type": "ECOSYSTEM" 35097 } 35098 ], 35099 "versions": [ 35100 "4.0.0.Alpha1", 35101 "4.0.0.Alpha2", 35102 "4.0.0.Alpha3", 35103 "4.0.0.Alpha4", 35104 "4.0.0.Alpha5", 35105 "4.0.0.Alpha6", 35106 "4.0.0.Alpha7", 35107 "4.0.0.Alpha8", 35108 "4.0.0.Beta1", 35109 "4.0.0.Beta2", 35110 "4.0.0.Beta3", 35111 "4.0.0.CR1", 35112 "4.0.0.CR2", 35113 "4.0.0.CR3", 35114 "4.0.0.CR4", 35115 "4.0.0.CR5", 35116 "4.0.0.CR6", 35117 "4.0.0.CR7", 35118 "4.0.0.CR8", 35119 "4.0.0.CR9", 35120 "4.0.0.Final", 35121 "4.0.1.Final", 35122 "4.0.10.Final", 35123 "4.0.11.Final", 35124 "4.0.12.Final", 35125 "4.0.13.Final", 35126 "4.0.14.Beta1", 35127 "4.0.14.Final", 35128 "4.0.15.Final", 35129 "4.0.16.Final", 35130 "4.0.17.Final", 35131 "4.0.18.Final", 35132 "4.0.19.Final", 35133 "4.0.2.Final", 35134 "4.0.20.Final", 35135 "4.0.21.Final", 35136 "4.0.22.Final", 35137 "4.0.23.Final", 35138 "4.0.24.Final", 35139 "4.0.25.Final", 35140 "4.0.26.Final", 35141 
"4.0.27.Final", 35142 "4.0.28.Final", 35143 "4.0.29.Final", 35144 "4.0.3.Final", 35145 "4.0.30.Final", 35146 "4.0.31.Final", 35147 "4.0.32.Final", 35148 "4.0.33.Final", 35149 "4.0.34.Final", 35150 "4.0.35.Final", 35151 "4.0.36.Final", 35152 "4.0.37.Final", 35153 "4.0.38.Final", 35154 "4.0.39.Final", 35155 "4.0.4.Final", 35156 "4.0.40.Final", 35157 "4.0.41.Final", 35158 "4.0.42.Final", 35159 "4.0.43.Final", 35160 "4.0.44.Final", 35161 "4.0.45.Final", 35162 "4.0.46.Final", 35163 "4.0.47.Final", 35164 "4.0.48.Final", 35165 "4.0.49.Final", 35166 "4.0.5.Final", 35167 "4.0.50.Final", 35168 "4.0.51.Final", 35169 "4.0.52.Final", 35170 "4.0.53.Final", 35171 "4.0.54.Final", 35172 "4.0.55.Final", 35173 "4.0.56.Final", 35174 "4.0.6.Final", 35175 "4.0.7.Final", 35176 "4.0.8.Final", 35177 "4.0.9.Final", 35178 "4.1.0.Beta1", 35179 "4.1.0.Beta2", 35180 "4.1.0.Beta3", 35181 "4.1.0.Beta4", 35182 "4.1.0.Beta5", 35183 "4.1.0.Beta6", 35184 "4.1.0.Beta7", 35185 "4.1.0.Beta8", 35186 "4.1.0.CR1", 35187 "4.1.0.CR2", 35188 "4.1.0.CR3", 35189 "4.1.0.CR4", 35190 "4.1.0.CR5", 35191 "4.1.0.CR6", 35192 "4.1.0.CR7", 35193 "4.1.0.Final", 35194 "4.1.1.Final", 35195 "4.1.10.Final", 35196 "4.1.11.Final", 35197 "4.1.12.Final", 35198 "4.1.13.Final", 35199 "4.1.14.Final", 35200 "4.1.15.Final", 35201 "4.1.16.Final", 35202 "4.1.17.Final", 35203 "4.1.18.Final", 35204 "4.1.19.Final", 35205 "4.1.2.Final", 35206 "4.1.20.Final", 35207 "4.1.21.Final", 35208 "4.1.22.Final", 35209 "4.1.23.Final", 35210 "4.1.24.Final", 35211 "4.1.25.Final", 35212 "4.1.26.Final", 35213 "4.1.27.Final", 35214 "4.1.28.Final", 35215 "4.1.29.Final", 35216 "4.1.3.Final", 35217 "4.1.30.Final", 35218 "4.1.31.Final", 35219 "4.1.32.Final", 35220 "4.1.33.Final", 35221 "4.1.34.Final", 35222 "4.1.35.Final", 35223 "4.1.36.Final", 35224 "4.1.37.Final", 35225 "4.1.38.Final", 35226 "4.1.39.Final", 35227 "4.1.4.Final", 35228 "4.1.40.Final", 35229 "4.1.41.Final", 35230 "4.1.42.Final", 35231 "4.1.43.Final", 35232 "4.1.44.Final", 35233 "4.1.45.Final", 
35234 "4.1.46.Final", 35235 "4.1.47.Final", 35236 "4.1.48.Final", 35237 "4.1.49.Final", 35238 "4.1.5.Final", 35239 "4.1.50.Final", 35240 "4.1.51.Final", 35241 "4.1.52.Final", 35242 "4.1.53.Final", 35243 "4.1.54.Final", 35244 "4.1.55.Final", 35245 "4.1.56.Final", 35246 "4.1.57.Final", 35247 "4.1.58.Final", 35248 "4.1.59.Final", 35249 "4.1.6.Final", 35250 "4.1.60.Final", 35251 "4.1.61.Final", 35252 "4.1.62.Final", 35253 "4.1.63.Final", 35254 "4.1.64.Final", 35255 "4.1.65.Final", 35256 "4.1.66.Final", 35257 "4.1.67.Final", 35258 "4.1.68.Final", 35259 "4.1.69.Final", 35260 "4.1.7.Final", 35261 "4.1.70.Final", 35262 "4.1.71.Final", 35263 "4.1.72.Final", 35264 "4.1.73.Final", 35265 "4.1.74.Final", 35266 "4.1.75.Final", 35267 "4.1.76.Final", 35268 "4.1.8.Final", 35269 "4.1.9.Final" 35270 ] 35271 } 35272 ], 35273 "aliases": [ 35274 "CVE-2021-21290", 35275 "CVE-2022-24823", 35276 "GHSA-5mcr-gq6c-3hq2" 35277 ], 35278 "database_specific": { 35279 "cwe_ids": [ 35280 "CWE-378", 35281 "CWE-379", 35282 "CWE-668" 35283 ], 35284 "github_reviewed": true, 35285 "github_reviewed_at": "2022-05-10T08:46:50Z", 35286 "nvd_published_at": "2022-05-06T12:15:00Z", 35287 "severity": "MODERATE" 35288 }, 35289 "details": "### Description ###\n[GHSA-5mcr-gq6c-3hq2](https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2) (CVE-2021-21290) contains an insufficient fix for the vulnerability identified.\n\n### Impact ###\n\nWhen netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled.\n\nThis only impacts applications running on Java version 6 and lower. 
Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users.\n\n### Vulnerability Details ###\n\nTo fix the vulnerability the code was changed to the following:\n\n```java\n @SuppressJava6Requirement(reason = \"Guarded by version check\")\n public static File createTempFile(String prefix, String suffix, File directory) throws IOException {\n if (javaVersion() \u003e= 7) {\n if (directory == null) {\n return Files.createTempFile(prefix, suffix).toFile();\n }\n return Files.createTempFile(directory.toPath(), prefix, suffix).toFile();\n }\n if (directory == null) {\n return File.createTempFile(prefix, suffix);\n }\n File file = File.createTempFile(prefix, suffix, directory);\n // Try to adjust the perms, if this fails there is not much else we can do...\n file.setReadable(false, false);\n file.setReadable(true, true);\n return file;\n }\n```\n\nUnfortunately, this logic path was left vulnerable:\n\n```java\n if (directory == null) {\n return File.createTempFile(prefix, suffix);\n }\n```\n\nThis file is still readable by all local users.\n\n### Patches ###\n\nUpdate to 4.1.77.Final\n\n### Workarounds ###\n\nSpecify your own `java.io.tmpdir` when you start the JVM or use `DefaultHttpDataFactory.setBaseDir(...)` to set the directory to something that is only readable by the current user or update to Java 7 or above.\n\n### References ###\n\n - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\n\n\n### For more information ###\n\nIf you have any questions or comments about this advisory:\n\nOpen an issue in [netty](https://github.com/netty/netty)\n", 35290 "id": "GHSA-269q-hmxg-m83q", 35291 "modified": "2024-08-01T07:56:47.8225Z", 35292 "published": 
"2022-05-10T08:46:50Z", 35293 "references": [ 35294 { 35295 "type": "WEB", 35296 "url": "https://github.com/netty/netty/security/advisories/GHSA-269q-hmxg-m83q" 35297 }, 35298 { 35299 "type": "WEB", 35300 "url": "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2" 35301 }, 35302 { 35303 "type": "ADVISORY", 35304 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24823" 35305 }, 35306 { 35307 "type": "WEB", 35308 "url": "https://github.com/netty/netty/commit/185f8b2756a36aaa4f973f1a2a025e7d981823f1" 35309 }, 35310 { 35311 "type": "PACKAGE", 35312 "url": "https://github.com/netty/netty" 35313 }, 35314 { 35315 "type": "WEB", 35316 "url": "https://security.netapp.com/advisory/ntap-20220616-0004" 35317 }, 35318 { 35319 "type": "WEB", 35320 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 35321 } 35322 ], 35323 "related": [ 35324 "CGA-m5h3-2wph-f949" 35325 ], 35326 "schema_version": "1.6.0", 35327 "severity": [ 35328 { 35329 "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", 35330 "type": "CVSS_V3" 35331 } 35332 ], 35333 "summary": "Local Information Disclosure Vulnerability in io.netty:netty-codec-http" 35334 }, 35335 { 35336 "affected": [ 35337 { 35338 "database_specific": { 35339 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-5jpm-x58v-624v/GHSA-5jpm-x58v-624v.json" 35340 }, 35341 "package": { 35342 "ecosystem": "Maven", 35343 "name": "io.netty:netty-codec-http", 35344 "purl": "pkg:maven/io.netty/netty-codec-http" 35345 }, 35346 "ranges": [ 35347 { 35348 "events": [ 35349 { 35350 "introduced": "0" 35351 }, 35352 { 35353 "fixed": "4.1.108.Final" 35354 } 35355 ], 35356 "type": "ECOSYSTEM" 35357 } 35358 ], 35359 "versions": [ 35360 "4.0.0.Alpha1", 35361 "4.0.0.Alpha2", 35362 "4.0.0.Alpha3", 35363 "4.0.0.Alpha4", 35364 "4.0.0.Alpha5", 35365 "4.0.0.Alpha6", 35366 "4.0.0.Alpha7", 35367 "4.0.0.Alpha8", 35368 "4.0.0.Beta1", 35369 "4.0.0.Beta2", 35370 "4.0.0.Beta3", 35371 
"4.0.0.CR1", 35372 "4.0.0.CR2", 35373 "4.0.0.CR3", 35374 "4.0.0.CR4", 35375 "4.0.0.CR5", 35376 "4.0.0.CR6", 35377 "4.0.0.CR7", 35378 "4.0.0.CR8", 35379 "4.0.0.CR9", 35380 "4.0.0.Final", 35381 "4.0.1.Final", 35382 "4.0.10.Final", 35383 "4.0.11.Final", 35384 "4.0.12.Final", 35385 "4.0.13.Final", 35386 "4.0.14.Beta1", 35387 "4.0.14.Final", 35388 "4.0.15.Final", 35389 "4.0.16.Final", 35390 "4.0.17.Final", 35391 "4.0.18.Final", 35392 "4.0.19.Final", 35393 "4.0.2.Final", 35394 "4.0.20.Final", 35395 "4.0.21.Final", 35396 "4.0.22.Final", 35397 "4.0.23.Final", 35398 "4.0.24.Final", 35399 "4.0.25.Final", 35400 "4.0.26.Final", 35401 "4.0.27.Final", 35402 "4.0.28.Final", 35403 "4.0.29.Final", 35404 "4.0.3.Final", 35405 "4.0.30.Final", 35406 "4.0.31.Final", 35407 "4.0.32.Final", 35408 "4.0.33.Final", 35409 "4.0.34.Final", 35410 "4.0.35.Final", 35411 "4.0.36.Final", 35412 "4.0.37.Final", 35413 "4.0.38.Final", 35414 "4.0.39.Final", 35415 "4.0.4.Final", 35416 "4.0.40.Final", 35417 "4.0.41.Final", 35418 "4.0.42.Final", 35419 "4.0.43.Final", 35420 "4.0.44.Final", 35421 "4.0.45.Final", 35422 "4.0.46.Final", 35423 "4.0.47.Final", 35424 "4.0.48.Final", 35425 "4.0.49.Final", 35426 "4.0.5.Final", 35427 "4.0.50.Final", 35428 "4.0.51.Final", 35429 "4.0.52.Final", 35430 "4.0.53.Final", 35431 "4.0.54.Final", 35432 "4.0.55.Final", 35433 "4.0.56.Final", 35434 "4.0.6.Final", 35435 "4.0.7.Final", 35436 "4.0.8.Final", 35437 "4.0.9.Final", 35438 "4.1.0.Beta1", 35439 "4.1.0.Beta2", 35440 "4.1.0.Beta3", 35441 "4.1.0.Beta4", 35442 "4.1.0.Beta5", 35443 "4.1.0.Beta6", 35444 "4.1.0.Beta7", 35445 "4.1.0.Beta8", 35446 "4.1.0.CR1", 35447 "4.1.0.CR2", 35448 "4.1.0.CR3", 35449 "4.1.0.CR4", 35450 "4.1.0.CR5", 35451 "4.1.0.CR6", 35452 "4.1.0.CR7", 35453 "4.1.0.Final", 35454 "4.1.1.Final", 35455 "4.1.10.Final", 35456 "4.1.100.Final", 35457 "4.1.101.Final", 35458 "4.1.102.Final", 35459 "4.1.103.Final", 35460 "4.1.104.Final", 35461 "4.1.105.Final", 35462 "4.1.106.Final", 35463 "4.1.107.Final", 35464 
"4.1.11.Final", 35465 "4.1.12.Final", 35466 "4.1.13.Final", 35467 "4.1.14.Final", 35468 "4.1.15.Final", 35469 "4.1.16.Final", 35470 "4.1.17.Final", 35471 "4.1.18.Final", 35472 "4.1.19.Final", 35473 "4.1.2.Final", 35474 "4.1.20.Final", 35475 "4.1.21.Final", 35476 "4.1.22.Final", 35477 "4.1.23.Final", 35478 "4.1.24.Final", 35479 "4.1.25.Final", 35480 "4.1.26.Final", 35481 "4.1.27.Final", 35482 "4.1.28.Final", 35483 "4.1.29.Final", 35484 "4.1.3.Final", 35485 "4.1.30.Final", 35486 "4.1.31.Final", 35487 "4.1.32.Final", 35488 "4.1.33.Final", 35489 "4.1.34.Final", 35490 "4.1.35.Final", 35491 "4.1.36.Final", 35492 "4.1.37.Final", 35493 "4.1.38.Final", 35494 "4.1.39.Final", 35495 "4.1.4.Final", 35496 "4.1.40.Final", 35497 "4.1.41.Final", 35498 "4.1.42.Final", 35499 "4.1.43.Final", 35500 "4.1.44.Final", 35501 "4.1.45.Final", 35502 "4.1.46.Final", 35503 "4.1.47.Final", 35504 "4.1.48.Final", 35505 "4.1.49.Final", 35506 "4.1.5.Final", 35507 "4.1.50.Final", 35508 "4.1.51.Final", 35509 "4.1.52.Final", 35510 "4.1.53.Final", 35511 "4.1.54.Final", 35512 "4.1.55.Final", 35513 "4.1.56.Final", 35514 "4.1.57.Final", 35515 "4.1.58.Final", 35516 "4.1.59.Final", 35517 "4.1.6.Final", 35518 "4.1.60.Final", 35519 "4.1.61.Final", 35520 "4.1.62.Final", 35521 "4.1.63.Final", 35522 "4.1.64.Final", 35523 "4.1.65.Final", 35524 "4.1.66.Final", 35525 "4.1.67.Final", 35526 "4.1.68.Final", 35527 "4.1.69.Final", 35528 "4.1.7.Final", 35529 "4.1.70.Final", 35530 "4.1.71.Final", 35531 "4.1.72.Final", 35532 "4.1.73.Final", 35533 "4.1.74.Final", 35534 "4.1.75.Final", 35535 "4.1.76.Final", 35536 "4.1.77.Final", 35537 "4.1.78.Final", 35538 "4.1.79.Final", 35539 "4.1.8.Final", 35540 "4.1.80.Final", 35541 "4.1.81.Final", 35542 "4.1.82.Final", 35543 "4.1.83.Final", 35544 "4.1.84.Final", 35545 "4.1.85.Final", 35546 "4.1.86.Final", 35547 "4.1.87.Final", 35548 "4.1.88.Final", 35549 "4.1.89.Final", 35550 "4.1.9.Final", 35551 "4.1.90.Final", 35552 "4.1.91.Final", 35553 "4.1.92.Final", 35554 "4.1.93.Final", 35555 
"4.1.94.Final", 35556 "4.1.95.Final", 35557 "4.1.96.Final", 35558 "4.1.97.Final", 35559 "4.1.98.Final", 35560 "4.1.99.Final" 35561 ] 35562 } 35563 ], 35564 "aliases": [ 35565 "CVE-2024-29025" 35566 ], 35567 "database_specific": { 35568 "cwe_ids": [ 35569 "CWE-770" 35570 ], 35571 "github_reviewed": true, 35572 "github_reviewed_at": "2024-03-25T19:40:50Z", 35573 "nvd_published_at": "2024-03-25T20:15:08Z", 35574 "severity": "MODERATE" 35575 }, 35576 "details": "### Summary\nThe `HttpPostRequestDecoder` can be tricked to accumulate data. I have spotted currently two attack vectors \n\n### Details\n1. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list.\n2. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field, this field can cumulate data without limits\n\n### PoC\n\nHere is a Netty branch that provides a fix + tests : https://github.com/vietj/netty/tree/post-request-decoder\n\n\nHere is a reproducer with Vert.x (which uses this decoder) https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3\n\n### Impact\nAny Netty based HTTP server that uses the `HttpPostRequestDecoder` to decode a form.", 35577 "id": "GHSA-5jpm-x58v-624v", 35578 "modified": "2024-07-15T22:12:27.45622Z", 35579 "published": "2024-03-25T19:40:50Z", 35580 "references": [ 35581 { 35582 "type": "WEB", 35583 "url": "https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v" 35584 }, 35585 { 35586 "type": "ADVISORY", 35587 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29025" 35588 }, 35589 { 35590 "type": "WEB", 35591 "url": "https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c" 35592 }, 35593 { 35594 "type": "WEB", 35595 "url": "https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3" 35596 }, 35597 { 35598 "type": 
"PACKAGE", 35599 "url": "https://github.com/netty/netty" 35600 }, 35601 { 35602 "type": "WEB", 35603 "url": "https://github.com/vietj/netty/tree/post-request-decoder" 35604 }, 35605 { 35606 "type": "WEB", 35607 "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00015.html" 35608 } 35609 ], 35610 "related": [ 35611 "CGA-6cwx-g7qh-f32h", 35612 "CGA-7p98-j4rx-8p2r", 35613 "CGA-c95w-hpgw-m6fm", 35614 "CGA-cx4c-8h3v-frh7", 35615 "CGA-cx67-5fmv-3xqf", 35616 "CGA-hc93-8f6j-gjx4", 35617 "CGA-hfg5-99f4-gpwm", 35618 "CGA-jx63-354g-58c6", 35619 "CGA-mgv4-g226-vxr2", 35620 "CGA-q576-4g28-x6p5", 35621 "CGA-r5f9-9h89-fvvx", 35622 "CGA-vcc9-rm4p-6mgh", 35623 "CGA-wgjc-48pj-2f8c", 35624 "CGA-whmv-c3jv-fc9f", 35625 "CGA-wqhj-xxjq-qrjf", 35626 "CGA-x7wj-6xrg-5wpm" 35627 ], 35628 "schema_version": "1.6.0", 35629 "severity": [ 35630 { 35631 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", 35632 "type": "CVSS_V3" 35633 } 35634 ], 35635 "summary": "Netty's HttpPostRequestDecoder can OOM" 35636 }, 35637 { 35638 "affected": [ 35639 { 35640 "database_specific": { 35641 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-hh82-3pmq-7frp/GHSA-hh82-3pmq-7frp.json" 35642 }, 35643 "package": { 35644 "ecosystem": "Maven", 35645 "name": "io.netty:netty-codec-http", 35646 "purl": "pkg:maven/io.netty/netty-codec-http" 35647 }, 35648 "ranges": [ 35649 { 35650 "events": [ 35651 { 35652 "introduced": "4.1.83.Final" 35653 }, 35654 { 35655 "fixed": "4.1.86.Final" 35656 } 35657 ], 35658 "type": "ECOSYSTEM" 35659 } 35660 ], 35661 "versions": [ 35662 "4.1.83.Final", 35663 "4.1.84.Final", 35664 "4.1.85.Final" 35665 ] 35666 } 35667 ], 35668 "aliases": [ 35669 "CVE-2022-41915" 35670 ], 35671 "database_specific": { 35672 "cwe_ids": [ 35673 "CWE-113", 35674 "CWE-436" 35675 ], 35676 "github_reviewed": true, 35677 "github_reviewed_at": "2022-12-12T21:25:44Z", 35678 "nvd_published_at": "2022-12-13T07:15:00Z", 35679 "severity": "MODERATE" 
35680 }, 35681 "details": "### Impact\nWhen calling `DefaultHttpHeaders.set` with an _iterator_ of values (as opposed to a single given value), header value validation was not performed, allowing malicious header values in the iterator to perform [HTTP Response Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting).\n\n### Patches\nThe necessary validation was added in Netty 4.1.86.Final.\n\n### Workarounds\nIntegrators can work around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator\u003c?\u003e)` call, into a `remove()` call, and call `add()` in a loop over the iterator of values.\n\n### References\n[HTTP Response Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)\n[CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers](https://cwe.mitre.org/data/definitions/113.html)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [[example link to repo](https://github.com/netty/netty)](https://github.com/netty/netty)\n* Email us at [netty-security@googlegroups.com](mailto:netty-security@googlegroups.com)\n", 35682 "id": "GHSA-hh82-3pmq-7frp", 35683 "modified": "2024-02-16T08:16:47.348878Z", 35684 "published": "2022-12-12T21:25:44Z", 35685 "references": [ 35686 { 35687 "type": "WEB", 35688 "url": "https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp" 35689 }, 35690 { 35691 "type": "ADVISORY", 35692 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41915" 35693 }, 35694 { 35695 "type": "WEB", 35696 "url": "https://github.com/netty/netty/issues/13084" 35697 }, 35698 { 35699 "type": "WEB", 35700 "url": "https://github.com/netty/netty/pull/12760" 35701 }, 35702 { 35703 "type": "WEB", 35704 "url": "https://github.com/netty/netty/commit/c37c637f096e7be3dffd36edee3455c8e90cb1b0" 35705 }, 35706 { 35707 "type": "WEB", 35708 "url": "https://github.com/netty/netty/commit/fe18adff1c2b333acb135ab779a3b9ba3295a1c4" 35709 }, 35710 { 
35711 "type": "WEB", 35712 "url": "https://github.com/netty/netty" 35713 }, 35714 { 35715 "type": "WEB", 35716 "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html" 35717 }, 35718 { 35719 "type": "WEB", 35720 "url": "https://security.netapp.com/advisory/ntap-20230113-0004" 35721 }, 35722 { 35723 "type": "WEB", 35724 "url": "https://www.debian.org/security/2023/dsa-5316" 35725 } 35726 ], 35727 "schema_version": "1.6.0", 35728 "severity": [ 35729 { 35730 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", 35731 "type": "CVSS_V3" 35732 } 35733 ], 35734 "summary": "Netty vulnerable to HTTP Response splitting from assigning header value iterator" 35735 }, 35736 { 35737 "affected": [ 35738 { 35739 "database_specific": { 35740 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-xpw8-rcwv-8f8p/GHSA-xpw8-rcwv-8f8p.json" 35741 }, 35742 "package": { 35743 "ecosystem": "Maven", 35744 "name": "io.netty:netty-codec-http2", 35745 "purl": "pkg:maven/io.netty/netty-codec-http2" 35746 }, 35747 "ranges": [ 35748 { 35749 "events": [ 35750 { 35751 "introduced": "0" 35752 }, 35753 { 35754 "fixed": "4.1.100.Final" 35755 } 35756 ], 35757 "type": "ECOSYSTEM" 35758 } 35759 ], 35760 "versions": [ 35761 "4.1.0.Beta4", 35762 "4.1.0.Beta5", 35763 "4.1.0.Beta6", 35764 "4.1.0.Beta7", 35765 "4.1.0.Beta8", 35766 "4.1.0.CR1", 35767 "4.1.0.CR2", 35768 "4.1.0.CR3", 35769 "4.1.0.CR4", 35770 "4.1.0.CR5", 35771 "4.1.0.CR6", 35772 "4.1.0.CR7", 35773 "4.1.0.Final", 35774 "4.1.1.Final", 35775 "4.1.10.Final", 35776 "4.1.11.Final", 35777 "4.1.12.Final", 35778 "4.1.13.Final", 35779 "4.1.14.Final", 35780 "4.1.15.Final", 35781 "4.1.16.Final", 35782 "4.1.17.Final", 35783 "4.1.18.Final", 35784 "4.1.19.Final", 35785 "4.1.2.Final", 35786 "4.1.20.Final", 35787 "4.1.21.Final", 35788 "4.1.22.Final", 35789 "4.1.23.Final", 35790 "4.1.24.Final", 35791 "4.1.25.Final", 35792 "4.1.26.Final", 35793 "4.1.27.Final", 35794 "4.1.28.Final", 35795 
"4.1.29.Final", 35796 "4.1.3.Final", 35797 "4.1.30.Final", 35798 "4.1.31.Final", 35799 "4.1.32.Final", 35800 "4.1.33.Final", 35801 "4.1.34.Final", 35802 "4.1.35.Final", 35803 "4.1.36.Final", 35804 "4.1.37.Final", 35805 "4.1.38.Final", 35806 "4.1.39.Final", 35807 "4.1.4.Final", 35808 "4.1.40.Final", 35809 "4.1.41.Final", 35810 "4.1.42.Final", 35811 "4.1.43.Final", 35812 "4.1.44.Final", 35813 "4.1.45.Final", 35814 "4.1.46.Final", 35815 "4.1.47.Final", 35816 "4.1.48.Final", 35817 "4.1.49.Final", 35818 "4.1.5.Final", 35819 "4.1.50.Final", 35820 "4.1.51.Final", 35821 "4.1.52.Final", 35822 "4.1.53.Final", 35823 "4.1.54.Final", 35824 "4.1.55.Final", 35825 "4.1.56.Final", 35826 "4.1.57.Final", 35827 "4.1.58.Final", 35828 "4.1.59.Final", 35829 "4.1.6.Final", 35830 "4.1.60.Final", 35831 "4.1.61.Final", 35832 "4.1.62.Final", 35833 "4.1.63.Final", 35834 "4.1.64.Final", 35835 "4.1.65.Final", 35836 "4.1.66.Final", 35837 "4.1.67.Final", 35838 "4.1.68.Final", 35839 "4.1.69.Final", 35840 "4.1.7.Final", 35841 "4.1.70.Final", 35842 "4.1.71.Final", 35843 "4.1.72.Final", 35844 "4.1.73.Final", 35845 "4.1.74.Final", 35846 "4.1.75.Final", 35847 "4.1.76.Final", 35848 "4.1.77.Final", 35849 "4.1.78.Final", 35850 "4.1.79.Final", 35851 "4.1.8.Final", 35852 "4.1.80.Final", 35853 "4.1.81.Final", 35854 "4.1.82.Final", 35855 "4.1.83.Final", 35856 "4.1.84.Final", 35857 "4.1.85.Final", 35858 "4.1.86.Final", 35859 "4.1.87.Final", 35860 "4.1.88.Final", 35861 "4.1.89.Final", 35862 "4.1.9.Final", 35863 "4.1.90.Final", 35864 "4.1.91.Final", 35865 "4.1.92.Final", 35866 "4.1.93.Final", 35867 "4.1.94.Final", 35868 "4.1.95.Final", 35869 "4.1.96.Final", 35870 "4.1.97.Final", 35871 "4.1.98.Final", 35872 "4.1.99.Final" 35873 ] 35874 } 35875 ], 35876 "database_specific": { 35877 "cwe_ids": [ 35878 "CWE-400" 35879 ], 35880 "github_reviewed": true, 35881 "github_reviewed_at": "2023-10-10T22:22:54Z", 35882 "nvd_published_at": null, 35883 "severity": "HIGH" 35884 }, 35885 "details": "A client might overload the 
server by issue frequent RST frames. This can cause a massive amount of load on the remote system and so cause a DDOS attack. \n\n### Impact\nThis is a DDOS attack, any http2 server is affected and so you should update as soon as possible.\n\n### Patches\nThis is patched in version 4.1.100.Final.\n\n### Workarounds\nA user can limit the amount of RST frames that are accepted per connection over a timeframe manually using either an own `Http2FrameListener` implementation or an `ChannelInboundHandler` implementation (depending which http2 API is used).\n\n### References\n- https://www.cve.org/CVERecord?id=CVE-2023-44487\n- https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/\n- https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/", 35886 "id": "GHSA-xpw8-rcwv-8f8p", 35887 "modified": "2024-02-16T08:23:58.662031Z", 35888 "published": "2023-10-10T22:22:54Z", 35889 "references": [ 35890 { 35891 "type": "WEB", 35892 "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3" 35893 }, 35894 { 35895 "type": "WEB", 35896 "url": "https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p" 35897 }, 35898 { 35899 "type": "ADVISORY", 35900 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487" 35901 }, 35902 { 35903 "type": "WEB", 35904 "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" 35905 }, 35906 { 35907 "type": "PACKAGE", 35908 "url": "https://github.com/netty/netty" 35909 }, 35910 { 35911 "type": "WEB", 35912 "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487" 35913 } 35914 ], 35915 "related": [ 35916 "CGA-6774-f4f4-5fh3", 35917 "CGA-765w-472h-4f7c", 35918 "CGA-f5mc-g9q8-mr85", 35919 "CGA-gj3m-h2vc-j7mc", 35920 "CGA-qjh4-gp5w-hg7r" 35921 ], 35922 "schema_version": "1.6.0", 35923 "severity": [ 35924 { 35925 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 35926 "type": 
"CVSS_V3" 35927 } 35928 ], 35929 "summary": "io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack" 35930 }, 35931 { 35932 "affected": [ 35933 { 35934 "database_specific": { 35935 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-6mjq-h674-j845/GHSA-6mjq-h674-j845.json" 35936 }, 35937 "package": { 35938 "ecosystem": "Maven", 35939 "name": "io.netty:netty-handler", 35940 "purl": "pkg:maven/io.netty/netty-handler" 35941 }, 35942 "ranges": [ 35943 { 35944 "events": [ 35945 { 35946 "introduced": "0" 35947 }, 35948 { 35949 "fixed": "4.1.94.Final" 35950 } 35951 ], 35952 "type": "ECOSYSTEM" 35953 } 35954 ], 35955 "versions": [ 35956 "4.0.0.Alpha1", 35957 "4.0.0.Alpha2", 35958 "4.0.0.Alpha3", 35959 "4.0.0.Alpha4", 35960 "4.0.0.Alpha5", 35961 "4.0.0.Alpha6", 35962 "4.0.0.Alpha7", 35963 "4.0.0.Alpha8", 35964 "4.0.0.Beta1", 35965 "4.0.0.Beta2", 35966 "4.0.0.Beta3", 35967 "4.0.0.CR1", 35968 "4.0.0.CR2", 35969 "4.0.0.CR3", 35970 "4.0.0.CR4", 35971 "4.0.0.CR5", 35972 "4.0.0.CR6", 35973 "4.0.0.CR7", 35974 "4.0.0.CR8", 35975 "4.0.0.CR9", 35976 "4.0.0.Final", 35977 "4.0.1.Final", 35978 "4.0.10.Final", 35979 "4.0.11.Final", 35980 "4.0.12.Final", 35981 "4.0.13.Final", 35982 "4.0.14.Beta1", 35983 "4.0.14.Final", 35984 "4.0.15.Final", 35985 "4.0.16.Final", 35986 "4.0.17.Final", 35987 "4.0.18.Final", 35988 "4.0.19.Final", 35989 "4.0.2.Final", 35990 "4.0.20.Final", 35991 "4.0.21.Final", 35992 "4.0.22.Final", 35993 "4.0.23.Final", 35994 "4.0.24.Final", 35995 "4.0.25.Final", 35996 "4.0.26.Final", 35997 "4.0.27.Final", 35998 "4.0.28.Final", 35999 "4.0.29.Final", 36000 "4.0.3.Final", 36001 "4.0.30.Final", 36002 "4.0.31.Final", 36003 "4.0.32.Final", 36004 "4.0.33.Final", 36005 "4.0.34.Final", 36006 "4.0.35.Final", 36007 "4.0.36.Final", 36008 "4.0.37.Final", 36009 "4.0.38.Final", 36010 "4.0.39.Final", 36011 "4.0.4.Final", 36012 "4.0.40.Final", 36013 "4.0.41.Final", 36014 "4.0.42.Final", 36015 "4.0.43.Final", 36016 
"4.0.44.Final", 36017 "4.0.45.Final", 36018 "4.0.46.Final", 36019 "4.0.47.Final", 36020 "4.0.48.Final", 36021 "4.0.49.Final", 36022 "4.0.5.Final", 36023 "4.0.50.Final", 36024 "4.0.51.Final", 36025 "4.0.52.Final", 36026 "4.0.53.Final", 36027 "4.0.54.Final", 36028 "4.0.55.Final", 36029 "4.0.56.Final", 36030 "4.0.6.Final", 36031 "4.0.7.Final", 36032 "4.0.8.Final", 36033 "4.0.9.Final", 36034 "4.1.0.Beta1", 36035 "4.1.0.Beta2", 36036 "4.1.0.Beta3", 36037 "4.1.0.Beta4", 36038 "4.1.0.Beta5", 36039 "4.1.0.Beta6", 36040 "4.1.0.Beta7", 36041 "4.1.0.Beta8", 36042 "4.1.0.CR1", 36043 "4.1.0.CR2", 36044 "4.1.0.CR3", 36045 "4.1.0.CR4", 36046 "4.1.0.CR5", 36047 "4.1.0.CR6", 36048 "4.1.0.CR7", 36049 "4.1.0.Final", 36050 "4.1.1.Final", 36051 "4.1.10.Final", 36052 "4.1.11.Final", 36053 "4.1.12.Final", 36054 "4.1.13.Final", 36055 "4.1.14.Final", 36056 "4.1.15.Final", 36057 "4.1.16.Final", 36058 "4.1.17.Final", 36059 "4.1.18.Final", 36060 "4.1.19.Final", 36061 "4.1.2.Final", 36062 "4.1.20.Final", 36063 "4.1.21.Final", 36064 "4.1.22.Final", 36065 "4.1.23.Final", 36066 "4.1.24.Final", 36067 "4.1.25.Final", 36068 "4.1.26.Final", 36069 "4.1.27.Final", 36070 "4.1.28.Final", 36071 "4.1.29.Final", 36072 "4.1.3.Final", 36073 "4.1.30.Final", 36074 "4.1.31.Final", 36075 "4.1.32.Final", 36076 "4.1.33.Final", 36077 "4.1.34.Final", 36078 "4.1.35.Final", 36079 "4.1.36.Final", 36080 "4.1.37.Final", 36081 "4.1.38.Final", 36082 "4.1.39.Final", 36083 "4.1.4.Final", 36084 "4.1.40.Final", 36085 "4.1.41.Final", 36086 "4.1.42.Final", 36087 "4.1.43.Final", 36088 "4.1.44.Final", 36089 "4.1.45.Final", 36090 "4.1.46.Final", 36091 "4.1.47.Final", 36092 "4.1.48.Final", 36093 "4.1.49.Final", 36094 "4.1.5.Final", 36095 "4.1.50.Final", 36096 "4.1.51.Final", 36097 "4.1.52.Final", 36098 "4.1.53.Final", 36099 "4.1.54.Final", 36100 "4.1.55.Final", 36101 "4.1.56.Final", 36102 "4.1.57.Final", 36103 "4.1.58.Final", 36104 "4.1.59.Final", 36105 "4.1.6.Final", 36106 "4.1.60.Final", 36107 "4.1.61.Final", 36108 "4.1.62.Final", 
36109 "4.1.63.Final", 36110 "4.1.64.Final", 36111 "4.1.65.Final", 36112 "4.1.66.Final", 36113 "4.1.67.Final", 36114 "4.1.68.Final", 36115 "4.1.69.Final", 36116 "4.1.7.Final", 36117 "4.1.70.Final", 36118 "4.1.71.Final", 36119 "4.1.72.Final", 36120 "4.1.73.Final", 36121 "4.1.74.Final", 36122 "4.1.75.Final", 36123 "4.1.76.Final", 36124 "4.1.77.Final", 36125 "4.1.78.Final", 36126 "4.1.79.Final", 36127 "4.1.8.Final", 36128 "4.1.80.Final", 36129 "4.1.81.Final", 36130 "4.1.82.Final", 36131 "4.1.83.Final", 36132 "4.1.84.Final", 36133 "4.1.85.Final", 36134 "4.1.86.Final", 36135 "4.1.87.Final", 36136 "4.1.88.Final", 36137 "4.1.89.Final", 36138 "4.1.9.Final", 36139 "4.1.90.Final", 36140 "4.1.91.Final", 36141 "4.1.92.Final", 36142 "4.1.93.Final" 36143 ] 36144 } 36145 ], 36146 "aliases": [ 36147 "CVE-2023-34462" 36148 ], 36149 "database_specific": { 36150 "cwe_ids": [ 36151 "CWE-400", 36152 "CWE-770" 36153 ], 36154 "github_reviewed": true, 36155 "github_reviewed_at": "2023-06-20T16:33:22Z", 36156 "nvd_published_at": "2023-06-22T23:15:09Z", 36157 "severity": "MODERATE" 36158 }, 36159 "details": "### Summary\nThe `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap.\n\n### Details\nThe `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. 
\n\nNormally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`\n\n1/ allocate a 16MB `ByteBuf`\n2/ not fail `decode` method `in` buffer\n3/ get out of the loop without an exception\n\nThe combination of this without the use of a timeout makes easy to connect to a TCP server and allocate 16MB of heap memory per connection.\n\n### Impact\nIf the user has no idle timeout handler configured it might be possible for a remote peer to send a client hello packet which lead the server to buffer up to 16MB of data per connection. This could lead to a OutOfMemoryError and so result in a DDOS.", 36160 "id": "GHSA-6mjq-h674-j845", 36161 "modified": "2024-06-25T02:35:08.283799Z", 36162 "published": "2023-06-20T16:33:22Z", 36163 "references": [ 36164 { 36165 "type": "WEB", 36166 "url": "https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845" 36167 }, 36168 { 36169 "type": "ADVISORY", 36170 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34462" 36171 }, 36172 { 36173 "type": "WEB", 36174 "url": "https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32" 36175 }, 36176 { 36177 "type": "PACKAGE", 36178 "url": "https://github.com/netty/netty" 36179 }, 36180 { 36181 "type": "WEB", 36182 "url": "https://security.netapp.com/advisory/ntap-20230803-0001" 36183 }, 36184 { 36185 "type": "WEB", 36186 "url": "https://security.netapp.com/advisory/ntap-20240621-0007" 36187 }, 36188 { 36189 "type": "WEB", 36190 "url": "https://www.debian.org/security/2023/dsa-5558" 36191 } 36192 ], 36193 "related": [ 36194 "CGA-cp7x-r3q6-pfcj", 36195 "CGA-r5mp-477x-xh5j", 36196 "CGA-rq5c-v396-7c72" 36197 ], 36198 "schema_version": "1.6.0", 36199 "severity": [ 36200 { 36201 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", 36202 "type": "CVSS_V3" 36203 } 36204 ], 36205 "summary": "netty-handler SniHandler 16MB 
allocation" 36206 }, 36207 { 36208 "affected": [ 36209 { 36210 "database_specific": { 36211 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-9959-6p3m-wxpc/GHSA-9959-6p3m-wxpc.json" 36212 }, 36213 "package": { 36214 "ecosystem": "Maven", 36215 "name": "io.netty:netty-handler", 36216 "purl": "pkg:maven/io.netty/netty-handler" 36217 }, 36218 "ranges": [ 36219 { 36220 "events": [ 36221 { 36222 "introduced": "0" 36223 }, 36224 { 36225 "fixed": "3.9.2" 36226 } 36227 ], 36228 "type": "ECOSYSTEM" 36229 } 36230 ] 36231 } 36232 ], 36233 "aliases": [ 36234 "CVE-2014-3488" 36235 ], 36236 "database_specific": { 36237 "cwe_ids": [ 36238 "CWE-119" 36239 ], 36240 "github_reviewed": true, 36241 "github_reviewed_at": "2020-06-30T20:50:42Z", 36242 "nvd_published_at": null, 36243 "severity": "MODERATE" 36244 }, 36245 "details": "The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.", 36246 "id": "GHSA-9959-6p3m-wxpc", 36247 "modified": "2023-11-08T03:57:37.697735Z", 36248 "published": "2020-06-30T21:01:31Z", 36249 "references": [ 36250 { 36251 "type": "ADVISORY", 36252 "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3488" 36253 }, 36254 { 36255 "type": "WEB", 36256 "url": "https://github.com/netty/netty/issues/2562" 36257 }, 36258 { 36259 "type": "WEB", 36260 "url": "https://github.com/netty/netty/commit/2fa9400a59d0563a66908aba55c41e7285a04994" 36261 }, 36262 { 36263 "type": "PACKAGE", 36264 "url": "https://github.com/netty/netty" 36265 }, 36266 { 36267 "type": "WEB", 36268 "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html" 36269 }, 36270 { 36271 "type": "WEB", 36272 "url": "https://snyk.io/vuln/SNYK-JAVA-ORGJBOSSNETTY-31630" 36273 }, 36274 { 36275 "type": "WEB", 36276 "url": "http://netty.io/news/2014/06/11/3-9-2-Final.html" 36277 }, 36278 { 36279 "type": "WEB", 36280 "url": 
"http://secunia.com/advisories/59196" 36281 } 36282 ], 36283 "schema_version": "1.6.0", 36284 "summary": "Denial of service in Netty" 36285 }, 36286 { 36287 "affected": [ 36288 { 36289 "database_specific": { 36290 "last_known_affected_version_range": "\u003c= 4.1.44", 36291 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-ff2w-cq2g-wv5f/GHSA-ff2w-cq2g-wv5f.json" 36292 }, 36293 "package": { 36294 "ecosystem": "Maven", 36295 "name": "io.netty:netty-handler", 36296 "purl": "pkg:maven/io.netty/netty-handler" 36297 }, 36298 "ranges": [ 36299 { 36300 "events": [ 36301 { 36302 "introduced": "4.1.43" 36303 }, 36304 { 36305 "fixed": "4.1.45" 36306 } 36307 ], 36308 "type": "ECOSYSTEM" 36309 } 36310 ], 36311 "versions": [ 36312 "4.1.43.Final", 36313 "4.1.44.Final" 36314 ] 36315 } 36316 ], 36317 "aliases": [ 36318 "CVE-2020-7238" 36319 ], 36320 "database_specific": { 36321 "cwe_ids": [ 36322 "CWE-444" 36323 ], 36324 "github_reviewed": true, 36325 "github_reviewed_at": "2020-02-20T20:54:49Z", 36326 "nvd_published_at": "2020-01-27T17:15:00Z", 36327 "severity": "HIGH" 36328 }, 36329 "details": "Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. 
This issue exists because of an incomplete fix for CVE-2019-16869.", 36330 "id": "GHSA-ff2w-cq2g-wv5f", 36331 "modified": "2024-03-14T05:20:05.937087Z", 36332 "published": "2020-02-21T18:55:50Z", 36333 "references": [ 36334 { 36335 "type": "ADVISORY", 36336 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7238" 36337 }, 36338 { 36339 "type": "WEB", 36340 "url": "https://github.com/jdordonezn/CVE-2020-72381/issues/1" 36341 }, 36342 { 36343 "type": "WEB", 36344 "url": "https://github.com/netty/netty/issues/9861" 36345 }, 36346 { 36347 "type": "WEB", 36348 "url": "https://github.com/netty/netty/pull/9865" 36349 }, 36350 { 36351 "type": "WEB", 36352 "url": "https://www.debian.org/security/2021/dsa-4885" 36353 }, 36354 { 36355 "type": "WEB", 36356 "url": "https://netty.io/news" 36357 }, 36358 { 36359 "type": "WEB", 36360 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46" 36361 }, 36362 { 36363 "type": "WEB", 36364 "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html" 36365 }, 36366 { 36367 "type": "WEB", 36368 "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html" 36369 }, 36370 { 36371 "type": "WEB", 36372 "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html" 36373 }, 36374 { 36375 "type": "WEB", 36376 "url": "https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05@%3Ccommits.cassandra.apache.org%3E" 36377 }, 36378 { 36379 "type": "WEB", 36380 "url": "https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7@%3Ccommits.cassandra.apache.org%3E" 36381 }, 36382 { 36383 "type": "WEB", 36384 "url": "https://access.redhat.com/errata/RHSA-2020:0811" 36385 }, 36386 { 36387 "type": "WEB", 36388 "url": "https://access.redhat.com/errata/RHSA-2020:0806" 36389 }, 36390 { 36391 "type": "WEB", 36392 "url": "https://access.redhat.com/errata/RHSA-2020:0805" 
36393 }, 36394 { 36395 "type": "WEB", 36396 "url": "https://access.redhat.com/errata/RHSA-2020:0804" 36397 }, 36398 { 36399 "type": "WEB", 36400 "url": "https://access.redhat.com/errata/RHSA-2020:0606" 36401 }, 36402 { 36403 "type": "WEB", 36404 "url": "https://access.redhat.com/errata/RHSA-2020:0605" 36405 }, 36406 { 36407 "type": "WEB", 36408 "url": "https://access.redhat.com/errata/RHSA-2020:0601" 36409 }, 36410 { 36411 "type": "WEB", 36412 "url": "https://access.redhat.com/errata/RHSA-2020:0567" 36413 }, 36414 { 36415 "type": "WEB", 36416 "url": "https://access.redhat.com/errata/RHSA-2020:0497" 36417 } 36418 ], 36419 "schema_version": "1.6.0", 36420 "severity": [ 36421 { 36422 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 36423 "type": "CVSS_V3" 36424 } 36425 ], 36426 "summary": "HTTP Request Smuggling in Netty" 36427 }, 36428 { 36429 "affected": [ 36430 { 36431 "database_specific": { 36432 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mm9x-g8pc-w292/GHSA-mm9x-g8pc-w292.json" 36433 }, 36434 "package": { 36435 "ecosystem": "Maven", 36436 "name": "io.netty:netty-handler", 36437 "purl": "pkg:maven/io.netty/netty-handler" 36438 }, 36439 "ranges": [ 36440 { 36441 "events": [ 36442 { 36443 "introduced": "4.1.0" 36444 }, 36445 { 36446 "fixed": "4.1.46" 36447 } 36448 ], 36449 "type": "ECOSYSTEM" 36450 } 36451 ], 36452 "versions": [ 36453 "4.1.0.Final", 36454 "4.1.1.Final", 36455 "4.1.10.Final", 36456 "4.1.11.Final", 36457 "4.1.12.Final", 36458 "4.1.13.Final", 36459 "4.1.14.Final", 36460 "4.1.15.Final", 36461 "4.1.16.Final", 36462 "4.1.17.Final", 36463 "4.1.18.Final", 36464 "4.1.19.Final", 36465 "4.1.2.Final", 36466 "4.1.20.Final", 36467 "4.1.21.Final", 36468 "4.1.22.Final", 36469 "4.1.23.Final", 36470 "4.1.24.Final", 36471 "4.1.25.Final", 36472 "4.1.26.Final", 36473 "4.1.27.Final", 36474 "4.1.28.Final", 36475 "4.1.29.Final", 36476 "4.1.3.Final", 36477 "4.1.30.Final", 36478 "4.1.31.Final", 36479 
"4.1.32.Final", 36480 "4.1.33.Final", 36481 "4.1.34.Final", 36482 "4.1.35.Final", 36483 "4.1.36.Final", 36484 "4.1.37.Final", 36485 "4.1.38.Final", 36486 "4.1.39.Final", 36487 "4.1.4.Final", 36488 "4.1.40.Final", 36489 "4.1.41.Final", 36490 "4.1.42.Final", 36491 "4.1.43.Final", 36492 "4.1.44.Final", 36493 "4.1.45.Final", 36494 "4.1.5.Final", 36495 "4.1.6.Final", 36496 "4.1.7.Final", 36497 "4.1.8.Final", 36498 "4.1.9.Final" 36499 ] 36500 } 36501 ], 36502 "aliases": [ 36503 "CVE-2020-11612" 36504 ], 36505 "database_specific": { 36506 "cwe_ids": [ 36507 "CWE-119", 36508 "CWE-400", 36509 "CWE-770" 36510 ], 36511 "github_reviewed": true, 36512 "github_reviewed_at": "2020-06-11T19:58:52Z", 36513 "nvd_published_at": "2020-04-07T18:15:00Z", 36514 "severity": "HIGH" 36515 }, 36516 "details": "The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.", 36517 "id": "GHSA-mm9x-g8pc-w292", 36518 "modified": "2024-03-14T05:18:47.685399Z", 36519 "published": "2020-06-15T19:36:16Z", 36520 "references": [ 36521 { 36522 "type": "ADVISORY", 36523 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11612" 36524 }, 36525 { 36526 "type": "WEB", 36527 "url": "https://github.com/netty/netty/issues/6168" 36528 }, 36529 { 36530 "type": "WEB", 36531 "url": "https://github.com/netty/netty/pull/9924" 36532 }, 36533 { 36534 "type": "WEB", 36535 "url": "https://lists.apache.org/thread.html/r9c30b7fca4baedebcb46d6e0f90071b30cc4a0e074164d50122ec5ec@%3Ccommits.zookeeper.apache.org%3E" 36536 }, 36537 { 36538 "type": "WEB", 36539 "url": "https://lists.apache.org/thread.html/ra98e3a8541a09271f96478d5e22c7e3bd1afdf48641c8be25d62d9f9@%3Ccommits.druid.apache.org%3E" 36540 }, 36541 { 36542 "type": "WEB", 36543 "url": 
"https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E" 36544 }, 36545 { 36546 "type": "WEB", 36547 "url": "https://lists.apache.org/thread.html/rd302ddb501fa02c5119120e5fc21df9a1c00e221c490edbe2d7ad365@%3Cnotifications.zookeeper.apache.org%3E" 36548 }, 36549 { 36550 "type": "WEB", 36551 "url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E" 36552 }, 36553 { 36554 "type": "WEB", 36555 "url": "https://lists.apache.org/thread.html/re1ea144e91f03175d661b2d3e97c7d74b912e019613fa90419cf63f4@%3Cissues.zookeeper.apache.org%3E" 36556 }, 36557 { 36558 "type": "WEB", 36559 "url": "https://lists.apache.org/thread.html/ref2c8a0cbb3b8271e5b9a06457ba78ad2028128627186531730f50ef@%3Cnotifications.zookeeper.apache.org%3E" 36560 }, 36561 { 36562 "type": "WEB", 36563 "url": "https://lists.apache.org/thread.html/ref3943adbc3a8813aee0e3a9dd919bacbb27f626be030a3c6d6c7f83@%3Ccommits.pulsar.apache.org%3E" 36564 }, 36565 { 36566 "type": "WEB", 36567 "url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E" 36568 }, 36569 { 36570 "type": "WEB", 36571 "url": "https://lists.apache.org/thread.html/rf803b65b4a57589d79cf2e83d8ece0539018d32864f932f63c972844@%3Cnotifications.zookeeper.apache.org%3E" 36572 }, 36573 { 36574 "type": "WEB", 36575 "url": "https://lists.apache.org/thread.html/rf9f8bcc4ca8d2788f77455ff594468404732a4497baebe319043f4d5@%3Ccommits.zookeeper.apache.org%3E" 36576 }, 36577 { 36578 "type": "WEB", 36579 "url": "https://lists.apache.org/thread.html/rfd173eac20d5e5f581c8984b685c836dafea8eb2f7ff85f617704cf1@%3Cdev.zookeeper.apache.org%3E" 36580 }, 36581 { 36582 "type": "WEB", 36583 "url": "https://lists.apache.org/thread.html/rff8859c0d06b1688344b39097f9685c43b461cf2bc41f60f001704e9@%3Ccommits.zookeeper.apache.org%3E" 36584 }, 36585 { 36586 "type": "WEB", 36587 
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html" 36588 }, 36589 { 36590 "type": "WEB", 36591 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46" 36592 }, 36593 { 36594 "type": "WEB", 36595 "url": "https://security.netapp.com/advisory/ntap-20201223-0001" 36596 }, 36597 { 36598 "type": "WEB", 36599 "url": "https://www.debian.org/security/2021/dsa-4885" 36600 }, 36601 { 36602 "type": "WEB", 36603 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 36604 }, 36605 { 36606 "type": "WEB", 36607 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 36608 }, 36609 { 36610 "type": "WEB", 36611 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 36612 }, 36613 { 36614 "type": "WEB", 36615 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 36616 }, 36617 { 36618 "type": "WEB", 36619 "url": "https://github.com/netty/netty/compare/netty-4.1.45.Final...netty-4.1.46.Final" 36620 }, 36621 { 36622 "type": "WEB", 36623 "url": "https://lists.apache.org/thread.html/r14446ed58208cb6d97b6faa6ebf145f1cf2c70c0886c0c133f4d3b6f@%3Ccommits.druid.apache.org%3E" 36624 }, 36625 { 36626 "type": "WEB", 36627 "url": "https://lists.apache.org/thread.html/r255ed239e65d0596812362adc474bee96caf7ba042c7ad2f3c62cec7@%3Cissues.zookeeper.apache.org%3E" 36628 }, 36629 { 36630 "type": "WEB", 36631 "url": "https://lists.apache.org/thread.html/r281882fdf9ea89aac02fd2f92786693a956aac2ce9840cce87c7df6b@%3Ccommits.zookeeper.apache.org%3E" 36632 }, 36633 { 36634 "type": "WEB", 36635 "url": "https://lists.apache.org/thread.html/r2958e4d49ee046e1e561e44fdc114a0d2285927501880f15852a9b53@%3Ccommits.druid.apache.org%3E" 36636 }, 36637 { 36638 "type": "WEB", 36639 "url": "https://lists.apache.org/thread.html/r31424427cc6d7db46beac481bdeed9a823fc20bb1b9deede38557f71@%3Cnotifications.zookeeper.apache.org%3E" 36640 }, 36641 { 36642 "type": "WEB", 36643 "url": 
"https://lists.apache.org/thread.html/r3195127e46c87a680b5d1d3733470f83b886bfd3b890c50df718bed1@%3Ccommits.druid.apache.org%3E" 36644 }, 36645 { 36646 "type": "WEB", 36647 "url": "https://lists.apache.org/thread.html/r3ea4918d20d0c1fa26cac74cc7cda001d8990bc43473d062867ef70d@%3Cnotifications.zookeeper.apache.org%3E" 36648 }, 36649 { 36650 "type": "WEB", 36651 "url": "https://lists.apache.org/thread.html/r4a7e4e23bd84ac24abf30ab5d5edf989c02b555e1eca6a2f28636692@%3Cnotifications.zookeeper.apache.org%3E" 36652 }, 36653 { 36654 "type": "WEB", 36655 "url": "https://lists.apache.org/thread.html/r4f4a14d6a608db447b725ec2e96c26ac9664d83cd879aa21e2cfeb24@%3Cnotifications.zookeeper.apache.org%3E" 36656 }, 36657 { 36658 "type": "WEB", 36659 "url": "https://lists.apache.org/thread.html/r5030cd8ea5df1e64cf6a7b633eff145992fbca03e8bfc687cd2427ab@%3Cnotifications.zookeeper.apache.org%3E" 36660 }, 36661 { 36662 "type": "WEB", 36663 "url": "https://lists.apache.org/thread.html/r5a0b1f0b1c3bcd66f5177fbd6f6de2d0f8cae24a13ab2669f274251a@%3Cnotifications.zookeeper.apache.org%3E" 36664 }, 36665 { 36666 "type": "WEB", 36667 "url": "https://lists.apache.org/thread.html/r5b1ad61552591b747cd31b3a908d5ff2e8f2a8a6847583dd6b7b1ee7@%3Cissues.zookeeper.apache.org%3E" 36668 }, 36669 { 36670 "type": "WEB", 36671 "url": "https://lists.apache.org/thread.html/r69b23a94d4ae45394cabae012dd1f4a963996869c44c478eb1c61082@%3Ccommits.zookeeper.apache.org%3E" 36672 }, 36673 { 36674 "type": "WEB", 36675 "url": "https://lists.apache.org/thread.html/r7641ee788e1eb1be4bb206a7d15f8a64ec6ef23e5ec6132d5a567695@%3Cnotifications.zookeeper.apache.org%3E" 36676 }, 36677 { 36678 "type": "WEB", 36679 "url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E" 36680 }, 36681 { 36682 "type": "WEB", 36683 "url": "https://lists.apache.org/thread.html/r7836bbdbe95c99d4d725199f0c169927d4e87ba57e4beeeb699c097a@%3Ccommits.druid.apache.org%3E" 36684 }, 
36685 { 36686 "type": "WEB", 36687 "url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E" 36688 }, 36689 { 36690 "type": "WEB", 36691 "url": "https://lists.apache.org/thread.html/r866288c2ada00ce148b7307cdf869f15f24302b3eb2128af33830997@%3Ccommits.zookeeper.apache.org%3E" 36692 }, 36693 { 36694 "type": "WEB", 36695 "url": "https://lists.apache.org/thread.html/r88e2b91560c065ed67e62adf8f401c417e4d70256d11ea447215a70c@%3Cissues.zookeeper.apache.org%3E" 36696 }, 36697 { 36698 "type": "WEB", 36699 "url": "https://lists.apache.org/thread.html/r8a654f11e1172b0effbfd6f8d5b6ca651ae4ac724a976923c268a42f@%3Ccommits.druid.apache.org%3E" 36700 }, 36701 { 36702 "type": "WEB", 36703 "url": "https://lists.apache.org/thread.html/r9addb580456807cd11d6f0c6b6373b7d7161d06d2278866c30c7febb@%3Ccommits.zookeeper.apache.org%3E" 36704 } 36705 ], 36706 "schema_version": "1.6.0", 36707 "severity": [ 36708 { 36709 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 36710 "type": "CVSS_V3" 36711 } 36712 ], 36713 "summary": "Denial of Service in Netty" 36714 }, 36715 { 36716 "affected": [ 36717 { 36718 "database_specific": { 36719 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rv63-gqm8-9w8q/GHSA-rv63-gqm8-9w8q.json" 36720 }, 36721 "package": { 36722 "ecosystem": "Maven", 36723 "name": "io.netty:netty-handler", 36724 "purl": "pkg:maven/io.netty/netty-handler" 36725 }, 36726 "ranges": [ 36727 { 36728 "events": [ 36729 { 36730 "introduced": "4.0.0.Alpha1" 36731 }, 36732 { 36733 "fixed": "4.0.37.Final" 36734 } 36735 ], 36736 "type": "ECOSYSTEM" 36737 } 36738 ], 36739 "versions": [ 36740 "4.0.0.Alpha1", 36741 "4.0.0.Alpha2", 36742 "4.0.0.Alpha3", 36743 "4.0.0.Alpha4", 36744 "4.0.0.Alpha5", 36745 "4.0.0.Alpha6", 36746 "4.0.0.Alpha7", 36747 "4.0.0.Alpha8", 36748 "4.0.0.Beta1", 36749 "4.0.0.Beta2", 36750 "4.0.0.Beta3", 36751 "4.0.0.CR1", 36752 "4.0.0.CR2", 
36753 "4.0.0.CR3", 36754 "4.0.0.CR4", 36755 "4.0.0.CR5", 36756 "4.0.0.CR6", 36757 "4.0.0.CR7", 36758 "4.0.0.CR8", 36759 "4.0.0.CR9", 36760 "4.0.0.Final", 36761 "4.0.1.Final", 36762 "4.0.10.Final", 36763 "4.0.11.Final", 36764 "4.0.12.Final", 36765 "4.0.13.Final", 36766 "4.0.14.Beta1", 36767 "4.0.14.Final", 36768 "4.0.15.Final", 36769 "4.0.16.Final", 36770 "4.0.17.Final", 36771 "4.0.18.Final", 36772 "4.0.19.Final", 36773 "4.0.2.Final", 36774 "4.0.20.Final", 36775 "4.0.21.Final", 36776 "4.0.22.Final", 36777 "4.0.23.Final", 36778 "4.0.24.Final", 36779 "4.0.25.Final", 36780 "4.0.26.Final", 36781 "4.0.27.Final", 36782 "4.0.28.Final", 36783 "4.0.29.Final", 36784 "4.0.3.Final", 36785 "4.0.30.Final", 36786 "4.0.31.Final", 36787 "4.0.32.Final", 36788 "4.0.33.Final", 36789 "4.0.34.Final", 36790 "4.0.35.Final", 36791 "4.0.36.Final", 36792 "4.0.4.Final", 36793 "4.0.5.Final", 36794 "4.0.6.Final", 36795 "4.0.7.Final", 36796 "4.0.8.Final", 36797 "4.0.9.Final" 36798 ] 36799 }, 36800 { 36801 "database_specific": { 36802 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rv63-gqm8-9w8q/GHSA-rv63-gqm8-9w8q.json" 36803 }, 36804 "package": { 36805 "ecosystem": "Maven", 36806 "name": "io.netty:netty-handler", 36807 "purl": "pkg:maven/io.netty/netty-handler" 36808 }, 36809 "ranges": [ 36810 { 36811 "events": [ 36812 { 36813 "introduced": "4.1.0.Beta1" 36814 }, 36815 { 36816 "fixed": "4.1.1.Final" 36817 } 36818 ], 36819 "type": "ECOSYSTEM" 36820 } 36821 ], 36822 "versions": [ 36823 "4.1.0.Beta1", 36824 "4.1.0.Beta2", 36825 "4.1.0.Beta3", 36826 "4.1.0.Beta4", 36827 "4.1.0.Beta5", 36828 "4.1.0.Beta6", 36829 "4.1.0.Beta7", 36830 "4.1.0.Beta8", 36831 "4.1.0.CR1", 36832 "4.1.0.CR2", 36833 "4.1.0.CR3", 36834 "4.1.0.CR4", 36835 "4.1.0.CR5", 36836 "4.1.0.CR6", 36837 "4.1.0.CR7", 36838 "4.1.0.Final" 36839 ] 36840 } 36841 ], 36842 "aliases": [ 36843 "CVE-2016-4970" 36844 ], 36845 "database_specific": { 36846 "cwe_ids": [ 36847 "CWE-835" 36848 ], 
36849 "github_reviewed": true, 36850 "github_reviewed_at": "2022-07-06T19:54:08Z", 36851 "nvd_published_at": "2017-04-13T14:59:00Z", 36852 "severity": "HIGH" 36853 }, 36854 "details": "handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).", 36855 "id": "GHSA-rv63-gqm8-9w8q", 36856 "modified": "2024-02-16T08:13:46.004283Z", 36857 "published": "2022-05-13T01:11:43Z", 36858 "references": [ 36859 { 36860 "type": "ADVISORY", 36861 "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4970" 36862 }, 36863 { 36864 "type": "WEB", 36865 "url": "https://github.com/netty/netty/pull/5364" 36866 }, 36867 { 36868 "type": "WEB", 36869 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1343616" 36870 }, 36871 { 36872 "type": "PACKAGE", 36873 "url": "https://github.com/netty/netty" 36874 }, 36875 { 36876 "type": "WEB", 36877 "url": "https://lists.apache.org/thread.html/afaa5860e3a6d327eb96c3d82cbd2f5996de815a16854ed1ad310144@%3Ccommits.cassandra.apache.org%3E" 36878 }, 36879 { 36880 "type": "WEB", 36881 "url": "https://wiki.opendaylight.org/view/Security_Advisories" 36882 }, 36883 { 36884 "type": "WEB", 36885 "url": "http://netty.io/news/2016/06/07/4-0-37-Final.html" 36886 }, 36887 { 36888 "type": "WEB", 36889 "url": "http://netty.io/news/2016/06/07/4-1-1-Final.html" 36890 }, 36891 { 36892 "type": "WEB", 36893 "url": "http://rhn.redhat.com/errata/RHSA-2017-0179.html" 36894 }, 36895 { 36896 "type": "WEB", 36897 "url": "http://rhn.redhat.com/errata/RHSA-2017-1097.html" 36898 } 36899 ], 36900 "schema_version": "1.6.0", 36901 "severity": [ 36902 { 36903 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 36904 "type": "CVSS_V3" 36905 } 36906 ], 36907 "summary": "Loop with Unreachable Exit Condition in Netty" 36908 }, 36909 { 36910 "affected": [ 36911 { 36912 "database_specific": { 36913 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-269g-pwp5-87pp/GHSA-269g-pwp5-87pp.json" 36914 }, 36915 "package": { 36916 "ecosystem": "Maven", 36917 "name": "junit:junit", 36918 "purl": "pkg:maven/junit/junit" 36919 }, 36920 "ranges": [ 36921 { 36922 "events": [ 36923 { 36924 "introduced": "4.7" 36925 }, 36926 { 36927 "fixed": "4.13.1" 36928 } 36929 ], 36930 "type": "ECOSYSTEM" 36931 } 36932 ], 36933 "versions": [ 36934 "4.10", 36935 "4.11", 36936 "4.11-beta-1", 36937 "4.12", 36938 "4.12-beta-1", 36939 "4.12-beta-2", 36940 "4.12-beta-3", 36941 "4.13", 36942 "4.13-beta-1", 36943 "4.13-beta-2", 36944 "4.13-beta-3", 36945 "4.13-rc-1", 36946 "4.13-rc-2", 36947 "4.7", 36948 "4.8", 36949 "4.8.1", 36950 "4.8.2", 36951 "4.9" 36952 ] 36953 } 36954 ], 36955 "aliases": [ 36956 "CVE-2020-15250" 36957 ], 36958 "database_specific": { 36959 "cwe_ids": [ 36960 "CWE-200", 36961 "CWE-732" 36962 ], 36963 "github_reviewed": true, 36964 "github_reviewed_at": "2020-10-12T17:32:34Z", 36965 "nvd_published_at": "2020-10-12T18:15:00Z", 36966 "severity": "MODERATE" 36967 }, 36968 "details": "### Vulnerability\n\nThe JUnit4 test rule [TemporaryFolder](https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html) contains a local information disclosure vulnerability.\n\nExample of vulnerable code:\n```java\npublic static class HasTempFolder {\n @Rule\n public TemporaryFolder folder = new TemporaryFolder();\n\n @Test\n public void testUsingTempFolder() throws IOException {\n folder.getRoot(); // Previous file permissions: `drwxr-xr-x`; After fix:`drwx------`\n File createdFile= folder.newFile(\"myfile.txt\"); // unchanged/irrelevant file permissions\n File createdFolder= folder.newFolder(\"subfolder\"); // unchanged/irrelevant file permissions\n // ...\n }\n}\n```\n\n### Impact\n\nOn Unix like systems, the system's temporary directory is shared between all users on that system. 
Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system.\n\nThis vulnerability **does not** allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability.\n\nWhen analyzing the impact of this vulnerability, here are the important questions to ask:\n\n1. Do the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder?\n - If yes, this vulnerability impacts you, but only if you also answer 'yes' to question 2.\n - If no, this vulnerability does not impact you.\n2. Do the JUnit tests ever execute in an environment where the OS has other untrusted users?\n _This may apply in CI/CD environments but normally won't be 'yes' for personal developer machines._\n - If yes, and you answered 'yes' to question 1, this vulnerability impacts you.\n - If no, this vulnerability does not impact you.\n\n### Patches\n\nBecause certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using.\n - Java 1.7 and higher users: this vulnerability is fixed in 4.13.1.\n - Java 1.6 and lower users: **no patch is available, you must use the workaround below.**\n\n### Workarounds\n\nIf you are unable to patch, or are stuck running on Java 1.6, setting the `java.io.tmpdir` JVM system property (for example `-Djava.io.tmpdir=/path/to/dir`; note that this is a JVM property, not an OS environment variable) to a directory that is exclusively owned by the executing user and not readable by other users (e.g. mode `0700`) will mitigate this vulnerability.\n\n### References\n- [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html)\n- Fix commit https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae\n\n#### Similar Vulnerabilities\n - Google Guava - https://github.com/google/guava/issues/4011\n - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945\n - JetBrains Kotlin Compiler - 
https://nvd.nist.gov/vuln/detail/CVE-2020-15824\n\n### For more information\nIf you have any questions or comments about this advisory, please pen an issue in [junit-team/junit4](https://github.com/junit-team/junit4/issues).", 36969 "id": "GHSA-269g-pwp5-87pp", 36970 "modified": "2024-03-15T05:20:38.405881Z", 36971 "published": "2020-10-12T17:33:00Z", 36972 "references": [ 36973 { 36974 "type": "WEB", 36975 "url": "https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp" 36976 }, 36977 { 36978 "type": "ADVISORY", 36979 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15250" 36980 }, 36981 { 36982 "type": "WEB", 36983 "url": "https://github.com/junit-team/junit4/issues/1676" 36984 }, 36985 { 36986 "type": "WEB", 36987 "url": "https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae" 36988 }, 36989 { 36990 "type": "WEB", 36991 "url": "https://lists.apache.org/thread.html/ra1bdb9efae84794e8ffa2f8474be8290ba57830eefe9714b95da714b@%3Cdev.pdfbox.apache.org%3E" 36992 }, 36993 { 36994 "type": "WEB", 36995 "url": "https://lists.apache.org/thread.html/raebf13f53cd5d23d990712e3d11c80da9a7bae94a6284050f148ed99@%3Ccommits.pulsar.apache.org%3E" 36996 }, 36997 { 36998 "type": "WEB", 36999 "url": "https://lists.apache.org/thread.html/rb2771949c676ca984e58a5cd5ca79c2634dee1945e0406e48e0f8457@%3Cdev.creadur.apache.org%3E" 37000 }, 37001 { 37002 "type": "WEB", 37003 "url": "https://lists.apache.org/thread.html/rb2ffe2993f4dccc48d832e1a0f1c419477781b6ea16e725ca2276dbb@%3Cdev.knox.apache.org%3E" 37004 }, 37005 { 37006 "type": "WEB", 37007 "url": "https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381@%3Ccommits.turbine.apache.org%3E" 37008 }, 37009 { 37010 "type": "WEB", 37011 "url": "https://lists.apache.org/thread.html/rbaec90e699bc7c7bd9a053f76707a36fda48b6d558f31dc79147dbf9@%3Cdev.creadur.apache.org%3E" 37012 }, 37013 { 37014 "type": "WEB", 37015 "url": 
"https://lists.apache.org/thread.html/rc49cf1547ef6cac1be4b3c92339b2cae0acacf5acaba13cfa429a872@%3Cdev.creadur.apache.org%3E" 37016 }, 37017 { 37018 "type": "WEB", 37019 "url": "https://lists.apache.org/thread.html/rdbdd30510a7c4d0908fd22075c02b75bbc2e0d977ec22249ef3133cb@%3Ccommits.pulsar.apache.org%3E" 37020 }, 37021 { 37022 "type": "WEB", 37023 "url": "https://lists.apache.org/thread.html/rde385b8b53ed046600ef68dd6b4528dea7566aaddb02c3e702cc28bc@%3Ccommits.creadur.apache.org%3E" 37024 }, 37025 { 37026 "type": "WEB", 37027 "url": "https://lists.apache.org/thread.html/rde8e70b95c992378e8570e4df400c6008a9839eabdfb8f800a3e5af6@%3Ccommits.pulsar.apache.org%3E" 37028 }, 37029 { 37030 "type": "WEB", 37031 "url": "https://lists.apache.org/thread.html/rdef7d1380c86e7c0edf8a0f89a2a8db86fce5e363457d56b722691b4@%3Ccommits.pulsar.apache.org%3E" 37032 }, 37033 { 37034 "type": "WEB", 37035 "url": "https://lists.apache.org/thread.html/rea812d8612fdc46842a2a57248cad4b01ddfdb1e9b037c49e68fdbfb@%3Ccommits.pulsar.apache.org%3E" 37036 }, 37037 { 37038 "type": "WEB", 37039 "url": "https://lists.apache.org/thread.html/reb700e60b9642eafa4b7922bfee80796394135aa09c7a239ef9f7486@%3Ccommits.pulsar.apache.org%3E" 37040 }, 37041 { 37042 "type": "WEB", 37043 "url": "https://lists.apache.org/thread.html/rf2ec93f4ca9a97d1958eb4a31b1830f723419ce9bf2018a6e5741d5b@%3Ccommits.pulsar.apache.org%3E" 37044 }, 37045 { 37046 "type": "WEB", 37047 "url": "https://lists.apache.org/thread.html/rf6e5d894d4b03bef537c9d6641272e0197c047c0d1982b4e176d0353@%3Cdev.knox.apache.org%3E" 37048 }, 37049 { 37050 "type": "WEB", 37051 "url": "https://lists.apache.org/thread.html/rf797d119cc3f51a8d7c3c5cbe50cb4524c8487282b986edde83a9467@%3Ccommits.pulsar.apache.org%3E" 37052 }, 37053 { 37054 "type": "WEB", 37055 "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00003.html" 37056 }, 37057 { 37058 "type": "WEB", 37059 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 37060 }, 37061 { 37062 "type": 
"PACKAGE", 37063 "url": "https://github.com/junit-team/junit4" 37064 }, 37065 { 37066 "type": "WEB", 37067 "url": "https://github.com/junit-team/junit4/blob/7852b90cfe1cea1e0cdaa19d490c83f0d8684b50/doc/ReleaseNotes4.13.1.md" 37068 }, 37069 { 37070 "type": "WEB", 37071 "url": "https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html" 37072 }, 37073 { 37074 "type": "WEB", 37075 "url": "https://lists.apache.org/thread.html/r01110833b63616ddbef59ae4e10c0fbd0060f0a51206defd4cb4d917@%3Ccommits.pulsar.apache.org%3E" 37076 }, 37077 { 37078 "type": "WEB", 37079 "url": "https://lists.apache.org/thread.html/r09cfbb5aedd76023691bbce9ca4ce2e16bb07dd37554a17efc19935d@%3Cpluto-dev.portals.apache.org%3E" 37080 }, 37081 { 37082 "type": "WEB", 37083 "url": "https://lists.apache.org/thread.html/r1209986f79359b518d09513ff05a88e5b3c398540e775edea76a4774@%3Cdev.knox.apache.org%3E" 37084 }, 37085 { 37086 "type": "WEB", 37087 "url": "https://lists.apache.org/thread.html/r29d703d1986d9b871466ff24082a1828ac8ad27bb0965a93a383872e@%3Cpluto-scm.portals.apache.org%3E" 37088 }, 37089 { 37090 "type": "WEB", 37091 "url": "https://lists.apache.org/thread.html/r2b78f23bc2711a76a7fc73ad67b7fcd6817c5cfccefd6f30a4f54943@%3Cdev.knox.apache.org%3E" 37092 }, 37093 { 37094 "type": "WEB", 37095 "url": "https://lists.apache.org/thread.html/r30f502d2f79e8d635361adb8108dcbb73095163fcbd776ee7984a094@%3Ccommits.creadur.apache.org%3E" 37096 }, 37097 { 37098 "type": "WEB", 37099 "url": "https://lists.apache.org/thread.html/r500517c23200fb2fdb0b82770a62dd6c88b3521cfb01cfd0c76e3f8b@%3Cdev.creadur.apache.org%3E" 37100 }, 37101 { 37102 "type": "WEB", 37103 "url": "https://lists.apache.org/thread.html/r5f8841507576f595bb783ccec6a7cb285ea90d4e6f5043eae0e61a41@%3Cdev.creadur.apache.org%3E" 37104 }, 37105 { 37106 "type": "WEB", 37107 "url": "https://lists.apache.org/thread.html/r687f489b10b0d14e46f626aa88476545e1a2600b24c4ebd3c0d2a10b@%3Cdev.knox.apache.org%3E" 37108 }, 37109 { 37110 "type": "WEB", 37111 
"url": "https://lists.apache.org/thread.html/r717877028482c55acf604d7a0106af4ca05da4208c708fb157b53672@%3Ccommits.creadur.apache.org%3E" 37112 }, 37113 { 37114 "type": "WEB", 37115 "url": "https://lists.apache.org/thread.html/r742b44fd75215fc75963b8ecc22b2e4372e68d67d3d859d2b5e8743f@%3Cdev.knox.apache.org%3E" 37116 }, 37117 { 37118 "type": "WEB", 37119 "url": "https://lists.apache.org/thread.html/r8b02dc6f18df11ff39eedb3038f1e31e6f90a779b1959bae65107279@%3Cdev.knox.apache.org%3E" 37120 }, 37121 { 37122 "type": "WEB", 37123 "url": "https://lists.apache.org/thread.html/r925eaae7dd8f77dd61eefc49c1fcf54bd9ecfe605486870d7b1e9390@%3Cpluto-dev.portals.apache.org%3E" 37124 }, 37125 { 37126 "type": "WEB", 37127 "url": "https://lists.apache.org/thread.html/r934208a520b38f5cf0cae199b6b076bfe7d081809528b0eff2459e40@%3Cdev.knox.apache.org%3E" 37128 }, 37129 { 37130 "type": "WEB", 37131 "url": "https://lists.apache.org/thread.html/r95f8ef60c4b3a5284b647bb3132cda08e6fadad888a66b84f49da0b0@%3Ccommits.creadur.apache.org%3E" 37132 }, 37133 { 37134 "type": "WEB", 37135 "url": "https://lists.apache.org/thread.html/r9710067c7096b83cb6ae8f53a2f6f94e9c042d1bf1d6929f8f2a2b7a@%3Ccommits.knox.apache.org%3E" 37136 } 37137 ], 37138 "schema_version": "1.6.0", 37139 "severity": [ 37140 { 37141 "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", 37142 "type": "CVSS_V3" 37143 } 37144 ], 37145 "summary": "TemporaryFolder on unix-like systems does not limit access to created files" 37146 }, 37147 { 37148 "affected": [ 37149 { 37150 "database_specific": { 37151 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-2qrg-x229-3v8q/GHSA-2qrg-x229-3v8q.json" 37152 }, 37153 "package": { 37154 "ecosystem": "Maven", 37155 "name": "log4j:log4j", 37156 "purl": "pkg:maven/log4j/log4j" 37157 }, 37158 "ranges": [ 37159 { 37160 "events": [ 37161 { 37162 "introduced": "1.2" 37163 }, 37164 { 37165 "last_affected": "1.2.17" 37166 } 37167 ], 37168 "type": 
"ECOSYSTEM" 37169 } 37170 ], 37171 "versions": [ 37172 "1.2.11", 37173 "1.2.12", 37174 "1.2.13", 37175 "1.2.14", 37176 "1.2.15", 37177 "1.2.16", 37178 "1.2.17", 37179 "1.2.4", 37180 "1.2.5", 37181 "1.2.6", 37182 "1.2.7", 37183 "1.2.8", 37184 "1.2.9" 37185 ] 37186 }, 37187 { 37188 "database_specific": { 37189 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/01/GHSA-2qrg-x229-3v8q/GHSA-2qrg-x229-3v8q.json" 37190 }, 37191 "package": { 37192 "ecosystem": "Maven", 37193 "name": "org.zenframework.z8.dependencies.commons:log4j-1.2.17", 37194 "purl": "pkg:maven/org.zenframework.z8.dependencies.commons/log4j-1.2.17" 37195 }, 37196 "versions": [ 37197 "2.0" 37198 ] 37199 } 37200 ], 37201 "aliases": [ 37202 "CVE-2019-17571" 37203 ], 37204 "database_specific": { 37205 "cwe_ids": [ 37206 "CWE-502" 37207 ], 37208 "github_reviewed": true, 37209 "github_reviewed_at": "2019-12-27T22:02:37Z", 37210 "nvd_published_at": "2019-12-20T17:15:00Z", 37211 "severity": "CRITICAL" 37212 }, 37213 "details": "Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. 
This affects Log4j versions 1.2 up to 1.2.17.\n\nUsers are advised to migrate to `org.apache.logging.log4j:log4j-core`.", 37214 "id": "GHSA-2qrg-x229-3v8q", 37215 "modified": "2024-03-10T05:17:36.915276Z", 37216 "published": "2020-01-06T18:43:49Z", 37217 "references": [ 37218 { 37219 "type": "ADVISORY", 37220 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571" 37221 }, 37222 { 37223 "type": "WEB", 37224 "url": "https://lists.apache.org/thread.html/rd3a9511eebab60e23f224841390a3f8cd5358cff605c5f7042171e47@%3Cdev.tinkerpop.apache.org%3E" 37225 }, 37226 { 37227 "type": "WEB", 37228 "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E" 37229 }, 37230 { 37231 "type": "WEB", 37232 "url": "https://lists.apache.org/thread.html/rcd71280585425dad7e232f239c5709e425efdd0d3de4a92f808a4767@%3Cissues.bookkeeper.apache.org%3E" 37233 }, 37234 { 37235 "type": "WEB", 37236 "url": "https://lists.apache.org/thread.html/rca24a281000fb681d7e26e5c031a21eb4b0593a7735f781b53dae4e2@%3Cdev.tika.apache.org%3E" 37237 }, 37238 { 37239 "type": "WEB", 37240 "url": "https://lists.apache.org/thread.html/rc628307962ae1b8cc2d21b8e4b7dd6d7755b2dd52fa56a151a27e4fd@%3Cissues.zookeeper.apache.org%3E" 37241 }, 37242 { 37243 "type": "WEB", 37244 "url": "https://lists.apache.org/thread.html/rc1eaed7f7d774d5d02f66e49baced31e04827a1293d61a70bd003ca7@%3Cdev.tika.apache.org%3E" 37245 }, 37246 { 37247 "type": "WEB", 37248 "url": "https://lists.apache.org/thread.html/rc17d8491beee51607693019857e41e769795366b85be00aa2f4b3159@%3Cnotifications.zookeeper.apache.org%3E" 37249 }, 37250 { 37251 "type": "WEB", 37252 "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E" 37253 }, 37254 { 37255 "type": "WEB", 37256 "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E" 37257 }, 37258 { 
37259 "type": "WEB", 37260 "url": "https://lists.apache.org/thread.html/rbdf18e39428b5c80fc35113470198b1fe53b287a76a46b0f8780b5fd@%3Cdev.zookeeper.apache.org%3E" 37261 }, 37262 { 37263 "type": "WEB", 37264 "url": "https://lists.apache.org/thread.html/rbd19de368abf0764e4383ec44d527bc9870176f488a494f09a40500d@%3Ccommon-dev.hadoop.apache.org%3E" 37265 }, 37266 { 37267 "type": "WEB", 37268 "url": "https://lists.apache.org/thread.html/rbc45eb0f53fd6242af3e666c2189464f848a851d408289840cecc6e3@%3Ccommits.zookeeper.apache.org%3E" 37269 }, 37270 { 37271 "type": "WEB", 37272 "url": "https://lists.apache.org/thread.html/rb3c94619728c8f8c176d8e175e0a1086ca737ecdfcd5a2214bb768bc@%3Ccommits.bookkeeper.apache.org%3E" 37273 }, 37274 { 37275 "type": "WEB", 37276 "url": "https://lists.apache.org/thread.html/rb1b29aee737e1c37fe1d48528cb0febac4f5deed51f5412e6fdfe2bf@%3Cissues.activemq.apache.org%3E" 37277 }, 37278 { 37279 "type": "WEB", 37280 "url": "https://lists.apache.org/thread.html/raedd12dc24412b3780432bf202a2618a21a727788543e5337a458ead@%3Cissues.activemq.apache.org%3E" 37281 }, 37282 { 37283 "type": "WEB", 37284 "url": "https://lists.apache.org/thread.html/ra9611a8431cb62369bce8909d7645597e1dd45c24b448836b1e54940@%3Cissues.bookkeeper.apache.org%3E" 37285 }, 37286 { 37287 "type": "WEB", 37288 "url": "https://lists.apache.org/thread.html/ra54fa49be3e773d99ccc9c2a422311cf77e3ecd3b8594ee93043a6b1@%3Cdev.zookeeper.apache.org%3E" 37289 }, 37290 { 37291 "type": "WEB", 37292 "url": "https://lists.apache.org/thread.html/ra38785cfc0e7f17f8e24bebf775dd032c033fadcaea29e5bc9fffc60@%3Cdev.tika.apache.org%3E" 37293 }, 37294 { 37295 "type": "WEB", 37296 "url": "https://lists.apache.org/thread.html/ra18a903f785aed9403aea38bc6f36844a056283c00dcfc6936b6318c@%3Cissues.bookkeeper.apache.org%3E" 37297 }, 37298 { 37299 "type": "WEB", 37300 "url": "https://lists.apache.org/thread.html/r9fb3238cfc3222f2392ca6517353aadae18f76866157318ac562e706@%3Ccommon-issues.hadoop.apache.org%3E" 37301 }, 37302 { 
37303 "type": "WEB", 37304 "url": "https://lists.apache.org/thread.html/r9dc2505651788ac668299774d9e7af4dc616be2f56fdc684d1170882@%3Cusers.activemq.apache.org%3E" 37305 }, 37306 { 37307 "type": "WEB", 37308 "url": "https://lists.apache.org/thread.html/r9d2e28e71f91ba0b6f4114c8ecd96e2b1f7e0d06bdf8eb768c183aa9@%3Ccommon-issues.hadoop.apache.org%3E" 37309 }, 37310 { 37311 "type": "WEB", 37312 "url": "https://lists.apache.org/thread.html/r9d0d03f2e7d9e13c68b530f81d02b0fec33133edcf27330d8089fcfb@%3Cissues.zookeeper.apache.org%3E" 37313 }, 37314 { 37315 "type": "WEB", 37316 "url": "https://lists.apache.org/thread.html/r9a9e3b42cd5d1c4536a14ef04f75048dec8e2740ac6a138ea912177f@%3Cpluto-dev.portals.apache.org%3E" 37317 }, 37318 { 37319 "type": "WEB", 37320 "url": "https://lists.apache.org/thread.html/r944183c871594fe9a555b8519a7c945bbcf6714d72461aa6c929028f@%3Cissues.zookeeper.apache.org%3E" 37321 }, 37322 { 37323 "type": "WEB", 37324 "url": "https://lists.apache.org/thread.html/r90c23eb8c82835fa82df85ae5e88c81fd9241e20a22971b0fb8f2c34@%3Cissues.bookkeeper.apache.org%3E" 37325 }, 37326 { 37327 "type": "WEB", 37328 "url": "https://lists.apache.org/thread.html/r909b8e3a36913944d3b7bafe9635d4ca84f8f0e2cd146a1784f667c2@%3Cissues.zookeeper.apache.org%3E" 37329 }, 37330 { 37331 "type": "WEB", 37332 "url": "https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950eed7451ce70a65177@%3Ccommits.zookeeper.apache.org%3E" 37333 }, 37334 { 37335 "type": "WEB", 37336 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 37337 }, 37338 { 37339 "type": "WEB", 37340 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 37341 }, 37342 { 37343 "type": "WEB", 37344 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 37345 }, 37346 { 37347 "type": "WEB", 37348 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 37349 }, 37350 { 37351 "type": "WEB", 37352 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 37353 }, 37354 
{ 37355 "type": "WEB", 37356 "url": "https://www.debian.org/security/2020/dsa-4686" 37357 }, 37358 { 37359 "type": "WEB", 37360 "url": "https://usn.ubuntu.com/4495-1" 37361 }, 37362 { 37363 "type": "WEB", 37364 "url": "https://security.netapp.com/advisory/ntap-20200110-0001" 37365 }, 37366 { 37367 "type": "WEB", 37368 "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00008.html" 37369 }, 37370 { 37371 "type": "WEB", 37372 "url": "https://lists.apache.org/thread.html/rfdf65fa675c64a64459817344e0e6c44d51ee264beea6e5851fb60dc@%3Cissues.bookkeeper.apache.org%3E" 37373 }, 37374 { 37375 "type": "WEB", 37376 "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E" 37377 }, 37378 { 37379 "type": "WEB", 37380 "url": "https://lists.apache.org/thread.html/rf9c19bcc2f7a98a880fa3e3456c003d331812b55836b34ef648063c9@%3Cjira.kafka.apache.org%3E" 37381 }, 37382 { 37383 "type": "WEB", 37384 "url": "https://lists.apache.org/thread.html/rf77f79699c8d7e430c14cf480f12ed1297e6e8cf2ed379a425941e80@%3Cpluto-dev.portals.apache.org%3E" 37385 }, 37386 { 37387 "type": "WEB", 37388 "url": "https://lists.apache.org/thread.html/rf53eeefb7e7e524deaacb9f8671cbf01b8a253e865fb94e7656722c0@%3Cissues.bookkeeper.apache.org%3E" 37389 }, 37390 { 37391 "type": "WEB", 37392 "url": "https://lists.apache.org/thread.html/rf2567488cfc9212b42e34c6393cfa1c14e30e4838b98dda84d71041f@%3Cdev.tika.apache.org%3E" 37393 }, 37394 { 37395 "type": "WEB", 37396 "url": "https://lists.apache.org/thread.html/rf1b434e11834a4449cd7addb69ed0aef0923112b5938182b363a968c@%3Cnotifications.zookeeper.apache.org%3E" 37397 }, 37398 { 37399 "type": "WEB", 37400 "url": "https://lists.apache.org/thread.html/rec34b1cccf907898e7cb36051ffac3ccf1ea89d0b261a2a3b3fb267f@%3Ccommits.zookeeper.apache.org%3E" 37401 }, 37402 { 37403 "type": "WEB", 37404 "url": 
"https://lists.apache.org/thread.html/reaf6b996f74f12b4557bc221abe88f58270ac583942fa41293c61f94@%3Cpluto-scm.portals.apache.org%3E" 37405 }, 37406 { 37407 "type": "WEB", 37408 "url": "https://lists.apache.org/thread.html/re8c21ed9dd218c217d242ffa90778428e446b082b5e1c29f567e8374@%3Cissues.activemq.apache.org%3E" 37409 }, 37410 { 37411 "type": "WEB", 37412 "url": "https://lists.apache.org/thread.html/re36da78e4f3955ba6c1c373a2ab85a4deb215ca74b85fcd66142fea1@%3Cissues.bookkeeper.apache.org%3E" 37413 }, 37414 { 37415 "type": "WEB", 37416 "url": "https://lists.apache.org/thread.html/rdf2a0d94c3b5b523aeff7741ae71347415276062811b687f30ea6573@%3Ccommits.zookeeper.apache.org%3E" 37417 }, 37418 { 37419 "type": "WEB", 37420 "url": "https://lists.apache.org/thread.html/rdec0d8ac1f03e6905b0de2df1d5fcdb98b94556e4f6cccf7519fdb26@%3Cdev.tika.apache.org%3E" 37421 }, 37422 { 37423 "type": "WEB", 37424 "url": "https://lists.apache.org/thread.html/rdb7ddf28807e27c7801f6e56a0dfb31092d34c61bdd4fa2de9182119@%3Cissues.bookkeeper.apache.org%3E" 37425 }, 37426 { 37427 "type": "WEB", 37428 "url": "https://lists.apache.org/thread.html/rda4849c6823dd3e83c7a356eb883180811d5c28359fe46865fd151c3@%3Cusers.kafka.apache.org%3E" 37429 }, 37430 { 37431 "type": "WEB", 37432 "url": "https://lists.apache.org/thread.html/rd882ab6b642fe59cbbe94dc02bd197342058208f482e57b537940a4b@%3Cpluto-dev.portals.apache.org%3E" 37433 }, 37434 { 37435 "type": "WEB", 37436 "url": "https://lists.apache.org/thread.html/rd7805c1bf9388968508c6c8f84588773216e560055ddcc813d19f347@%3Ccommon-issues.hadoop.apache.org%3E" 37437 }, 37438 { 37439 "type": "WEB", 37440 "url": "https://lists.apache.org/thread.html/rd6254837403e8cbfc7018baa9be29705f3f06bd007c83708f9a97679@%3Cissues.zookeeper.apache.org%3E" 37441 }, 37442 { 37443 "type": "WEB", 37444 "url": "https://lists.apache.org/thread.html/rd5dbeee4808c0f2b9b51479b50de3cc6adb1072c332a200d9107f13e@%3Cissues.activemq.apache.org%3E" 37445 }, 37446 { 37447 "type": "WEB", 37448 "url": 
"https://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519e31f266de108c6919@%3Cissues.activemq.apache.org%3E" 37449 }, 37450 { 37451 "type": "WEB", 37452 "url": "https://lists.apache.org/thread.html/r3cf50d05ce8cec8c09392624b7bae750e7643dae60ef2438641ee015@%3Cissues.zookeeper.apache.org%3E" 37453 }, 37454 { 37455 "type": "WEB", 37456 "url": "https://lists.apache.org/thread.html/r3c575cabc7386e646fb12cb82b0b38ae5a6ade8a800f827107824495@%3Cjira.kafka.apache.org%3E" 37457 }, 37458 { 37459 "type": "WEB", 37460 "url": "https://lists.apache.org/thread.html/r3bf7b982dfa0779f8a71f843d2aa6b4184a53e6be7f149ee079387fd@%3Cdev.kafka.apache.org%3E" 37461 }, 37462 { 37463 "type": "WEB", 37464 "url": "https://lists.apache.org/thread.html/r3a85514a518f3080ab1fc2652cfe122c2ccf67cfb32356acb1b08fe8@%3Cdev.tika.apache.org%3E" 37465 }, 37466 { 37467 "type": "WEB", 37468 "url": "https://lists.apache.org/thread.html/r3784834e80df2f284577a5596340fb84346c91a2dea6a073e65e3397@%3Cissues.activemq.apache.org%3E" 37469 }, 37470 { 37471 "type": "WEB", 37472 "url": "https://lists.apache.org/thread.html/r356d57d6225f91fdc30f8b0a2bed229d1ece55e16e552878c5fa809a@%3Cissues.zookeeper.apache.org%3E" 37473 }, 37474 { 37475 "type": "WEB", 37476 "url": "https://lists.apache.org/thread.html/r3543ead2317dcd3306f69ee37b07dd383dbba6e2f47ff11eb55879ad@%3Cusers.activemq.apache.org%3E" 37477 }, 37478 { 37479 "type": "WEB", 37480 "url": "https://lists.apache.org/thread.html/r2ff63f210842a3c5e42f03a35d8f3a345134d073c80a04077341c211@%3Cissues.activemq.apache.org%3E" 37481 }, 37482 { 37483 "type": "WEB", 37484 "url": "https://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5d04df885a80fe89b3@%3Cissues.activemq.apache.org%3E" 37485 }, 37486 { 37487 "type": "WEB", 37488 "url": "https://lists.apache.org/thread.html/r2756fd570b6709d55a61831ca028405bcb3e312175a60bc5d911c81f@%3Cjira.kafka.apache.org%3E" 37489 }, 37490 { 37491 "type": "WEB", 37492 "url": 
"https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E" 37493 }, 37494 { 37495 "type": "WEB", 37496 "url": "https://lists.apache.org/thread.html/r26244f9f7d9a8a27a092eb0b2a0ca9395e88fcde8b5edaeca7ce569c@%3Ccommon-issues.hadoop.apache.org%3E" 37497 }, 37498 { 37499 "type": "WEB", 37500 "url": "https://lists.apache.org/thread.html/r1b7734dfdfd938640f2f5fb6f4231a267145c71ed60cc7faa1cbac07@%3Ccommon-issues.hadoop.apache.org%3E" 37501 }, 37502 { 37503 "type": "WEB", 37504 "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" 37505 }, 37506 { 37507 "type": "WEB", 37508 "url": "https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf16c643d708318c@%3Cissues.activemq.apache.org%3E" 37509 }, 37510 { 37511 "type": "WEB", 37512 "url": "https://lists.apache.org/thread.html/r189aaeaad897f7d6b96f7c43a8ef2dfb9f6e9f8c1cc9ad182ce9b9ae@%3Cjira.kafka.apache.org%3E" 37513 }, 37514 { 37515 "type": "WEB", 37516 "url": "https://lists.apache.org/thread.html/r13d4b5c60ff63f3c4fab51d6ff266655be503b8a1884e2f2fab67c3a@%3Ccommon-issues.hadoop.apache.org%3E" 37517 }, 37518 { 37519 "type": "WEB", 37520 "url": "https://lists.apache.org/thread.html/r107c8737db39ec9ec4f4e7147b249e29be79170b9ef4b80528105a2d@%3Cdev.zookeeper.apache.org%3E" 37521 }, 37522 { 37523 "type": "WEB", 37524 "url": "https://lists.apache.org/thread.html/r05755112a8c164abc1004bb44f198b1e3d8ca3d546a8f13ebd3aa05f@%3Cissues.zookeeper.apache.org%3E" 37525 }, 37526 { 37527 "type": "WEB", 37528 "url": "https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E" 37529 }, 37530 { 37531 "type": "WEB", 37532 "url": "https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1de9c09953f5ac@%3Cissues.activemq.apache.org%3E" 37533 }, 37534 { 37535 "type": "WEB", 37536 "url": 
"https://lists.apache.org/thread.html/752ec92cd1e334a639e79bfbd689a4ec2c6579ec5bb41b53ffdf358d@%3Cdev.kafka.apache.org%3E" 37537 }, 37538 { 37539 "type": "WEB", 37540 "url": "https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac15738248f58a99f622c@%3Cissues.activemq.apache.org%3E" 37541 }, 37542 { 37543 "type": "WEB", 37544 "url": "https://lists.apache.org/thread.html/564f03b4e9511fcba29c68fc0299372dadbdb002718fa8edcc4325e4@%3Cjira.kafka.apache.org%3E" 37545 }, 37546 { 37547 "type": "WEB", 37548 "url": "https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444fcfd5ef96d6e6@%3Cdev.tika.apache.org%3E" 37549 }, 37550 { 37551 "type": "WEB", 37552 "url": "https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f15638439416e3e14761c@%3Cdev.tika.apache.org%3E" 37553 }, 37554 { 37555 "type": "WEB", 37556 "url": "https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e3e2ec5d0618e1@%3Cdev.tika.apache.org%3E" 37557 }, 37558 { 37559 "type": "WEB", 37560 "url": "https://lists.apache.org/thread.html/r8d78a0fbb56d505461e29868d1026e98c402e6a568c13a6da67896a2@%3Cdev.jena.apache.org%3E" 37561 }, 37562 { 37563 "type": "WEB", 37564 "url": "https://lists.apache.org/thread.html/r8c6300245c0bcef095e9f07b48157e2c6471df0816db3408fcf1d748@%3Ccommon-issues.hadoop.apache.org%3E" 37565 }, 37566 { 37567 "type": "WEB", 37568 "url": "https://lists.apache.org/thread.html/r8c392ca48bb7e50754e4bc05865e9731b23d568d18a520fe3d8c1f75@%3Ccommon-issues.hadoop.apache.org%3E" 37569 }, 37570 { 37571 "type": "WEB", 37572 "url": "https://lists.apache.org/thread.html/r8a1cfd4705258c106e488091fcec85f194c82f2bbde6bd151e201870@%3Cjira.kafka.apache.org%3E" 37573 }, 37574 { 37575 "type": "WEB", 37576 "url": "https://lists.apache.org/thread.html/r8890b8f18f1de821595792b58b968a89692a255bc20d86d395270740@%3Ccommits.druid.apache.org%3E" 37577 }, 37578 { 37579 "type": "WEB", 37580 "url": 
"https://lists.apache.org/thread.html/r8418a0dff1729f19cf1024937e23a2db4c0f94f2794a423f5c10e8e7@%3Cissues.bookkeeper.apache.org%3E" 37581 }, 37582 { 37583 "type": "WEB", 37584 "url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E" 37585 }, 37586 { 37587 "type": "WEB", 37588 "url": "https://lists.apache.org/thread.html/r7f462c69d5ded4c0223e014d95a3496690423c5f6f05c09e2f2a407a@%3Cjira.kafka.apache.org%3E" 37589 }, 37590 { 37591 "type": "WEB", 37592 "url": "https://lists.apache.org/thread.html/r7bcdc710857725c311b856c0b82cee6207178af5dcde1bd43d289826@%3Cissues.activemq.apache.org%3E" 37593 }, 37594 { 37595 "type": "WEB", 37596 "url": "https://lists.apache.org/thread.html/r7a1acc95373105169bd44df710c2f462cad31fb805364d2958a5ee03@%3Cjira.kafka.apache.org%3E" 37597 }, 37598 { 37599 "type": "WEB", 37600 "url": "https://lists.apache.org/thread.html/r746fbc3fc13aee292ae6851f7a5080f592fa3a67b983c6887cdb1fc5@%3Cdev.tika.apache.org%3E" 37601 }, 37602 { 37603 "type": "WEB", 37604 "url": "https://lists.apache.org/thread.html/r71e26f9c2d5826c6f95ad60f7d052d75e1e70b0d2dd853db6fc26d5f@%3Cjira.kafka.apache.org%3E" 37605 }, 37606 { 37607 "type": "WEB", 37608 "url": "https://lists.apache.org/thread.html/r6d34da5a0ca17ab08179a30c971446c7421af0e96f6d60867eabfc52@%3Cissues.bookkeeper.apache.org%3E" 37609 }, 37610 { 37611 "type": "WEB", 37612 "url": "https://lists.apache.org/thread.html/r6b45a2fcc8e98ac93a179183dbb7f340027bdb8e3ab393418076b153@%3Ccommon-issues.hadoop.apache.org%3E" 37613 }, 37614 { 37615 "type": "WEB", 37616 "url": "https://lists.apache.org/thread.html/r6aec6b8f70167fa325fb98b3b5c9ce0ffaed026e697b69b85ac24628@%3Cissues.zookeeper.apache.org%3E" 37617 }, 37618 { 37619 "type": "WEB", 37620 "url": "https://lists.apache.org/thread.html/r696507338dd5f44efc23d98cafe30f217cf3ba78e77ed1324c7a5179@%3Cjira.kafka.apache.org%3E" 37621 }, 37622 { 37623 "type": "WEB", 37624 "url": 
"https://lists.apache.org/thread.html/r681b4432d0605f327b68b9f8a42662993e699d04614de4851c35ffd1@%3Cdev.tika.apache.org%3E" 37625 }, 37626 { 37627 "type": "WEB", 37628 "url": "https://lists.apache.org/thread.html/r6236b5f8646d48af8b66d5050f288304016840788e508c883356fe0e@%3Clog4j-user.logging.apache.org%3E" 37629 }, 37630 { 37631 "type": "WEB", 37632 "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E" 37633 }, 37634 { 37635 "type": "WEB", 37636 "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E" 37637 }, 37638 { 37639 "type": "WEB", 37640 "url": "https://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a2b41d447256d51a78@%3Cissues.activemq.apache.org%3E" 37641 }, 37642 { 37643 "type": "WEB", 37644 "url": "https://lists.apache.org/thread.html/r5c084578b3e3b40bd903c9d9e525097421bcd88178e672f612102eb2@%3Cjira.kafka.apache.org%3E" 37645 }, 37646 { 37647 "type": "WEB", 37648 "url": "https://lists.apache.org/thread.html/r594411f4bddebaf48a4c70266d0b7849e0d82bb72826f61b3a35bba7@%3Cissues.bookkeeper.apache.org%3E" 37649 }, 37650 { 37651 "type": "WEB", 37652 "url": "https://lists.apache.org/thread.html/r52a5129df402352adc34d052bab9234c8ef63596306506a89fdc7328@%3Cusers.activemq.apache.org%3E" 37653 }, 37654 { 37655 "type": "WEB", 37656 "url": "https://lists.apache.org/thread.html/r4b25538be50126194cc646836c718b1a4d8f71bd9c912af5b59134ad@%3Cdev.tika.apache.org%3E" 37657 }, 37658 { 37659 "type": "WEB", 37660 "url": "https://lists.apache.org/thread.html/r4ac89cbecd9e298ae9fafb5afda6fa77ac75c78d1ac957837e066c4e@%3Cuser.zookeeper.apache.org%3E" 37661 }, 37662 { 37663 "type": "WEB", 37664 "url": "https://lists.apache.org/thread.html/r48efc7cb5aeb4e1f67aaa06fb4b5479a5635d12f07d0b93fc2d08809@%3Ccommits.zookeeper.apache.org%3E" 37665 }, 37666 { 37667 "type": "WEB", 37668 "url": 
"https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8@%3Ccommits.zookeeper.apache.org%3E" 37669 }, 37670 { 37671 "type": "WEB", 37672 "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00022.html" 37673 } 37674 ], 37675 "schema_version": "1.6.0", 37676 "severity": [ 37677 { 37678 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 37679 "type": "CVSS_V3" 37680 } 37681 ], 37682 "summary": "Deserialization of Untrusted Data in Log4j" 37683 }, 37684 { 37685 "affected": [ 37686 { 37687 "database_specific": { 37688 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-65fg-84f6-3jq3/GHSA-65fg-84f6-3jq3.json" 37689 }, 37690 "package": { 37691 "ecosystem": "Maven", 37692 "name": "log4j:log4j", 37693 "purl": "pkg:maven/log4j/log4j" 37694 }, 37695 "ranges": [ 37696 { 37697 "events": [ 37698 { 37699 "introduced": "0" 37700 }, 37701 { 37702 "last_affected": "1.2.17" 37703 } 37704 ], 37705 "type": "ECOSYSTEM" 37706 } 37707 ], 37708 "versions": [ 37709 "1.1.3", 37710 "1.2.11", 37711 "1.2.12", 37712 "1.2.13", 37713 "1.2.14", 37714 "1.2.15", 37715 "1.2.16", 37716 "1.2.17", 37717 "1.2.4", 37718 "1.2.5", 37719 "1.2.6", 37720 "1.2.7", 37721 "1.2.8", 37722 "1.2.9" 37723 ] 37724 }, 37725 { 37726 "database_specific": { 37727 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-65fg-84f6-3jq3/GHSA-65fg-84f6-3jq3.json" 37728 }, 37729 "package": { 37730 "ecosystem": "Maven", 37731 "name": "org.zenframework.z8.dependencies.commons:log4j-1.2.17", 37732 "purl": "pkg:maven/org.zenframework.z8.dependencies.commons/log4j-1.2.17" 37733 }, 37734 "ranges": [ 37735 { 37736 "events": [ 37737 { 37738 "introduced": "0" 37739 }, 37740 { 37741 "last_affected": "2.0" 37742 } 37743 ], 37744 "type": "ECOSYSTEM" 37745 } 37746 ], 37747 "versions": [ 37748 "2.0" 37749 ] 37750 } 37751 ], 37752 "aliases": [ 37753 "CVE-2022-23305" 37754 ], 
37755 "database_specific": { 37756 "cwe_ids": [ 37757 "CWE-89" 37758 ], 37759 "github_reviewed": true, 37760 "github_reviewed_at": "2022-01-19T22:31:49Z", 37761 "nvd_published_at": "2022-01-18T16:15:00Z", 37762 "severity": "CRITICAL" 37763 }, 37764 "details": "By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. 
Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", 37765 "id": "GHSA-65fg-84f6-3jq3", 37766 "modified": "2024-02-16T08:18:09.971724Z", 37767 "published": "2022-01-21T23:26:47Z", 37768 "references": [ 37769 { 37770 "type": "ADVISORY", 37771 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" 37772 }, 37773 { 37774 "type": "PACKAGE", 37775 "url": "https://github.com/apache/logging-log4j1" 37776 }, 37777 { 37778 "type": "WEB", 37779 "url": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y" 37780 }, 37781 { 37782 "type": "WEB", 37783 "url": "https://logging.apache.org/log4j/1.2/index.html" 37784 }, 37785 { 37786 "type": "WEB", 37787 "url": "https://security.netapp.com/advisory/ntap-20220217-0007" 37788 }, 37789 { 37790 "type": "WEB", 37791 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 37792 }, 37793 { 37794 "type": "WEB", 37795 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 37796 }, 37797 { 37798 "type": "WEB", 37799 "url": "http://www.openwall.com/lists/oss-security/2022/01/18/4" 37800 } 37801 ], 37802 "schema_version": "1.6.0", 37803 "severity": [ 37804 { 37805 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 37806 "type": "CVSS_V3" 37807 } 37808 ], 37809 "summary": "SQL Injection in Log4j 1.2.x" 37810 }, 37811 { 37812 "affected": [ 37813 { 37814 "database_specific": { 37815 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-f7vh-qwp3-x37m/GHSA-f7vh-qwp3-x37m.json" 37816 }, 37817 "package": { 37818 "ecosystem": "Maven", 37819 "name": "log4j:log4j", 37820 "purl": "pkg:maven/log4j/log4j" 37821 }, 37822 "ranges": [ 37823 { 37824 "events": [ 37825 { 37826 "introduced": "0" 37827 }, 37828 { 37829 "last_affected": "1.2.17" 37830 } 37831 ], 37832 "type": "ECOSYSTEM" 37833 } 37834 ], 37835 "versions": [ 37836 "1.1.3", 37837 "1.2.11", 37838 "1.2.12", 37839 "1.2.13", 37840 "1.2.14", 37841 "1.2.15", 37842 
"1.2.16", 37843 "1.2.17", 37844 "1.2.4", 37845 "1.2.5", 37846 "1.2.6", 37847 "1.2.7", 37848 "1.2.8", 37849 "1.2.9" 37850 ] 37851 }, 37852 { 37853 "database_specific": { 37854 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-f7vh-qwp3-x37m/GHSA-f7vh-qwp3-x37m.json" 37855 }, 37856 "package": { 37857 "ecosystem": "Maven", 37858 "name": "org.zenframework.z8.dependencies.commons:log4j-1.2.17", 37859 "purl": "pkg:maven/org.zenframework.z8.dependencies.commons/log4j-1.2.17" 37860 }, 37861 "ranges": [ 37862 { 37863 "events": [ 37864 { 37865 "introduced": "0" 37866 }, 37867 { 37868 "last_affected": "2.0" 37869 } 37870 ], 37871 "type": "ECOSYSTEM" 37872 } 37873 ], 37874 "versions": [ 37875 "2.0" 37876 ] 37877 } 37878 ], 37879 "aliases": [ 37880 "CVE-2022-23307" 37881 ], 37882 "database_specific": { 37883 "cwe_ids": [ 37884 "CWE-502" 37885 ], 37886 "github_reviewed": true, 37887 "github_reviewed_at": "2022-06-20T22:48:35Z", 37888 "nvd_published_at": "2022-01-18T16:15:00Z", 37889 "severity": "CRITICAL" 37890 }, 37891 "details": "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. 
Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.\n\nUsers are advised to migrate from `log4j:log4j` to `org.apache.logging.log4j:log4j` for an updated version of the library.", 37892 "id": "GHSA-f7vh-qwp3-x37m", 37893 "modified": "2024-02-16T08:22:45.37439Z", 37894 "published": "2022-01-19T00:01:15Z", 37895 "references": [ 37896 { 37897 "type": "ADVISORY", 37898 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" 37899 }, 37900 { 37901 "type": "WEB", 37902 "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh" 37903 }, 37904 { 37905 "type": "WEB", 37906 "url": "https://logging.apache.org/log4j/1.2/index.html" 37907 }, 37908 { 37909 "type": "WEB", 37910 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 37911 }, 37912 { 37913 "type": "WEB", 37914 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 37915 } 37916 ], 37917 "schema_version": "1.6.0", 37918 "severity": [ 37919 { 37920 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 37921 "type": "CVSS_V3" 37922 } 37923 ], 37924 "summary": "Deserialization of Untrusted Data in Apache Log4j" 37925 }, 37926 { 37927 "affected": [ 37928 { 37929 "database_specific": { 37930 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-fp5r-v3w9-4333/GHSA-fp5r-v3w9-4333.json" 37931 }, 37932 "package": { 37933 "ecosystem": "Maven", 37934 "name": "log4j:log4j", 37935 "purl": "pkg:maven/log4j/log4j" 37936 }, 37937 "ranges": [ 37938 { 37939 "events": [ 37940 { 37941 "introduced": "1.2.0" 37942 }, 37943 { 37944 "last_affected": "1.2.17" 37945 } 37946 ], 37947 "type": "ECOSYSTEM" 37948 } 37949 ], 37950 "versions": [ 37951 "1.2.11", 37952 "1.2.12", 37953 "1.2.13", 37954 "1.2.14", 37955 "1.2.15", 37956 "1.2.16", 37957 "1.2.17", 37958 "1.2.4", 37959 "1.2.5", 37960 "1.2.6", 37961 "1.2.7", 37962 "1.2.8", 37963 "1.2.9" 37964 ] 37965 }, 37966 { 37967 "database_specific": { 37968 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-fp5r-v3w9-4333/GHSA-fp5r-v3w9-4333.json" 37969 }, 37970 "package": { 37971 "ecosystem": "Maven", 37972 "name": "org.zenframework.z8.dependencies.commons:log4j-1.2.17", 37973 "purl": "pkg:maven/org.zenframework.z8.dependencies.commons/log4j-1.2.17" 37974 }, 37975 "ranges": [ 37976 { 37977 "events": [ 37978 { 37979 "introduced": "0" 37980 }, 37981 { 37982 "last_affected": "2.0" 37983 } 37984 ], 37985 "type": "ECOSYSTEM" 37986 } 37987 ], 37988 "versions": [ 37989 "2.0" 37990 ] 37991 } 37992 ], 37993 "aliases": [ 37994 "CVE-2021-4104" 37995 ], 37996 "database_specific": { 37997 "cwe_ids": [ 37998 "CWE-502" 37999 ], 38000 "github_reviewed": true, 38001 "github_reviewed_at": "2021-12-14T19:47:27Z", 38002 "nvd_published_at": "2021-12-14T12:15:00Z", 38003 "severity": "HIGH" 38004 }, 38005 "details": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. 
Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", 38006 "id": "GHSA-fp5r-v3w9-4333", 38007 "modified": "2024-02-16T08:10:41.694989Z", 38008 "published": "2021-12-14T19:49:31Z", 38009 "references": [ 38010 { 38011 "type": "ADVISORY", 38012 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" 38013 }, 38014 { 38015 "type": "WEB", 38016 "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" 38017 }, 38018 { 38019 "type": "WEB", 38020 "url": "https://access.redhat.com/security/cve/CVE-2021-4104" 38021 }, 38022 { 38023 "type": "PACKAGE", 38024 "url": "https://github.com/apache/logging-log4j2" 38025 }, 38026 { 38027 "type": "WEB", 38028 "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033" 38029 }, 38030 { 38031 "type": "WEB", 38032 "url": "https://security.gentoo.org/glsa/202209-02" 38033 }, 38034 { 38035 "type": "WEB", 38036 "url": "https://security.gentoo.org/glsa/202310-16" 38037 }, 38038 { 38039 "type": "WEB", 38040 "url": "https://security.gentoo.org/glsa/202312-02" 38041 }, 38042 { 38043 "type": "WEB", 38044 "url": "https://security.gentoo.org/glsa/202312-04" 38045 }, 38046 { 38047 "type": "WEB", 38048 "url": "https://security.netapp.com/advisory/ntap-20211223-0007" 38049 }, 38050 { 38051 "type": "WEB", 38052 "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" 38053 }, 38054 { 38055 "type": "WEB", 38056 "url": "https://www.kb.cert.org/vuls/id/930724" 38057 }, 38058 { 38059 "type": "WEB", 38060 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 38061 }, 38062 { 38063 "type": "WEB", 38064 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 38065 }, 38066 { 38067 "type": "WEB", 38068 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 38069 }, 38070 { 38071 "type": "WEB", 38072 "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3" 38073 } 38074 ], 38075 "schema_version": "1.6.0", 38076 "severity": [ 38077 { 38078 
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", 38079 "type": "CVSS_V3" 38080 } 38081 ], 38082 "summary": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data" 38083 }, 38084 { 38085 "affected": [ 38086 { 38087 "database_specific": { 38088 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-w9p3-5cr8-m3jj/GHSA-w9p3-5cr8-m3jj.json" 38089 }, 38090 "package": { 38091 "ecosystem": "Maven", 38092 "name": "log4j:log4j", 38093 "purl": "pkg:maven/log4j/log4j" 38094 }, 38095 "ranges": [ 38096 { 38097 "events": [ 38098 { 38099 "introduced": "0" 38100 }, 38101 { 38102 "last_affected": "1.2.17" 38103 } 38104 ], 38105 "type": "ECOSYSTEM" 38106 } 38107 ], 38108 "versions": [ 38109 "1.1.3", 38110 "1.2.11", 38111 "1.2.12", 38112 "1.2.13", 38113 "1.2.14", 38114 "1.2.15", 38115 "1.2.16", 38116 "1.2.17", 38117 "1.2.4", 38118 "1.2.5", 38119 "1.2.6", 38120 "1.2.7", 38121 "1.2.8", 38122 "1.2.9" 38123 ] 38124 }, 38125 { 38126 "database_specific": { 38127 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-w9p3-5cr8-m3jj/GHSA-w9p3-5cr8-m3jj.json" 38128 }, 38129 "package": { 38130 "ecosystem": "Maven", 38131 "name": "org.zenframework.z8.dependencies.commons:log4j-1.2.17", 38132 "purl": "pkg:maven/org.zenframework.z8.dependencies.commons/log4j-1.2.17" 38133 }, 38134 "ranges": [ 38135 { 38136 "events": [ 38137 { 38138 "introduced": "0" 38139 }, 38140 { 38141 "last_affected": "2.0" 38142 } 38143 ], 38144 "type": "ECOSYSTEM" 38145 } 38146 ], 38147 "versions": [ 38148 "2.0" 38149 ] 38150 } 38151 ], 38152 "aliases": [ 38153 "CVE-2022-23302" 38154 ], 38155 "database_specific": { 38156 "cwe_ids": [ 38157 "CWE-502" 38158 ], 38159 "github_reviewed": true, 38160 "github_reviewed_at": "2022-01-19T22:31:40Z", 38161 "nvd_published_at": "2022-01-18T16:15:00Z", 38162 "severity": "HIGH" 38163 }, 38164 "details": "JMSSink in all versions of Log4j 1.x is vulnerable to 
deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", 38165 "id": "GHSA-w9p3-5cr8-m3jj", 38166 "modified": "2024-02-16T08:25:11.246999Z", 38167 "published": "2022-01-21T23:27:14Z", 38168 "references": [ 38169 { 38170 "type": "ADVISORY", 38171 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" 38172 }, 38173 { 38174 "type": "PACKAGE", 38175 "url": "https://github.com/apache/logging-log4j1" 38176 }, 38177 { 38178 "type": "WEB", 38179 "url": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w" 38180 }, 38181 { 38182 "type": "WEB", 38183 "url": "https://logging.apache.org/log4j/1.2/index.html" 38184 }, 38185 { 38186 "type": "WEB", 38187 "url": "https://security.netapp.com/advisory/ntap-20220217-0006" 38188 }, 38189 { 38190 "type": "WEB", 38191 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 38192 }, 38193 { 38194 "type": "WEB", 38195 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 38196 }, 38197 { 38198 "type": "WEB", 38199 "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3" 38200 } 38201 ], 38202 "schema_version": "1.6.0", 38203 "severity": [ 38204 { 38205 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 38206 "type": "CVSS_V3" 38207 } 38208 ], 38209 "summary": "Deserialization of Untrusted Data in Log4j 1.x" 38210 }, 38211 { 38212 "affected": [ 38213 { 38214 "database_specific": { 38215 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-3xrr-7m6p-p7xh/GHSA-3xrr-7m6p-p7xh.json" 38216 }, 38217 "package": { 38218 "ecosystem": "Maven", 38219 "name": "net.sourceforge.htmlunit:htmlunit", 38220 "purl": "pkg:maven/net.sourceforge.htmlunit/htmlunit" 38221 }, 38222 "ranges": [ 38223 { 38224 "events": [ 38225 { 38226 "introduced": "0" 38227 }, 38228 { 38229 "fixed": "3.0.0" 38230 } 38231 ], 38232 "type": "ECOSYSTEM" 38233 } 38234 ], 38235 "versions": [ 38236 "1.14", 38237 "2.0", 38238 "2.1", 38239 "2.1.5", 38240 "2.10", 38241 "2.11", 38242 "2.12", 38243 "2.13", 38244 "2.14", 38245 "2.15", 38246 "2.16", 38247 "2.17", 38248 "2.18", 38249 "2.19", 38250 "2.2", 38251 "2.20", 38252 "2.21", 38253 "2.22", 38254 "2.23", 38255 "2.24", 38256 "2.25", 38257 "2.26", 38258 "2.27", 38259 "2.28", 38260 "2.29", 38261 "2.3", 38262 "2.30", 38263 "2.31", 38264 "2.32", 38265 "2.33", 38266 "2.34.0", 38267 "2.34.1", 38268 "2.35.0", 38269 "2.36.0", 38270 "2.37.0", 38271 "2.38.0", 38272 "2.39.0", 38273 "2.39.1", 38274 "2.4", 38275 "2.40.0", 38276 "2.41.0", 38277 "2.42.0", 38278 "2.43.0", 38279 "2.44.0", 38280 "2.45.0", 38281 "2.46.0", 38282 "2.47.0", 38283 "2.47.1", 38284 "2.48.0", 38285 "2.49.0", 38286 "2.49.1", 38287 "2.5", 38288 "2.50.0", 38289 "2.51.0", 38290 "2.52.0", 38291 "2.53.0", 38292 "2.54.0", 38293 "2.55.0", 38294 "2.56.0", 38295 "2.57.0", 38296 "2.58.0", 38297 "2.59.0", 38298 "2.6", 38299 "2.60.0", 38300 "2.61.0", 38301 "2.62.0", 38302 "2.63.0", 38303 "2.64.0", 38304 "2.65.0", 38305 "2.65.1", 38306 "2.66.0", 38307 "2.67.0", 38308 "2.68.0", 38309 "2.69.0", 38310 "2.7", 38311 "2.70.0", 38312 "2.8", 38313 "2.9" 38314 ] 38315 } 38316 ], 38317 "aliases": [ 38318 "CVE-2023-26119" 38319 ], 38320 "database_specific": { 38321 "cwe_ids": [ 38322 "CWE-74", 38323 "CWE-94" 38324 ], 38325 "github_reviewed": true, 38326 "github_reviewed_at": "2023-07-06T22:00:23Z", 38327 "nvd_published_at": "2023-04-03T05:15:00Z", 38328 "severity": "CRITICAL" 
38329 }, 38330 "details": "Versions of the package `net.sourceforge.htmlunit:htmlunit` from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage.", 38331 "id": "GHSA-3xrr-7m6p-p7xh", 38332 "modified": "2024-02-17T05:32:04.097962Z", 38333 "published": "2023-07-06T19:24:13Z", 38334 "references": [ 38335 { 38336 "type": "ADVISORY", 38337 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26119" 38338 }, 38339 { 38340 "type": "WEB", 38341 "url": "https://github.com/HtmlUnit/htmlunit/commit/641325bbc84702dc9800ec7037aec061ce21956b" 38342 }, 38343 { 38344 "type": "PACKAGE", 38345 "url": "https://github.com/HtmlUnit/htmlunit" 38346 }, 38347 { 38348 "type": "WEB", 38349 "url": "https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEHTMLUNIT-3252500" 38350 }, 38351 { 38352 "type": "WEB", 38353 "url": "https://siebene.github.io/2022/12/30/HtmlUnit-RCE" 38354 } 38355 ], 38356 "schema_version": "1.6.0", 38357 "severity": [ 38358 { 38359 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 38360 "type": "CVSS_V3" 38361 } 38362 ], 38363 "summary": "HtmlUnit Code Injection vulnerability" 38364 }, 38365 { 38366 "affected": [ 38367 { 38368 "database_specific": { 38369 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-5mh9-r3rr-9597/GHSA-5mh9-r3rr-9597.json" 38370 }, 38371 "package": { 38372 "ecosystem": "Maven", 38373 "name": "net.sourceforge.htmlunit:htmlunit", 38374 "purl": "pkg:maven/net.sourceforge.htmlunit/htmlunit" 38375 }, 38376 "ranges": [ 38377 { 38378 "events": [ 38379 { 38380 "introduced": "0" 38381 }, 38382 { 38383 "fixed": "2.37.0" 38384 } 38385 ], 38386 "type": "ECOSYSTEM" 38387 } 38388 ], 38389 "versions": [ 38390 "1.14", 38391 "2.0", 38392 "2.1", 38393 "2.1.5", 38394 "2.10", 38395 "2.11", 38396 "2.12", 38397 "2.13", 38398 "2.14", 38399 "2.15", 38400 "2.16", 38401 "2.17", 38402 "2.18", 38403 "2.19", 38404 "2.2", 38405 "2.20", 38406 "2.21", 38407 "2.22", 
38408 "2.23", 38409 "2.24", 38410 "2.25", 38411 "2.26", 38412 "2.27", 38413 "2.28", 38414 "2.29", 38415 "2.3", 38416 "2.30", 38417 "2.31", 38418 "2.32", 38419 "2.33", 38420 "2.34.0", 38421 "2.34.1", 38422 "2.35.0", 38423 "2.36.0", 38424 "2.4", 38425 "2.5", 38426 "2.6", 38427 "2.7", 38428 "2.8", 38429 "2.9" 38430 ] 38431 } 38432 ], 38433 "aliases": [ 38434 "CVE-2020-5529" 38435 ], 38436 "database_specific": { 38437 "cwe_ids": [ 38438 "CWE-665" 38439 ], 38440 "github_reviewed": true, 38441 "github_reviewed_at": "2020-05-21T17:25:38Z", 38442 "nvd_published_at": "2020-02-11T12:15:00Z", 38443 "severity": "HIGH" 38444 }, 38445 "details": "HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious JavScript code can execute arbitrary Java code on the application. Moreover, when embedded in Android application, Android-specific initialization of Rhino engine is done in an improper way, hence a malicious JavaScript code can execute arbitrary Java code on the application. 
", 38446 "id": "GHSA-5mh9-r3rr-9597", 38447 "modified": "2024-02-17T05:35:45.707621Z", 38448 "published": "2020-05-21T21:08:33Z", 38449 "references": [ 38450 { 38451 "type": "ADVISORY", 38452 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5529" 38453 }, 38454 { 38455 "type": "WEB", 38456 "url": "https://github.com/HtmlUnit/htmlunit/commit/bc1f58d483cc8854a9c4c1739abd5e04a2eb0367" 38457 }, 38458 { 38459 "type": "PACKAGE", 38460 "url": "https://github.com/HtmlUnit/htmlunit" 38461 }, 38462 { 38463 "type": "WEB", 38464 "url": "https://github.com/HtmlUnit/htmlunit/releases/tag/2.37.0" 38465 }, 38466 { 38467 "type": "WEB", 38468 "url": "https://jvn.jp/en/jp/JVN34535327" 38469 }, 38470 { 38471 "type": "WEB", 38472 "url": "https://lists.apache.org/thread.html/ra2cd7f8e61dc6b8a2d9065094cd1f46aa63ad10f237ee363e26e8563%40%3Ccommits.camel.apache.org%3E" 38473 }, 38474 { 38475 "type": "WEB", 38476 "url": "https://lists.apache.org/thread.html/ra2cd7f8e61dc6b8a2d9065094cd1f46aa63ad10f237ee363e26e8563@%3Ccommits.camel.apache.org%3E" 38477 }, 38478 { 38479 "type": "WEB", 38480 "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00023.html" 38481 }, 38482 { 38483 "type": "WEB", 38484 "url": "https://usn.ubuntu.com/4584-1" 38485 } 38486 ], 38487 "schema_version": "1.6.0", 38488 "severity": [ 38489 { 38490 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 38491 "type": "CVSS_V3" 38492 } 38493 ], 38494 "summary": "Code execution vulnerability in HtmlUnit" 38495 }, 38496 { 38497 "affected": [ 38498 { 38499 "database_specific": { 38500 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-6jmm-mp6w-4rrg/GHSA-6jmm-mp6w-4rrg.json" 38501 }, 38502 "package": { 38503 "ecosystem": "Maven", 38504 "name": "net.sourceforge.htmlunit:neko-htmlunit", 38505 "purl": "pkg:maven/net.sourceforge.htmlunit/neko-htmlunit" 38506 }, 38507 "ranges": [ 38508 { 38509 "events": [ 38510 { 38511 "introduced": "0" 38512 }, 38513 { 38514 
"fixed": "2.61.0" 38515 } 38516 ], 38517 "type": "ECOSYSTEM" 38518 } 38519 ], 38520 "versions": [ 38521 "2.21", 38522 "2.23", 38523 "2.24", 38524 "2.25", 38525 "2.27", 38526 "2.28", 38527 "2.30", 38528 "2.31", 38529 "2.32", 38530 "2.33", 38531 "2.34.0", 38532 "2.35.0", 38533 "2.36.0", 38534 "2.37.0", 38535 "2.38.0", 38536 "2.39.0", 38537 "2.40.0", 38538 "2.41.0", 38539 "2.42.0", 38540 "2.43.0", 38541 "2.44.0", 38542 "2.45.0", 38543 "2.46.0", 38544 "2.47.0", 38545 "2.47.1", 38546 "2.48.0", 38547 "2.49.0", 38548 "2.50.0", 38549 "2.51.0", 38550 "2.52.0", 38551 "2.53.0", 38552 "2.54.0", 38553 "2.55.0", 38554 "2.56.0", 38555 "2.57.0", 38556 "2.58.0", 38557 "2.59.0", 38558 "2.60.0" 38559 ] 38560 } 38561 ], 38562 "aliases": [ 38563 "CVE-2022-29546" 38564 ], 38565 "database_specific": { 38566 "cwe_ids": [ 38567 "CWE-400" 38568 ], 38569 "github_reviewed": true, 38570 "github_reviewed_at": "2022-04-26T21:14:57Z", 38571 "nvd_published_at": "2022-04-25T03:15:00Z", 38572 "severity": "HIGH" 38573 }, 38574 "details": "### Impact\nNekoHtml Parser suffers from a denial of service vulnerability on versions 2.60.0 and below. A specifically crafted input regarding the parsing of processing instructions leads to heap memory consumption. 
Please update to version 2.61.0.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [https://github.com/HtmlUnit/htmlunit-neko](https://github.com/HtmlUnit/htmlunit-neko)\n* Email us at [rbri at rbri.de]\n", 38575 "id": "GHSA-6jmm-mp6w-4rrg", 38576 "modified": "2023-11-08T04:09:13.64201Z", 38577 "published": "2022-04-26T21:14:57Z", 38578 "references": [ 38579 { 38580 "type": "WEB", 38581 "url": "https://github.com/HtmlUnit/htmlunit-neko/security/advisories/GHSA-6jmm-mp6w-4rrg" 38582 }, 38583 { 38584 "type": "ADVISORY", 38585 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29546" 38586 }, 38587 { 38588 "type": "WEB", 38589 "url": "https://github.com/HtmlUnit/htmlunit-neko/commit/9d2aecd69223469e40c12ca3edddda09009110cc" 38590 }, 38591 { 38592 "type": "PACKAGE", 38593 "url": "https://github.com/HtmlUnit/htmlunit-neko" 38594 } 38595 ], 38596 "schema_version": "1.6.0", 38597 "severity": [ 38598 { 38599 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 38600 "type": "CVSS_V3" 38601 } 38602 ], 38603 "summary": "OutOfMemory Exception by specifically crafted processing instruction in NekoHtml Parser" 38604 }, 38605 { 38606 "affected": [ 38607 { 38608 "database_specific": { 38609 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-g9hh-vvx3-v37v/GHSA-g9hh-vvx3-v37v.json" 38610 }, 38611 "package": { 38612 "ecosystem": "Maven", 38613 "name": "net.sourceforge.htmlunit:neko-htmlunit", 38614 "purl": "pkg:maven/net.sourceforge.htmlunit/neko-htmlunit" 38615 }, 38616 "ranges": [ 38617 { 38618 "events": [ 38619 { 38620 "introduced": "0" 38621 }, 38622 { 38623 "fixed": "2.27" 38624 } 38625 ], 38626 "type": "ECOSYSTEM" 38627 } 38628 ], 38629 "versions": [ 38630 "2.21", 38631 "2.23", 38632 "2.24", 38633 "2.25" 38634 ] 38635 } 38636 ], 38637 "aliases": [ 38638 "CVE-2022-28366" 38639 ], 38640 "database_specific": { 38641 "cwe_ids": [], 38642 "github_reviewed": true, 
38643 "github_reviewed_at": "2022-04-26T20:12:38Z", 38644 "nvd_published_at": "2022-04-21T23:15:00Z", 38645 "severity": "HIGH" 38646 }, 38647 "details": "Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24939.", 38648 "id": "GHSA-g9hh-vvx3-v37v", 38649 "modified": "2024-02-20T05:33:28.550353Z", 38650 "published": "2022-04-23T00:03:04Z", 38651 "references": [ 38652 { 38653 "type": "ADVISORY", 38654 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28366" 38655 }, 38656 { 38657 "type": "PACKAGE", 38658 "url": "https://github.com/HtmlUnit/htmlunit-neko" 38659 }, 38660 { 38661 "type": "WEB", 38662 "url": "https://github.com/nahsra/antisamy/releases/tag/v1.6.6" 38663 }, 38664 { 38665 "type": "WEB", 38666 "url": "https://search.maven.org/artifact/net.sourceforge.htmlunit/neko-htmlunit" 38667 }, 38668 { 38669 "type": "WEB", 38670 "url": "https://sourceforge.net/projects/htmlunit/files/htmlunit/2.27" 38671 } 38672 ], 38673 "schema_version": "1.6.0", 38674 "severity": [ 38675 { 38676 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 38677 "type": "CVSS_V3" 38678 } 38679 ], 38680 "summary": "Denial of service in HtmlUnit-Neko" 38681 }, 38682 { 38683 "affected": [ 38684 { 38685 "database_specific": { 38686 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-rhrv-645h-fjfh/GHSA-rhrv-645h-fjfh.json" 38687 }, 38688 "package": { 38689 "ecosystem": "Maven", 38690 "name": "org.apache.avro:avro", 38691 "purl": "pkg:maven/org.apache.avro/avro" 38692 }, 38693 "ranges": [ 38694 { 38695 "events": [ 38696 { 38697 "introduced": "0" 38698 }, 38699 { 38700 
"fixed": "1.11.3" 38701 } 38702 ], 38703 "type": "ECOSYSTEM" 38704 } 38705 ], 38706 "versions": [ 38707 "1.10.0", 38708 "1.10.1", 38709 "1.10.2", 38710 "1.11.0", 38711 "1.11.1", 38712 "1.11.2", 38713 "1.4.0", 38714 "1.4.1", 38715 "1.5.0", 38716 "1.5.1", 38717 "1.5.2", 38718 "1.5.3", 38719 "1.5.4", 38720 "1.6.0", 38721 "1.6.1", 38722 "1.6.2", 38723 "1.6.3", 38724 "1.7.0", 38725 "1.7.1", 38726 "1.7.2", 38727 "1.7.3", 38728 "1.7.4", 38729 "1.7.5", 38730 "1.7.6", 38731 "1.7.7", 38732 "1.8.0", 38733 "1.8.1", 38734 "1.8.2", 38735 "1.9.0", 38736 "1.9.1", 38737 "1.9.2" 38738 ] 38739 }, 38740 { 38741 "database_specific": { 38742 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-rhrv-645h-fjfh/GHSA-rhrv-645h-fjfh.json" 38743 }, 38744 "package": { 38745 "ecosystem": "PyPI", 38746 "name": "avro", 38747 "purl": "pkg:pypi/avro" 38748 }, 38749 "ranges": [ 38750 { 38751 "events": [ 38752 { 38753 "introduced": "0" 38754 }, 38755 { 38756 "fixed": "1.11.3" 38757 } 38758 ], 38759 "type": "ECOSYSTEM" 38760 } 38761 ], 38762 "versions": [ 38763 "1.10.0", 38764 "1.10.1", 38765 "1.10.2", 38766 "1.11.0", 38767 "1.11.1", 38768 "1.11.2", 38769 "1.3.3", 38770 "1.4.1", 38771 "1.5.0", 38772 "1.5.1", 38773 "1.5.2", 38774 "1.5.3", 38775 "1.5.4", 38776 "1.6.0", 38777 "1.6.1", 38778 "1.6.2", 38779 "1.6.3", 38780 "1.7.0", 38781 "1.7.1", 38782 "1.7.2", 38783 "1.7.3", 38784 "1.7.4", 38785 "1.7.5", 38786 "1.7.6", 38787 "1.7.7", 38788 "1.8.0", 38789 "1.8.1", 38790 "1.8.2", 38791 "1.9.0", 38792 "1.9.1", 38793 "1.9.2" 38794 ] 38795 } 38796 ], 38797 "aliases": [ 38798 "CVE-2023-39410", 38799 "PYSEC-2023-188" 38800 ], 38801 "database_specific": { 38802 "cwe_ids": [ 38803 "CWE-20", 38804 "CWE-502" 38805 ], 38806 "github_reviewed": true, 38807 "github_reviewed_at": "2023-09-29T22:06:14Z", 38808 "nvd_published_at": "2023-09-29T17:15:46Z", 38809 "severity": "HIGH" 38810 }, 38811 "details": "When deserializing untrusted or corrupted data, it is possible for a 
reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.\n\nThis issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.\n\n", 38812 "id": "GHSA-rhrv-645h-fjfh", 38813 "modified": "2024-06-25T02:34:10.322533Z", 38814 "published": "2023-09-29T18:30:22Z", 38815 "references": [ 38816 { 38817 "type": "ADVISORY", 38818 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39410" 38819 }, 38820 { 38821 "type": "WEB", 38822 "url": "https://github.com/apache/avro/commit/a12a7e44ddbe060c3dc731863cad5c15f9267828" 38823 }, 38824 { 38825 "type": "PACKAGE", 38826 "url": "https://github.com/apache/avro" 38827 }, 38828 { 38829 "type": "WEB", 38830 "url": "https://github.com/pypa/advisory-database/tree/main/vulns/avro/PYSEC-2023-188.yaml" 38831 }, 38832 { 38833 "type": "WEB", 38834 "url": "https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds" 38835 }, 38836 { 38837 "type": "WEB", 38838 "url": "https://security.netapp.com/advisory/ntap-20240621-0006" 38839 }, 38840 { 38841 "type": "WEB", 38842 "url": "https://www.openwall.com/lists/oss-security/2023/09/29/6" 38843 }, 38844 { 38845 "type": "WEB", 38846 "url": "http://www.openwall.com/lists/oss-security/2023/09/29/6" 38847 } 38848 ], 38849 "related": [ 38850 "CGA-8q34-h6rx-rrwj" 38851 ], 38852 "schema_version": "1.6.0", 38853 "severity": [ 38854 { 38855 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 38856 "type": "CVSS_V3" 38857 } 38858 ], 38859 "summary": "Apache Avro Java SDK vulnerable to Improper Input Validation" 38860 }, 38861 { 38862 "affected": [ 38863 { 38864 "database_specific": { 38865 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-4265-ccf5-phj5/GHSA-4265-ccf5-phj5.json" 38866 }, 38867 "package": { 38868 "ecosystem": "Maven", 38869 "name": "org.apache.commons:commons-compress", 38870 "purl": 
"pkg:maven/org.apache.commons/commons-compress" 38871 }, 38872 "ranges": [ 38873 { 38874 "events": [ 38875 { 38876 "introduced": "1.21" 38877 }, 38878 { 38879 "fixed": "1.26.0" 38880 } 38881 ], 38882 "type": "ECOSYSTEM" 38883 } 38884 ], 38885 "versions": [ 38886 "1.21", 38887 "1.22", 38888 "1.23.0", 38889 "1.24.0", 38890 "1.25.0" 38891 ] 38892 } 38893 ], 38894 "aliases": [ 38895 "CVE-2024-26308" 38896 ], 38897 "database_specific": { 38898 "cwe_ids": [ 38899 "CWE-770" 38900 ], 38901 "github_reviewed": true, 38902 "github_reviewed_at": "2024-02-20T23:59:29Z", 38903 "nvd_published_at": "2024-02-19T09:15:38Z", 38904 "severity": "MODERATE" 38905 }, 38906 "details": "Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26.\n\nUsers are recommended to upgrade to version 1.26, which fixes the issue.\n\n", 38907 "id": "GHSA-4265-ccf5-phj5", 38908 "modified": "2024-08-27T15:30:50.773089Z", 38909 "published": "2024-02-19T09:30:52Z", 38910 "references": [ 38911 { 38912 "type": "ADVISORY", 38913 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26308" 38914 }, 38915 { 38916 "type": "PACKAGE", 38917 "url": "https://github.com/apache/commons-compress" 38918 }, 38919 { 38920 "type": "WEB", 38921 "url": "https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg" 38922 }, 38923 { 38924 "type": "WEB", 38925 "url": "https://security.netapp.com/advisory/ntap-20240307-0009" 38926 }, 38927 { 38928 "type": "WEB", 38929 "url": "http://www.openwall.com/lists/oss-security/2024/02/19/2" 38930 } 38931 ], 38932 "related": [ 38933 "CGA-5jhg-gjx7-pq4m", 38934 "CGA-96mq-j5w6-4gc5", 38935 "CGA-cm9w-hfx3-j2p6", 38936 "CGA-ggv5-qcv7-p79c", 38937 "CGA-gjfq-fj8p-3fpm", 38938 "CGA-gp4f-pvwr-2rc6", 38939 "CGA-j2pm-vhxf-h6gg", 38940 "CGA-ppj7-32h7-rr4m", 38941 "CGA-rq5c-r89h-7gmf", 38942 "CGA-x85q-h487-67fx" 38943 ], 38944 "schema_version": "1.6.0", 38945 "severity": [ 38946 { 38947 "score": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", 38948 "type": "CVSS_V3" 38949 }, 38950 { 38951 "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", 38952 "type": "CVSS_V4" 38953 } 38954 ], 38955 "summary": "Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file" 38956 }, 38957 { 38958 "affected": [ 38959 { 38960 "database_specific": { 38961 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-4g9r-vxhx-9pgx/GHSA-4g9r-vxhx-9pgx.json" 38962 }, 38963 "package": { 38964 "ecosystem": "Maven", 38965 "name": "org.apache.commons:commons-compress", 38966 "purl": "pkg:maven/org.apache.commons/commons-compress" 38967 }, 38968 "ranges": [ 38969 { 38970 "events": [ 38971 { 38972 "introduced": "1.3" 38973 }, 38974 { 38975 "fixed": "1.26.0" 38976 } 38977 ], 38978 "type": "ECOSYSTEM" 38979 } 38980 ], 38981 "versions": [ 38982 "1.10", 38983 "1.11", 38984 "1.12", 38985 "1.13", 38986 "1.14", 38987 "1.15", 38988 "1.16", 38989 "1.16.1", 38990 "1.17", 38991 "1.18", 38992 "1.19", 38993 "1.20", 38994 "1.21", 38995 "1.22", 38996 "1.23.0", 38997 "1.24.0", 38998 "1.25.0", 38999 "1.3", 39000 "1.4", 39001 "1.4.1", 39002 "1.5", 39003 "1.6", 39004 "1.7", 39005 "1.8", 39006 "1.8.1", 39007 "1.9" 39008 ] 39009 } 39010 ], 39011 "aliases": [ 39012 "CVE-2024-25710" 39013 ], 39014 "database_specific": { 39015 "cwe_ids": [ 39016 "CWE-835" 39017 ], 39018 "github_reviewed": true, 39019 "github_reviewed_at": "2024-02-20T23:58:47Z", 39020 "nvd_published_at": "2024-02-19T09:15:37Z", 39021 "severity": "HIGH" 39022 }, 39023 "details": "Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. 
This issue affects Apache Commons Compress: from 1.3 through 1.25.0.\n\nUsers are recommended to upgrade to version 1.26.0 which fixes the issue.\n\n", 39024 "id": "GHSA-4g9r-vxhx-9pgx", 39025 "modified": "2024-07-15T22:00:21.067191Z", 39026 "published": "2024-02-19T09:30:50Z", 39027 "references": [ 39028 { 39029 "type": "ADVISORY", 39030 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25710" 39031 }, 39032 { 39033 "type": "PACKAGE", 39034 "url": "https://github.com/apache/commons-compress" 39035 }, 39036 { 39037 "type": "WEB", 39038 "url": "https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf" 39039 }, 39040 { 39041 "type": "WEB", 39042 "url": "https://security.netapp.com/advisory/ntap-20240307-0010" 39043 }, 39044 { 39045 "type": "WEB", 39046 "url": "http://www.openwall.com/lists/oss-security/2024/02/19/1" 39047 } 39048 ], 39049 "related": [ 39050 "CGA-2xg7-8qm4-vx87", 39051 "CGA-3wh2-6f5w-rxm4", 39052 "CGA-679f-cjh5-5f6q", 39053 "CGA-86rr-9236-xpq3", 39054 "CGA-f3gh-9fhg-9hjp", 39055 "CGA-gr35-gp4q-q78f", 39056 "CGA-hw3c-xmgp-wcw7", 39057 "CGA-jx86-68h8-6jqw", 39058 "CGA-qm27-j3j5-mwr9", 39059 "CGA-w8q8-p4r5-xxg9" 39060 ], 39061 "schema_version": "1.6.0", 39062 "severity": [ 39063 { 39064 "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", 39065 "type": "CVSS_V3" 39066 } 39067 ], 39068 "summary": "Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file" 39069 }, 39070 { 39071 "affected": [ 39072 { 39073 "database_specific": { 39074 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-53x6-4x5p-rrvv/GHSA-53x6-4x5p-rrvv.json" 39075 }, 39076 "package": { 39077 "ecosystem": "Maven", 39078 "name": "org.apache.commons:commons-compress", 39079 "purl": "pkg:maven/org.apache.commons/commons-compress" 39080 }, 39081 "ranges": [ 39082 { 39083 "events": [ 39084 { 39085 "introduced": "1.15" 39086 }, 39087 { 39088 "fixed": "1.19" 39089 } 39090 ], 39091 "type": 
"ECOSYSTEM" 39092 } 39093 ], 39094 "versions": [ 39095 "1.15", 39096 "1.16", 39097 "1.16.1", 39098 "1.17", 39099 "1.18" 39100 ] 39101 }, 39102 { 39103 "database_specific": { 39104 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-53x6-4x5p-rrvv/GHSA-53x6-4x5p-rrvv.json" 39105 }, 39106 "package": { 39107 "ecosystem": "Maven", 39108 "name": "io.github.1tchy.java9modular.org.apache.commons:commons-compress", 39109 "purl": "pkg:maven/io.github.1tchy.java9modular.org.apache.commons/commons-compress" 39110 }, 39111 "versions": [ 39112 "1.18.1" 39113 ] 39114 } 39115 ], 39116 "aliases": [ 39117 "CVE-2019-12402" 39118 ], 39119 "database_specific": { 39120 "cwe_ids": [ 39121 "CWE-835" 39122 ], 39123 "github_reviewed": true, 39124 "github_reviewed_at": "2019-09-30T09:39:36Z", 39125 "nvd_published_at": "2019-08-30T09:15:00Z", 39126 "severity": "HIGH" 39127 }, 39128 "details": "The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. 
This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.", 39129 "id": "GHSA-53x6-4x5p-rrvv", 39130 "modified": "2024-03-16T05:19:51.25548Z", 39131 "published": "2019-10-11T18:41:08Z", 39132 "references": [ 39133 { 39134 "type": "ADVISORY", 39135 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12402" 39136 }, 39137 { 39138 "type": "WEB", 39139 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 39140 }, 39141 { 39142 "type": "WEB", 39143 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 39144 }, 39145 { 39146 "type": "WEB", 39147 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 39148 }, 39149 { 39150 "type": "WEB", 39151 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 39152 }, 39153 { 39154 "type": "WEB", 39155 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 39156 }, 39157 { 39158 "type": "WEB", 39159 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 39160 }, 39161 { 39162 "type": "WEB", 39163 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 39164 }, 39165 { 39166 "type": "WEB", 39167 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 39168 }, 39169 { 39170 "type": "WEB", 39171 "url": "https://security.netapp.com/advisory/ntap-20230818-0001" 39172 }, 39173 { 39174 "type": "WEB", 39175 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZB3GB7YXIOUKIOQ27VTIP6KKGJJ3CKL" 39176 }, 39177 { 39178 "type": "WEB", 39179 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QLJIK2AUOZOWXR3S5XXBUNMOF3RTHTI7" 39180 }, 39181 { 39182 "type": "WEB", 39183 "url": "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55@%3Csolr-user.lucene.apache.org%3E" 39184 }, 39185 { 39186 "type": "WEB", 39187 "url": 
"https://lists.apache.org/thread.html/re13bd219dd4b651134f6357f12bd07a0344eea7518c577bbdd185265@%3Cissues.flink.apache.org%3E" 39188 }, 39189 { 39190 "type": "WEB", 39191 "url": "https://lists.apache.org/thread.html/rdebc1830d6c09c11d5a4804ca26769dbd292d17d361c61dea50915f0@%3Cissues.flink.apache.org%3E" 39192 }, 39193 { 39194 "type": "WEB", 39195 "url": "https://lists.apache.org/thread.html/rd3f99d732baed459b425fb0a9e9e14f7843c9459b12037e4a9d753b5@%3Cissues.flink.apache.org%3E" 39196 }, 39197 { 39198 "type": "WEB", 39199 "url": "https://lists.apache.org/thread.html/rcc35ab6be300365de5ff9587e0479d10d7d7c79070921837e3693162@%3Cissues.flink.apache.org%3E" 39200 }, 39201 { 39202 "type": "WEB", 39203 "url": "https://lists.apache.org/thread.html/r972f82d821b805d04602976a9736c01b6bf218cfe0c3f48b472db488@%3Cissues.flink.apache.org%3E" 39204 }, 39205 { 39206 "type": "WEB", 39207 "url": "https://lists.apache.org/thread.html/r7af60fbd8b2350d49d14e53a3ab2801998b9d1af2d6fcac60b060a53@%3Cdev.brooklyn.apache.org%3E" 39208 }, 39209 { 39210 "type": "WEB", 39211 "url": "https://lists.apache.org/thread.html/r5caf4fcb69d2749225391e61db7216282955204849ba94f83afe011f@%3Cissues.flink.apache.org%3E" 39212 }, 39213 { 39214 "type": "WEB", 39215 "url": "https://lists.apache.org/thread.html/r590c15cebee9b8e757e2f738127a9a71e48ede647a3044c504e050a4@%3Cissues.flink.apache.org%3E" 39216 }, 39217 { 39218 "type": "WEB", 39219 "url": "https://lists.apache.org/thread.html/r5103b1c9242c0f812ac96e524344144402cbff9b6e078d1557bc7b1e@%3Cissues.flink.apache.org%3E" 39220 }, 39221 { 39222 "type": "WEB", 39223 "url": "https://lists.apache.org/thread.html/r4363c994c8bca033569a98da9218cc0c62bb695c1e47a98e5084e5a0@%3Cissues.flink.apache.org%3E" 39224 }, 39225 { 39226 "type": "WEB", 39227 "url": "https://lists.apache.org/thread.html/r25422df9ad22fec56d9eeca3ab8bd6d66365e9f6bfe311b64730edf5@%3Cissues.flink.apache.org%3E" 39228 }, 39229 { 39230 "type": "WEB", 39231 "url": 
"https://lists.apache.org/thread.html/r233267e24519bacd0f9fb9f61a1287cb9f4bcb6e75d83f34f405c521@%3Cissues.flink.apache.org%3E" 39232 }, 39233 { 39234 "type": "WEB", 39235 "url": "https://lists.apache.org/thread.html/r21d64797914001119d2fc766b88c6da181dc2308d20f14e7a7f46117@%3Cissues.flink.apache.org%3E" 39236 }, 39237 { 39238 "type": "WEB", 39239 "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E" 39240 }, 39241 { 39242 "type": "WEB", 39243 "url": "https://lists.apache.org/thread.html/r05cf37c1e1e662e968cfece1102fcd50fe207181fdbf2c30aadfafd3@%3Cissues.flink.apache.org%3E" 39244 }, 39245 { 39246 "type": "WEB", 39247 "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" 39248 }, 39249 { 39250 "type": "WEB", 39251 "url": "https://lists.apache.org/thread.html/54cc4e9fa6b24520135f6fa4724dfb3465bc14703c7dc7e52353a0ea@%3Ccommits.creadur.apache.org%3E" 39252 }, 39253 { 39254 "type": "WEB", 39255 "url": "https://lists.apache.org/thread.html/308cc15f1f1dc53e97046fddbac240e6cd16de89a2746cf257be7f5b@%3Cdev.commons.apache.org%3E" 39256 }, 39257 { 39258 "type": "WEB", 39259 "url": "https://github.com/jensdietrich/xshady-release/tree/main/CVE-2019-12402" 39260 } 39261 ], 39262 "schema_version": "1.6.0", 39263 "severity": [ 39264 { 39265 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 39266 "type": "CVSS_V3" 39267 } 39268 ], 39269 "summary": "Denial of Service in Apache Commons Compress" 39270 }, 39271 { 39272 "affected": [ 39273 { 39274 "database_specific": { 39275 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6fxm-66hq-fc96/GHSA-6fxm-66hq-fc96.json" 39276 }, 39277 "package": { 39278 "ecosystem": "Maven", 39279 "name": "org.apache.commons:commons-compress", 39280 "purl": "pkg:maven/org.apache.commons/commons-compress" 39281 }, 39282 "ranges": [ 39283 
{ 39284 "events": [ 39285 { 39286 "introduced": "0" 39287 }, 39288 { 39289 "fixed": "1.4.1" 39290 } 39291 ], 39292 "type": "ECOSYSTEM" 39293 } 39294 ], 39295 "versions": [ 39296 "1.0", 39297 "1.1", 39298 "1.2", 39299 "1.3", 39300 "1.4" 39301 ] 39302 } 39303 ], 39304 "aliases": [ 39305 "CVE-2012-2098" 39306 ], 39307 "database_specific": { 39308 "cwe_ids": [ 39309 "CWE-400" 39310 ], 39311 "github_reviewed": true, 39312 "github_reviewed_at": "2022-07-13T21:10:51Z", 39313 "nvd_published_at": "2012-06-29T19:55:00Z", 39314 "severity": "MODERATE" 39315 }, 39316 "details": "Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.", 39317 "id": "GHSA-6fxm-66hq-fc96", 39318 "modified": "2024-03-11T05:32:27.181208Z", 39319 "published": "2022-05-13T01:07:05Z", 39320 "references": [ 39321 { 39322 "type": "ADVISORY", 39323 "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2098" 39324 }, 39325 { 39326 "type": "WEB", 39327 "url": "https://github.com/apache/commons-compress/commit/020c03d8ef579e80511023fb46ece30e9c3dd27d" 39328 }, 39329 { 39330 "type": "WEB", 39331 "url": "https://github.com/apache/commons-compress/commit/0600296ab8f8a0bbdfedd483f51b38005eb8e34e" 39332 }, 39333 { 39334 "type": "WEB", 39335 "url": "https://github.com/apache/commons-compress/commit/1ce57d976c4f25fe99edcadf079840c278f3cb84" 39336 }, 39337 { 39338 "type": "WEB", 39339 "url": "https://github.com/apache/commons-compress/commit/2ab2fcb356753927afaa731b9d2dcc47d3083408" 39340 }, 39341 { 39342 "type": "WEB", 39343 "url": "https://github.com/apache/commons-compress/commit/654222e628097763ee6ca561ae77be5c06666173" 39344 }, 39345 { 39346 "type": "WEB", 39347 "url": "https://github.com/apache/commons-compress/commit/6ced422bf5eca3aac05396367bafb33ec21bf74e" 39348 }, 39349 { 39350 "type": "WEB", 39351 
"url": "https://github.com/apache/commons-compress/commit/6e95697e783767f3549f00d7d2e1b002eac4a3d4" 39352 }, 39353 { 39354 "type": "WEB", 39355 "url": "https://github.com/apache/commons-compress/commit/8f702469cbf4c451b6dea349290bc4af0f6f76c7" 39356 }, 39357 { 39358 "type": "WEB", 39359 "url": "https://github.com/apache/commons-compress/commit/b06f7b41c936ef1a79589d16ea5c1d8b93f71f66" 39360 }, 39361 { 39362 "type": "WEB", 39363 "url": "https://github.com/apache/commons-compress/commit/cca0e6e5341aacddefd4c4d36cef7cbdbc2a8777" 39364 }, 39365 { 39366 "type": "WEB", 39367 "url": "https://github.com/apache/commons-compress/commit/ea31005111f0abede7e43e4ba0012e62e0808b22" 39368 }, 39369 { 39370 "type": "WEB", 39371 "url": "https://github.com/apache/commons-compress/commit/fdd7459bc5470e90024dbe762249166481cce769" 39372 }, 39373 { 39374 "type": "WEB", 39375 "url": "https://web.archive.org/web/20140724002926/http://secunia.com/advisories/49286" 39376 }, 39377 { 39378 "type": "WEB", 39379 "url": "https://web.archive.org/web/20140724023114/http://secunia.com/advisories/49255" 39380 }, 39381 { 39382 "type": "WEB", 39383 "url": "https://web.archive.org/web/20200517014414/http://www.securitytracker.com/id?1027096" 39384 }, 39385 { 39386 "type": "WEB", 39387 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 39388 }, 39389 { 39390 "type": "WEB", 39391 "url": "https://web.archive.org/web/20130525085523/http://www.securityfocus.com/bid/53676" 39392 }, 39393 { 39394 "type": "WEB", 39395 "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@\u003csolr-user.lucene.apache.org\u003e" 39396 }, 39397 { 39398 "type": "PACKAGE", 39399 "url": "https://github.com/apache/commons-compress" 39400 }, 39401 { 39402 "type": "WEB", 39403 "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75857" 39404 }, 39405 { 39406 "type": "WEB", 39407 "url": "http://ant.apache.org/security.html" 39408 }, 39409 { 39410 "type": "WEB", 39411 
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-05/0130.html" 39412 }, 39413 { 39414 "type": "WEB", 39415 "url": "http://commons.apache.org/compress/security.html" 39416 }, 39417 { 39418 "type": "WEB", 39419 "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081697.html" 39420 }, 39421 { 39422 "type": "WEB", 39423 "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081746.html" 39424 }, 39425 { 39426 "type": "WEB", 39427 "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105049.html" 39428 }, 39429 { 39430 "type": "WEB", 39431 "url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105060.html" 39432 }, 39433 { 39434 "type": "WEB", 39435 "url": "http://packetstormsecurity.org/files/113014/Apache-Commons-Compress-Apache-Ant-Denial-Of-Service.html" 39436 }, 39437 { 39438 "type": "WEB", 39439 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21644047" 39440 }, 39441 { 39442 "type": "WEB", 39443 "url": "http://www.openwall.com/lists/oss-security/2023/09/13/3" 39444 } 39445 ], 39446 "schema_version": "1.6.0", 39447 "summary": "Uncontrolled Resource Consumption in Apache Commons Compress" 39448 }, 39449 { 39450 "affected": [ 39451 { 39452 "database_specific": { 39453 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-7hfm-57qf-j43q/GHSA-7hfm-57qf-j43q.json" 39454 }, 39455 "package": { 39456 "ecosystem": "Maven", 39457 "name": "org.apache.commons:commons-compress", 39458 "purl": "pkg:maven/org.apache.commons/commons-compress" 39459 }, 39460 "ranges": [ 39461 { 39462 "events": [ 39463 { 39464 "introduced": "0" 39465 }, 39466 { 39467 "fixed": "1.21" 39468 } 39469 ], 39470 "type": "ECOSYSTEM" 39471 } 39472 ], 39473 "versions": [ 39474 "1.0", 39475 "1.1", 39476 "1.10", 39477 "1.11", 39478 "1.12", 39479 "1.13", 39480 "1.14", 39481 "1.15", 39482 "1.16", 39483 "1.16.1", 39484 "1.17", 39485 "1.18", 39486 "1.19", 39487 
"1.2", 39488 "1.20", 39489 "1.3", 39490 "1.4", 39491 "1.4.1", 39492 "1.5", 39493 "1.6", 39494 "1.7", 39495 "1.8", 39496 "1.8.1", 39497 "1.9" 39498 ] 39499 } 39500 ], 39501 "aliases": [ 39502 "CVE-2021-35515" 39503 ], 39504 "database_specific": { 39505 "cwe_ids": [ 39506 "CWE-834", 39507 "CWE-835" 39508 ], 39509 "github_reviewed": true, 39510 "github_reviewed_at": "2021-07-14T17:35:41Z", 39511 "nvd_published_at": "2021-07-13T08:15:00Z", 39512 "severity": "HIGH" 39513 }, 39514 "details": "When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.", 39515 "id": "GHSA-7hfm-57qf-j43q", 39516 "modified": "2024-03-08T05:18:24.619639Z", 39517 "published": "2021-08-02T16:55:07Z", 39518 "references": [ 39519 { 39520 "type": "ADVISORY", 39521 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35515" 39522 }, 39523 { 39524 "type": "WEB", 39525 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 39526 }, 39527 { 39528 "type": "WEB", 39529 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 39530 }, 39531 { 39532 "type": "WEB", 39533 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 39534 }, 39535 { 39536 "type": "WEB", 39537 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 39538 }, 39539 { 39540 "type": "WEB", 39541 "url": "https://security.netapp.com/advisory/ntap-20211022-0001" 39542 }, 39543 { 39544 "type": "WEB", 39545 "url": "https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E" 39546 }, 39547 { 39548 "type": "WEB", 39549 "url": "https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88@%3Ccommits.druid.apache.org%3E" 39550 }, 39551 { 39552 "type": "WEB", 39553 "url": 
"https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E" 39554 }, 39555 { 39556 "type": "WEB", 39557 "url": "https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57@%3Ccommits.druid.apache.org%3E" 39558 }, 39559 { 39560 "type": "WEB", 39561 "url": "https://lists.apache.org/thread.html/rbaea15ddc5a7c0c6b66660f1d6403b28595e2561bb283eade7d7cd69@%3Cannounce.apache.org%3E" 39562 }, 39563 { 39564 "type": "WEB", 39565 "url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E" 39566 }, 39567 { 39568 "type": "WEB", 39569 "url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E" 39570 }, 39571 { 39572 "type": "WEB", 39573 "url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E" 39574 }, 39575 { 39576 "type": "WEB", 39577 "url": "https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E" 39578 }, 39579 { 39580 "type": "WEB", 39581 "url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E" 39582 }, 39583 { 39584 "type": "WEB", 39585 "url": "https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945@%3Ccommits.druid.apache.org%3E" 39586 }, 39587 { 39588 "type": "WEB", 39589 "url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E" 39590 }, 39591 { 39592 "type": "WEB", 39593 "url": "https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E" 39594 }, 39595 { 39596 
"type": "WEB", 39597 "url": "https://lists.apache.org/thread.html/r19ebfd71770ec0617a9ea180e321ef927b3fefb4c81ec5d1902d20ab%40%3Cuser.commons.apache.org%3E" 39598 }, 39599 { 39600 "type": "WEB", 39601 "url": "https://commons.apache.org/proper/commons-compress/security-reports.html" 39602 }, 39603 { 39604 "type": "WEB", 39605 "url": "http://www.openwall.com/lists/oss-security/2021/07/13/1" 39606 } 39607 ], 39608 "schema_version": "1.6.0", 39609 "severity": [ 39610 { 39611 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 39612 "type": "CVSS_V3" 39613 } 39614 ], 39615 "summary": "Excessive Iteration in Compress" 39616 }, 39617 { 39618 "affected": [ 39619 { 39620 "database_specific": { 39621 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-cgwf-w82q-5jrr/GHSA-cgwf-w82q-5jrr.json" 39622 }, 39623 "package": { 39624 "ecosystem": "Maven", 39625 "name": "org.apache.commons:commons-compress", 39626 "purl": "pkg:maven/org.apache.commons/commons-compress" 39627 }, 39628 "ranges": [ 39629 { 39630 "events": [ 39631 { 39632 "introduced": "1.22" 39633 }, 39634 { 39635 "fixed": "1.24.0" 39636 } 39637 ], 39638 "type": "ECOSYSTEM" 39639 } 39640 ], 39641 "versions": [ 39642 "1.22", 39643 "1.23.0" 39644 ] 39645 } 39646 ], 39647 "aliases": [ 39648 "CVE-2023-42503" 39649 ], 39650 "database_specific": { 39651 "cwe_ids": [ 39652 "CWE-20", 39653 "CWE-400" 39654 ], 39655 "github_reviewed": true, 39656 "github_reviewed_at": "2023-09-14T19:35:27Z", 39657 "nvd_published_at": "2023-09-14T08:15:08Z", 39658 "severity": "MODERATE" 39659 }, 39660 "details": "Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing.This issue affects Apache Commons Compress: from 1.22 before 1.24.0.\n\nUsers are recommended to upgrade to version 1.24.0, which fixes the issue.\n\nA third party can create a malformed TAR file by manipulating file modification times headers, which when parsed with 
Apache Commons Compress, will cause a denial of service issue via CPU consumption.\n\nIn version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision (issue # COMPRESS-612 [1]). The format for the PAX extended headers carrying this data consists of two numbers separated by a period [2], indicating seconds and subsecond precision (for example “1647221103.5998539”). The impacted fields are “atime”, “ctime”, “mtime” and “LIBARCHIVE.creationtime”. No input validation is performed prior to the parsing of header values.\n\nParsing of these numbers uses the BigDecimal [3] class from the JDK which has a publicly known algorithmic complexity issue when doing operations on large numbers, causing denial of service (see issue # JDK-6560193 [4]). A third party can manipulate file time headers in a TAR file by placing a number with a very long fraction (300,000 digits) or a number with exponent notation (such as “9e9999999”) within a file modification time header, and the parsing of files with these headers will take hours instead of seconds, leading to a denial of service via exhaustion of CPU resources. This issue is similar to CVE-2012-2098 [5].\n\n[1]: https://issues.apache.org/jira/browse/COMPRESS-612 \n[2]: https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_13_05 \n[3]: https://docs.oracle.com/javase/8/docs/api/java/math/BigDecimal.html \n[4]: https://bugs.openjdk.org/browse/JDK-6560193 \n[5]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098 \n\nOnly applications using CompressorStreamFactory class (with auto-detection of file types), TarArchiveInputStream and TarFile classes to parse TAR files are impacted. 
Since this code was introduced in v1.22, only that version and later versions are impacted.\n\n", 39661 "id": "GHSA-cgwf-w82q-5jrr", 39662 "modified": "2024-02-22T02:01:05.5264Z", 39663 "published": "2023-09-14T09:30:28Z", 39664 "references": [ 39665 { 39666 "type": "ADVISORY", 39667 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42503" 39668 }, 39669 { 39670 "type": "WEB", 39671 "url": "https://github.com/apache/commons-compress/commit/aae38bfb820159ae7a0b792e779571f6a46b3889" 39672 }, 39673 { 39674 "type": "PACKAGE", 39675 "url": "https://github.com/apache/commons-compress" 39676 }, 39677 { 39678 "type": "WEB", 39679 "url": "https://lists.apache.org/thread/5xwcyr600mn074vgxq92tjssrchmc93c" 39680 }, 39681 { 39682 "type": "WEB", 39683 "url": "https://security.netapp.com/advisory/ntap-20231020-0003" 39684 } 39685 ], 39686 "related": [ 39687 "CGA-6gcx-2g6m-pvm8", 39688 "CGA-793c-mm63-qv25" 39689 ], 39690 "schema_version": "1.6.0", 39691 "severity": [ 39692 { 39693 "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", 39694 "type": "CVSS_V3" 39695 } 39696 ], 39697 "summary": "Apache Commons Compress denial of service vulnerability" 39698 }, 39699 { 39700 "affected": [ 39701 { 39702 "database_specific": { 39703 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-crv7-7245-f45f/GHSA-crv7-7245-f45f.json" 39704 }, 39705 "package": { 39706 "ecosystem": "Maven", 39707 "name": "org.apache.commons:commons-compress", 39708 "purl": "pkg:maven/org.apache.commons/commons-compress" 39709 }, 39710 "ranges": [ 39711 { 39712 "events": [ 39713 { 39714 "introduced": "0" 39715 }, 39716 { 39717 "fixed": "1.21" 39718 } 39719 ], 39720 "type": "ECOSYSTEM" 39721 } 39722 ], 39723 "versions": [ 39724 "1.0", 39725 "1.1", 39726 "1.10", 39727 "1.11", 39728 "1.12", 39729 "1.13", 39730 "1.14", 39731 "1.15", 39732 "1.16", 39733 "1.16.1", 39734 "1.17", 39735 "1.18", 39736 "1.19", 39737 "1.2", 39738 "1.20", 39739 "1.3", 39740 "1.4", 39741 
"1.4.1", 39742 "1.5", 39743 "1.6", 39744 "1.7", 39745 "1.8", 39746 "1.8.1", 39747 "1.9" 39748 ] 39749 } 39750 ], 39751 "aliases": [ 39752 "CVE-2021-35516" 39753 ], 39754 "database_specific": { 39755 "cwe_ids": [ 39756 "CWE-130", 39757 "CWE-770" 39758 ], 39759 "github_reviewed": true, 39760 "github_reviewed_at": "2021-07-14T18:11:52Z", 39761 "nvd_published_at": "2021-07-13T08:15:00Z", 39762 "severity": "HIGH" 39763 }, 39764 "details": "When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.", 39765 "id": "GHSA-crv7-7245-f45f", 39766 "modified": "2024-03-08T05:19:35.252507Z", 39767 "published": "2021-08-02T16:55:15Z", 39768 "references": [ 39769 { 39770 "type": "ADVISORY", 39771 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35516" 39772 }, 39773 { 39774 "type": "WEB", 39775 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 39776 }, 39777 { 39778 "type": "WEB", 39779 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 39780 }, 39781 { 39782 "type": "WEB", 39783 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 39784 }, 39785 { 39786 "type": "WEB", 39787 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 39788 }, 39789 { 39790 "type": "WEB", 39791 "url": "https://security.netapp.com/advisory/ntap-20211022-0001" 39792 }, 39793 { 39794 "type": "WEB", 39795 "url": "https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E" 39796 }, 39797 { 39798 "type": "WEB", 39799 "url": "https://lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12954f37332073c9822ca%40%3Cuser.commons.apache.org%3E" 39800 }, 39801 { 39802 "type": "WEB", 39803 "url": 
"https://lists.apache.org/thread.html/rf5b1016fb15b7118b9a5e16bb0b78cb4f1dfcf7821eb137ab5757c91@%3Cannounce.apache.org%3E" 39804 }, 39805 { 39806 "type": "WEB", 39807 "url": "https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E" 39808 }, 39809 { 39810 "type": "WEB", 39811 "url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E" 39812 }, 39813 { 39814 "type": "WEB", 39815 "url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E" 39816 }, 39817 { 39818 "type": "WEB", 39819 "url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E" 39820 }, 39821 { 39822 "type": "WEB", 39823 "url": "https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E" 39824 }, 39825 { 39826 "type": "WEB", 39827 "url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E" 39828 }, 39829 { 39830 "type": "WEB", 39831 "url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E" 39832 }, 39833 { 39834 "type": "WEB", 39835 "url": "https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E" 39836 }, 39837 { 39838 "type": "WEB", 39839 "url": "https://commons.apache.org/proper/commons-compress/security-reports.html" 39840 }, 39841 { 39842 "type": "WEB", 39843 "url": "http://www.openwall.com/lists/oss-security/2021/07/13/2" 39844 } 39845 ], 39846 "schema_version": "1.6.0", 39847 "severity": [ 39848 { 39849 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 39850 
"type": "CVSS_V3" 39851 } 39852 ], 39853 "summary": "Improper Handling of Length Parameter Inconsistency in Compress" 39854 }, 39855 { 39856 "affected": [ 39857 { 39858 "database_specific": { 39859 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-h436-432x-8fvx/GHSA-h436-432x-8fvx.json" 39860 }, 39861 "package": { 39862 "ecosystem": "Maven", 39863 "name": "org.apache.commons:commons-compress", 39864 "purl": "pkg:maven/org.apache.commons/commons-compress" 39865 }, 39866 "ranges": [ 39867 { 39868 "events": [ 39869 { 39870 "introduced": "1.11" 39871 }, 39872 { 39873 "fixed": "1.16" 39874 } 39875 ], 39876 "type": "ECOSYSTEM" 39877 } 39878 ], 39879 "versions": [ 39880 "1.11", 39881 "1.12", 39882 "1.13", 39883 "1.14", 39884 "1.15" 39885 ] 39886 }, 39887 { 39888 "database_specific": { 39889 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-h436-432x-8fvx/GHSA-h436-432x-8fvx.json" 39890 }, 39891 "package": { 39892 "ecosystem": "Maven", 39893 "name": "com.liferay:com.liferay.portal.tools.bundle.support", 39894 "purl": "pkg:maven/com.liferay/com.liferay.portal.tools.bundle.support" 39895 }, 39896 "ranges": [ 39897 { 39898 "events": [ 39899 { 39900 "introduced": "3.2.7" 39901 }, 39902 { 39903 "fixed": "3.7.4" 39904 } 39905 ], 39906 "type": "ECOSYSTEM" 39907 } 39908 ], 39909 "versions": [ 39910 "3.2.7", 39911 "3.3.0", 39912 "3.4.0", 39913 "3.4.1", 39914 "3.4.2", 39915 "3.4.3", 39916 "3.5.0", 39917 "3.5.1", 39918 "3.5.2", 39919 "3.5.3", 39920 "3.5.4", 39921 "3.5.5", 39922 "3.5.6", 39923 "3.6.0", 39924 "3.6.1", 39925 "3.7.0", 39926 "3.7.1", 39927 "3.7.2", 39928 "3.7.3" 39929 ] 39930 }, 39931 { 39932 "database_specific": { 39933 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-h436-432x-8fvx/GHSA-h436-432x-8fvx.json" 39934 }, 39935 "package": { 39936 "ecosystem": "Maven", 39937 "name": "io.takari:commons-compress", 
39938 "purl": "pkg:maven/io.takari/commons-compress" 39939 }, 39940 "versions": [ 39941 "1.12" 39942 ] 39943 } 39944 ], 39945 "aliases": [ 39946 "CVE-2018-1324" 39947 ], 39948 "database_specific": { 39949 "cwe_ids": [ 39950 "CWE-835" 39951 ], 39952 "github_reviewed": true, 39953 "github_reviewed_at": "2020-06-16T21:38:39Z", 39954 "nvd_published_at": "2018-03-16T13:29:00Z", 39955 "severity": "MODERATE" 39956 }, 39957 "details": "A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.", 39958 "id": "GHSA-h436-432x-8fvx", 39959 "modified": "2024-02-27T18:34:05.707371Z", 39960 "published": "2019-03-14T15:41:12Z", 39961 "references": [ 39962 { 39963 "type": "ADVISORY", 39964 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1324" 39965 }, 39966 { 39967 "type": "WEB", 39968 "url": "https://github.com/apache/commons-compress/commit/2a2f1dc48e22a34ddb72321a4db211da91aa933b" 39969 }, 39970 { 39971 "type": "WEB", 39972 "url": "https://arxiv.org/pdf/2306.05534.pdf" 39973 }, 39974 { 39975 "type": "ADVISORY", 39976 "url": "https://github.com/advisories/GHSA-h436-432x-8fvx" 39977 }, 39978 { 39979 "type": "PACKAGE", 39980 "url": "https://github.com/apache/commons-compress" 39981 }, 39982 { 39983 "type": "WEB", 39984 "url": "https://github.com/jensdietrich/xshady-release/tree/main/CVE-2018-1324" 39985 }, 39986 { 39987 "type": "WEB", 39988 "url": "https://lists.apache.org/thread.html/1c7b6df6d1c5c8583518a0afa017782924918e4d6acfaf23ed5b2089@%3Cdev.commons.apache.org%3E" 39989 }, 39990 { 39991 "type": "WEB", 39992 "url": "https://lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd@%3Cdev.creadur.apache.org%3E" 39993 }, 39994 { 39995 "type": "WEB", 39996 "url": 
"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" 39997 }, 39998 { 39999 "type": "WEB", 40000 "url": "https://lists.apache.org/thread.html/r5532dc8d5456b5151e8c286801e2e5769f5c04118b29c3b5d13ea387@%3Cissues.beam.apache.org%3E" 40001 } 40002 ], 40003 "schema_version": "1.6.0", 40004 "severity": [ 40005 { 40006 "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", 40007 "type": "CVSS_V3" 40008 } 40009 ], 40010 "summary": "Apache Commons Compress vulnerable to denial of service due to infinite loop" 40011 }, 40012 { 40013 "affected": [ 40014 { 40015 "database_specific": { 40016 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-hrmr-f5m6-m9pq/GHSA-hrmr-f5m6-m9pq.json" 40017 }, 40018 "package": { 40019 "ecosystem": "Maven", 40020 "name": "org.apache.commons:commons-compress", 40021 "purl": "pkg:maven/org.apache.commons/commons-compress" 40022 }, 40023 "ranges": [ 40024 { 40025 "events": [ 40026 { 40027 "introduced": "1.7" 40028 }, 40029 { 40030 "fixed": "1.18" 40031 } 40032 ], 40033 "type": "ECOSYSTEM" 40034 } 40035 ], 40036 "versions": [ 40037 "1.10", 40038 "1.11", 40039 "1.12", 40040 "1.13", 40041 "1.14", 40042 "1.15", 40043 "1.16", 40044 "1.16.1", 40045 "1.17", 40046 "1.7", 40047 "1.8", 40048 "1.8.1", 40049 "1.9" 40050 ] 40051 } 40052 ], 40053 "aliases": [ 40054 "CVE-2018-11771" 40055 ], 40056 "database_specific": { 40057 "cwe_ids": [ 40058 "CWE-835" 40059 ], 40060 "github_reviewed": true, 40061 "github_reviewed_at": "2020-06-16T21:40:55Z", 40062 "nvd_published_at": "2018-08-16T15:29:00Z", 40063 "severity": "MODERATE" 40064 }, 40065 "details": "When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. 
When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.", 40066 "id": "GHSA-hrmr-f5m6-m9pq", 40067 "modified": "2024-06-05T17:33:15.862538Z", 40068 "published": "2018-10-19T16:41:27Z", 40069 "references": [ 40070 { 40071 "type": "ADVISORY", 40072 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11771" 40073 }, 40074 { 40075 "type": "WEB", 40076 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 40077 }, 40078 { 40079 "type": "WEB", 40080 "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" 40081 }, 40082 { 40083 "type": "WEB", 40084 "url": "https://lists.apache.org/thread.html/f9cdd32af7d73e943452167d15801db39e8130409ebb9efb243b3f41@%3Ccommits.tinkerpop.apache.org%3E" 40085 }, 40086 { 40087 "type": "WEB", 40088 "url": "https://lists.apache.org/thread.html/f28052d04cb8dbaae39bfd3dc8438e58c2a8be306a3f381f4728d7c1@%3Ccommits.commons.apache.org%3E" 40089 }, 40090 { 40091 "type": "WEB", 40092 "url": "https://lists.apache.org/thread.html/eeecc1669242b28a3777ae13c68b376b0148d589d3d8170340d61120@%3Cdev.tinkerpop.apache.org%3E" 40093 }, 40094 { 40095 "type": "WEB", 40096 "url": "https://lists.apache.org/thread.html/e3eae9e6fc021c4c22dda59a335d21c12eecab480b48115a2f098ef6@%3Ccommits.tinkerpop.apache.org%3E" 40097 }, 40098 { 40099 "type": "WEB", 40100 "url": "https://lists.apache.org/thread.html/c7954dc1e8fafd7ca1449f078953b419ebf8936e087f235f3bd024be@%3Ccommits.tinkerpop.apache.org%3E" 40101 }, 40102 { 40103 "type": "WEB", 40104 "url": "https://lists.apache.org/thread.html/b907e70bc422905d7962fd18f863f746bf7b4e7ed9da25c148580c61@%3Cnotifications.commons.apache.org%3E" 40105 }, 40106 { 40107 "type": "WEB", 40108 "url": "https://lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd@%3Cdev.creadur.apache.org%3E" 40109 }, 
40110 { 40111 "type": "WEB", 40112 "url": "https://lists.apache.org/thread.html/b8da751fc0ca949534cdf2744111da6bb0349d2798fac94b0a50f330@%3Cannounce.apache.org%3E" 40113 }, 40114 { 40115 "type": "WEB", 40116 "url": "https://lists.apache.org/thread.html/714c6ac1b1b50f8557e7342903ef45f1538a7bc60a0b47d6e48c273d@%3Ccommits.tinkerpop.apache.org%3E" 40117 }, 40118 { 40119 "type": "WEB", 40120 "url": "https://lists.apache.org/thread.html/6c79965066c30d4e330e04d911d3761db41b82c89ae38d9a6b37a6f1@%3Cdev.tinkerpop.apache.org%3E" 40121 }, 40122 { 40123 "type": "WEB", 40124 "url": "https://lists.apache.org/thread.html/35f60d6d0407c13c39411038ba1aca71d92595ed7041beff4d07f2ee@%3Ccommits.tinkerpop.apache.org%3E" 40125 }, 40126 { 40127 "type": "WEB", 40128 "url": "https://lists.apache.org/thread.html/3565494c263dfeb4dcb2a71cb24d09a1ca285cd6ac74edc025a3af8a@%3Ccommits.tinkerpop.apache.org%3E" 40129 }, 40130 { 40131 "type": "WEB", 40132 "url": "https://lists.apache.org/thread.html/0adb631517766e793e18a59723e2df08ced41eb9a57478f14781c9f7@%3Cdev.tinkerpop.apache.org%3E" 40133 }, 40134 { 40135 "type": "PACKAGE", 40136 "url": "https://github.com/apache/commons-compress" 40137 }, 40138 { 40139 "type": "WEB", 40140 "url": "http://www.securityfocus.com/bid/105139" 40141 }, 40142 { 40143 "type": "WEB", 40144 "url": "http://www.securitytracker.com/id/1041503" 40145 } 40146 ], 40147 "schema_version": "1.6.0", 40148 "severity": [ 40149 { 40150 "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", 40151 "type": "CVSS_V3" 40152 } 40153 ], 40154 "summary": "Moderate severity vulnerability that affects org.apache.commons:commons-compress" 40155 }, 40156 { 40157 "affected": [ 40158 { 40159 "database_specific": { 40160 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-mc84-pj99-q6hh/GHSA-mc84-pj99-q6hh.json" 40161 }, 40162 "package": { 40163 "ecosystem": "Maven", 40164 "name": "org.apache.commons:commons-compress", 40165 "purl": 
"pkg:maven/org.apache.commons/commons-compress" 40166 }, 40167 "ranges": [ 40168 { 40169 "events": [ 40170 { 40171 "introduced": "0" 40172 }, 40173 { 40174 "fixed": "1.21" 40175 } 40176 ], 40177 "type": "ECOSYSTEM" 40178 } 40179 ], 40180 "versions": [ 40181 "1.0", 40182 "1.1", 40183 "1.10", 40184 "1.11", 40185 "1.12", 40186 "1.13", 40187 "1.14", 40188 "1.15", 40189 "1.16", 40190 "1.16.1", 40191 "1.17", 40192 "1.18", 40193 "1.19", 40194 "1.2", 40195 "1.20", 40196 "1.3", 40197 "1.4", 40198 "1.4.1", 40199 "1.5", 40200 "1.6", 40201 "1.7", 40202 "1.8", 40203 "1.8.1", 40204 "1.9" 40205 ] 40206 } 40207 ], 40208 "aliases": [ 40209 "CVE-2021-36090" 40210 ], 40211 "database_specific": { 40212 "cwe_ids": [ 40213 "CWE-130" 40214 ], 40215 "github_reviewed": true, 40216 "github_reviewed_at": "2021-07-14T19:37:10Z", 40217 "nvd_published_at": "2021-07-13T08:15:00Z", 40218 "severity": "HIGH" 40219 }, 40220 "details": "When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. 
This could be used to mount a denial of service attack against services that use Compress' zip package.", 40221 "id": "GHSA-mc84-pj99-q6hh", 40222 "modified": "2024-03-08T05:19:48.954731Z", 40223 "published": "2021-08-02T16:55:53Z", 40224 "references": [ 40225 { 40226 "type": "ADVISORY", 40227 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36090" 40228 }, 40229 { 40230 "type": "WEB", 40231 "url": "https://commons.apache.org/proper/commons-compress/security-reports.html" 40232 }, 40233 { 40234 "type": "WEB", 40235 "url": "https://lists.apache.org/thread.html/rbbf42642c3e4167788a7c13763d192ee049604d099681f765385d99d@%3Cdev.drill.apache.org%3E" 40236 }, 40237 { 40238 "type": "WEB", 40239 "url": "https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57@%3Ccommits.druid.apache.org%3E" 40240 }, 40241 { 40242 "type": "WEB", 40243 "url": "https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3Cuser.commons.apache.org%3E" 40244 }, 40245 { 40246 "type": "WEB", 40247 "url": "https://lists.apache.org/thread.html/rc7df4c2f0bbe2028a1498a46d322c91184f7a369e3e4c57d9518cacf@%3Cdev.drill.apache.org%3E" 40248 }, 40249 { 40250 "type": "WEB", 40251 "url": "https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E" 40252 }, 40253 { 40254 "type": "WEB", 40255 "url": "https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38@%3Cuser.ant.apache.org%3E" 40256 }, 40257 { 40258 "type": "WEB", 40259 "url": "https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88@%3Ccommits.druid.apache.org%3E" 40260 }, 40261 { 40262 "type": "WEB", 40263 "url": "https://lists.apache.org/thread.html/rf3f0a09fee197168a813966c5816157f6c600a47313a0d6813148ea6@%3Cissues.drill.apache.org%3E" 40264 }, 40265 { 40266 "type": "WEB", 40267 "url": 
"https://lists.apache.org/thread.html/rf93b6bb267580e01deb7f3696f7eaca00a290c66189a658cf7230a1a@%3Cissues.drill.apache.org%3E" 40268 }, 40269 { 40270 "type": "WEB", 40271 "url": "https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E" 40272 }, 40273 { 40274 "type": "WEB", 40275 "url": "https://security.netapp.com/advisory/ntap-20211022-0001" 40276 }, 40277 { 40278 "type": "WEB", 40279 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 40280 }, 40281 { 40282 "type": "WEB", 40283 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 40284 }, 40285 { 40286 "type": "WEB", 40287 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 40288 }, 40289 { 40290 "type": "WEB", 40291 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 40292 }, 40293 { 40294 "type": "WEB", 40295 "url": "https://lists.apache.org/thread.html/r0e87177f8e78b4ee453cd4d3d8f4ddec6f10d2c27707dd71e12cafc9@%3Cannounce.apache.org%3E" 40296 }, 40297 { 40298 "type": "WEB", 40299 "url": "https://lists.apache.org/thread.html/r25f4c44616045085bc3cf901bb7e68e445eee53d1966fc08998fc456@%3Cdev.drill.apache.org%3E" 40300 }, 40301 { 40302 "type": "WEB", 40303 "url": "https://lists.apache.org/thread.html/r3227b1287e5bd8db6523b862c22676b046ad8f4fc96433225f46a2bd@%3Cissues.drill.apache.org%3E" 40304 }, 40305 { 40306 "type": "WEB", 40307 "url": "https://lists.apache.org/thread.html/r4f03c5de923e3f2a8c316248681258125140514ef3307bfe1538e1ab@%3Cdev.drill.apache.org%3E" 40308 }, 40309 { 40310 "type": "WEB", 40311 "url": "https://lists.apache.org/thread.html/r54049b66afbca766b6763c7531e9fe7a20293a112bcb65462a134949@%3Ccommits.drill.apache.org%3E" 40312 }, 40313 { 40314 "type": "WEB", 40315 "url": "https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E" 40316 }, 40317 { 40318 "type": "WEB", 40319 "url": 
"https://lists.apache.org/thread.html/r75ffc7a461e7e7ae77690fa75bd47bb71365c732e0fbcc44da4f8ff5@%3Cdev.tomcat.apache.org%3E" 40320 }, 40321 { 40322 "type": "WEB", 40323 "url": "https://lists.apache.org/thread.html/r9a23d4dbf4e34d498664080bff59f2893b855eb16dae33e4aa92fa53@%3Cannounce.apache.org%3E" 40324 }, 40325 { 40326 "type": "WEB", 40327 "url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E" 40328 }, 40329 { 40330 "type": "WEB", 40331 "url": "https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945@%3Ccommits.druid.apache.org%3E" 40332 }, 40333 { 40334 "type": "WEB", 40335 "url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E" 40336 }, 40337 { 40338 "type": "WEB", 40339 "url": "https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E" 40340 }, 40341 { 40342 "type": "WEB", 40343 "url": "https://lists.apache.org/thread.html/rb5fa2ee61828fa2e42361b58468717e84902dd71c4aea8dc0b865df7@%3Cnotifications.james.apache.org%3E" 40344 }, 40345 { 40346 "type": "WEB", 40347 "url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E" 40348 }, 40349 { 40350 "type": "WEB", 40351 "url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E" 40352 }, 40353 { 40354 "type": "WEB", 40355 "url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E" 40356 }, 40357 { 40358 "type": "WEB", 40359 "url": "http://www.openwall.com/lists/oss-security/2021/07/13/4" 40360 }, 40361 { 40362 "type": "WEB", 40363 "url": 
"http://www.openwall.com/lists/oss-security/2021/07/13/6" 40364 } 40365 ], 40366 "schema_version": "1.6.0", 40367 "severity": [ 40368 { 40369 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 40370 "type": "CVSS_V3" 40371 } 40372 ], 40373 "summary": "Improper Handling of Length Parameter Inconsistency in Compress" 40374 }, 40375 { 40376 "affected": [ 40377 { 40378 "database_specific": { 40379 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-xqfj-vm6h-2x34/GHSA-xqfj-vm6h-2x34.json" 40380 }, 40381 "package": { 40382 "ecosystem": "Maven", 40383 "name": "org.apache.commons:commons-compress", 40384 "purl": "pkg:maven/org.apache.commons/commons-compress" 40385 }, 40386 "ranges": [ 40387 { 40388 "events": [ 40389 { 40390 "introduced": "0" 40391 }, 40392 { 40393 "fixed": "1.21" 40394 } 40395 ], 40396 "type": "ECOSYSTEM" 40397 } 40398 ], 40399 "versions": [ 40400 "1.0", 40401 "1.1", 40402 "1.10", 40403 "1.11", 40404 "1.12", 40405 "1.13", 40406 "1.14", 40407 "1.15", 40408 "1.16", 40409 "1.16.1", 40410 "1.17", 40411 "1.18", 40412 "1.19", 40413 "1.2", 40414 "1.20", 40415 "1.3", 40416 "1.4", 40417 "1.4.1", 40418 "1.5", 40419 "1.6", 40420 "1.7", 40421 "1.8", 40422 "1.8.1", 40423 "1.9" 40424 ] 40425 } 40426 ], 40427 "aliases": [ 40428 "CVE-2021-35517" 40429 ], 40430 "database_specific": { 40431 "cwe_ids": [ 40432 "CWE-130", 40433 "CWE-770" 40434 ], 40435 "github_reviewed": true, 40436 "github_reviewed_at": "2021-07-14T18:12:57Z", 40437 "nvd_published_at": "2021-07-13T08:15:00Z", 40438 "severity": "HIGH" 40439 }, 40440 "details": "When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. 
This could be used to mount a denial of service attack against services that use Compress' tar package.", 40441 "id": "GHSA-xqfj-vm6h-2x34", 40442 "modified": "2024-03-08T05:19:25.295269Z", 40443 "published": "2021-08-02T16:55:39Z", 40444 "references": [ 40445 { 40446 "type": "ADVISORY", 40447 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35517" 40448 }, 40449 { 40450 "type": "WEB", 40451 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 40452 }, 40453 { 40454 "type": "WEB", 40455 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 40456 }, 40457 { 40458 "type": "WEB", 40459 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 40460 }, 40461 { 40462 "type": "WEB", 40463 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 40464 }, 40465 { 40466 "type": "WEB", 40467 "url": "https://security.netapp.com/advisory/ntap-20211022-0001" 40468 }, 40469 { 40470 "type": "WEB", 40471 "url": "https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E" 40472 }, 40473 { 40474 "type": "WEB", 40475 "url": "https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E" 40476 }, 40477 { 40478 "type": "WEB", 40479 "url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E" 40480 }, 40481 { 40482 "type": "WEB", 40483 "url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E" 40484 }, 40485 { 40486 "type": "WEB", 40487 "url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E" 40488 }, 40489 { 40490 "type": "WEB", 40491 "url": 
"https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E" 40492 }, 40493 { 40494 "type": "WEB", 40495 "url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E" 40496 }, 40497 { 40498 "type": "WEB", 40499 "url": "https://lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a642d80fba20203@%3Cannounce.apache.org%3E" 40500 }, 40501 { 40502 "type": "WEB", 40503 "url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E" 40504 }, 40505 { 40506 "type": "WEB", 40507 "url": "https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E" 40508 }, 40509 { 40510 "type": "WEB", 40511 "url": "https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E" 40512 }, 40513 { 40514 "type": "WEB", 40515 "url": "https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46@%3Cuser.ant.apache.org%3E" 40516 }, 40517 { 40518 "type": "WEB", 40519 "url": "https://lists.apache.org/thread.html/r457b2ed564860996b20d938566fe8bd4bfb7c37be8e205448ccb5975@%3Cannounce.apache.org%3E" 40520 }, 40521 { 40522 "type": "WEB", 40523 "url": "https://lists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7bcf78ae04007c29@%3Cissues.flink.apache.org%3E" 40524 }, 40525 { 40526 "type": "WEB", 40527 "url": "https://commons.apache.org/proper/commons-compress/security-reports.html" 40528 }, 40529 { 40530 "type": "WEB", 40531 "url": "http://www.openwall.com/lists/oss-security/2021/07/13/3" 40532 }, 40533 { 40534 "type": "WEB", 40535 "url": "http://www.openwall.com/lists/oss-security/2021/07/13/5" 40536 } 40537 ], 40538 "schema_version": "1.6.0", 40539 "severity": [ 40540 { 40541 "score": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 40542 "type": "CVSS_V3" 40543 } 40544 ], 40545 "summary": "Improper Handling of Length Parameter Inconsistency in Compress" 40546 }, 40547 { 40548 "affected": [ 40549 { 40550 "database_specific": { 40551 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-7qx4-pp76-vrqh/GHSA-7qx4-pp76-vrqh.json" 40552 }, 40553 "package": { 40554 "ecosystem": "Maven", 40555 "name": "org.apache.commons:commons-configuration2", 40556 "purl": "pkg:maven/org.apache.commons/commons-configuration2" 40557 }, 40558 "ranges": [ 40559 { 40560 "events": [ 40561 { 40562 "introduced": "2.2" 40563 }, 40564 { 40565 "fixed": "2.7" 40566 } 40567 ], 40568 "type": "ECOSYSTEM" 40569 } 40570 ], 40571 "versions": [ 40572 "2.2", 40573 "2.3", 40574 "2.4", 40575 "2.5", 40576 "2.6" 40577 ] 40578 } 40579 ], 40580 "aliases": [ 40581 "CVE-2020-1953" 40582 ], 40583 "database_specific": { 40584 "cwe_ids": [ 40585 "CWE-20" 40586 ], 40587 "github_reviewed": true, 40588 "github_reviewed_at": "2020-05-21T17:12:19Z", 40589 "nvd_published_at": "2020-03-13T15:15:00Z", 40590 "severity": "CRITICAL" 40591 }, 40592 "details": "Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. 
So if a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application.", 40593 "id": "GHSA-7qx4-pp76-vrqh", 40594 "modified": "2023-11-08T04:02:46.926629Z", 40595 "published": "2020-05-21T19:08:08Z", 40596 "references": [ 40597 { 40598 "type": "ADVISORY", 40599 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1953" 40600 }, 40601 { 40602 "type": "WEB", 40603 "url": "https://github.com/apache/commons-configuration/commit/add7375cf37fd316d4838c6c56b054fc293b4641" 40604 }, 40605 { 40606 "type": "WEB", 40607 "url": "https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600@%3Cannounce.tomcat.apache.org%3E" 40608 }, 40609 { 40610 "type": "WEB", 40611 "url": "https://lists.apache.org/thread.html/r16a2e949e35780c8974cf66104e812410f3904f752df6b66bf292269@%3Ccommits.servicecomb.apache.org%3E" 40612 }, 40613 { 40614 "type": "WEB", 40615 "url": "https://lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f9a3b7e1d1dd3b64676@%3Ccommits.camel.apache.org%3E" 40616 }, 40617 { 40618 "type": "WEB", 40619 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 40620 } 40621 ], 40622 "schema_version": "1.6.0", 40623 "severity": [ 40624 { 40625 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", 40626 "type": "CVSS_V3" 40627 } 40628 ], 40629 "summary": "Remote code execution in Apache Commons Configuration" 40630 }, 40631 { 40632 "affected": [ 40633 { 40634 "database_specific": { 40635 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-9w38-p64v-xpmv/GHSA-9w38-p64v-xpmv.json" 40636 }, 40637 "package": { 40638 "ecosystem": "Maven", 40639 "name": "org.apache.commons:commons-configuration2", 40640 "purl": "pkg:maven/org.apache.commons/commons-configuration2" 40641 }, 40642 "ranges": [ 40643 { 40644 "events": [ 40645 { 40646 "introduced": "2.0" 40647 }, 40648 { 40649 "fixed": "2.10.1" 40650 } 40651 ], 
40652 "type": "ECOSYSTEM" 40653 } 40654 ], 40655 "versions": [ 40656 "2.0", 40657 "2.1", 40658 "2.1.1", 40659 "2.10.0", 40660 "2.2", 40661 "2.3", 40662 "2.4", 40663 "2.5", 40664 "2.6", 40665 "2.7", 40666 "2.8.0", 40667 "2.9.0" 40668 ] 40669 } 40670 ], 40671 "aliases": [ 40672 "CVE-2024-29133" 40673 ], 40674 "database_specific": { 40675 "cwe_ids": [ 40676 "CWE-787" 40677 ], 40678 "github_reviewed": true, 40679 "github_reviewed_at": "2024-03-21T18:59:08Z", 40680 "nvd_published_at": "2024-03-21T09:15:07Z", 40681 "severity": "MODERATE" 40682 }, 40683 "details": "This Out-of-bounds Write vulnerability in Apache Commons Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1. User can see this as a 'StackOverflowError' calling 'ListDelimiterHandler.flatten(Object, int)' with a cyclical object tree.\nUsers are recommended to upgrade to version 2.10.1, which fixes the issue. \n\n", 40684 "id": "GHSA-9w38-p64v-xpmv", 40685 "modified": "2024-05-02T19:01:50.467813Z", 40686 "published": "2024-03-21T09:31:14Z", 40687 "references": [ 40688 { 40689 "type": "ADVISORY", 40690 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29133" 40691 }, 40692 { 40693 "type": "WEB", 40694 "url": "https://github.com/apache/commons-configuration/commit/43f4dab021e9acb8db390db2ae80aa0cee4f9ee4" 40695 }, 40696 { 40697 "type": "WEB", 40698 "url": "https://issues.apache.org/jira/browse/CONFIGURATION-841" 40699 }, 40700 { 40701 "type": "WEB", 40702 "url": "https://lists.apache.org/thread/ccb9w15bscznh6tnp3wsvrrj9crbszh2" 40703 }, 40704 { 40705 "type": "WEB", 40706 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SNKDKEEKZNL5FGCTZKJ6CFXFVWFL5FJ7" 40707 }, 40708 { 40709 "type": "WEB", 40710 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YD4AFTIIQW662LUAQRMWS6BBKYSZG3YS" 40711 }, 40712 { 40713 "type": "PACKAGE", 40714 "url": "apache/commons-configuration" 40715 }, 40716 { 40717 
"type": "WEB", 40718 "url": "http://www.openwall.com/lists/oss-security/2024/03/20/3" 40719 } 40720 ], 40721 "related": [ 40722 "CGA-9pcx-658r-q6cc", 40723 "CGA-f8w3-v8cw-rc4q", 40724 "CGA-gxrv-2q36-c76g", 40725 "CGA-p5h5-jmpp-wgq6" 40726 ], 40727 "schema_version": "1.6.0", 40728 "severity": [ 40729 { 40730 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", 40731 "type": "CVSS_V3" 40732 } 40733 ], 40734 "summary": "Apache Commons Configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree" 40735 }, 40736 { 40737 "affected": [ 40738 { 40739 "database_specific": { 40740 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-xj57-8qj4-c4m6/GHSA-xj57-8qj4-c4m6.json" 40741 }, 40742 "package": { 40743 "ecosystem": "Maven", 40744 "name": "org.apache.commons:commons-configuration2", 40745 "purl": "pkg:maven/org.apache.commons/commons-configuration2" 40746 }, 40747 "ranges": [ 40748 { 40749 "events": [ 40750 { 40751 "introduced": "2.4" 40752 }, 40753 { 40754 "fixed": "2.8.0" 40755 } 40756 ], 40757 "type": "ECOSYSTEM" 40758 } 40759 ], 40760 "versions": [ 40761 "2.4", 40762 "2.5", 40763 "2.6", 40764 "2.7" 40765 ] 40766 } 40767 ], 40768 "aliases": [ 40769 "CVE-2022-33980" 40770 ], 40771 "database_specific": { 40772 "cwe_ids": [ 40773 "CWE-74" 40774 ], 40775 "github_reviewed": true, 40776 "github_reviewed_at": "2022-07-07T16:56:07Z", 40777 "nvd_published_at": "2022-07-06T13:15:00Z", 40778 "severity": "CRITICAL" 40779 }, 40780 "details": "Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is \"${prefix:name}\", where \"prefix\" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. 
Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - \"script\" - execute expressions using the JVM script execution engine (javax.script) - \"dns\" - resolve dns records - \"url\" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.", 40781 "id": "GHSA-xj57-8qj4-c4m6", 40782 "modified": "2024-02-17T05:33:18.672687Z", 40783 "published": "2022-07-07T00:00:26Z", 40784 "references": [ 40785 { 40786 "type": "ADVISORY", 40787 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33980" 40788 }, 40789 { 40790 "type": "WEB", 40791 "url": "https://commons.apache.org/proper/commons-configuration/changes-report.html#a2.8.0" 40792 }, 40793 { 40794 "type": "PACKAGE", 40795 "url": "https://github.com/apache/commons-configuration" 40796 }, 40797 { 40798 "type": "WEB", 40799 "url": "https://issues.apache.org/jira/browse/CONFIGURATION-753" 40800 }, 40801 { 40802 "type": "WEB", 40803 "url": "https://issues.apache.org/jira/browse/CONFIGURATION-764" 40804 }, 40805 { 40806 "type": "WEB", 40807 "url": "https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s" 40808 }, 40809 { 40810 "type": "WEB", 40811 "url": "https://security.netapp.com/advisory/ntap-20221028-0015" 40812 }, 40813 { 40814 "type": "WEB", 40815 "url": "https://www.debian.org/security/2022/dsa-5290" 40816 }, 40817 { 40818 "type": "WEB", 40819 "url": "http://www.openwall.com/lists/oss-security/2022/07/06/5" 40820 }, 40821 { 40822 "type": "WEB", 40823 "url": "http://www.openwall.com/lists/oss-security/2022/11/15/4" 40824 } 40825 ], 
40826 "schema_version": "1.6.0", 40827 "severity": [ 40828 { 40829 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 40830 "type": "CVSS_V3" 40831 } 40832 ], 40833 "summary": "Code injection in Apache Commons Configuration" 40834 }, 40835 { 40836 "affected": [ 40837 { 40838 "database_specific": { 40839 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-xjp4-hw94-mvp5/GHSA-xjp4-hw94-mvp5.json" 40840 }, 40841 "package": { 40842 "ecosystem": "Maven", 40843 "name": "org.apache.commons:commons-configuration2", 40844 "purl": "pkg:maven/org.apache.commons/commons-configuration2" 40845 }, 40846 "ranges": [ 40847 { 40848 "events": [ 40849 { 40850 "introduced": "2.0" 40851 }, 40852 { 40853 "fixed": "2.10.1" 40854 } 40855 ], 40856 "type": "ECOSYSTEM" 40857 } 40858 ], 40859 "versions": [ 40860 "2.0", 40861 "2.1", 40862 "2.1.1", 40863 "2.10.0", 40864 "2.2", 40865 "2.3", 40866 "2.4", 40867 "2.5", 40868 "2.6", 40869 "2.7", 40870 "2.8.0", 40871 "2.9.0" 40872 ] 40873 } 40874 ], 40875 "aliases": [ 40876 "CVE-2024-29131" 40877 ], 40878 "database_specific": { 40879 "cwe_ids": [ 40880 "CWE-787" 40881 ], 40882 "github_reviewed": true, 40883 "github_reviewed_at": "2024-03-21T18:58:52Z", 40884 "nvd_published_at": "2024-03-21T09:15:07Z", 40885 "severity": "MODERATE" 40886 }, 40887 "details": "This Out-of-bounds Write vulnerability in Apache Commons Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1. User can see this as a 'StackOverflowError' when adding a property in 'AbstractListDelimiterHandler.flattenIterator()'.\nUsers are recommended to upgrade to version 2.10.1, which fixes the issue. 
\n\n", 40888 "id": "GHSA-xjp4-hw94-mvp5", 40889 "modified": "2024-05-02T19:03:02.271426Z", 40890 "published": "2024-03-21T09:31:14Z", 40891 "references": [ 40892 { 40893 "type": "ADVISORY", 40894 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29131" 40895 }, 40896 { 40897 "type": "WEB", 40898 "url": "https://github.com/apache/commons-configuration/commit/56b5c4dcdffbde27870df5a3105d6a5f9b22f554" 40899 }, 40900 { 40901 "type": "PACKAGE", 40902 "url": "https://github.com/apache/commons-configuration" 40903 }, 40904 { 40905 "type": "WEB", 40906 "url": "https://issues.apache.org/jira/browse/CONFIGURATION-840" 40907 }, 40908 { 40909 "type": "WEB", 40910 "url": "https://lists.apache.org/thread/03nzzzjn4oknyw5y0871tw7ltj0t3r37" 40911 }, 40912 { 40913 "type": "WEB", 40914 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SNKDKEEKZNL5FGCTZKJ6CFXFVWFL5FJ7" 40915 }, 40916 { 40917 "type": "WEB", 40918 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YD4AFTIIQW662LUAQRMWS6BBKYSZG3YS" 40919 }, 40920 { 40921 "type": "WEB", 40922 "url": "http://www.openwall.com/lists/oss-security/2024/03/20/4" 40923 } 40924 ], 40925 "related": [ 40926 "CGA-2v4p-jwqh-9wqp", 40927 "CGA-grw7-f4vj-7jvv", 40928 "CGA-pg3h-88pr-x67h", 40929 "CGA-qh6m-p54c-m273" 40930 ], 40931 "schema_version": "1.6.0", 40932 "severity": [ 40933 { 40934 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", 40935 "type": "CVSS_V3" 40936 } 40937 ], 40938 "summary": "Apache Commons Configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()" 40939 }, 40940 { 40941 "affected": [ 40942 { 40943 "database_specific": { 40944 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-599f-7c49-w659/GHSA-599f-7c49-w659.json" 40945 }, 40946 "package": { 40947 "ecosystem": "Maven", 40948 "name": "org.apache.commons:commons-text", 40949 
"purl": "pkg:maven/org.apache.commons/commons-text" 40950 }, 40951 "ranges": [ 40952 { 40953 "events": [ 40954 { 40955 "introduced": "1.5" 40956 }, 40957 { 40958 "fixed": "1.10.0" 40959 } 40960 ], 40961 "type": "ECOSYSTEM" 40962 } 40963 ], 40964 "versions": [ 40965 "1.5", 40966 "1.6", 40967 "1.7", 40968 "1.8", 40969 "1.9" 40970 ] 40971 }, 40972 { 40973 "database_specific": { 40974 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-599f-7c49-w659/GHSA-599f-7c49-w659.json" 40975 }, 40976 "package": { 40977 "ecosystem": "Maven", 40978 "name": "com.guicedee.services:commons-text", 40979 "purl": "pkg:maven/com.guicedee.services/commons-text" 40980 }, 40981 "ranges": [ 40982 { 40983 "events": [ 40984 { 40985 "introduced": "0" 40986 }, 40987 { 40988 "last_affected": "1.2.2.1-jre17" 40989 } 40990 ], 40991 "type": "ECOSYSTEM" 40992 } 40993 ], 40994 "versions": [ 40995 "0.70.0.1", 40996 "0.70.0.1-rc1", 40997 "0.70.0.1-rc13", 40998 "0.70.0.1-rc14", 40999 "0.70.0.1-rc15", 41000 "0.70.0.1-rc2", 41001 "0.70.0.1-rc3", 41002 "0.70.0.1-rc4", 41003 "0.70.0.1-rc5", 41004 "0.70.0.2", 41005 "0.70.0.3", 41006 "0.70.0.4", 41007 "0.70.0.5", 41008 "0.70.0.6", 41009 "0.70.0.7", 41010 "1.0.0.0", 41011 "1.0.1.0", 41012 "1.0.1.0-jre12", 41013 "1.0.1.0-jre13", 41014 "1.0.1.0-jre8", 41015 "1.0.1.1", 41016 "1.0.1.1-jre12", 41017 "1.0.1.1-jre13", 41018 "1.0.1.1-jre8", 41019 "1.0.1.2", 41020 "1.0.1.3", 41021 "1.0.1.3-jre12", 41022 "1.0.1.3-jre13", 41023 "1.0.1.3-jre8", 41024 "1.0.1.4", 41025 "1.0.1.4-jre12", 41026 "1.0.1.4-jre13", 41027 "1.0.1.4-jre8", 41028 "1.0.1.5", 41029 "1.0.1.5-jre12", 41030 "1.0.1.5-jre13", 41031 "1.0.1.5-jre8", 41032 "1.0.1.6", 41033 "1.0.1.6-jre12", 41034 "1.0.1.6-jre13", 41035 "1.0.1.7", 41036 "1.0.1.7-jre12", 41037 "1.0.1.7-jre13", 41038 "1.0.1.7-jre8", 41039 "1.0.10.0", 41040 "1.0.10.0-jre13", 41041 "1.0.10.0-jre14", 41042 "1.0.10.1", 41043 "1.0.10.1-jre14", 41044 "1.0.10.3", 41045 "1.0.10.3-jre14", 41046 "1.0.10.4", 
41047 "1.0.10.4-jre12", 41048 "1.0.10.4-jre13", 41049 "1.0.10.4-jre14", 41050 "1.0.11.0-jre14", 41051 "1.0.11.2-jre14", 41052 "1.0.11.5", 41053 "1.0.11.5-jre12", 41054 "1.0.11.5-jre14", 41055 "1.0.11.6-jre14", 41056 "1.0.11.7", 41057 "1.0.11.7-jre12", 41058 "1.0.11.7-jre14", 41059 "1.0.12.0", 41060 "1.0.12.0-jre12", 41061 "1.0.12.0-jre13", 41062 "1.0.12.0-jre14", 41063 "1.0.12.0-jre8", 41064 "1.0.12.1", 41065 "1.0.12.1-jre12", 41066 "1.0.12.1-jre14", 41067 "1.0.12.2", 41068 "1.0.12.2-jre12", 41069 "1.0.12.2-jre14", 41070 "1.0.12.3", 41071 "1.0.12.3-jre12", 41072 "1.0.12.3-jre13", 41073 "1.0.12.3-jre14", 41074 "1.0.12.4", 41075 "1.0.12.4-jre12", 41076 "1.0.12.4-jre13", 41077 "1.0.12.4-jre14", 41078 "1.0.12.4-jre8", 41079 "1.0.12.5", 41080 "1.0.12.5-jre14", 41081 "1.0.13.0", 41082 "1.0.13.0-jre12", 41083 "1.0.13.0-jre13", 41084 "1.0.13.0-jre14", 41085 "1.0.13.0-jre8", 41086 "1.0.13.1", 41087 "1.0.13.1-jre13", 41088 "1.0.13.1-jre14", 41089 "1.0.13.1-jre8", 41090 "1.0.13.2", 41091 "1.0.13.2-jre12", 41092 "1.0.13.2-jre13", 41093 "1.0.13.2-jre14", 41094 "1.0.13.2-jre8", 41095 "1.0.13.3", 41096 "1.0.13.3-jre14", 41097 "1.0.13.4", 41098 "1.0.13.4-jre12", 41099 "1.0.13.4-jre13", 41100 "1.0.13.4-jre14", 41101 "1.0.13.5", 41102 "1.0.13.5-jre12", 41103 "1.0.13.5-jre14", 41104 "1.0.13.5-jre8", 41105 "1.0.14.0-RC1-jre14", 41106 "1.0.14.0-RC1-jre8", 41107 "1.0.14.1", 41108 "1.0.14.1-jre12", 41109 "1.0.14.1-jre13", 41110 "1.0.14.1-jre14", 41111 "1.0.14.1-jre8", 41112 "1.0.14.3-jre8", 41113 "1.0.14.4-jre14", 41114 "1.0.14.4-jre8", 41115 "1.0.15.1", 41116 "1.0.15.1-jre12", 41117 "1.0.15.1-jre13", 41118 "1.0.15.1-jre14", 41119 "1.0.15.1-jre8", 41120 "1.0.15.2", 41121 "1.0.15.2-jre12", 41122 "1.0.15.2-jre14", 41123 "1.0.15.2-jre8", 41124 "1.0.15.3-jre14", 41125 "1.0.15.3-jre8", 41126 "1.0.15.4", 41127 "1.0.15.4-jre14", 41128 "1.0.15.4-jre8", 41129 "1.0.15.5", 41130 "1.0.15.5-jre14", 41131 "1.0.15.5-jre8", 41132 "1.0.16.0", 41133 "1.0.16.0-jre14", 41134 "1.0.16.0-jre8", 41135 
"1.0.17.0", 41136 "1.0.17.0-jre14", 41137 "1.0.17.1", 41138 "1.0.17.1-jre14", 41139 "1.0.17.1-jre8", 41140 "1.0.18.0", 41141 "1.0.18.0-jre14", 41142 "1.0.18.0-jre15", 41143 "1.0.18.0-jre8", 41144 "1.0.18.1", 41145 "1.0.18.1-jre14", 41146 "1.0.18.1-jre15", 41147 "1.0.18.1-jre8", 41148 "1.0.19.0", 41149 "1.0.19.0-jre14", 41150 "1.0.19.0-jre15", 41151 "1.0.19.1", 41152 "1.0.19.1-jre12", 41153 "1.0.19.1-jre13", 41154 "1.0.19.1-jre14", 41155 "1.0.19.1-jre15", 41156 "1.0.19.1-jre8", 41157 "1.0.19.10", 41158 "1.0.19.10-jre12", 41159 "1.0.19.10-jre14", 41160 "1.0.19.10-jre15", 41161 "1.0.19.10-jre8", 41162 "1.0.19.11", 41163 "1.0.19.11-jre14", 41164 "1.0.19.11-jre8", 41165 "1.0.19.12-jre14", 41166 "1.0.19.12-jre8", 41167 "1.0.19.13", 41168 "1.0.19.13-jre14", 41169 "1.0.19.13-jre15", 41170 "1.0.19.13-jre8", 41171 "1.0.19.2", 41172 "1.0.19.2-jre13", 41173 "1.0.19.2-jre14", 41174 "1.0.19.2-jre15", 41175 "1.0.19.2-jre8", 41176 "1.0.19.3", 41177 "1.0.19.3-jre13", 41178 "1.0.19.3-jre14", 41179 "1.0.19.3-jre15", 41180 "1.0.19.3-jre8", 41181 "1.0.19.4", 41182 "1.0.19.4-jre14", 41183 "1.0.19.4-jre15", 41184 "1.0.19.4-jre8", 41185 "1.0.19.5", 41186 "1.0.19.5-jre14", 41187 "1.0.19.5-jre15", 41188 "1.0.19.5-jre8", 41189 "1.0.19.6", 41190 "1.0.19.6-jre14", 41191 "1.0.19.6-jre8", 41192 "1.0.19.7-jre14", 41193 "1.0.19.7-jre8", 41194 "1.0.19.8-jre8", 41195 "1.0.19.9", 41196 "1.0.19.9-jre13", 41197 "1.0.19.9-jre14", 41198 "1.0.19.9-jre15", 41199 "1.0.19.9-jre8", 41200 "1.0.2.0", 41201 "1.0.2.0-jre12", 41202 "1.0.2.0-jre13", 41203 "1.0.2.0-jre8", 41204 "1.0.2.1", 41205 "1.0.2.1-jre12", 41206 "1.0.2.1-jre13", 41207 "1.0.2.10", 41208 "1.0.2.10-jre12", 41209 "1.0.2.10-jre13", 41210 "1.0.2.11", 41211 "1.0.2.11-jre13", 41212 "1.0.2.12", 41213 "1.0.2.12-jre13", 41214 "1.0.2.13", 41215 "1.0.2.13-jre13", 41216 "1.0.2.14", 41217 "1.0.2.14-jre13", 41218 "1.0.2.15", 41219 "1.0.2.15-jre13", 41220 "1.0.2.16-jre13", 41221 "1.0.2.17-jre13", 41222 "1.0.2.18", 41223 "1.0.2.18-jre12", 41224 "1.0.2.18-jre13", 
41225 "1.0.2.2", 41226 "1.0.2.2-jre12", 41227 "1.0.2.2-jre13", 41228 "1.0.2.2-jre8", 41229 "1.0.2.3", 41230 "1.0.2.3-jre12", 41231 "1.0.2.3-jre13", 41232 "1.0.2.3-jre8", 41233 "1.0.2.4", 41234 "1.0.2.4-jre12", 41235 "1.0.2.4-jre13", 41236 "1.0.2.6-jre13", 41237 "1.0.2.7-jre12", 41238 "1.0.2.7-jre13", 41239 "1.0.2.8", 41240 "1.0.2.8-jre12", 41241 "1.0.2.8-jre13", 41242 "1.0.2.9-jre12", 41243 "1.0.2.9-jre13", 41244 "1.0.20.0", 41245 "1.0.20.0-jre14", 41246 "1.0.20.0-jre15", 41247 "1.0.20.0-jre8", 41248 "1.0.20.1", 41249 "1.0.20.1-jre14", 41250 "1.0.20.1-jre15", 41251 "1.0.20.1-jre8", 41252 "1.0.20.2", 41253 "1.0.20.2-jre14", 41254 "1.0.20.2-jre15", 41255 "1.0.20.2-jre8", 41256 "1.0.3.1-jre13", 41257 "1.0.3.2", 41258 "1.0.3.2-jre13", 41259 "1.0.3.3", 41260 "1.0.3.3-jre12", 41261 "1.0.3.3-jre13", 41262 "1.0.4.1-jre13", 41263 "1.0.4.2", 41264 "1.0.4.2-jre13", 41265 "1.0.4.3-jre13", 41266 "1.0.4.4", 41267 "1.0.4.4-jre13", 41268 "1.0.5.0", 41269 "1.0.5.0-jre13", 41270 "1.0.5.1", 41271 "1.0.5.1-jre12", 41272 "1.0.5.1-jre13", 41273 "1.0.5.2", 41274 "1.0.5.2-jre12", 41275 "1.0.5.2-jre13", 41276 "1.0.5.3", 41277 "1.0.5.3-jre12", 41278 "1.0.5.3-jre13", 41279 "1.0.5.4-jre13", 41280 "1.0.5.4-jre14", 41281 "1.0.5.5", 41282 "1.0.5.5-jre12", 41283 "1.0.5.5-jre13", 41284 "1.0.5.5-jre14", 41285 "1.0.6.1", 41286 "1.0.6.1-jre12", 41287 "1.0.6.1-jre13", 41288 "1.0.6.1-jre14", 41289 "1.0.6.2", 41290 "1.0.6.2-jre12", 41291 "1.0.6.2-jre13", 41292 "1.0.6.2-jre14", 41293 "1.0.6.3", 41294 "1.0.6.3-jre12", 41295 "1.0.6.3-jre13", 41296 "1.0.6.3-jre14", 41297 "1.0.6.4-jre14", 41298 "1.0.6.5", 41299 "1.0.6.5-jre12", 41300 "1.0.6.5-jre13", 41301 "1.0.6.5-jre14", 41302 "1.0.6.7", 41303 "1.0.6.7-jre14", 41304 "1.0.7.0", 41305 "1.0.7.0-jre12", 41306 "1.0.7.0-jre13", 41307 "1.0.7.0-jre14", 41308 "1.0.7.1", 41309 "1.0.7.1-jre13", 41310 "1.0.7.1-jre14", 41311 "1.0.7.10", 41312 "1.0.7.10-jre13", 41313 "1.0.7.10-jre14", 41314 "1.0.7.11", 41315 "1.0.7.11-jre14", 41316 "1.0.7.12", 41317 "1.0.7.12-jre12", 
41318 "1.0.7.12-jre13", 41319 "1.0.7.12-jre14", 41320 "1.0.7.2-jre14", 41321 "1.0.7.3", 41322 "1.0.7.3-jre13", 41323 "1.0.7.3-jre14", 41324 "1.0.7.4", 41325 "1.0.7.4-jre14", 41326 "1.0.7.5", 41327 "1.0.7.5-jre14", 41328 "1.0.7.6", 41329 "1.0.7.6-jre14", 41330 "1.0.7.9", 41331 "1.0.7.9-jre14", 41332 "1.0.8.1", 41333 "1.0.8.1-jre14", 41334 "1.0.8.12", 41335 "1.0.8.12-jre12", 41336 "1.0.8.12-jre14", 41337 "1.0.8.16", 41338 "1.0.8.16-jre14", 41339 "1.0.8.18", 41340 "1.0.8.18-jre14", 41341 "1.0.8.2", 41342 "1.0.8.2-jre13", 41343 "1.0.8.2-jre14", 41344 "1.0.8.3", 41345 "1.0.8.3-jre13", 41346 "1.0.8.3-jre14", 41347 "1.0.8.4", 41348 "1.0.8.4-jre12", 41349 "1.0.8.4-jre13", 41350 "1.0.8.4-jre14", 41351 "1.0.8.5", 41352 "1.0.8.5-jre12", 41353 "1.0.8.5-jre13", 41354 "1.0.8.5-jre14", 41355 "1.0.8.6-jre14", 41356 "1.0.9.0", 41357 "1.0.9.0-jre14", 41358 "1.0.9.1", 41359 "1.0.9.1-jre14", 41360 "1.0.9.10", 41361 "1.0.9.10-jre14", 41362 "1.0.9.11", 41363 "1.0.9.11-jre14", 41364 "1.0.9.13", 41365 "1.0.9.13-jre14", 41366 "1.0.9.14", 41367 "1.0.9.14-jre14", 41368 "1.0.9.2", 41369 "1.0.9.2-jre14", 41370 "1.0.9.3-jre14", 41371 "1.0.9.4-jre14", 41372 "1.0.9.5-jre14", 41373 "1.0.9.7-jre14", 41374 "1.1.0.0-jre15", 41375 "1.1.0.1", 41376 "1.1.0.1-jre14", 41377 "1.1.0.1-jre15", 41378 "1.1.0.2", 41379 "1.1.0.2-jre14", 41380 "1.1.0.2-jre15", 41381 "1.1.0.3", 41382 "1.1.0.3-jre14", 41383 "1.1.0.3-jre15", 41384 "1.1.0.3-jre8", 41385 "1.1.0.4-jre14", 41386 "1.1.0.4-jre15", 41387 "1.1.0.4-jre8", 41388 "1.1.0.5-jre14", 41389 "1.1.0.5-jre15", 41390 "1.1.0.6", 41391 "1.1.0.6-jre14", 41392 "1.1.0.6-jre15", 41393 "1.1.0.7", 41394 "1.1.0.7-jre14", 41395 "1.1.0.7-jre15", 41396 "1.1.0.7-jre8", 41397 "1.1.0.8-SNAPSHOT-jre14", 41398 "1.1.1.0", 41399 "1.1.1.0-SNAPSHOT-jre14", 41400 "1.1.1.0-SNAPSHOT-jre15", 41401 "1.1.1.0-SNAPSHOT-jre8", 41402 "1.1.1.0-jre14", 41403 "1.1.1.0-jre15", 41404 "1.1.1.0-jre8", 41405 "1.1.1.1-SP1", 41406 "1.1.1.1-jre14-SP1", 41407 "1.1.1.1-jre15-SP1", 41408 "1.1.1.2", 41409 
"1.1.1.2-jre14", 41410 "1.1.1.2-jre15", 41411 "1.1.1.3", 41412 "1.1.1.3-jre14", 41413 "1.1.1.3-jre15", 41414 "1.1.1.3-jre16", 41415 "1.1.1.3-jre8", 41416 "1.1.1.4", 41417 "1.1.1.4-jre14", 41418 "1.1.1.4-jre15", 41419 "1.1.1.4-jre16", 41420 "1.1.1.4-jre8", 41421 "1.1.1.5-jre15", 41422 "1.1.1.7", 41423 "1.1.1.7-jre15", 41424 "1.1.1.7-jre16", 41425 "1.1.1.7-jre8", 41426 "1.1.1.8-jre15", 41427 "1.1.1.8-jre16", 41428 "1.1.1.9-jre15", 41429 "1.1.1.9-jre16", 41430 "1.2.0.0-jre16", 41431 "1.2.0.1-jre11", 41432 "1.2.0.1-jre15", 41433 "1.2.0.1-jre16", 41434 "1.2.0.2-jre16", 41435 "1.2.0.3-jre17-rc1", 41436 "1.2.1.1-jre17", 41437 "1.2.1.2-jre17", 41438 "1.2.2.1", 41439 "1.2.2.1-jre17" 41440 ] 41441 } 41442 ], 41443 "aliases": [ 41444 "CVE-2022-42889" 41445 ], 41446 "database_specific": { 41447 "cwe_ids": [ 41448 "CWE-94" 41449 ], 41450 "github_reviewed": true, 41451 "github_reviewed_at": "2022-10-13T20:22:17Z", 41452 "nvd_published_at": "2022-10-13T13:15:00Z", 41453 "severity": "CRITICAL" 41454 }, 41455 "details": "Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is \"${prefix:name}\", where \"prefix\" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - \"script\" - execute expressions using the JVM script execution engine (javax.script) - \"dns\" - resolve dns records - \"url\" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. 
Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.", 41456 "id": "GHSA-599f-7c49-w659", 41457 "modified": "2024-02-16T08:09:06.872889Z", 41458 "published": "2022-10-13T19:00:17Z", 41459 "references": [ 41460 { 41461 "type": "ADVISORY", 41462 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42889" 41463 }, 41464 { 41465 "type": "WEB", 41466 "url": "https://arxiv.org/pdf/2306.05534" 41467 }, 41468 { 41469 "type": "PACKAGE", 41470 "url": "https://github.com/apache/commons-text" 41471 }, 41472 { 41473 "type": "WEB", 41474 "url": "https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om" 41475 }, 41476 { 41477 "type": "WEB", 41478 "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022" 41479 }, 41480 { 41481 "type": "WEB", 41482 "url": "https://security.gentoo.org/glsa/202301-05" 41483 }, 41484 { 41485 "type": "WEB", 41486 "url": "https://security.netapp.com/advisory/ntap-20221020-0004" 41487 }, 41488 { 41489 "type": "ADVISORY", 41490 "url": "https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text" 41491 }, 41492 { 41493 "type": "WEB", 41494 "url": "http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html" 41495 }, 41496 { 41497 "type": "WEB", 41498 "url": "http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html" 41499 }, 41500 { 41501 "type": "WEB", 41502 "url": "http://seclists.org/fulldisclosure/2023/Feb/3" 41503 }, 41504 { 41505 "type": "WEB", 41506 "url": "http://www.openwall.com/lists/oss-security/2022/10/13/4" 41507 }, 41508 { 41509 "type": "WEB", 41510 "url": "http://www.openwall.com/lists/oss-security/2022/10/18/1" 41511 } 41512 ], 41513 "schema_version": "1.6.0", 41514 "severity": [ 41515 { 41516 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 41517 "type": "CVSS_V3" 41518 } 41519 ], 41520 "summary": "Arbitrary code execution in Apache Commons 
Text" 41521 }, 41522 { 41523 "affected": [ 41524 { 41525 "database_specific": { 41526 "last_known_affected_version_range": "\u003c= 1.0.0-M30", 41527 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cx3q-cv6w-mx4h/GHSA-cx3q-cv6w-mx4h.json" 41528 }, 41529 "package": { 41530 "ecosystem": "Maven", 41531 "name": "org.apache.directory.api:api-ldap-model", 41532 "purl": "pkg:maven/org.apache.directory.api/api-ldap-model" 41533 }, 41534 "ranges": [ 41535 { 41536 "events": [ 41537 { 41538 "introduced": "0" 41539 }, 41540 { 41541 "fixed": "1.0.0-M31" 41542 } 41543 ], 41544 "type": "ECOSYSTEM" 41545 } 41546 ], 41547 "versions": [ 41548 "1.0.0-M14", 41549 "1.0.0-M15", 41550 "1.0.0-M16", 41551 "1.0.0-M17", 41552 "1.0.0-M18", 41553 "1.0.0-M19", 41554 "1.0.0-M20", 41555 "1.0.0-M21", 41556 "1.0.0-M22", 41557 "1.0.0-M23", 41558 "1.0.0-M24", 41559 "1.0.0-M25", 41560 "1.0.0-M26", 41561 "1.0.0-M27", 41562 "1.0.0-M28", 41563 "1.0.0-M29", 41564 "1.0.0-M30" 41565 ] 41566 } 41567 ], 41568 "aliases": [ 41569 "CVE-2015-3250" 41570 ], 41571 "database_specific": { 41572 "cwe_ids": [ 41573 "CWE-200" 41574 ], 41575 "github_reviewed": true, 41576 "github_reviewed_at": "2022-07-06T20:17:29Z", 41577 "nvd_published_at": "2017-09-07T13:29:00Z", 41578 "severity": "HIGH" 41579 }, 41580 "details": "Apache Directory LDAP API before 1.0.0-M31 allows attackers to conduct timing attacks via unspecified vectors.", 41581 "id": "GHSA-cx3q-cv6w-mx4h", 41582 "modified": "2023-11-08T03:57:53.766909Z", 41583 "published": "2022-05-17T00:51:52Z", 41584 "references": [ 41585 { 41586 "type": "ADVISORY", 41587 "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3250" 41588 }, 41589 { 41590 "type": "WEB", 41591 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1241163" 41592 }, 41593 { 41594 "type": "WEB", 41595 "url": "http://directory.apache.org/api/#news_1" 41596 }, 41597 { 41598 "type": "WEB", 41599 "url": 
"http://www.openwall.com/lists/oss-security/2015/07/07/11" 41600 }, 41601 { 41602 "type": "WEB", 41603 "url": "http://www.openwall.com/lists/oss-security/2015/07/07/5" 41604 } 41605 ], 41606 "schema_version": "1.6.0", 41607 "severity": [ 41608 { 41609 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 41610 "type": "CVSS_V3" 41611 } 41612 ], 41613 "summary": "Exposure of Sensitive Information to an Unauthorized Actor in Apache Directory LDAP API" 41614 }, 41615 { 41616 "affected": [ 41617 { 41618 "database_specific": { 41619 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jpmf-8cj2-595g/GHSA-jpmf-8cj2-595g.json" 41620 }, 41621 "package": { 41622 "ecosystem": "Maven", 41623 "name": "org.apache.hadoop:hadoop-client", 41624 "purl": "pkg:maven/org.apache.hadoop/hadoop-client" 41625 }, 41626 "ranges": [ 41627 { 41628 "events": [ 41629 { 41630 "introduced": "0.23.0" 41631 }, 41632 { 41633 "fixed": "1.0.1" 41634 } 41635 ], 41636 "type": "ECOSYSTEM" 41637 } 41638 ], 41639 "versions": [ 41640 "0.23.1", 41641 "0.23.10", 41642 "0.23.11", 41643 "0.23.3", 41644 "0.23.4", 41645 "0.23.5", 41646 "0.23.6", 41647 "0.23.7", 41648 "0.23.8", 41649 "0.23.9" 41650 ] 41651 }, 41652 { 41653 "database_specific": { 41654 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jpmf-8cj2-595g/GHSA-jpmf-8cj2-595g.json" 41655 }, 41656 "package": { 41657 "ecosystem": "Maven", 41658 "name": "org.apache.hadoop:hadoop-client", 41659 "purl": "pkg:maven/org.apache.hadoop/hadoop-client" 41660 }, 41661 "ranges": [ 41662 { 41663 "events": [ 41664 { 41665 "introduced": "2.0.0" 41666 }, 41667 { 41668 "fixed": "2.5.2" 41669 } 41670 ], 41671 "type": "ECOSYSTEM" 41672 } 41673 ], 41674 "versions": [ 41675 "2.0.1-alpha", 41676 "2.0.2-alpha", 41677 "2.0.3-alpha", 41678 "2.0.4-alpha", 41679 "2.0.5-alpha", 41680 "2.0.6-alpha", 41681 "2.1.0-beta", 41682 "2.1.1-beta", 41683 "2.2.0", 41684 "2.3.0", 41685 
"2.4.0", 41686 "2.4.1", 41687 "2.5.0", 41688 "2.5.1" 41689 ] 41690 } 41691 ], 41692 "aliases": [ 41693 "CVE-2014-3627" 41694 ], 41695 "database_specific": { 41696 "cwe_ids": [ 41697 "CWE-59" 41698 ], 41699 "github_reviewed": true, 41700 "github_reviewed_at": "2022-07-07T22:33:19Z", 41701 "nvd_published_at": "2014-12-05T16:59:00Z", 41702 "severity": "MODERATE" 41703 }, 41704 "details": "The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 and 2.x before 2.5.2, when using Kerberos authentication, allows remote cluster users to change the permissions of certain files to world-readable via a symlink attack in a public tar archive, which is not properly handled during localization, related to distributed cache.", 41705 "id": "GHSA-jpmf-8cj2-595g", 41706 "modified": "2023-11-08T03:57:39.881301Z", 41707 "published": "2022-05-17T04:20:31Z", 41708 "references": [ 41709 { 41710 "type": "ADVISORY", 41711 "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3627" 41712 }, 41713 { 41714 "type": "WEB", 41715 "url": "http://mail-archives.apache.org/mod_mbox/hadoop-general/201411.mbox/%3CCALwhT97dOi04aC3VbekaB+zn2UAS_OZV2EAiP78GmjnMzfp2Ug@mail.gmail.com%3E" 41716 } 41717 ], 41718 "schema_version": "1.6.0", 41719 "summary": "Improper Link Resolution Before File Access in Apache Hadoop" 41720 }, 41721 { 41722 "affected": [ 41723 { 41724 "database_specific": { 41725 "last_known_affected_version_range": "\u003c= 2.6.5", 41726 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pr9x-qmp5-j3rr/GHSA-pr9x-qmp5-j3rr.json" 41727 }, 41728 "package": { 41729 "ecosystem": "Maven", 41730 "name": "org.apache.hadoop:hadoop-client", 41731 "purl": "pkg:maven/org.apache.hadoop/hadoop-client" 41732 }, 41733 "ranges": [ 41734 { 41735 "events": [ 41736 { 41737 "introduced": "0" 41738 }, 41739 { 41740 "fixed": "2.7.0" 41741 } 41742 ], 41743 "type": "ECOSYSTEM" 41744 } 41745 ], 41746 "versions": [ 41747 "0.23.1", 41748 "0.23.10", 41749 
"0.23.11", 41750 "0.23.3", 41751 "0.23.4", 41752 "0.23.5", 41753 "0.23.6", 41754 "0.23.7", 41755 "0.23.8", 41756 "0.23.9", 41757 "1.0.1", 41758 "1.0.2", 41759 "1.0.3", 41760 "1.0.4", 41761 "1.1.0", 41762 "1.1.1", 41763 "1.1.2", 41764 "1.2.0", 41765 "1.2.1", 41766 "2.0.0-alpha", 41767 "2.0.1-alpha", 41768 "2.0.2-alpha", 41769 "2.0.3-alpha", 41770 "2.0.4-alpha", 41771 "2.0.5-alpha", 41772 "2.0.6-alpha", 41773 "2.1.0-beta", 41774 "2.1.1-beta", 41775 "2.2.0", 41776 "2.3.0", 41777 "2.4.0", 41778 "2.4.1", 41779 "2.5.0", 41780 "2.5.1", 41781 "2.5.2", 41782 "2.6.0", 41783 "2.6.1", 41784 "2.6.2", 41785 "2.6.3", 41786 "2.6.4", 41787 "2.6.5" 41788 ] 41789 } 41790 ], 41791 "aliases": [ 41792 "CVE-2017-3162" 41793 ], 41794 "database_specific": { 41795 "cwe_ids": [ 41796 "CWE-20" 41797 ], 41798 "github_reviewed": true, 41799 "github_reviewed_at": "2022-07-01T17:31:15Z", 41800 "nvd_published_at": "2017-04-26T20:59:00Z", 41801 "severity": "HIGH" 41802 }, 41803 "details": "HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. 
The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0.", 41804 "id": "GHSA-pr9x-qmp5-j3rr", 41805 "modified": "2023-11-08T03:59:20.588772Z", 41806 "published": "2022-05-13T01:08:56Z", 41807 "references": [ 41808 { 41809 "type": "ADVISORY", 41810 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3162" 41811 }, 41812 { 41813 "type": "WEB", 41814 "url": "https://lists.apache.org/thread.html/r127f75748fcabc63bc5a1bec6885753eb9b2bed803b6ed7bd46f965b@%3Cuser.hadoop.apache.org%3E" 41815 }, 41816 { 41817 "type": "WEB", 41818 "url": "https://lists.apache.org/thread.html/r66de86b9a608c1da70b2d27d765c11ec88edf6e5dd6f379ab33e072a@%3Cuser.flink.apache.org%3E" 41819 }, 41820 { 41821 "type": "WEB", 41822 "url": "https://s.apache.org/k2ss" 41823 }, 41824 { 41825 "type": "WEB", 41826 "url": "http://www.securityfocus.com/bid/98017" 41827 } 41828 ], 41829 "schema_version": "1.6.0", 41830 "severity": [ 41831 { 41832 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", 41833 "type": "CVSS_V3" 41834 } 41835 ], 41836 "summary": "Improper Input Validation in Apache Hadoop" 41837 }, 41838 { 41839 "affected": [ 41840 { 41841 "database_specific": { 41842 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q46v-cj5v-hvg6/GHSA-q46v-cj5v-hvg6.json" 41843 }, 41844 "package": { 41845 "ecosystem": "Maven", 41846 "name": "org.apache.hadoop:hadoop-client", 41847 "purl": "pkg:maven/org.apache.hadoop/hadoop-client" 41848 }, 41849 "ranges": [ 41850 { 41851 "events": [ 41852 { 41853 "introduced": "0" 41854 }, 41855 { 41856 "fixed": "0.23.4" 41857 } 41858 ], 41859 "type": "ECOSYSTEM" 41860 } 41861 ], 41862 "versions": [ 41863 "0.23.1", 41864 "0.23.3" 41865 ] 41866 }, 41867 { 41868 "database_specific": { 41869 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q46v-cj5v-hvg6/GHSA-q46v-cj5v-hvg6.json" 41870 }, 41871 "package": { 41872 "ecosystem": 
"Maven", 41873 "name": "org.apache.hadoop:hadoop-client", 41874 "purl": "pkg:maven/org.apache.hadoop/hadoop-client" 41875 }, 41876 "ranges": [ 41877 { 41878 "events": [ 41879 { 41880 "introduced": "1.0.0" 41881 }, 41882 { 41883 "fixed": "1.0.4" 41884 } 41885 ], 41886 "type": "ECOSYSTEM" 41887 } 41888 ], 41889 "versions": [ 41890 "1.0.1", 41891 "1.0.2", 41892 "1.0.3" 41893 ] 41894 }, 41895 { 41896 "database_specific": { 41897 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q46v-cj5v-hvg6/GHSA-q46v-cj5v-hvg6.json" 41898 }, 41899 "package": { 41900 "ecosystem": "Maven", 41901 "name": "org.apache.hadoop:hadoop-client", 41902 "purl": "pkg:maven/org.apache.hadoop/hadoop-client" 41903 }, 41904 "ranges": [ 41905 { 41906 "events": [ 41907 { 41908 "introduced": "2.0.0" 41909 }, 41910 { 41911 "fixed": "2.0.2" 41912 } 41913 ], 41914 "type": "ECOSYSTEM" 41915 } 41916 ], 41917 "versions": [ 41918 "2.0.1-alpha", 41919 "2.0.2-alpha" 41920 ] 41921 } 41922 ], 41923 "aliases": [ 41924 "CVE-2012-4449" 41925 ], 41926 "database_specific": { 41927 "cwe_ids": [ 41928 "CWE-327" 41929 ], 41930 "github_reviewed": true, 41931 "github_reviewed_at": "2022-07-13T15:47:55Z", 41932 "nvd_published_at": "2017-10-30T19:29:00Z", 41933 "severity": "CRITICAL" 41934 }, 41935 "details": "Apache Hadoop before 0.23.4, 1.x before 1.0.4, and 2.x before 2.0.2 generate token passwords using a 20-bit secret when Kerberos security features are enabled, which makes it easier for context-dependent attackers to crack secret keys via a brute-force attack.", 41936 "id": "GHSA-q46v-cj5v-hvg6", 41937 "modified": "2023-11-08T03:57:07.826616Z", 41938 "published": "2022-05-17T00:22:31Z", 41939 "references": [ 41940 { 41941 "type": "ADVISORY", 41942 "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4449" 41943 }, 41944 { 41945 "type": "WEB", 41946 "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#topic_1_0" 41947 }, 41948 
{ 41949 "type": "WEB", 41950 "url": "http://mail-archives.apache.org/mod_mbox/hadoop-general/201210.mbox/%3CCA+z3+9FYdPmzBEaMZ71SUqzRx=eU=o4mSHUsbrpzgR9X_F1c0Q@mail.gmail.com%3E" 41951 } 41952 ], 41953 "schema_version": "1.6.0", 41954 "severity": [ 41955 { 41956 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 41957 "type": "CVSS_V3" 41958 } 41959 ], 41960 "summary": "Use of a Broken or Risky Cryptographic Algorithm in Apache Hadoop" 41961 }, 41962 { 41963 "affected": [ 41964 { 41965 "database_specific": { 41966 "last_known_affected_version_range": "\u003c= 2.6.5", 41967 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qm7f-r83w-3p46/GHSA-qm7f-r83w-3p46.json" 41968 }, 41969 "package": { 41970 "ecosystem": "Maven", 41971 "name": "org.apache.hadoop:hadoop-client", 41972 "purl": "pkg:maven/org.apache.hadoop/hadoop-client" 41973 }, 41974 "ranges": [ 41975 { 41976 "events": [ 41977 { 41978 "introduced": "0" 41979 }, 41980 { 41981 "fixed": "2.7.0" 41982 } 41983 ], 41984 "type": "ECOSYSTEM" 41985 } 41986 ], 41987 "versions": [ 41988 "0.23.1", 41989 "0.23.10", 41990 "0.23.11", 41991 "0.23.3", 41992 "0.23.4", 41993 "0.23.5", 41994 "0.23.6", 41995 "0.23.7", 41996 "0.23.8", 41997 "0.23.9", 41998 "1.0.1", 41999 "1.0.2", 42000 "1.0.3", 42001 "1.0.4", 42002 "1.1.0", 42003 "1.1.1", 42004 "1.1.2", 42005 "1.2.0", 42006 "1.2.1", 42007 "2.0.0-alpha", 42008 "2.0.1-alpha", 42009 "2.0.2-alpha", 42010 "2.0.3-alpha", 42011 "2.0.4-alpha", 42012 "2.0.5-alpha", 42013 "2.0.6-alpha", 42014 "2.1.0-beta", 42015 "2.1.1-beta", 42016 "2.2.0", 42017 "2.3.0", 42018 "2.4.0", 42019 "2.4.1", 42020 "2.5.0", 42021 "2.5.1", 42022 "2.5.2", 42023 "2.6.0", 42024 "2.6.1", 42025 "2.6.2", 42026 "2.6.3", 42027 "2.6.4", 42028 "2.6.5" 42029 ] 42030 } 42031 ], 42032 "aliases": [ 42033 "CVE-2017-3161" 42034 ], 42035 "database_specific": { 42036 "cwe_ids": [ 42037 "CWE-79" 42038 ], 42039 "github_reviewed": true, 42040 "github_reviewed_at": 
"2022-07-01T17:31:59Z", 42041 "nvd_published_at": "2017-04-26T20:59:00Z", 42042 "severity": "MODERATE" 42043 }, 42044 "details": "The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter.", 42045 "id": "GHSA-qm7f-r83w-3p46", 42046 "modified": "2023-11-08T03:59:20.528031Z", 42047 "published": "2022-05-13T01:08:56Z", 42048 "references": [ 42049 { 42050 "type": "ADVISORY", 42051 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3161" 42052 }, 42053 { 42054 "type": "WEB", 42055 "url": "https://lists.apache.org/thread.html/r127f75748fcabc63bc5a1bec6885753eb9b2bed803b6ed7bd46f965b@%3Cuser.hadoop.apache.org%3E" 42056 }, 42057 { 42058 "type": "WEB", 42059 "url": "https://lists.apache.org/thread.html/r66de86b9a608c1da70b2d27d765c11ec88edf6e5dd6f379ab33e072a@%3Cuser.flink.apache.org%3E" 42060 }, 42061 { 42062 "type": "WEB", 42063 "url": "https://s.apache.org/4MQm" 42064 }, 42065 { 42066 "type": "WEB", 42067 "url": "http://www.securityfocus.com/bid/98025" 42068 } 42069 ], 42070 "schema_version": "1.6.0", 42071 "severity": [ 42072 { 42073 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 42074 "type": "CVSS_V3" 42075 } 42076 ], 42077 "summary": "Improper Neutralization of Input During Web Page Generation in Apache Hadoop" 42078 }, 42079 { 42080 "affected": [ 42081 { 42082 "database_specific": { 42083 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qmh2-h7r6-gm6q/GHSA-qmh2-h7r6-gm6q.json" 42084 }, 42085 "package": { 42086 "ecosystem": "Maven", 42087 "name": "org.apache.hadoop:hadoop-client", 42088 "purl": "pkg:maven/org.apache.hadoop/hadoop-client" 42089 }, 42090 "ranges": [ 42091 { 42092 "events": [ 42093 { 42094 "introduced": "2.0.0-alpha" 42095 }, 42096 { 42097 "fixed": "2.0.1-alpha" 42098 } 42099 ], 42100 "type": "ECOSYSTEM" 42101 } 42102 ], 42103 "versions": [ 42104 "2.0.0-alpha" 42105 ] 42106 } 42107 ], 42108 "aliases": [ 42109 
"CVE-2012-3376" 42110 ], 42111 "database_specific": { 42112 "cwe_ids": [], 42113 "github_reviewed": true, 42114 "github_reviewed_at": "2022-07-13T21:25:16Z", 42115 "nvd_published_at": "2012-07-12T19:55:00Z", 42116 "severity": "HIGH" 42117 }, 42118 "details": "DataNodes in Apache Hadoop 2.0.0 alpha does not check the BlockTokens of clients when Kerberos is enabled and the DataNode has checked out the same BlockPool twice from a NodeName, which might allow remote clients to read arbitrary blocks, write to blocks to which they only have read access, and have other unspecified impacts.", 42119 "id": "GHSA-qmh2-h7r6-gm6q", 42120 "modified": "2023-11-08T03:57:05.91736Z", 42121 "published": "2022-05-17T02:54:07Z", 42122 "references": [ 42123 { 42124 "type": "ADVISORY", 42125 "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3376" 42126 }, 42127 { 42128 "type": "PACKAGE", 42129 "url": "https://github.com/apache/hadoop" 42130 }, 42131 { 42132 "type": "WEB", 42133 "url": "https://seclists.org/fulldisclosure/2012/Jul/78" 42134 }, 42135 { 42136 "type": "WEB", 42137 "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html" 42138 }, 42139 { 42140 "type": "WEB", 42141 "url": "http://archives.neohapsis.com/archives/bugtraq/2012-07/0049.html" 42142 } 42143 ], 42144 "schema_version": "1.6.0", 42145 "summary": "Client BlockTokens not checked in Apache Hadoop" 42146 }, 42147 { 42148 "affected": [ 42149 { 42150 "database_specific": { 42151 "last_known_affected_version_range": "\u003c= 2.6.4", 42152 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7q56-mp4c-gggg/GHSA-7q56-mp4c-gggg.json" 42153 }, 42154 "package": { 42155 "ecosystem": "Maven", 42156 "name": "org.apache.hadoop:hadoop-common", 42157 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 42158 }, 42159 "ranges": [ 42160 { 42161 "events": [ 42162 { 42163 "introduced": "2.6.0" 42164 }, 42165 { 42166 "fixed": "2.6.5" 42167 } 42168 ], 
42169 "type": "ECOSYSTEM" 42170 } 42171 ], 42172 "versions": [ 42173 "2.6.0", 42174 "2.6.1", 42175 "2.6.2", 42176 "2.6.3", 42177 "2.6.4" 42178 ] 42179 }, 42180 { 42181 "database_specific": { 42182 "last_known_affected_version_range": "\u003c= 2.7.2", 42183 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7q56-mp4c-gggg/GHSA-7q56-mp4c-gggg.json" 42184 }, 42185 "package": { 42186 "ecosystem": "Maven", 42187 "name": "org.apache.hadoop:hadoop-common", 42188 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 42189 }, 42190 "ranges": [ 42191 { 42192 "events": [ 42193 { 42194 "introduced": "2.7.0" 42195 }, 42196 { 42197 "fixed": "2.7.3" 42198 } 42199 ], 42200 "type": "ECOSYSTEM" 42201 } 42202 ], 42203 "versions": [ 42204 "2.7.0", 42205 "2.7.1", 42206 "2.7.2" 42207 ] 42208 } 42209 ], 42210 "aliases": [ 42211 "CVE-2016-5393" 42212 ], 42213 "database_specific": { 42214 "cwe_ids": [ 42215 "CWE-284" 42216 ], 42217 "github_reviewed": true, 42218 "github_reviewed_at": "2022-07-06T19:44:12Z", 42219 "nvd_published_at": "2016-11-29T06:59:00Z", 42220 "severity": "HIGH" 42221 }, 42222 "details": "In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service.", 42223 "id": "GHSA-7q56-mp4c-gggg", 42224 "modified": "2023-11-08T03:58:31.207186Z", 42225 "published": "2022-05-17T03:35:31Z", 42226 "references": [ 42227 { 42228 "type": "ADVISORY", 42229 "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5393" 42230 }, 42231 { 42232 "type": "WEB", 42233 "url": "http://mail-archives.apache.org/mod_mbox/hadoop-general/201611.mbox/%3CCAA0W1bTbUmUUSF1rjRpX-2DvWutcrPt7TJSWUcSLg1F0gyHG1Q%40mail.gmail.com%3E" 42234 }, 42235 { 42236 "type": "WEB", 42237 "url": "http://www.securityfocus.com/bid/94574" 42238 } 42239 ], 42240 "schema_version": "1.6.0", 42241 "severity": [ 42242 { 42243 "score": 
"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 42244 "type": "CVSS_V3" 42245 } 42246 ], 42247 "summary": "Improper Access Control in Apache Hadoop" 42248 }, 42249 { 42250 "affected": [ 42251 { 42252 "database_specific": { 42253 "last_known_affected_version_range": "\u003c= 2.6.3", 42254 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8r28-r8cp-g6cp/GHSA-8r28-r8cp-g6cp.json" 42255 }, 42256 "package": { 42257 "ecosystem": "Maven", 42258 "name": "org.apache.hadoop:hadoop-common", 42259 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 42260 }, 42261 "ranges": [ 42262 { 42263 "events": [ 42264 { 42265 "introduced": "0" 42266 }, 42267 { 42268 "fixed": "2.6.4" 42269 } 42270 ], 42271 "type": "ECOSYSTEM" 42272 } 42273 ], 42274 "versions": [ 42275 "0.22.0", 42276 "0.23.1", 42277 "0.23.10", 42278 "0.23.11", 42279 "0.23.3", 42280 "0.23.4", 42281 "0.23.5", 42282 "0.23.6", 42283 "0.23.7", 42284 "0.23.8", 42285 "0.23.9", 42286 "2.0.0-alpha", 42287 "2.0.1-alpha", 42288 "2.0.2-alpha", 42289 "2.0.3-alpha", 42290 "2.0.4-alpha", 42291 "2.0.5-alpha", 42292 "2.0.6-alpha", 42293 "2.1.0-beta", 42294 "2.1.1-beta", 42295 "2.2.0", 42296 "2.3.0", 42297 "2.4.0", 42298 "2.4.1", 42299 "2.5.0", 42300 "2.5.1", 42301 "2.5.2", 42302 "2.6.0", 42303 "2.6.1", 42304 "2.6.2", 42305 "2.6.3" 42306 ] 42307 }, 42308 { 42309 "database_specific": { 42310 "last_known_affected_version_range": "\u003c= 2.7.1", 42311 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8r28-r8cp-g6cp/GHSA-8r28-r8cp-g6cp.json" 42312 }, 42313 "package": { 42314 "ecosystem": "Maven", 42315 "name": "org.apache.hadoop:hadoop-common", 42316 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 42317 }, 42318 "ranges": [ 42319 { 42320 "events": [ 42321 { 42322 "introduced": "2.7.0" 42323 }, 42324 { 42325 "fixed": "2.7.2" 42326 } 42327 ], 42328 "type": "ECOSYSTEM" 42329 } 42330 ], 42331 "versions": [ 42332 "2.7.0", 42333 "2.7.1" 
42334 ] 42335 } 42336 ], 42337 "aliases": [ 42338 "CVE-2016-5001" 42339 ], 42340 "database_specific": { 42341 "cwe_ids": [ 42342 "CWE-200" 42343 ], 42344 "github_reviewed": true, 42345 "github_reviewed_at": "2022-07-06T19:43:24Z", 42346 "nvd_published_at": "2017-08-30T19:29:00Z", 42347 "severity": "MODERATE" 42348 }, 42349 "details": "This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.", 42350 "id": "GHSA-8r28-r8cp-g6cp", 42351 "modified": "2023-11-08T03:58:30.347713Z", 42352 "published": "2022-05-13T01:08:56Z", 42353 "references": [ 42354 { 42355 "type": "ADVISORY", 42356 "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5001" 42357 }, 42358 { 42359 "type": "WEB", 42360 "url": "https://lists.apache.org/thread.html/r66de86b9a608c1da70b2d27d765c11ec88edf6e5dd6f379ab33e072a@%3Cuser.flink.apache.org%3E" 42361 }, 42362 { 42363 "type": "WEB", 42364 "url": "http://seclists.org/oss-sec/2016/q4/698" 42365 } 42366 ], 42367 "schema_version": "1.6.0", 42368 "severity": [ 42369 { 42370 "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", 42371 "type": "CVSS_V3" 42372 } 42373 ], 42374 "summary": "Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop" 42375 }, 42376 { 42377 "affected": [ 42378 { 42379 "database_specific": { 42380 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8wm5-8h9c-47pc/GHSA-8wm5-8h9c-47pc.json" 42381 }, 42382 "package": { 42383 "ecosystem": "Maven", 42384 "name": "org.apache.hadoop:hadoop-common", 42385 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 42386 }, 42387 "ranges": [ 42388 { 42389 "events": [ 42390 { 42391 "introduced": "2.0.0" 42392 }, 42393 { 42394 "fixed": "2.10.2" 42395 } 42396 ], 42397 "type": "ECOSYSTEM" 
42398 } 42399 ], 42400 "versions": [ 42401 "2.0.1-alpha", 42402 "2.0.2-alpha", 42403 "2.0.3-alpha", 42404 "2.0.4-alpha", 42405 "2.0.5-alpha", 42406 "2.0.6-alpha", 42407 "2.1.0-beta", 42408 "2.1.1-beta", 42409 "2.10.0", 42410 "2.10.1", 42411 "2.2.0", 42412 "2.3.0", 42413 "2.4.0", 42414 "2.4.1", 42415 "2.5.0", 42416 "2.5.1", 42417 "2.5.2", 42418 "2.6.0", 42419 "2.6.1", 42420 "2.6.2", 42421 "2.6.3", 42422 "2.6.4", 42423 "2.6.5", 42424 "2.7.0", 42425 "2.7.1", 42426 "2.7.2", 42427 "2.7.3", 42428 "2.7.4", 42429 "2.7.5", 42430 "2.7.6", 42431 "2.7.7", 42432 "2.8.0", 42433 "2.8.1", 42434 "2.8.2", 42435 "2.8.3", 42436 "2.8.4", 42437 "2.8.5", 42438 "2.9.0", 42439 "2.9.1", 42440 "2.9.2" 42441 ] 42442 }, 42443 { 42444 "database_specific": { 42445 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8wm5-8h9c-47pc/GHSA-8wm5-8h9c-47pc.json" 42446 }, 42447 "package": { 42448 "ecosystem": "Maven", 42449 "name": "org.apache.hadoop:hadoop-common", 42450 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 42451 }, 42452 "ranges": [ 42453 { 42454 "events": [ 42455 { 42456 "introduced": "3.0.0-alpha" 42457 }, 42458 { 42459 "fixed": "3.2.4" 42460 } 42461 ], 42462 "type": "ECOSYSTEM" 42463 } 42464 ], 42465 "versions": [ 42466 "3.0.0", 42467 "3.0.0-alpha1", 42468 "3.0.0-alpha2", 42469 "3.0.0-alpha3", 42470 "3.0.0-alpha4", 42471 "3.0.0-beta1", 42472 "3.0.1", 42473 "3.0.2", 42474 "3.0.3", 42475 "3.1.0", 42476 "3.1.1", 42477 "3.1.2", 42478 "3.1.3", 42479 "3.1.4", 42480 "3.2.0", 42481 "3.2.1", 42482 "3.2.2", 42483 "3.2.3" 42484 ] 42485 }, 42486 { 42487 "database_specific": { 42488 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8wm5-8h9c-47pc/GHSA-8wm5-8h9c-47pc.json" 42489 }, 42490 "package": { 42491 "ecosystem": "Maven", 42492 "name": "org.apache.hadoop:hadoop-common", 42493 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 42494 }, 42495 "ranges": [ 42496 { 42497 "events": [ 42498 
{ 42499 "introduced": "3.3.0" 42500 }, 42501 { 42502 "fixed": "3.3.3" 42503 } 42504 ], 42505 "type": "ECOSYSTEM" 42506 } 42507 ], 42508 "versions": [ 42509 "3.3.0", 42510 "3.3.1", 42511 "3.3.2" 42512 ] 42513 } 42514 ], 42515 "aliases": [ 42516 "CVE-2022-25168" 42517 ], 42518 "database_specific": { 42519 "cwe_ids": [ 42520 "CWE-78", 42521 "CWE-88" 42522 ], 42523 "github_reviewed": true, 42524 "github_reviewed_at": "2022-08-11T21:14:19Z", 42525 "nvd_published_at": "2022-08-04T15:15:00Z", 42526 "severity": "CRITICAL" 42527 }, 42528 "details": "Apache Hadoop's `FileUtil.unTar(File, File)` API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. \"Check existence of file before untarring/zipping\", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. 
Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).", 42529 "id": "GHSA-8wm5-8h9c-47pc", 42530 "modified": "2024-02-21T05:29:29.300541Z", 42531 "published": "2022-08-05T00:00:24Z", 42532 "references": [ 42533 { 42534 "type": "ADVISORY", 42535 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25168" 42536 }, 42537 { 42538 "type": "WEB", 42539 "url": "https://github.com/apache/hadoop/commit/cae749b076f35f0be13a926ee8cfbb7ce4402746" 42540 }, 42541 { 42542 "type": "PACKAGE", 42543 "url": "https://github.com/apache/hadoop" 42544 }, 42545 { 42546 "type": "WEB", 42547 "url": "https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130" 42548 }, 42549 { 42550 "type": "WEB", 42551 "url": "https://security.netapp.com/advisory/ntap-20220915-0007" 42552 } 42553 ], 42554 "schema_version": "1.6.0", 42555 "severity": [ 42556 { 42557 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 42558 "type": "CVSS_V3" 42559 } 42560 ], 42561 "summary": "Apache Hadoop argument injection vulnerability" 42562 }, 42563 { 42564 "affected": [ 42565 { 42566 "database_specific": { 42567 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9r7g-325h-mxrm/GHSA-9r7g-325h-mxrm.json" 42568 }, 42569 "package": { 42570 "ecosystem": "Maven", 42571 "name": "org.apache.hadoop:hadoop-common", 42572 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 42573 }, 42574 "ranges": [ 42575 { 42576 "events": [ 42577 { 42578 "introduced": "0.23.0" 42579 }, 42580 { 42581 "fixed": "0.23.11" 42582 } 42583 ], 42584 "type": "ECOSYSTEM" 42585 } 42586 ], 42587 "versions": [ 42588 "0.23.1", 42589 "0.23.10", 42590 "0.23.3", 42591 "0.23.4", 42592 "0.23.5", 42593 "0.23.6", 42594 "0.23.7", 42595 "0.23.8", 42596 "0.23.9" 42597 ] 42598 }, 42599 { 42600 "database_specific": { 42601 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9r7g-325h-mxrm/GHSA-9r7g-325h-mxrm.json" 42602 
}, 42603 "package": { 42604 "ecosystem": "Maven", 42605 "name": "org.apache.hadoop:hadoop-common", 42606 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 42607 }, 42608 "ranges": [ 42609 { 42610 "events": [ 42611 { 42612 "introduced": "2.0.0" 42613 }, 42614 { 42615 "fixed": "2.4.1" 42616 } 42617 ], 42618 "type": "ECOSYSTEM" 42619 } 42620 ], 42621 "versions": [ 42622 "2.0.1-alpha", 42623 "2.0.2-alpha", 42624 "2.0.3-alpha", 42625 "2.0.4-alpha", 42626 "2.0.5-alpha", 42627 "2.0.6-alpha", 42628 "2.1.0-beta", 42629 "2.1.1-beta", 42630 "2.2.0", 42631 "2.3.0", 42632 "2.4.0" 42633 ] 42634 } 42635 ], 42636 "aliases": [ 42637 "CVE-2014-0229" 42638 ], 42639 "database_specific": { 42640 "cwe_ids": [ 42641 "CWE-287" 42642 ], 42643 "github_reviewed": true, 42644 "github_reviewed_at": "2022-07-07T22:54:01Z", 42645 "nvd_published_at": "2017-03-23T20:59:00Z", 42646 "severity": "MODERATE" 42647 }, 42648 "details": "Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (DataNodes shutdown) or perform unnecessary operations by issuing a command.", 42649 "id": "GHSA-9r7g-325h-mxrm", 42650 "modified": "2023-11-08T03:57:32.986597Z", 42651 "published": "2022-05-17T02:53:20Z", 42652 "references": [ 42653 { 42654 "type": "ADVISORY", 42655 "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0229" 42656 }, 42657 { 42658 "type": "WEB", 42659 "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#concept_i1q_xvk_2r" 42660 } 42661 ], 42662 "schema_version": "1.6.0", 42663 "severity": [ 42664 { 42665 "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", 42666 "type": "CVSS_V3" 42667 } 42668 ], 42669 "summary": "Improper Authentication in Apache Hadoop" 42670 }, 42671 { 42672 "affected": [ 42673 { 42674 
"database_specific": { 42675 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-f8vc-wfc8-hxqh/GHSA-f8vc-wfc8-hxqh.json" 42676 }, 42677 "package": { 42678 "ecosystem": "Maven", 42679 "name": "org.apache.hadoop:hadoop-common", 42680 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 42681 }, 42682 "ranges": [ 42683 { 42684 "events": [ 42685 { 42686 "introduced": "3.2.0" 42687 }, 42688 { 42689 "fixed": "3.2.2" 42690 } 42691 ], 42692 "type": "ECOSYSTEM" 42693 } 42694 ], 42695 "versions": [ 42696 "3.2.0", 42697 "3.2.1" 42698 ] 42699 }, 42700 { 42701 "database_specific": { 42702 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-f8vc-wfc8-hxqh/GHSA-f8vc-wfc8-hxqh.json" 42703 }, 42704 "package": { 42705 "ecosystem": "Maven", 42706 "name": "org.apache.hadoop:hadoop-common", 42707 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 42708 }, 42709 "ranges": [ 42710 { 42711 "events": [ 42712 { 42713 "introduced": "3.0.0" 42714 }, 42715 { 42716 "fixed": "3.1.4" 42717 } 42718 ], 42719 "type": "ECOSYSTEM" 42720 } 42721 ], 42722 "versions": [ 42723 "3.0.0", 42724 "3.0.1", 42725 "3.0.2", 42726 "3.0.3", 42727 "3.1.0", 42728 "3.1.1", 42729 "3.1.2", 42730 "3.1.3" 42731 ] 42732 }, 42733 { 42734 "database_specific": { 42735 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-f8vc-wfc8-hxqh/GHSA-f8vc-wfc8-hxqh.json" 42736 }, 42737 "package": { 42738 "ecosystem": "Maven", 42739 "name": "org.apache.hadoop:hadoop-common", 42740 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 42741 }, 42742 "ranges": [ 42743 { 42744 "events": [ 42745 { 42746 "introduced": "2.0.0" 42747 }, 42748 { 42749 "fixed": "2.10.1" 42750 } 42751 ], 42752 "type": "ECOSYSTEM" 42753 } 42754 ], 42755 "versions": [ 42756 "2.0.1-alpha", 42757 "2.0.2-alpha", 42758 "2.0.3-alpha", 42759 "2.0.4-alpha", 42760 "2.0.5-alpha", 42761 "2.0.6-alpha", 42762 "2.1.0-beta", 
42763 "2.1.1-beta", 42764 "2.10.0", 42765 "2.2.0", 42766 "2.3.0", 42767 "2.4.0", 42768 "2.4.1", 42769 "2.5.0", 42770 "2.5.1", 42771 "2.5.2", 42772 "2.6.0", 42773 "2.6.1", 42774 "2.6.2", 42775 "2.6.3", 42776 "2.6.4", 42777 "2.6.5", 42778 "2.7.0", 42779 "2.7.1", 42780 "2.7.2", 42781 "2.7.3", 42782 "2.7.4", 42783 "2.7.5", 42784 "2.7.6", 42785 "2.7.7", 42786 "2.8.0", 42787 "2.8.1", 42788 "2.8.2", 42789 "2.8.3", 42790 "2.8.4", 42791 "2.8.5", 42792 "2.9.0", 42793 "2.9.1", 42794 "2.9.2" 42795 ] 42796 } 42797 ], 42798 "aliases": [ 42799 "BIT-solr-2020-9492", 42800 "CVE-2020-9492" 42801 ], 42802 "database_specific": { 42803 "cwe_ids": [ 42804 "CWE-269", 42805 "CWE-863" 42806 ], 42807 "github_reviewed": true, 42808 "github_reviewed_at": "2021-04-06T18:29:12Z", 42809 "nvd_published_at": "2021-01-26T18:16:00Z", 42810 "severity": "HIGH" 42811 }, 42812 "details": "In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.", 42813 "id": "GHSA-f8vc-wfc8-hxqh", 42814 "modified": "2024-03-08T05:20:12.847694Z", 42815 "published": "2022-02-09T22:17:38Z", 42816 "references": [ 42817 { 42818 "type": "ADVISORY", 42819 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9492" 42820 }, 42821 { 42822 "type": "WEB", 42823 "url": "https://github.com/apache/hadoop/commit/ca65409836d2949e9a9408d40bec0177b414cd5d" 42824 }, 42825 { 42826 "type": "WEB", 42827 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 42828 }, 42829 { 42830 "type": "WEB", 42831 "url": "https://security.netapp.com/advisory/ntap-20210304-0001" 42832 }, 42833 { 42834 "type": "WEB", 42835 "url": "https://lists.apache.org/thread.html/re4129c6b9e0410848bbd3761187ce9c19bc1cd491037b253007df99e@%3Cissues.solr.apache.org%3E" 42836 }, 42837 { 42838 "type": "WEB", 42839 "url": "https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E" 42840 
}, 42841 { 42842 "type": "WEB", 42843 "url": "https://lists.apache.org/thread.html/rc0057ebf32b646ab47f7f5744a8948332e015c39044cbb9d87ea76cd@%3Ccommits.druid.apache.org%3E" 42844 }, 42845 { 42846 "type": "WEB", 42847 "url": "https://lists.apache.org/thread.html/rb12afaa421d483863c4175e42e5dbd0673917a3cff73f3fca4f8275f@%3Cissues.solr.apache.org%3E" 42848 }, 42849 { 42850 "type": "WEB", 42851 "url": "https://lists.apache.org/thread.html/r941e9be04efe0f455d20aeac88516c0848decd7e7b1d93d5687060f4@%3Ccommits.druid.apache.org%3E" 42852 }, 42853 { 42854 "type": "WEB", 42855 "url": "https://lists.apache.org/thread.html/r9328eb49305e4cacc80e182bfd8a2efd8e640d940e24f5bfd7d5cb26@%3Cissues.solr.apache.org%3E" 42856 }, 42857 { 42858 "type": "WEB", 42859 "url": "https://lists.apache.org/thread.html/r79323adac584edab99fd5e4b52a013844b784a5d4b600da0662b33d6@%3Ccommits.druid.apache.org%3E" 42860 }, 42861 { 42862 "type": "WEB", 42863 "url": "https://lists.apache.org/thread.html/r79201a209df9a4e7f761e537434131b4e39eabec4369a7d668904df4@%3Cissues.solr.apache.org%3E" 42864 }, 42865 { 42866 "type": "WEB", 42867 "url": "https://lists.apache.org/thread.html/r6c2fa7949738e9d39606f1d7cd890c93a2633e3357c9aeaf886ea9a6@%3Cissues.solr.apache.org%3E" 42868 }, 42869 { 42870 "type": "WEB", 42871 "url": "https://lists.apache.org/thread.html/r6341f2a468ced8872a71997aa1786ce036242413484f0fa68dc9ca02@%3Cissues.solr.apache.org%3E" 42872 }, 42873 { 42874 "type": "WEB", 42875 "url": "https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E" 42876 }, 42877 { 42878 "type": "WEB", 42879 "url": "https://lists.apache.org/thread.html/r4a57de5215494c35c8304cf114be75d42df7abc6c0c54bf163c3e370@%3Cissues.solr.apache.org%3E" 42880 }, 42881 { 42882 "type": "WEB", 42883 "url": "https://lists.apache.org/thread.html/r49c9ab444ab1107c6a8be8a0d66602dec32a16d96c2631fec8d309fb@%3Cissues.solr.apache.org%3E" 42884 }, 42885 { 42886 "type": "WEB", 42887 
"url": "https://lists.apache.org/thread.html/r0a534f1cde7555f7208e9f9b791c1ab396d215eaaef283b3a9153429@%3Ccommits.druid.apache.org%3E" 42888 }, 42889 { 42890 "type": "PACKAGE", 42891 "url": "https://github.com/apache/hadoop" 42892 } 42893 ], 42894 "schema_version": "1.6.0", 42895 "severity": [ 42896 { 42897 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 42898 "type": "CVSS_V3" 42899 } 42900 ], 42901 "summary": "Improper Privilege Management in Apache Hadoop" 42902 }, 42903 { 42904 "affected": [ 42905 { 42906 "database_specific": { 42907 "last_known_affected_version_range": "\u003c= 2.6.4", 42908 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-g48f-ff5h-5f64/GHSA-g48f-ff5h-5f64.json" 42909 }, 42910 "package": { 42911 "ecosystem": "Maven", 42912 "name": "org.apache.hadoop:hadoop-common", 42913 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 42914 }, 42915 "ranges": [ 42916 { 42917 "events": [ 42918 { 42919 "introduced": "2.6.0" 42920 }, 42921 { 42922 "fixed": "2.6.5" 42923 } 42924 ], 42925 "type": "ECOSYSTEM" 42926 } 42927 ], 42928 "versions": [ 42929 "2.6.0", 42930 "2.6.1", 42931 "2.6.2", 42932 "2.6.3", 42933 "2.6.4" 42934 ] 42935 } 42936 ], 42937 "aliases": [ 42938 "CVE-2015-1776" 42939 ], 42940 "database_specific": { 42941 "cwe_ids": [ 42942 "CWE-200" 42943 ], 42944 "github_reviewed": true, 42945 "github_reviewed_at": "2022-07-06T20:26:12Z", 42946 "nvd_published_at": "2016-04-19T21:59:00Z", 42947 "severity": "MODERATE" 42948 }, 42949 "details": "Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduce job and stores it along with the encryption key in a credentials file on disk when the Intermediate data encryption feature is enabled, which allows local users to obtain sensitive information by reading the file.", 42950 "id": "GHSA-g48f-ff5h-5f64", 42951 "modified": "2023-11-08T03:57:50.385135Z", 42952 "published": "2022-05-17T03:44:57Z", 42953 "references": [ 42954 { 42955 
"type": "ADVISORY", 42956 "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1776" 42957 }, 42958 { 42959 "type": "WEB", 42960 "url": "http://mail-archives.apache.org/mod_mbox/hadoop-general/201602.mbox/%3CCAGCyb56CPgQMcxZ7jP87SfM5OKGx+E49DtrzCTQ6+nQf2a4nSA@mail.gmail.com%3E" 42961 } 42962 ], 42963 "schema_version": "1.6.0", 42964 "severity": [ 42965 { 42966 "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 42967 "type": "CVSS_V3" 42968 } 42969 ], 42970 "summary": "Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop" 42971 }, 42972 { 42973 "affected": [ 42974 { 42975 "database_specific": { 42976 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-gx2c-fvhc-ph4j/GHSA-gx2c-fvhc-ph4j.json" 42977 }, 42978 "package": { 42979 "ecosystem": "Maven", 42980 "name": "org.apache.hadoop:hadoop-common", 42981 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 42982 }, 42983 "ranges": [ 42984 { 42985 "events": [ 42986 { 42987 "introduced": "0" 42988 }, 42989 { 42990 "fixed": "3.2.3" 42991 } 42992 ], 42993 "type": "ECOSYSTEM" 42994 } 42995 ], 42996 "versions": [ 42997 "0.22.0", 42998 "0.23.1", 42999 "0.23.10", 43000 "0.23.11", 43001 "0.23.3", 43002 "0.23.4", 43003 "0.23.5", 43004 "0.23.6", 43005 "0.23.7", 43006 "0.23.8", 43007 "0.23.9", 43008 "2.0.0-alpha", 43009 "2.0.1-alpha", 43010 "2.0.2-alpha", 43011 "2.0.3-alpha", 43012 "2.0.4-alpha", 43013 "2.0.5-alpha", 43014 "2.0.6-alpha", 43015 "2.1.0-beta", 43016 "2.1.1-beta", 43017 "2.10.0", 43018 "2.10.1", 43019 "2.10.2", 43020 "2.2.0", 43021 "2.3.0", 43022 "2.4.0", 43023 "2.4.1", 43024 "2.5.0", 43025 "2.5.1", 43026 "2.5.2", 43027 "2.6.0", 43028 "2.6.1", 43029 "2.6.2", 43030 "2.6.3", 43031 "2.6.4", 43032 "2.6.5", 43033 "2.7.0", 43034 "2.7.1", 43035 "2.7.2", 43036 "2.7.3", 43037 "2.7.4", 43038 "2.7.5", 43039 "2.7.6", 43040 "2.7.7", 43041 "2.8.0", 43042 "2.8.1", 43043 "2.8.2", 43044 "2.8.3", 43045 "2.8.4", 43046 "2.8.5", 43047 "2.9.0", 43048 "2.9.1", 
43049 "2.9.2", 43050 "3.0.0", 43051 "3.0.0-alpha1", 43052 "3.0.0-alpha2", 43053 "3.0.0-alpha3", 43054 "3.0.0-alpha4", 43055 "3.0.0-beta1", 43056 "3.0.1", 43057 "3.0.2", 43058 "3.0.3", 43059 "3.1.0", 43060 "3.1.1", 43061 "3.1.2", 43062 "3.1.3", 43063 "3.1.4", 43064 "3.2.0", 43065 "3.2.1", 43066 "3.2.2" 43067 ] 43068 } 43069 ], 43070 "aliases": [ 43071 "CVE-2022-26612" 43072 ], 43073 "database_specific": { 43074 "cwe_ids": [ 43075 "CWE-22" 43076 ], 43077 "github_reviewed": true, 43078 "github_reviewed_at": "2022-04-08T22:06:47Z", 43079 "nvd_published_at": "2022-04-07T19:15:00Z", 43080 "severity": "CRITICAL" 43081 }, 43082 "details": "In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows. 
This was addressed in Apache Hadoop 3.2.3", 43083 "id": "GHSA-gx2c-fvhc-ph4j", 43084 "modified": "2024-02-20T05:34:19.79641Z", 43085 "published": "2022-04-08T00:00:21Z", 43086 "references": [ 43087 { 43088 "type": "ADVISORY", 43089 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-26612" 43090 }, 43091 { 43092 "type": "PACKAGE", 43093 "url": "https://github.com/apache/hadoop" 43094 }, 43095 { 43096 "type": "WEB", 43097 "url": "https://lists.apache.org/thread/hslo7wzw2449gv1jyjk8g6ttd7935fyz" 43098 }, 43099 { 43100 "type": "WEB", 43101 "url": "https://security.netapp.com/advisory/ntap-20220519-0004" 43102 } 43103 ], 43104 "schema_version": "1.6.0", 43105 "severity": [ 43106 { 43107 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 43108 "type": "CVSS_V3" 43109 } 43110 ], 43111 "summary": "Path traversal in Hadoop" 43112 }, 43113 { 43114 "affected": [ 43115 { 43116 "database_specific": { 43117 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h24p-qwf4-84q8/GHSA-h24p-qwf4-84q8.json" 43118 }, 43119 "package": { 43120 "ecosystem": "Maven", 43121 "name": "org.apache.hadoop:hadoop-common", 43122 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 43123 }, 43124 "ranges": [ 43125 { 43126 "events": [ 43127 { 43128 "introduced": "0" 43129 }, 43130 { 43131 "fixed": "2.8.1" 43132 } 43133 ], 43134 "type": "ECOSYSTEM" 43135 } 43136 ], 43137 "versions": [ 43138 "0.22.0", 43139 "0.23.1", 43140 "0.23.10", 43141 "0.23.11", 43142 "0.23.3", 43143 "0.23.4", 43144 "0.23.5", 43145 "0.23.6", 43146 "0.23.7", 43147 "0.23.8", 43148 "0.23.9", 43149 "2.0.0-alpha", 43150 "2.0.1-alpha", 43151 "2.0.2-alpha", 43152 "2.0.3-alpha", 43153 "2.0.4-alpha", 43154 "2.0.5-alpha", 43155 "2.0.6-alpha", 43156 "2.1.0-beta", 43157 "2.1.1-beta", 43158 "2.2.0", 43159 "2.3.0", 43160 "2.4.0", 43161 "2.4.1", 43162 "2.5.0", 43163 "2.5.1", 43164 "2.5.2", 43165 "2.6.0", 43166 "2.6.1", 43167 "2.6.2", 43168 "2.6.3", 43169 "2.6.4", 43170 "2.6.5", 43171 
"2.7.0", 43172 "2.7.1", 43173 "2.7.2", 43174 "2.7.3", 43175 "2.7.4", 43176 "2.7.5", 43177 "2.7.6", 43178 "2.7.7", 43179 "2.8.0" 43180 ] 43181 }, 43182 { 43183 "database_specific": { 43184 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h24p-qwf4-84q8/GHSA-h24p-qwf4-84q8.json" 43185 }, 43186 "package": { 43187 "ecosystem": "Maven", 43188 "name": "org.apache.hadoop:hadoop-common", 43189 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 43190 }, 43191 "ranges": [ 43192 { 43193 "events": [ 43194 { 43195 "introduced": "3.0.0-alpha1" 43196 }, 43197 { 43198 "fixed": "3.0.0-alpha3" 43199 } 43200 ], 43201 "type": "ECOSYSTEM" 43202 } 43203 ], 43204 "versions": [ 43205 "3.0.0-alpha1", 43206 "3.0.0-alpha2" 43207 ] 43208 } 43209 ], 43210 "aliases": [ 43211 "CVE-2017-7669" 43212 ], 43213 "database_specific": { 43214 "cwe_ids": [ 43215 "CWE-20" 43216 ], 43217 "github_reviewed": true, 43218 "github_reviewed_at": "2022-11-22T18:47:34Z", 43219 "nvd_published_at": "2017-06-05T01:29:00Z", 43220 "severity": "HIGH" 43221 }, 43222 "details": "In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root. 
This issue is fixed in versions 2.8.1 and 3.0.0-alpha3.", 43223 "id": "GHSA-h24p-qwf4-84q8", 43224 "modified": "2023-11-08T03:59:26.035253Z", 43225 "published": "2022-05-17T02:41:57Z", 43226 "references": [ 43227 { 43228 "type": "ADVISORY", 43229 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7669" 43230 }, 43231 { 43232 "type": "WEB", 43233 "url": "https://mail-archives.apache.org/mod_mbox/hadoop-user/201706.mbox/%3C4A2FDA56-491B-4C2A-915F-C9D4A4BDB92A%40apache.org%3E" 43234 }, 43235 { 43236 "type": "WEB", 43237 "url": "http://www.securityfocus.com/bid/98795" 43238 } 43239 ], 43240 "schema_version": "1.6.0", 43241 "severity": [ 43242 { 43243 "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", 43244 "type": "CVSS_V3" 43245 } 43246 ], 43247 "summary": "Apache Hadoop's LinuxContainerExecutor runs docker commands as root with insufficient input validation" 43248 }, 43249 { 43250 "affected": [ 43251 { 43252 "database_specific": { 43253 "last_known_affected_version_range": "\u003c= 2.7.3", 43254 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mf7c-35mq-75pj/GHSA-mf7c-35mq-75pj.json" 43255 }, 43256 "package": { 43257 "ecosystem": "Maven", 43258 "name": "org.apache.hadoop:hadoop-common", 43259 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 43260 }, 43261 "ranges": [ 43262 { 43263 "events": [ 43264 { 43265 "introduced": "2.0.0-alpha" 43266 }, 43267 { 43268 "fixed": "2.7.4" 43269 } 43270 ], 43271 "type": "ECOSYSTEM" 43272 } 43273 ], 43274 "versions": [ 43275 "2.0.0-alpha", 43276 "2.0.1-alpha", 43277 "2.0.2-alpha", 43278 "2.0.3-alpha", 43279 "2.0.4-alpha", 43280 "2.0.5-alpha", 43281 "2.0.6-alpha", 43282 "2.1.0-beta", 43283 "2.1.1-beta", 43284 "2.2.0", 43285 "2.3.0", 43286 "2.4.0", 43287 "2.4.1", 43288 "2.5.0", 43289 "2.5.1", 43290 "2.5.2", 43291 "2.6.0", 43292 "2.6.1", 43293 "2.6.2", 43294 "2.6.3", 43295 "2.6.4", 43296 "2.6.5", 43297 "2.7.0", 43298 "2.7.1", 43299 "2.7.2", 43300 "2.7.3" 43301 ] 43302 } 
43303 ], 43304 "aliases": [ 43305 "CVE-2016-6811" 43306 ], 43307 "database_specific": { 43308 "cwe_ids": [ 43309 "CWE-277" 43310 ], 43311 "github_reviewed": true, 43312 "github_reviewed_at": "2022-07-06T19:45:49Z", 43313 "nvd_published_at": "2017-04-11T14:59:00Z", 43314 "severity": "HIGH" 43315 }, 43316 "details": "In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.", 43317 "id": "GHSA-mf7c-35mq-75pj", 43318 "modified": "2023-11-08T03:58:33.830753Z", 43319 "published": "2022-05-14T03:24:59Z", 43320 "references": [ 43321 { 43322 "type": "ADVISORY", 43323 "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6811" 43324 }, 43325 { 43326 "type": "WEB", 43327 "url": "https://lists.apache.org/thread.html/9ba3c12bbdfd5b2cae60909e48f92608e00c8d99196390b8cfeca307@%3Cgeneral.hadoop.apache.org%3E" 43328 } 43329 ], 43330 "schema_version": "1.6.0", 43331 "severity": [ 43332 { 43333 "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 43334 "type": "CVSS_V3" 43335 } 43336 ], 43337 "summary": "Insecure Inherited Permissions in Apache Hadoop" 43338 }, 43339 { 43340 "affected": [ 43341 { 43342 "database_specific": { 43343 "last_known_affected_version_range": "\u003c= 2.0.5-alpha", 43344 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pxv5-5vmp-3jj4/GHSA-pxv5-5vmp-3jj4.json" 43345 }, 43346 "package": { 43347 "ecosystem": "Maven", 43348 "name": "org.apache.hadoop:hadoop-common", 43349 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 43350 }, 43351 "ranges": [ 43352 { 43353 "events": [ 43354 { 43355 "introduced": "2.0.0" 43356 }, 43357 { 43358 "fixed": "2.0.6-alpha" 43359 } 43360 ], 43361 "type": "ECOSYSTEM" 43362 } 43363 ], 43364 "versions": [ 43365 "2.0.1-alpha", 43366 "2.0.2-alpha", 43367 "2.0.3-alpha", 43368 "2.0.4-alpha", 43369 "2.0.5-alpha" 43370 ] 43371 }, 43372 { 43373 "database_specific": { 43374 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pxv5-5vmp-3jj4/GHSA-pxv5-5vmp-3jj4.json" 43375 }, 43376 "package": { 43377 "ecosystem": "Maven", 43378 "name": "org.apache.hadoop:hadoop-common", 43379 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 43380 }, 43381 "ranges": [ 43382 { 43383 "events": [ 43384 { 43385 "introduced": "0.23.0" 43386 }, 43387 { 43388 "fixed": "0.23.9" 43389 } 43390 ], 43391 "type": "ECOSYSTEM" 43392 } 43393 ], 43394 "versions": [ 43395 "0.23.1", 43396 "0.23.3", 43397 "0.23.4", 43398 "0.23.5", 43399 "0.23.6", 43400 "0.23.7", 43401 "0.23.8" 43402 ] 43403 } 43404 ], 43405 "aliases": [ 43406 "CVE-2013-2192" 43407 ], 43408 "database_specific": { 43409 "cwe_ids": [ 43410 "CWE-287" 43411 ], 43412 "github_reviewed": true, 43413 "github_reviewed_at": "2022-07-08T19:10:34Z", 43414 "nvd_published_at": "2014-01-24T18:55:00Z", 43415 "severity": "LOW" 43416 }, 43417 "details": "The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication.", 43418 "id": "GHSA-pxv5-5vmp-3jj4", 43419 "modified": "2023-11-08T03:57:18.469327Z", 43420 "published": "2022-05-17T02:54:07Z", 43421 "references": [ 43422 { 43423 "type": "ADVISORY", 43424 "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2192" 43425 }, 43426 { 43427 "type": "WEB", 43428 "url": "https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html" 43429 }, 43430 { 43431 "type": "WEB", 43432 "url": "http://rhn.redhat.com/errata/RHSA-2014-0037.html" 43433 }, 43434 { 43435 "type": "WEB", 43436 "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html" 43437 }, 43438 { 43439 "type": "WEB", 43440 "url": "http://seclists.org/fulldisclosure/2013/Aug/251" 43441 } 43442 ], 43443 
"schema_version": "1.6.0", 43444 "summary": "Improper Authentication in Apache Hadoop" 43445 }, 43446 { 43447 "affected": [ 43448 { 43449 "database_specific": { 43450 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-rmpj-7c96-mrg8/GHSA-rmpj-7c96-mrg8.json" 43451 }, 43452 "package": { 43453 "ecosystem": "Maven", 43454 "name": "org.apache.hadoop:hadoop-common", 43455 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 43456 }, 43457 "ranges": [ 43458 { 43459 "events": [ 43460 { 43461 "introduced": "3.3.0" 43462 }, 43463 { 43464 "fixed": "3.3.2" 43465 } 43466 ], 43467 "type": "ECOSYSTEM" 43468 } 43469 ], 43470 "versions": [ 43471 "3.3.0", 43472 "3.3.1" 43473 ] 43474 }, 43475 { 43476 "database_specific": { 43477 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-rmpj-7c96-mrg8/GHSA-rmpj-7c96-mrg8.json" 43478 }, 43479 "package": { 43480 "ecosystem": "Maven", 43481 "name": "org.apache.hadoop:hadoop-common", 43482 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 43483 }, 43484 "ranges": [ 43485 { 43486 "events": [ 43487 { 43488 "introduced": "3.0.0" 43489 }, 43490 { 43491 "fixed": "3.2.3" 43492 } 43493 ], 43494 "type": "ECOSYSTEM" 43495 } 43496 ], 43497 "versions": [ 43498 "3.0.0", 43499 "3.0.1", 43500 "3.0.2", 43501 "3.0.3", 43502 "3.1.0", 43503 "3.1.1", 43504 "3.1.2", 43505 "3.1.3", 43506 "3.1.4", 43507 "3.2.0", 43508 "3.2.1", 43509 "3.2.2" 43510 ] 43511 }, 43512 { 43513 "database_specific": { 43514 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-rmpj-7c96-mrg8/GHSA-rmpj-7c96-mrg8.json" 43515 }, 43516 "package": { 43517 "ecosystem": "Maven", 43518 "name": "org.apache.hadoop:hadoop-common", 43519 "purl": "pkg:maven/org.apache.hadoop/hadoop-common" 43520 }, 43521 "ranges": [ 43522 { 43523 "events": [ 43524 { 43525 "introduced": "0" 43526 }, 43527 { 43528 "fixed": "2.10.2" 43529 } 43530 ], 43531 "type": 
"ECOSYSTEM" 43532 } 43533 ], 43534 "versions": [ 43535 "0.22.0", 43536 "0.23.1", 43537 "0.23.10", 43538 "0.23.11", 43539 "0.23.3", 43540 "0.23.4", 43541 "0.23.5", 43542 "0.23.6", 43543 "0.23.7", 43544 "0.23.8", 43545 "0.23.9", 43546 "2.0.0-alpha", 43547 "2.0.1-alpha", 43548 "2.0.2-alpha", 43549 "2.0.3-alpha", 43550 "2.0.4-alpha", 43551 "2.0.5-alpha", 43552 "2.0.6-alpha", 43553 "2.1.0-beta", 43554 "2.1.1-beta", 43555 "2.10.0", 43556 "2.10.1", 43557 "2.2.0", 43558 "2.3.0", 43559 "2.4.0", 43560 "2.4.1", 43561 "2.5.0", 43562 "2.5.1", 43563 "2.5.2", 43564 "2.6.0", 43565 "2.6.1", 43566 "2.6.2", 43567 "2.6.3", 43568 "2.6.4", 43569 "2.6.5", 43570 "2.7.0", 43571 "2.7.1", 43572 "2.7.2", 43573 "2.7.3", 43574 "2.7.4", 43575 "2.7.5", 43576 "2.7.6", 43577 "2.7.7", 43578 "2.8.0", 43579 "2.8.1", 43580 "2.8.2", 43581 "2.8.3", 43582 "2.8.4", 43583 "2.8.5", 43584 "2.9.0", 43585 "2.9.1", 43586 "2.9.2" 43587 ] 43588 } 43589 ], 43590 "aliases": [ 43591 "CVE-2021-37404" 43592 ], 43593 "database_specific": { 43594 "cwe_ids": [ 43595 "CWE-120", 43596 "CWE-131", 43597 "CWE-787" 43598 ], 43599 "github_reviewed": true, 43600 "github_reviewed_at": "2022-06-17T01:09:36Z", 43601 "nvd_published_at": "2022-06-13T07:15:00Z", 43602 "severity": "CRITICAL" 43603 }, 43604 "details": "There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. 
Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.", 43605 "id": "GHSA-rmpj-7c96-mrg8", 43606 "modified": "2024-02-22T05:34:28.037449Z", 43607 "published": "2022-06-14T00:00:37Z", 43608 "references": [ 43609 { 43610 "type": "ADVISORY", 43611 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37404" 43612 }, 43613 { 43614 "type": "PACKAGE", 43615 "url": "https://github.com/apache/hadoop" 43616 }, 43617 { 43618 "type": "WEB", 43619 "url": "https://lists.apache.org/thread/2h56ztcj3ojc66qzf1nno88vjw9vd4wo" 43620 }, 43621 { 43622 "type": "WEB", 43623 "url": "https://security.netapp.com/advisory/ntap-20220715-0007" 43624 } 43625 ], 43626 "schema_version": "1.6.0", 43627 "severity": [ 43628 { 43629 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 43630 "type": "CVSS_V3" 43631 } 43632 ], 43633 "summary": "Apache Hadoop heap overflow before v2.10.2, v3.2.3, v3.3.2" 43634 }, 43635 { 43636 "affected": [ 43637 { 43638 "database_specific": { 43639 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-37pw-qw47-4jxm/GHSA-37pw-qw47-4jxm.json" 43640 }, 43641 "package": { 43642 "ecosystem": "Maven", 43643 "name": "org.apache.hadoop:hadoop-main", 43644 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 43645 }, 43646 "ranges": [ 43647 { 43648 "events": [ 43649 { 43650 "introduced": "2.2.0" 43651 }, 43652 { 43653 "fixed": "2.8.4" 43654 } 43655 ], 43656 "type": "ECOSYSTEM" 43657 } 43658 ], 43659 "versions": [ 43660 "2.2.0", 43661 "2.3.0", 43662 "2.4.0", 43663 "2.4.1", 43664 "2.5.0", 43665 "2.5.1", 43666 "2.5.2", 43667 "2.6.0", 43668 "2.6.1", 43669 "2.6.2", 43670 "2.6.3", 43671 "2.6.4", 43672 "2.6.5", 43673 "2.7.0", 43674 "2.7.1", 43675 "2.7.2", 43676 "2.7.3", 43677 "2.7.4", 43678 "2.7.5", 43679 "2.7.6", 43680 "2.7.7", 43681 "2.8.0", 43682 "2.8.1", 43683 "2.8.2", 43684 "2.8.3" 43685 ] 43686 }, 43687 { 43688 "database_specific": { 43689 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-37pw-qw47-4jxm/GHSA-37pw-qw47-4jxm.json" 43690 }, 43691 "package": { 43692 "ecosystem": "Maven", 43693 "name": "org.apache.hadoop:hadoop-main", 43694 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 43695 }, 43696 "ranges": [ 43697 { 43698 "events": [ 43699 { 43700 "introduced": "2.9.0" 43701 }, 43702 { 43703 "fixed": "2.9.2" 43704 } 43705 ], 43706 "type": "ECOSYSTEM" 43707 } 43708 ], 43709 "versions": [ 43710 "2.9.0", 43711 "2.9.1" 43712 ] 43713 }, 43714 { 43715 "database_specific": { 43716 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-37pw-qw47-4jxm/GHSA-37pw-qw47-4jxm.json" 43717 }, 43718 "package": { 43719 "ecosystem": "Maven", 43720 "name": "org.apache.hadoop:hadoop-main", 43721 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 43722 }, 43723 "ranges": [ 43724 { 43725 "events": [ 43726 { 43727 "introduced": "3.0.0" 43728 }, 43729 { 43730 "fixed": "3.1.1" 43731 } 43732 ], 43733 "type": "ECOSYSTEM" 43734 } 43735 ], 43736 "versions": [ 43737 "3.0.0", 43738 "3.0.1", 43739 "3.0.2", 43740 "3.0.3", 43741 "3.1.0" 43742 ] 43743 } 43744 ], 43745 "aliases": [ 43746 "CVE-2018-8029" 43747 ], 43748 "database_specific": { 43749 "cwe_ids": [ 43750 "CWE-285" 43751 ], 43752 "github_reviewed": true, 43753 "github_reviewed_at": "2019-05-31T16:08:38Z", 43754 "nvd_published_at": null, 43755 "severity": "HIGH" 43756 }, 43757 "details": "In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.", 43758 "id": "GHSA-37pw-qw47-4jxm", 43759 "modified": "2024-02-16T08:05:28.334834Z", 43760 "published": "2019-05-31T16:09:15Z", 43761 "references": [ 43762 { 43763 "type": "ADVISORY", 43764 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8029" 43765 }, 43766 { 43767 "type": "WEB", 43768 "url": 
"https://lists.apache.org/thread.html/0b8d58e02dbd0fb8bf7320c514fe58da1d6728bdc150f1ba04e0d9fc@%3Cissues.hbase.apache.org%3E" 43769 }, 43770 { 43771 "type": "WEB", 43772 "url": "https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E" 43773 }, 43774 { 43775 "type": "WEB", 43776 "url": "https://lists.apache.org/thread.html/a0164b87660223a2d491f83c88f905fe1a9fa8dc795148d9b0d968c8@%3Cdev.hbase.apache.org%3E" 43777 }, 43778 { 43779 "type": "WEB", 43780 "url": "https://lists.apache.org/thread.html/a97c53a81e639ca2fc7b8f61a4fcd1842c2a78544041244a7c624727@%3Cissues.hbase.apache.org%3E" 43781 }, 43782 { 43783 "type": "WEB", 43784 "url": "https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510@%3Ccommits.druid.apache.org%3E" 43785 }, 43786 { 43787 "type": "WEB", 43788 "url": "https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a@%3Ccommits.druid.apache.org%3E" 43789 }, 43790 { 43791 "type": "WEB", 43792 "url": "https://security.netapp.com/advisory/ntap-20190617-0001" 43793 }, 43794 { 43795 "type": "WEB", 43796 "url": "http://www.securityfocus.com/bid/108518" 43797 } 43798 ], 43799 "schema_version": "1.6.0", 43800 "severity": [ 43801 { 43802 "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 43803 "type": "CVSS_V3" 43804 } 43805 ], 43806 "summary": "Privilege escalation vulnerability in Apache Hadoop" 43807 }, 43808 { 43809 "affected": [ 43810 { 43811 "database_specific": { 43812 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-3v44-382q-55f4/GHSA-3v44-382q-55f4.json" 43813 }, 43814 "package": { 43815 "ecosystem": "Maven", 43816 "name": "org.apache.hadoop:hadoop-main", 43817 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 43818 }, 43819 "ranges": [ 43820 { 43821 "events": [ 43822 { 43823 "introduced": "0" 43824 }, 43825 { 43826 "fixed": "2.7.5" 43827 } 43828 ], 
43829 "type": "ECOSYSTEM" 43830 } 43831 ], 43832 "versions": [ 43833 "0.23.1", 43834 "0.23.10", 43835 "0.23.11", 43836 "0.23.3", 43837 "0.23.4", 43838 "0.23.5", 43839 "0.23.6", 43840 "0.23.7", 43841 "0.23.8", 43842 "0.23.9", 43843 "2.0.0-alpha", 43844 "2.0.1-alpha", 43845 "2.0.2-alpha", 43846 "2.0.3-alpha", 43847 "2.0.4-alpha", 43848 "2.0.5-alpha", 43849 "2.0.6-alpha", 43850 "2.1.0-beta", 43851 "2.1.1-beta", 43852 "2.2.0", 43853 "2.3.0", 43854 "2.4.0", 43855 "2.4.1", 43856 "2.5.0", 43857 "2.5.1", 43858 "2.5.2", 43859 "2.6.0", 43860 "2.6.1", 43861 "2.6.2", 43862 "2.6.3", 43863 "2.6.4", 43864 "2.6.5", 43865 "2.7.0", 43866 "2.7.1", 43867 "2.7.2", 43868 "2.7.3", 43869 "2.7.4" 43870 ] 43871 }, 43872 { 43873 "database_specific": { 43874 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-3v44-382q-55f4/GHSA-3v44-382q-55f4.json" 43875 }, 43876 "package": { 43877 "ecosystem": "Maven", 43878 "name": "org.apache.hadoop:hadoop-main", 43879 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 43880 }, 43881 "ranges": [ 43882 { 43883 "events": [ 43884 { 43885 "introduced": "2.8.0" 43886 }, 43887 { 43888 "fixed": "2.8.3" 43889 } 43890 ], 43891 "type": "ECOSYSTEM" 43892 } 43893 ], 43894 "versions": [ 43895 "2.8.0", 43896 "2.8.1", 43897 "2.8.2" 43898 ] 43899 } 43900 ], 43901 "aliases": [ 43902 "CVE-2017-15713" 43903 ], 43904 "database_specific": { 43905 "cwe_ids": [ 43906 "CWE-200" 43907 ], 43908 "github_reviewed": true, 43909 "github_reviewed_at": "2020-06-16T20:56:25Z", 43910 "nvd_published_at": null, 43911 "severity": "MODERATE" 43912 }, 43913 "details": "Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. 
The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.", 43914 "id": "GHSA-3v44-382q-55f4", 43915 "modified": "2023-11-08T03:58:58.547397Z", 43916 "published": "2018-12-21T17:50:13Z", 43917 "references": [ 43918 { 43919 "type": "ADVISORY", 43920 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15713" 43921 }, 43922 { 43923 "type": "ADVISORY", 43924 "url": "https://github.com/advisories/GHSA-3v44-382q-55f4" 43925 }, 43926 { 43927 "type": "WEB", 43928 "url": "https://lists.apache.org/thread.html/a790a251ace7213bde9f69777dedb453b1a01a6d18289c14a61d4f91@%3Cgeneral.hadoop.apache.org%3E" 43929 } 43930 ], 43931 "schema_version": "1.6.0", 43932 "severity": [ 43933 { 43934 "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", 43935 "type": "CVSS_V3" 43936 } 43937 ], 43938 "summary": "Moderate severity vulnerability that affects org.apache.hadoop:hadoop-main" 43939 }, 43940 { 43941 "affected": [ 43942 { 43943 "database_specific": { 43944 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-4fh8-pm7g-pmxq/GHSA-4fh8-pm7g-pmxq.json" 43945 }, 43946 "package": { 43947 "ecosystem": "Maven", 43948 "name": "org.apache.hadoop:hadoop-main", 43949 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 43950 }, 43951 "ranges": [ 43952 { 43953 "events": [ 43954 { 43955 "introduced": "3.0.0-alpha4" 43956 }, 43957 { 43958 "fixed": "3.0.1" 43959 } 43960 ], 43961 "type": "ECOSYSTEM" 43962 } 43963 ], 43964 "versions": [ 43965 "3.0.0-alpha4", 43966 "3.0.0", 43967 "3.0.0-beta1" 43968 ] 43969 }, 43970 { 43971 "database_specific": { 43972 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-4fh8-pm7g-pmxq/GHSA-4fh8-pm7g-pmxq.json" 43973 }, 43974 "package": { 43975 "ecosystem": "Maven", 43976 "name": "org.apache.hadoop:hadoop-main", 43977 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 43978 }, 
43979 "ranges": [ 43980 { 43981 "events": [ 43982 { 43983 "introduced": "3.0.0-beta1" 43984 }, 43985 { 43986 "fixed": "3.0.1" 43987 } 43988 ], 43989 "type": "ECOSYSTEM" 43990 } 43991 ], 43992 "versions": [ 43993 "3.0.0-beta1", 43994 "3.0.0" 43995 ] 43996 }, 43997 { 43998 "database_specific": { 43999 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-4fh8-pm7g-pmxq/GHSA-4fh8-pm7g-pmxq.json" 44000 }, 44001 "package": { 44002 "ecosystem": "Maven", 44003 "name": "org.apache.hadoop:hadoop-main", 44004 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 44005 }, 44006 "ranges": [ 44007 { 44008 "events": [ 44009 { 44010 "introduced": "3.0.0" 44011 }, 44012 { 44013 "fixed": "3.0.1" 44014 } 44015 ], 44016 "type": "ECOSYSTEM" 44017 } 44018 ], 44019 "versions": [ 44020 "3.0.0" 44021 ] 44022 } 44023 ], 44024 "aliases": [ 44025 "CVE-2018-11764" 44026 ], 44027 "database_specific": { 44028 "cwe_ids": [ 44029 "CWE-306" 44030 ], 44031 "github_reviewed": true, 44032 "github_reviewed_at": "2021-04-22T21:44:53Z", 44033 "nvd_published_at": "2020-10-21T19:15:00Z", 44034 "severity": "HIGH" 44035 }, 44036 "details": "Web endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. 
Authenticated users may impersonate any user even if no proxy user is configured.", 44037 "id": "GHSA-4fh8-pm7g-pmxq", 44038 "modified": "2024-02-17T05:29:43.227712Z", 44039 "published": "2022-02-10T20:28:06Z", 44040 "references": [ 44041 { 44042 "type": "ADVISORY", 44043 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11764" 44044 }, 44045 { 44046 "type": "WEB", 44047 "url": "https://lists.apache.org/thread.html/r790ad0a049cde713b93589ecfd4dd2766fda0fc6807eedb6cf69f5c1%40%3Cgeneral.hadoop.apache.org%3E" 44048 }, 44049 { 44050 "type": "WEB", 44051 "url": "https://security.netapp.com/advisory/ntap-20201103-0003" 44052 } 44053 ], 44054 "schema_version": "1.6.0", 44055 "severity": [ 44056 { 44057 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 44058 "type": "CVSS_V3" 44059 } 44060 ], 44061 "summary": "Authentication bypass in Apache Hadoop" 44062 }, 44063 { 44064 "affected": [ 44065 { 44066 "database_specific": { 44067 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-5cf4-jqwp-584g/GHSA-5cf4-jqwp-584g.json" 44068 }, 44069 "package": { 44070 "ecosystem": "Maven", 44071 "name": "org.apache.hadoop:hadoop-main", 44072 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 44073 }, 44074 "ranges": [ 44075 { 44076 "events": [ 44077 { 44078 "introduced": "2.7.5" 44079 }, 44080 { 44081 "fixed": "2.7.7" 44082 } 44083 ], 44084 "type": "ECOSYSTEM" 44085 } 44086 ], 44087 "versions": [ 44088 "2.7.5", 44089 "2.7.6" 44090 ] 44091 }, 44092 { 44093 "database_specific": { 44094 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-5cf4-jqwp-584g/GHSA-5cf4-jqwp-584g.json" 44095 }, 44096 "package": { 44097 "ecosystem": "Maven", 44098 "name": "org.apache.hadoop:hadoop-main", 44099 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 44100 }, 44101 "ranges": [ 44102 { 44103 "events": [ 44104 { 44105 "introduced": "2.8.3" 44106 }, 44107 { 44108 "fixed": "2.8.5" 44109 } 44110 ], 
44111 "type": "ECOSYSTEM" 44112 } 44113 ], 44114 "versions": [ 44115 "2.8.3", 44116 "2.8.4" 44117 ] 44118 }, 44119 { 44120 "database_specific": { 44121 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-5cf4-jqwp-584g/GHSA-5cf4-jqwp-584g.json" 44122 }, 44123 "package": { 44124 "ecosystem": "Maven", 44125 "name": "org.apache.hadoop:hadoop-main", 44126 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 44127 }, 44128 "ranges": [ 44129 { 44130 "events": [ 44131 { 44132 "introduced": "2.9.0" 44133 }, 44134 { 44135 "fixed": "2.9.2" 44136 } 44137 ], 44138 "type": "ECOSYSTEM" 44139 } 44140 ], 44141 "versions": [ 44142 "2.9.0", 44143 "2.9.1" 44144 ] 44145 } 44146 ], 44147 "aliases": [ 44148 "CVE-2018-11767" 44149 ], 44150 "database_specific": { 44151 "cwe_ids": [ 44152 "CWE-269" 44153 ], 44154 "github_reviewed": true, 44155 "github_reviewed_at": "2020-06-16T21:00:30Z", 44156 "nvd_published_at": null, 44157 "severity": "HIGH" 44158 }, 44159 "details": "In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.", 44160 "id": "GHSA-5cf4-jqwp-584g", 44161 "modified": "2024-02-19T05:28:21.165145Z", 44162 "published": "2019-03-25T16:17:32Z", 44163 "references": [ 44164 { 44165 "type": "ADVISORY", 44166 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11767" 44167 }, 44168 { 44169 "type": "ADVISORY", 44170 "url": "https://github.com/advisories/GHSA-5cf4-jqwp-584g" 44171 }, 44172 { 44173 "type": "WEB", 44174 "url": "https://lists.apache.org/thread.html/246cf223e7dc0c1dff90b78dccb6c3fe94e1a044dbf98e2333393302@%3Ccommon-issues.hadoop.apache.org%3E" 44175 }, 44176 { 44177 "type": "WEB", 44178 "url": "https://lists.apache.org/thread.html/5a44590b4eedc5e25f5bd3081d1631b52c174b5b99157f7950ddc270@%3Ccommon-dev.hadoop.apache.org%3E" 44179 }, 44180 { 44181 "type": "WEB", 44182 "url": 
"https://lists.apache.org/thread.html/5fb771f66946dd5c99a8a5713347c24873846f555d716f9ac17bccca@%3Cgeneral.hadoop.apache.org%3E" 44183 }, 44184 { 44185 "type": "WEB", 44186 "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" 44187 }, 44188 { 44189 "type": "WEB", 44190 "url": "https://security.netapp.com/advisory/ntap-20190416-0009" 44191 } 44192 ], 44193 "schema_version": "1.6.0", 44194 "severity": [ 44195 { 44196 "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H", 44197 "type": "CVSS_V3" 44198 } 44199 ], 44200 "summary": "Improper Privilege Management in org.apache.hadoop:hadoop-main" 44201 }, 44202 { 44203 "affected": [ 44204 { 44205 "database_specific": { 44206 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-6x48-j4x4-cqw3/GHSA-6x48-j4x4-cqw3.json" 44207 }, 44208 "package": { 44209 "ecosystem": "Maven", 44210 "name": "org.apache.hadoop:hadoop-main", 44211 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 44212 }, 44213 "ranges": [ 44214 { 44215 "events": [ 44216 { 44217 "introduced": "3.1.0" 44218 }, 44219 { 44220 "fixed": "3.1.1" 44221 } 44222 ], 44223 "type": "ECOSYSTEM" 44224 } 44225 ], 44226 "versions": [ 44227 "3.1.0" 44228 ] 44229 }, 44230 { 44231 "database_specific": { 44232 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-6x48-j4x4-cqw3/GHSA-6x48-j4x4-cqw3.json" 44233 }, 44234 "package": { 44235 "ecosystem": "Maven", 44236 "name": "org.apache.hadoop:hadoop-main", 44237 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 44238 }, 44239 "ranges": [ 44240 { 44241 "events": [ 44242 { 44243 "introduced": "3.0.0" 44244 }, 44245 { 44246 "fixed": "3.0.3" 44247 } 44248 ], 44249 "type": "ECOSYSTEM" 44250 } 44251 ], 44252 "versions": [ 44253 "3.0.0", 44254 "3.0.1", 44255 "3.0.2" 44256 ] 44257 }, 44258 { 44259 "database_specific": { 44260 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-6x48-j4x4-cqw3/GHSA-6x48-j4x4-cqw3.json" 44261 }, 44262 "package": { 44263 "ecosystem": "Maven", 44264 "name": "org.apache.hadoop:hadoop-main", 44265 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 44266 }, 44267 "ranges": [ 44268 { 44269 "events": [ 44270 { 44271 "introduced": "2.9.0" 44272 }, 44273 { 44274 "fixed": "2.9.2" 44275 } 44276 ], 44277 "type": "ECOSYSTEM" 44278 } 44279 ], 44280 "versions": [ 44281 "2.9.0", 44282 "2.9.1" 44283 ] 44284 }, 44285 { 44286 "database_specific": { 44287 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-6x48-j4x4-cqw3/GHSA-6x48-j4x4-cqw3.json" 44288 }, 44289 "package": { 44290 "ecosystem": "Maven", 44291 "name": "org.apache.hadoop:hadoop-main", 44292 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 44293 }, 44294 "ranges": [ 44295 { 44296 "events": [ 44297 { 44298 "introduced": "2.8.0" 44299 }, 44300 { 44301 "fixed": "2.8.5" 44302 } 44303 ], 44304 "type": "ECOSYSTEM" 44305 } 44306 ], 44307 "versions": [ 44308 "2.8.0", 44309 "2.8.1", 44310 "2.8.2", 44311 "2.8.3", 44312 "2.8.4" 44313 ] 44314 }, 44315 { 44316 "database_specific": { 44317 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-6x48-j4x4-cqw3/GHSA-6x48-j4x4-cqw3.json" 44318 }, 44319 "package": { 44320 "ecosystem": "Maven", 44321 "name": "org.apache.hadoop:hadoop-main", 44322 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 44323 }, 44324 "ranges": [ 44325 { 44326 "events": [ 44327 { 44328 "introduced": "0" 44329 }, 44330 { 44331 "fixed": "2.7.7" 44332 } 44333 ], 44334 "type": "ECOSYSTEM" 44335 } 44336 ], 44337 "versions": [ 44338 "0.23.1", 44339 "0.23.10", 44340 "0.23.11", 44341 "0.23.3", 44342 "0.23.4", 44343 "0.23.5", 44344 "0.23.6", 44345 "0.23.7", 44346 "0.23.8", 44347 "0.23.9", 44348 "2.0.0-alpha", 44349 "2.0.1-alpha", 44350 "2.0.2-alpha", 44351 "2.0.3-alpha", 
44352 "2.0.4-alpha", 44353 "2.0.5-alpha", 44354 "2.0.6-alpha", 44355 "2.1.0-beta", 44356 "2.1.1-beta", 44357 "2.2.0", 44358 "2.3.0", 44359 "2.4.0", 44360 "2.4.1", 44361 "2.5.0", 44362 "2.5.1", 44363 "2.5.2", 44364 "2.6.0", 44365 "2.6.1", 44366 "2.6.2", 44367 "2.6.3", 44368 "2.6.4", 44369 "2.6.5", 44370 "2.7.0", 44371 "2.7.1", 44372 "2.7.2", 44373 "2.7.3", 44374 "2.7.4", 44375 "2.7.5", 44376 "2.7.6" 44377 ] 44378 } 44379 ], 44380 "aliases": [ 44381 "CVE-2018-8009" 44382 ], 44383 "database_specific": { 44384 "cwe_ids": [ 44385 "CWE-22" 44386 ], 44387 "github_reviewed": true, 44388 "github_reviewed_at": "2020-06-16T21:20:31Z", 44389 "nvd_published_at": null, 44390 "severity": "HIGH" 44391 }, 44392 "details": "Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.", 44393 "id": "GHSA-6x48-j4x4-cqw3", 44394 "modified": "2024-03-04T23:01:37.312585Z", 44395 "published": "2018-12-21T17:50:29Z", 44396 "references": [ 44397 { 44398 "type": "ADVISORY", 44399 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8009" 44400 }, 44401 { 44402 "type": "WEB", 44403 "url": "https://github.com/apache/hadoop/commit/12258c7cff8d32710fbd8b9088a930e3ce27432" 44404 }, 44405 { 44406 "type": "WEB", 44407 "url": "https://github.com/apache/hadoop/commit/45a1c680c276c4501402f7bc4cebcf85a6fbc7f" 44408 }, 44409 { 44410 "type": "WEB", 44411 "url": "https://github.com/apache/hadoop/commit/65e55097da2bb3f2fbdf9ba1946da25fe58bec9" 44412 }, 44413 { 44414 "type": "WEB", 44415 "url": "https://github.com/apache/hadoop/commit/6a4ae6f6eeed1392a4828a5721fa1499f65bdde" 44416 }, 44417 { 44418 "type": "WEB", 44419 "url": "https://github.com/apache/hadoop/commit/fc4c20fc3469674cb584a4fb98bac7e3c2277c9" 44420 }, 44421 { 44422 "type": "WEB", 44423 "url": "https://access.redhat.com/errata/RHSA-2019:3892" 44424 }, 44425 { 44426 "type": "ADVISORY", 44427 "url": 
"https://github.com/advisories/GHSA-6x48-j4x4-cqw3" 44428 }, 44429 { 44430 "type": "PACKAGE", 44431 "url": "https://github.com/apache/hadoop" 44432 }, 44433 { 44434 "type": "WEB", 44435 "url": "https://hadoop.apache.org/cve_list.html#cve-2018-8009-http-cve-mitre-org-cgi-bin-cvename-cgi-name-cve-2018-8009-zip-slip-impact-on-apache-hadoop" 44436 }, 44437 { 44438 "type": "WEB", 44439 "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" 44440 }, 44441 { 44442 "type": "WEB", 44443 "url": "https://lists.apache.org/thread.html/a1c227745ce30acbcf388c5b0cc8423e8bf495d619cd0fa973f7f38d@%3Cuser.hadoop.apache.org%3E" 44444 }, 44445 { 44446 "type": "WEB", 44447 "url": "https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510@%3Ccommits.druid.apache.org%3E" 44448 }, 44449 { 44450 "type": "WEB", 44451 "url": "https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a@%3Ccommits.druid.apache.org%3E" 44452 }, 44453 { 44454 "type": "WEB", 44455 "url": "https://snyk.io/research/zip-slip-vulnerability" 44456 }, 44457 { 44458 "type": "WEB", 44459 "url": "http://www.securityfocus.com/bid/105927" 44460 } 44461 ], 44462 "schema_version": "1.6.0", 44463 "severity": [ 44464 { 44465 "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 44466 "type": "CVSS_V3" 44467 } 44468 ], 44469 "summary": "Path Traversal in Hadoop" 44470 }, 44471 { 44472 "affected": [ 44473 { 44474 "database_specific": { 44475 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-99qr-9cc9-fv2x/GHSA-99qr-9cc9-fv2x.json" 44476 }, 44477 "package": { 44478 "ecosystem": "Maven", 44479 "name": "org.apache.hadoop:hadoop-main", 44480 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 44481 }, 44482 "ranges": [ 44483 { 44484 "events": [ 44485 { 44486 "introduced": "0" 44487 }, 44488 { 44489 "fixed": "2.7.3" 44490 } 44491 
], 44492 "type": "ECOSYSTEM" 44493 } 44494 ], 44495 "versions": [ 44496 "0.23.1", 44497 "0.23.10", 44498 "0.23.11", 44499 "0.23.3", 44500 "0.23.4", 44501 "0.23.5", 44502 "0.23.6", 44503 "0.23.7", 44504 "0.23.8", 44505 "0.23.9", 44506 "2.0.0-alpha", 44507 "2.0.1-alpha", 44508 "2.0.2-alpha", 44509 "2.0.3-alpha", 44510 "2.0.4-alpha", 44511 "2.0.5-alpha", 44512 "2.0.6-alpha", 44513 "2.1.0-beta", 44514 "2.1.1-beta", 44515 "2.2.0", 44516 "2.3.0", 44517 "2.4.0", 44518 "2.4.1", 44519 "2.5.0", 44520 "2.5.1", 44521 "2.5.2", 44522 "2.6.0", 44523 "2.6.1", 44524 "2.6.2", 44525 "2.6.3", 44526 "2.6.4", 44527 "2.6.5", 44528 "2.7.0", 44529 "2.7.1", 44530 "2.7.2" 44531 ] 44532 } 44533 ], 44534 "aliases": [ 44535 "CVE-2017-3166" 44536 ], 44537 "database_specific": { 44538 "cwe_ids": [ 44539 "CWE-732" 44540 ], 44541 "github_reviewed": true, 44542 "github_reviewed_at": "2020-06-16T21:28:07Z", 44543 "nvd_published_at": null, 44544 "severity": "MODERATE" 44545 }, 44546 "details": "In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.", 44547 "id": "GHSA-99qr-9cc9-fv2x", 44548 "modified": "2023-11-08T03:59:20.833209Z", 44549 "published": "2018-12-21T17:50:03Z", 44550 "references": [ 44551 { 44552 "type": "ADVISORY", 44553 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3166" 44554 }, 44555 { 44556 "type": "ADVISORY", 44557 "url": "https://github.com/advisories/GHSA-99qr-9cc9-fv2x" 44558 }, 44559 { 44560 "type": "WEB", 44561 "url": "https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f@%3Cgeneral.hadoop.apache.org%3E" 44562 }, 44563 { 44564 "type": "WEB", 44565 "url": 
"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" 44566 } 44567 ], 44568 "schema_version": "1.6.0", 44569 "severity": [ 44570 { 44571 "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 44572 "type": "CVSS_V3" 44573 } 44574 ], 44575 "summary": "Moderate severity vulnerability that affects org.apache.hadoop:hadoop-main" 44576 }, 44577 { 44578 "affected": [ 44579 { 44580 "database_specific": { 44581 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-c6f9-4pmv-m7m6/GHSA-c6f9-4pmv-m7m6.json" 44582 }, 44583 "package": { 44584 "ecosystem": "Maven", 44585 "name": "org.apache.hadoop:hadoop-main", 44586 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 44587 }, 44588 "ranges": [ 44589 { 44590 "events": [ 44591 { 44592 "introduced": "0.23" 44593 }, 44594 { 44595 "fixed": "0.23.2" 44596 } 44597 ], 44598 "type": "ECOSYSTEM" 44599 } 44600 ], 44601 "versions": [ 44602 "0.23.1" 44603 ] 44604 }, 44605 { 44606 "database_specific": { 44607 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-c6f9-4pmv-m7m6/GHSA-c6f9-4pmv-m7m6.json" 44608 }, 44609 "package": { 44610 "ecosystem": "Maven", 44611 "name": "org.apache.hadoop:hadoop-main", 44612 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 44613 }, 44614 "ranges": [ 44615 { 44616 "events": [ 44617 { 44618 "introduced": "1.0" 44619 }, 44620 { 44621 "fixed": "1.0.2" 44622 } 44623 ], 44624 "type": "ECOSYSTEM" 44625 } 44626 ] 44627 } 44628 ], 44629 "aliases": [ 44630 "CVE-2012-1574" 44631 ], 44632 "database_specific": { 44633 "cwe_ids": [ 44634 "CWE-287" 44635 ], 44636 "github_reviewed": true, 44637 "github_reviewed_at": "2023-08-29T21:08:04Z", 44638 "nvd_published_at": "2012-04-12T10:45:00Z", 44639 "severity": "MODERATE" 44640 }, 44641 "details": "The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.203.0 through 0.20.205.0, 0.23.x before 
0.23.2, and 1.0.x before 1.0.2, as used in Cloudera CDH CDH3u0 through CDH3u2, Cloudera hadoop-0.20-sbin before 0.20.2+923.197, and other products, allows remote authenticated users to impersonate arbitrary cluster user accounts via unspecified vectors.", 44642 "id": "GHSA-c6f9-4pmv-m7m6", 44643 "modified": "2024-02-16T08:21:18.139729Z", 44644 "published": "2022-05-17T02:54:07Z", 44645 "references": [ 44646 { 44647 "type": "ADVISORY", 44648 "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1574" 44649 }, 44650 { 44651 "type": "PACKAGE", 44652 "url": "https://github.com/apache/hadoop" 44653 }, 44654 { 44655 "type": "WEB", 44656 "url": "https://seclists.org/fulldisclosure/2012/Apr/70" 44657 }, 44658 { 44659 "type": "WEB", 44660 "url": "https://web.archive.org/web/20120720041621/https://ccp.cloudera.com/display/DOC/Cloudera+Security+Bulletin#ClouderaSecurityBulletin-MapReducewithSecurity" 44661 }, 44662 { 44663 "type": "WEB", 44664 "url": "https://web.archive.org/web/20151001135054/http://archives.neohapsis.com/archives/bugtraq/2012-04/0051.html" 44665 }, 44666 { 44667 "type": "WEB", 44668 "url": "https://web.archive.org/web/20161215212154/https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#topic_1_0_2" 44669 }, 44670 { 44671 "type": "WEB", 44672 "url": "https://web.archive.org/web/20200229125105/http://www.securityfocus.com/bid/52939" 44673 } 44674 ], 44675 "schema_version": "1.6.0", 44676 "summary": "Apache Hadoop allows impersonation of arbitrary cluster user accounts" 44677 }, 44678 { 44679 "affected": [ 44680 { 44681 "database_specific": { 44682 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-hx83-rpqf-m267/GHSA-hx83-rpqf-m267.json" 44683 }, 44684 "package": { 44685 "ecosystem": "Maven", 44686 "name": "org.apache.hadoop:hadoop-main", 44687 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 44688 }, 44689 "ranges": [ 44690 { 44691 "events": [ 44692 { 44693 "introduced": 
"2.2.0" 44694 }, 44695 { 44696 "fixed": "2.8.5" 44697 } 44698 ], 44699 "type": "ECOSYSTEM" 44700 } 44701 ], 44702 "versions": [ 44703 "2.2.0", 44704 "2.3.0", 44705 "2.4.0", 44706 "2.4.1", 44707 "2.5.0", 44708 "2.5.1", 44709 "2.5.2", 44710 "2.6.0", 44711 "2.6.1", 44712 "2.6.2", 44713 "2.6.3", 44714 "2.6.4", 44715 "2.6.5", 44716 "2.7.0", 44717 "2.7.1", 44718 "2.7.2", 44719 "2.7.3", 44720 "2.7.4", 44721 "2.7.5", 44722 "2.7.6", 44723 "2.7.7", 44724 "2.8.0", 44725 "2.8.1", 44726 "2.8.2", 44727 "2.8.3", 44728 "2.8.4" 44729 ] 44730 }, 44731 { 44732 "database_specific": { 44733 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-hx83-rpqf-m267/GHSA-hx83-rpqf-m267.json" 44734 }, 44735 "package": { 44736 "ecosystem": "Maven", 44737 "name": "org.apache.hadoop:hadoop-main", 44738 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 44739 }, 44740 "ranges": [ 44741 { 44742 "events": [ 44743 { 44744 "introduced": "2.9.0" 44745 }, 44746 { 44747 "fixed": "2.9.2" 44748 } 44749 ], 44750 "type": "ECOSYSTEM" 44751 } 44752 ], 44753 "versions": [ 44754 "2.9.0", 44755 "2.9.1" 44756 ] 44757 }, 44758 { 44759 "database_specific": { 44760 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-hx83-rpqf-m267/GHSA-hx83-rpqf-m267.json" 44761 }, 44762 "package": { 44763 "ecosystem": "Maven", 44764 "name": "org.apache.hadoop:hadoop-main", 44765 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 44766 }, 44767 "ranges": [ 44768 { 44769 "events": [ 44770 { 44771 "introduced": "3.0.0" 44772 }, 44773 { 44774 "fixed": "3.1.1" 44775 } 44776 ], 44777 "type": "ECOSYSTEM" 44778 } 44779 ], 44780 "versions": [ 44781 "3.0.0", 44782 "3.0.1", 44783 "3.0.2", 44784 "3.0.3", 44785 "3.1.0" 44786 ] 44787 } 44788 ], 44789 "aliases": [ 44790 "CVE-2018-11768" 44791 ], 44792 "database_specific": { 44793 "cwe_ids": [ 44794 "CWE-119" 44795 ], 44796 "github_reviewed": true, 44797 "github_reviewed_at": "2019-11-19T03:28:12Z", 
44798 "nvd_published_at": null, 44799 "severity": "HIGH" 44800 }, 44801 "details": "In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.", 44802 "id": "GHSA-hx83-rpqf-m267", 44803 "modified": "2023-11-08T03:59:47.193372Z", 44804 "published": "2019-11-20T01:38:00Z", 44805 "references": [ 44806 { 44807 "type": "ADVISORY", 44808 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11768" 44809 }, 44810 { 44811 "type": "WEB", 44812 "url": "https://hadoop.apache.org/cve_list.html" 44813 }, 44814 { 44815 "type": "WEB", 44816 "url": "https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E" 44817 }, 44818 { 44819 "type": "WEB", 44820 "url": "https://lists.apache.org/thread.html/2c9cc65864be0058a5d5ed2025dfb9c700bf23d352b0c826c36ff96a@%3Chdfs-dev.hadoop.apache.org%3E" 44821 }, 44822 { 44823 "type": "WEB", 44824 "url": "https://lists.apache.org/thread.html/72ca514e01cd5f08151e74f9929799b4cbe1b6e9e6cd24faa72ffcc6@%3Cdev.lucene.apache.org%3E" 44825 }, 44826 { 44827 "type": "WEB", 44828 "url": "https://lists.apache.org/thread.html/9b609d4392d886711e694cf40d86f770022baf42a1b1aa97e8244c87@%3Cdev.lucene.apache.org%3E" 44829 }, 44830 { 44831 "type": "WEB", 44832 "url": "https://lists.apache.org/thread.html/caacbbba2dcc1105163f76f3dfee5fbd22e0417e0783212787086378@%3Cgeneral.hadoop.apache.org%3E" 44833 }, 44834 { 44835 "type": "WEB", 44836 "url": "https://lists.apache.org/thread.html/ceb16af9139ab0fea24aef935b6321581976887df7ad632e9a515dda@%3Cdev.lucene.apache.org%3E" 44837 }, 44838 { 44839 "type": "WEB", 44840 "url": "https://lists.apache.org/thread.html/ea6d2dfbefab8ebe46be18b05136b83ae53b7866f1bc60c680a2b600@%3Chdfs-dev.hadoop.apache.org%3E" 44841 }, 44842 { 44843 "type": "WEB", 44844 "url": 
"https://lists.apache.org/thread.html/f20bb4e055d8394fc525cc7772fb84096f706389043e76220c8a29a4@%3Chdfs-dev.hadoop.apache.org%3E" 44845 }, 44846 { 44847 "type": "WEB", 44848 "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cdev.flink.apache.org%3E" 44849 }, 44850 { 44851 "type": "WEB", 44852 "url": "https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cuser.flink.apache.org%3E" 44853 } 44854 ], 44855 "schema_version": "1.6.0", 44856 "severity": [ 44857 { 44858 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 44859 "type": "CVSS_V3" 44860 } 44861 ], 44862 "summary": "user/group information can be corrupted across storing in fsimage and reading back from fsimage" 44863 }, 44864 { 44865 "affected": [ 44866 { 44867 "database_specific": { 44868 "last_known_affected_version_range": "\u003c= 2.7.4", 44869 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-mq8p-h798-xcrp/GHSA-mq8p-h798-xcrp.json" 44870 }, 44871 "package": { 44872 "ecosystem": "Maven", 44873 "name": "org.apache.hadoop:hadoop-main", 44874 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 44875 }, 44876 "ranges": [ 44877 { 44878 "events": [ 44879 { 44880 "introduced": "2.7.3" 44881 }, 44882 { 44883 "fixed": "2.7.5" 44884 } 44885 ], 44886 "type": "ECOSYSTEM" 44887 } 44888 ], 44889 "versions": [ 44890 "2.7.3", 44891 "2.7.4" 44892 ] 44893 } 44894 ], 44895 "aliases": [ 44896 "CVE-2017-15718" 44897 ], 44898 "database_specific": { 44899 "cwe_ids": [ 44900 "CWE-200" 44901 ], 44902 "github_reviewed": true, 44903 "github_reviewed_at": "2020-06-16T21:47:00Z", 44904 "nvd_published_at": null, 44905 "severity": "CRITICAL" 44906 }, 44907 "details": "The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the password for credential store provider used by the NodeManager to YARN Applications.", 44908 "id": "GHSA-mq8p-h798-xcrp", 44909 "modified": 
"2023-11-08T03:58:58.669059Z", 44910 "published": "2018-12-21T17:50:20Z", 44911 "references": [ 44912 { 44913 "type": "ADVISORY", 44914 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15718" 44915 }, 44916 { 44917 "type": "ADVISORY", 44918 "url": "https://github.com/advisories/GHSA-mq8p-h798-xcrp" 44919 }, 44920 { 44921 "type": "WEB", 44922 "url": "https://lists.apache.org/thread.html/773c93c2d8a6a52bbe97610c2b1c2ad205b970e1b8c04fb5b2fccad6@%3Cgeneral.hadoop.apache.org%3E" 44923 } 44924 ], 44925 "schema_version": "1.6.0", 44926 "severity": [ 44927 { 44928 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 44929 "type": "CVSS_V3" 44930 } 44931 ], 44932 "summary": "Exposure of Sensitive Information in Hadoop" 44933 }, 44934 { 44935 "affected": [ 44936 { 44937 "database_specific": { 44938 "last_known_affected_version_range": "\u003c= 3.0.0", 44939 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-rhh9-cm65-3w54/GHSA-rhh9-cm65-3w54.json" 44940 }, 44941 "package": { 44942 "ecosystem": "Maven", 44943 "name": "org.apache.hadoop:hadoop-main", 44944 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 44945 }, 44946 "ranges": [ 44947 { 44948 "events": [ 44949 { 44950 "introduced": "3.0.0-alpha2" 44951 }, 44952 { 44953 "fixed": "3.0.1" 44954 } 44955 ], 44956 "type": "ECOSYSTEM" 44957 } 44958 ], 44959 "versions": [ 44960 "3.0.0", 44961 "3.0.0-alpha2", 44962 "3.0.0-alpha3", 44963 "3.0.0-alpha4", 44964 "3.0.0-beta1" 44965 ] 44966 }, 44967 { 44968 "database_specific": { 44969 "last_known_affected_version_range": "\u003c= 2.9.2", 44970 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-rhh9-cm65-3w54/GHSA-rhh9-cm65-3w54.json" 44971 }, 44972 "package": { 44973 "ecosystem": "Maven", 44974 "name": "org.apache.hadoop:hadoop-main", 44975 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 44976 }, 44977 "ranges": [ 44978 { 44979 "events": [ 44980 { 44981 "introduced": 
"2.9.0" 44982 }, 44983 { 44984 "fixed": "2.9.3" 44985 } 44986 ], 44987 "type": "ECOSYSTEM" 44988 } 44989 ], 44990 "versions": [ 44991 "2.9.0", 44992 "2.9.1", 44993 "2.9.2" 44994 ] 44995 }, 44996 { 44997 "database_specific": { 44998 "last_known_affected_version_range": "\u003c= 2.8.5", 44999 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-rhh9-cm65-3w54/GHSA-rhh9-cm65-3w54.json" 45000 }, 45001 "package": { 45002 "ecosystem": "Maven", 45003 "name": "org.apache.hadoop:hadoop-main", 45004 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 45005 }, 45006 "ranges": [ 45007 { 45008 "events": [ 45009 { 45010 "introduced": "2.8.0" 45011 }, 45012 { 45013 "fixed": "2.8.6" 45014 } 45015 ], 45016 "type": "ECOSYSTEM" 45017 } 45018 ], 45019 "versions": [ 45020 "2.8.0", 45021 "2.8.1", 45022 "2.8.2", 45023 "2.8.3", 45024 "2.8.4", 45025 "2.8.5" 45026 ] 45027 } 45028 ], 45029 "aliases": [ 45030 "CVE-2018-11765" 45031 ], 45032 "database_specific": { 45033 "cwe_ids": [ 45034 "CWE-287" 45035 ], 45036 "github_reviewed": true, 45037 "github_reviewed_at": "2021-04-27T21:56:41Z", 45038 "nvd_published_at": "2020-09-30T18:15:00Z", 45039 "severity": "HIGH" 45040 }, 45041 "details": "In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.", 45042 "id": "GHSA-rhh9-cm65-3w54", 45043 "modified": "2024-02-17T05:34:33.603105Z", 45044 "published": "2021-04-30T17:29:30Z", 45045 "references": [ 45046 { 45047 "type": "ADVISORY", 45048 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11765" 45049 }, 45050 { 45051 "type": "WEB", 45052 "url": "https://lists.apache.org/thread.html/r17d94d132b207dad221595fd8b8b18628f5f5ec7e3f5be939ecd8928@%3Ccommits.druid.apache.org%3E" 45053 }, 45054 { 45055 "type": "WEB", 45056 "url": 
"https://lists.apache.org/thread.html/r2c7f899911a04164ed1707083fcd4135f8427e04778c87d83509b0da%40%3Cgeneral.hadoop.apache.org%3E" 45057 }, 45058 { 45059 "type": "WEB", 45060 "url": "https://lists.apache.org/thread.html/r46447f38ea8c89421614e9efd7de5e656186d35e10fc97cf88477a01@%3Ccommits.druid.apache.org%3E" 45061 }, 45062 { 45063 "type": "WEB", 45064 "url": "https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510@%3Ccommits.druid.apache.org%3E" 45065 }, 45066 { 45067 "type": "WEB", 45068 "url": "https://lists.apache.org/thread.html/r74825601e93582167eb7cdc2f764c74c9c6d8006fa90018562fda60f@%3Ccommits.druid.apache.org%3E" 45069 }, 45070 { 45071 "type": "WEB", 45072 "url": "https://lists.apache.org/thread.html/r79b15c5b66c6df175d01d7560adf0cd5c369129b9a161905e0339927@%3Ccommits.druid.apache.org%3E" 45073 }, 45074 { 45075 "type": "WEB", 45076 "url": "https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a@%3Ccommits.druid.apache.org%3E" 45077 }, 45078 { 45079 "type": "WEB", 45080 "url": "https://lists.apache.org/thread.html/rb241464d83baa3749b08cd3dabc8dba70a9a9027edcef3b5d4c24ef4@%3Ccommits.druid.apache.org%3E" 45081 }, 45082 { 45083 "type": "WEB", 45084 "url": "https://lists.apache.org/thread.html/rbe25cac0f499374f8ae17a4a44a8404927b56de28d4c41940d82b7a4@%3Ccommits.druid.apache.org%3E" 45085 }, 45086 { 45087 "type": "WEB", 45088 "url": "https://lists.apache.org/thread.html/reea5eb8622afbfbfca46bc758f79db83d90a3263a906c4d1acba4971@%3Ccommits.druid.apache.org%3E" 45089 }, 45090 { 45091 "type": "WEB", 45092 "url": "https://lists.apache.org/thread.html/rf9dfa8b77585c9227db9637552eebb2ab029255a0db4eb76c2b6c4cf@%3Cdev.druid.apache.org%3E" 45093 }, 45094 { 45095 "type": "WEB", 45096 "url": "https://security.netapp.com/advisory/ntap-20201016-0005" 45097 } 45098 ], 45099 "schema_version": "1.6.0", 45100 "severity": [ 45101 { 45102 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 45103 
"type": "CVSS_V3" 45104 } 45105 ], 45106 "summary": "Improper Authentication in Apache Hadoop" 45107 }, 45108 { 45109 "affected": [ 45110 { 45111 "database_specific": { 45112 "last_known_affected_version_range": "\u003c= 2.7.6", 45113 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-rqj9-cq6j-958r/GHSA-rqj9-cq6j-958r.json" 45114 }, 45115 "package": { 45116 "ecosystem": "Maven", 45117 "name": "org.apache.hadoop:hadoop-main", 45118 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 45119 }, 45120 "ranges": [ 45121 { 45122 "events": [ 45123 { 45124 "introduced": "2.7.4" 45125 }, 45126 { 45127 "fixed": "2.7.7" 45128 } 45129 ], 45130 "type": "ECOSYSTEM" 45131 } 45132 ], 45133 "versions": [ 45134 "2.7.4", 45135 "2.7.5", 45136 "2.7.6" 45137 ] 45138 } 45139 ], 45140 "aliases": [ 45141 "CVE-2018-11766" 45142 ], 45143 "database_specific": { 45144 "cwe_ids": [], 45145 "github_reviewed": true, 45146 "github_reviewed_at": "2020-06-16T21:55:32Z", 45147 "nvd_published_at": null, 45148 "severity": "HIGH" 45149 }, 45150 "details": "In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. 
A user who can escalate to yarn user can possibly run arbitrary commands as root user.", 45151 "id": "GHSA-rqj9-cq6j-958r", 45152 "modified": "2023-11-08T03:59:47.071659Z", 45153 "published": "2018-12-21T17:50:26Z", 45154 "references": [ 45155 { 45156 "type": "ADVISORY", 45157 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11766" 45158 }, 45159 { 45160 "type": "ADVISORY", 45161 "url": "https://github.com/advisories/GHSA-rqj9-cq6j-958r" 45162 }, 45163 { 45164 "type": "WEB", 45165 "url": "https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E" 45166 }, 45167 { 45168 "type": "WEB", 45169 "url": "http://www.securityfocus.com/bid/106035" 45170 } 45171 ], 45172 "schema_version": "1.6.0", 45173 "severity": [ 45174 { 45175 "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 45176 "type": "CVSS_V3" 45177 } 45178 ], 45179 "summary": "Arbitrary Command Execution in Hadoop" 45180 }, 45181 { 45182 "affected": [ 45183 { 45184 "database_specific": { 45185 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-v569-g72v-q434/GHSA-v569-g72v-q434.json" 45186 }, 45187 "package": { 45188 "ecosystem": "Maven", 45189 "name": "org.apache.hadoop:hadoop-main", 45190 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 45191 }, 45192 "ranges": [ 45193 { 45194 "events": [ 45195 { 45196 "introduced": "0" 45197 }, 45198 { 45199 "fixed": "2.7.6" 45200 } 45201 ], 45202 "type": "ECOSYSTEM" 45203 } 45204 ], 45205 "versions": [ 45206 "0.23.1", 45207 "0.23.10", 45208 "0.23.11", 45209 "0.23.3", 45210 "0.23.4", 45211 "0.23.5", 45212 "0.23.6", 45213 "0.23.7", 45214 "0.23.8", 45215 "0.23.9", 45216 "2.0.0-alpha", 45217 "2.0.1-alpha", 45218 "2.0.2-alpha", 45219 "2.0.3-alpha", 45220 "2.0.4-alpha", 45221 "2.0.5-alpha", 45222 "2.0.6-alpha", 45223 "2.1.0-beta", 45224 "2.1.1-beta", 45225 "2.2.0", 45226 "2.3.0", 45227 "2.4.0", 45228 "2.4.1", 45229 "2.5.0", 45230 "2.5.1", 45231 "2.5.2", 
45232 "2.6.0", 45233 "2.6.1", 45234 "2.6.2", 45235 "2.6.3", 45236 "2.6.4", 45237 "2.6.5", 45238 "2.7.0", 45239 "2.7.1", 45240 "2.7.2", 45241 "2.7.3", 45242 "2.7.4", 45243 "2.7.5" 45244 ] 45245 }, 45246 { 45247 "database_specific": { 45248 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-v569-g72v-q434/GHSA-v569-g72v-q434.json" 45249 }, 45250 "package": { 45251 "ecosystem": "Maven", 45252 "name": "org.apache.hadoop:hadoop-main", 45253 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 45254 }, 45255 "ranges": [ 45256 { 45257 "events": [ 45258 { 45259 "introduced": "2.8.0" 45260 }, 45261 { 45262 "fixed": "2.8.4" 45263 } 45264 ], 45265 "type": "ECOSYSTEM" 45266 } 45267 ], 45268 "versions": [ 45269 "2.8.0", 45270 "2.8.1", 45271 "2.8.2", 45272 "2.8.3" 45273 ] 45274 }, 45275 { 45276 "database_specific": { 45277 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-v569-g72v-q434/GHSA-v569-g72v-q434.json" 45278 }, 45279 "package": { 45280 "ecosystem": "Maven", 45281 "name": "org.apache.hadoop:hadoop-main", 45282 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 45283 }, 45284 "ranges": [ 45285 { 45286 "events": [ 45287 { 45288 "introduced": "2.9.0" 45289 }, 45290 { 45291 "fixed": "2.9.1" 45292 } 45293 ], 45294 "type": "ECOSYSTEM" 45295 } 45296 ], 45297 "versions": [ 45298 "2.9.0" 45299 ] 45300 } 45301 ], 45302 "aliases": [ 45303 "CVE-2018-1296" 45304 ], 45305 "database_specific": { 45306 "cwe_ids": [ 45307 "CWE-200" 45308 ], 45309 "github_reviewed": true, 45310 "github_reviewed_at": "2020-06-16T21:56:41Z", 45311 "nvd_published_at": null, 45312 "severity": "HIGH" 45313 }, 45314 "details": "In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.", 45315 "id": 
"GHSA-v569-g72v-q434", 45316 "modified": "2023-11-08T03:59:51.778695Z", 45317 "published": "2019-02-12T17:26:12Z", 45318 "references": [ 45319 { 45320 "type": "ADVISORY", 45321 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1296" 45322 }, 45323 { 45324 "type": "ADVISORY", 45325 "url": "https://github.com/advisories/GHSA-v569-g72v-q434" 45326 }, 45327 { 45328 "type": "WEB", 45329 "url": "https://lists.apache.org/thread.html/a5b15bc76fbdad2ee40761aacf954a13aeef67e305f86d483f267e8e@%3Cuser.hadoop.apache.org%3E" 45330 }, 45331 { 45332 "type": "WEB", 45333 "url": "http://www.securityfocus.com/bid/106764" 45334 } 45335 ], 45336 "schema_version": "1.6.0", 45337 "severity": [ 45338 { 45339 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 45340 "type": "CVSS_V3" 45341 } 45342 ], 45343 "summary": "Exposure of Sensitive Information to an Unauthorized Actor in Hadoop" 45344 }, 45345 { 45346 "affected": [ 45347 { 45348 "database_specific": { 45349 "last_known_affected_version_range": "\u003c= 1.0.3", 45350 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-v5c9-98f7-2h54/GHSA-v5c9-98f7-2h54.json" 45351 }, 45352 "package": { 45353 "ecosystem": "Maven", 45354 "name": "org.apache.hadoop:hadoop-main", 45355 "purl": "pkg:maven/org.apache.hadoop/hadoop-main" 45356 }, 45357 "ranges": [ 45358 { 45359 "events": [ 45360 { 45361 "introduced": "0" 45362 }, 45363 { 45364 "fixed": "1.0.4" 45365 } 45366 ], 45367 "type": "ECOSYSTEM" 45368 } 45369 ], 45370 "versions": [ 45371 "0.23.1", 45372 "0.23.10", 45373 "0.23.11", 45374 "0.23.3", 45375 "0.23.4", 45376 "0.23.5", 45377 "0.23.6", 45378 "0.23.7", 45379 "0.23.8", 45380 "0.23.9" 45381 ] 45382 } 45383 ], 45384 "aliases": [ 45385 "CVE-2012-2945" 45386 ], 45387 "database_specific": { 45388 "cwe_ids": [ 45389 "CWE-377", 45390 "CWE-59" 45391 ], 45392 "github_reviewed": true, 45393 "github_reviewed_at": "2023-08-29T19:54:42Z", 45394 "nvd_published_at": "2019-10-29T19:15:00Z", 45395 
"severity": "HIGH" 45396 }, 45397 "details": "Hadoop 1.0.3 contains a symlink vulnerability as a result of storing pid files in the shared `/tmp` directory by default.", 45398 "id": "GHSA-v5c9-98f7-2h54", 45399 "modified": "2024-02-16T08:24:21.090651Z", 45400 "published": "2022-04-23T00:40:07Z", 45401 "references": [ 45402 { 45403 "type": "ADVISORY", 45404 "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2945" 45405 }, 45406 { 45407 "type": "WEB", 45408 "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535861" 45409 }, 45410 { 45411 "type": "PACKAGE", 45412 "url": "https://github.com/apache/hadoop" 45413 }, 45414 { 45415 "type": "WEB", 45416 "url": "https://seclists.org/fulldisclosure/2012/Jul/3" 45417 }, 45418 { 45419 "type": "WEB", 45420 "url": "https://security-tracker.debian.org/tracker/CVE-2012-2945" 45421 } 45422 ], 45423 "schema_version": "1.6.0", 45424 "severity": [ 45425 { 45426 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 45427 "type": "CVSS_V3" 45428 } 45429 ], 45430 "summary": "Hadoop symlink vulnerability" 45431 }, 45432 { 45433 "affected": [ 45434 { 45435 "database_specific": { 45436 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-rr2m-gffv-mgrj/GHSA-rr2m-gffv-mgrj.json" 45437 }, 45438 "package": { 45439 "ecosystem": "Maven", 45440 "name": "org.apache.hadoop:hadoop-yarn-server", 45441 "purl": "pkg:maven/org.apache.hadoop/hadoop-yarn-server" 45442 }, 45443 "ranges": [ 45444 { 45445 "events": [ 45446 { 45447 "introduced": "0" 45448 }, 45449 { 45450 "fixed": "2.10.2" 45451 } 45452 ], 45453 "type": "ECOSYSTEM" 45454 } 45455 ], 45456 "versions": [ 45457 "0.23.1", 45458 "0.23.10", 45459 "0.23.11", 45460 "0.23.3", 45461 "0.23.4", 45462 "0.23.5", 45463 "0.23.6", 45464 "0.23.7", 45465 "0.23.8", 45466 "0.23.9", 45467 "2.0.0-alpha", 45468 "2.0.1-alpha", 45469 "2.0.2-alpha", 45470 "2.0.3-alpha", 45471 "2.0.4-alpha", 45472 "2.0.5-alpha", 45473 "2.0.6-alpha", 45474 "2.1.0-beta", 45475 
"2.1.1-beta", 45476 "2.10.0", 45477 "2.10.1", 45478 "2.2.0", 45479 "2.3.0", 45480 "2.4.0", 45481 "2.4.1", 45482 "2.5.0", 45483 "2.5.1", 45484 "2.5.2", 45485 "2.6.0", 45486 "2.6.1", 45487 "2.6.2", 45488 "2.6.3", 45489 "2.6.4", 45490 "2.6.5", 45491 "2.7.0", 45492 "2.7.1", 45493 "2.7.2", 45494 "2.7.3", 45495 "2.7.4", 45496 "2.7.5", 45497 "2.7.6", 45498 "2.7.7", 45499 "2.8.0", 45500 "2.8.1", 45501 "2.8.2", 45502 "2.8.3", 45503 "2.8.4", 45504 "2.8.5", 45505 "2.9.0", 45506 "2.9.1", 45507 "2.9.2" 45508 ] 45509 }, 45510 { 45511 "database_specific": { 45512 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-rr2m-gffv-mgrj/GHSA-rr2m-gffv-mgrj.json" 45513 }, 45514 "package": { 45515 "ecosystem": "Maven", 45516 "name": "org.apache.hadoop:hadoop-yarn-server", 45517 "purl": "pkg:maven/org.apache.hadoop/hadoop-yarn-server" 45518 }, 45519 "ranges": [ 45520 { 45521 "events": [ 45522 { 45523 "introduced": "3.0.0" 45524 }, 45525 { 45526 "fixed": "3.2.4" 45527 } 45528 ], 45529 "type": "ECOSYSTEM" 45530 } 45531 ], 45532 "versions": [ 45533 "3.0.0", 45534 "3.0.1", 45535 "3.0.2", 45536 "3.0.3", 45537 "3.1.0", 45538 "3.1.1", 45539 "3.1.2", 45540 "3.1.3", 45541 "3.1.4", 45542 "3.2.0", 45543 "3.2.1", 45544 "3.2.2", 45545 "3.2.3" 45546 ] 45547 }, 45548 { 45549 "database_specific": { 45550 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-rr2m-gffv-mgrj/GHSA-rr2m-gffv-mgrj.json" 45551 }, 45552 "package": { 45553 "ecosystem": "Maven", 45554 "name": "org.apache.hadoop:hadoop-yarn-server", 45555 "purl": "pkg:maven/org.apache.hadoop/hadoop-yarn-server" 45556 }, 45557 "ranges": [ 45558 { 45559 "events": [ 45560 { 45561 "introduced": "3.3.0" 45562 }, 45563 { 45564 "fixed": "3.3.4" 45565 } 45566 ], 45567 "type": "ECOSYSTEM" 45568 } 45569 ], 45570 "versions": [ 45571 "3.3.0", 45572 "3.3.1", 45573 "3.3.2", 45574 "3.3.3" 45575 ] 45576 } 45577 ], 45578 "aliases": [ 45579 "CVE-2021-25642" 45580 ], 
45581 "database_specific": { 45582 "cwe_ids": [ 45583 "CWE-502" 45584 ], 45585 "github_reviewed": true, 45586 "github_reviewed_at": "2022-08-30T20:55:27Z", 45587 "nvd_published_at": "2022-08-25T14:15:00Z", 45588 "severity": "HIGH" 45589 }, 45590 "details": "ZKConfigurationStore which is optionally used by CapacityScheduler of Apache Hadoop YARN deserializes data obtained from ZooKeeper without validation. An attacker having access to ZooKeeper can run arbitrary commands as YARN user by exploiting this. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.4 or later (containing YARN-11126) if ZKConfigurationStore is used.", 45591 "id": "GHSA-rr2m-gffv-mgrj", 45592 "modified": "2024-02-22T05:43:15.326359Z", 45593 "published": "2022-08-26T00:03:33Z", 45594 "references": [ 45595 { 45596 "type": "ADVISORY", 45597 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25642" 45598 }, 45599 { 45600 "type": "WEB", 45601 "url": "https://github.com/apache/hadoop/commit/5e2f4339fadc88f20543915fc9b0aaeaf4f9e7bf" 45602 }, 45603 { 45604 "type": "PACKAGE", 45605 "url": "https://github.com/apache/hadoop" 45606 }, 45607 { 45608 "type": "WEB", 45609 "url": "https://lists.apache.org/thread/g6vf2h4wdgzzdgk91mqozhs58wotq150" 45610 }, 45611 { 45612 "type": "WEB", 45613 "url": "https://security.netapp.com/advisory/ntap-20221201-0003" 45614 } 45615 ], 45616 "schema_version": "1.6.0", 45617 "severity": [ 45618 { 45619 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 45620 "type": "CVSS_V3" 45621 } 45622 ], 45623 "summary": "Deserialization of Untrusted Data in Apache Hadoop YARN" 45624 }, 45625 { 45626 "affected": [ 45627 { 45628 "database_specific": { 45629 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-58jx-f5rf-qgqf/GHSA-58jx-f5rf-qgqf.json" 45630 }, 45631 "package": { 45632 "ecosystem": "Maven", 45633 "name": "org.apache.hadoop:hadoop-yarn-server-common", 45634 "purl": 
"pkg:maven/org.apache.hadoop/hadoop-yarn-server-common" 45635 }, 45636 "ranges": [ 45637 { 45638 "events": [ 45639 { 45640 "introduced": "2.2.0" 45641 }, 45642 { 45643 "fixed": "2.10.2" 45644 } 45645 ], 45646 "type": "ECOSYSTEM" 45647 } 45648 ], 45649 "versions": [ 45650 "2.10.0", 45651 "2.10.1", 45652 "2.2.0", 45653 "2.3.0", 45654 "2.4.0", 45655 "2.4.1", 45656 "2.5.0", 45657 "2.5.1", 45658 "2.5.2", 45659 "2.6.0", 45660 "2.6.1", 45661 "2.6.2", 45662 "2.6.3", 45663 "2.6.4", 45664 "2.6.5", 45665 "2.7.0", 45666 "2.7.1", 45667 "2.7.2", 45668 "2.7.3", 45669 "2.7.4", 45670 "2.7.5", 45671 "2.7.6", 45672 "2.7.7", 45673 "2.8.0", 45674 "2.8.1", 45675 "2.8.2", 45676 "2.8.3", 45677 "2.8.4", 45678 "2.8.5", 45679 "2.9.0", 45680 "2.9.1", 45681 "2.9.2" 45682 ] 45683 }, 45684 { 45685 "database_specific": { 45686 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-58jx-f5rf-qgqf/GHSA-58jx-f5rf-qgqf.json" 45687 }, 45688 "package": { 45689 "ecosystem": "Maven", 45690 "name": "org.apache.hadoop:hadoop-yarn-server-common", 45691 "purl": "pkg:maven/org.apache.hadoop/hadoop-yarn-server-common" 45692 }, 45693 "ranges": [ 45694 { 45695 "events": [ 45696 { 45697 "introduced": "3.0.0" 45698 }, 45699 { 45700 "fixed": "3.2.3" 45701 } 45702 ], 45703 "type": "ECOSYSTEM" 45704 } 45705 ], 45706 "versions": [ 45707 "3.0.0", 45708 "3.0.1", 45709 "3.0.2", 45710 "3.0.3", 45711 "3.1.0", 45712 "3.1.1", 45713 "3.1.2", 45714 "3.1.3", 45715 "3.1.4", 45716 "3.2.0", 45717 "3.2.1", 45718 "3.2.2" 45719 ] 45720 }, 45721 { 45722 "database_specific": { 45723 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-58jx-f5rf-qgqf/GHSA-58jx-f5rf-qgqf.json" 45724 }, 45725 "package": { 45726 "ecosystem": "Maven", 45727 "name": "org.apache.hadoop:hadoop-yarn-server-common", 45728 "purl": "pkg:maven/org.apache.hadoop/hadoop-yarn-server-common" 45729 }, 45730 "ranges": [ 45731 { 45732 "events": [ 45733 { 45734 
"introduced": "3.3.0" 45735 }, 45736 { 45737 "fixed": "3.3.2" 45738 } 45739 ], 45740 "type": "ECOSYSTEM" 45741 } 45742 ], 45743 "versions": [ 45744 "3.3.0", 45745 "3.3.1" 45746 ] 45747 } 45748 ], 45749 "aliases": [ 45750 "CVE-2021-33036" 45751 ], 45752 "database_specific": { 45753 "cwe_ids": [ 45754 "CWE-22", 45755 "CWE-502" 45756 ], 45757 "github_reviewed": true, 45758 "github_reviewed_at": "2022-06-17T21:46:01Z", 45759 "nvd_published_at": "2022-06-15T15:15:00Z", 45760 "severity": "HIGH" 45761 }, 45762 "details": "In Apache Hadoop 2.2.0 to 2.10.1, 3.0.0-alpha1 to 3.1.4, 3.2.0 to 3.2.2, and 3.3.0 to 3.3.1, a user who can escalate to yarn user can possibly run arbitrary commands as root user. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.", 45763 "id": "GHSA-58jx-f5rf-qgqf", 45764 "modified": "2024-02-21T05:31:52.226908Z", 45765 "published": "2022-06-16T00:00:21Z", 45766 "references": [ 45767 { 45768 "type": "ADVISORY", 45769 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33036" 45770 }, 45771 { 45772 "type": "WEB", 45773 "url": "https://github.com/apache/hadoop/commit/227d64ab59e8aa6477769b2542ad0cd7a6d855cb" 45774 }, 45775 { 45776 "type": "WEB", 45777 "url": "https://github.com/apache/hadoop/commit/45801fba8b00257ab32c02a7d1a05948ba687a49" 45778 }, 45779 { 45780 "type": "WEB", 45781 "url": "https://github.com/apache/hadoop/commit/ba041fe6d34215f075e0a7b2078d7273147e14b7" 45782 }, 45783 { 45784 "type": "PACKAGE", 45785 "url": "https://github.com/apache/hadoop" 45786 }, 45787 { 45788 "type": "WEB", 45789 "url": "https://lists.apache.org/thread/ctr84rmo3xd2tzqcx2b277c8z692vhl5" 45790 }, 45791 { 45792 "type": "WEB", 45793 "url": "https://security.netapp.com/advisory/ntap-20220722-0003" 45794 }, 45795 { 45796 "type": "WEB", 45797 "url": "http://www.openwall.com/lists/oss-security/2022/06/15/2" 45798 } 45799 ], 45800 "schema_version": "1.6.0", 45801 "severity": [ 45802 { 45803 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 45804 
"type": "CVSS_V3" 45805 } 45806 ], 45807 "summary": "User account escalation in Apache Hadoop" 45808 }, 45809 { 45810 "affected": [ 45811 { 45812 "database_specific": { 45813 "last_known_affected_version_range": "\u003c= 2.6.4", 45814 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-895m-ww55-59vw/GHSA-895m-ww55-59vw.json" 45815 }, 45816 "package": { 45817 "ecosystem": "Maven", 45818 "name": "org.apache.hadoop:hadoop-yarn-server-nodemanager", 45819 "purl": "pkg:maven/org.apache.hadoop/hadoop-yarn-server-nodemanager" 45820 }, 45821 "ranges": [ 45822 { 45823 "events": [ 45824 { 45825 "introduced": "2.6.0" 45826 }, 45827 { 45828 "fixed": "2.6.5" 45829 } 45830 ], 45831 "type": "ECOSYSTEM" 45832 } 45833 ], 45834 "versions": [ 45835 "2.6.0", 45836 "2.6.1", 45837 "2.6.2", 45838 "2.6.3", 45839 "2.6.4" 45840 ] 45841 }, 45842 { 45843 "database_specific": { 45844 "last_known_affected_version_range": "\u003c= 2.7.2", 45845 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-895m-ww55-59vw/GHSA-895m-ww55-59vw.json" 45846 }, 45847 "package": { 45848 "ecosystem": "Maven", 45849 "name": "org.apache.hadoop:hadoop-yarn-server-nodemanager", 45850 "purl": "pkg:maven/org.apache.hadoop/hadoop-yarn-server-nodemanager" 45851 }, 45852 "ranges": [ 45853 { 45854 "events": [ 45855 { 45856 "introduced": "2.7.0" 45857 }, 45858 { 45859 "fixed": "2.7.3" 45860 } 45861 ], 45862 "type": "ECOSYSTEM" 45863 } 45864 ], 45865 "versions": [ 45866 "2.7.0", 45867 "2.7.1", 45868 "2.7.2" 45869 ] 45870 } 45871 ], 45872 "aliases": [ 45873 "CVE-2016-3086" 45874 ], 45875 "database_specific": { 45876 "cwe_ids": [ 45877 "CWE-200" 45878 ], 45879 "github_reviewed": true, 45880 "github_reviewed_at": "2022-07-06T19:57:06Z", 45881 "nvd_published_at": "2017-09-05T13:29:00Z", 45882 "severity": "CRITICAL" 45883 }, 45884 "details": "The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can 
leak the password for credential store provider used by the NodeManager to YARN Applications.", 45885 "id": "GHSA-895m-ww55-59vw", 45886 "modified": "2023-11-08T03:58:25.259101Z", 45887 "published": "2022-05-17T01:08:00Z", 45888 "references": [ 45889 { 45890 "type": "ADVISORY", 45891 "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3086" 45892 }, 45893 { 45894 "type": "WEB", 45895 "url": "http://mail-archives.apache.org/mod_mbox/hadoop-general/201701.mbox/%3C0ed32746-5a53-9051-5877-2b1abd88beb6%40apache.org%3E" 45896 }, 45897 { 45898 "type": "WEB", 45899 "url": "http://www.securityfocus.com/bid/95335" 45900 } 45901 ], 45902 "schema_version": "1.6.0", 45903 "severity": [ 45904 { 45905 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 45906 "type": "CVSS_V3" 45907 } 45908 ], 45909 "summary": "Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop" 45910 }, 45911 { 45912 "affected": [ 45913 { 45914 "database_specific": { 45915 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-2x83-r56g-cv47/GHSA-2x83-r56g-cv47.json" 45916 }, 45917 "package": { 45918 "ecosystem": "Maven", 45919 "name": "org.apache.httpcomponents:httpclient", 45920 "purl": "pkg:maven/org.apache.httpcomponents/httpclient" 45921 }, 45922 "ranges": [ 45923 { 45924 "events": [ 45925 { 45926 "introduced": "0" 45927 }, 45928 { 45929 "fixed": "4.2.3" 45930 } 45931 ], 45932 "type": "ECOSYSTEM" 45933 } 45934 ], 45935 "versions": [ 45936 "4.0", 45937 "4.0-alpha1", 45938 "4.0-alpha2", 45939 "4.0-alpha3", 45940 "4.0-alpha4", 45941 "4.0-beta1", 45942 "4.0-beta2", 45943 "4.0.1", 45944 "4.0.2", 45945 "4.0.3", 45946 "4.1", 45947 "4.1-alpha1", 45948 "4.1-alpha2", 45949 "4.1-beta1", 45950 "4.1.1", 45951 "4.1.2", 45952 "4.1.3", 45953 "4.2", 45954 "4.2-alpha1", 45955 "4.2-beta1", 45956 "4.2.1", 45957 "4.2.2" 45958 ] 45959 } 45960 ], 45961 "aliases": [ 45962 "CVE-2012-6153" 45963 ], 45964 "database_specific": { 45965 "cwe_ids": [ 45966 
"CWE-20" 45967 ], 45968 "github_reviewed": true, 45969 "github_reviewed_at": "2020-06-16T20:53:18Z", 45970 "nvd_published_at": null, 45971 "severity": "HIGH" 45972 }, 45973 "details": "http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.", 45974 "id": "GHSA-2x83-r56g-cv47", 45975 "modified": "2024-03-05T19:01:43.163298Z", 45976 "published": "2018-10-17T00:05:15Z", 45977 "references": [ 45978 { 45979 "type": "ADVISORY", 45980 "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6153" 45981 }, 45982 { 45983 "type": "WEB", 45984 "url": "https://github.com/apache/httpcomponents-client/commit/6e14fc146a66e0f3eb362f45f95d1a58ee18886a" 45985 }, 45986 { 45987 "type": "WEB", 45988 "url": "https://github.com/apache/httpcomponents-client/commit/b930227f907af1198765fc47beabbddae344ca7b" 45989 }, 45990 { 45991 "type": "WEB", 45992 "url": "https://access.redhat.com/solutions/1165533" 45993 }, 45994 { 45995 "type": "WEB", 45996 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1129916" 45997 }, 45998 { 45999 "type": "ADVISORY", 46000 "url": "https://github.com/advisories/GHSA-2x83-r56g-cv47" 46001 }, 46002 { 46003 "type": "WEB", 46004 "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564" 46005 }, 46006 { 46007 "type": "WEB", 46008 "url": "http://rhn.redhat.com/errata/RHSA-2014-1098.html" 46009 }, 46010 { 46011 "type": "WEB", 46012 "url": "http://rhn.redhat.com/errata/RHSA-2014-1833.html" 46013 }, 46014 { 46015 "type": "WEB", 46016 "url": "http://rhn.redhat.com/errata/RHSA-2014-1834.html" 46017 }, 46018 { 46019 "type": "WEB", 46020 
"url": "http://rhn.redhat.com/errata/RHSA-2014-1835.html" 46021 }, 46022 { 46023 "type": "WEB", 46024 "url": "http://rhn.redhat.com/errata/RHSA-2014-1836.html" 46025 }, 46026 { 46027 "type": "WEB", 46028 "url": "http://rhn.redhat.com/errata/RHSA-2014-1891.html" 46029 }, 46030 { 46031 "type": "WEB", 46032 "url": "http://rhn.redhat.com/errata/RHSA-2014-1892.html" 46033 }, 46034 { 46035 "type": "WEB", 46036 "url": "http://rhn.redhat.com/errata/RHSA-2015-0125.html" 46037 }, 46038 { 46039 "type": "WEB", 46040 "url": "http://rhn.redhat.com/errata/RHSA-2015-0158.html" 46041 }, 46042 { 46043 "type": "WEB", 46044 "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html" 46045 }, 46046 { 46047 "type": "WEB", 46048 "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html" 46049 }, 46050 { 46051 "type": "WEB", 46052 "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html" 46053 }, 46054 { 46055 "type": "WEB", 46056 "url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html" 46057 }, 46058 { 46059 "type": "WEB", 46060 "url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html" 46061 }, 46062 { 46063 "type": "WEB", 46064 "url": "http://rhn.redhat.com/errata/RHSA-2015-1888.html" 46065 }, 46066 { 46067 "type": "WEB", 46068 "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1411705" 46069 }, 46070 { 46071 "type": "WEB", 46072 "url": "http://www.ubuntu.com/usn/USN-2769-1" 46073 } 46074 ], 46075 "schema_version": "1.6.0", 46076 "summary": "Improper certificate validation in org.apache.httpcomponents:httpclient" 46077 }, 46078 { 46079 "affected": [ 46080 { 46081 "database_specific": { 46082 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7r82-7xv7-xcpj/GHSA-7r82-7xv7-xcpj.json" 46083 }, 46084 "package": { 46085 "ecosystem": "Maven", 46086 "name": "org.apache.httpcomponents:httpclient", 46087 "purl": "pkg:maven/org.apache.httpcomponents/httpclient" 46088 }, 46089 "ranges": [ 46090 { 46091 "events": [ 46092 { 46093 
"introduced": "0" 46094 }, 46095 { 46096 "fixed": "4.5.13" 46097 } 46098 ], 46099 "type": "ECOSYSTEM" 46100 } 46101 ], 46102 "versions": [ 46103 "4.0", 46104 "4.0-alpha1", 46105 "4.0-alpha2", 46106 "4.0-alpha3", 46107 "4.0-alpha4", 46108 "4.0-beta1", 46109 "4.0-beta2", 46110 "4.0.1", 46111 "4.0.2", 46112 "4.0.3", 46113 "4.1", 46114 "4.1-alpha1", 46115 "4.1-alpha2", 46116 "4.1-beta1", 46117 "4.1.1", 46118 "4.1.2", 46119 "4.1.3", 46120 "4.2", 46121 "4.2-alpha1", 46122 "4.2-beta1", 46123 "4.2.1", 46124 "4.2.2", 46125 "4.2.3", 46126 "4.2.4", 46127 "4.2.5", 46128 "4.2.6", 46129 "4.3", 46130 "4.3-alpha1", 46131 "4.3-beta1", 46132 "4.3-beta2", 46133 "4.3.1", 46134 "4.3.2", 46135 "4.3.3", 46136 "4.3.4", 46137 "4.3.5", 46138 "4.3.6", 46139 "4.4", 46140 "4.4-alpha1", 46141 "4.4-beta1", 46142 "4.4.1", 46143 "4.5", 46144 "4.5.1", 46145 "4.5.10", 46146 "4.5.11", 46147 "4.5.12", 46148 "4.5.2", 46149 "4.5.3", 46150 "4.5.4", 46151 "4.5.5", 46152 "4.5.6", 46153 "4.5.7", 46154 "4.5.8", 46155 "4.5.9" 46156 ] 46157 }, 46158 { 46159 "database_specific": { 46160 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7r82-7xv7-xcpj/GHSA-7r82-7xv7-xcpj.json" 46161 }, 46162 "package": { 46163 "ecosystem": "Maven", 46164 "name": "org.apache.httpcomponents:httpclient", 46165 "purl": "pkg:maven/org.apache.httpcomponents/httpclient" 46166 }, 46167 "ranges": [ 46168 { 46169 "events": [ 46170 { 46171 "introduced": "5.0.0" 46172 }, 46173 { 46174 "fixed": "5.0.3" 46175 } 46176 ], 46177 "type": "ECOSYSTEM" 46178 } 46179 ] 46180 } 46181 ], 46182 "aliases": [ 46183 "CVE-2020-13956" 46184 ], 46185 "database_specific": { 46186 "cwe_ids": [ 46187 "CWE-79" 46188 ], 46189 "github_reviewed": true, 46190 "github_reviewed_at": "2021-04-12T22:25:52Z", 46191 "nvd_published_at": "2020-12-02T17:15:00Z", 46192 "severity": "MODERATE" 46193 }, 46194 "details": "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority 
component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.", 46195 "id": "GHSA-7r82-7xv7-xcpj", 46196 "modified": "2024-03-15T05:19:17.323914Z", 46197 "published": "2021-06-03T23:40:23Z", 46198 "references": [ 46199 { 46200 "type": "ADVISORY", 46201 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13956" 46202 }, 46203 { 46204 "type": "WEB", 46205 "url": "https://lists.apache.org/thread.html/re504acd4d63b8df2a7353658f45c9a3137e5f80e41cf7de50058b2c1@%3Cissues.solr.apache.org%3E" 46206 }, 46207 { 46208 "type": "WEB", 46209 "url": "https://lists.apache.org/thread.html/rd5ab56beb2ac6879f6ab427bc4e5f7691aed8362d17b713f61779858@%3Cissues.hive.apache.org%3E" 46210 }, 46211 { 46212 "type": "WEB", 46213 "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E" 46214 }, 46215 { 46216 "type": "WEB", 46217 "url": "https://lists.apache.org/thread.html/rcd9ad5dda60c82ab0d0c9bd3e9cb1dc740804451fc20c7f451ef5cc4@%3Cgitbox.hive.apache.org%3E" 46218 }, 46219 { 46220 "type": "WEB", 46221 "url": "https://lists.apache.org/thread.html/rcced7ed3237c29cd19c1e9bf465d0038b8b2e967b99fc283db7ca553@%3Cdev.ranger.apache.org%3E" 46222 }, 46223 { 46224 "type": "WEB", 46225 "url": "https://lists.apache.org/thread.html/rc990e2462ec32b09523deafb2c73606208599e196fa2d7f50bdbc587@%3Cissues.maven.apache.org%3E" 46226 }, 46227 { 46228 "type": "WEB", 46229 "url": "https://lists.apache.org/thread.html/rc5c6ccb86d2afe46bbd4b71573f0448dc1f87bbcd5a0d8c7f8f904b2@%3Cissues.lucene.apache.org%3E" 46230 }, 46231 { 46232 "type": "WEB", 46233 "url": "https://lists.apache.org/thread.html/rc505fee574fe8d18f9b0c655a4d120b0ae21bb6a73b96003e1d9be35@%3Cissues.solr.apache.org%3E" 46234 }, 46235 { 46236 "type": "WEB", 46237 "url": "https://lists.apache.org/thread.html/rc3739e0ad4bcf1888c6925233bfc37dd71156bbc8416604833095c42@%3Cdev.drill.apache.org%3E" 46238 }, 46239 { 46240 "type": 
"WEB", 46241 "url": "https://lists.apache.org/thread.html/rc0863892ccfd9fd0d0ae10091f24ee769fb39b8957fe4ebabfc11f17@%3Cdev.jackrabbit.apache.org%3E" 46242 }, 46243 { 46244 "type": "WEB", 46245 "url": "https://lists.apache.org/thread.html/rb725052404fabffbe093c83b2c46f3f87e12c3193a82379afbc529f8@%3Csolr-user.lucene.apache.org%3E" 46246 }, 46247 { 46248 "type": "WEB", 46249 "url": "https://lists.apache.org/thread.html/rb4ba262d6f08ab9cf8b1ebbcd9b00b0368ffe90dad7ad7918b4b56fc@%3Cdev.drill.apache.org%3E" 46250 }, 46251 { 46252 "type": "WEB", 46253 "url": "https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381@%3Ccommits.turbine.apache.org%3E" 46254 }, 46255 { 46256 "type": "WEB", 46257 "url": "https://lists.apache.org/thread.html/rae14ae25ff4a60251e3ba2629c082c5ba3851dfd4d21218b99b56652@%3Cissues.solr.apache.org%3E" 46258 }, 46259 { 46260 "type": "WEB", 46261 "url": "https://lists.apache.org/thread.html/rad6222134183046f3928f733bf680919e0c390739bfbfe6c90049673@%3Cissues.drill.apache.org%3E" 46262 }, 46263 { 46264 "type": "WEB", 46265 "url": "https://lists.apache.org/thread.html/ra8bc6b61c5df301a6fe5a716315528ecd17ccb8a7f907e24a47a1a5e@%3Cissues.lucene.apache.org%3E" 46266 }, 46267 { 46268 "type": "WEB", 46269 "url": "https://lists.apache.org/thread.html/rea3dbf633dde5008d38bf6600a3738b9216e733e03f9ff7becf79625@%3Cissues.drill.apache.org%3E" 46270 }, 46271 { 46272 "type": "WEB", 46273 "url": "https://lists.apache.org/thread.html/ree942561f4620313c75982a4e5f3b74fe6f7062b073210779648eec2@%3Cissues.lucene.apache.org%3E" 46274 }, 46275 { 46276 "type": "WEB", 46277 "url": "https://lists.apache.org/thread.html/reef569c2419705754a3acf42b5f19b2a158153cef0e448158bc54917@%3Cdev.drill.apache.org%3E" 46278 }, 46279 { 46280 "type": "WEB", 46281 "url": "https://lists.apache.org/thread.html/rf03228972e56cb4a03e6d9558188c2938078cf3ceb23a3fead87c9ca@%3Cissues.bookkeeper.apache.org%3E" 46282 }, 46283 { 46284 "type": "WEB", 46285 "url": 
"https://lists.apache.org/thread.html/rf43d17ed0d1fb4fb79036b582810ef60b18b1ef3add0d5dea825af1e@%3Cissues.lucene.apache.org%3E" 46286 }, 46287 { 46288 "type": "WEB", 46289 "url": "https://lists.apache.org/thread.html/rf4db88c22e1be9eb60c7dc623d0528642c045fb196a24774ac2fa3a3@%3Cissues.lucene.apache.org%3E" 46290 }, 46291 { 46292 "type": "WEB", 46293 "url": "https://lists.apache.org/thread.html/rf7ca60f78f05b772cc07d27e31bcd112f9910a05caf9095e38ee150f@%3Cdev.ranger.apache.org%3E" 46294 }, 46295 { 46296 "type": "WEB", 46297 "url": "https://lists.apache.org/thread.html/rfb35f6db9ba1f1e061b63769a4eff5abadcc254ebfefc280e5a0dcf1@%3Ccommits.creadur.apache.org%3E" 46298 }, 46299 { 46300 "type": "WEB", 46301 "url": "https://lists.apache.org/thread.html/rfbedcb586a1e7dfce87ee03c720e583fc2ceeafa05f35c542cecc624@%3Cissues.solr.apache.org%3E" 46302 }, 46303 { 46304 "type": "WEB", 46305 "url": "https://lists.apache.org/thread.html/rfc00884c7b7ca878297bffe45fcb742c362b00b26ba37070706d44c3@%3Cissues.hive.apache.org%3E" 46306 }, 46307 { 46308 "type": "WEB", 46309 "url": "https://security.netapp.com/advisory/ntap-20220210-0002" 46310 }, 46311 { 46312 "type": "WEB", 46313 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 46314 }, 46315 { 46316 "type": "WEB", 46317 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 46318 }, 46319 { 46320 "type": "WEB", 46321 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 46322 }, 46323 { 46324 "type": "WEB", 46325 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 46326 }, 46327 { 46328 "type": "WEB", 46329 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 46330 }, 46331 { 46332 "type": "WEB", 46333 "url": "https://lists.apache.org/thread.html/r4850b3fbaea02fde2886e461005e4af8d37c80a48b3ce2a6edca0e30@%3Cissues.solr.apache.org%3E" 46334 }, 46335 { 46336 "type": "WEB", 46337 "url": 
"https://lists.apache.org/thread.html/r3f740e4c38bba1face49078aa5cbeeb558c27be601cc9712ad2dcd1e@%3Ccommits.creadur.apache.org%3E" 46338 }, 46339 { 46340 "type": "WEB", 46341 "url": "https://lists.apache.org/thread.html/r3cecd59fba74404cbf4eb430135e1080897fb376f111406a78bed13a@%3Cissues.lucene.apache.org%3E" 46342 }, 46343 { 46344 "type": "WEB", 46345 "url": "https://lists.apache.org/thread.html/r34efec51cb817397ccf9f86e25a75676d435ba5f83ee7b2eabdad707@%3Ccommits.creadur.apache.org%3E" 46346 }, 46347 { 46348 "type": "WEB", 46349 "url": "https://lists.apache.org/thread.html/r34178ab6ef106bc940665fd3f4ba5026fac3603b3fa2aefafa0b619d@%3Cdev.ranger.apache.org%3E" 46350 }, 46351 { 46352 "type": "WEB", 46353 "url": "https://lists.apache.org/thread.html/r2dc7930b43eadc78220d269b79e13ecd387e4bee52db67b2f47d4303@%3Cgitbox.hive.apache.org%3E" 46354 }, 46355 { 46356 "type": "WEB", 46357 "url": "https://lists.apache.org/thread.html/r2a03dc210231d7e852ef73015f71792ac0fcaca6cccc024c522ef17d@%3Ccommits.creadur.apache.org%3E" 46358 }, 46359 { 46360 "type": "WEB", 46361 "url": "https://lists.apache.org/thread.html/r2835543ef0f91adcc47da72389b816e36936f584c7be584d2314fac3@%3Cissues.lucene.apache.org%3E" 46362 }, 46363 { 46364 "type": "WEB", 46365 "url": "https://lists.apache.org/thread.html/r132e4c6a560cfc519caa1aaee63bdd4036327610eadbd89f76dd5457@%3Cdev.creadur.apache.org%3E" 46366 }, 46367 { 46368 "type": "WEB", 46369 "url": "https://lists.apache.org/thread.html/r12cb62751b35bdcda0ae2a08b67877d665a1f4d41eee0fa7367169e0@%3Cdev.ranger.apache.org%3E" 46370 }, 46371 { 46372 "type": "WEB", 46373 "url": "https://lists.apache.org/thread.html/r0bebe6f9808ac7bdf572873b4fa96a29c6398c90dab29f131f3ebffe@%3Cissues.solr.apache.org%3E" 46374 }, 46375 { 46376 "type": "WEB", 46377 "url": "https://lists.apache.org/thread.html/r0a75b8f0f72f3e18442dc56d33f3827b905f2fe5b7ba48997436f5d1@%3Cissues.solr.apache.org%3E" 46378 }, 46379 { 46380 "type": "WEB", 46381 "url": 
"https://lists.apache.org/thread.html/r06cf3ca5c8ceb94b39cd24a73d4e96153b485a7dac88444dd876accb@%3Cissues.drill.apache.org%3E" 46382 }, 46383 { 46384 "type": "WEB", 46385 "url": "https://lists.apache.org/thread.html/r043a75acdeb52b15dd5e9524cdadef4202e6a5228644206acf9363f9@%3Cdev.hive.apache.org%3E" 46386 }, 46387 { 46388 "type": "WEB", 46389 "url": "https://lists.apache.org/thread.html/r03bbc318c81be21f5c8a9b85e34f2ecc741aa804a8e43b0ef2c37749@%3Cissues.maven.apache.org%3E" 46390 }, 46391 { 46392 "type": "PACKAGE", 46393 "url": "https://github.com/apache/httpcomponents-client" 46394 }, 46395 { 46396 "type": "WEB", 46397 "url": "https://lists.apache.org/thread.html/ra539f20ef0fb0c27ee39945b5f56bf162e5c13d1c60f7344dab8de3b@%3Cissues.maven.apache.org%3E" 46398 }, 46399 { 46400 "type": "WEB", 46401 "url": "https://lists.apache.org/thread.html/r9e52a6c72c8365000ecd035e48cc9fee5a677a150350d4420c46443d@%3Cdev.drill.apache.org%3E" 46402 }, 46403 { 46404 "type": "WEB", 46405 "url": "https://lists.apache.org/thread.html/r8aa1e5c343b89aec5b69961471950e862f15246cb6392910161c389b@%3Cissues.maven.apache.org%3E" 46406 }, 46407 { 46408 "type": "WEB", 46409 "url": "https://lists.apache.org/thread.html/r87ddc09295c27f25471269ad0a79433a91224045988b88f0413a97ec@%3Cissues.bookkeeper.apache.org%3E" 46410 }, 46411 { 46412 "type": "WEB", 46413 "url": "https://lists.apache.org/thread.html/r70c429923100c5a4fae8e5bc71c8a2d39af3de4888f50a0ac3755e6f@%3Ccommits.creadur.apache.org%3E" 46414 }, 46415 { 46416 "type": "WEB", 46417 "url": "https://lists.apache.org/thread.html/r6eb2dae157dbc9af1f30d1f64e9c60d4ebef618f3dce4a0e32d6ea4d@%3Ccommits.drill.apache.org%3E" 46418 }, 46419 { 46420 "type": "WEB", 46421 "url": "https://lists.apache.org/thread.html/r6dab7da30f8bf075f79ee189e33b45a197502e2676481bb8787fc0d7%40%3Cdev.hc.apache.org%3E" 46422 }, 46423 { 46424 "type": "WEB", 46425 "url": 
"https://lists.apache.org/thread.html/r6d672b46622842e565e00f6ef6bef83eb55d8792aac2bee75bff9a2a@%3Cissues.lucene.apache.org%3E" 46426 }, 46427 { 46428 "type": "WEB", 46429 "url": "https://lists.apache.org/thread.html/r6a3cda38d050ebe13c1bc9a28d0a8ec38945095d07eca49046bcb89f@%3Cissues.solr.apache.org%3E" 46430 }, 46431 { 46432 "type": "WEB", 46433 "url": "https://lists.apache.org/thread.html/r69a94e2f302d1b778bdfefe90fcb4b8c50b226438c3c8c1d0de85a19@%3Cdev.ranger.apache.org%3E" 46434 }, 46435 { 46436 "type": "WEB", 46437 "url": "https://lists.apache.org/thread.html/r63296c45d5d84447babaf39bd1487329d8a80d8d563e67a4b6f3d8a7@%3Cdev.ranger.apache.org%3E" 46438 }, 46439 { 46440 "type": "WEB", 46441 "url": "https://lists.apache.org/thread.html/r5fec9c1d67f928179adf484b01e7becd7c0a6fdfe3a08f92ea743b90@%3Cissues.hive.apache.org%3E" 46442 }, 46443 { 46444 "type": "WEB", 46445 "url": "https://lists.apache.org/thread.html/r5de3d3808e7b5028df966e45115e006456c4e8931dc1e29036f17927@%3Cissues.solr.apache.org%3E" 46446 }, 46447 { 46448 "type": "WEB", 46449 "url": "https://lists.apache.org/thread.html/r5b55f65c123a7481104d663a915ec45a0d103e6aaa03f42ed1c07a89@%3Cdev.jackrabbit.apache.org%3E" 46450 }, 46451 { 46452 "type": "WEB", 46453 "url": "https://lists.apache.org/thread.html/r55b2a1d1e9b1ec9db792b93da8f0f99a4fd5a5310b02673359d9b4d1@%3Cdev.drill.apache.org%3E" 46454 }, 46455 { 46456 "type": "WEB", 46457 "url": "https://lists.apache.org/thread.html/r549ac8c159bf0c568c19670bedeb8d7c0074beded951d34b1c1d0d05@%3Cdev.drill.apache.org%3E" 46458 } 46459 ], 46460 "related": [ 46461 "CGA-6936-26rm-54qh", 46462 "CGA-7v36-x4w2-722q" 46463 ], 46464 "schema_version": "1.6.0", 46465 "severity": [ 46466 { 46467 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", 46468 "type": "CVSS_V3" 46469 } 46470 ], 46471 "summary": "Cross-site scripting in Apache HttpClient" 46472 }, 46473 { 46474 "affected": [ 46475 { 46476 "database_specific": { 46477 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cfh5-3ghh-wfjx/GHSA-cfh5-3ghh-wfjx.json" 46478 }, 46479 "package": { 46480 "ecosystem": "Maven", 46481 "name": "org.apache.httpcomponents:httpclient", 46482 "purl": "pkg:maven/org.apache.httpcomponents/httpclient" 46483 }, 46484 "ranges": [ 46485 { 46486 "events": [ 46487 { 46488 "introduced": "0" 46489 }, 46490 { 46491 "fixed": "4.3.5" 46492 } 46493 ], 46494 "type": "ECOSYSTEM" 46495 } 46496 ], 46497 "versions": [ 46498 "4.0", 46499 "4.0-alpha1", 46500 "4.0-alpha2", 46501 "4.0-alpha3", 46502 "4.0-alpha4", 46503 "4.0-beta1", 46504 "4.0-beta2", 46505 "4.0.1", 46506 "4.0.2", 46507 "4.0.3", 46508 "4.1", 46509 "4.1-alpha1", 46510 "4.1-alpha2", 46511 "4.1-beta1", 46512 "4.1.1", 46513 "4.1.2", 46514 "4.1.3", 46515 "4.2", 46516 "4.2-alpha1", 46517 "4.2-beta1", 46518 "4.2.1", 46519 "4.2.2", 46520 "4.2.3", 46521 "4.2.4", 46522 "4.2.5", 46523 "4.2.6", 46524 "4.3", 46525 "4.3-alpha1", 46526 "4.3-beta1", 46527 "4.3-beta2", 46528 "4.3.1", 46529 "4.3.2", 46530 "4.3.3", 46531 "4.3.4" 46532 ] 46533 } 46534 ], 46535 "aliases": [ 46536 "CVE-2014-3577" 46537 ], 46538 "database_specific": { 46539 "cwe_ids": [ 46540 "CWE-347" 46541 ], 46542 "github_reviewed": true, 46543 "github_reviewed_at": "2020-06-16T21:31:17Z", 46544 "nvd_published_at": "2014-08-21T14:55:00Z", 46545 "severity": "MODERATE" 46546 }, 46547 "details": "org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a \"CN=\" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the \"foo,CN=www.apache.org\" string in the O field.", 46548 "id": "GHSA-cfh5-3ghh-wfjx", 46549 "modified": "2024-04-12T22:16:00.435748Z", 
46550 "published": "2018-10-17T00:05:06Z", 46551 "references": [ 46552 { 46553 "type": "ADVISORY", 46554 "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3577" 46555 }, 46556 { 46557 "type": "WEB", 46558 "url": "https://github.com/apache/httpcomponents-client/commit/51cc67567765d67f878f0dcef61b5ded454d3122" 46559 }, 46560 { 46561 "type": "WEB", 46562 "url": "https://svn.apache.org/viewvc?view=revision\u0026revision=1614064" 46563 }, 46564 { 46565 "type": "WEB", 46566 "url": "https://security.netapp.com/advisory/ntap-20231027-0003" 46567 }, 46568 { 46569 "type": "WEB", 46570 "url": "https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E" 46571 }, 46572 { 46573 "type": "WEB", 46574 "url": "https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E" 46575 }, 46576 { 46577 "type": "WEB", 46578 "url": "https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E" 46579 }, 46580 { 46581 "type": "WEB", 46582 "url": "https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E" 46583 }, 46584 { 46585 "type": "WEB", 46586 "url": "https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E" 46587 }, 46588 { 46589 "type": "WEB", 46590 "url": "https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E" 46591 }, 46592 { 46593 "type": "WEB", 46594 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 46595 }, 46596 { 46597 "type": "WEB", 46598 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 46599 }, 46600 { 46601 "type": "WEB", 46602 
"url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 46603 }, 46604 { 46605 "type": "PACKAGE", 46606 "url": "https://github.com/apache/httpcomponents-client" 46607 }, 46608 { 46609 "type": "ADVISORY", 46610 "url": "https://github.com/advisories/GHSA-cfh5-3ghh-wfjx" 46611 }, 46612 { 46613 "type": "WEB", 46614 "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/95327" 46615 }, 46616 { 46617 "type": "WEB", 46618 "url": "https://access.redhat.com/solutions/1165533" 46619 }, 46620 { 46621 "type": "WEB", 46622 "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00032.html" 46623 }, 46624 { 46625 "type": "WEB", 46626 "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00033.html" 46627 }, 46628 { 46629 "type": "WEB", 46630 "url": "http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html" 46631 }, 46632 { 46633 "type": "WEB", 46634 "url": "http://rhn.redhat.com/errata/RHSA-2014-1146.html" 46635 }, 46636 { 46637 "type": "WEB", 46638 "url": "http://rhn.redhat.com/errata/RHSA-2014-1166.html" 46639 }, 46640 { 46641 "type": "WEB", 46642 "url": "http://rhn.redhat.com/errata/RHSA-2014-1833.html" 46643 }, 46644 { 46645 "type": "WEB", 46646 "url": "http://rhn.redhat.com/errata/RHSA-2014-1834.html" 46647 }, 46648 { 46649 "type": "WEB", 46650 "url": "http://rhn.redhat.com/errata/RHSA-2014-1835.html" 46651 }, 46652 { 46653 "type": "WEB", 46654 "url": "http://rhn.redhat.com/errata/RHSA-2014-1836.html" 46655 }, 46656 { 46657 "type": "WEB", 46658 "url": "http://rhn.redhat.com/errata/RHSA-2014-1891.html" 46659 }, 46660 { 46661 "type": "WEB", 46662 "url": "http://rhn.redhat.com/errata/RHSA-2014-1892.html" 46663 }, 46664 { 46665 "type": "WEB", 46666 "url": "http://rhn.redhat.com/errata/RHSA-2015-0125.html" 46667 }, 46668 { 46669 "type": "WEB", 46670 "url": "http://rhn.redhat.com/errata/RHSA-2015-0158.html" 46671 }, 46672 { 46673 
"type": "WEB", 46674 "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html" 46675 }, 46676 { 46677 "type": "WEB", 46678 "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html" 46679 }, 46680 { 46681 "type": "WEB", 46682 "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html" 46683 }, 46684 { 46685 "type": "WEB", 46686 "url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html" 46687 }, 46688 { 46689 "type": "WEB", 46690 "url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html" 46691 }, 46692 { 46693 "type": "WEB", 46694 "url": "http://rhn.redhat.com/errata/RHSA-2015-1176.html" 46695 }, 46696 { 46697 "type": "WEB", 46698 "url": "http://rhn.redhat.com/errata/RHSA-2015-1177.html" 46699 }, 46700 { 46701 "type": "WEB", 46702 "url": "http://rhn.redhat.com/errata/RHSA-2015-1888.html" 46703 }, 46704 { 46705 "type": "WEB", 46706 "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html" 46707 }, 46708 { 46709 "type": "WEB", 46710 "url": "http://rhn.redhat.com/errata/RHSA-2016-1931.html" 46711 }, 46712 { 46713 "type": "WEB", 46714 "url": "http://seclists.org/fulldisclosure/2014/Aug/48" 46715 }, 46716 { 46717 "type": "WEB", 46718 "url": "http://www.openwall.com/lists/oss-security/2021/10/06/1" 46719 }, 46720 { 46721 "type": "WEB", 46722 "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" 46723 }, 46724 { 46725 "type": "WEB", 46726 "url": "http://www.ubuntu.com/usn/USN-2769-1" 46727 } 46728 ], 46729 "schema_version": "1.6.0", 46730 "summary": "Improper Verification of Cryptographic Signature in org.apache.httpcomponents:httpclient" 46731 }, 46732 { 46733 "affected": [ 46734 { 46735 "database_specific": { 46736 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-fmj5-wv96-r2ch/GHSA-fmj5-wv96-r2ch.json" 46737 }, 46738 "package": { 46739 "ecosystem": "Maven", 46740 "name": "org.apache.httpcomponents:httpclient", 46741 "purl": "pkg:maven/org.apache.httpcomponents/httpclient" 46742 }, 46743 
"ranges": [ 46744 { 46745 "events": [ 46746 { 46747 "introduced": "0" 46748 }, 46749 { 46750 "fixed": "4.3.6" 46751 } 46752 ], 46753 "type": "ECOSYSTEM" 46754 } 46755 ], 46756 "versions": [ 46757 "4.0", 46758 "4.0-alpha1", 46759 "4.0-alpha2", 46760 "4.0-alpha3", 46761 "4.0-alpha4", 46762 "4.0-beta1", 46763 "4.0-beta2", 46764 "4.0.1", 46765 "4.0.2", 46766 "4.0.3", 46767 "4.1", 46768 "4.1-alpha1", 46769 "4.1-alpha2", 46770 "4.1-beta1", 46771 "4.1.1", 46772 "4.1.2", 46773 "4.1.3", 46774 "4.2", 46775 "4.2-alpha1", 46776 "4.2-beta1", 46777 "4.2.1", 46778 "4.2.2", 46779 "4.2.3", 46780 "4.2.4", 46781 "4.2.5", 46782 "4.2.6", 46783 "4.3", 46784 "4.3-alpha1", 46785 "4.3-beta1", 46786 "4.3-beta2", 46787 "4.3.1", 46788 "4.3.2", 46789 "4.3.3", 46790 "4.3.4", 46791 "4.3.5" 46792 ] 46793 } 46794 ], 46795 "aliases": [ 46796 "CVE-2015-5262" 46797 ], 46798 "database_specific": { 46799 "cwe_ids": [], 46800 "github_reviewed": true, 46801 "github_reviewed_at": "2020-06-16T21:34:55Z", 46802 "nvd_published_at": "2015-10-27T16:59:00Z", 46803 "severity": "MODERATE" 46804 }, 46805 "details": "http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.", 46806 "id": "GHSA-fmj5-wv96-r2ch", 46807 "modified": "2024-02-22T05:42:22.050973Z", 46808 "published": "2018-10-17T00:05:29Z", 46809 "references": [ 46810 { 46811 "type": "ADVISORY", 46812 "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5262" 46813 }, 46814 { 46815 "type": "WEB", 46816 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1261538" 46817 }, 46818 { 46819 "type": "ADVISORY", 46820 "url": "https://github.com/advisories/GHSA-fmj5-wv96-r2ch" 46821 }, 46822 { 46823 "type": "WEB", 46824 "url": "https://issues.apache.org/jira/browse/HTTPCLIENT-1478" 46825 }, 46826 { 46827 "type": "WEB", 46828 "url": 
"https://jenkins.io/security/advisory/2018-02-26" 46829 }, 46830 { 46831 "type": "WEB", 46832 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" 46833 }, 46834 { 46835 "type": "WEB", 46836 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 46837 }, 46838 { 46839 "type": "WEB", 46840 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" 46841 }, 46842 { 46843 "type": "WEB", 46844 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 46845 }, 46846 { 46847 "type": "WEB", 46848 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" 46849 }, 46850 { 46851 "type": "WEB", 46852 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 46853 }, 46854 { 46855 "type": "WEB", 46856 "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167962.html" 46857 }, 46858 { 46859 "type": "WEB", 46860 "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167999.html" 46861 }, 46862 { 46863 "type": "WEB", 46864 "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168030.html" 46865 }, 46866 { 46867 "type": "WEB", 46868 "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00032.html" 46869 }, 46870 { 46871 "type": "WEB", 46872 "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00033.html" 46873 }, 46874 { 46875 "type": "WEB", 46876 "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1626784" 46877 }, 46878 { 46879 "type": "WEB", 46880 "url": 
"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" 46881 }, 46882 { 46883 "type": "WEB", 46884 "url": "http://www.securitytracker.com/id/1033743" 46885 }, 46886 { 46887 "type": "WEB", 46888 "url": "http://www.ubuntu.com/usn/USN-2769-1" 46889 } 46890 ], 46891 "schema_version": "1.6.0", 46892 "summary": "Denial of service vulnerability in org.apache.httpcomponents:httpclient" 46893 }, 46894 { 46895 "affected": [ 46896 { 46897 "database_specific": { 46898 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gw85-4gmf-m7rh/GHSA-gw85-4gmf-m7rh.json" 46899 }, 46900 "package": { 46901 "ecosystem": "Maven", 46902 "name": "org.apache.httpcomponents:httpclient", 46903 "purl": "pkg:maven/org.apache.httpcomponents/httpclient" 46904 }, 46905 "ranges": [ 46906 { 46907 "events": [ 46908 { 46909 "introduced": "4.0.0" 46910 }, 46911 { 46912 "fixed": "4.1.1" 46913 } 46914 ], 46915 "type": "ECOSYSTEM" 46916 } 46917 ], 46918 "versions": [ 46919 "4.0", 46920 "4.0.1", 46921 "4.0.2", 46922 "4.0.3", 46923 "4.1", 46924 "4.1-alpha1", 46925 "4.1-alpha2", 46926 "4.1-beta1" 46927 ] 46928 } 46929 ], 46930 "aliases": [ 46931 "CVE-2011-1498" 46932 ], 46933 "database_specific": { 46934 "cwe_ids": [ 46935 "CWE-200" 46936 ], 46937 "github_reviewed": true, 46938 "github_reviewed_at": "2022-07-13T17:20:15Z", 46939 "nvd_published_at": "2011-07-07T21:55:00Z", 46940 "severity": "MODERATE" 46941 }, 46942 "details": "Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header.", 46943 "id": "GHSA-gw85-4gmf-m7rh", 46944 "modified": "2024-03-05T19:16:07.039655Z", 46945 "published": "2022-05-17T05:39:03Z", 46946 "references": [ 46947 { 46948 "type": "ADVISORY", 46949 "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1498" 46950 }, 46951 { 
46952 "type": "WEB", 46953 "url": "https://github.com/apache/httpcomponents-client/commit/a572756592c969affd0ce87885724e74839176fb" 46954 }, 46955 { 46956 "type": "WEB", 46957 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=709531" 46958 }, 46959 { 46960 "type": "PACKAGE", 46961 "url": "https://github.com/apache/httpcomponents-client" 46962 }, 46963 { 46964 "type": "WEB", 46965 "url": "https://issues.apache.org/jira/browse/HTTPCLIENT-1061" 46966 }, 46967 { 46968 "type": "WEB", 46969 "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061440.html" 46970 }, 46971 { 46972 "type": "WEB", 46973 "url": "http://marc.info/?l=httpclient-users\u0026m=129853896315461\u0026w=2" 46974 }, 46975 { 46976 "type": "WEB", 46977 "url": "http://marc.info/?l=httpclient-users\u0026m=129856318011586\u0026w=2" 46978 }, 46979 { 46980 "type": "WEB", 46981 "url": "http://marc.info/?l=httpclient-users\u0026m=129857589129183\u0026w=2" 46982 }, 46983 { 46984 "type": "WEB", 46985 "url": "http://marc.info/?l=httpclient-users\u0026m=129858274406594\u0026w=2" 46986 }, 46987 { 46988 "type": "WEB", 46989 "url": "http://marc.info/?l=httpclient-users\u0026m=129858299106950\u0026w=2" 46990 }, 46991 { 46992 "type": "WEB", 46993 "url": "http://openwall.com/lists/oss-security/2011/04/07/7" 46994 }, 46995 { 46996 "type": "WEB", 46997 "url": "http://openwall.com/lists/oss-security/2011/04/08/1" 46998 }, 46999 { 47000 "type": "WEB", 47001 "url": "http://securityreason.com/securityalert/8298" 47002 } 47003 ], 47004 "schema_version": "1.6.0", 47005 "summary": "Exposure of Sensitive Information to an Unauthorized Actor in Apache HttpClient" 47006 }, 47007 { 47008 "affected": [ 47009 { 47010 "database_specific": { 47011 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pqwh-44jj-p5rm/GHSA-pqwh-44jj-p5rm.json" 47012 }, 47013 "package": { 47014 "ecosystem": "Maven", 47015 "name": "org.apache.httpcomponents:httpclient", 47016 "purl": 
"pkg:maven/org.apache.httpcomponents/httpclient" 47017 }, 47018 "ranges": [ 47019 { 47020 "events": [ 47021 { 47022 "introduced": "4.3" 47023 }, 47024 { 47025 "fixed": "4.3.1" 47026 } 47027 ], 47028 "type": "ECOSYSTEM" 47029 } 47030 ], 47031 "versions": [ 47032 "4.3" 47033 ] 47034 } 47035 ], 47036 "aliases": [ 47037 "CVE-2013-4366" 47038 ], 47039 "database_specific": { 47040 "cwe_ids": [ 47041 "CWE-20" 47042 ], 47043 "github_reviewed": true, 47044 "github_reviewed_at": "2022-06-09T22:47:59Z", 47045 "nvd_published_at": "2017-10-30T19:29:00Z", 47046 "severity": "CRITICAL" 47047 }, 47048 "details": "http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.", 47049 "id": "GHSA-pqwh-44jj-p5rm", 47050 "modified": "2024-03-05T17:33:19.157465Z", 47051 "published": "2022-05-13T01:25:03Z", 47052 "references": [ 47053 { 47054 "type": "ADVISORY", 47055 "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4366" 47056 }, 47057 { 47058 "type": "WEB", 47059 "url": "https://github.com/apache/httpcomponents-client/commit/08140864e3e4c0994e094c4cf0507932baf6a66" 47060 }, 47061 { 47062 "type": "WEB", 47063 "url": "http://svn.apache.org/r1528614" 47064 }, 47065 { 47066 "type": "WEB", 47067 "url": "http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.3.x.txt" 47068 } 47069 ], 47070 "schema_version": "1.6.0", 47071 "severity": [ 47072 { 47073 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 47074 "type": "CVSS_V3" 47075 } 47076 ], 47077 "summary": "Hostname verification in Apache HttpClient 4.3 was disabled by default" 47078 }, 47079 { 47080 "affected": [ 47081 { 47082 "database_specific": { 47083 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json" 47084 }, 47085 "package": { 47086 "ecosystem": "Maven", 
47087 "name": "org.apache.jackrabbit:jackrabbit-webdav", 47088 "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-webdav" 47089 }, 47090 "ranges": [ 47091 { 47092 "events": [ 47093 { 47094 "introduced": "2.4.0" 47095 }, 47096 { 47097 "fixed": "2.4.6" 47098 } 47099 ], 47100 "type": "ECOSYSTEM" 47101 } 47102 ], 47103 "versions": [ 47104 "2.4.0", 47105 "2.4.1", 47106 "2.4.2", 47107 "2.4.3", 47108 "2.4.4", 47109 "2.4.5" 47110 ] 47111 }, 47112 { 47113 "database_specific": { 47114 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json" 47115 }, 47116 "package": { 47117 "ecosystem": "Maven", 47118 "name": "org.apache.jackrabbit:jackrabbit-webdav", 47119 "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-webdav" 47120 }, 47121 "ranges": [ 47122 { 47123 "events": [ 47124 { 47125 "introduced": "2.6.0" 47126 }, 47127 { 47128 "fixed": "2.6.6" 47129 } 47130 ], 47131 "type": "ECOSYSTEM" 47132 } 47133 ], 47134 "versions": [ 47135 "2.6.0", 47136 "2.6.1", 47137 "2.6.2", 47138 "2.6.3", 47139 "2.6.4", 47140 "2.6.5" 47141 ] 47142 }, 47143 { 47144 "database_specific": { 47145 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json" 47146 }, 47147 "package": { 47148 "ecosystem": "Maven", 47149 "name": "org.apache.jackrabbit:jackrabbit-webdav", 47150 "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-webdav" 47151 }, 47152 "ranges": [ 47153 { 47154 "events": [ 47155 { 47156 "introduced": "2.8.0" 47157 }, 47158 { 47159 "fixed": "2.8.3" 47160 } 47161 ], 47162 "type": "ECOSYSTEM" 47163 } 47164 ], 47165 "versions": [ 47166 "2.8.0", 47167 "2.8.1", 47168 "2.8.2" 47169 ] 47170 }, 47171 { 47172 "database_specific": { 47173 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json" 47174 }, 47175 "package": { 47176 "ecosystem": 
"Maven", 47177 "name": "org.apache.jackrabbit:jackrabbit-webdav", 47178 "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-webdav" 47179 }, 47180 "ranges": [ 47181 { 47182 "events": [ 47183 { 47184 "introduced": "2.10.0" 47185 }, 47186 { 47187 "fixed": "2.10.4" 47188 } 47189 ], 47190 "type": "ECOSYSTEM" 47191 } 47192 ], 47193 "versions": [ 47194 "2.10.0", 47195 "2.10.1", 47196 "2.10.2", 47197 "2.10.3" 47198 ] 47199 }, 47200 { 47201 "database_specific": { 47202 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json" 47203 }, 47204 "package": { 47205 "ecosystem": "Maven", 47206 "name": "org.apache.jackrabbit:jackrabbit-webdav", 47207 "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-webdav" 47208 }, 47209 "ranges": [ 47210 { 47211 "events": [ 47212 { 47213 "introduced": "2.12.0" 47214 }, 47215 { 47216 "fixed": "2.12.4" 47217 } 47218 ], 47219 "type": "ECOSYSTEM" 47220 } 47221 ], 47222 "versions": [ 47223 "2.12.0", 47224 "2.12.1", 47225 "2.12.2", 47226 "2.12.3" 47227 ] 47228 }, 47229 { 47230 "database_specific": { 47231 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json" 47232 }, 47233 "package": { 47234 "ecosystem": "Maven", 47235 "name": "org.apache.jackrabbit:jackrabbit-webdav", 47236 "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-webdav" 47237 }, 47238 "ranges": [ 47239 { 47240 "events": [ 47241 { 47242 "introduced": "2.13.0" 47243 }, 47244 { 47245 "fixed": "2.13.3" 47246 } 47247 ], 47248 "type": "ECOSYSTEM" 47249 } 47250 ], 47251 "versions": [ 47252 "2.13.0", 47253 "2.13.1", 47254 "2.13.2" 47255 ] 47256 } 47257 ], 47258 "aliases": [ 47259 "CVE-2016-6801" 47260 ], 47261 "database_specific": { 47262 "cwe_ids": [ 47263 "CWE-352" 47264 ], 47265 "github_reviewed": true, 47266 "github_reviewed_at": "2023-07-31T22:54:02Z", 47267 "nvd_published_at": "2016-09-21T14:25:00Z", 47268 
"severity": "HIGH" 47269 }, 47270 "details": "Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.", 47271 "id": "GHSA-9fc7-rhq3-wm7x", 47272 "modified": "2024-02-16T08:06:20.90686Z", 47273 "published": "2022-05-17T03:48:02Z", 47274 "references": [ 47275 { 47276 "type": "ADVISORY", 47277 "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6801" 47278 }, 47279 { 47280 "type": "WEB", 47281 "url": "https://github.com/apache/jackrabbit/commit/16f2f02fcaef6202a2bf24c449d4fd10eb98f08d" 47282 }, 47283 { 47284 "type": "WEB", 47285 "url": "https://github.com/apache/jackrabbit/commit/ea75d7c2aeaafecd9ab97736bf81c5616f703244" 47286 }, 47287 { 47288 "type": "WEB", 47289 "url": "https://github.com/apache/jackrabbit/commit/eae001a54aae9c243ac06b5c8f711b2cb2038700" 47290 }, 47291 { 47292 "type": "PACKAGE", 47293 "url": "https://github.com/apache/jackrabbit" 47294 }, 47295 { 47296 "type": "WEB", 47297 "url": "https://issues.apache.org/jira/browse/JCR-4009" 47298 }, 47299 { 47300 "type": "WEB", 47301 "url": "https://web.archive.org/web/20210123170657/http://www.securityfocus.com/bid/92966" 47302 }, 47303 { 47304 "type": "WEB", 47305 "url": "http://www.debian.org/security/2016/dsa-3679" 47306 }, 47307 { 47308 "type": "WEB", 47309 "url": "http://www.openwall.com/lists/oss-security/2016/09/14/6" 47310 } 47311 ], 47312 "schema_version": "1.6.0", 47313 "severity": [ 47314 { 47315 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", 47316 "type": "CVSS_V3" 47317 } 47318 ], 47319 "summary": "Apache Jackrabbit Authentication Hijacking Vulnerability" 47320 }, 47321 { 47322 "affected": [ 47323 { 47324 
"database_specific": { 47325 "last_known_affected_version_range": "\u003c= 2.0.20", 47326 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5h29-qq92-wj7f/GHSA-5h29-qq92-wj7f.json" 47327 }, 47328 "package": { 47329 "ecosystem": "Maven", 47330 "name": "org.apache.mina:mina-core", 47331 "purl": "pkg:maven/org.apache.mina/mina-core" 47332 }, 47333 "ranges": [ 47334 { 47335 "events": [ 47336 { 47337 "introduced": "0" 47338 }, 47339 { 47340 "fixed": "2.0.21" 47341 } 47342 ], 47343 "type": "ECOSYSTEM" 47344 } 47345 ], 47346 "versions": [ 47347 "1.0.0", 47348 "1.0.1", 47349 "1.0.10", 47350 "1.0.2", 47351 "1.0.3", 47352 "1.0.4", 47353 "1.0.5", 47354 "1.0.6", 47355 "1.0.7", 47356 "1.0.8", 47357 "1.0.9", 47358 "1.1.0", 47359 "1.1.1", 47360 "1.1.2", 47361 "1.1.3", 47362 "1.1.4", 47363 "1.1.5", 47364 "1.1.6", 47365 "1.1.7", 47366 "2.0.0", 47367 "2.0.0-M1", 47368 "2.0.0-M2", 47369 "2.0.0-M3", 47370 "2.0.0-M4", 47371 "2.0.0-M5", 47372 "2.0.0-M6", 47373 "2.0.0-RC1", 47374 "2.0.1", 47375 "2.0.10", 47376 "2.0.11", 47377 "2.0.12", 47378 "2.0.13", 47379 "2.0.14", 47380 "2.0.15", 47381 "2.0.16", 47382 "2.0.17", 47383 "2.0.18", 47384 "2.0.19", 47385 "2.0.2", 47386 "2.0.20", 47387 "2.0.3", 47388 "2.0.4", 47389 "2.0.5", 47390 "2.0.6", 47391 "2.0.7", 47392 "2.0.8", 47393 "2.0.9" 47394 ] 47395 }, 47396 { 47397 "database_specific": { 47398 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5h29-qq92-wj7f/GHSA-5h29-qq92-wj7f.json" 47399 }, 47400 "package": { 47401 "ecosystem": "Maven", 47402 "name": "org.apache.mina:mina-core", 47403 "purl": "pkg:maven/org.apache.mina/mina-core" 47404 }, 47405 "ranges": [ 47406 { 47407 "events": [ 47408 { 47409 "introduced": "2.1.0" 47410 }, 47411 { 47412 "fixed": "2.1.1" 47413 } 47414 ], 47415 "type": "ECOSYSTEM" 47416 } 47417 ], 47418 "versions": [ 47419 "2.1.0" 47420 ] 47421 } 47422 ], 47423 "aliases": [ 47424 "CVE-2019-0231" 47425 ], 47426 
"database_specific": { 47427 "cwe_ids": [ 47428 "CWE-319" 47429 ], 47430 "github_reviewed": true, 47431 "github_reviewed_at": "2022-06-29T15:48:56Z", 47432 "nvd_published_at": "2019-10-01T20:15:00Z", 47433 "severity": "HIGH" 47434 }, 47435 "details": "Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.0.21, 2.1.0 users should migrate to 2.1.1. This issue affects: Apache MINA.", 47436 "id": "GHSA-5h29-qq92-wj7f", 47437 "modified": "2023-11-08T04:00:32.405493Z", 47438 "published": "2022-05-24T16:57:28Z", 47439 "references": [ 47440 { 47441 "type": "ADVISORY", 47442 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0231" 47443 }, 47444 { 47445 "type": "WEB", 47446 "url": "http://mina.apache.org/mina-project/index.html#mina-211-mina-2021-released-posted-on-april-14-2019" 47447 } 47448 ], 47449 "schema_version": "1.6.0", 47450 "severity": [ 47451 { 47452 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 47453 "type": "CVSS_V3" 47454 } 47455 ], 47456 "summary": "Cleartext Transmission of Sensitive Information in Apache MINA" 47457 }, 47458 { 47459 "affected": [ 47460 { 47461 "database_specific": { 47462 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-6mcm-j9cj-3vc3/GHSA-6mcm-j9cj-3vc3.json" 47463 }, 47464 "package": { 47465 "ecosystem": "Maven", 47466 "name": "org.apache.mina:mina-core", 47467 "purl": "pkg:maven/org.apache.mina/mina-core" 47468 }, 47469 "ranges": [ 47470 { 47471 "events": [ 47472 { 47473 "introduced": "2.1.0" 47474 }, 47475 { 47476 "fixed": "2.1.5" 47477 } 47478 ], 47479 "type": "ECOSYSTEM" 47480 } 47481 ], 47482 "versions": [ 47483 "2.1.0", 47484 "2.1.1", 47485 "2.1.2", 47486 "2.1.3", 47487 "2.1.4" 47488 ] 47489 }, 47490 { 47491 "database_specific": { 47492 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-6mcm-j9cj-3vc3/GHSA-6mcm-j9cj-3vc3.json" 47493 }, 47494 "package": { 47495 "ecosystem": "Maven", 47496 "name": "org.apache.mina:mina-core", 47497 "purl": "pkg:maven/org.apache.mina/mina-core" 47498 }, 47499 "ranges": [ 47500 { 47501 "events": [ 47502 { 47503 "introduced": "0" 47504 }, 47505 { 47506 "fixed": "2.0.22" 47507 } 47508 ], 47509 "type": "ECOSYSTEM" 47510 } 47511 ], 47512 "versions": [ 47513 "1.0.0", 47514 "1.0.1", 47515 "1.0.10", 47516 "1.0.2", 47517 "1.0.3", 47518 "1.0.4", 47519 "1.0.5", 47520 "1.0.6", 47521 "1.0.7", 47522 "1.0.8", 47523 "1.0.9", 47524 "1.1.0", 47525 "1.1.1", 47526 "1.1.2", 47527 "1.1.3", 47528 "1.1.4", 47529 "1.1.5", 47530 "1.1.6", 47531 "1.1.7", 47532 "2.0.0", 47533 "2.0.0-M1", 47534 "2.0.0-M2", 47535 "2.0.0-M3", 47536 "2.0.0-M4", 47537 "2.0.0-M5", 47538 "2.0.0-M6", 47539 "2.0.0-RC1", 47540 "2.0.1", 47541 "2.0.10", 47542 "2.0.11", 47543 "2.0.12", 47544 "2.0.13", 47545 "2.0.14", 47546 "2.0.15", 47547 "2.0.16", 47548 "2.0.17", 47549 "2.0.18", 47550 "2.0.19", 47551 "2.0.2", 47552 "2.0.20", 47553 "2.0.21", 47554 "2.0.3", 47555 "2.0.4", 47556 "2.0.5", 47557 "2.0.6", 47558 "2.0.7", 47559 "2.0.8", 47560 "2.0.9" 47561 ] 47562 } 47563 ], 47564 "aliases": [ 47565 "CVE-2021-41973" 47566 ], 47567 "database_specific": { 47568 "cwe_ids": [ 47569 "CWE-835" 47570 ], 47571 "github_reviewed": true, 47572 "github_reviewed_at": "2021-11-02T19:48:48Z", 47573 "nvd_published_at": "2021-11-01T09:15:00Z", 47574 "severity": "MODERATE" 47575 }, 47576 "details": "In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. 
Please update MINA to 2.1.5 or greater.", 47577 "id": "GHSA-6mcm-j9cj-3vc3", 47578 "modified": "2023-11-08T04:07:03.734341Z", 47579 "published": "2021-11-03T17:30:35Z", 47580 "references": [ 47581 { 47582 "type": "ADVISORY", 47583 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41973" 47584 }, 47585 { 47586 "type": "WEB", 47587 "url": "https://lists.apache.org/thread.html/r0b907da9340d5ff4e6c1a4798ef4e79700a668657f27cca8a39e9250%40%3Cdev.mina.apache.org%3E" 47588 }, 47589 { 47590 "type": "WEB", 47591 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 47592 }, 47593 { 47594 "type": "WEB", 47595 "url": "http://www.openwall.com/lists/oss-security/2021/11/01/2" 47596 }, 47597 { 47598 "type": "WEB", 47599 "url": "http://www.openwall.com/lists/oss-security/2021/11/01/8" 47600 } 47601 ], 47602 "schema_version": "1.6.0", 47603 "severity": [ 47604 { 47605 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", 47606 "type": "CVSS_V3" 47607 } 47608 ], 47609 "summary": "Infinite loop in Apache MINA" 47610 }, 47611 { 47612 "affected": [ 47613 { 47614 "database_specific": { 47615 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-2h3j-m7gr-25xj/GHSA-2h3j-m7gr-25xj.json" 47616 }, 47617 "package": { 47618 "ecosystem": "Maven", 47619 "name": "org.apache.pdfbox:pdfbox", 47620 "purl": "pkg:maven/org.apache.pdfbox/pdfbox" 47621 }, 47622 "ranges": [ 47623 { 47624 "events": [ 47625 { 47626 "introduced": "2.0.0" 47627 }, 47628 { 47629 "fixed": "2.0.23" 47630 } 47631 ], 47632 "type": "ECOSYSTEM" 47633 } 47634 ], 47635 "versions": [ 47636 "2.0.0", 47637 "2.0.1", 47638 "2.0.10", 47639 "2.0.11", 47640 "2.0.12", 47641 "2.0.13", 47642 "2.0.14", 47643 "2.0.15", 47644 "2.0.16", 47645 "2.0.17", 47646 "2.0.18", 47647 "2.0.19", 47648 "2.0.2", 47649 "2.0.20", 47650 "2.0.21", 47651 "2.0.22", 47652 "2.0.3", 47653 "2.0.4", 47654 "2.0.5", 47655 "2.0.6", 47656 "2.0.7", 47657 "2.0.8", 47658 "2.0.9" 47659 ] 47660 } 47661 ], 47662 
"aliases": [ 47663 "CVE-2021-27807" 47664 ], 47665 "database_specific": { 47666 "cwe_ids": [ 47667 "CWE-834" 47668 ], 47669 "github_reviewed": true, 47670 "github_reviewed_at": "2021-03-22T18:45:15Z", 47671 "nvd_published_at": "2021-03-19T16:15:00Z", 47672 "severity": "MODERATE" 47673 }, 47674 "details": "A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.", 47675 "id": "GHSA-2h3j-m7gr-25xj", 47676 "modified": "2024-03-15T05:17:16.776669Z", 47677 "published": "2021-06-16T17:56:46Z", 47678 "references": [ 47679 { 47680 "type": "ADVISORY", 47681 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27807" 47682 }, 47683 { 47684 "type": "WEB", 47685 "url": "https://github.com/apache/pdfbox/commit/5c5a837140fbb4ef78bb5ef9f29ad537c872c83e" 47686 }, 47687 { 47688 "type": "WEB", 47689 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 47690 }, 47691 { 47692 "type": "WEB", 47693 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 47694 }, 47695 { 47696 "type": "WEB", 47697 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 47698 }, 47699 { 47700 "type": "WEB", 47701 "url": "https://svn.apache.org/viewvc?view=revision\u0026revision=1886911" 47702 }, 47703 { 47704 "type": "WEB", 47705 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PT72QOFDXLJ7PLTN66EMG5EHPTE7TFZ" 47706 }, 47707 { 47708 "type": "WEB", 47709 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6KDA2U4KL2N3XT3PM4ZJEBBA6JJIH2G4" 47710 }, 47711 { 47712 "type": "WEB", 47713 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AVLKAHFMPH72TTP25INPZPGX5FODK3H" 47714 }, 47715 { 47716 "type": "WEB", 47717 "url": 
"https://lists.apache.org/thread.html/re1e35881482e07dc2be6058d9b44483457f36133cac67956686ad9b9@%3Cnotifications.ofbiz.apache.org%3E" 47718 }, 47719 { 47720 "type": "WEB", 47721 "url": "https://lists.apache.org/thread.html/rc69140d894c6a9c67a8097a25656cce59b46a5620c354ceba10543c3@%3Cnotifications.ofbiz.apache.org%3E" 47722 }, 47723 { 47724 "type": "WEB", 47725 "url": "https://lists.apache.org/thread.html/raa35746227f3f8d50fff1db9899524423a718f6f35cd39bd4769fa6c@%3Cnotifications.ofbiz.apache.org%3E" 47726 }, 47727 { 47728 "type": "WEB", 47729 "url": "https://lists.apache.org/thread.html/r9ffe179385637b0b5cbdabd0246118005b4b8232909d2d14cd68ccd3@%3Ccommits.ofbiz.apache.org%3E" 47730 }, 47731 { 47732 "type": "WEB", 47733 "url": "https://lists.apache.org/thread.html/r818058ff1e4b9f6bef4e5a2e74faff38cb3d3885c1e2db398bc55cfb@%3Cusers.pdfbox.apache.org%3E" 47734 }, 47735 { 47736 "type": "WEB", 47737 "url": "https://lists.apache.org/thread.html/r818058ff1e4b9f6bef4e5a2e74faff38cb3d3885c1e2db398bc55cfb%40%3Cusers.pdfbox.apache.org%3E" 47738 }, 47739 { 47740 "type": "WEB", 47741 "url": "https://lists.apache.org/thread.html/r7ee634c21816c69ce829d0c41f35afa2a53a99bdd3c7cce8644fdc0e@%3Cnotifications.ofbiz.apache.org%3E" 47742 }, 47743 { 47744 "type": "WEB", 47745 "url": "https://lists.apache.org/thread.html/r6e067a6d83ccb6892d0ff867bd216704f21fb0b6a854dea34be04f12@%3Cnotifications.ofbiz.apache.org%3E" 47746 }, 47747 { 47748 "type": "WEB", 47749 "url": "https://lists.apache.org/thread.html/r5c8e2125d18af184c80f7a986fbe47eaf0d30457cd450133adc235ac@%3Ccommits.ofbiz.apache.org%3E" 47750 }, 47751 { 47752 "type": "WEB", 47753 "url": "https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8@%3Cdev.pdfbox.apache.org%3E" 47754 }, 47755 { 47756 "type": "WEB", 47757 "url": "https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b@%3Cnotifications.james.apache.org%3E" 47758 }, 47759 { 47760 "type": "WEB", 47761 
"url": "https://lists.apache.org/thread.html/r4717f902f8bc36d47b3fa978552a25e4ed3ddc2fffb52b94fbc4ab36@%3Cusers.pdfbox.apache.org%3E" 47762 }, 47763 { 47764 "type": "WEB", 47765 "url": "https://lists.apache.org/thread.html/r1d268642f8b52456ee8f876b888b8ed7a9e9568c7770789f3ded7f9e@%3Ccommits.ofbiz.apache.org%3E" 47766 }, 47767 { 47768 "type": "WEB", 47769 "url": "https://lists.apache.org/thread.html/r1218e60c32829f76943ecaca79237120c2ec1ab266459d711a578b50@%3Cdev.pdfbox.apache.org%3E" 47770 }, 47771 { 47772 "type": "WEB", 47773 "url": "https://lists.apache.org/thread.html/r043edc5dcf9199f7f882ed7906b41cb816753766e88b8792dbf319a9@%3Cannounce.apache.org%3E" 47774 }, 47775 { 47776 "type": "WEB", 47777 "url": "https://issues.apache.org/jira/browse/PDFBOX-4892" 47778 }, 47779 { 47780 "type": "PACKAGE", 47781 "url": "https://github.com/apache/pdfbox" 47782 }, 47783 { 47784 "type": "WEB", 47785 "url": "http://www.openwall.com/lists/oss-security/2021/03/19/9" 47786 } 47787 ], 47788 "schema_version": "1.6.0", 47789 "severity": [ 47790 { 47791 "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", 47792 "type": "CVSS_V3" 47793 } 47794 ], 47795 "summary": "Excessive Iteration Denial of Service in Apache PDFBox" 47796 }, 47797 { 47798 "affected": [ 47799 { 47800 "database_specific": { 47801 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4c32-xmgj-2g98/GHSA-4c32-xmgj-2g98.json" 47802 }, 47803 "package": { 47804 "ecosystem": "Maven", 47805 "name": "org.apache.pdfbox:pdfbox", 47806 "purl": "pkg:maven/org.apache.pdfbox/pdfbox" 47807 }, 47808 "ranges": [ 47809 { 47810 "events": [ 47811 { 47812 "introduced": "0" 47813 }, 47814 { 47815 "fixed": "1.8.12" 47816 } 47817 ], 47818 "type": "ECOSYSTEM" 47819 } 47820 ], 47821 "versions": [ 47822 "0.8.0-incubating", 47823 "0.8.0-incubator", 47824 "1.0.0", 47825 "1.1.0", 47826 "1.2.0", 47827 "1.2.1", 47828 "1.3.1", 47829 "1.4.0", 47830 "1.5.0", 47831 "1.6.0", 47832 "1.7.0", 47833 
"1.7.1", 47834 "1.8.0", 47835 "1.8.1", 47836 "1.8.10", 47837 "1.8.11", 47838 "1.8.2", 47839 "1.8.3", 47840 "1.8.4", 47841 "1.8.5", 47842 "1.8.6", 47843 "1.8.7", 47844 "1.8.8", 47845 "1.8.9" 47846 ] 47847 }, 47848 { 47849 "database_specific": { 47850 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4c32-xmgj-2g98/GHSA-4c32-xmgj-2g98.json" 47851 }, 47852 "package": { 47853 "ecosystem": "Maven", 47854 "name": "org.apache.pdfbox:pdfbox", 47855 "purl": "pkg:maven/org.apache.pdfbox/pdfbox" 47856 }, 47857 "ranges": [ 47858 { 47859 "events": [ 47860 { 47861 "introduced": "2.0.0" 47862 }, 47863 { 47864 "fixed": "2.0.1" 47865 } 47866 ], 47867 "type": "ECOSYSTEM" 47868 } 47869 ], 47870 "versions": [ 47871 "2.0.0" 47872 ] 47873 } 47874 ], 47875 "aliases": [ 47876 "CVE-2016-2175" 47877 ], 47878 "database_specific": { 47879 "cwe_ids": [ 47880 "CWE-611" 47881 ], 47882 "github_reviewed": true, 47883 "github_reviewed_at": "2020-06-16T20:58:03Z", 47884 "nvd_published_at": null, 47885 "severity": "HIGH" 47886 }, 47887 "details": "Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.", 47888 "id": "GHSA-4c32-xmgj-2g98", 47889 "modified": "2023-11-08T03:58:24.099687Z", 47890 "published": "2018-10-17T18:22:15Z", 47891 "references": [ 47892 { 47893 "type": "ADVISORY", 47894 "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2175" 47895 }, 47896 { 47897 "type": "ADVISORY", 47898 "url": "https://github.com/advisories/GHSA-4c32-xmgj-2g98" 47899 }, 47900 { 47901 "type": "WEB", 47902 "url": "https://lists.apache.org/thread.html/ad5fbc86c1d1821ae1b963e8561ab6d6a5f66b2848e84f5a31477f54@%3Ccommits.tika.apache.org%3E" 47903 }, 47904 { 47905 "type": "WEB", 47906 "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201605.mbox/%3C83a03bcf-f86b-4688-37b5-615c080291d8@apache.org%3E" 47907 }, 
47908 { 47909 "type": "WEB", 47910 "url": "http://packetstormsecurity.com/files/137214/Apache-PDFBox-1.8.11-2.0.0-XML-Injection.html" 47911 }, 47912 { 47913 "type": "WEB", 47914 "url": "http://rhn.redhat.com/errata/RHSA-2017-0179.html" 47915 }, 47916 { 47917 "type": "WEB", 47918 "url": "http://rhn.redhat.com/errata/RHSA-2017-0248.html" 47919 }, 47920 { 47921 "type": "WEB", 47922 "url": "http://rhn.redhat.com/errata/RHSA-2017-0249.html" 47923 }, 47924 { 47925 "type": "WEB", 47926 "url": "http://rhn.redhat.com/errata/RHSA-2017-0272.html" 47927 }, 47928 { 47929 "type": "WEB", 47930 "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1739564" 47931 }, 47932 { 47933 "type": "WEB", 47934 "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1739565" 47935 }, 47936 { 47937 "type": "WEB", 47938 "url": "http://www.debian.org/security/2016/dsa-3606" 47939 }, 47940 { 47941 "type": "WEB", 47942 "url": "http://www.securityfocus.com/archive/1/538503/100/0/threaded" 47943 }, 47944 { 47945 "type": "WEB", 47946 "url": "http://www.securityfocus.com/bid/90902" 47947 } 47948 ], 47949 "schema_version": "1.6.0", 47950 "severity": [ 47951 { 47952 "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 47953 "type": "CVSS_V3" 47954 } 47955 ], 47956 "summary": "High severity vulnerability that affects org.apache.pdfbox:pdfbox" 47957 }, 47958 { 47959 "affected": [ 47960 { 47961 "database_specific": { 47962 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-6vqp-h455-42mr/GHSA-6vqp-h455-42mr.json" 47963 }, 47964 "package": { 47965 "ecosystem": "Maven", 47966 "name": "org.apache.pdfbox:pdfbox", 47967 "purl": "pkg:maven/org.apache.pdfbox/pdfbox" 47968 }, 47969 "ranges": [ 47970 { 47971 "events": [ 47972 { 47973 "introduced": "2.0.0" 47974 }, 47975 { 47976 "fixed": "2.0.23" 47977 } 47978 ], 47979 "type": "ECOSYSTEM" 47980 } 47981 ], 47982 "versions": [ 47983 "2.0.0", 47984 "2.0.1", 47985 "2.0.10", 47986 "2.0.11", 
47987 "2.0.12", 47988 "2.0.13", 47989 "2.0.14", 47990 "2.0.15", 47991 "2.0.16", 47992 "2.0.17", 47993 "2.0.18", 47994 "2.0.19", 47995 "2.0.2", 47996 "2.0.20", 47997 "2.0.21", 47998 "2.0.22", 47999 "2.0.3", 48000 "2.0.4", 48001 "2.0.5", 48002 "2.0.6", 48003 "2.0.7", 48004 "2.0.8", 48005 "2.0.9" 48006 ] 48007 } 48008 ], 48009 "aliases": [ 48010 "CVE-2021-27906" 48011 ], 48012 "database_specific": { 48013 "cwe_ids": [ 48014 "CWE-789" 48015 ], 48016 "github_reviewed": true, 48017 "github_reviewed_at": "2021-03-22T18:36:26Z", 48018 "nvd_published_at": "2021-03-19T16:15:00Z", 48019 "severity": "MODERATE" 48020 }, 48021 "details": "A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.", 48022 "id": "GHSA-6vqp-h455-42mr", 48023 "modified": "2024-03-15T05:36:23.028589Z", 48024 "published": "2021-05-13T22:30:13Z", 48025 "references": [ 48026 { 48027 "type": "ADVISORY", 48028 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27906" 48029 }, 48030 { 48031 "type": "WEB", 48032 "url": "https://github.com/apache/pdfbox/commit/8c47be1011c11dc47300faecffd8ab32fba3646f" 48033 }, 48034 { 48035 "type": "WEB", 48036 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 48037 }, 48038 { 48039 "type": "WEB", 48040 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 48041 }, 48042 { 48043 "type": "WEB", 48044 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 48045 }, 48046 { 48047 "type": "WEB", 48048 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PT72QOFDXLJ7PLTN66EMG5EHPTE7TFZ" 48049 }, 48050 { 48051 "type": "WEB", 48052 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6KDA2U4KL2N3XT3PM4ZJEBBA6JJIH2G4" 48053 }, 48054 { 48055 "type": "WEB", 48056 "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AVLKAHFMPH72TTP25INPZPGX5FODK3H" 48057 }, 48058 { 48059 "type": "WEB", 48060 "url": "https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd@%3Cusers.pdfbox.apache.org%3E" 48061 }, 48062 { 48063 "type": "WEB", 48064 "url": "https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd%40%3Cusers.pdfbox.apache.org%3E" 48065 }, 48066 { 48067 "type": "WEB", 48068 "url": "https://lists.apache.org/thread.html/re1e35881482e07dc2be6058d9b44483457f36133cac67956686ad9b9@%3Cnotifications.ofbiz.apache.org%3E" 48069 }, 48070 { 48071 "type": "WEB", 48072 "url": "https://lists.apache.org/thread.html/rdf78aef4793362e778e21e34328b0456e302bde4b7e74f229df0ee04@%3Cannounce.apache.org%3E" 48073 }, 48074 { 48075 "type": "WEB", 48076 "url": "https://lists.apache.org/thread.html/rc69140d894c6a9c67a8097a25656cce59b46a5620c354ceba10543c3@%3Cnotifications.ofbiz.apache.org%3E" 48077 }, 48078 { 48079 "type": "WEB", 48080 "url": "https://lists.apache.org/thread.html/raa35746227f3f8d50fff1db9899524423a718f6f35cd39bd4769fa6c@%3Cnotifications.ofbiz.apache.org%3E" 48081 }, 48082 { 48083 "type": "WEB", 48084 "url": "https://lists.apache.org/thread.html/r9ffe179385637b0b5cbdabd0246118005b4b8232909d2d14cd68ccd3@%3Ccommits.ofbiz.apache.org%3E" 48085 }, 48086 { 48087 "type": "WEB", 48088 "url": "https://lists.apache.org/thread.html/r7ee634c21816c69ce829d0c41f35afa2a53a99bdd3c7cce8644fdc0e@%3Cnotifications.ofbiz.apache.org%3E" 48089 }, 48090 { 48091 "type": "WEB", 48092 "url": "https://lists.apache.org/thread.html/r6e067a6d83ccb6892d0ff867bd216704f21fb0b6a854dea34be04f12@%3Cnotifications.ofbiz.apache.org%3E" 48093 }, 48094 { 48095 "type": "WEB", 48096 "url": "https://lists.apache.org/thread.html/r64982b768c8a2220b07aaf813bd099a9863de0d13eb212fd4efe208f@%3Cusers.pdfbox.apache.org%3E" 48097 }, 48098 { 48099 "type": "WEB", 48100 "url": 
"https://lists.apache.org/thread.html/r5c8e2125d18af184c80f7a986fbe47eaf0d30457cd450133adc235ac@%3Ccommits.ofbiz.apache.org%3E" 48101 }, 48102 { 48103 "type": "WEB", 48104 "url": "https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8@%3Cdev.pdfbox.apache.org%3E" 48105 }, 48106 { 48107 "type": "WEB", 48108 "url": "https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b@%3Cnotifications.james.apache.org%3E" 48109 }, 48110 { 48111 "type": "WEB", 48112 "url": "https://lists.apache.org/thread.html/r1d268642f8b52456ee8f876b888b8ed7a9e9568c7770789f3ded7f9e@%3Ccommits.ofbiz.apache.org%3E" 48113 }, 48114 { 48115 "type": "WEB", 48116 "url": "https://lists.apache.org/thread.html/r1218e60c32829f76943ecaca79237120c2ec1ab266459d711a578b50@%3Cdev.pdfbox.apache.org%3E" 48117 }, 48118 { 48119 "type": "WEB", 48120 "url": "https://issues.apache.org/jira/browse/PDFBOX-5112" 48121 }, 48122 { 48123 "type": "PACKAGE", 48124 "url": "https://github.com/apache/pdfbox" 48125 }, 48126 { 48127 "type": "WEB", 48128 "url": "http://www.openwall.com/lists/oss-security/2021/03/19/10" 48129 } 48130 ], 48131 "schema_version": "1.6.0", 48132 "severity": [ 48133 { 48134 "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", 48135 "type": "CVSS_V3" 48136 } 48137 ], 48138 "summary": "Uncontrolled Memory Allocation in Apache PDFBox" 48139 }, 48140 { 48141 "affected": [ 48142 { 48143 "database_specific": { 48144 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7grw-6pjh-jpc9/GHSA-7grw-6pjh-jpc9.json" 48145 }, 48146 "package": { 48147 "ecosystem": "Maven", 48148 "name": "org.apache.pdfbox:pdfbox", 48149 "purl": "pkg:maven/org.apache.pdfbox/pdfbox" 48150 }, 48151 "ranges": [ 48152 { 48153 "events": [ 48154 { 48155 "introduced": "2.0.0" 48156 }, 48157 { 48158 "fixed": "2.0.24" 48159 } 48160 ], 48161 "type": "ECOSYSTEM" 48162 } 48163 ], 48164 "versions": [ 48165 "2.0.0", 
48166 "2.0.1", 48167 "2.0.10", 48168 "2.0.11", 48169 "2.0.12", 48170 "2.0.13", 48171 "2.0.14", 48172 "2.0.15", 48173 "2.0.16", 48174 "2.0.17", 48175 "2.0.18", 48176 "2.0.19", 48177 "2.0.2", 48178 "2.0.20", 48179 "2.0.21", 48180 "2.0.22", 48181 "2.0.23", 48182 "2.0.3", 48183 "2.0.4", 48184 "2.0.5", 48185 "2.0.6", 48186 "2.0.7", 48187 "2.0.8", 48188 "2.0.9" 48189 ] 48190 }, 48191 { 48192 "database_specific": { 48193 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7grw-6pjh-jpc9/GHSA-7grw-6pjh-jpc9.json" 48194 }, 48195 "package": { 48196 "ecosystem": "Maven", 48197 "name": "org.apache.pdfbox:pdfbox-parent", 48198 "purl": "pkg:maven/org.apache.pdfbox/pdfbox-parent" 48199 }, 48200 "ranges": [ 48201 { 48202 "events": [ 48203 { 48204 "introduced": "2.0.0" 48205 }, 48206 { 48207 "fixed": "2.0.24" 48208 } 48209 ], 48210 "type": "ECOSYSTEM" 48211 } 48212 ], 48213 "versions": [ 48214 "2.0.0", 48215 "2.0.1", 48216 "2.0.10", 48217 "2.0.11", 48218 "2.0.12", 48219 "2.0.13", 48220 "2.0.14", 48221 "2.0.15", 48222 "2.0.16", 48223 "2.0.17", 48224 "2.0.18", 48225 "2.0.19", 48226 "2.0.2", 48227 "2.0.20", 48228 "2.0.21", 48229 "2.0.22", 48230 "2.0.23", 48231 "2.0.3", 48232 "2.0.4", 48233 "2.0.5", 48234 "2.0.6", 48235 "2.0.7", 48236 "2.0.8", 48237 "2.0.9" 48238 ] 48239 } 48240 ], 48241 "aliases": [ 48242 "CVE-2021-31812" 48243 ], 48244 "database_specific": { 48245 "cwe_ids": [ 48246 "CWE-834", 48247 "CWE-835" 48248 ], 48249 "github_reviewed": true, 48250 "github_reviewed_at": "2021-06-14T19:41:33Z", 48251 "nvd_published_at": "2021-06-12T10:15:00Z", 48252 "severity": "MODERATE" 48253 }, 48254 "details": "In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. 
This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.", 48255 "id": "GHSA-7grw-6pjh-jpc9", 48256 "modified": "2024-03-08T05:18:50.960251Z", 48257 "published": "2021-06-15T15:54:29Z", 48258 "references": [ 48259 { 48260 "type": "ADVISORY", 48261 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31812" 48262 }, 48263 { 48264 "type": "WEB", 48265 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 48266 }, 48267 { 48268 "type": "WEB", 48269 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 48270 }, 48271 { 48272 "type": "WEB", 48273 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 48274 }, 48275 { 48276 "type": "WEB", 48277 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 48278 }, 48279 { 48280 "type": "WEB", 48281 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D" 48282 }, 48283 { 48284 "type": "WEB", 48285 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV" 48286 }, 48287 { 48288 "type": "WEB", 48289 "url": "https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba@%3Cnotifications.ofbiz.apache.org%3E" 48290 }, 48291 { 48292 "type": "WEB", 48293 "url": "https://lists.apache.org/thread.html/rf251f6c358087107f8c23473468b279d59d50a75db6b4768165c78d3@%3Cannounce.apache.org%3E" 48294 }, 48295 { 48296 "type": "WEB", 48297 "url": "https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E" 48298 }, 48299 { 48300 "type": "WEB", 48301 "url": "https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb@%3Cnotifications.ofbiz.apache.org%3E" 48302 }, 48303 { 48304 "type": "WEB", 48305 "url": 
"https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e@%3Cusers.pdfbox.apache.org%3E" 48306 }, 48307 { 48308 "type": "WEB", 48309 "url": "https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E" 48310 }, 48311 { 48312 "type": "WEB", 48313 "url": "https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb@%3Cnotifications.ofbiz.apache.org%3E" 48314 }, 48315 { 48316 "type": "WEB", 48317 "url": "https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E" 48318 }, 48319 { 48320 "type": "WEB", 48321 "url": "https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E" 48322 }, 48323 { 48324 "type": "WEB", 48325 "url": "https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff@%3Cnotifications.ofbiz.apache.org%3E" 48326 }, 48327 { 48328 "type": "WEB", 48329 "url": "http://www.openwall.com/lists/oss-security/2021/06/12/1" 48330 } 48331 ], 48332 "schema_version": "1.6.0", 48333 "severity": [ 48334 { 48335 "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", 48336 "type": "CVSS_V3" 48337 } 48338 ], 48339 "summary": "Infinite Loop in Apache PDFBox" 48340 }, 48341 { 48342 "affected": [ 48343 { 48344 "database_specific": { 48345 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-c9jj-3wvg-q65h/GHSA-c9jj-3wvg-q65h.json" 48346 }, 48347 "package": { 48348 "ecosystem": "Maven", 48349 "name": "org.apache.pdfbox:pdfbox", 48350 "purl": "pkg:maven/org.apache.pdfbox/pdfbox" 48351 }, 48352 "ranges": [ 48353 { 48354 "events": [ 48355 { 48356 "introduced": "2.0.14" 48357 }, 48358 { 48359 "fixed": "2.0.15" 48360 } 48361 ], 48362 "type": "ECOSYSTEM" 48363 } 48364 ], 48365 "versions": [ 48366 "2.0.14" 48367 ] 48368 } 48369 
], 48370 "aliases": [ 48371 "CVE-2019-0228" 48372 ], 48373 "database_specific": { 48374 "cwe_ids": [ 48375 "CWE-611" 48376 ], 48377 "github_reviewed": true, 48378 "github_reviewed_at": "2020-06-16T21:30:58Z", 48379 "nvd_published_at": "2019-04-17T15:29:00Z", 48380 "severity": "CRITICAL" 48381 }, 48382 "details": "Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.", 48383 "id": "GHSA-c9jj-3wvg-q65h", 48384 "modified": "2024-02-16T08:10:43.804701Z", 48385 "published": "2019-07-05T21:12:54Z", 48386 "references": [ 48387 { 48388 "type": "ADVISORY", 48389 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0228" 48390 }, 48391 { 48392 "type": "ADVISORY", 48393 "url": "https://github.com/advisories/GHSA-c9jj-3wvg-q65h" 48394 }, 48395 { 48396 "type": "WEB", 48397 "url": "https://lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c4f723113bca79@%3Cusers.pdfbox.apache.org%3E" 48398 }, 48399 { 48400 "type": "WEB", 48401 "url": "https://lists.apache.org/thread.html/8a19bd6d43e359913341043c2a114f91f9e4ae170059539ad1f5673c@%3Ccommits.tika.apache.org%3E" 48402 }, 48403 { 48404 "type": "WEB", 48405 "url": "https://lists.apache.org/thread.html/bc8db1bf459f1ad909da47350ed554ee745abe9f25f2b50cad4e06dd@%3Cserver-dev.james.apache.org%3E" 48406 }, 48407 { 48408 "type": "WEB", 48409 "url": "https://lists.apache.org/thread.html/be86fcd7cd423a3fe6b73a3cb9d7cac0b619d0deb99e6b5d172c98f4@%3Ccommits.tika.apache.org%3E" 48410 }, 48411 { 48412 "type": "WEB", 48413 "url": "https://lists.apache.org/thread.html/r0a2141abeddae66dd57025f1681c8425834062b7c0c7e0b1d830a95d@%3Cusers.pdfbox.apache.org%3E" 48414 }, 48415 { 48416 "type": "WEB", 48417 "url": "https://lists.apache.org/thread.html/r32b8102392a174b17fd19509a9e76047f74852b77b7bf46af95e45a2@%3Cserver-dev.james.apache.org%3E" 48418 }, 48419 { 48420 "type": "WEB", 48421 "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HKVPTJWZGUB4MH4AAOWMRJHRDBYFHGJ" 48422 }, 48423 { 48424 "type": "WEB", 48425 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPOGHJ5CVMUVCRQU7APBAN5IVZGZFDX" 48426 }, 48427 { 48428 "type": "WEB", 48429 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 48430 }, 48431 { 48432 "type": "WEB", 48433 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 48434 }, 48435 { 48436 "type": "WEB", 48437 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 48438 }, 48439 { 48440 "type": "WEB", 48441 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 48442 } 48443 ], 48444 "schema_version": "1.6.0", 48445 "severity": [ 48446 { 48447 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 48448 "type": "CVSS_V3" 48449 } 48450 ], 48451 "summary": "Vulnerability that affects org.apache.pdfbox:pdfbox" 48452 }, 48453 { 48454 "affected": [ 48455 { 48456 "database_specific": { 48457 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-fg3j-q579-v8x4/GHSA-fg3j-q579-v8x4.json" 48458 }, 48459 "package": { 48460 "ecosystem": "Maven", 48461 "name": "org.apache.pdfbox:pdfbox", 48462 "purl": "pkg:maven/org.apache.pdfbox/pdfbox" 48463 }, 48464 "ranges": [ 48465 { 48466 "events": [ 48467 { 48468 "introduced": "2.0.0" 48469 }, 48470 { 48471 "fixed": "2.0.24" 48472 } 48473 ], 48474 "type": "ECOSYSTEM" 48475 } 48476 ], 48477 "versions": [ 48478 "2.0.0", 48479 "2.0.1", 48480 "2.0.10", 48481 "2.0.11", 48482 "2.0.12", 48483 "2.0.13", 48484 "2.0.14", 48485 "2.0.15", 48486 "2.0.16", 48487 "2.0.17", 48488 "2.0.18", 48489 "2.0.19", 48490 "2.0.2", 48491 "2.0.20", 48492 "2.0.21", 48493 "2.0.22", 48494 "2.0.23", 48495 "2.0.3", 48496 "2.0.4", 48497 "2.0.5", 48498 "2.0.6", 48499 "2.0.7", 48500 "2.0.8", 48501 "2.0.9" 48502 ] 48503 }, 48504 { 48505 
"database_specific": { 48506 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-fg3j-q579-v8x4/GHSA-fg3j-q579-v8x4.json" 48507 }, 48508 "package": { 48509 "ecosystem": "Maven", 48510 "name": "org.apache.pdfbox:pdfbox-parent", 48511 "purl": "pkg:maven/org.apache.pdfbox/pdfbox-parent" 48512 }, 48513 "ranges": [ 48514 { 48515 "events": [ 48516 { 48517 "introduced": "2.0.0" 48518 }, 48519 { 48520 "fixed": "2.0.24" 48521 } 48522 ], 48523 "type": "ECOSYSTEM" 48524 } 48525 ], 48526 "versions": [ 48527 "2.0.0", 48528 "2.0.1", 48529 "2.0.10", 48530 "2.0.11", 48531 "2.0.12", 48532 "2.0.13", 48533 "2.0.14", 48534 "2.0.15", 48535 "2.0.16", 48536 "2.0.17", 48537 "2.0.18", 48538 "2.0.19", 48539 "2.0.2", 48540 "2.0.20", 48541 "2.0.21", 48542 "2.0.22", 48543 "2.0.23", 48544 "2.0.3", 48545 "2.0.4", 48546 "2.0.5", 48547 "2.0.6", 48548 "2.0.7", 48549 "2.0.8", 48550 "2.0.9" 48551 ] 48552 } 48553 ], 48554 "aliases": [ 48555 "CVE-2021-31811" 48556 ], 48557 "database_specific": { 48558 "cwe_ids": [ 48559 "CWE-770", 48560 "CWE-789" 48561 ], 48562 "github_reviewed": true, 48563 "github_reviewed_at": "2021-06-14T19:39:19Z", 48564 "nvd_published_at": "2021-06-12T10:15:00Z", 48565 "severity": "MODERATE" 48566 }, 48567 "details": "In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. 
This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.", 48568 "id": "GHSA-fg3j-q579-v8x4", 48569 "modified": "2024-03-08T05:34:54.801835Z", 48570 "published": "2021-06-15T15:54:32Z", 48571 "references": [ 48572 { 48573 "type": "ADVISORY", 48574 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31811" 48575 }, 48576 { 48577 "type": "WEB", 48578 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 48579 }, 48580 { 48581 "type": "WEB", 48582 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 48583 }, 48584 { 48585 "type": "WEB", 48586 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 48587 }, 48588 { 48589 "type": "WEB", 48590 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 48591 }, 48592 { 48593 "type": "WEB", 48594 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 48595 }, 48596 { 48597 "type": "WEB", 48598 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D" 48599 }, 48600 { 48601 "type": "WEB", 48602 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV" 48603 }, 48604 { 48605 "type": "WEB", 48606 "url": "https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba@%3Cnotifications.ofbiz.apache.org%3E" 48607 }, 48608 { 48609 "type": "WEB", 48610 "url": "https://lists.apache.org/thread.html/rf937c2236e6c79cdb99f76a70690dd345e53dbe0707cb506a202e43e@%3Cannounce.apache.org%3E" 48611 }, 48612 { 48613 "type": "WEB", 48614 "url": "https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e@%3Cusers.pdfbox.apache.org%3E" 48615 }, 48616 { 48617 "type": "WEB", 48618 "url": "https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e%40%3Cusers.pdfbox.apache.org%3E" 48619 }, 48620 { 48621 "type": "WEB", 48622 "url": 
"https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E" 48623 }, 48624 { 48625 "type": "WEB", 48626 "url": "https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb@%3Cnotifications.ofbiz.apache.org%3E" 48627 }, 48628 { 48629 "type": "WEB", 48630 "url": "https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb@%3Cnotifications.ofbiz.apache.org%3E" 48631 }, 48632 { 48633 "type": "WEB", 48634 "url": "https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E" 48635 }, 48636 { 48637 "type": "WEB", 48638 "url": "https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E" 48639 }, 48640 { 48641 "type": "WEB", 48642 "url": "https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff@%3Cnotifications.ofbiz.apache.org%3E" 48643 }, 48644 { 48645 "type": "WEB", 48646 "url": "http://www.openwall.com/lists/oss-security/2021/06/12/2" 48647 } 48648 ], 48649 "schema_version": "1.6.0", 48650 "severity": [ 48651 { 48652 "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", 48653 "type": "CVSS_V3" 48654 } 48655 ], 48656 "summary": "Uncontrolled memory consumption" 48657 }, 48658 { 48659 "affected": [ 48660 { 48661 "database_specific": { 48662 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-gx96-vgf7-hwfg/GHSA-gx96-vgf7-hwfg.json" 48663 }, 48664 "package": { 48665 "ecosystem": "Maven", 48666 "name": "org.apache.pdfbox:pdfbox", 48667 "purl": "pkg:maven/org.apache.pdfbox/pdfbox" 48668 }, 48669 "ranges": [ 48670 { 48671 "events": [ 48672 { 48673 "introduced": "1.8.0" 48674 }, 48675 { 48676 "fixed": "1.8.16" 48677 } 48678 ], 48679 "type": "ECOSYSTEM" 48680 } 48681 ], 48682 "versions": [ 48683 "1.8.0", 48684 "1.8.1", 
48685 "1.8.10", 48686 "1.8.11", 48687 "1.8.12", 48688 "1.8.13", 48689 "1.8.14", 48690 "1.8.15", 48691 "1.8.2", 48692 "1.8.3", 48693 "1.8.4", 48694 "1.8.5", 48695 "1.8.6", 48696 "1.8.7", 48697 "1.8.8", 48698 "1.8.9" 48699 ] 48700 }, 48701 { 48702 "database_specific": { 48703 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-gx96-vgf7-hwfg/GHSA-gx96-vgf7-hwfg.json" 48704 }, 48705 "package": { 48706 "ecosystem": "Maven", 48707 "name": "org.apache.pdfbox:pdfbox", 48708 "purl": "pkg:maven/org.apache.pdfbox/pdfbox" 48709 }, 48710 "ranges": [ 48711 { 48712 "events": [ 48713 { 48714 "introduced": "2.0.0" 48715 }, 48716 { 48717 "fixed": "2.0.12" 48718 } 48719 ], 48720 "type": "ECOSYSTEM" 48721 } 48722 ], 48723 "versions": [ 48724 "2.0.0", 48725 "2.0.1", 48726 "2.0.10", 48727 "2.0.11", 48728 "2.0.2", 48729 "2.0.3", 48730 "2.0.4", 48731 "2.0.5", 48732 "2.0.6", 48733 "2.0.7", 48734 "2.0.8", 48735 "2.0.9" 48736 ] 48737 } 48738 ], 48739 "aliases": [ 48740 "CVE-2018-11797" 48741 ], 48742 "database_specific": { 48743 "cwe_ids": [ 48744 "CWE-400" 48745 ], 48746 "github_reviewed": true, 48747 "github_reviewed_at": "2020-06-16T21:38:16Z", 48748 "nvd_published_at": "2018-10-05T20:29:00Z", 48749 "severity": "MODERATE" 48750 }, 48751 "details": "In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.", 48752 "id": "GHSA-gx96-vgf7-hwfg", 48753 "modified": "2024-02-16T08:14:19.885368Z", 48754 "published": "2018-10-17T18:22:29Z", 48755 "references": [ 48756 { 48757 "type": "ADVISORY", 48758 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11797" 48759 }, 48760 { 48761 "type": "ADVISORY", 48762 "url": "https://github.com/advisories/GHSA-gx96-vgf7-hwfg" 48763 }, 48764 { 48765 "type": "WEB", 48766 "url": "https://lists.apache.org/thread.html/645574bc50b886d39c20b4065d51ccb1cd5d3a6b4750a22edbb565eb@%3Cannounce.apache.org%3E" 48767 
}, 48768 { 48769 "type": "WEB", 48770 "url": "https://lists.apache.org/thread.html/a9760973a873522f4d4c0a99916ceb74f361d91006b663a0a418d34a@%3Cannounce.apache.org%3E" 48771 }, 48772 { 48773 "type": "WEB", 48774 "url": "https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8@%3Cdev.pdfbox.apache.org%3E" 48775 }, 48776 { 48777 "type": "WEB", 48778 "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00008.html" 48779 }, 48780 { 48781 "type": "WEB", 48782 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HKVPTJWZGUB4MH4AAOWMRJHRDBYFHGJ" 48783 }, 48784 { 48785 "type": "WEB", 48786 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPOGHJ5CVMUVCRQU7APBAN5IVZGZFDX" 48787 }, 48788 { 48789 "type": "WEB", 48790 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 48791 } 48792 ], 48793 "schema_version": "1.6.0", 48794 "severity": [ 48795 { 48796 "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", 48797 "type": "CVSS_V3" 48798 } 48799 ], 48800 "summary": "In Apache PDFBox a carefully crafted PDF file can trigger an extremely long running computation" 48801 }, 48802 { 48803 "affected": [ 48804 { 48805 "database_specific": { 48806 "last_known_affected_version_range": "\u003c= 1.8.14", 48807 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j2xq-pfff-mvgg/GHSA-j2xq-pfff-mvgg.json" 48808 }, 48809 "package": { 48810 "ecosystem": "Maven", 48811 "name": "org.apache.pdfbox:pdfbox", 48812 "purl": "pkg:maven/org.apache.pdfbox/pdfbox" 48813 }, 48814 "ranges": [ 48815 { 48816 "events": [ 48817 { 48818 "introduced": "1.8.0" 48819 }, 48820 { 48821 "fixed": "1.8.15" 48822 } 48823 ], 48824 "type": "ECOSYSTEM" 48825 } 48826 ], 48827 "versions": [ 48828 "1.8.0", 48829 "1.8.1", 48830 "1.8.10", 48831 "1.8.11", 48832 "1.8.12", 48833 "1.8.13", 48834 "1.8.14", 48835 
"1.8.2", 48836 "1.8.3", 48837 "1.8.4", 48838 "1.8.5", 48839 "1.8.6", 48840 "1.8.7", 48841 "1.8.8", 48842 "1.8.9" 48843 ] 48844 }, 48845 { 48846 "database_specific": { 48847 "last_known_affected_version_range": "\u003c= 2.0.10", 48848 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j2xq-pfff-mvgg/GHSA-j2xq-pfff-mvgg.json" 48849 }, 48850 "package": { 48851 "ecosystem": "Maven", 48852 "name": "org.apache.pdfbox:pdfbox", 48853 "purl": "pkg:maven/org.apache.pdfbox/pdfbox" 48854 }, 48855 "ranges": [ 48856 { 48857 "events": [ 48858 { 48859 "introduced": "2.0.0RC1" 48860 }, 48861 { 48862 "fixed": "2.0.11" 48863 } 48864 ], 48865 "type": "ECOSYSTEM" 48866 } 48867 ], 48868 "versions": [ 48869 "2.0.0", 48870 "2.0.0-RC1", 48871 "2.0.0-RC2", 48872 "2.0.0-RC3", 48873 "2.0.1", 48874 "2.0.10", 48875 "2.0.2", 48876 "2.0.3", 48877 "2.0.4", 48878 "2.0.5", 48879 "2.0.6", 48880 "2.0.7", 48881 "2.0.8", 48882 "2.0.9" 48883 ] 48884 } 48885 ], 48886 "aliases": [ 48887 "CVE-2018-8036" 48888 ], 48889 "database_specific": { 48890 "cwe_ids": [ 48891 "CWE-835" 48892 ], 48893 "github_reviewed": true, 48894 "github_reviewed_at": "2022-06-29T18:54:14Z", 48895 "nvd_published_at": "2018-07-03T20:29:00Z", 48896 "severity": "MODERATE" 48897 }, 48898 "details": "In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.", 48899 "id": "GHSA-j2xq-pfff-mvgg", 48900 "modified": "2024-02-20T05:34:40.059516Z", 48901 "published": "2022-05-13T01:53:29Z", 48902 "references": [ 48903 { 48904 "type": "ADVISORY", 48905 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8036" 48906 }, 48907 { 48908 "type": "WEB", 48909 "url": "https://access.redhat.com/errata/RHSA-2018:2669" 48910 }, 48911 { 48912 "type": "WEB", 48913 "url": 
"https://lists.apache.org/thread.html/9f62f742fd4fcd81654a9533b8a71349b064250840592bcd502dcfb6@%3Cusers.pdfbox.apache.org%3E" 48914 }, 48915 { 48916 "type": "WEB", 48917 "url": "https://lists.apache.org/thread.html/r43491b25b2e5c368c34b106a82eff910a5cea3e90de82ad75cc16540@%3Cdev.syncope.apache.org%3E" 48918 }, 48919 { 48920 "type": "WEB", 48921 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HKVPTJWZGUB4MH4AAOWMRJHRDBYFHGJ" 48922 }, 48923 { 48924 "type": "WEB", 48925 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPOGHJ5CVMUVCRQU7APBAN5IVZGZFDX" 48926 }, 48927 { 48928 "type": "WEB", 48929 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 48930 } 48931 ], 48932 "schema_version": "1.6.0", 48933 "severity": [ 48934 { 48935 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", 48936 "type": "CVSS_V3" 48937 } 48938 ], 48939 "summary": "Loop with Unreachable Exit Condition in Apache PDFBox" 48940 }, 48941 { 48942 "affected": [ 48943 { 48944 "database_specific": { 48945 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-26gr-cvq3-qxgf/GHSA-26gr-cvq3-qxgf.json" 48946 }, 48947 "package": { 48948 "ecosystem": "Maven", 48949 "name": "org.apache.shiro:shiro-core", 48950 "purl": "pkg:maven/org.apache.shiro/shiro-core" 48951 }, 48952 "ranges": [ 48953 { 48954 "events": [ 48955 { 48956 "introduced": "0" 48957 }, 48958 { 48959 "fixed": "1.5.2" 48960 } 48961 ], 48962 "type": "ECOSYSTEM" 48963 } 48964 ], 48965 "versions": [ 48966 "1.0.0-incubating", 48967 "1.1.0", 48968 "1.2.0", 48969 "1.2.1", 48970 "1.2.2", 48971 "1.2.3", 48972 "1.2.4", 48973 "1.2.5", 48974 "1.2.6", 48975 "1.3.0", 48976 "1.3.1", 48977 "1.3.2", 48978 "1.4.0", 48979 "1.4.0-RC2", 48980 "1.4.1", 48981 "1.4.2", 48982 "1.5.0", 48983 "1.5.1" 48984 ] 48985 } 48986 ], 48987 "aliases": [ 48988 "CVE-2020-1957" 48989 ], 48990 "database_specific": 
{ 48991 "cwe_ids": [ 48992 "CWE-287" 48993 ], 48994 "github_reviewed": true, 48995 "github_reviewed_at": "2021-05-06T20:05:12Z", 48996 "nvd_published_at": "2020-03-25T16:15:00Z", 48997 "severity": "CRITICAL" 48998 }, 48999 "details": "Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.", 49000 "id": "GHSA-26gr-cvq3-qxgf", 49001 "modified": "2023-11-08T04:02:47.183256Z", 49002 "published": "2021-05-07T15:53:18Z", 49003 "references": [ 49004 { 49005 "type": "ADVISORY", 49006 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1957" 49007 }, 49008 { 49009 "type": "PACKAGE", 49010 "url": "https://github.com/apache/shiro" 49011 }, 49012 { 49013 "type": "WEB", 49014 "url": "https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E" 49015 }, 49016 { 49017 "type": "WEB", 49018 "url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E" 49019 }, 49020 { 49021 "type": "WEB", 49022 "url": "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3@%3Ccommits.shiro.apache.org%3E" 49023 }, 49024 { 49025 "type": "WEB", 49026 "url": "https://lists.apache.org/thread.html/rb3982edf8bc8fcaa7a308e25a12d294fb4aac1f1e9d4e14fda639e77@%3Cdev.geode.apache.org%3E" 49027 }, 49028 { 49029 "type": "WEB", 49030 "url": "https://lists.apache.org/thread.html/rc64fb2336683feff3580c3c3a8b28e80525077621089641f2f386b63@%3Ccommits.camel.apache.org%3E" 49031 }, 49032 { 49033 "type": "WEB", 49034 "url": "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0@%3Ccommits.shiro.apache.org%3E" 49035 }, 49036 { 49037 "type": "WEB", 49038 "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00014.html" 49039 } 49040 ], 49041 "schema_version": "1.6.0", 49042 "severity": [ 49043 { 49044 "score": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 49045 "type": "CVSS_V3" 49046 } 49047 ], 49048 "summary": "Improper Authentication in Apache Shiro" 49049 }, 49050 { 49051 "affected": [ 49052 { 49053 "database_specific": { 49054 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2vgm-wxr3-6w2j/GHSA-2vgm-wxr3-6w2j.json" 49055 }, 49056 "package": { 49057 "ecosystem": "Maven", 49058 "name": "org.apache.shiro:shiro-core", 49059 "purl": "pkg:maven/org.apache.shiro/shiro-core" 49060 }, 49061 "ranges": [ 49062 { 49063 "events": [ 49064 { 49065 "introduced": "0" 49066 }, 49067 { 49068 "fixed": "1.6.0" 49069 } 49070 ], 49071 "type": "ECOSYSTEM" 49072 } 49073 ], 49074 "versions": [ 49075 "1.0.0-incubating", 49076 "1.1.0", 49077 "1.2.0", 49078 "1.2.1", 49079 "1.2.2", 49080 "1.2.3", 49081 "1.2.4", 49082 "1.2.5", 49083 "1.2.6", 49084 "1.3.0", 49085 "1.3.1", 49086 "1.3.2", 49087 "1.4.0", 49088 "1.4.0-RC2", 49089 "1.4.1", 49090 "1.4.2", 49091 "1.5.0", 49092 "1.5.1", 49093 "1.5.2", 49094 "1.5.3" 49095 ] 49096 } 49097 ], 49098 "aliases": [ 49099 "CVE-2020-13933" 49100 ], 49101 "database_specific": { 49102 "cwe_ids": [ 49103 "CWE-287" 49104 ], 49105 "github_reviewed": true, 49106 "github_reviewed_at": "2021-05-05T21:37:50Z", 49107 "nvd_published_at": "2020-08-17T21:15:00Z", 49108 "severity": "HIGH" 49109 }, 49110 "details": "Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.", 49111 "id": "GHSA-2vgm-wxr3-6w2j", 49112 "modified": "2024-03-15T05:20:51.873553Z", 49113 "published": "2021-05-07T15:54:23Z", 49114 "references": [ 49115 { 49116 "type": "ADVISORY", 49117 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13933" 49118 }, 49119 { 49120 "type": "WEB", 49121 "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html" 49122 }, 49123 { 49124 "type": "WEB", 49125 "url": 
"https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E" 49126 }, 49127 { 49128 "type": "WEB", 49129 "url": "https://lists.apache.org/thread.html/rb5edf49cd1451475dbcf53826ba6ef1bb7872dd6493d6112eb0c2bad@%3Cdev.shiro.apache.org%3E" 49130 }, 49131 { 49132 "type": "WEB", 49133 "url": "https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc@%3Cdev.shiro.apache.org%3E" 49134 }, 49135 { 49136 "type": "WEB", 49137 "url": "https://lists.apache.org/thread.html/r9ea6d8560d6354d41433ad006069904f0ed083527aa348b5999261a7@%3Cdev.geode.apache.org%3E" 49138 }, 49139 { 49140 "type": "WEB", 49141 "url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E" 49142 }, 49143 { 49144 "type": "WEB", 49145 "url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E" 49146 }, 49147 { 49148 "type": "WEB", 49149 "url": "https://lists.apache.org/thread.html/r8097b81905f2a113ebdf925bcbc6d8c9d6863c807c9ee42e1e7c9293@%3Cdev.shiro.apache.org%3E" 49150 }, 49151 { 49152 "type": "WEB", 49153 "url": "https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a@%3Cdev.shiro.apache.org%3E" 49154 }, 49155 { 49156 "type": "WEB", 49157 "url": "https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4@%3Cdev.shiro.apache.org%3E" 49158 }, 49159 { 49160 "type": "WEB", 49161 "url": "https://lists.apache.org/thread.html/r6ea0224c1971a91dc6ade1f22508119a9c3bd56cef656f0c44bbfabb@%3Cdev.shiro.apache.org%3E" 49162 }, 49163 { 49164 "type": "WEB", 49165 "url": "https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129@%3Cdev.shiro.apache.org%3E" 49166 }, 49167 { 49168 "type": "WEB", 49169 "url": 
"https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E" 49170 }, 49171 { 49172 "type": "WEB", 49173 "url": "https://lists.apache.org/thread.html/r4c1e1249e9e1acb868db0c80728c13f448d07333da06a0f1603c0a33@%3Cdev.shiro.apache.org%3E" 49174 }, 49175 { 49176 "type": "WEB", 49177 "url": "https://lists.apache.org/thread.html/r4506cedc401d6b8de83787f8436aac83956e411d66848c84785db46d@%3Cdev.shiro.apache.org%3E" 49178 }, 49179 { 49180 "type": "WEB", 49181 "url": "https://lists.apache.org/thread.html/r18b45d560d76c4260813c802771cc9678aa651fb8340e09366bfa198@%3Cdev.geode.apache.org%3E" 49182 }, 49183 { 49184 "type": "PACKAGE", 49185 "url": "https://github.com/apache/shiro" 49186 } 49187 ], 49188 "schema_version": "1.6.0", 49189 "severity": [ 49190 { 49191 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 49192 "type": "CVSS_V3" 49193 } 49194 ], 49195 "summary": "Authentication bypass in Apache Shiro" 49196 }, 49197 { 49198 "affected": [ 49199 { 49200 "database_specific": { 49201 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-45x9-q6vj-cqgq/GHSA-45x9-q6vj-cqgq.json" 49202 }, 49203 "package": { 49204 "ecosystem": "Maven", 49205 "name": "org.apache.shiro:shiro-core", 49206 "purl": "pkg:maven/org.apache.shiro/shiro-core" 49207 }, 49208 "ranges": [ 49209 { 49210 "events": [ 49211 { 49212 "introduced": "0" 49213 }, 49214 { 49215 "fixed": "1.10.0" 49216 } 49217 ], 49218 "type": "ECOSYSTEM" 49219 } 49220 ], 49221 "versions": [ 49222 "1.0.0-incubating", 49223 "1.1.0", 49224 "1.2.0", 49225 "1.2.1", 49226 "1.2.2", 49227 "1.2.3", 49228 "1.2.4", 49229 "1.2.5", 49230 "1.2.6", 49231 "1.3.0", 49232 "1.3.1", 49233 "1.3.2", 49234 "1.4.0", 49235 "1.4.0-RC2", 49236 "1.4.1", 49237 "1.4.2", 49238 "1.5.0", 49239 "1.5.1", 49240 "1.5.2", 49241 "1.5.3", 49242 "1.6.0", 49243 "1.7.0", 49244 "1.7.1", 49245 "1.8.0", 49246 "1.9.0", 49247 "1.9.1" 49248 ] 49249 } 49250 ], 
49251 "aliases": [ 49252 "CVE-2022-40664" 49253 ], 49254 "database_specific": { 49255 "cwe_ids": [ 49256 "CWE-287" 49257 ], 49258 "github_reviewed": true, 49259 "github_reviewed_at": "2022-10-12T19:43:15Z", 49260 "nvd_published_at": "2022-10-12T07:15:00Z", 49261 "severity": "CRITICAL" 49262 }, 49263 "details": "Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.", 49264 "id": "GHSA-45x9-q6vj-cqgq", 49265 "modified": "2024-02-16T07:57:10.787044Z", 49266 "published": "2022-10-12T12:00:16Z", 49267 "references": [ 49268 { 49269 "type": "ADVISORY", 49270 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40664" 49271 }, 49272 { 49273 "type": "PACKAGE", 49274 "url": "https://github.com/apache/shiro" 49275 }, 49276 { 49277 "type": "WEB", 49278 "url": "https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg" 49279 }, 49280 { 49281 "type": "WEB", 49282 "url": "https://security.netapp.com/advisory/ntap-20221118-0005" 49283 }, 49284 { 49285 "type": "WEB", 49286 "url": "https://shiro.apache.org/blog/2022/10/10/2022/apache-shiro-1101-released.html" 49287 }, 49288 { 49289 "type": "WEB", 49290 "url": "http://www.openwall.com/lists/oss-security/2022/10/12/1" 49291 }, 49292 { 49293 "type": "WEB", 49294 "url": "http://www.openwall.com/lists/oss-security/2022/10/12/2" 49295 }, 49296 { 49297 "type": "WEB", 49298 "url": "http://www.openwall.com/lists/oss-security/2022/10/13/1" 49299 } 49300 ], 49301 "schema_version": "1.6.0", 49302 "severity": [ 49303 { 49304 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 49305 "type": "CVSS_V3" 49306 } 49307 ], 49308 "summary": "Apache Shiro Authentication Bypass vulnerability" 49309 }, 49310 { 49311 "affected": [ 49312 { 49313 "database_specific": { 49314 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-4cf5-xmhp-3xj7/GHSA-4cf5-xmhp-3xj7.json" 49315 }, 49316 "package": { 49317 "ecosystem": "Maven", 49318 
"name": "org.apache.shiro:shiro-core", 49319 "purl": "pkg:maven/org.apache.shiro/shiro-core" 49320 }, 49321 "ranges": [ 49322 { 49323 "events": [ 49324 { 49325 "introduced": "0" 49326 }, 49327 { 49328 "fixed": "1.9.1" 49329 } 49330 ], 49331 "type": "ECOSYSTEM" 49332 } 49333 ], 49334 "versions": [ 49335 "1.0.0-incubating", 49336 "1.1.0", 49337 "1.2.0", 49338 "1.2.1", 49339 "1.2.2", 49340 "1.2.3", 49341 "1.2.4", 49342 "1.2.5", 49343 "1.2.6", 49344 "1.3.0", 49345 "1.3.1", 49346 "1.3.2", 49347 "1.4.0", 49348 "1.4.0-RC2", 49349 "1.4.1", 49350 "1.4.2", 49351 "1.5.0", 49352 "1.5.1", 49353 "1.5.2", 49354 "1.5.3", 49355 "1.6.0", 49356 "1.7.0", 49357 "1.7.1", 49358 "1.8.0", 49359 "1.9.0" 49360 ] 49361 } 49362 ], 49363 "aliases": [ 49364 "CVE-2022-32532" 49365 ], 49366 "database_specific": { 49367 "cwe_ids": [ 49368 "CWE-285", 49369 "CWE-863" 49370 ], 49371 "github_reviewed": true, 49372 "github_reviewed_at": "2022-07-06T19:52:31Z", 49373 "nvd_published_at": "2022-06-29T00:15:00Z", 49374 "severity": "CRITICAL" 49375 }, 49376 "details": "Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. 
Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.", 49377 "id": "GHSA-4cf5-xmhp-3xj7", 49378 "modified": "2023-11-08T04:09:36.762135Z", 49379 "published": "2022-06-30T00:00:41Z", 49380 "references": [ 49381 { 49382 "type": "ADVISORY", 49383 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32532" 49384 }, 49385 { 49386 "type": "PACKAGE", 49387 "url": "https://github.com/apache/shiro" 49388 }, 49389 { 49390 "type": "WEB", 49391 "url": "https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh" 49392 } 49393 ], 49394 "schema_version": "1.6.0", 49395 "severity": [ 49396 { 49397 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 49398 "type": "CVSS_V3" 49399 } 49400 ], 49401 "summary": "Improper Authorization in Apache Shiro" 49402 }, 49403 { 49404 "affected": [ 49405 { 49406 "database_specific": { 49407 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-72w9-fcj5-3fcg/GHSA-72w9-fcj5-3fcg.json" 49408 }, 49409 "package": { 49410 "ecosystem": "Maven", 49411 "name": "org.apache.shiro:shiro-core", 49412 "purl": "pkg:maven/org.apache.shiro/shiro-core" 49413 }, 49414 "ranges": [ 49415 { 49416 "events": [ 49417 { 49418 "introduced": "0" 49419 }, 49420 { 49421 "fixed": "1.5.3" 49422 } 49423 ], 49424 "type": "ECOSYSTEM" 49425 } 49426 ], 49427 "versions": [ 49428 "1.0.0-incubating", 49429 "1.1.0", 49430 "1.2.0", 49431 "1.2.1", 49432 "1.2.2", 49433 "1.2.3", 49434 "1.2.4", 49435 "1.2.5", 49436 "1.2.6", 49437 "1.3.0", 49438 "1.3.1", 49439 "1.3.2", 49440 "1.4.0", 49441 "1.4.0-RC2", 49442 "1.4.1", 49443 "1.4.2", 49444 "1.5.0", 49445 "1.5.1", 49446 "1.5.2" 49447 ] 49448 } 49449 ], 49450 "aliases": [ 49451 "CVE-2020-11989" 49452 ], 49453 "database_specific": { 49454 "cwe_ids": [ 49455 "CWE-287" 49456 ], 49457 "github_reviewed": true, 49458 "github_reviewed_at": "2021-05-06T20:07:20Z", 49459 "nvd_published_at": "2020-06-22T19:15:00Z", 49460 
"severity": "CRITICAL" 49461 }, 49462 "details": "Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.", 49463 "id": "GHSA-72w9-fcj5-3fcg", 49464 "modified": "2023-11-08T04:02:08.91663Z", 49465 "published": "2021-05-07T15:53:10Z", 49466 "references": [ 49467 { 49468 "type": "ADVISORY", 49469 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11989" 49470 }, 49471 { 49472 "type": "PACKAGE", 49473 "url": "https://github.com/apache/shiro" 49474 }, 49475 { 49476 "type": "WEB", 49477 "url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E" 49478 }, 49479 { 49480 "type": "WEB", 49481 "url": "https://lists.apache.org/thread.html/r408fe60bc8fdfd7c74135249d646d7abadb807ebf90f6fd2b014df21@%3Cdev.geode.apache.org%3E" 49482 }, 49483 { 49484 "type": "WEB", 49485 "url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E" 49486 }, 49487 { 49488 "type": "WEB", 49489 "url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675@%3Cdev.shiro.apache.org%3E" 49490 }, 49491 { 49492 "type": "WEB", 49493 "url": "https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675@%3Cuser.shiro.apache.org%3E" 49494 }, 49495 { 49496 "type": "WEB", 49497 "url": "https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3@%3Ccommits.shiro.apache.org%3E" 49498 }, 49499 { 49500 "type": "WEB", 49501 "url": "https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0@%3Ccommits.shiro.apache.org%3E" 49502 }, 49503 { 49504 "type": "WEB", 49505 "url": 
"https://lists.apache.org/thread.html/rcf3d8041e1232201fe5d74fc612a193e435784d64002409b448b58fe@%3Cdev.geode.apache.org%3E" 49506 } 49507 ], 49508 "schema_version": "1.6.0", 49509 "severity": [ 49510 { 49511 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 49512 "type": "CVSS_V3" 49513 } 49514 ], 49515 "summary": "Improper Authentication in Apache Shiro" 49516 }, 49517 { 49518 "affected": [ 49519 { 49520 "database_specific": { 49521 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-f6jp-j6w3-w9hm/GHSA-f6jp-j6w3-w9hm.json" 49522 }, 49523 "package": { 49524 "ecosystem": "Maven", 49525 "name": "org.apache.shiro:shiro-core", 49526 "purl": "pkg:maven/org.apache.shiro/shiro-core" 49527 }, 49528 "ranges": [ 49529 { 49530 "events": [ 49531 { 49532 "introduced": "0" 49533 }, 49534 { 49535 "fixed": "1.8.0" 49536 } 49537 ], 49538 "type": "ECOSYSTEM" 49539 } 49540 ], 49541 "versions": [ 49542 "1.0.0-incubating", 49543 "1.1.0", 49544 "1.2.0", 49545 "1.2.1", 49546 "1.2.2", 49547 "1.2.3", 49548 "1.2.4", 49549 "1.2.5", 49550 "1.2.6", 49551 "1.3.0", 49552 "1.3.1", 49553 "1.3.2", 49554 "1.4.0", 49555 "1.4.0-RC2", 49556 "1.4.1", 49557 "1.4.2", 49558 "1.5.0", 49559 "1.5.1", 49560 "1.5.2", 49561 "1.5.3", 49562 "1.6.0", 49563 "1.7.0", 49564 "1.7.1" 49565 ] 49566 } 49567 ], 49568 "aliases": [ 49569 "CVE-2021-41303" 49570 ], 49571 "database_specific": { 49572 "cwe_ids": [ 49573 "CWE-287" 49574 ], 49575 "github_reviewed": true, 49576 "github_reviewed_at": "2021-09-20T19:17:39Z", 49577 "nvd_published_at": "2021-09-17T09:15:00Z", 49578 "severity": "CRITICAL" 49579 }, 49580 "details": "Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. 
Users should update to Apache Shiro 1.8.0.", 49581 "id": "GHSA-f6jp-j6w3-w9hm", 49582 "modified": "2024-02-19T05:32:19.684337Z", 49583 "published": "2021-09-20T20:18:11Z", 49584 "references": [ 49585 { 49586 "type": "ADVISORY", 49587 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41303" 49588 }, 49589 { 49590 "type": "WEB", 49591 "url": "https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b@%3Cuser.shiro.apache.org%3E" 49592 }, 49593 { 49594 "type": "WEB", 49595 "url": "https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E" 49596 }, 49597 { 49598 "type": "WEB", 49599 "url": "https://security.netapp.com/advisory/ntap-20220609-0001" 49600 }, 49601 { 49602 "type": "WEB", 49603 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 49604 } 49605 ], 49606 "schema_version": "1.6.0", 49607 "severity": [ 49608 { 49609 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 49610 "type": "CVSS_V3" 49611 } 49612 ], 49613 "summary": "Apache Shiro vulnerable to a specially crafted HTTP request causing an authentication bypass" 49614 }, 49615 { 49616 "affected": [ 49617 { 49618 "database_specific": { 49619 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-jc7h-c423-mpjc/GHSA-jc7h-c423-mpjc.json" 49620 }, 49621 "package": { 49622 "ecosystem": "Maven", 49623 "name": "org.apache.shiro:shiro-core", 49624 "purl": "pkg:maven/org.apache.shiro/shiro-core" 49625 }, 49626 "ranges": [ 49627 { 49628 "events": [ 49629 { 49630 "introduced": "0" 49631 }, 49632 { 49633 "fixed": "1.13.0" 49634 } 49635 ], 49636 "type": "ECOSYSTEM" 49637 } 49638 ], 49639 "versions": [ 49640 "1.0.0-incubating", 49641 "1.1.0", 49642 "1.10.0", 49643 "1.10.1", 49644 "1.11.0", 49645 "1.12.0", 49646 "1.2.0", 49647 "1.2.1", 49648 "1.2.2", 49649 "1.2.3", 49650 "1.2.4", 49651 "1.2.5", 49652 "1.2.6", 49653 "1.3.0", 49654 "1.3.1", 49655 
"1.3.2", 49656 "1.4.0", 49657 "1.4.0-RC2", 49658 "1.4.1", 49659 "1.4.2", 49660 "1.5.0", 49661 "1.5.1", 49662 "1.5.2", 49663 "1.5.3", 49664 "1.6.0", 49665 "1.7.0", 49666 "1.7.1", 49667 "1.8.0", 49668 "1.9.0", 49669 "1.9.1" 49670 ] 49671 }, 49672 { 49673 "database_specific": { 49674 "last_known_affected_version_range": "\u003c 2.0.0alpha4", 49675 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-jc7h-c423-mpjc/GHSA-jc7h-c423-mpjc.json" 49676 }, 49677 "package": { 49678 "ecosystem": "Maven", 49679 "name": "org.apache.shiro:shiro-core", 49680 "purl": "pkg:maven/org.apache.shiro/shiro-core" 49681 }, 49682 "ranges": [ 49683 { 49684 "events": [ 49685 { 49686 "introduced": "2.0.0alpha1" 49687 }, 49688 { 49689 "fixed": "2.0.0-alpha4" 49690 } 49691 ], 49692 "type": "ECOSYSTEM" 49693 } 49694 ], 49695 "versions": [ 49696 "2.0.0-alpha-1", 49697 "2.0.0-alpha-2", 49698 "2.0.0-alpha-3" 49699 ] 49700 } 49701 ], 49702 "aliases": [ 49703 "CVE-2023-46749" 49704 ], 49705 "database_specific": { 49706 "cwe_ids": [ 49707 "CWE-22" 49708 ], 49709 "github_reviewed": true, 49710 "github_reviewed_at": "2024-01-16T20:34:50Z", 49711 "nvd_published_at": "2024-01-15T10:15:26Z", 49712 "severity": "MODERATE" 49713 }, 49714 "details": "Apache Shiro before 1.130 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting \n\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).\n\n", 49715 "id": "GHSA-jc7h-c423-mpjc", 49716 "modified": "2024-02-16T08:22:28.165745Z", 49717 "published": "2024-01-15T12:30:19Z", 49718 "references": [ 49719 { 49720 "type": "ADVISORY", 49721 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46749" 49722 }, 49723 { 49724 "type": "WEB", 49725 "url": "https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm" 49726 } 49727 ], 49728 "schema_version": "1.6.0", 49729 
"severity": [ 49730 { 49731 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", 49732 "type": "CVSS_V3" 49733 } 49734 ], 49735 "summary": "Apache Shiro vulnerable to path traversal" 49736 }, 49737 { 49738 "affected": [ 49739 { 49740 "database_specific": { 49741 "last_known_affected_version_range": "\u003c= 1.2.4", 49742 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-p836-389h-j692/GHSA-p836-389h-j692.json" 49743 }, 49744 "package": { 49745 "ecosystem": "Maven", 49746 "name": "org.apache.shiro:shiro-core", 49747 "purl": "pkg:maven/org.apache.shiro/shiro-core" 49748 }, 49749 "ranges": [ 49750 { 49751 "events": [ 49752 { 49753 "introduced": "0" 49754 }, 49755 { 49756 "fixed": "1.2.5" 49757 } 49758 ], 49759 "type": "ECOSYSTEM" 49760 } 49761 ], 49762 "versions": [ 49763 "1.0.0-incubating", 49764 "1.1.0", 49765 "1.2.0", 49766 "1.2.1", 49767 "1.2.2", 49768 "1.2.3", 49769 "1.2.4" 49770 ] 49771 } 49772 ], 49773 "aliases": [ 49774 "CVE-2016-4437" 49775 ], 49776 "database_specific": { 49777 "cwe_ids": [ 49778 "CWE-284" 49779 ], 49780 "github_reviewed": true, 49781 "github_reviewed_at": "2022-07-06T19:56:32Z", 49782 "nvd_published_at": "2016-06-07T14:06:00Z", 49783 "severity": "CRITICAL" 49784 }, 49785 "details": "Apache Shiro before 1.2.5, when a cipher key has not been configured for the \"remember me\" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.", 49786 "id": "GHSA-p836-389h-j692", 49787 "modified": "2024-07-25T14:31:37.024678Z", 49788 "published": "2022-05-14T02:46:17Z", 49789 "references": [ 49790 { 49791 "type": "ADVISORY", 49792 "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4437" 49793 }, 49794 { 49795 "type": "WEB", 49796 "url": "https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E" 49797 }, 49798 { 49799 "type": "WEB", 49800 "url": 
"https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4@%3Cannouncements.aurora.apache.org%3E" 49801 }, 49802 { 49803 "type": "WEB", 49804 "url": "http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html" 49805 }, 49806 { 49807 "type": "WEB", 49808 "url": "http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html" 49809 }, 49810 { 49811 "type": "WEB", 49812 "url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html" 49813 }, 49814 { 49815 "type": "WEB", 49816 "url": "http://rhn.redhat.com/errata/RHSA-2016-2036.html" 49817 }, 49818 { 49819 "type": "WEB", 49820 "url": "http://www.securityfocus.com/archive/1/538570/100/0/threaded" 49821 }, 49822 { 49823 "type": "WEB", 49824 "url": "http://www.securityfocus.com/bid/91024" 49825 } 49826 ], 49827 "schema_version": "1.6.0", 49828 "severity": [ 49829 { 49830 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 49831 "type": "CVSS_V3" 49832 } 49833 ], 49834 "summary": "Improper Access Control in Apache Shiro" 49835 }, 49836 { 49837 "affected": [ 49838 { 49839 "database_specific": { 49840 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-r679-m633-g7wc/GHSA-r679-m633-g7wc.json" 49841 }, 49842 "package": { 49843 "ecosystem": "Maven", 49844 "name": "org.apache.shiro:shiro-core", 49845 "purl": "pkg:maven/org.apache.shiro/shiro-core" 49846 }, 49847 "ranges": [ 49848 { 49849 "events": [ 49850 { 49851 "introduced": "0" 49852 }, 49853 { 49854 "fixed": "1.4.2" 49855 } 49856 ], 49857 "type": "ECOSYSTEM" 49858 } 49859 ], 49860 "versions": [ 49861 "1.0.0-incubating", 49862 "1.1.0", 49863 "1.2.0", 49864 "1.2.1", 49865 "1.2.2", 49866 "1.2.3", 49867 "1.2.4", 49868 "1.2.5", 49869 "1.2.6", 49870 "1.3.0", 49871 "1.3.1", 49872 "1.3.2", 49873 "1.4.0", 49874 "1.4.0-RC2", 49875 "1.4.1" 49876 ] 49877 } 49878 ], 49879 "aliases": [ 49880 "CVE-2019-12422" 49881 ], 49882 "database_specific": 
{ 49883 "cwe_ids": [], 49884 "github_reviewed": true, 49885 "github_reviewed_at": "2020-02-04T21:49:59Z", 49886 "nvd_published_at": "2019-11-18T23:15:00Z", 49887 "severity": "HIGH" 49888 }, 49889 "details": "Apache Shiro before 1.4.2, when using the default \"remember me\" configuration, cookies could be susceptible to a padding attack.", 49890 "id": "GHSA-r679-m633-g7wc", 49891 "modified": "2023-11-08T04:01:05.150202Z", 49892 "published": "2020-02-04T22:36:36Z", 49893 "references": [ 49894 { 49895 "type": "ADVISORY", 49896 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12422" 49897 }, 49898 { 49899 "type": "WEB", 49900 "url": "https://lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c@%3Cdev.shiro.apache.org%3E" 49901 }, 49902 { 49903 "type": "WEB", 49904 "url": "https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E" 49905 } 49906 ], 49907 "schema_version": "1.6.0", 49908 "severity": [ 49909 { 49910 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 49911 "type": "CVSS_V3" 49912 } 49913 ], 49914 "summary": "Improper input validation in Apache Shiro" 49915 }, 49916 { 49917 "affected": [ 49918 { 49919 "database_specific": { 49920 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3jx9-mgwx-4q83/GHSA-3jx9-mgwx-4q83.json" 49921 }, 49922 "package": { 49923 "ecosystem": "Maven", 49924 "name": "org.apache.shiro:shiro-root", 49925 "purl": "pkg:maven/org.apache.shiro/shiro-root" 49926 }, 49927 "ranges": [ 49928 { 49929 "events": [ 49930 { 49931 "introduced": "0" 49932 }, 49933 { 49934 "fixed": "1.1.0" 49935 } 49936 ], 49937 "type": "ECOSYSTEM" 49938 } 49939 ], 49940 "versions": [ 49941 "1.0.0-incubating" 49942 ] 49943 } 49944 ], 49945 "aliases": [ 49946 "CVE-2010-3863" 49947 ], 49948 "database_specific": { 49949 "cwe_ids": [ 49950 "CWE-22" 49951 ], 49952 "github_reviewed": true, 49953 "github_reviewed_at": 
"2024-02-07T22:57:26Z", 49954 "nvd_published_at": "2010-11-05T17:00:00Z", 49955 "severity": "MODERATE" 49956 }, 49957 "details": "Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.", 49958 "id": "GHSA-3jx9-mgwx-4q83", 49959 "modified": "2024-02-16T08:20:45.984208Z", 49960 "published": "2022-05-14T02:42:51Z", 49961 "references": [ 49962 { 49963 "type": "ADVISORY", 49964 "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3863" 49965 }, 49966 { 49967 "type": "WEB", 49968 "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/62959" 49969 }, 49970 { 49971 "type": "PACKAGE", 49972 "url": "https://github.com/apache/shiro" 49973 }, 49974 { 49975 "type": "WEB", 49976 "url": "https://web.archive.org/web/20101120091718/http://www.vupen.com/english/advisories/2010/2888" 49977 }, 49978 { 49979 "type": "WEB", 49980 "url": "https://web.archive.org/web/20101129043410/http://secunia.com/advisories/41989" 49981 }, 49982 { 49983 "type": "WEB", 49984 "url": "https://web.archive.org/web/20110929165859/http://www.securityfocus.com/bid/44616" 49985 }, 49986 { 49987 "type": "WEB", 49988 "url": "https://web.archive.org/web/20161017000748/http://www.securityfocus.com/archive/1/514616/100/0/threaded" 49989 }, 49990 { 49991 "type": "WEB", 49992 "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html" 49993 } 49994 ], 49995 "schema_version": "1.6.0", 49996 "summary": "Apache Shiro Path Traversal vulnerability" 49997 }, 49998 { 49999 "affected": [ 50000 { 50001 "database_specific": { 50002 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-7cxr-h8wm-fg4c/GHSA-7cxr-h8wm-fg4c.json" 50003 }, 50004 "package": { 50005 "ecosystem": "Maven", 50006 "name": "org.apache.shiro:shiro-root", 50007 
"purl": "pkg:maven/org.apache.shiro/shiro-root" 50008 }, 50009 "ranges": [ 50010 { 50011 "events": [ 50012 { 50013 "introduced": "0" 50014 }, 50015 { 50016 "fixed": "1.11.0" 50017 } 50018 ], 50019 "type": "ECOSYSTEM" 50020 } 50021 ], 50022 "versions": [ 50023 "1.0.0-incubating", 50024 "1.1.0", 50025 "1.10.0", 50026 "1.10.1", 50027 "1.2.0", 50028 "1.2.1", 50029 "1.2.2", 50030 "1.2.3", 50031 "1.2.4", 50032 "1.2.5", 50033 "1.2.6", 50034 "1.3.0", 50035 "1.3.1", 50036 "1.3.2", 50037 "1.4.0", 50038 "1.4.0-RC2", 50039 "1.4.1", 50040 "1.4.2", 50041 "1.5.0", 50042 "1.5.1", 50043 "1.5.2", 50044 "1.5.3", 50045 "1.6.0", 50046 "1.7.0", 50047 "1.7.1", 50048 "1.8.0", 50049 "1.9.0", 50050 "1.9.1" 50051 ] 50052 } 50053 ], 50054 "aliases": [ 50055 "CVE-2023-22602" 50056 ], 50057 "database_specific": { 50058 "cwe_ids": [ 50059 "CWE-436" 50060 ], 50061 "github_reviewed": true, 50062 "github_reviewed_at": "2023-01-20T21:50:25Z", 50063 "nvd_published_at": "2023-01-14T10:15:00Z", 50064 "severity": "HIGH" 50065 }, 50066 "details": "When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot \u003c 2.6 default to Ant style pattern matching. 
Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher` ", 50067 "id": "GHSA-7cxr-h8wm-fg4c", 50068 "modified": "2024-02-16T08:23:48.417435Z", 50069 "published": "2023-01-14T12:30:23Z", 50070 "references": [ 50071 { 50072 "type": "ADVISORY", 50073 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22602" 50074 }, 50075 { 50076 "type": "PACKAGE", 50077 "url": "https://github.com/apache/shiro" 50078 }, 50079 { 50080 "type": "WEB", 50081 "url": "https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl" 50082 } 50083 ], 50084 "schema_version": "1.6.0", 50085 "severity": [ 50086 { 50087 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 50088 "type": "CVSS_V3" 50089 } 50090 ], 50091 "summary": "Apache Shiro Interpretation Conflict vulnerability" 50092 }, 50093 { 50094 "affected": [ 50095 { 50096 "database_specific": { 50097 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4q2v-j639-cp7p/GHSA-4q2v-j639-cp7p.json" 50098 }, 50099 "package": { 50100 "ecosystem": "Maven", 50101 "name": "org.apache.shiro:shiro-all", 50102 "purl": "pkg:maven/org.apache.shiro/shiro-all" 50103 }, 50104 "ranges": [ 50105 { 50106 "events": [ 50107 { 50108 "introduced": "0" 50109 }, 50110 { 50111 "fixed": "1.3.2" 50112 } 50113 ], 50114 "type": "ECOSYSTEM" 50115 } 50116 ], 50117 "versions": [ 50118 "1.0.0-incubating", 50119 "1.1.0", 50120 "1.2.0", 50121 "1.2.1", 50122 "1.2.2", 50123 "1.2.3", 50124 "1.2.4", 50125 "1.2.5", 50126 "1.2.6", 50127 "1.3.0", 50128 "1.3.1" 50129 ] 50130 }, 50131 { 50132 "database_specific": { 50133 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4q2v-j639-cp7p/GHSA-4q2v-j639-cp7p.json" 50134 }, 50135 "package": { 50136 "ecosystem": "Maven", 50137 "name": "org.apache.shiro:shiro-web", 50138 "purl": "pkg:maven/org.apache.shiro/shiro-web" 50139 }, 50140 
"ranges": [ 50141 { 50142 "events": [ 50143 { 50144 "introduced": "0" 50145 }, 50146 { 50147 "fixed": "1.3.2" 50148 } 50149 ], 50150 "type": "ECOSYSTEM" 50151 } 50152 ], 50153 "versions": [ 50154 "1.0.0-incubating", 50155 "1.1.0", 50156 "1.2.0", 50157 "1.2.1", 50158 "1.2.2", 50159 "1.2.3", 50160 "1.2.4", 50161 "1.2.5", 50162 "1.2.6", 50163 "1.3.0", 50164 "1.3.1" 50165 ] 50166 } 50167 ], 50168 "aliases": [ 50169 "CVE-2016-6802" 50170 ], 50171 "database_specific": { 50172 "cwe_ids": [ 50173 "CWE-284" 50174 ], 50175 "github_reviewed": true, 50176 "github_reviewed_at": "2022-11-04T22:45:53Z", 50177 "nvd_published_at": "2016-09-20T19:59:00Z", 50178 "severity": "HIGH" 50179 }, 50180 "details": "Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.", 50181 "id": "GHSA-4q2v-j639-cp7p", 50182 "modified": "2023-11-08T03:58:33.527856Z", 50183 "published": "2022-05-14T02:46:12Z", 50184 "references": [ 50185 { 50186 "type": "ADVISORY", 50187 "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6802" 50188 }, 50189 { 50190 "type": "WEB", 50191 "url": "https://github.com/apache/shiro/commit/b15ab927709ca18ea4a02538be01919a19ab65af" 50192 }, 50193 { 50194 "type": "WEB", 50195 "url": "https://issues.apache.org/jira/browse/SHIRO-584" 50196 }, 50197 { 50198 "type": "WEB", 50199 "url": "https://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html" 50200 } 50201 ], 50202 "schema_version": "1.6.0", 50203 "severity": [ 50204 { 50205 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 50206 "type": "CVSS_V3" 50207 } 50208 ], 50209 "summary": "Improper Access Control in Apache Shiro" 50210 }, 50211 { 50212 "affected": [ 50213 { 50214 "database_specific": { 50215 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-hhw5-c326-822h/GHSA-hhw5-c326-822h.json" 50216 }, 50217 "package": { 50218 "ecosystem": "Maven", 50219 "name": 
"org.apache.shiro:shiro-web", 50220 "purl": "pkg:maven/org.apache.shiro/shiro-web" 50221 }, 50222 "ranges": [ 50223 { 50224 "events": [ 50225 { 50226 "introduced": "0" 50227 }, 50228 { 50229 "fixed": "1.13.0" 50230 } 50231 ], 50232 "type": "ECOSYSTEM" 50233 } 50234 ], 50235 "versions": [ 50236 "1.0.0-incubating", 50237 "1.1.0", 50238 "1.10.0", 50239 "1.10.1", 50240 "1.11.0", 50241 "1.12.0", 50242 "1.2.0", 50243 "1.2.1", 50244 "1.2.2", 50245 "1.2.3", 50246 "1.2.4", 50247 "1.2.5", 50248 "1.2.6", 50249 "1.3.0", 50250 "1.3.1", 50251 "1.3.2", 50252 "1.4.0", 50253 "1.4.0-RC2", 50254 "1.4.1", 50255 "1.4.2", 50256 "1.5.0", 50257 "1.5.1", 50258 "1.5.2", 50259 "1.5.3", 50260 "1.6.0", 50261 "1.7.0", 50262 "1.7.1", 50263 "1.8.0", 50264 "1.9.0", 50265 "1.9.1" 50266 ] 50267 }, 50268 { 50269 "database_specific": { 50270 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-hhw5-c326-822h/GHSA-hhw5-c326-822h.json" 50271 }, 50272 "package": { 50273 "ecosystem": "Maven", 50274 "name": "org.apache.shiro:shiro-web", 50275 "purl": "pkg:maven/org.apache.shiro/shiro-web" 50276 }, 50277 "ranges": [ 50278 { 50279 "events": [ 50280 { 50281 "introduced": "2.0.0-alpha-1" 50282 }, 50283 { 50284 "fixed": "2.0.0-alpha-4" 50285 } 50286 ], 50287 "type": "ECOSYSTEM" 50288 } 50289 ], 50290 "versions": [ 50291 "2.0.0-alpha-1", 50292 "2.0.0-alpha-2", 50293 "2.0.0-alpha-3" 50294 ] 50295 } 50296 ], 50297 "aliases": [ 50298 "CVE-2023-46750" 50299 ], 50300 "database_specific": { 50301 "cwe_ids": [ 50302 "CWE-601" 50303 ], 50304 "github_reviewed": true, 50305 "github_reviewed_at": "2023-12-15T03:11:05Z", 50306 "nvd_published_at": "2023-12-14T09:15:42Z", 50307 "severity": "MODERATE" 50308 }, 50309 "details": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability when \"form\" authentication is used in Apache Shiro.\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.\n", 50310 "id": "GHSA-hhw5-c326-822h", 50311 "modified": 
"2024-02-16T08:13:45.335614Z", 50312 "published": "2023-12-14T09:30:19Z", 50313 "references": [ 50314 { 50315 "type": "ADVISORY", 50316 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46750" 50317 }, 50318 { 50319 "type": "WEB", 50320 "url": "https://github.com/apache/shiro/commit/3b80f5c8e5a95ba31e92e4825ecc0ba3148b555a" 50321 }, 50322 { 50323 "type": "WEB", 50324 "url": "https://github.com/apache/shiro/commit/8400d08d5eac0bc4fae99d28c5adc82dd8a86eda" 50325 }, 50326 { 50327 "type": "PACKAGE", 50328 "url": "https://github.com/apache/shiro" 50329 }, 50330 { 50331 "type": "WEB", 50332 "url": "https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9" 50333 } 50334 ], 50335 "schema_version": "1.6.0", 50336 "severity": [ 50337 { 50338 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 50339 "type": "CVSS_V3" 50340 } 50341 ], 50342 "summary": "Open redirect in Apache Shiro" 50343 }, 50344 { 50345 "affected": [ 50346 { 50347 "database_specific": { 50348 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-pmhc-2g4f-85cg/GHSA-pmhc-2g4f-85cg.json" 50349 }, 50350 "package": { 50351 "ecosystem": "Maven", 50352 "name": "org.apache.shiro:shiro-web", 50353 "purl": "pkg:maven/org.apache.shiro/shiro-web" 50354 }, 50355 "ranges": [ 50356 { 50357 "events": [ 50358 { 50359 "introduced": "0" 50360 }, 50361 { 50362 "fixed": "1.12.0" 50363 } 50364 ], 50365 "type": "ECOSYSTEM" 50366 } 50367 ], 50368 "versions": [ 50369 "1.0.0-incubating", 50370 "1.1.0", 50371 "1.10.0", 50372 "1.10.1", 50373 "1.11.0", 50374 "1.2.0", 50375 "1.2.1", 50376 "1.2.2", 50377 "1.2.3", 50378 "1.2.4", 50379 "1.2.5", 50380 "1.2.6", 50381 "1.3.0", 50382 "1.3.1", 50383 "1.3.2", 50384 "1.4.0", 50385 "1.4.0-RC2", 50386 "1.4.1", 50387 "1.4.2", 50388 "1.5.0", 50389 "1.5.1", 50390 "1.5.2", 50391 "1.5.3", 50392 "1.6.0", 50393 "1.7.0", 50394 "1.7.1", 50395 "1.8.0", 50396 "1.9.0", 50397 "1.9.1" 50398 ] 50399 }, 50400 { 50401 "database_specific": { 50402 
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-pmhc-2g4f-85cg/GHSA-pmhc-2g4f-85cg.json" 50403 }, 50404 "package": { 50405 "ecosystem": "Maven", 50406 "name": "org.apache.shiro:shiro-web", 50407 "purl": "pkg:maven/org.apache.shiro/shiro-web" 50408 }, 50409 "ranges": [ 50410 { 50411 "events": [ 50412 { 50413 "introduced": "2.0.0-alpha-1" 50414 }, 50415 { 50416 "fixed": "2.0.0-alpha-3" 50417 } 50418 ], 50419 "type": "ECOSYSTEM" 50420 } 50421 ], 50422 "versions": [ 50423 "2.0.0-alpha-1", 50424 "2.0.0-alpha-2" 50425 ] 50426 } 50427 ], 50428 "aliases": [ 50429 "CVE-2023-34478" 50430 ], 50431 "database_specific": { 50432 "cwe_ids": [ 50433 "CWE-22" 50434 ], 50435 "github_reviewed": true, 50436 "github_reviewed_at": "2023-07-25T13:51:45Z", 50437 "nvd_published_at": "2023-07-24T19:15:10Z", 50438 "severity": "CRITICAL" 50439 }, 50440 "details": "Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.\n\nMitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+\n", 50441 "id": "GHSA-pmhc-2g4f-85cg", 50442 "modified": "2024-02-20T05:31:25.133983Z", 50443 "published": "2023-07-24T21:30:39Z", 50444 "references": [ 50445 { 50446 "type": "ADVISORY", 50447 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34478" 50448 }, 50449 { 50450 "type": "WEB", 50451 "url": "https://github.com/apache/shiro/commit/c3ede3f94efb442acb0795714a022c2c121d1da0" 50452 }, 50453 { 50454 "type": "PACKAGE", 50455 "url": "https://github.com/apache/shiro" 50456 }, 50457 { 50458 "type": "WEB", 50459 "url": "https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk" 50460 }, 50461 { 50462 "type": "WEB", 50463 "url": "https://security.netapp.com/advisory/ntap-20230915-0005" 50464 }, 50465 { 50466 "type": "WEB", 50467 "url": 
"http://www.openwall.com/lists/oss-security/2023/07/24/4" 50468 } 50469 ], 50470 "schema_version": "1.6.0", 50471 "severity": [ 50472 { 50473 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 50474 "type": "CVSS_V3" 50475 } 50476 ], 50477 "summary": "Path Traversal in Apache Shiro" 50478 }, 50479 { 50480 "affected": [ 50481 { 50482 "database_specific": { 50483 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-v98j-7crc-wvrj/GHSA-v98j-7crc-wvrj.json" 50484 }, 50485 "package": { 50486 "ecosystem": "Maven", 50487 "name": "org.apache.shiro:shiro-web", 50488 "purl": "pkg:maven/org.apache.shiro/shiro-web" 50489 }, 50490 "ranges": [ 50491 { 50492 "events": [ 50493 { 50494 "introduced": "0" 50495 }, 50496 { 50497 "fixed": "1.7.1" 50498 } 50499 ], 50500 "type": "ECOSYSTEM" 50501 } 50502 ], 50503 "versions": [ 50504 "1.0.0-incubating", 50505 "1.1.0", 50506 "1.2.0", 50507 "1.2.1", 50508 "1.2.2", 50509 "1.2.3", 50510 "1.2.4", 50511 "1.2.5", 50512 "1.2.6", 50513 "1.3.0", 50514 "1.3.1", 50515 "1.3.2", 50516 "1.4.0", 50517 "1.4.0-RC2", 50518 "1.4.1", 50519 "1.4.2", 50520 "1.5.0", 50521 "1.5.1", 50522 "1.5.2", 50523 "1.5.3", 50524 "1.6.0", 50525 "1.7.0" 50526 ] 50527 }, 50528 { 50529 "database_specific": { 50530 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-v98j-7crc-wvrj/GHSA-v98j-7crc-wvrj.json" 50531 }, 50532 "package": { 50533 "ecosystem": "Maven", 50534 "name": "org.apache.shiro:shiro-spring", 50535 "purl": "pkg:maven/org.apache.shiro/shiro-spring" 50536 }, 50537 "ranges": [ 50538 { 50539 "events": [ 50540 { 50541 "introduced": "0" 50542 }, 50543 { 50544 "fixed": "1.7.1" 50545 } 50546 ], 50547 "type": "ECOSYSTEM" 50548 } 50549 ], 50550 "versions": [ 50551 "1.0.0-incubating", 50552 "1.1.0", 50553 "1.2.0", 50554 "1.2.1", 50555 "1.2.2", 50556 "1.2.3", 50557 "1.2.4", 50558 "1.2.5", 50559 "1.2.6", 50560 "1.3.0", 50561 "1.3.1", 50562 "1.3.2", 50563 "1.4.0", 50564 
"1.4.0-RC2", 50565 "1.4.1", 50566 "1.4.2", 50567 "1.5.0", 50568 "1.5.1", 50569 "1.5.2", 50570 "1.5.3", 50571 "1.6.0", 50572 "1.7.0" 50573 ] 50574 }, 50575 { 50576 "database_specific": { 50577 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-v98j-7crc-wvrj/GHSA-v98j-7crc-wvrj.json" 50578 }, 50579 "package": { 50580 "ecosystem": "Maven", 50581 "name": "org.apache.shiro:shiro-spring-boot-starter", 50582 "purl": "pkg:maven/org.apache.shiro/shiro-spring-boot-starter" 50583 }, 50584 "ranges": [ 50585 { 50586 "events": [ 50587 { 50588 "introduced": "0" 50589 }, 50590 { 50591 "fixed": "1.7.1" 50592 } 50593 ], 50594 "type": "ECOSYSTEM" 50595 } 50596 ], 50597 "versions": [ 50598 "1.4.0", 50599 "1.4.0-RC2", 50600 "1.4.1", 50601 "1.4.2", 50602 "1.5.0", 50603 "1.5.1", 50604 "1.5.2", 50605 "1.5.3", 50606 "1.6.0", 50607 "1.7.0" 50608 ] 50609 } 50610 ], 50611 "aliases": [ 50612 "CVE-2020-17523" 50613 ], 50614 "database_specific": { 50615 "cwe_ids": [ 50616 "CWE-287" 50617 ], 50618 "github_reviewed": true, 50619 "github_reviewed_at": "2021-04-05T21:20:26Z", 50620 "nvd_published_at": "2021-02-03T17:15:00Z", 50621 "severity": "CRITICAL" 50622 }, 50623 "details": "Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.", 50624 "id": "GHSA-v98j-7crc-wvrj", 50625 "modified": "2023-11-08T04:02:42.580112Z", 50626 "published": "2022-02-09T22:03:57Z", 50627 "references": [ 50628 { 50629 "type": "ADVISORY", 50630 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17523" 50631 }, 50632 { 50633 "type": "WEB", 50634 "url": "https://github.com/apache/shiro/pull/263" 50635 }, 50636 { 50637 "type": "WEB", 50638 "url": "https://issues.apache.org/jira/browse/SHIRO-797" 50639 }, 50640 { 50641 "type": "WEB", 50642 "url": "https://lists.apache.org/thread.html/r5b93ddf97e2c4cda779d22fab30539bdec454cfa5baec4ad0ffae235@%3Cgitbox.activemq.apache.org%3E" 50643 }, 50644 { 50645 
"type": "WEB", 50646 "url": "https://lists.apache.org/thread.html/r679ca97813384bdb1a4c087810ba44d9ad9c7c11583979bb7481d196@%3Cdev.shiro.apache.org%3E" 50647 }, 50648 { 50649 "type": "WEB", 50650 "url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E" 50651 }, 50652 { 50653 "type": "WEB", 50654 "url": "https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E" 50655 }, 50656 { 50657 "type": "WEB", 50658 "url": "https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E" 50659 }, 50660 { 50661 "type": "WEB", 50662 "url": "https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E" 50663 }, 50664 { 50665 "type": "WEB", 50666 "url": "https://lists.apache.org/thread.html/rd4b613e121438b97e3eb263cac3137caddb1dbd8f648b73a4f1898a6@%3Cissues.activemq.apache.org%3E" 50667 }, 50668 { 50669 "type": "WEB", 50670 "url": "https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E" 50671 }, 50672 { 50673 "type": "WEB", 50674 "url": "http://shiro.apache.org/download.html" 50675 } 50676 ], 50677 "schema_version": "1.6.0", 50678 "severity": [ 50679 { 50680 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 50681 "type": "CVSS_V3" 50682 } 50683 ], 50684 "summary": "Authentication bypass in Apache Shiro" 50685 }, 50686 { 50687 "affected": [ 50688 { 50689 "database_specific": { 50690 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-6x4w-8w53-xrvv/GHSA-6x4w-8w53-xrvv.json" 50691 }, 50692 "package": { 50693 "ecosystem": "Maven", 50694 "name": "org.apache.taglibs:taglibs-standard", 50695 "purl": "pkg:maven/org.apache.taglibs/taglibs-standard" 50696 }, 50697 "ranges": [ 50698 { 50699 "events": [ 
50700 { 50701 "introduced": "0" 50702 }, 50703 { 50704 "fixed": "1.2.3" 50705 } 50706 ], 50707 "type": "ECOSYSTEM" 50708 } 50709 ], 50710 "versions": [ 50711 "1.2.1" 50712 ] 50713 }, 50714 { 50715 "database_specific": { 50716 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-6x4w-8w53-xrvv/GHSA-6x4w-8w53-xrvv.json" 50717 }, 50718 "package": { 50719 "ecosystem": "Maven", 50720 "name": "org.apache.taglibs:taglibs-standard-impl", 50721 "purl": "pkg:maven/org.apache.taglibs/taglibs-standard-impl" 50722 }, 50723 "ranges": [ 50724 { 50725 "events": [ 50726 { 50727 "introduced": "0" 50728 }, 50729 { 50730 "fixed": "1.2.3" 50731 } 50732 ], 50733 "type": "ECOSYSTEM" 50734 } 50735 ], 50736 "versions": [ 50737 "1.2.1" 50738 ] 50739 } 50740 ], 50741 "aliases": [ 50742 "CVE-2015-0254" 50743 ], 50744 "database_specific": { 50745 "cwe_ids": [ 50746 "CWE-611" 50747 ], 50748 "github_reviewed": true, 50749 "github_reviewed_at": "2020-09-14T18:42:48Z", 50750 "nvd_published_at": "2015-03-09T14:59:00Z", 50751 "severity": "HIGH" 50752 }, 50753 "details": "Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) \u003cx:parse\u003e or (2) \u003cx:transform\u003e JSTL XML tag.", 50754 "id": "GHSA-6x4w-8w53-xrvv", 50755 "modified": "2023-11-08T03:57:48.103924Z", 50756 "published": "2020-09-14T18:44:01Z", 50757 "references": [ 50758 { 50759 "type": "ADVISORY", 50760 "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0254" 50761 }, 50762 { 50763 "type": "WEB", 50764 "url": "https://access.redhat.com/errata/RHSA-2016:1376" 50765 }, 50766 { 50767 "type": "WEB", 50768 "url": "https://lists.apache.org/thread.html/8a20e48acb2a40be5130df91cf9d39d8ad93181989413d4abcaa4914@%3Cdev.tomcat.apache.org%3E" 50769 }, 50770 { 50771 "type": "WEB", 50772 "url": 
"https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@%3Cdev.tomcat.apache.org%3E" 50773 }, 50774 { 50775 "type": "WEB", 50776 "url": "https://lists.apache.org/thread.html/r6c93d8ade3788dbc00f5a37238bc278e7d859f2446b885460783a16f@%3Cpluto-dev.portals.apache.org%3E" 50777 }, 50778 { 50779 "type": "WEB", 50780 "url": "https://lists.apache.org/thread.html/rc1686f6196bb9063bf26577a21b8033c19c1a30e5a9159869c8f3d38@%3Cpluto-dev.portals.apache.org%3E" 50781 }, 50782 { 50783 "type": "WEB", 50784 "url": "https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220@%3Cdev.tomcat.apache.org%3E" 50785 }, 50786 { 50787 "type": "WEB", 50788 "url": "https://lists.apache.org/thread.html/rf1179e6971bc46f0f68879a9a10cc97ad4424451b0889aeef04c8077@%3Cpluto-scm.portals.apache.org%3E" 50789 }, 50790 { 50791 "type": "WEB", 50792 "url": "https://lists.apache.org/thread.html/rfc2bfd99c340dafd501676693cd889c1f9f838b97bdd0776a8f5557d@%3Cdev.tomcat.apache.org%3E" 50793 }, 50794 { 50795 "type": "WEB", 50796 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 50797 }, 50798 { 50799 "type": "WEB", 50800 "url": "http://lists.opensuse.org/opensuse-updates/2015-10/msg00033.html" 50801 }, 50802 { 50803 "type": "WEB", 50804 "url": "http://mail-archives.apache.org/mod_mbox/tomcat-taglibs-user/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A%40apache.org%3E" 50805 }, 50806 { 50807 "type": "WEB", 50808 "url": "http://packetstormsecurity.com/files/130575/Apache-Standard-Taglibs-1.2.1-XXE-Remote-Command-Execution.html" 50809 }, 50810 { 50811 "type": "WEB", 50812 "url": "http://rhn.redhat.com/errata/RHSA-2015-1695.html" 50813 }, 50814 { 50815 "type": "WEB", 50816 "url": "http://rhn.redhat.com/errata/RHSA-2016-1838.html" 50817 }, 50818 { 50819 "type": "WEB", 50820 "url": "http://rhn.redhat.com/errata/RHSA-2016-1839.html" 50821 }, 50822 { 50823 "type": "WEB", 50824 "url": 
"http://rhn.redhat.com/errata/RHSA-2016-1840.html" 50825 }, 50826 { 50827 "type": "WEB", 50828 "url": "http://rhn.redhat.com/errata/RHSA-2016-1841.html" 50829 }, 50830 { 50831 "type": "WEB", 50832 "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" 50833 }, 50834 { 50835 "type": "WEB", 50836 "url": "http://www.securityfocus.com/archive/1/534772/100/0/threaded" 50837 }, 50838 { 50839 "type": "WEB", 50840 "url": "http://www.securityfocus.com/bid/72809" 50841 }, 50842 { 50843 "type": "WEB", 50844 "url": "http://www.securitytracker.com/id/1034934" 50845 }, 50846 { 50847 "type": "WEB", 50848 "url": "http://www.ubuntu.com/usn/USN-2551-1" 50849 } 50850 ], 50851 "schema_version": "1.6.0", 50852 "summary": "XXE in Apache Standard Taglibs" 50853 }, 50854 { 50855 "affected": [ 50856 { 50857 "database_specific": { 50858 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-g2fg-mr77-6vrm/GHSA-g2fg-mr77-6vrm.json" 50859 }, 50860 "package": { 50861 "ecosystem": "Maven", 50862 "name": "org.apache.thrift:libthrift", 50863 "purl": "pkg:maven/org.apache.thrift/libthrift" 50864 }, 50865 "ranges": [ 50866 { 50867 "events": [ 50868 { 50869 "introduced": "0.9.3" 50870 }, 50871 { 50872 "fixed": "0.14.0" 50873 } 50874 ], 50875 "type": "ECOSYSTEM" 50876 } 50877 ], 50878 "versions": [ 50879 "0.10.0", 50880 "0.11.0", 50881 "0.12.0", 50882 "0.13.0", 50883 "0.9.3", 50884 "0.9.3-1" 50885 ] 50886 } 50887 ], 50888 "aliases": [ 50889 "CVE-2020-13949" 50890 ], 50891 "database_specific": { 50892 "cwe_ids": [ 50893 "CWE-400" 50894 ], 50895 "github_reviewed": true, 50896 "github_reviewed_at": "2021-03-12T19:44:27Z", 50897 "nvd_published_at": "2021-02-12T20:15:00Z", 50898 "severity": "HIGH" 50899 }, 50900 "details": "In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.", 50901 "id": 
"GHSA-g2fg-mr77-6vrm", 50902 "modified": "2024-03-15T05:31:48.921973Z", 50903 "published": "2021-03-12T21:33:55Z", 50904 "references": [ 50905 { 50906 "type": "ADVISORY", 50907 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13949" 50908 }, 50909 { 50910 "type": "WEB", 50911 "url": "https://github.com/apache/hbase/pull/2958" 50912 }, 50913 { 50914 "type": "WEB", 50915 "url": "https://lists.apache.org/thread.html/rb3574bc1036b577b265be510e6b208f0a5d5d84cd7198347dc8482df@%3Cissues.hbase.apache.org%3E" 50916 }, 50917 { 50918 "type": "WEB", 50919 "url": "https://lists.apache.org/thread.html/raea1bb8cf2eb39c5e10543f547bdbbdbb563c2ac6377652f161d4e37@%3Ccommits.druid.apache.org%3E" 50920 }, 50921 { 50922 "type": "WEB", 50923 "url": "https://lists.apache.org/thread.html/rae95c2234b6644bfd666b2671a1b42a09f38514d0f27cca3c7d5d55a@%3Cissues.hbase.apache.org%3E" 50924 }, 50925 { 50926 "type": "WEB", 50927 "url": "https://lists.apache.org/thread.html/rada9d2244a66ede0be29afc5d5f178a209f9988db56b9b845d955741@%3Ccommits.hbase.apache.org%3E" 50928 }, 50929 { 50930 "type": "WEB", 50931 "url": "https://lists.apache.org/thread.html/rad635e16b300cf434280001ee6ecd2ed2c70987bf16eb862bfa86e02@%3Cissues.hbase.apache.org%3E" 50932 }, 50933 { 50934 "type": "WEB", 50935 "url": "https://lists.apache.org/thread.html/race178e9500ab8a5a6112667d27c48559150cadb60f2814bc67c40af@%3Cissues.hbase.apache.org%3E" 50936 }, 50937 { 50938 "type": "WEB", 50939 "url": "https://lists.apache.org/thread.html/ra9f7c755790313e1adb95d29794043fb102029e803daf4212ae18063@%3Cissues.solr.apache.org%3E" 50940 }, 50941 { 50942 "type": "WEB", 50943 "url": "https://lists.apache.org/thread.html/ra7371efd8363c1cd0f5331aafd359a808cf7277472b8616d7b392128@%3Cissues.hbase.apache.org%3E" 50944 }, 50945 { 50946 "type": "WEB", 50947 "url": "https://lists.apache.org/thread.html/ra3f7f06a1759c8e2985ed24ae2f5483393c744c1956d661adc873f2c@%3Cissues.hbase.apache.org%3E" 50948 }, 50949 { 50950 "type": "WEB", 50951 "url": 
"https://lists.apache.org/thread.html/r9ec75f690dd60fec8621ba992290962705d5b7f0d8fd0a42fab0ac9f@%3Cissues.solr.apache.org%3E" 50952 }, 50953 { 50954 "type": "WEB", 50955 "url": "https://lists.apache.org/thread.html/r9b51e7c253cb0989b4c03ed9f4e5f0478e427473357209ccc4d08ebf@%3Cissues.hbase.apache.org%3E" 50956 }, 50957 { 50958 "type": "WEB", 50959 "url": "https://lists.apache.org/thread.html/r995b945cc8f6ec976d8c52d42ba931a688b45fb32cbdde715b6a816a@%3Cuser.thrift.apache.org%3E" 50960 }, 50961 { 50962 "type": "WEB", 50963 "url": "https://lists.apache.org/thread.html/r950ced188d62320fdb84d9e2c6ba896328194952eff7430c4f55e4b0@%3Cissues.hive.apache.org%3E" 50964 }, 50965 { 50966 "type": "WEB", 50967 "url": "https://lists.apache.org/thread.html/r93f23f74315e009f4fb68ef7fc794dceee42cf87fe6613814dcd8c70@%3Cissues.hbase.apache.org%3E" 50968 }, 50969 { 50970 "type": "WEB", 50971 "url": "https://lists.apache.org/thread.html/r90b4473950e26607ed77f3d70f120166f6a36a3f80888e4eeabcaf91@%3Cissues.solr.apache.org%3E" 50972 }, 50973 { 50974 "type": "WEB", 50975 "url": "https://lists.apache.org/thread.html/r8dfbefcd606af6737b62461a45a9af9222040b62eab474ff2287cf75@%3Cissues.hbase.apache.org%3E" 50976 }, 50977 { 50978 "type": "WEB", 50979 "url": "https://lists.apache.org/thread.html/r89fdd39965efb7c6d22bc21c286d203252cea476e1782724aca0748e@%3Cuser.thrift.apache.org%3E" 50980 }, 50981 { 50982 "type": "WEB", 50983 "url": "https://lists.apache.org/thread.html/r890b8ec5203d70a59a6b1289420d46938d9029ed706aa724978789be@%3Cissues.hbase.apache.org%3E" 50984 }, 50985 { 50986 "type": "WEB", 50987 "url": "https://lists.apache.org/thread.html/r8897a41f50d4eb19b268bde99328e943ba586f77779efa6de720c39f@%3Ccommits.druid.apache.org%3E" 50988 }, 50989 { 50990 "type": "WEB", 50991 "url": "https://lists.apache.org/thread.html/r886b6d9a89b6fa0aafbf0a8f8f14351548d6c6f027886a3646dbd075@%3Cissues.solr.apache.org%3E" 50992 }, 50993 { 50994 "type": "WEB", 50995 "url": 
"https://lists.apache.org/thread.html/r869331422580d35b4e65bd74cf3090298c4651bf4f31bfb19ae769da@%3Cissues.solr.apache.org%3E" 50996 }, 50997 { 50998 "type": "WEB", 50999 "url": "https://lists.apache.org/thread.html/r850522c56c05aa06391546bdb530bb8fc3437f2b77d16e571ae73309@%3Cissues.hbase.apache.org%3E" 51000 }, 51001 { 51002 "type": "WEB", 51003 "url": "https://lists.apache.org/thread.html/r812915ecfa541ad2ca65c68a97b2c014dc87141dfaefc4de85049681@%3Ccommits.camel.apache.org%3E" 51004 }, 51005 { 51006 "type": "WEB", 51007 "url": "https://lists.apache.org/thread.html/r7ae909438ff5a2ffed9211e6ab0bd926396fd0b1fc33f31a406ee704@%3Cissues.hbase.apache.org%3E" 51008 }, 51009 { 51010 "type": "WEB", 51011 "url": "https://lists.apache.org/thread.html/r7597683cc8b87a31ec864835225a543dad112d7841bf1f17bf7eb8db@%3Cissues.hbase.apache.org%3E" 51012 }, 51013 { 51014 "type": "WEB", 51015 "url": "https://lists.apache.org/thread.html/r74eb88b422421c65514c23cb9c2b2216efb9254317ea1b6a264fe6dc@%3Ccommits.hbase.apache.org%3E" 51016 }, 51017 { 51018 "type": "WEB", 51019 "url": "https://lists.apache.org/thread.html/r741364444c3b238ab4a161f67f0d3a8f68acc517a39e6a93aa85d753@%3Cissues.hive.apache.org%3E" 51020 }, 51021 { 51022 "type": "WEB", 51023 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 51024 }, 51025 { 51026 "type": "WEB", 51027 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 51028 }, 51029 { 51030 "type": "WEB", 51031 "url": "https://security.gentoo.org/glsa/202107-32" 51032 }, 51033 { 51034 "type": "WEB", 51035 "url": "https://lists.apache.org/thread.html/rfbb01bb85cdc2022f3b96bdc416dbfcb49a2855b3a340aa88b2e1de9@%3Ccommits.druid.apache.org%3E" 51036 }, 51037 { 51038 "type": "WEB", 51039 "url": "https://lists.apache.org/thread.html/rf75979ae0ffd526f3afa935a8f0ee13c82808ea8b2bc0325eb9dcd90@%3Ccommits.camel.apache.org%3E" 51040 }, 51041 { 51042 "type": "WEB", 51043 "url": 
"https://lists.apache.org/thread.html/rf741d08c7e0ab1542c81ea718467422bd01159ed284796a36ad88311@%3Cissues.hbase.apache.org%3E" 51044 }, 51045 { 51046 "type": "WEB", 51047 "url": "https://lists.apache.org/thread.html/rf65df763f630163a3f620887efec082080555cee1adb0b8eaf2c7ddb@%3Cissues.hbase.apache.org%3E" 51048 }, 51049 { 51050 "type": "WEB", 51051 "url": "https://lists.apache.org/thread.html/rf603d25213cfff81d6727c259328846b366fd32a43107637527c9768@%3Cissues.hbase.apache.org%3E" 51052 }, 51053 { 51054 "type": "WEB", 51055 "url": "https://lists.apache.org/thread.html/rf568168e7f83871969928c0379813da6d034485f8b20fa73884816d6@%3Cissues.hbase.apache.org%3E" 51056 }, 51057 { 51058 "type": "WEB", 51059 "url": "https://lists.apache.org/thread.html/rdcf00186c34d69826d9c6b1f010136c98b00a586136de0061f7d267e@%3Cissues.hbase.apache.org%3E" 51060 }, 51061 { 51062 "type": "WEB", 51063 "url": "https://lists.apache.org/thread.html/rdc8e0f92d06decaee5db58de4ded16d80016a7db2240a8db17225c49@%3Cissues.hbase.apache.org%3E" 51064 }, 51065 { 51066 "type": "WEB", 51067 "url": "https://lists.apache.org/thread.html/rd78cdd87d84499a404202f015f55935db3658bd0983ecec81e6b18c6@%3Cissues.hbase.apache.org%3E" 51068 }, 51069 { 51070 "type": "WEB", 51071 "url": "https://lists.apache.org/thread.html/rd49d53b146d94a7d3a135f6b505589655ffec24ea470e345d31351bb@%3Cissues.hbase.apache.org%3E" 51072 }, 51073 { 51074 "type": "WEB", 51075 "url": "https://lists.apache.org/thread.html/rd370fdb419652c5219409b315a6349b07a7e479bd3f151e9a5671774@%3Ccommits.hbase.apache.org%3E" 51076 }, 51077 { 51078 "type": "WEB", 51079 "url": "https://lists.apache.org/thread.html/rd0734d91f16d5b050f0bcff78b4719300042a34fadf5e52d0edf898e@%3Cissues.solr.apache.org%3E" 51080 }, 51081 { 51082 "type": "WEB", 51083 "url": "https://lists.apache.org/thread.html/rcdf62ecd36e39e4ff9c61802eee4927ce9ecff1602eed1493977ef4c@%3Cuser.thrift.apache.org%3E" 51084 }, 51085 { 51086 "type": "WEB", 51087 "url": 
"https://lists.apache.org/thread.html/rcae4c66f67e701db44d742156dee1f3e5e4e07ad7ce10c740a76b669@%3Cissues.hive.apache.org%3E" 51088 }, 51089 { 51090 "type": "WEB", 51091 "url": "https://lists.apache.org/thread.html/rcace846f74ea9e2af2f7c30cef0796724aa74089f109c8029b850163@%3Cdev.hive.apache.org%3E" 51092 }, 51093 { 51094 "type": "WEB", 51095 "url": "https://lists.apache.org/thread.html/rc896ce7761999b088f3adabcb99dde2102b6a66130b8eec6c8265eab@%3Cissues.hbase.apache.org%3E" 51096 }, 51097 { 51098 "type": "WEB", 51099 "url": "https://lists.apache.org/thread.html/rc7a79b08822337c68705f16ee7ddcfd352313b836e78a4b86c7a7e3d@%3Cissues.hbase.apache.org%3E" 51100 }, 51101 { 51102 "type": "WEB", 51103 "url": "https://lists.apache.org/thread.html/rc7a241e0af086b226ff9ccabc4a243d206f0f887037994bfd8fcaaeb@%3Ccommits.druid.apache.org%3E" 51104 }, 51105 { 51106 "type": "WEB", 51107 "url": "https://lists.apache.org/thread.html/rc48ab5455bdece9a4afab53ca0f1e4f742d5baacb241323454a87b4e@%3Cissues.hbase.apache.org%3E" 51108 }, 51109 { 51110 "type": "WEB", 51111 "url": "https://lists.apache.org/thread.html/rbfbb81e7fb5d5009caf25798f02f42a7bd064a316097303ba2f9ed76@%3Ccommits.druid.apache.org%3E" 51112 }, 51113 { 51114 "type": "WEB", 51115 "url": "https://lists.apache.org/thread.html/rbc5cad06a46d23253a3c819229efedecfc05f89ef53f5fdde77a86d6@%3Cuser.thrift.apache.org%3E" 51116 }, 51117 { 51118 "type": "WEB", 51119 "url": "https://lists.apache.org/thread.html/rb91c32194eb5006f0b0c8bcdbd512c13495a1b277d4d51d45687f036@%3Cissues.solr.apache.org%3E" 51120 }, 51121 { 51122 "type": "WEB", 51123 "url": "https://lists.apache.org/thread.html/rb51977d392b01434b0b5df5c19b9ad5b6178cfea59e676c14f24c053@%3Cissues.hive.apache.org%3E" 51124 }, 51125 { 51126 "type": "WEB", 51127 "url": "https://lists.apache.org/thread.html/rb44ec04e5a9b1f87fef97bb5f054010cbfaa3b8586472a3a38a16fca@%3Cissues.hbase.apache.org%3E" 51128 }, 51129 { 51130 "type": "WEB", 51131 "url": 
"https://lists.apache.org/thread.html/r72c3d1582d50b2ca7dd1ee97e81c847a5cf3458be26d42653c39d7a6@%3Ccommits.camel.apache.org%3E" 51132 }, 51133 { 51134 "type": "WEB", 51135 "url": "https://lists.apache.org/thread.html/r298a25228868ebc0943d56c8f3641212a0962d2dbcf1507d5860038e@%3Cissues.hbase.apache.org%3E" 51136 }, 51137 { 51138 "type": "WEB", 51139 "url": "https://lists.apache.org/thread.html/r286e9a13d3ab0550042997219101cb87871834b8d5ec293b0c60f009@%3Cissues.hbase.apache.org%3E" 51140 }, 51141 { 51142 "type": "WEB", 51143 "url": "https://lists.apache.org/thread.html/r27b7d3d95ffa8498899ef1c9de553d469f8fe857640a3f6e58dba640@%3Cissues.hbase.apache.org%3E" 51144 }, 51145 { 51146 "type": "WEB", 51147 "url": "https://lists.apache.org/thread.html/r278e96edc4bc13efb2cb1620a73e48f569162b833c6bda3e6ea18b80@%3Cissues.hbase.apache.org%3E" 51148 }, 51149 { 51150 "type": "WEB", 51151 "url": "https://lists.apache.org/thread.html/r20f6f8f8cf07986dc5304baed3bf4d8a1c4cf135ff6fe3640be4d7ec@%3Cissues.solr.apache.org%3E" 51152 }, 51153 { 51154 "type": "WEB", 51155 "url": "https://lists.apache.org/thread.html/r1fb2d26b81c64ce96c4fd42b9e6842ff315b02c36518213b6c057350@%3Cissues.hbase.apache.org%3E" 51156 }, 51157 { 51158 "type": "WEB", 51159 "url": "https://lists.apache.org/thread.html/r1dea91f0562e0a960b45b1c5635b2a47b258b77171334276bcf260a7@%3Cissues.hbase.apache.org%3E" 51160 }, 51161 { 51162 "type": "WEB", 51163 "url": "https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E" 51164 }, 51165 { 51166 "type": "WEB", 51167 "url": "https://lists.apache.org/thread.html/r196409cc4df929d540a2e66169104f2b3b258d8bd96b5f083c59ee51@%3Ccommits.camel.apache.org%3E" 51168 }, 51169 { 51170 "type": "WEB", 51171 "url": "https://lists.apache.org/thread.html/r191a9279e2863b68e5496ee4ecd8be0d4fe43b324b934f0d1f106e1d@%3Cissues.hbase.apache.org%3E" 51172 }, 51173 { 51174 "type": "WEB", 51175 "url": 
"https://lists.apache.org/thread.html/r18732bb1343894143d68db58fe4c8f56d9cd221b37f1378ed7373372@%3Cissues.hbase.apache.org%3E" 51176 }, 51177 { 51178 "type": "WEB", 51179 "url": "https://lists.apache.org/thread.html/r17cca685ad53bc8300ee7fcfe874cb784a222343f217dd076e7dc1b6@%3Ccommits.camel.apache.org%3E" 51180 }, 51181 { 51182 "type": "WEB", 51183 "url": "https://lists.apache.org/thread.html/r179119bbfb5610499286a84c316f6789c5afbfa5340edec6eb28d027@%3Ccommits.druid.apache.org%3E" 51184 }, 51185 { 51186 "type": "WEB", 51187 "url": "https://lists.apache.org/thread.html/r15eed5d21e16a5cce810c1e096ffcffc36cd08c2f78ce2f9b24b4a6a@%3Cissues.hive.apache.org%3E" 51188 }, 51189 { 51190 "type": "WEB", 51191 "url": "https://lists.apache.org/thread.html/r1504886a550426d3c05772c47b1a6350c3235e51fd1fdffbec43e974@%3Cuser.thrift.apache.org%3E" 51192 }, 51193 { 51194 "type": "WEB", 51195 "url": "https://lists.apache.org/thread.html/r1456eab5f3768be69436d5b0a68b483eb316eb85eb3ef6eba156a302@%3Cissues.hbase.apache.org%3E" 51196 }, 51197 { 51198 "type": "WEB", 51199 "url": "https://lists.apache.org/thread.html/r143ca388b0c83fe659db14be76889d50b453b0ee06f423181f736933@%3Cissues.hbase.apache.org%3E" 51200 }, 51201 { 51202 "type": "WEB", 51203 "url": "https://lists.apache.org/thread.html/r13f40151513ff095a44a86556c65597a7e55c00f5e19764a05530266@%3Cissues.hbase.apache.org%3E" 51204 }, 51205 { 51206 "type": "WEB", 51207 "url": "https://lists.apache.org/thread.html/r12090c81b67d21a814de6cf54428934a5e5613fde222759bbb05e99b@%3Cissues.hive.apache.org%3E" 51208 }, 51209 { 51210 "type": "WEB", 51211 "url": "https://lists.apache.org/thread.html/r117d5d2b08d505b69558a2a31b0a1cf8990cd0385060b147e70e76a9@%3Cissues.hbase.apache.org%3E" 51212 }, 51213 { 51214 "type": "WEB", 51215 "url": "https://lists.apache.org/thread.html/r1084a911dff90b2733b442ee0f5929d19b168035d447f2d25f534fe4@%3Cissues.solr.apache.org%3E" 51216 }, 51217 { 51218 "type": "WEB", 51219 "url": 
"https://lists.apache.org/thread.html/r08a7bd19470ef8950d58cc9d9e7b02bc69c43f56c601989a7729cce5@%3Cissues.hbase.apache.org%3E" 51220 }, 51221 { 51222 "type": "WEB", 51223 "url": "https://lists.apache.org/thread.html/r0372f0af2dad0b76fbd7a6cfdaad29d50384ad48dda475a5026ff9a3@%3Cissues.hbase.apache.org%3E" 51224 }, 51225 { 51226 "type": "WEB", 51227 "url": "https://lists.apache.org/thread.html/r02f7771863383ae993eb83cdfb70c3cb65a355c913242c850f61f1b8@%3Cissues.hbase.apache.org%3E" 51228 }, 51229 { 51230 "type": "WEB", 51231 "url": "https://lists.apache.org/thread.html/r02ba8db500d15a5949e9a7742815438002ba1cf1b361bdda52ed40ca@%3Cissues.hbase.apache.org%3E" 51232 }, 51233 { 51234 "type": "WEB", 51235 "url": "https://lists.apache.org/thread.html/r01b34416677f1ba869525e1b891ac66fa6f88c024ee4d7cdea6b456b@%3Cissues.hbase.apache.org%3E" 51236 }, 51237 { 51238 "type": "PACKAGE", 51239 "url": "https://github.com/apache/hbase" 51240 }, 51241 { 51242 "type": "WEB", 51243 "url": "https://lists.apache.org/thread.html/r6c5b7324274fd361b038c5cc316e99344b7ae20beae7163214fac14d@%3Cissues.hbase.apache.org%3E" 51244 }, 51245 { 51246 "type": "WEB", 51247 "url": "https://lists.apache.org/thread.html/r6ba4f0817f98bf7c1cb314301cb7a24ba11a0b3e7a5be8b0ae3190b0@%3Cissues.solr.apache.org%3E" 51248 }, 51249 { 51250 "type": "WEB", 51251 "url": "https://lists.apache.org/thread.html/r6ae3c68b0bfe430fb32f24236475276b6302bed625b23f53b68748b5@%3Cuser.thrift.apache.org%3E" 51252 }, 51253 { 51254 "type": "WEB", 51255 "url": "https://lists.apache.org/thread.html/r699c031e6921b0ad0f943848e7ba1d0e88c953619d47908618998f76@%3Cissues.hbase.apache.org%3E" 51256 }, 51257 { 51258 "type": "WEB", 51259 "url": "https://lists.apache.org/thread.html/r6990c849aeafe65366794bfd002febd47b7ffa8cf3c059b400bbb11d@%3Cissues.hbase.apache.org%3E" 51260 }, 51261 { 51262 "type": "WEB", 51263 "url": "https://lists.apache.org/thread.html/r668aed02e287c93403e0b8df16089011ee4a96afc8f479809f1fc07f@%3Cissues.hbase.apache.org%3E" 51264 
}, 51265 { 51266 "type": "WEB", 51267 "url": "https://lists.apache.org/thread.html/r635133a74fa07ef3331cae49a9a088365922266edd58099a6162a5d3@%3Cissues.hive.apache.org%3E" 51268 }, 51269 { 51270 "type": "WEB", 51271 "url": "https://lists.apache.org/thread.html/r62aa6d07b23095d980f348d330ed766560f9a9e940fec051f534ce37@%3Cissues.hive.apache.org%3E" 51272 }, 51273 { 51274 "type": "WEB", 51275 "url": "https://lists.apache.org/thread.html/r587b4a5bcbc290269df0906bafba074f3fe4e50d4e959212f56fa7ea@%3Cissues.hbase.apache.org%3E" 51276 }, 51277 { 51278 "type": "WEB", 51279 "url": "https://lists.apache.org/thread.html/r533a172534ae67f6f17c4d33a1b814d3d5ada9ccd4eb442249f33fa2@%3Ccommits.camel.apache.org%3E" 51280 }, 51281 { 51282 "type": "WEB", 51283 "url": "https://lists.apache.org/thread.html/r515e01a30443cfa2dbb355c44c63149869afd684fb7b0344c58fa67b@%3Cissues.hbase.apache.org%3E" 51284 }, 51285 { 51286 "type": "WEB", 51287 "url": "https://lists.apache.org/thread.html/r4fa53eacca2ac38904f38dc226caebb3f2f668b2da887f2fd416f4a7@%3Cissues.hbase.apache.org%3E" 51288 }, 51289 { 51290 "type": "WEB", 51291 "url": "https://lists.apache.org/thread.html/r4d90b6d8de9697beb38814596d3a0d4994fa9aba1f6731a2c648d3ae@%3Cissues.solr.apache.org%3E" 51292 }, 51293 { 51294 "type": "WEB", 51295 "url": "https://lists.apache.org/thread.html/r449288f6a941a2585262e0f4454fdefe169d5faee33314f6f89fab30@%3Cissues.hbase.apache.org%3E" 51296 }, 51297 { 51298 "type": "WEB", 51299 "url": "https://lists.apache.org/thread.html/r43dc2b2e928e9d845b07ac075634cb759d91bb852421dc282f87a74a%40%3Cdev.thrift.apache.org%3E" 51300 }, 51301 { 51302 "type": "WEB", 51303 "url": "https://lists.apache.org/thread.html/r421a9a76811c1aed7637b5fe5376ab14c09ccdd7b70d5211d6e76d1e@%3Cissues.hbase.apache.org%3E" 51304 }, 51305 { 51306 "type": "WEB", 51307 "url": "https://lists.apache.org/thread.html/r409e296c890753296c544a74d4de0d4a3ce719207a5878262fa2bd71@%3Ccommits.hbase.apache.org%3E" 51308 }, 51309 { 51310 "type": "WEB", 51311 
"url": "https://lists.apache.org/thread.html/r3f97dbbbb1b2a7324521208bb595392853714e141a37b8f68d395835@%3Cnotifications.thrift.apache.org%3E" 51312 }, 51313 { 51314 "type": "WEB", 51315 "url": "https://lists.apache.org/thread.html/r3f3e1d562c528b4bafef2dde51f79dd444a4b68ef24920d68068b6f9@%3Cissues.hbase.apache.org%3E" 51316 }, 51317 { 51318 "type": "WEB", 51319 "url": "https://lists.apache.org/thread.html/r3e31ec7e8c39db7553be4f4fd4d27cf27c41f1ba9c985995c4ea9c5a@%3Cnotifications.thrift.apache.org%3E" 51320 }, 51321 { 51322 "type": "WEB", 51323 "url": "https://lists.apache.org/thread.html/r3de0e0c26d4bd00dd28cab27fb44fba11d1c1d20275f7cce71393dd1@%3Cissues.hbase.apache.org%3E" 51324 }, 51325 { 51326 "type": "WEB", 51327 "url": "https://lists.apache.org/thread.html/r3a1291a7ab8ee43db87cb0253371489810877028fc6e7c68dc640926@%3Cissues.hbase.apache.org%3E" 51328 }, 51329 { 51330 "type": "WEB", 51331 "url": "https://lists.apache.org/thread.html/r36581cc7047f007dd6aadbdd34e18545ec2c1eb7ccdae6dd47a877a9@%3Ccommits.pulsar.apache.org%3E" 51332 }, 51333 { 51334 "type": "WEB", 51335 "url": "https://lists.apache.org/thread.html/r3550b61639688e0efbc253c6c3e6358851c1f053109f1c149330b535@%3Cissues.hbase.apache.org%3E" 51336 }, 51337 { 51338 "type": "WEB", 51339 "url": "https://lists.apache.org/thread.html/r2f6a547f226579f542eb08793631d1f2d47d7aed7e2f9d11a4e6af9f@%3Cissues.hbase.apache.org%3E" 51340 }, 51341 { 51342 "type": "WEB", 51343 "url": "https://lists.apache.org/thread.html/r2ed66a3823990306b742b281af1834b9bc85f98259c870b8ffb13d93@%3Cissues.hbase.apache.org%3E" 51344 }, 51345 { 51346 "type": "WEB", 51347 "url": "https://lists.apache.org/thread.html/r2d180180f37c2ab5cebd711d080d01d8452efa8ad43c5d9cd7064621@%3Cissues.hbase.apache.org%3E" 51348 } 51349 ], 51350 "related": [ 51351 "CGA-3pv7-5j5f-w8rx", 51352 "CGA-7fjw-8fvm-77hc" 51353 ], 51354 "schema_version": "1.6.0", 51355 "severity": [ 51356 { 51357 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 51358 "type": 
"CVSS_V3" 51359 } 51360 ], 51361 "summary": "Uncontrolled Resource Consumption in Apache Thrift" 51362 }, 51363 { 51364 "affected": [ 51365 { 51366 "database_specific": { 51367 "last_known_affected_version_range": "\u003c= 0.12.0", 51368 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rj7p-rfgp-852x/GHSA-rj7p-rfgp-852x.json" 51369 }, 51370 "package": { 51371 "ecosystem": "Maven", 51372 "name": "org.apache.thrift:libthrift", 51373 "purl": "pkg:maven/org.apache.thrift/libthrift" 51374 }, 51375 "ranges": [ 51376 { 51377 "events": [ 51378 { 51379 "introduced": "0" 51380 }, 51381 { 51382 "fixed": "0.13.0" 51383 } 51384 ], 51385 "type": "ECOSYSTEM" 51386 } 51387 ], 51388 "versions": [ 51389 "0.10.0", 51390 "0.11.0", 51391 "0.12.0", 51392 "0.6.1", 51393 "0.7.0", 51394 "0.8.0", 51395 "0.9.0", 51396 "0.9.1", 51397 "0.9.2", 51398 "0.9.3", 51399 "0.9.3-1" 51400 ] 51401 } 51402 ], 51403 "aliases": [ 51404 "CVE-2019-0205" 51405 ], 51406 "database_specific": { 51407 "cwe_ids": [ 51408 "CWE-835" 51409 ], 51410 "github_reviewed": true, 51411 "github_reviewed_at": "2022-06-27T16:12:09Z", 51412 "nvd_published_at": "2019-10-29T19:15:00Z", 51413 "severity": "HIGH" 51414 }, 51415 "details": "In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. 
Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.", 51416 "id": "GHSA-rj7p-rfgp-852x", 51417 "modified": "2024-03-10T05:16:21.459619Z", 51418 "published": "2022-05-24T17:00:01Z", 51419 "references": [ 51420 { 51421 "type": "ADVISORY", 51422 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0205" 51423 }, 51424 { 51425 "type": "WEB", 51426 "url": "https://lists.apache.org/thread.html/r4633082b834eebccd0d322697651d931ab10ca9c51ee7ef18e1f60f4@%3Cdev.thrift.apache.org%3E" 51427 }, 51428 { 51429 "type": "WEB", 51430 "url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E" 51431 }, 51432 { 51433 "type": "WEB", 51434 "url": "https://lists.apache.org/thread.html/r50bf84c60867574238d18cdad5da9f303b618114c35566a3a001ae08@%3Cdev.hive.apache.org%3E" 51435 }, 51436 { 51437 "type": "WEB", 51438 "url": "https://lists.apache.org/thread.html/r53c03e1c979b9c628d0d65e0f49dd9a9f9d7572838727ad11b750575@%3Cuser.cassandra.apache.org%3E" 51439 }, 51440 { 51441 "type": "WEB", 51442 "url": "https://lists.apache.org/thread.html/r55609613abab203a1f2c1f3de050b63ae8f5c4a024df0d848d6915ff@%3Ccommits.pulsar.apache.org%3E" 51443 }, 51444 { 51445 "type": "WEB", 51446 "url": "https://lists.apache.org/thread.html/r569b2b3da41ff45bfacfca6787a4a8728edd556e185b69b140181d9d@%3Cdev.thrift.apache.org%3E" 51447 }, 51448 { 51449 "type": "WEB", 51450 "url": "https://lists.apache.org/thread.html/r573029c2f8632e3174b9eea7cd57f9c9df33f2f706450e23fc57750a@%3Ccommits.thrift.apache.org%3E" 51451 }, 51452 { 51453 "type": "WEB", 51454 "url": "https://lists.apache.org/thread.html/r67a704213d13326771f46c84bbd84c8281bb93946e155e0e40abcb4c@%3Ccommits.cassandra.apache.org%3E" 51455 }, 51456 { 51457 "type": "WEB", 51458 "url": 
"https://lists.apache.org/thread.html/r73a3c8b80765e3d2430ff51f22b778d0c917919f01815b69ed16cf9d@%3Cissues.hive.apache.org%3E" 51459 }, 51460 { 51461 "type": "WEB", 51462 "url": "https://lists.apache.org/thread.html/r7859e767c90c8f4971dec50f801372aa64e88f143c3e8a265a36f9b4@%3Cuser.cassandra.apache.org%3E" 51463 }, 51464 { 51465 "type": "WEB", 51466 "url": "https://lists.apache.org/thread.html/r92b7771afee2625209c36727fefdc77033964e9a1daa81ec3327e625@%3Cuser.cassandra.apache.org%3E" 51467 }, 51468 { 51469 "type": "WEB", 51470 "url": "https://lists.apache.org/thread.html/r934f312dd5add7276ac2de684d8b237554ff9f34479a812df5fd6aee@%3Ccommits.cassandra.apache.org%3E" 51471 }, 51472 { 51473 "type": "WEB", 51474 "url": "https://lists.apache.org/thread.html/rab740e5c70424ef79fd095a4b076e752109aeee41c4256c2e5e5e142@%3Ccommits.pulsar.apache.org%3E" 51475 }, 51476 { 51477 "type": "WEB", 51478 "url": "https://lists.apache.org/thread.html/rb139fa1d2714822d8c6e6f3bd6f5d5c91844d313201185c409288fd9@%3Ccommits.cassandra.apache.org%3E" 51479 }, 51480 { 51481 "type": "WEB", 51482 "url": "https://lists.apache.org/thread.html/rba61c1f3a3b1960a6a694775b1a437751eba0825f30188f69387fe90@%3Cdev.thrift.apache.org%3E" 51483 }, 51484 { 51485 "type": "WEB", 51486 "url": "https://lists.apache.org/thread.html/rce0d368a78b42c545f26c2e6e91e2b8a91b27b60d0cb45fe1911d337@%3Cnotifications.thrift.apache.org%3E" 51487 }, 51488 { 51489 "type": "WEB", 51490 "url": "https://lists.apache.org/thread.html/re387dc6ca11cb0b0ce4de8e800bb91ca50fee054b80105f5cd34adcb@%3Cdev.thrift.apache.org%3E" 51491 }, 51492 { 51493 "type": "WEB", 51494 "url": "https://lists.apache.org/thread.html/rf359e5cc6a185494fc0cfe837fe82f7db2ef49242d35cbf3895aebce@%3Cdev.thrift.apache.org%3E" 51495 }, 51496 { 51497 "type": "WEB", 51498 "url": "https://security.gentoo.org/glsa/202107-32" 51499 }, 51500 { 51501 "type": "WEB", 51502 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 51503 }, 51504 { 51505 "type": "WEB", 51506 
"url": "https://access.redhat.com/errata/RHSA-2020:0804" 51507 }, 51508 { 51509 "type": "WEB", 51510 "url": "https://access.redhat.com/errata/RHSA-2020:0805" 51511 }, 51512 { 51513 "type": "WEB", 51514 "url": "https://access.redhat.com/errata/RHSA-2020:0806" 51515 }, 51516 { 51517 "type": "WEB", 51518 "url": "https://access.redhat.com/errata/RHSA-2020:0811" 51519 }, 51520 { 51521 "type": "WEB", 51522 "url": "https://lists.apache.org/thread.html/003ac686189e6ce7b99267784d04bf60059a8c323eeda5a79a0309b8@%3Ccommits.cassandra.apache.org%3E" 51523 }, 51524 { 51525 "type": "WEB", 51526 "url": "https://lists.apache.org/thread.html/07bd68ad237a5d513751d6d2731a8828f902c738ea57d85c1a72bad3@%3Cdev.thrift.apache.org%3E" 51527 }, 51528 { 51529 "type": "WEB", 51530 "url": "https://lists.apache.org/thread.html/0d058e1bfd11727c4f2e2adf4b6e403a47c38e22431ab20066a1ac79@%3Cdev.thrift.apache.org%3E" 51531 }, 51532 { 51533 "type": "WEB", 51534 "url": "https://lists.apache.org/thread.html/1193444c17f499f92cd198d464a2c1ffc92182c83487345a854914b3@%3Cuser.thrift.apache.org%3E" 51535 }, 51536 { 51537 "type": "WEB", 51538 "url": "https://lists.apache.org/thread.html/1c18ec6ebfea0a9211992be952e8b33d0fda202c077979b84a5e09a8@%3Cuser.thrift.apache.org%3E" 51539 }, 51540 { 51541 "type": "WEB", 51542 "url": "https://lists.apache.org/thread.html/3dfa054b89274c9109c26ed1843ca15a14c03786f4016d26773878ae@%3Cdev.thrift.apache.org%3E" 51543 }, 51544 { 51545 "type": "WEB", 51546 "url": "https://lists.apache.org/thread.html/928cae83d20d8d8196c26118f7084aa37573e1d31162381fb9454fb5@%3Cdev.thrift.apache.org%3E" 51547 }, 51548 { 51549 "type": "WEB", 51550 "url": "https://lists.apache.org/thread.html/9f7150d0b02e72d1154721a412e80cf797f1b7cfa295fcefc67b1381@%3Ccommits.cassandra.apache.org%3E" 51551 }, 51552 { 51553 "type": "WEB", 51554 "url": "https://lists.apache.org/thread.html/a9669756befaeb0f8e08766d3f4d410a0fce85da3a570506f71f0b67@%3Cdev.thrift.apache.org%3E" 51555 }, 51556 { 51557 "type": "WEB", 51558 
"url": "https://lists.apache.org/thread.html/r0c606d4be9aa163d132edf8edd8eb55e7b9464063b99acbbf6e9e287@%3Cissues.hive.apache.org%3E" 51559 }, 51560 { 51561 "type": "WEB", 51562 "url": "https://lists.apache.org/thread.html/r0d08f5576286f4a042aabde13ecf58979644f6dc210f25aa9a4d469b@%3Cdev.thrift.apache.org%3E" 51563 }, 51564 { 51565 "type": "WEB", 51566 "url": "https://lists.apache.org/thread.html/r137753c9df8dd9065bea27a26af49aadc406b5a57fc584fefa008afd@%3Cdev.thrift.apache.org%3E" 51567 }, 51568 { 51569 "type": "WEB", 51570 "url": "https://lists.apache.org/thread.html/r1b1a92c229ead94d53b3bcde9e624d002b54f1c6fdb830b9f4da20e1@%3Cdev.thrift.apache.org%3E" 51571 }, 51572 { 51573 "type": "WEB", 51574 "url": "https://lists.apache.org/thread.html/r228ac842260c2c516af7b09f3cf4cf76e5b9c002e359954a203ab5a5@%3Cdev.thrift.apache.org%3E" 51575 }, 51576 { 51577 "type": "WEB", 51578 "url": "https://lists.apache.org/thread.html/r2832722c31d78bef7526e2c701ba4b046736e4c851473194a247392f@%3Ccommits.pulsar.apache.org%3E" 51579 }, 51580 { 51581 "type": "WEB", 51582 "url": "https://lists.apache.org/thread.html/r36581cc7047f007dd6aadbdd34e18545ec2c1eb7ccdae6dd47a877a9@%3Ccommits.pulsar.apache.org%3E" 51583 }, 51584 { 51585 "type": "WEB", 51586 "url": "https://lists.apache.org/thread.html/r3887b48b183b6fa43e59398bd170a99239c0a16264cb5175b5b689d0@%3Ccommits.cassandra.apache.org%3E" 51587 }, 51588 { 51589 "type": "WEB", 51590 "url": "http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.mbox/%3CVI1PR0101MB2142E0EA19F582429C3AEBCBB1920%40VI1PR0101MB2142.eurprd01.prod.exchangelabs.com%3E" 51591 } 51592 ], 51593 "related": [ 51594 "CGA-3p6j-9f2g-h7xg" 51595 ], 51596 "schema_version": "1.6.0", 51597 "severity": [ 51598 { 51599 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 51600 "type": "CVSS_V3" 51601 } 51602 ], 51603 "summary": "Loop with Unreachable Exit Condition in Apache Thrift" 51604 }, 51605 { 51606 "affected": [ 51607 { 51608 "database_specific": { 51609 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-vx85-mj8c-4qm6/GHSA-vx85-mj8c-4qm6.json" 51610 }, 51611 "package": { 51612 "ecosystem": "Maven", 51613 "name": "org.apache.thrift:libthrift", 51614 "purl": "pkg:maven/org.apache.thrift/libthrift" 51615 }, 51616 "ranges": [ 51617 { 51618 "events": [ 51619 { 51620 "introduced": "0.9.2" 51621 }, 51622 { 51623 "fixed": "0.12.0" 51624 } 51625 ], 51626 "type": "ECOSYSTEM" 51627 } 51628 ], 51629 "versions": [ 51630 "0.10.0", 51631 "0.11.0", 51632 "0.9.2", 51633 "0.9.3", 51634 "0.9.3-1" 51635 ] 51636 } 51637 ], 51638 "aliases": [ 51639 "CVE-2018-11798" 51640 ], 51641 "database_specific": { 51642 "cwe_ids": [ 51643 "CWE-538" 51644 ], 51645 "github_reviewed": true, 51646 "github_reviewed_at": "2020-06-16T21:58:46Z", 51647 "nvd_published_at": null, 51648 "severity": "MODERATE" 51649 }, 51650 "details": "The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webservers docroot path.", 51651 "id": "GHSA-vx85-mj8c-4qm6", 51652 "modified": "2024-02-16T08:22:18.795904Z", 51653 "published": "2019-01-17T13:56:33Z", 51654 "references": [ 51655 { 51656 "type": "ADVISORY", 51657 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11798" 51658 }, 51659 { 51660 "type": "WEB", 51661 "url": "https://github.com/apache/thrift/pull/1606" 51662 }, 51663 { 51664 "type": "WEB", 51665 "url": "https://github.com/apache/thrift/commit/2a2b72f6c8aef200ecee4984f011e06052288ff2" 51666 }, 51667 { 51668 "type": "WEB", 51669 "url": "https://access.redhat.com/errata/RHSA-2019:1545" 51670 }, 51671 { 51672 "type": "WEB", 51673 "url": "https://access.redhat.com/errata/RHSA-2019:3140" 51674 }, 51675 { 51676 "type": "ADVISORY", 51677 "url": "https://github.com/advisories/GHSA-vx85-mj8c-4qm6" 51678 }, 51679 { 51680 "type": "WEB", 51681 "url": 
"https://issues.apache.org/jira/browse/THRIFT-4647" 51682 }, 51683 { 51684 "type": "WEB", 51685 "url": "https://lists.apache.org/thread.html/6e9edd282684896cedf615fb67a02bebfe6007f2d5baf03ba52e34fd@%3Cuser.thrift.apache.org%3E" 51686 }, 51687 { 51688 "type": "WEB", 51689 "url": "https://web.archive.org/web/20200227094236/http://www.securityfocus.com/bid/106501" 51690 }, 51691 { 51692 "type": "WEB", 51693 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 51694 } 51695 ], 51696 "related": [ 51697 "CGA-pmq8-4h9g-36mm" 51698 ], 51699 "schema_version": "1.6.0", 51700 "severity": [ 51701 { 51702 "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", 51703 "type": "CVSS_V3" 51704 } 51705 ], 51706 "summary": "Apache Thrift Node.js static web server sandbox escape" 51707 }, 51708 { 51709 "affected": [ 51710 { 51711 "database_specific": { 51712 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-wjxj-f8rg-99wx/GHSA-wjxj-f8rg-99wx.json" 51713 }, 51714 "package": { 51715 "ecosystem": "Maven", 51716 "name": "org.apache.thrift:libthrift", 51717 "purl": "pkg:maven/org.apache.thrift/libthrift" 51718 }, 51719 "ranges": [ 51720 { 51721 "events": [ 51722 { 51723 "introduced": "0.5.0" 51724 }, 51725 { 51726 "fixed": "0.9.3-1" 51727 } 51728 ], 51729 "type": "ECOSYSTEM" 51730 } 51731 ], 51732 "versions": [ 51733 "0.6.1", 51734 "0.7.0", 51735 "0.8.0", 51736 "0.9.0", 51737 "0.9.1", 51738 "0.9.2", 51739 "0.9.3" 51740 ] 51741 }, 51742 { 51743 "database_specific": { 51744 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-wjxj-f8rg-99wx/GHSA-wjxj-f8rg-99wx.json" 51745 }, 51746 "package": { 51747 "ecosystem": "Maven", 51748 "name": "org.apache.thrift:libthrift", 51749 "purl": "pkg:maven/org.apache.thrift/libthrift" 51750 }, 51751 "ranges": [ 51752 { 51753 "events": [ 51754 { 51755 "introduced": "0.10.0" 51756 }, 51757 { 51758 "fixed": "0.12.0" 51759 
} 51760 ], 51761 "type": "ECOSYSTEM" 51762 } 51763 ], 51764 "versions": [ 51765 "0.10.0", 51766 "0.11.0" 51767 ] 51768 } 51769 ], 51770 "aliases": [ 51771 "CVE-2018-1320" 51772 ], 51773 "database_specific": { 51774 "cwe_ids": [ 51775 "CWE-20", 51776 "CWE-295" 51777 ], 51778 "github_reviewed": true, 51779 "github_reviewed_at": "2020-06-16T22:00:45Z", 51780 "nvd_published_at": "2019-01-07T17:29:00Z", 51781 "severity": "HIGH" 51782 }, 51783 "details": "Apache Thrift Java client library versions 0.5.0 prior to 0.9.3-1 and 0.10.0 prior to 0.12.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.", 51784 "id": "GHSA-wjxj-f8rg-99wx", 51785 "modified": "2024-03-14T05:20:15.449375Z", 51786 "published": "2019-01-17T13:56:40Z", 51787 "references": [ 51788 { 51789 "type": "ADVISORY", 51790 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1320" 51791 }, 51792 { 51793 "type": "WEB", 51794 "url": "https://github.com/apache/thrift/commit/7489ed6ac8bad64e72fa83ec9d53e1eeddca6c23" 51795 }, 51796 { 51797 "type": "WEB", 51798 "url": "https://github.com/apache/thrift/commit/d973409661f820d80d72c0034d06a12348c8705e" 51799 }, 51800 { 51801 "type": "WEB", 51802 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 51803 }, 51804 { 51805 "type": "WEB", 51806 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 51807 }, 51808 { 51809 "type": "WEB", 51810 "url": "https://web.archive.org/web/20200227094237/http://www.securityfocus.com/bid/106551" 51811 }, 51812 { 51813 "type": "WEB", 51814 "url": "https://support.f5.com/csp/article/K36361684" 51815 }, 51816 { 51817 "type": "WEB", 51818 "url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00008.html" 51819 }, 51820 { 51821 "type": "WEB", 51822 "url": 
"https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E" 51823 }, 51824 { 51825 "type": "WEB", 51826 "url": "https://lists.apache.org/thread.html/r3d71a6dbb063aa61ba81278fe622b20bfe7501bb3821c27695641ac3@%3Ccommits.cassandra.apache.org%3E" 51827 }, 51828 { 51829 "type": "WEB", 51830 "url": "https://lists.apache.org/thread.html/r261972a3b14cf6f1dcd94b1b265e9ef644a38ccdf0d0238fa0c4d459@%3Ccommits.cassandra.apache.org%3E" 51831 }, 51832 { 51833 "type": "WEB", 51834 "url": "https://lists.apache.org/thread.html/r2278846f7ab06ec07a0aa31457235e0ded9191b216cba55f3f315f16@%3Ccommits.cassandra.apache.org%3E" 51835 }, 51836 { 51837 "type": "WEB", 51838 "url": "https://lists.apache.org/thread.html/r1015eaadef8314daa9348aa423086a732cfeb998ceb5d42605c9b0b5@%3Ccommits.cassandra.apache.org%3E" 51839 }, 51840 { 51841 "type": "WEB", 51842 "url": "https://lists.apache.org/thread.html/r09c3dcdccf4b74ad13bda79b354e6b793255ccfe245cca1b8cee23f5@%3Ccommits.cassandra.apache.org%3E" 51843 }, 51844 { 51845 "type": "WEB", 51846 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 51847 }, 51848 { 51849 "type": "WEB", 51850 "url": "https://lists.apache.org/thread.html/e825ff2f4e129c0ecdb6a19030b53c1ccdf810a8980667628d0c6a80@%3Cannounce.apache.org%3E" 51851 }, 51852 { 51853 "type": "WEB", 51854 "url": "https://lists.apache.org/thread.html/dfee89880c84874058c6a584d8128468f8d3c2ac25068ded91073adc@%3Cuser.storm.apache.org%3E" 51855 }, 51856 { 51857 "type": "WEB", 51858 "url": "https://lists.apache.org/thread.html/dbe3a39b48900318ad44494e8721f786901ba4520cd412c7698f534f@%3Cdev.storm.apache.org%3E" 51859 }, 51860 { 51861 "type": "WEB", 51862 "url": "https://lists.apache.org/thread.html/da5234b5e78f1c99190407f791dfe1bf6c58de8d30d15974a9669be3@%3Cuser.thrift.apache.org%3E" 51863 }, 51864 { 51865 "type": "WEB", 51866 "url": 
"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 51867 }, 51868 { 51869 "type": "WEB", 51870 "url": "https://lists.apache.org/thread.html/8be5b16c02567fff61b1284e5df433a4e38617bc7de4804402bf62be@%3Ccommits.cassandra.apache.org%3E" 51871 }, 51872 { 51873 "type": "WEB", 51874 "url": "https://lists.apache.org/thread.html/6b07f6f618155c777191b4fad8ade0f0cf4ed4c12a1a746ce903d816@%3Ccommits.cassandra.apache.org%3E" 51875 }, 51876 { 51877 "type": "WEB", 51878 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 51879 }, 51880 { 51881 "type": "WEB", 51882 "url": "https://lists.apache.org/thread.html/3d3b6849fcf4cd1e87703b3dde0d57aabeb9ba0193dc0cf3c97f545d@%3Ccommits.cassandra.apache.org%3E" 51883 }, 51884 { 51885 "type": "WEB", 51886 "url": "https://lists.apache.org/thread.html/187684ac8b94d55256253f5220cb55e8bd568afdf9a8a86e9bbb66c9@%3Cdevnull.infra.apache.org%3E" 51887 }, 51888 { 51889 "type": "WEB", 51890 "url": "https://lists.apache.org/thread.html/07c3cd5a2953a4b253eee4437b1397b1603d0f886437e19b657d2c54@%3Ccommits.cassandra.apache.org%3E" 51891 }, 51892 { 51893 "type": "WEB", 51894 "url": "https://issues.apache.org/jira/browse/THRIFT-4506" 51895 }, 51896 { 51897 "type": "WEB", 51898 "url": "https://github.com/apache/thrift/releases/tag/0.9.3.1" 51899 }, 51900 { 51901 "type": "PACKAGE", 51902 "url": "https://github.com/apache/thrift" 51903 }, 51904 { 51905 "type": "WEB", 51906 "url": "https://access.redhat.com/errata/RHSA-2019:2413" 51907 }, 51908 { 51909 "type": "WEB", 51910 "url": "http://www.openwall.com/lists/oss-security/2019/07/24/3" 51911 }, 51912 { 51913 "type": "WEB", 51914 "url": "http://www.securityfocus.com/bid/106551" 51915 } 51916 ], 51917 "schema_version": "1.6.0", 51918 "severity": [ 51919 { 51920 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 51921 "type": "CVSS_V3" 51922 } 51923 ], 51924 
"summary": "Improper Input Validation in Apache Thrift" 51925 }, 51926 { 51927 "affected": [ 51928 { 51929 "database_specific": { 51930 "last_known_affected_version_range": "\u003c= 10.0.0-M9", 51931 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2rvv-w9r2-rg7m/GHSA-2rvv-w9r2-rg7m.json" 51932 }, 51933 "package": { 51934 "ecosystem": "Maven", 51935 "name": "org.apache.tomcat.embed:tomcat-embed-core", 51936 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 51937 }, 51938 "ranges": [ 51939 { 51940 "events": [ 51941 { 51942 "introduced": "10.0.0-M1" 51943 }, 51944 { 51945 "fixed": "10.0.0-M10" 51946 } 51947 ], 51948 "type": "ECOSYSTEM" 51949 } 51950 ], 51951 "versions": [ 51952 "10.0.0-M1", 51953 "10.0.0-M3", 51954 "10.0.0-M4", 51955 "10.0.0-M5", 51956 "10.0.0-M6", 51957 "10.0.0-M7", 51958 "10.0.0-M8", 51959 "10.0.0-M9" 51960 ] 51961 }, 51962 { 51963 "database_specific": { 51964 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2rvv-w9r2-rg7m/GHSA-2rvv-w9r2-rg7m.json" 51965 }, 51966 "package": { 51967 "ecosystem": "Maven", 51968 "name": "org.apache.tomcat.embed:tomcat-embed-core", 51969 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 51970 }, 51971 "ranges": [ 51972 { 51973 "events": [ 51974 { 51975 "introduced": "9.0.0" 51976 }, 51977 { 51978 "fixed": "9.0.40" 51979 } 51980 ], 51981 "type": "ECOSYSTEM" 51982 } 51983 ], 51984 "versions": [ 51985 "9.0.1", 51986 "9.0.10", 51987 "9.0.11", 51988 "9.0.12", 51989 "9.0.13", 51990 "9.0.14", 51991 "9.0.16", 51992 "9.0.17", 51993 "9.0.19", 51994 "9.0.2", 51995 "9.0.20", 51996 "9.0.21", 51997 "9.0.22", 51998 "9.0.24", 51999 "9.0.26", 52000 "9.0.27", 52001 "9.0.29", 52002 "9.0.30", 52003 "9.0.31", 52004 "9.0.33", 52005 "9.0.34", 52006 "9.0.35", 52007 "9.0.36", 52008 "9.0.37", 52009 "9.0.38", 52010 "9.0.39", 52011 "9.0.4", 52012 "9.0.5", 52013 "9.0.6", 52014 "9.0.7", 52015 "9.0.8" 52016 ] 52017 
}, 52018 { 52019 "database_specific": { 52020 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2rvv-w9r2-rg7m/GHSA-2rvv-w9r2-rg7m.json" 52021 }, 52022 "package": { 52023 "ecosystem": "Maven", 52024 "name": "org.apache.tomcat.embed:tomcat-embed-core", 52025 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 52026 }, 52027 "ranges": [ 52028 { 52029 "events": [ 52030 { 52031 "introduced": "8.5.0" 52032 }, 52033 { 52034 "fixed": "8.5.60" 52035 } 52036 ], 52037 "type": "ECOSYSTEM" 52038 } 52039 ], 52040 "versions": [ 52041 "8.5.0", 52042 "8.5.11", 52043 "8.5.12", 52044 "8.5.13", 52045 "8.5.14", 52046 "8.5.15", 52047 "8.5.16", 52048 "8.5.19", 52049 "8.5.2", 52050 "8.5.20", 52051 "8.5.21", 52052 "8.5.23", 52053 "8.5.24", 52054 "8.5.27", 52055 "8.5.28", 52056 "8.5.29", 52057 "8.5.3", 52058 "8.5.30", 52059 "8.5.31", 52060 "8.5.32", 52061 "8.5.33", 52062 "8.5.34", 52063 "8.5.35", 52064 "8.5.37", 52065 "8.5.38", 52066 "8.5.39", 52067 "8.5.4", 52068 "8.5.40", 52069 "8.5.41", 52070 "8.5.42", 52071 "8.5.43", 52072 "8.5.45", 52073 "8.5.46", 52074 "8.5.47", 52075 "8.5.49", 52076 "8.5.5", 52077 "8.5.50", 52078 "8.5.51", 52079 "8.5.53", 52080 "8.5.54", 52081 "8.5.55", 52082 "8.5.56", 52083 "8.5.57", 52084 "8.5.58", 52085 "8.5.59", 52086 "8.5.6", 52087 "8.5.8", 52088 "8.5.9" 52089 ] 52090 }, 52091 { 52092 "database_specific": { 52093 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2rvv-w9r2-rg7m/GHSA-2rvv-w9r2-rg7m.json" 52094 }, 52095 "package": { 52096 "ecosystem": "Maven", 52097 "name": "org.apache.tomcat.embed:tomcat-embed-core", 52098 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 52099 }, 52100 "ranges": [ 52101 { 52102 "events": [ 52103 { 52104 "introduced": "7.0.0" 52105 }, 52106 { 52107 "fixed": "7.0.107" 52108 } 52109 ], 52110 "type": "ECOSYSTEM" 52111 } 52112 ], 52113 "versions": [ 52114 "7.0.0", 52115 "7.0.100", 52116 "7.0.103", 52117 
"7.0.104", 52118 "7.0.105", 52119 "7.0.106", 52120 "7.0.11", 52121 "7.0.12", 52122 "7.0.14", 52123 "7.0.16", 52124 "7.0.19", 52125 "7.0.2", 52126 "7.0.20", 52127 "7.0.21", 52128 "7.0.22", 52129 "7.0.23", 52130 "7.0.25", 52131 "7.0.26", 52132 "7.0.27", 52133 "7.0.28", 52134 "7.0.29", 52135 "7.0.30", 52136 "7.0.32", 52137 "7.0.33", 52138 "7.0.34", 52139 "7.0.35", 52140 "7.0.37", 52141 "7.0.39", 52142 "7.0.4", 52143 "7.0.40", 52144 "7.0.41", 52145 "7.0.42", 52146 "7.0.47", 52147 "7.0.5", 52148 "7.0.50", 52149 "7.0.52", 52150 "7.0.53", 52151 "7.0.54", 52152 "7.0.55", 52153 "7.0.56", 52154 "7.0.57", 52155 "7.0.59", 52156 "7.0.6", 52157 "7.0.61", 52158 "7.0.62", 52159 "7.0.63", 52160 "7.0.64", 52161 "7.0.65", 52162 "7.0.67", 52163 "7.0.68", 52164 "7.0.69", 52165 "7.0.70", 52166 "7.0.72", 52167 "7.0.73", 52168 "7.0.75", 52169 "7.0.76", 52170 "7.0.77", 52171 "7.0.78", 52172 "7.0.79", 52173 "7.0.8", 52174 "7.0.81", 52175 "7.0.82", 52176 "7.0.84", 52177 "7.0.85", 52178 "7.0.86", 52179 "7.0.88", 52180 "7.0.90", 52181 "7.0.91", 52182 "7.0.92", 52183 "7.0.93", 52184 "7.0.94", 52185 "7.0.96", 52186 "7.0.99" 52187 ] 52188 } 52189 ], 52190 "aliases": [ 52191 "BIT-tomcat-2021-24122", 52192 "CVE-2021-24122" 52193 ], 52194 "database_specific": { 52195 "cwe_ids": [ 52196 "CWE-200", 52197 "CWE-706" 52198 ], 52199 "github_reviewed": true, 52200 "github_reviewed_at": "2021-04-06T21:27:31Z", 52201 "nvd_published_at": "2021-01-14T15:15:00Z", 52202 "severity": "MODERATE" 52203 }, 52204 "details": "When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. 
The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.", 52205 "id": "GHSA-2rvv-w9r2-rg7m", 52206 "modified": "2024-03-11T16:46:40.808422Z", 52207 "published": "2021-05-13T22:30:02Z", 52208 "references": [ 52209 { 52210 "type": "ADVISORY", 52211 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24122" 52212 }, 52213 { 52214 "type": "WEB", 52215 "url": "https://github.com/apache/tomcat/commit/7f004ac4531c45f9a2a2d1470561fe135cf27bc2" 52216 }, 52217 { 52218 "type": "WEB", 52219 "url": "https://github.com/apache/tomcat/commit/800b03140e640f8892f27021e681645e8e320177" 52220 }, 52221 { 52222 "type": "WEB", 52223 "url": "https://github.com/apache/tomcat/commit/920dddbdb981f92e8d5872a4bb126a10af5ca8a9" 52224 }, 52225 { 52226 "type": "WEB", 52227 "url": "https://github.com/apache/tomcat/commit/935fc5582dc25ae10bab6f9d5629ff8d996cb533" 52228 }, 52229 { 52230 "type": "WEB", 52231 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 52232 }, 52233 { 52234 "type": "WEB", 52235 "url": "https://tomcat.apache.org/security-9.html" 52236 }, 52237 { 52238 "type": "WEB", 52239 "url": "https://tomcat.apache.org/security-8.html" 52240 }, 52241 { 52242 "type": "WEB", 52243 "url": "https://tomcat.apache.org/security-7.html" 52244 }, 52245 { 52246 "type": "WEB", 52247 "url": "https://tomcat.apache.org/security-10.html" 52248 }, 52249 { 52250 "type": "WEB", 52251 "url": "https://security.netapp.com/advisory/ntap-20210212-0008" 52252 }, 52253 { 52254 "type": "WEB", 52255 "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html" 52256 }, 52257 { 52258 "type": "WEB", 52259 "url": "https://lists.apache.org/thread.html/rca833c6d42b7b9ce1563488c0929f29fcc95947d86e5e740258c8937@%3Cdev.tomcat.apache.org%3E" 52260 }, 52261 { 52262 "type": "WEB", 52263 "url": 
"https://lists.apache.org/thread.html/rb32a73b7cb919d4f44a2596b6b951274c0004fc8b0e393d6829a45f9@%3Cusers.tomcat.apache.org%3E" 52264 }, 52265 { 52266 "type": "WEB", 52267 "url": "https://lists.apache.org/thread.html/r7e0bb9ea415724550e2b325e143b23e269579e54d66fcd7754bd0c20@%3Cdev.tomcat.apache.org%3E" 52268 }, 52269 { 52270 "type": "WEB", 52271 "url": "https://lists.apache.org/thread.html/r776c64337495bf28b7d5597268114a888e3fad6045c40a0da0c66d4d@%3Cdev.tomee.apache.org%3E" 52272 }, 52273 { 52274 "type": "WEB", 52275 "url": "https://lists.apache.org/thread.html/r7382e1e35b9bc7c8f320b90ad77e74c13172d08034e20c18000fe710@%3Cdev.tomee.apache.org%3E" 52276 }, 52277 { 52278 "type": "WEB", 52279 "url": "https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.tomcat.apache.org%3E" 52280 }, 52281 { 52282 "type": "WEB", 52283 "url": "https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.apache.org%3E" 52284 }, 52285 { 52286 "type": "WEB", 52287 "url": "https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.tomcat.apache.org%3E" 52288 }, 52289 { 52290 "type": "PACKAGE", 52291 "url": "https://github.com/apache/tomcat" 52292 }, 52293 { 52294 "type": "WEB", 52295 "url": "http://www.openwall.com/lists/oss-security/2021/01/14/1" 52296 } 52297 ], 52298 "related": [ 52299 "CGA-9cx5-82vv-8fp2" 52300 ], 52301 "schema_version": "1.6.0", 52302 "severity": [ 52303 { 52304 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", 52305 "type": "CVSS_V3" 52306 } 52307 ], 52308 "summary": "Information Disclosure in Apache Tomcat" 52309 }, 52310 { 52311 "affected": [ 52312 { 52313 "database_specific": { 52314 "last_known_affected_version_range": "\u003c= 9.0.0.M17", 52315 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json" 52316 }, 52317 
"package": { 52318 "ecosystem": "Maven", 52319 "name": "org.apache.tomcat:tomcat-catalina", 52320 "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" 52321 }, 52322 "ranges": [ 52323 { 52324 "events": [ 52325 { 52326 "introduced": "9.0.0.M1" 52327 }, 52328 { 52329 "fixed": "9.0.0.M18" 52330 } 52331 ], 52332 "type": "ECOSYSTEM" 52333 } 52334 ], 52335 "versions": [ 52336 "9.0.0.M1", 52337 "9.0.0.M10", 52338 "9.0.0.M11", 52339 "9.0.0.M13", 52340 "9.0.0.M15", 52341 "9.0.0.M17", 52342 "9.0.0.M3", 52343 "9.0.0.M4", 52344 "9.0.0.M6", 52345 "9.0.0.M8", 52346 "9.0.0.M9" 52347 ] 52348 }, 52349 { 52350 "database_specific": { 52351 "last_known_affected_version_range": "\u003c= 8.5.12", 52352 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json" 52353 }, 52354 "package": { 52355 "ecosystem": "Maven", 52356 "name": "org.apache.tomcat:tomcat-catalina", 52357 "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" 52358 }, 52359 "ranges": [ 52360 { 52361 "events": [ 52362 { 52363 "introduced": "8.5.0" 52364 }, 52365 { 52366 "fixed": "8.5.13" 52367 } 52368 ], 52369 "type": "ECOSYSTEM" 52370 } 52371 ], 52372 "versions": [ 52373 "8.5.0", 52374 "8.5.11", 52375 "8.5.12", 52376 "8.5.2", 52377 "8.5.3", 52378 "8.5.4", 52379 "8.5.5", 52380 "8.5.6", 52381 "8.5.8", 52382 "8.5.9" 52383 ] 52384 }, 52385 { 52386 "database_specific": { 52387 "last_known_affected_version_range": "\u003c= 8.0.41", 52388 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json" 52389 }, 52390 "package": { 52391 "ecosystem": "Maven", 52392 "name": "org.apache.tomcat:tomcat-catalina", 52393 "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" 52394 }, 52395 "ranges": [ 52396 { 52397 "events": [ 52398 { 52399 "introduced": "8.0.0" 52400 }, 52401 { 52402 "fixed": "8.0.42" 52403 } 52404 ], 52405 "type": "ECOSYSTEM" 52406 } 52407 ], 52408 
"versions": [ 52409 "8.0.1", 52410 "8.0.11", 52411 "8.0.12", 52412 "8.0.14", 52413 "8.0.15", 52414 "8.0.17", 52415 "8.0.18", 52416 "8.0.20", 52417 "8.0.21", 52418 "8.0.22", 52419 "8.0.23", 52420 "8.0.24", 52421 "8.0.26", 52422 "8.0.27", 52423 "8.0.28", 52424 "8.0.29", 52425 "8.0.3", 52426 "8.0.30", 52427 "8.0.32", 52428 "8.0.33", 52429 "8.0.35", 52430 "8.0.36", 52431 "8.0.37", 52432 "8.0.38", 52433 "8.0.39", 52434 "8.0.41", 52435 "8.0.5", 52436 "8.0.8", 52437 "8.0.9" 52438 ] 52439 }, 52440 { 52441 "database_specific": { 52442 "last_known_affected_version_range": "\u003c= 7.0.75", 52443 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json" 52444 }, 52445 "package": { 52446 "ecosystem": "Maven", 52447 "name": "org.apache.tomcat:tomcat-catalina", 52448 "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" 52449 }, 52450 "ranges": [ 52451 { 52452 "events": [ 52453 { 52454 "introduced": "7.0.0" 52455 }, 52456 { 52457 "fixed": "7.0.76" 52458 } 52459 ], 52460 "type": "ECOSYSTEM" 52461 } 52462 ], 52463 "versions": [ 52464 "7.0.0", 52465 "7.0.11", 52466 "7.0.12", 52467 "7.0.14", 52468 "7.0.16", 52469 "7.0.19", 52470 "7.0.2", 52471 "7.0.20", 52472 "7.0.21", 52473 "7.0.22", 52474 "7.0.23", 52475 "7.0.25", 52476 "7.0.26", 52477 "7.0.27", 52478 "7.0.28", 52479 "7.0.29", 52480 "7.0.30", 52481 "7.0.32", 52482 "7.0.33", 52483 "7.0.34", 52484 "7.0.35", 52485 "7.0.37", 52486 "7.0.39", 52487 "7.0.4", 52488 "7.0.40", 52489 "7.0.41", 52490 "7.0.42", 52491 "7.0.47", 52492 "7.0.5", 52493 "7.0.50", 52494 "7.0.52", 52495 "7.0.53", 52496 "7.0.54", 52497 "7.0.55", 52498 "7.0.56", 52499 "7.0.57", 52500 "7.0.59", 52501 "7.0.6", 52502 "7.0.61", 52503 "7.0.62", 52504 "7.0.63", 52505 "7.0.64", 52506 "7.0.65", 52507 "7.0.67", 52508 "7.0.68", 52509 "7.0.69", 52510 "7.0.70", 52511 "7.0.72", 52512 "7.0.73", 52513 "7.0.75", 52514 "7.0.8" 52515 ] 52516 }, 52517 { 52518 "database_specific": { 52519 
"last_known_affected_version_range": "\u003c= 9.0.0.M17", 52520 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json" 52521 }, 52522 "package": { 52523 "ecosystem": "Maven", 52524 "name": "org.apache.tomcat.embed:tomcat-embed-core", 52525 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 52526 }, 52527 "ranges": [ 52528 { 52529 "events": [ 52530 { 52531 "introduced": "9.0.0.M1" 52532 }, 52533 { 52534 "fixed": "9.0.0.M18" 52535 } 52536 ], 52537 "type": "ECOSYSTEM" 52538 } 52539 ], 52540 "versions": [ 52541 "9.0.0.M1", 52542 "9.0.0.M10", 52543 "9.0.0.M11", 52544 "9.0.0.M13", 52545 "9.0.0.M15", 52546 "9.0.0.M17", 52547 "9.0.0.M3", 52548 "9.0.0.M4", 52549 "9.0.0.M6", 52550 "9.0.0.M8", 52551 "9.0.0.M9" 52552 ] 52553 }, 52554 { 52555 "database_specific": { 52556 "last_known_affected_version_range": "\u003c= 8.5.12", 52557 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json" 52558 }, 52559 "package": { 52560 "ecosystem": "Maven", 52561 "name": "org.apache.tomcat.embed:tomcat-embed-core", 52562 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 52563 }, 52564 "ranges": [ 52565 { 52566 "events": [ 52567 { 52568 "introduced": "8.5.0" 52569 }, 52570 { 52571 "fixed": "8.5.13" 52572 } 52573 ], 52574 "type": "ECOSYSTEM" 52575 } 52576 ], 52577 "versions": [ 52578 "8.5.0", 52579 "8.5.11", 52580 "8.5.12", 52581 "8.5.2", 52582 "8.5.3", 52583 "8.5.4", 52584 "8.5.5", 52585 "8.5.6", 52586 "8.5.8", 52587 "8.5.9" 52588 ] 52589 }, 52590 { 52591 "database_specific": { 52592 "last_known_affected_version_range": "\u003c= 8.0.41", 52593 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json" 52594 }, 52595 "package": { 52596 "ecosystem": "Maven", 52597 "name": 
"org.apache.tomcat.embed:tomcat-embed-core", 52598 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 52599 }, 52600 "ranges": [ 52601 { 52602 "events": [ 52603 { 52604 "introduced": "8.0.0" 52605 }, 52606 { 52607 "fixed": "8.0.42" 52608 } 52609 ], 52610 "type": "ECOSYSTEM" 52611 } 52612 ], 52613 "versions": [ 52614 "8.0.1", 52615 "8.0.11", 52616 "8.0.12", 52617 "8.0.14", 52618 "8.0.15", 52619 "8.0.17", 52620 "8.0.18", 52621 "8.0.20", 52622 "8.0.21", 52623 "8.0.22", 52624 "8.0.23", 52625 "8.0.24", 52626 "8.0.26", 52627 "8.0.27", 52628 "8.0.28", 52629 "8.0.29", 52630 "8.0.3", 52631 "8.0.30", 52632 "8.0.32", 52633 "8.0.33", 52634 "8.0.35", 52635 "8.0.36", 52636 "8.0.37", 52637 "8.0.38", 52638 "8.0.39", 52639 "8.0.41", 52640 "8.0.5", 52641 "8.0.8", 52642 "8.0.9" 52643 ] 52644 }, 52645 { 52646 "database_specific": { 52647 "last_known_affected_version_range": "\u003c= 7.0.75", 52648 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json" 52649 }, 52650 "package": { 52651 "ecosystem": "Maven", 52652 "name": "org.apache.tomcat.embed:tomcat-embed-core", 52653 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 52654 }, 52655 "ranges": [ 52656 { 52657 "events": [ 52658 { 52659 "introduced": "7.0.0" 52660 }, 52661 { 52662 "fixed": "7.0.76" 52663 } 52664 ], 52665 "type": "ECOSYSTEM" 52666 } 52667 ], 52668 "versions": [ 52669 "7.0.0", 52670 "7.0.11", 52671 "7.0.12", 52672 "7.0.14", 52673 "7.0.16", 52674 "7.0.19", 52675 "7.0.2", 52676 "7.0.20", 52677 "7.0.21", 52678 "7.0.22", 52679 "7.0.23", 52680 "7.0.25", 52681 "7.0.26", 52682 "7.0.27", 52683 "7.0.28", 52684 "7.0.29", 52685 "7.0.30", 52686 "7.0.32", 52687 "7.0.33", 52688 "7.0.34", 52689 "7.0.35", 52690 "7.0.37", 52691 "7.0.39", 52692 "7.0.4", 52693 "7.0.40", 52694 "7.0.41", 52695 "7.0.42", 52696 "7.0.47", 52697 "7.0.5", 52698 "7.0.50", 52699 "7.0.52", 52700 "7.0.53", 52701 "7.0.54", 52702 "7.0.55", 52703 "7.0.56", 
52704 "7.0.57", 52705 "7.0.59", 52706 "7.0.6", 52707 "7.0.61", 52708 "7.0.62", 52709 "7.0.63", 52710 "7.0.64", 52711 "7.0.65", 52712 "7.0.67", 52713 "7.0.68", 52714 "7.0.69", 52715 "7.0.70", 52716 "7.0.72", 52717 "7.0.73", 52718 "7.0.75", 52719 "7.0.8" 52720 ] 52721 } 52722 ], 52723 "aliases": [ 52724 "CVE-2017-5648" 52725 ], 52726 "database_specific": { 52727 "cwe_ids": [ 52728 "CWE-668" 52729 ], 52730 "github_reviewed": true, 52731 "github_reviewed_at": "2022-07-01T13:57:54Z", 52732 "nvd_published_at": "2017-04-17T16:59:00Z", 52733 "severity": "CRITICAL" 52734 }, 52735 "details": "While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.", 52736 "id": "GHSA-3vx3-xf6q-r5xp", 52737 "modified": "2024-04-18T17:16:06.618052Z", 52738 "published": "2022-05-13T01:25:13Z", 52739 "references": [ 52740 { 52741 "type": "ADVISORY", 52742 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5648" 52743 }, 52744 { 52745 "type": "WEB", 52746 "url": "https://github.com/apache/tomcat/commit/0f7b9465d594b9814e1853d1e3a6e3aa51a21610" 52747 }, 52748 { 52749 "type": "WEB", 52750 "url": "https://github.com/apache/tomcat/commit/6bb36dfdf6444efda074893dff493b9eb3648808" 52751 }, 52752 { 52753 "type": "WEB", 52754 "url": "https://github.com/apache/tomcat/commit/dfa40863421d7681fed893b4256666491887e38c" 52755 }, 52756 { 52757 "type": "WEB", 52758 "url": "https://github.com/apache/tomcat80/commit/6d73b079c55ee25dea1bbd0556bb568a4247dacd" 52759 }, 52760 { 52761 "type": "WEB", 52762 "url": 
"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" 52763 }, 52764 { 52765 "type": "WEB", 52766 "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E" 52767 }, 52768 { 52769 "type": "WEB", 52770 "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" 52771 }, 52772 { 52773 "type": "WEB", 52774 "url": "https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600%40%3Cannounce.tomcat.apache.org%3E" 52775 }, 52776 { 52777 "type": "WEB", 52778 "url": "https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600@%3Cannounce.tomcat.apache.org%3E" 52779 }, 52780 { 52781 "type": "WEB", 52782 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" 52783 }, 52784 { 52785 "type": "WEB", 52786 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" 52787 }, 52788 { 52789 "type": "WEB", 52790 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" 52791 }, 52792 { 52793 "type": "WEB", 52794 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" 52795 }, 52796 { 52797 "type": "WEB", 52798 "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" 52799 }, 52800 { 52801 "type": "WEB", 52802 "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" 52803 }, 52804 { 52805 "type": "WEB", 52806 "url": "https://security.gentoo.org/glsa/201705-09" 
52807 }, 52808 { 52809 "type": "WEB", 52810 "url": "https://security.netapp.com/advisory/ntap-20180614-0001" 52811 }, 52812 { 52813 "type": "WEB", 52814 "url": "https://web.archive.org/web/20170417124117/http://www.securityfocus.com/bid/97530" 52815 }, 52816 { 52817 "type": "WEB", 52818 "url": "https://web.archive.org/web/20170420115120/http://www.securitytracker.com/id/1038220" 52819 }, 52820 { 52821 "type": "WEB", 52822 "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" 52823 }, 52824 { 52825 "type": "WEB", 52826 "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" 52827 }, 52828 { 52829 "type": "WEB", 52830 "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E" 52831 }, 52832 { 52833 "type": "WEB", 52834 "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" 52835 }, 52836 { 52837 "type": "WEB", 52838 "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" 52839 }, 52840 { 52841 "type": "WEB", 52842 "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" 52843 }, 52844 { 52845 "type": "WEB", 52846 "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E" 52847 }, 52848 { 52849 "type": "WEB", 52850 "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" 52851 }, 52852 { 52853 "type": "WEB", 52854 "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E" 52855 }, 52856 { 52857 "type": 
"WEB", 52858 "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" 52859 }, 52860 { 52861 "type": "WEB", 52862 "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E" 52863 }, 52864 { 52865 "type": "PACKAGE", 52866 "url": "https://github.com/apache/tomcat" 52867 }, 52868 { 52869 "type": "WEB", 52870 "url": "https://access.redhat.com/errata/RHSA-2017:1809" 52871 }, 52872 { 52873 "type": "WEB", 52874 "url": "https://access.redhat.com/errata/RHSA-2017:1802" 52875 }, 52876 { 52877 "type": "WEB", 52878 "url": "https://access.redhat.com/errata/RHSA-2017:1801" 52879 }, 52880 { 52881 "type": "WEB", 52882 "url": "http://www.debian.org/security/2017/dsa-3842" 52883 }, 52884 { 52885 "type": "WEB", 52886 "url": "http://www.debian.org/security/2017/dsa-3843" 52887 }, 52888 { 52889 "type": "WEB", 52890 "url": "http://www.openwall.com/lists/oss-security/2020/07/20/8" 52891 } 52892 ], 52893 "schema_version": "1.6.0", 52894 "severity": [ 52895 { 52896 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", 52897 "type": "CVSS_V3" 52898 } 52899 ], 52900 "summary": "Exposure of Resource to Wrong Sphere in Apache Tomcat" 52901 }, 52902 { 52903 "affected": [ 52904 { 52905 "database_specific": { 52906 "last_known_affected_version_range": "\u003c= 9.0.9", 52907 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-46j3-r4pj-4835/GHSA-46j3-r4pj-4835.json" 52908 }, 52909 "package": { 52910 "ecosystem": "Maven", 52911 "name": "org.apache.tomcat.embed:tomcat-embed-core", 52912 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 52913 }, 52914 "ranges": [ 52915 { 52916 "events": [ 52917 { 52918 "introduced": "9.0.0" 52919 }, 52920 { 52921 "fixed": "9.0.10" 52922 } 52923 ], 52924 "type": "ECOSYSTEM" 52925 } 52926 ], 52927 "versions": [ 52928 "9.0.1", 52929 "9.0.2", 52930 "9.0.4", 
52931 "9.0.5", 52932 "9.0.6", 52933 "9.0.7", 52934 "9.0.8" 52935 ] 52936 }, 52937 { 52938 "database_specific": { 52939 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-46j3-r4pj-4835/GHSA-46j3-r4pj-4835.json" 52940 }, 52941 "package": { 52942 "ecosystem": "Maven", 52943 "name": "org.apache.tomcat.embed:tomcat-embed-core", 52944 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 52945 }, 52946 "ranges": [ 52947 { 52948 "events": [ 52949 { 52950 "introduced": "8.5.0" 52951 }, 52952 { 52953 "fixed": "8.5.32" 52954 } 52955 ], 52956 "type": "ECOSYSTEM" 52957 } 52958 ], 52959 "versions": [ 52960 "8.5.0", 52961 "8.5.11", 52962 "8.5.12", 52963 "8.5.13", 52964 "8.5.14", 52965 "8.5.15", 52966 "8.5.16", 52967 "8.5.19", 52968 "8.5.2", 52969 "8.5.20", 52970 "8.5.21", 52971 "8.5.23", 52972 "8.5.24", 52973 "8.5.27", 52974 "8.5.28", 52975 "8.5.29", 52976 "8.5.3", 52977 "8.5.30", 52978 "8.5.31", 52979 "8.5.4", 52980 "8.5.5", 52981 "8.5.6", 52982 "8.5.8", 52983 "8.5.9" 52984 ] 52985 }, 52986 { 52987 "database_specific": { 52988 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-46j3-r4pj-4835/GHSA-46j3-r4pj-4835.json" 52989 }, 52990 "package": { 52991 "ecosystem": "Maven", 52992 "name": "org.apache.tomcat.embed:tomcat-embed-core", 52993 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 52994 }, 52995 "ranges": [ 52996 { 52997 "events": [ 52998 { 52999 "introduced": "8.0.0" 53000 }, 53001 { 53002 "fixed": "8.0.53" 53003 } 53004 ], 53005 "type": "ECOSYSTEM" 53006 } 53007 ], 53008 "versions": [ 53009 "8.0.1", 53010 "8.0.11", 53011 "8.0.12", 53012 "8.0.14", 53013 "8.0.15", 53014 "8.0.17", 53015 "8.0.18", 53016 "8.0.20", 53017 "8.0.21", 53018 "8.0.22", 53019 "8.0.23", 53020 "8.0.24", 53021 "8.0.26", 53022 "8.0.27", 53023 "8.0.28", 53024 "8.0.29", 53025 "8.0.3", 53026 "8.0.30", 53027 "8.0.32", 53028 "8.0.33", 53029 "8.0.35", 53030 "8.0.36", 53031 "8.0.37", 
53032 "8.0.38", 53033 "8.0.39", 53034 "8.0.41", 53035 "8.0.42", 53036 "8.0.43", 53037 "8.0.44", 53038 "8.0.45", 53039 "8.0.46", 53040 "8.0.47", 53041 "8.0.48", 53042 "8.0.49", 53043 "8.0.5", 53044 "8.0.50", 53045 "8.0.51", 53046 "8.0.52", 53047 "8.0.8", 53048 "8.0.9" 53049 ] 53050 }, 53051 { 53052 "database_specific": { 53053 "last_known_affected_version_range": "\u003c= 7.0.88", 53054 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-46j3-r4pj-4835/GHSA-46j3-r4pj-4835.json" 53055 }, 53056 "package": { 53057 "ecosystem": "Maven", 53058 "name": "org.apache.tomcat.embed:tomcat-embed-core", 53059 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 53060 }, 53061 "ranges": [ 53062 { 53063 "events": [ 53064 { 53065 "introduced": "7.0.35" 53066 }, 53067 { 53068 "fixed": "7.0.90" 53069 } 53070 ], 53071 "type": "ECOSYSTEM" 53072 } 53073 ], 53074 "versions": [ 53075 "7.0.35", 53076 "7.0.37", 53077 "7.0.39", 53078 "7.0.40", 53079 "7.0.41", 53080 "7.0.42", 53081 "7.0.47", 53082 "7.0.50", 53083 "7.0.52", 53084 "7.0.53", 53085 "7.0.54", 53086 "7.0.55", 53087 "7.0.56", 53088 "7.0.57", 53089 "7.0.59", 53090 "7.0.61", 53091 "7.0.62", 53092 "7.0.63", 53093 "7.0.64", 53094 "7.0.65", 53095 "7.0.67", 53096 "7.0.68", 53097 "7.0.69", 53098 "7.0.70", 53099 "7.0.72", 53100 "7.0.73", 53101 "7.0.75", 53102 "7.0.76", 53103 "7.0.77", 53104 "7.0.78", 53105 "7.0.79", 53106 "7.0.81", 53107 "7.0.82", 53108 "7.0.84", 53109 "7.0.85", 53110 "7.0.86", 53111 "7.0.88" 53112 ] 53113 } 53114 ], 53115 "aliases": [ 53116 "CVE-2018-8034" 53117 ], 53118 "database_specific": { 53119 "cwe_ids": [ 53120 "CWE-295" 53121 ], 53122 "github_reviewed": true, 53123 "github_reviewed_at": "2020-06-16T20:57:40Z", 53124 "nvd_published_at": "2018-08-01T18:29:00Z", 53125 "severity": "HIGH" 53126 }, 53127 "details": "The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. 
Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.", 53128 "id": "GHSA-46j3-r4pj-4835", 53129 "modified": "2024-03-11T05:31:02.653591Z", 53130 "published": "2018-10-17T16:32:43Z", 53131 "references": [ 53132 { 53133 "type": "ADVISORY", 53134 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8034" 53135 }, 53136 { 53137 "type": "WEB", 53138 "url": "https://github.com/apache/tomcat/commit/2c522795166c930741a9cecca76797bf48cb1634" 53139 }, 53140 { 53141 "type": "WEB", 53142 "url": "https://github.com/apache/tomcat/commit/2835bb4e030c1c741ed0847bb3b9c3822e4fbc8a" 53143 }, 53144 { 53145 "type": "WEB", 53146 "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" 53147 }, 53148 { 53149 "type": "WEB", 53150 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" 53151 }, 53152 { 53153 "type": "WEB", 53154 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" 53155 }, 53156 { 53157 "type": "WEB", 53158 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" 53159 }, 53160 { 53161 "type": "WEB", 53162 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" 53163 }, 53164 { 53165 "type": "WEB", 53166 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" 53167 }, 53168 { 53169 "type": "WEB", 53170 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" 53171 }, 53172 { 53173 "type": "WEB", 53174 "url": 
"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" 53175 }, 53176 { 53177 "type": "WEB", 53178 "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E" 53179 }, 53180 { 53181 "type": "WEB", 53182 "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E" 53183 }, 53184 { 53185 "type": "WEB", 53186 "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E" 53187 }, 53188 { 53189 "type": "WEB", 53190 "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" 53191 }, 53192 { 53193 "type": "WEB", 53194 "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E" 53195 }, 53196 { 53197 "type": "WEB", 53198 "url": "https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E" 53199 }, 53200 { 53201 "type": "WEB", 53202 "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" 53203 }, 53204 { 53205 "type": "WEB", 53206 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" 53207 }, 53208 { 53209 "type": "WEB", 53210 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" 53211 }, 53212 { 53213 "type": "WEB", 53214 "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00047.html" 53215 }, 53216 { 53217 "type": "WEB", 53218 "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00001.html" 53219 }, 53220 { 53221 "type": "WEB", 53222 
"url": "https://security.netapp.com/advisory/ntap-20180817-0001" 53223 }, 53224 { 53225 "type": "WEB", 53226 "url": "https://usn.ubuntu.com/3723-1" 53227 }, 53228 { 53229 "type": "WEB", 53230 "url": "https://web.archive.org/web/20200227102810/http://www.securityfocus.com/bid/104895" 53231 }, 53232 { 53233 "type": "WEB", 53234 "url": "https://web.archive.org/web/20200517032514/http://www.securitytracker.com/id/1041374" 53235 }, 53236 { 53237 "type": "WEB", 53238 "url": "https://www.debian.org/security/2018/dsa-4281" 53239 }, 53240 { 53241 "type": "WEB", 53242 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 53243 }, 53244 { 53245 "type": "WEB", 53246 "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" 53247 }, 53248 { 53249 "type": "WEB", 53250 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 53251 }, 53252 { 53253 "type": "WEB", 53254 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 53255 }, 53256 { 53257 "type": "WEB", 53258 "url": "https://access.redhat.com/errata/RHSA-2019:0130" 53259 }, 53260 { 53261 "type": "WEB", 53262 "url": "https://access.redhat.com/errata/RHSA-2019:0131" 53263 }, 53264 { 53265 "type": "WEB", 53266 "url": "https://access.redhat.com/errata/RHSA-2019:0450" 53267 }, 53268 { 53269 "type": "WEB", 53270 "url": "https://access.redhat.com/errata/RHSA-2019:0451" 53271 }, 53272 { 53273 "type": "WEB", 53274 "url": "https://access.redhat.com/errata/RHSA-2019:1159" 53275 }, 53276 { 53277 "type": "WEB", 53278 "url": "https://access.redhat.com/errata/RHSA-2019:1160" 53279 }, 53280 { 53281 "type": "WEB", 53282 "url": "https://access.redhat.com/errata/RHSA-2019:1161" 53283 }, 53284 { 53285 "type": "WEB", 53286 "url": "https://access.redhat.com/errata/RHSA-2019:1162" 53287 }, 53288 { 53289 "type": "WEB", 53290 "url": "https://access.redhat.com/errata/RHSA-2019:1529" 53291 }, 53292 { 53293 "type": "WEB", 53294 "url": 
"https://access.redhat.com/errata/RHSA-2019:2205" 53295 }, 53296 { 53297 "type": "WEB", 53298 "url": "https://access.redhat.com/errata/RHSA-2019:3892" 53299 }, 53300 { 53301 "type": "PACKAGE", 53302 "url": "https://github.com/apache/tomcat" 53303 }, 53304 { 53305 "type": "WEB", 53306 "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E" 53307 }, 53308 { 53309 "type": "WEB", 53310 "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" 53311 }, 53312 { 53313 "type": "WEB", 53314 "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E" 53315 }, 53316 { 53317 "type": "WEB", 53318 "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" 53319 }, 53320 { 53321 "type": "WEB", 53322 "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E" 53323 }, 53324 { 53325 "type": "WEB", 53326 "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" 53327 }, 53328 { 53329 "type": "WEB", 53330 "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E" 53331 }, 53332 { 53333 "type": "WEB", 53334 "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" 53335 }, 53336 { 53337 "type": "WEB", 53338 "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E" 53339 }, 53340 { 53341 "type": "WEB", 53342 "url": 
"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" 53343 }, 53344 { 53345 "type": "WEB", 53346 "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" 53347 }, 53348 { 53349 "type": "WEB", 53350 "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" 53351 }, 53352 { 53353 "type": "WEB", 53354 "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E" 53355 }, 53356 { 53357 "type": "WEB", 53358 "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" 53359 }, 53360 { 53361 "type": "WEB", 53362 "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" 53363 }, 53364 { 53365 "type": "WEB", 53366 "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" 53367 }, 53368 { 53369 "type": "WEB", 53370 "url": "https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E" 53371 }, 53372 { 53373 "type": "WEB", 53374 "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722091057.GA70283%40minotaur.apache.org%3E" 53375 }, 53376 { 53377 "type": "WEB", 53378 "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722091057.GA70283@minotaur.apache.org%3E" 53379 }, 53380 { 53381 "type": "WEB", 53382 "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" 53383 } 53384 ], 53385 "schema_version": "1.6.0", 53386 "severity": [ 53387 { 53388 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 53389 "type": "CVSS_V3" 
53390 } 53391 ], 53392 "summary": "The host name verification missing in Apache Tomcat" 53393 }, 53394 { 53395 "affected": [ 53396 { 53397 "database_specific": { 53398 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-5q99-f34m-67gc/GHSA-5q99-f34m-67gc.json" 53399 }, 53400 "package": { 53401 "ecosystem": "Maven", 53402 "name": "org.apache.tomcat.embed:tomcat-embed-core", 53403 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 53404 }, 53405 "ranges": [ 53406 { 53407 "events": [ 53408 { 53409 "introduced": "8.5.0" 53410 }, 53411 { 53412 "fixed": "8.5.34" 53413 } 53414 ], 53415 "type": "ECOSYSTEM" 53416 } 53417 ], 53418 "versions": [ 53419 "8.5.0", 53420 "8.5.11", 53421 "8.5.12", 53422 "8.5.13", 53423 "8.5.14", 53424 "8.5.15", 53425 "8.5.16", 53426 "8.5.19", 53427 "8.5.2", 53428 "8.5.20", 53429 "8.5.21", 53430 "8.5.23", 53431 "8.5.24", 53432 "8.5.27", 53433 "8.5.28", 53434 "8.5.29", 53435 "8.5.3", 53436 "8.5.30", 53437 "8.5.31", 53438 "8.5.32", 53439 "8.5.33", 53440 "8.5.4", 53441 "8.5.5", 53442 "8.5.6", 53443 "8.5.8", 53444 "8.5.9" 53445 ] 53446 }, 53447 { 53448 "database_specific": { 53449 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-5q99-f34m-67gc/GHSA-5q99-f34m-67gc.json" 53450 }, 53451 "package": { 53452 "ecosystem": "Maven", 53453 "name": "org.apache.tomcat.embed:tomcat-embed-core", 53454 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 53455 }, 53456 "ranges": [ 53457 { 53458 "events": [ 53459 { 53460 "introduced": "7.0.23" 53461 }, 53462 { 53463 "fixed": "7.0.91" 53464 } 53465 ], 53466 "type": "ECOSYSTEM" 53467 } 53468 ], 53469 "versions": [ 53470 "7.0.23", 53471 "7.0.25", 53472 "7.0.26", 53473 "7.0.27", 53474 "7.0.28", 53475 "7.0.29", 53476 "7.0.30", 53477 "7.0.32", 53478 "7.0.33", 53479 "7.0.34", 53480 "7.0.35", 53481 "7.0.37", 53482 "7.0.39", 53483 "7.0.40", 53484 "7.0.41", 53485 "7.0.42", 53486 "7.0.47", 53487 
"7.0.50", 53488 "7.0.52", 53489 "7.0.53", 53490 "7.0.54", 53491 "7.0.55", 53492 "7.0.56", 53493 "7.0.57", 53494 "7.0.59", 53495 "7.0.61", 53496 "7.0.62", 53497 "7.0.63", 53498 "7.0.64", 53499 "7.0.65", 53500 "7.0.67", 53501 "7.0.68", 53502 "7.0.69", 53503 "7.0.70", 53504 "7.0.72", 53505 "7.0.73", 53506 "7.0.75", 53507 "7.0.76", 53508 "7.0.77", 53509 "7.0.78", 53510 "7.0.79", 53511 "7.0.81", 53512 "7.0.82", 53513 "7.0.84", 53514 "7.0.85", 53515 "7.0.86", 53516 "7.0.88", 53517 "7.0.90" 53518 ] 53519 }, 53520 { 53521 "database_specific": { 53522 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-5q99-f34m-67gc/GHSA-5q99-f34m-67gc.json" 53523 }, 53524 "package": { 53525 "ecosystem": "Maven", 53526 "name": "org.apache.tomcat.embed:tomcat-embed-core", 53527 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 53528 }, 53529 "ranges": [ 53530 { 53531 "events": [ 53532 { 53533 "introduced": "9.0.0" 53534 }, 53535 { 53536 "fixed": "9.0.12" 53537 } 53538 ], 53539 "type": "ECOSYSTEM" 53540 } 53541 ], 53542 "versions": [ 53543 "9.0.1", 53544 "9.0.10", 53545 "9.0.11", 53546 "9.0.2", 53547 "9.0.4", 53548 "9.0.5", 53549 "9.0.6", 53550 "9.0.7", 53551 "9.0.8" 53552 ] 53553 } 53554 ], 53555 "aliases": [ 53556 "CVE-2018-11784" 53557 ], 53558 "database_specific": { 53559 "cwe_ids": [ 53560 "CWE-601" 53561 ], 53562 "github_reviewed": true, 53563 "github_reviewed_at": "2020-06-16T21:17:07Z", 53564 "nvd_published_at": "2018-10-04T13:29:00Z", 53565 "severity": "MODERATE" 53566 }, 53567 "details": "When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. 
redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.", 53568 "id": "GHSA-5q99-f34m-67gc", 53569 "modified": "2024-03-11T05:31:33.810503Z", 53570 "published": "2018-10-17T16:31:02Z", 53571 "references": [ 53572 { 53573 "type": "ADVISORY", 53574 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11784" 53575 }, 53576 { 53577 "type": "WEB", 53578 "url": "https://github.com/apache/tomcat/commit/b76e1dfb3dec3789cc700f8d022c872eb947a221" 53579 }, 53580 { 53581 "type": "WEB", 53582 "url": "https://github.com/apache/tomcat/commit/efb860b3ff8ebcf606199b8d0d432f76898040da" 53583 }, 53584 { 53585 "type": "WEB", 53586 "url": "https://github.com/apache/tomcat/commit/f9f147359b7c95511b64cd99bbc47917c01b3879" 53587 }, 53588 { 53589 "type": "WEB", 53590 "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00005.html" 53591 }, 53592 { 53593 "type": "WEB", 53594 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" 53595 }, 53596 { 53597 "type": "WEB", 53598 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" 53599 }, 53600 { 53601 "type": "WEB", 53602 "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" 53603 }, 53604 { 53605 "type": "WEB", 53606 "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" 53607 }, 53608 { 53609 "type": "WEB", 53610 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" 53611 }, 53612 { 53613 "type": "WEB", 53614 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" 
53615 }, 53616 { 53617 "type": "WEB", 53618 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" 53619 }, 53620 { 53621 "type": "WEB", 53622 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" 53623 }, 53624 { 53625 "type": "WEB", 53626 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" 53627 }, 53628 { 53629 "type": "WEB", 53630 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" 53631 }, 53632 { 53633 "type": "WEB", 53634 "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" 53635 }, 53636 { 53637 "type": "WEB", 53638 "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E" 53639 }, 53640 { 53641 "type": "WEB", 53642 "url": "https://access.redhat.com/errata/RHSA-2019:0130" 53643 }, 53644 { 53645 "type": "WEB", 53646 "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00006.html" 53647 }, 53648 { 53649 "type": "WEB", 53650 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZ4PX4B3QTKRM35VJAVIEOPZAF76RPBP" 53651 }, 53652 { 53653 "type": "WEB", 53654 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZ4PX4B3QTKRM35VJAVIEOPZAF76RPBP" 53655 }, 53656 { 53657 "type": "WEB", 53658 "url": "https://seclists.org/bugtraq/2019/Dec/43" 53659 }, 53660 { 53661 "type": "WEB", 53662 "url": "https://security.netapp.com/advisory/ntap-20181014-0002" 53663 }, 53664 { 53665 "type": "WEB", 53666 "url": "https://usn.ubuntu.com/3787-1" 53667 }, 53668 { 53669 "type": "WEB", 53670 "url": 
"https://web.archive.org/web/20200227030058/http://www.securityfocus.com/bid/105524" 53671 }, 53672 { 53673 "type": "WEB", 53674 "url": "https://www.debian.org/security/2019/dsa-4596" 53675 }, 53676 { 53677 "type": "WEB", 53678 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 53679 }, 53680 { 53681 "type": "WEB", 53682 "url": "https://www.oracle.com/security-alerts/cpujan2020.html" 53683 }, 53684 { 53685 "type": "WEB", 53686 "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" 53687 }, 53688 { 53689 "type": "WEB", 53690 "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" 53691 }, 53692 { 53693 "type": "WEB", 53694 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 53695 }, 53696 { 53697 "type": "WEB", 53698 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 53699 }, 53700 { 53701 "type": "WEB", 53702 "url": "https://access.redhat.com/errata/RHSA-2019:0131" 53703 }, 53704 { 53705 "type": "WEB", 53706 "url": "https://access.redhat.com/errata/RHSA-2019:0485" 53707 }, 53708 { 53709 "type": "WEB", 53710 "url": "https://access.redhat.com/errata/RHSA-2019:1529" 53711 }, 53712 { 53713 "type": "ADVISORY", 53714 "url": "https://github.com/advisories/GHSA-5q99-f34m-67gc" 53715 }, 53716 { 53717 "type": "PACKAGE", 53718 "url": "https://github.com/apache/tomcat" 53719 }, 53720 { 53721 "type": "WEB", 53722 "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10284" 53723 }, 53724 { 53725 "type": "WEB", 53726 "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E" 53727 }, 53728 { 53729 "type": "WEB", 53730 "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" 53731 }, 53732 { 53733 "type": "WEB", 53734 "url": 
"https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75%40%3Cannounce.tomcat.apache.org%3E" 53735 }, 53736 { 53737 "type": "WEB", 53738 "url": "https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75@%3Cannounce.tomcat.apache.org%3E" 53739 }, 53740 { 53741 "type": "WEB", 53742 "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E" 53743 }, 53744 { 53745 "type": "WEB", 53746 "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" 53747 }, 53748 { 53749 "type": "WEB", 53750 "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E" 53751 }, 53752 { 53753 "type": "WEB", 53754 "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" 53755 }, 53756 { 53757 "type": "WEB", 53758 "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E" 53759 }, 53760 { 53761 "type": "WEB", 53762 "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" 53763 }, 53764 { 53765 "type": "WEB", 53766 "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E" 53767 }, 53768 { 53769 "type": "WEB", 53770 "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" 53771 }, 53772 { 53773 "type": "WEB", 53774 "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" 53775 }, 53776 { 53777 "type": "WEB", 53778 "url": 
"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" 53779 }, 53780 { 53781 "type": "WEB", 53782 "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E" 53783 }, 53784 { 53785 "type": "WEB", 53786 "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" 53787 }, 53788 { 53789 "type": "WEB", 53790 "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" 53791 }, 53792 { 53793 "type": "WEB", 53794 "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" 53795 }, 53796 { 53797 "type": "WEB", 53798 "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E" 53799 }, 53800 { 53801 "type": "WEB", 53802 "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" 53803 }, 53804 { 53805 "type": "WEB", 53806 "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E" 53807 }, 53808 { 53809 "type": "WEB", 53810 "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E" 53811 }, 53812 { 53813 "type": "WEB", 53814 "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html" 53815 }, 53816 { 53817 "type": "WEB", 53818 "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html" 53819 }, 53820 { 53821 "type": "WEB", 53822 "url": "http://packetstormsecurity.com/files/163456/Apache-Tomcat-9.0.0M1-Open-Redirect.html" 53823 } 53824 ], 53825 "schema_version": "1.6.0", 53826 "severity": [ 
53827 { 53828 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", 53829 "type": "CVSS_V3" 53830 } 53831 ], 53832 "summary": "Apache Tomcat Open Redirect vulnerability" 53833 }, 53834 { 53835 "affected": [ 53836 { 53837 "database_specific": { 53838 "last_known_affected_version_range": "\u003c= 9.0.4", 53839 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6rxj-58jh-436r/GHSA-6rxj-58jh-436r.json" 53840 }, 53841 "package": { 53842 "ecosystem": "Maven", 53843 "name": "org.apache.tomcat.embed:tomcat-embed-core", 53844 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 53845 }, 53846 "ranges": [ 53847 { 53848 "events": [ 53849 { 53850 "introduced": "9.0.0" 53851 }, 53852 { 53853 "fixed": "9.0.5" 53854 } 53855 ], 53856 "type": "ECOSYSTEM" 53857 } 53858 ], 53859 "versions": [ 53860 "9.0.1", 53861 "9.0.2", 53862 "9.0.4" 53863 ] 53864 }, 53865 { 53866 "database_specific": { 53867 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6rxj-58jh-436r/GHSA-6rxj-58jh-436r.json" 53868 }, 53869 "package": { 53870 "ecosystem": "Maven", 53871 "name": "org.apache.tomcat.embed:tomcat-embed-core", 53872 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 53873 }, 53874 "ranges": [ 53875 { 53876 "events": [ 53877 { 53878 "introduced": "8.5.0" 53879 }, 53880 { 53881 "fixed": "8.5.28" 53882 } 53883 ], 53884 "type": "ECOSYSTEM" 53885 } 53886 ], 53887 "versions": [ 53888 "8.5.0", 53889 "8.5.11", 53890 "8.5.12", 53891 "8.5.13", 53892 "8.5.14", 53893 "8.5.15", 53894 "8.5.16", 53895 "8.5.19", 53896 "8.5.2", 53897 "8.5.20", 53898 "8.5.21", 53899 "8.5.23", 53900 "8.5.24", 53901 "8.5.27", 53902 "8.5.3", 53903 "8.5.4", 53904 "8.5.5", 53905 "8.5.6", 53906 "8.5.8", 53907 "8.5.9" 53908 ] 53909 }, 53910 { 53911 "database_specific": { 53912 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6rxj-58jh-436r/GHSA-6rxj-58jh-436r.json" 53913 }, 53914 "package": { 53915 "ecosystem": "Maven", 53916 "name": "org.apache.tomcat.embed:tomcat-embed-core", 53917 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 53918 }, 53919 "ranges": [ 53920 { 53921 "events": [ 53922 { 53923 "introduced": "8.0.0" 53924 }, 53925 { 53926 "fixed": "8.0.51" 53927 } 53928 ], 53929 "type": "ECOSYSTEM" 53930 } 53931 ], 53932 "versions": [ 53933 "8.0.1", 53934 "8.0.11", 53935 "8.0.12", 53936 "8.0.14", 53937 "8.0.15", 53938 "8.0.17", 53939 "8.0.18", 53940 "8.0.20", 53941 "8.0.21", 53942 "8.0.22", 53943 "8.0.23", 53944 "8.0.24", 53945 "8.0.26", 53946 "8.0.27", 53947 "8.0.28", 53948 "8.0.29", 53949 "8.0.3", 53950 "8.0.30", 53951 "8.0.32", 53952 "8.0.33", 53953 "8.0.35", 53954 "8.0.36", 53955 "8.0.37", 53956 "8.0.38", 53957 "8.0.39", 53958 "8.0.41", 53959 "8.0.42", 53960 "8.0.43", 53961 "8.0.44", 53962 "8.0.45", 53963 "8.0.46", 53964 "8.0.47", 53965 "8.0.48", 53966 "8.0.49", 53967 "8.0.5", 53968 "8.0.50", 53969 "8.0.8", 53970 "8.0.9" 53971 ] 53972 }, 53973 { 53974 "database_specific": { 53975 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6rxj-58jh-436r/GHSA-6rxj-58jh-436r.json" 53976 }, 53977 "package": { 53978 "ecosystem": "Maven", 53979 "name": "org.apache.tomcat.embed:tomcat-embed-core", 53980 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 53981 }, 53982 "ranges": [ 53983 { 53984 "events": [ 53985 { 53986 "introduced": "7.0.0" 53987 }, 53988 { 53989 "fixed": "7.0.86" 53990 } 53991 ], 53992 "type": "ECOSYSTEM" 53993 } 53994 ], 53995 "versions": [ 53996 "7.0.0", 53997 "7.0.11", 53998 "7.0.12", 53999 "7.0.14", 54000 "7.0.16", 54001 "7.0.19", 54002 "7.0.2", 54003 "7.0.20", 54004 "7.0.21", 54005 "7.0.22", 54006 "7.0.23", 54007 "7.0.25", 54008 "7.0.26", 54009 "7.0.27", 54010 "7.0.28", 54011 "7.0.29", 54012 "7.0.30", 
54013 "7.0.32", 54014 "7.0.33", 54015 "7.0.34", 54016 "7.0.35", 54017 "7.0.37", 54018 "7.0.39", 54019 "7.0.4", 54020 "7.0.40", 54021 "7.0.41", 54022 "7.0.42", 54023 "7.0.47", 54024 "7.0.5", 54025 "7.0.50", 54026 "7.0.52", 54027 "7.0.53", 54028 "7.0.54", 54029 "7.0.55", 54030 "7.0.56", 54031 "7.0.57", 54032 "7.0.59", 54033 "7.0.6", 54034 "7.0.61", 54035 "7.0.62", 54036 "7.0.63", 54037 "7.0.64", 54038 "7.0.65", 54039 "7.0.67", 54040 "7.0.68", 54041 "7.0.69", 54042 "7.0.70", 54043 "7.0.72", 54044 "7.0.73", 54045 "7.0.75", 54046 "7.0.76", 54047 "7.0.77", 54048 "7.0.78", 54049 "7.0.79", 54050 "7.0.8", 54051 "7.0.81", 54052 "7.0.82", 54053 "7.0.84", 54054 "7.0.85" 54055 ] 54056 } 54057 ], 54058 "aliases": [ 54059 "CVE-2018-1304" 54060 ], 54061 "database_specific": { 54062 "cwe_ids": [], 54063 "github_reviewed": true, 54064 "github_reviewed_at": "2020-06-16T21:20:10Z", 54065 "nvd_published_at": "2018-02-28T20:29:00Z", 54066 "severity": "MODERATE" 54067 }, 54068 "details": "The URL pattern of \"\" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. 
Only security constraints with a URL pattern of the empty string were affected.", 54069 "id": "GHSA-6rxj-58jh-436r", 54070 "modified": "2024-03-12T05:33:06.196997Z", 54071 "published": "2018-10-17T16:31:17Z", 54072 "references": [ 54073 { 54074 "type": "ADVISORY", 54075 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1304" 54076 }, 54077 { 54078 "type": "WEB", 54079 "url": "https://github.com/apache/tomcat80/commit/9e700b93e3bf5c605267d20568a964169f9e0b79" 54080 }, 54081 { 54082 "type": "WEB", 54083 "url": "https://github.com/apache/tomcat/commit/723ea6a5bc5e7bc49e5ef84273c3b3c164a6a4fd" 54084 }, 54085 { 54086 "type": "WEB", 54087 "url": "https://github.com/apache/tomcat/commit/5af7c13cff7cc8366c5997418e820989fabb8f48" 54088 }, 54089 { 54090 "type": "WEB", 54091 "url": "https://github.com/apache/tomcat/commit/2d69fde135302e8cff984bb2131ec69f2e396964" 54092 }, 54093 { 54094 "type": "WEB", 54095 "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" 54096 }, 54097 { 54098 "type": "WEB", 54099 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" 54100 }, 54101 { 54102 "type": "WEB", 54103 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" 54104 }, 54105 { 54106 "type": "WEB", 54107 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" 54108 }, 54109 { 54110 "type": "WEB", 54111 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" 54112 }, 54113 { 54114 "type": "WEB", 54115 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" 54116 }, 54117 { 54118 "type": "WEB", 54119 "url": 
"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" 54120 }, 54121 { 54122 "type": "WEB", 54123 "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" 54124 }, 54125 { 54126 "type": "WEB", 54127 "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E" 54128 }, 54129 { 54130 "type": "WEB", 54131 "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E" 54132 }, 54133 { 54134 "type": "WEB", 54135 "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E" 54136 }, 54137 { 54138 "type": "WEB", 54139 "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" 54140 }, 54141 { 54142 "type": "WEB", 54143 "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E" 54144 }, 54145 { 54146 "type": "WEB", 54147 "url": "https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb@%3Cannounce.tomcat.apache.org%3E" 54148 }, 54149 { 54150 "type": "WEB", 54151 "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" 54152 }, 54153 { 54154 "type": "WEB", 54155 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" 54156 }, 54157 { 54158 "type": "WEB", 54159 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" 54160 }, 54161 { 54162 "type": "WEB", 54163 "url": 
"https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html" 54164 }, 54165 { 54166 "type": "WEB", 54167 "url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html" 54168 }, 54169 { 54170 "type": "WEB", 54171 "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html" 54172 }, 54173 { 54174 "type": "WEB", 54175 "url": "https://security.netapp.com/advisory/ntap-20180706-0001" 54176 }, 54177 { 54178 "type": "WEB", 54179 "url": "https://usn.ubuntu.com/3665-1" 54180 }, 54181 { 54182 "type": "WEB", 54183 "url": "https://web.archive.org/web/20200227102806/http://www.securityfocus.com/bid/103170" 54184 }, 54185 { 54186 "type": "WEB", 54187 "url": "https://web.archive.org/web/20200516074457/http://www.securitytracker.com/id/1040427" 54188 }, 54189 { 54190 "type": "WEB", 54191 "url": "https://www.debian.org/security/2018/dsa-4281" 54192 }, 54193 { 54194 "type": "WEB", 54195 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 54196 }, 54197 { 54198 "type": "WEB", 54199 "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" 54200 }, 54201 { 54202 "type": "WEB", 54203 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 54204 }, 54205 { 54206 "type": "WEB", 54207 "url": "https://access.redhat.com/errata/RHSA-2018:0465" 54208 }, 54209 { 54210 "type": "WEB", 54211 "url": "https://access.redhat.com/errata/RHSA-2018:0466" 54212 }, 54213 { 54214 "type": "WEB", 54215 "url": "https://access.redhat.com/errata/RHSA-2018:1320" 54216 }, 54217 { 54218 "type": "WEB", 54219 "url": "https://access.redhat.com/errata/RHSA-2018:1447" 54220 }, 54221 { 54222 "type": "WEB", 54223 "url": "https://access.redhat.com/errata/RHSA-2018:1448" 54224 }, 54225 { 54226 "type": "WEB", 54227 "url": "https://access.redhat.com/errata/RHSA-2018:1449" 54228 }, 54229 { 54230 "type": "WEB", 54231 "url": "https://access.redhat.com/errata/RHSA-2018:1450" 54232 }, 54233 { 54234 "type": "WEB", 54235 "url": 
"https://access.redhat.com/errata/RHSA-2018:1451" 54236 }, 54237 { 54238 "type": "WEB", 54239 "url": "https://access.redhat.com/errata/RHSA-2018:2939" 54240 }, 54241 { 54242 "type": "WEB", 54243 "url": "https://access.redhat.com/errata/RHSA-2019:2205" 54244 }, 54245 { 54246 "type": "ADVISORY", 54247 "url": "https://github.com/advisories/GHSA-6rxj-58jh-436r" 54248 }, 54249 { 54250 "type": "PACKAGE", 54251 "url": "https://github.com/apache/tomcat" 54252 }, 54253 { 54254 "type": "WEB", 54255 "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E" 54256 }, 54257 { 54258 "type": "WEB", 54259 "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" 54260 }, 54261 { 54262 "type": "WEB", 54263 "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E" 54264 }, 54265 { 54266 "type": "WEB", 54267 "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" 54268 }, 54269 { 54270 "type": "WEB", 54271 "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E" 54272 }, 54273 { 54274 "type": "WEB", 54275 "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" 54276 }, 54277 { 54278 "type": "WEB", 54279 "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E" 54280 }, 54281 { 54282 "type": "WEB", 54283 "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" 54284 }, 54285 { 54286 "type": "WEB", 54287 "url": 
"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E" 54288 }, 54289 { 54290 "type": "WEB", 54291 "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" 54292 }, 54293 { 54294 "type": "WEB", 54295 "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" 54296 }, 54297 { 54298 "type": "WEB", 54299 "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" 54300 }, 54301 { 54302 "type": "WEB", 54303 "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E" 54304 }, 54305 { 54306 "type": "WEB", 54307 "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" 54308 }, 54309 { 54310 "type": "WEB", 54311 "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" 54312 }, 54313 { 54314 "type": "WEB", 54315 "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" 54316 }, 54317 { 54318 "type": "WEB", 54319 "url": "https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb%40%3Cannounce.tomcat.apache.org%3E" 54320 }, 54321 { 54322 "type": "WEB", 54323 "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" 54324 }, 54325 { 54326 "type": "WEB", 54327 "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" 54328 } 54329 ], 54330 "schema_version": "1.6.0", 54331 "severity": [ 54332 { 54333 "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", 54334 "type": "CVSS_V3" 54335 } 54336 ], 54337 "summary": 
"Apache Tomcat unauthorized access vulnerability" 54338 }, 54339 { 54340 "affected": [ 54341 { 54342 "database_specific": { 54343 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6v52-mj5r-7j2m/GHSA-6v52-mj5r-7j2m.json" 54344 }, 54345 "package": { 54346 "ecosystem": "Maven", 54347 "name": "org.apache.tomcat.embed:tomcat-embed-core", 54348 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 54349 }, 54350 "ranges": [ 54351 { 54352 "events": [ 54353 { 54354 "introduced": "9.0.0.M9" 54355 }, 54356 { 54357 "fixed": "9.0.10" 54358 } 54359 ], 54360 "type": "ECOSYSTEM" 54361 } 54362 ], 54363 "versions": [ 54364 "9.0.0.M10", 54365 "9.0.0.M11", 54366 "9.0.0.M13", 54367 "9.0.0.M15", 54368 "9.0.0.M17", 54369 "9.0.0.M18", 54370 "9.0.0.M19", 54371 "9.0.0.M20", 54372 "9.0.0.M21", 54373 "9.0.0.M22", 54374 "9.0.0.M25", 54375 "9.0.0.M26", 54376 "9.0.0.M27", 54377 "9.0.0.M9", 54378 "9.0.1", 54379 "9.0.2", 54380 "9.0.4", 54381 "9.0.5", 54382 "9.0.6", 54383 "9.0.7", 54384 "9.0.8" 54385 ] 54386 }, 54387 { 54388 "database_specific": { 54389 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6v52-mj5r-7j2m/GHSA-6v52-mj5r-7j2m.json" 54390 }, 54391 "package": { 54392 "ecosystem": "Maven", 54393 "name": "org.apache.tomcat.embed:tomcat-embed-core", 54394 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 54395 }, 54396 "ranges": [ 54397 { 54398 "events": [ 54399 { 54400 "introduced": "8.5.5" 54401 }, 54402 { 54403 "fixed": "8.5.32" 54404 } 54405 ], 54406 "type": "ECOSYSTEM" 54407 } 54408 ], 54409 "versions": [ 54410 "8.5.11", 54411 "8.5.12", 54412 "8.5.13", 54413 "8.5.14", 54414 "8.5.15", 54415 "8.5.16", 54416 "8.5.19", 54417 "8.5.20", 54418 "8.5.21", 54419 "8.5.23", 54420 "8.5.24", 54421 "8.5.27", 54422 "8.5.28", 54423 "8.5.29", 54424 "8.5.30", 54425 "8.5.31", 54426 "8.5.5", 54427 "8.5.6", 54428 "8.5.8", 54429 "8.5.9" 54430 ] 54431 } 54432 ], 54433 "aliases": [ 
54434 "CVE-2018-8037" 54435 ], 54436 "database_specific": { 54437 "cwe_ids": [ 54438 "CWE-362" 54439 ], 54440 "github_reviewed": true, 54441 "github_reviewed_at": "2020-06-16T21:20:12Z", 54442 "nvd_published_at": "2018-08-02T14:29:00Z", 54443 "severity": "MODERATE" 54444 }, 54445 "details": "If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.", 54446 "id": "GHSA-6v52-mj5r-7j2m", 54447 "modified": "2024-03-11T05:32:05.311159Z", 54448 "published": "2018-10-17T16:33:02Z", 54449 "references": [ 54450 { 54451 "type": "ADVISORY", 54452 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8037" 54453 }, 54454 { 54455 "type": "WEB", 54456 "url": "https://github.com/apache/tomcat/commit/4c04369c287233ea2e8e5135f6c31d02e2d76293" 54457 }, 54458 { 54459 "type": "WEB", 54460 "url": "https://github.com/apache/tomcat/commit/ccf2e6bf5205561ad18c2300153e9173ec509d73" 54461 }, 54462 { 54463 "type": "WEB", 54464 "url": "https://github.com/apache/tomcat/commit/ed4b9d791f9470e4c3de691dd0153a9ce431701b" 54465 }, 54466 { 54467 "type": "WEB", 54468 "url": "https://github.com/apache/tomcat/commit/f94eedf02b5973598ab3dbbd4504da588e9ba6cb" 54469 }, 54470 { 54471 "type": "WEB", 54472 "url": "https://access.redhat.com/errata/RHSA-2018:2867" 54473 }, 54474 { 54475 "type": "WEB", 54476 "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E" 54477 }, 54478 { 54479 "type": "WEB", 54480 "url": 
"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E" 54481 }, 54482 { 54483 "type": "WEB", 54484 "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E" 54485 }, 54486 { 54487 "type": "WEB", 54488 "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" 54489 }, 54490 { 54491 "type": "WEB", 54492 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" 54493 }, 54494 { 54495 "type": "WEB", 54496 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" 54497 }, 54498 { 54499 "type": "WEB", 54500 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" 54501 }, 54502 { 54503 "type": "WEB", 54504 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" 54505 }, 54506 { 54507 "type": "WEB", 54508 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" 54509 }, 54510 { 54511 "type": "WEB", 54512 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" 54513 }, 54514 { 54515 "type": "WEB", 54516 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" 54517 }, 54518 { 54519 "type": "WEB", 54520 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" 54521 }, 54522 { 54523 "type": "WEB", 54524 "url": 
"https://security.netapp.com/advisory/ntap-20180817-0001" 54525 }, 54526 { 54527 "type": "WEB", 54528 "url": "https://web.archive.org/web/20200227102808/http://www.securityfocus.com/bid/104894" 54529 }, 54530 { 54531 "type": "WEB", 54532 "url": "https://web.archive.org/web/20200515223903/http://www.securitytracker.com/id/1041376" 54533 }, 54534 { 54535 "type": "WEB", 54536 "url": "https://www.debian.org/security/2018/dsa-4281" 54537 }, 54538 { 54539 "type": "WEB", 54540 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 54541 }, 54542 { 54543 "type": "WEB", 54544 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 54545 }, 54546 { 54547 "type": "WEB", 54548 "url": "https://access.redhat.com/errata/RHSA-2018:2868" 54549 }, 54550 { 54551 "type": "WEB", 54552 "url": "https://access.redhat.com/errata/RHSA-2019:1529" 54553 }, 54554 { 54555 "type": "PACKAGE", 54556 "url": "https://github.com/apache/tomcat" 54557 }, 54558 { 54559 "type": "WEB", 54560 "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E" 54561 }, 54562 { 54563 "type": "WEB", 54564 "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" 54565 }, 54566 { 54567 "type": "WEB", 54568 "url": "https://lists.apache.org/thread.html/2ee3af8a43cb019e7898c9330cc8e73306553a27f2e4735dfb522d39%40%3Cusers.tomcat.apache.org%3E" 54569 }, 54570 { 54571 "type": "WEB", 54572 "url": "https://lists.apache.org/thread.html/2ee3af8a43cb019e7898c9330cc8e73306553a27f2e4735dfb522d39@%3Cusers.tomcat.apache.org%3E" 54573 }, 54574 { 54575 "type": "WEB", 54576 "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E" 54577 }, 54578 { 54579 "type": "WEB", 54580 "url": 
"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" 54581 }, 54582 { 54583 "type": "WEB", 54584 "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E" 54585 }, 54586 { 54587 "type": "WEB", 54588 "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" 54589 }, 54590 { 54591 "type": "WEB", 54592 "url": "https://lists.apache.org/thread.html/5d15316dfb4adf75d96d394745f8037533fa3bcc1ac8f619bf5c044c%40%3Cusers.tomcat.apache.org%3E" 54593 }, 54594 { 54595 "type": "WEB", 54596 "url": "https://lists.apache.org/thread.html/5d15316dfb4adf75d96d394745f8037533fa3bcc1ac8f619bf5c044c@%3Cusers.tomcat.apache.org%3E" 54597 }, 54598 { 54599 "type": "WEB", 54600 "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" 54601 }, 54602 { 54603 "type": "WEB", 54604 "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" 54605 }, 54606 { 54607 "type": "WEB", 54608 "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" 54609 }, 54610 { 54611 "type": "WEB", 54612 "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" 54613 }, 54614 { 54615 "type": "WEB", 54616 "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E" 54617 }, 54618 { 54619 "type": "WEB", 54620 "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" 54621 }, 54622 { 54623 "type": "WEB", 54624 "url": 
"http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090623.GA92700%40minotaur.apache.org%3E" 54625 }, 54626 { 54627 "type": "WEB", 54628 "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201808.mbox/%3C0c616b4d-4e81-e7f8-b81d-1bb4c575aa33%40apache.org%3E" 54629 }, 54630 { 54631 "type": "WEB", 54632 "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" 54633 } 54634 ], 54635 "schema_version": "1.6.0", 54636 "severity": [ 54637 { 54638 "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", 54639 "type": "CVSS_V3" 54640 } 54641 ], 54642 "summary": "Apache Tomcat Race Condition vulnerability" 54643 }, 54644 { 54645 "affected": [ 54646 { 54647 "database_specific": { 54648 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json" 54649 }, 54650 "package": { 54651 "ecosystem": "Maven", 54652 "name": "org.apache.tomcat.embed:tomcat-embed-core", 54653 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 54654 }, 54655 "ranges": [ 54656 { 54657 "events": [ 54658 { 54659 "introduced": "7.0.98" 54660 }, 54661 { 54662 "fixed": "7.0.100" 54663 } 54664 ], 54665 "type": "ECOSYSTEM" 54666 } 54667 ], 54668 "versions": [ 54669 "7.0.99" 54670 ] 54671 }, 54672 { 54673 "database_specific": { 54674 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json" 54675 }, 54676 "package": { 54677 "ecosystem": "Maven", 54678 "name": "org.apache.tomcat.embed:tomcat-embed-core", 54679 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 54680 }, 54681 "ranges": [ 54682 { 54683 "events": [ 54684 { 54685 "introduced": "8.5.48" 54686 }, 54687 { 54688 "fixed": "8.5.51" 54689 } 54690 ], 54691 "type": "ECOSYSTEM" 54692 } 54693 ], 54694 "versions": [ 54695 "8.5.49", 54696 "8.5.50" 54697 ] 54698 }, 54699 { 54700 "database_specific": { 54701 
"source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json" 54702 }, 54703 "package": { 54704 "ecosystem": "Maven", 54705 "name": "org.apache.tomcat.embed:tomcat-embed-core", 54706 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 54707 }, 54708 "ranges": [ 54709 { 54710 "events": [ 54711 { 54712 "introduced": "9.0.28" 54713 }, 54714 { 54715 "fixed": "9.0.31" 54716 } 54717 ], 54718 "type": "ECOSYSTEM" 54719 } 54720 ], 54721 "versions": [ 54722 "9.0.29", 54723 "9.0.30" 54724 ] 54725 }, 54726 { 54727 "database_specific": { 54728 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json" 54729 }, 54730 "package": { 54731 "ecosystem": "Maven", 54732 "name": "org.apache.tomcat:tomcat", 54733 "purl": "pkg:maven/org.apache.tomcat/tomcat" 54734 }, 54735 "ranges": [ 54736 { 54737 "events": [ 54738 { 54739 "introduced": "7.0.98" 54740 }, 54741 { 54742 "fixed": "7.0.100" 54743 } 54744 ], 54745 "type": "ECOSYSTEM" 54746 } 54747 ], 54748 "versions": [ 54749 "7.0.99" 54750 ] 54751 }, 54752 { 54753 "database_specific": { 54754 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json" 54755 }, 54756 "package": { 54757 "ecosystem": "Maven", 54758 "name": "org.apache.tomcat:tomcat", 54759 "purl": "pkg:maven/org.apache.tomcat/tomcat" 54760 }, 54761 "ranges": [ 54762 { 54763 "events": [ 54764 { 54765 "introduced": "8.5.48" 54766 }, 54767 { 54768 "fixed": "8.5.51" 54769 } 54770 ], 54771 "type": "ECOSYSTEM" 54772 } 54773 ], 54774 "versions": [ 54775 "8.5.49", 54776 "8.5.50" 54777 ] 54778 }, 54779 { 54780 "database_specific": { 54781 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json" 54782 }, 54783 "package": { 54784 
"ecosystem": "Maven", 54785 "name": "org.apache.tomcat:tomcat", 54786 "purl": "pkg:maven/org.apache.tomcat/tomcat" 54787 }, 54788 "ranges": [ 54789 { 54790 "events": [ 54791 { 54792 "introduced": "9.0.28" 54793 }, 54794 { 54795 "fixed": "9.0.31" 54796 } 54797 ], 54798 "type": "ECOSYSTEM" 54799 } 54800 ], 54801 "versions": [ 54802 "9.0.29", 54803 "9.0.30" 54804 ] 54805 } 54806 ], 54807 "aliases": [ 54808 "CVE-2019-17569" 54809 ], 54810 "database_specific": { 54811 "cwe_ids": [ 54812 "CWE-444" 54813 ], 54814 "github_reviewed": true, 54815 "github_reviewed_at": "2020-02-25T16:19:11Z", 54816 "nvd_published_at": "2020-02-24T22:15:00Z", 54817 "severity": "MODERATE" 54818 }, 54819 "details": "The refactoring present in Apache Tomcat versions 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. 
Such a reverse proxy is considered unlikely.", 54820 "id": "GHSA-767j-jfh2-jvrc", 54821 "modified": "2024-02-21T05:31:17.449525Z", 54822 "published": "2020-02-28T01:10:58Z", 54823 "references": [ 54824 { 54825 "type": "ADVISORY", 54826 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17569" 54827 }, 54828 { 54829 "type": "WEB", 54830 "url": "https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E" 54831 }, 54832 { 54833 "type": "WEB", 54834 "url": "https://lists.apache.org/thread.html/r88def002c5c78534674ca67472e035099fbe088813d50062094a1390%40%3Cannounce.tomcat.apache.org%3E" 54835 }, 54836 { 54837 "type": "WEB", 54838 "url": "https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E" 54839 }, 54840 { 54841 "type": "WEB", 54842 "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html" 54843 }, 54844 { 54845 "type": "WEB", 54846 "url": "https://security.netapp.com/advisory/ntap-20200327-0005" 54847 }, 54848 { 54849 "type": "WEB", 54850 "url": "https://www.debian.org/security/2020/dsa-4673" 54851 }, 54852 { 54853 "type": "WEB", 54854 "url": "https://www.debian.org/security/2020/dsa-4680" 54855 }, 54856 { 54857 "type": "WEB", 54858 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 54859 }, 54860 { 54861 "type": "WEB", 54862 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 54863 }, 54864 { 54865 "type": "WEB", 54866 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 54867 }, 54868 { 54869 "type": "WEB", 54870 "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html" 54871 } 54872 ], 54873 "schema_version": "1.6.0", 54874 "severity": [ 54875 { 54876 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", 54877 "type": "CVSS_V3" 54878 } 54879 ], 54880 "summary": "Potential HTTP request smuggling in Apache Tomcat" 54881 }, 54882 { 54883 "affected": 
[ 54884 { 54885 "database_specific": { 54886 "last_known_affected_version_range": "\u003c= 11.0.0-M16", 54887 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json" 54888 }, 54889 "package": { 54890 "ecosystem": "Maven", 54891 "name": "org.apache.tomcat:tomcat-coyote", 54892 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 54893 }, 54894 "ranges": [ 54895 { 54896 "events": [ 54897 { 54898 "introduced": "11.0.0-M1" 54899 }, 54900 { 54901 "fixed": "11.0.0-M17" 54902 } 54903 ], 54904 "type": "ECOSYSTEM" 54905 } 54906 ], 54907 "versions": [ 54908 "11.0.0-M1", 54909 "11.0.0-M10", 54910 "11.0.0-M11", 54911 "11.0.0-M12", 54912 "11.0.0-M13", 54913 "11.0.0-M14", 54914 "11.0.0-M15", 54915 "11.0.0-M16", 54916 "11.0.0-M3", 54917 "11.0.0-M4", 54918 "11.0.0-M5", 54919 "11.0.0-M6", 54920 "11.0.0-M7", 54921 "11.0.0-M9" 54922 ] 54923 }, 54924 { 54925 "database_specific": { 54926 "last_known_affected_version_range": "\u003c= 10.1.18", 54927 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json" 54928 }, 54929 "package": { 54930 "ecosystem": "Maven", 54931 "name": "org.apache.tomcat:tomcat-coyote", 54932 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 54933 }, 54934 "ranges": [ 54935 { 54936 "events": [ 54937 { 54938 "introduced": "10.1.0-M1" 54939 }, 54940 { 54941 "fixed": "10.1.19" 54942 } 54943 ], 54944 "type": "ECOSYSTEM" 54945 } 54946 ], 54947 "versions": [ 54948 "10.1.0", 54949 "10.1.0-M1", 54950 "10.1.0-M10", 54951 "10.1.0-M11", 54952 "10.1.0-M12", 54953 "10.1.0-M14", 54954 "10.1.0-M15", 54955 "10.1.0-M16", 54956 "10.1.0-M17", 54957 "10.1.0-M2", 54958 "10.1.0-M4", 54959 "10.1.0-M5", 54960 "10.1.0-M6", 54961 "10.1.0-M7", 54962 "10.1.0-M8", 54963 "10.1.1", 54964 "10.1.10", 54965 "10.1.11", 54966 "10.1.12", 54967 "10.1.13", 54968 "10.1.14", 54969 "10.1.15", 54970 "10.1.16", 54971 "10.1.17", 
54972 "10.1.18", 54973 "10.1.2", 54974 "10.1.4", 54975 "10.1.5", 54976 "10.1.6", 54977 "10.1.7", 54978 "10.1.8", 54979 "10.1.9" 54980 ] 54981 }, 54982 { 54983 "database_specific": { 54984 "last_known_affected_version_range": "\u003c= 9.0.85", 54985 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json" 54986 }, 54987 "package": { 54988 "ecosystem": "Maven", 54989 "name": "org.apache.tomcat:tomcat-coyote", 54990 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 54991 }, 54992 "ranges": [ 54993 { 54994 "events": [ 54995 { 54996 "introduced": "9.0.0-M1" 54997 }, 54998 { 54999 "fixed": "9.0.86" 55000 } 55001 ], 55002 "type": "ECOSYSTEM" 55003 } 55004 ], 55005 "versions": [ 55006 "9.0.0.M1", 55007 "9.0.0.M10", 55008 "9.0.0.M11", 55009 "9.0.0.M13", 55010 "9.0.0.M15", 55011 "9.0.0.M17", 55012 "9.0.0.M18", 55013 "9.0.0.M19", 55014 "9.0.0.M20", 55015 "9.0.0.M21", 55016 "9.0.0.M22", 55017 "9.0.0.M25", 55018 "9.0.0.M26", 55019 "9.0.0.M27", 55020 "9.0.0.M3", 55021 "9.0.0.M4", 55022 "9.0.0.M6", 55023 "9.0.0.M8", 55024 "9.0.0.M9", 55025 "9.0.1", 55026 "9.0.10", 55027 "9.0.11", 55028 "9.0.12", 55029 "9.0.13", 55030 "9.0.14", 55031 "9.0.16", 55032 "9.0.17", 55033 "9.0.19", 55034 "9.0.2", 55035 "9.0.20", 55036 "9.0.21", 55037 "9.0.22", 55038 "9.0.24", 55039 "9.0.26", 55040 "9.0.27", 55041 "9.0.29", 55042 "9.0.30", 55043 "9.0.31", 55044 "9.0.33", 55045 "9.0.34", 55046 "9.0.35", 55047 "9.0.36", 55048 "9.0.37", 55049 "9.0.38", 55050 "9.0.39", 55051 "9.0.4", 55052 "9.0.40", 55053 "9.0.41", 55054 "9.0.43", 55055 "9.0.44", 55056 "9.0.45", 55057 "9.0.46", 55058 "9.0.48", 55059 "9.0.5", 55060 "9.0.50", 55061 "9.0.52", 55062 "9.0.53", 55063 "9.0.54", 55064 "9.0.55", 55065 "9.0.56", 55066 "9.0.58", 55067 "9.0.59", 55068 "9.0.6", 55069 "9.0.60", 55070 "9.0.62", 55071 "9.0.63", 55072 "9.0.64", 55073 "9.0.65", 55074 "9.0.67", 55075 "9.0.68", 55076 "9.0.69", 55077 "9.0.7", 55078 "9.0.70", 55079 "9.0.71", 
55080 "9.0.72", 55081 "9.0.73", 55082 "9.0.74", 55083 "9.0.75", 55084 "9.0.76", 55085 "9.0.78", 55086 "9.0.79", 55087 "9.0.8", 55088 "9.0.80", 55089 "9.0.81", 55090 "9.0.82", 55091 "9.0.83", 55092 "9.0.84", 55093 "9.0.85" 55094 ] 55095 }, 55096 { 55097 "database_specific": { 55098 "last_known_affected_version_range": "\u003c= 8.5.98", 55099 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json" 55100 }, 55101 "package": { 55102 "ecosystem": "Maven", 55103 "name": "org.apache.tomcat:tomcat-coyote", 55104 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 55105 }, 55106 "ranges": [ 55107 { 55108 "events": [ 55109 { 55110 "introduced": "8.5.0" 55111 }, 55112 { 55113 "fixed": "8.5.99" 55114 } 55115 ], 55116 "type": "ECOSYSTEM" 55117 } 55118 ], 55119 "versions": [ 55120 "8.5.0", 55121 "8.5.11", 55122 "8.5.12", 55123 "8.5.13", 55124 "8.5.14", 55125 "8.5.15", 55126 "8.5.16", 55127 "8.5.19", 55128 "8.5.2", 55129 "8.5.20", 55130 "8.5.21", 55131 "8.5.23", 55132 "8.5.24", 55133 "8.5.27", 55134 "8.5.28", 55135 "8.5.29", 55136 "8.5.3", 55137 "8.5.30", 55138 "8.5.31", 55139 "8.5.32", 55140 "8.5.33", 55141 "8.5.34", 55142 "8.5.35", 55143 "8.5.37", 55144 "8.5.38", 55145 "8.5.39", 55146 "8.5.4", 55147 "8.5.40", 55148 "8.5.41", 55149 "8.5.42", 55150 "8.5.43", 55151 "8.5.45", 55152 "8.5.46", 55153 "8.5.47", 55154 "8.5.49", 55155 "8.5.5", 55156 "8.5.50", 55157 "8.5.51", 55158 "8.5.53", 55159 "8.5.54", 55160 "8.5.55", 55161 "8.5.56", 55162 "8.5.57", 55163 "8.5.58", 55164 "8.5.59", 55165 "8.5.6", 55166 "8.5.60", 55167 "8.5.61", 55168 "8.5.63", 55169 "8.5.64", 55170 "8.5.65", 55171 "8.5.66", 55172 "8.5.68", 55173 "8.5.69", 55174 "8.5.70", 55175 "8.5.71", 55176 "8.5.72", 55177 "8.5.73", 55178 "8.5.75", 55179 "8.5.76", 55180 "8.5.77", 55181 "8.5.78", 55182 "8.5.79", 55183 "8.5.8", 55184 "8.5.81", 55185 "8.5.82", 55186 "8.5.83", 55187 "8.5.84", 55188 "8.5.85", 55189 "8.5.86", 55190 "8.5.87", 55191 
"8.5.88", 55192 "8.5.89", 55193 "8.5.9", 55194 "8.5.90", 55195 "8.5.91", 55196 "8.5.92", 55197 "8.5.93", 55198 "8.5.94", 55199 "8.5.95", 55200 "8.5.96", 55201 "8.5.97", 55202 "8.5.98" 55203 ] 55204 }, 55205 { 55206 "database_specific": { 55207 "last_known_affected_version_range": "\u003c= 8.5.98", 55208 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json" 55209 }, 55210 "package": { 55211 "ecosystem": "Maven", 55212 "name": "org.apache.tomcat.embed:tomcat-embed-core", 55213 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 55214 }, 55215 "ranges": [ 55216 { 55217 "events": [ 55218 { 55219 "introduced": "8.5.0" 55220 }, 55221 { 55222 "fixed": "8.5.99" 55223 } 55224 ], 55225 "type": "ECOSYSTEM" 55226 } 55227 ], 55228 "versions": [ 55229 "8.5.0", 55230 "8.5.11", 55231 "8.5.12", 55232 "8.5.13", 55233 "8.5.14", 55234 "8.5.15", 55235 "8.5.16", 55236 "8.5.19", 55237 "8.5.2", 55238 "8.5.20", 55239 "8.5.21", 55240 "8.5.23", 55241 "8.5.24", 55242 "8.5.27", 55243 "8.5.28", 55244 "8.5.29", 55245 "8.5.3", 55246 "8.5.30", 55247 "8.5.31", 55248 "8.5.32", 55249 "8.5.33", 55250 "8.5.34", 55251 "8.5.35", 55252 "8.5.37", 55253 "8.5.38", 55254 "8.5.39", 55255 "8.5.4", 55256 "8.5.40", 55257 "8.5.41", 55258 "8.5.42", 55259 "8.5.43", 55260 "8.5.45", 55261 "8.5.46", 55262 "8.5.47", 55263 "8.5.49", 55264 "8.5.5", 55265 "8.5.50", 55266 "8.5.51", 55267 "8.5.53", 55268 "8.5.54", 55269 "8.5.55", 55270 "8.5.56", 55271 "8.5.57", 55272 "8.5.58", 55273 "8.5.59", 55274 "8.5.6", 55275 "8.5.60", 55276 "8.5.61", 55277 "8.5.63", 55278 "8.5.64", 55279 "8.5.65", 55280 "8.5.66", 55281 "8.5.68", 55282 "8.5.69", 55283 "8.5.70", 55284 "8.5.71", 55285 "8.5.72", 55286 "8.5.73", 55287 "8.5.75", 55288 "8.5.76", 55289 "8.5.77", 55290 "8.5.78", 55291 "8.5.79", 55292 "8.5.8", 55293 "8.5.81", 55294 "8.5.82", 55295 "8.5.83", 55296 "8.5.84", 55297 "8.5.85", 55298 "8.5.86", 55299 "8.5.87", 55300 "8.5.88", 55301 
"8.5.89", 55302 "8.5.9", 55303 "8.5.90", 55304 "8.5.91", 55305 "8.5.92", 55306 "8.5.93", 55307 "8.5.94", 55308 "8.5.95", 55309 "8.5.96", 55310 "8.5.97", 55311 "8.5.98" 55312 ] 55313 }, 55314 { 55315 "database_specific": { 55316 "last_known_affected_version_range": "\u003c= 9.0.85", 55317 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json" 55318 }, 55319 "package": { 55320 "ecosystem": "Maven", 55321 "name": "org.apache.tomcat.embed:tomcat-embed-core", 55322 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 55323 }, 55324 "ranges": [ 55325 { 55326 "events": [ 55327 { 55328 "introduced": "9.0.0-M1" 55329 }, 55330 { 55331 "fixed": "9.0.86" 55332 } 55333 ], 55334 "type": "ECOSYSTEM" 55335 } 55336 ], 55337 "versions": [ 55338 "9.0.0.M1", 55339 "9.0.0.M10", 55340 "9.0.0.M11", 55341 "9.0.0.M13", 55342 "9.0.0.M15", 55343 "9.0.0.M17", 55344 "9.0.0.M18", 55345 "9.0.0.M19", 55346 "9.0.0.M20", 55347 "9.0.0.M21", 55348 "9.0.0.M22", 55349 "9.0.0.M25", 55350 "9.0.0.M26", 55351 "9.0.0.M27", 55352 "9.0.0.M3", 55353 "9.0.0.M4", 55354 "9.0.0.M6", 55355 "9.0.0.M8", 55356 "9.0.0.M9", 55357 "9.0.1", 55358 "9.0.10", 55359 "9.0.11", 55360 "9.0.12", 55361 "9.0.13", 55362 "9.0.14", 55363 "9.0.16", 55364 "9.0.17", 55365 "9.0.19", 55366 "9.0.2", 55367 "9.0.20", 55368 "9.0.21", 55369 "9.0.22", 55370 "9.0.24", 55371 "9.0.26", 55372 "9.0.27", 55373 "9.0.29", 55374 "9.0.30", 55375 "9.0.31", 55376 "9.0.33", 55377 "9.0.34", 55378 "9.0.35", 55379 "9.0.36", 55380 "9.0.37", 55381 "9.0.38", 55382 "9.0.39", 55383 "9.0.4", 55384 "9.0.40", 55385 "9.0.41", 55386 "9.0.43", 55387 "9.0.44", 55388 "9.0.45", 55389 "9.0.46", 55390 "9.0.48", 55391 "9.0.5", 55392 "9.0.50", 55393 "9.0.52", 55394 "9.0.53", 55395 "9.0.54", 55396 "9.0.55", 55397 "9.0.56", 55398 "9.0.58", 55399 "9.0.59", 55400 "9.0.6", 55401 "9.0.60", 55402 "9.0.62", 55403 "9.0.63", 55404 "9.0.64", 55405 "9.0.65", 55406 "9.0.67", 55407 "9.0.68", 
55408 "9.0.69", 55409 "9.0.7", 55410 "9.0.70", 55411 "9.0.71", 55412 "9.0.72", 55413 "9.0.73", 55414 "9.0.74", 55415 "9.0.75", 55416 "9.0.76", 55417 "9.0.78", 55418 "9.0.79", 55419 "9.0.8", 55420 "9.0.80", 55421 "9.0.81", 55422 "9.0.82", 55423 "9.0.83", 55424 "9.0.84", 55425 "9.0.85" 55426 ] 55427 }, 55428 { 55429 "database_specific": { 55430 "last_known_affected_version_range": "\u003c= 10.1.18", 55431 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json" 55432 }, 55433 "package": { 55434 "ecosystem": "Maven", 55435 "name": "org.apache.tomcat.embed:tomcat-embed-core", 55436 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 55437 }, 55438 "ranges": [ 55439 { 55440 "events": [ 55441 { 55442 "introduced": "10.1.0-M1" 55443 }, 55444 { 55445 "fixed": "10.1.19" 55446 } 55447 ], 55448 "type": "ECOSYSTEM" 55449 } 55450 ], 55451 "versions": [ 55452 "10.1.0", 55453 "10.1.0-M1", 55454 "10.1.0-M10", 55455 "10.1.0-M11", 55456 "10.1.0-M12", 55457 "10.1.0-M14", 55458 "10.1.0-M15", 55459 "10.1.0-M16", 55460 "10.1.0-M17", 55461 "10.1.0-M2", 55462 "10.1.0-M4", 55463 "10.1.0-M5", 55464 "10.1.0-M6", 55465 "10.1.0-M7", 55466 "10.1.0-M8", 55467 "10.1.1", 55468 "10.1.10", 55469 "10.1.11", 55470 "10.1.12", 55471 "10.1.13", 55472 "10.1.14", 55473 "10.1.15", 55474 "10.1.16", 55475 "10.1.17", 55476 "10.1.18", 55477 "10.1.2", 55478 "10.1.4", 55479 "10.1.5", 55480 "10.1.6", 55481 "10.1.7", 55482 "10.1.8", 55483 "10.1.9" 55484 ] 55485 }, 55486 { 55487 "database_specific": { 55488 "last_known_affected_version_range": "\u003c= 11.0.0-M16", 55489 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json" 55490 }, 55491 "package": { 55492 "ecosystem": "Maven", 55493 "name": "org.apache.tomcat.embed:tomcat-embed-core", 55494 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 55495 }, 55496 "ranges": 
[ 55497 { 55498 "events": [ 55499 { 55500 "introduced": "11.0.0-M1" 55501 }, 55502 { 55503 "fixed": "11.0.0-M17" 55504 } 55505 ], 55506 "type": "ECOSYSTEM" 55507 } 55508 ], 55509 "versions": [ 55510 "11.0.0-M1", 55511 "11.0.0-M10", 55512 "11.0.0-M11", 55513 "11.0.0-M12", 55514 "11.0.0-M13", 55515 "11.0.0-M14", 55516 "11.0.0-M15", 55517 "11.0.0-M16", 55518 "11.0.0-M3", 55519 "11.0.0-M4", 55520 "11.0.0-M5", 55521 "11.0.0-M6", 55522 "11.0.0-M7", 55523 "11.0.0-M9" 55524 ] 55525 } 55526 ], 55527 "aliases": [ 55528 "BIT-tomcat-2024-24549", 55529 "CVE-2024-24549" 55530 ], 55531 "database_specific": { 55532 "cwe_ids": [ 55533 "CWE-20" 55534 ], 55535 "github_reviewed": true, 55536 "github_reviewed_at": "2024-03-15T16:27:53Z", 55537 "nvd_published_at": "2024-03-13T16:15:29Z", 55538 "severity": "MODERATE" 55539 }, 55540 "details": "Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\n\n", 55541 "id": "GHSA-7w75-32cg-r6g2", 55542 "modified": "2024-06-25T02:30:05.155818Z", 55543 "published": "2024-03-13T18:31:34Z", 55544 "references": [ 55545 { 55546 "type": "ADVISORY", 55547 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24549" 55548 }, 55549 { 55550 "type": "WEB", 55551 "url": "https://github.com/apache/tomcat/commit/0cac540a882220231ba7a82330483cbd5f6b1f96" 55552 }, 55553 { 55554 "type": "WEB", 55555 "url": "https://github.com/apache/tomcat/commit/810f49d5ff6d64b704af85d5b8d0aab9ec3c83f5" 55556 }, 55557 { 55558 "type": "WEB", 55559 "url": 
"https://github.com/apache/tomcat/commit/8e03be9f2698f2da9027d40b9e9c0c9429b74dc0" 55560 }, 55561 { 55562 "type": "WEB", 55563 "url": "https://github.com/apache/tomcat/commit/d07c82194edb69d99b438828fe2cbfadbb207843" 55564 }, 55565 { 55566 "type": "PACKAGE", 55567 "url": "https://github.com/apache/tomcat" 55568 }, 55569 { 55570 "type": "WEB", 55571 "url": "https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg" 55572 }, 55573 { 55574 "type": "WEB", 55575 "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html" 55576 }, 55577 { 55578 "type": "WEB", 55579 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B" 55580 }, 55581 { 55582 "type": "WEB", 55583 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55" 55584 }, 55585 { 55586 "type": "WEB", 55587 "url": "https://security.netapp.com/advisory/ntap-20240402-0002" 55588 }, 55589 { 55590 "type": "WEB", 55591 "url": "http://www.openwall.com/lists/oss-security/2024/03/13/3" 55592 } 55593 ], 55594 "related": [ 55595 "CGA-g2x6-g84w-c6fq", 55596 "CGA-g7h3-55hg-6wrj", 55597 "CGA-mr75-947f-r7wp" 55598 ], 55599 "schema_version": "1.6.0", 55600 "summary": "Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests" 55601 }, 55602 { 55603 "affected": [ 55604 { 55605 "database_specific": { 55606 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-8vmx-qmch-mpqg/GHSA-8vmx-qmch-mpqg.json" 55607 }, 55608 "package": { 55609 "ecosystem": "Maven", 55610 "name": "org.apache.tomcat.embed:tomcat-embed-core", 55611 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 55612 }, 55613 "ranges": [ 55614 { 55615 "events": [ 55616 { 55617 "introduced": "9.0.0.M1" 55618 }, 55619 { 55620 "fixed": "9.0.17" 55621 } 55622 ], 55623 "type": "ECOSYSTEM" 55624 } 
55625 ], 55626 "versions": [ 55627 "9.0.0.M1", 55628 "9.0.0.M10", 55629 "9.0.0.M11", 55630 "9.0.0.M13", 55631 "9.0.0.M15", 55632 "9.0.0.M17", 55633 "9.0.0.M18", 55634 "9.0.0.M19", 55635 "9.0.0.M20", 55636 "9.0.0.M21", 55637 "9.0.0.M22", 55638 "9.0.0.M25", 55639 "9.0.0.M26", 55640 "9.0.0.M27", 55641 "9.0.0.M3", 55642 "9.0.0.M4", 55643 "9.0.0.M6", 55644 "9.0.0.M8", 55645 "9.0.0.M9", 55646 "9.0.1", 55647 "9.0.10", 55648 "9.0.11", 55649 "9.0.12", 55650 "9.0.13", 55651 "9.0.14", 55652 "9.0.16", 55653 "9.0.2", 55654 "9.0.4", 55655 "9.0.5", 55656 "9.0.6", 55657 "9.0.7", 55658 "9.0.8" 55659 ] 55660 }, 55661 { 55662 "database_specific": { 55663 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-8vmx-qmch-mpqg/GHSA-8vmx-qmch-mpqg.json" 55664 }, 55665 "package": { 55666 "ecosystem": "Maven", 55667 "name": "org.apache.tomcat.embed:tomcat-embed-core", 55668 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 55669 }, 55670 "ranges": [ 55671 { 55672 "events": [ 55673 { 55674 "introduced": "8.0.0" 55675 }, 55676 { 55677 "fixed": "8.5.40" 55678 } 55679 ], 55680 "type": "ECOSYSTEM" 55681 } 55682 ], 55683 "versions": [ 55684 "8.0.1", 55685 "8.0.11", 55686 "8.0.12", 55687 "8.0.14", 55688 "8.0.15", 55689 "8.0.17", 55690 "8.0.18", 55691 "8.0.20", 55692 "8.0.21", 55693 "8.0.22", 55694 "8.0.23", 55695 "8.0.24", 55696 "8.0.26", 55697 "8.0.27", 55698 "8.0.28", 55699 "8.0.29", 55700 "8.0.3", 55701 "8.0.30", 55702 "8.0.32", 55703 "8.0.33", 55704 "8.0.35", 55705 "8.0.36", 55706 "8.0.37", 55707 "8.0.38", 55708 "8.0.39", 55709 "8.0.41", 55710 "8.0.42", 55711 "8.0.43", 55712 "8.0.44", 55713 "8.0.45", 55714 "8.0.46", 55715 "8.0.47", 55716 "8.0.48", 55717 "8.0.49", 55718 "8.0.5", 55719 "8.0.50", 55720 "8.0.51", 55721 "8.0.52", 55722 "8.0.53", 55723 "8.0.8", 55724 "8.0.9", 55725 "8.5.0", 55726 "8.5.11", 55727 "8.5.12", 55728 "8.5.13", 55729 "8.5.14", 55730 "8.5.15", 55731 "8.5.16", 55732 "8.5.19", 55733 "8.5.2", 55734 "8.5.20", 55735 
"8.5.21", 55736 "8.5.23", 55737 "8.5.24", 55738 "8.5.27", 55739 "8.5.28", 55740 "8.5.29", 55741 "8.5.3", 55742 "8.5.30", 55743 "8.5.31", 55744 "8.5.32", 55745 "8.5.33", 55746 "8.5.34", 55747 "8.5.35", 55748 "8.5.37", 55749 "8.5.38", 55750 "8.5.39", 55751 "8.5.4", 55752 "8.5.5", 55753 "8.5.6", 55754 "8.5.8", 55755 "8.5.9" 55756 ] 55757 }, 55758 { 55759 "database_specific": { 55760 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-8vmx-qmch-mpqg/GHSA-8vmx-qmch-mpqg.json" 55761 }, 55762 "package": { 55763 "ecosystem": "Maven", 55764 "name": "org.apache.tomcat.embed:tomcat-embed-core", 55765 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 55766 }, 55767 "ranges": [ 55768 { 55769 "events": [ 55770 { 55771 "introduced": "7.0.0" 55772 }, 55773 { 55774 "fixed": "7.0.94" 55775 } 55776 ], 55777 "type": "ECOSYSTEM" 55778 } 55779 ], 55780 "versions": [ 55781 "7.0.0", 55782 "7.0.11", 55783 "7.0.12", 55784 "7.0.14", 55785 "7.0.16", 55786 "7.0.19", 55787 "7.0.2", 55788 "7.0.20", 55789 "7.0.21", 55790 "7.0.22", 55791 "7.0.23", 55792 "7.0.25", 55793 "7.0.26", 55794 "7.0.27", 55795 "7.0.28", 55796 "7.0.29", 55797 "7.0.30", 55798 "7.0.32", 55799 "7.0.33", 55800 "7.0.34", 55801 "7.0.35", 55802 "7.0.37", 55803 "7.0.39", 55804 "7.0.4", 55805 "7.0.40", 55806 "7.0.41", 55807 "7.0.42", 55808 "7.0.47", 55809 "7.0.5", 55810 "7.0.50", 55811 "7.0.52", 55812 "7.0.53", 55813 "7.0.54", 55814 "7.0.55", 55815 "7.0.56", 55816 "7.0.57", 55817 "7.0.59", 55818 "7.0.6", 55819 "7.0.61", 55820 "7.0.62", 55821 "7.0.63", 55822 "7.0.64", 55823 "7.0.65", 55824 "7.0.67", 55825 "7.0.68", 55826 "7.0.69", 55827 "7.0.70", 55828 "7.0.72", 55829 "7.0.73", 55830 "7.0.75", 55831 "7.0.76", 55832 "7.0.77", 55833 "7.0.78", 55834 "7.0.79", 55835 "7.0.8", 55836 "7.0.81", 55837 "7.0.82", 55838 "7.0.84", 55839 "7.0.85", 55840 "7.0.86", 55841 "7.0.88", 55842 "7.0.90", 55843 "7.0.91", 55844 "7.0.92", 55845 "7.0.93" 55846 ] 55847 } 55848 ], 55849 "aliases": [ 
55850 "CVE-2019-0232" 55851 ], 55852 "database_specific": { 55853 "cwe_ids": [ 55854 "CWE-78" 55855 ], 55856 "github_reviewed": true, 55857 "github_reviewed_at": "2020-06-16T21:26:43Z", 55858 "nvd_published_at": "2019-04-15T15:29:00Z", 55859 "severity": "HIGH" 55860 }, 55861 "details": "When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).", 55862 "id": "GHSA-8vmx-qmch-mpqg", 55863 "modified": "2024-03-16T05:19:17.739703Z", 55864 "published": "2019-04-18T14:27:35Z", 55865 "references": [ 55866 { 55867 "type": "ADVISORY", 55868 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0232" 55869 }, 55870 { 55871 "type": "WEB", 55872 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" 55873 }, 55874 { 55875 "type": "WEB", 55876 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" 55877 }, 55878 { 55879 "type": "WEB", 55880 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" 55881 }, 55882 { 55883 "type": "WEB", 55884 "url": 
"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" 55885 }, 55886 { 55887 "type": "WEB", 55888 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" 55889 }, 55890 { 55891 "type": "WEB", 55892 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" 55893 }, 55894 { 55895 "type": "WEB", 55896 "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E" 55897 }, 55898 { 55899 "type": "WEB", 55900 "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E" 55901 }, 55902 { 55903 "type": "WEB", 55904 "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" 55905 }, 55906 { 55907 "type": "WEB", 55908 "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" 55909 }, 55910 { 55911 "type": "WEB", 55912 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" 55913 }, 55914 { 55915 "type": "WEB", 55916 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" 55917 }, 55918 { 55919 "type": "WEB", 55920 "url": "https://security.netapp.com/advisory/ntap-20190419-0001" 55921 }, 55922 { 55923 "type": "WEB", 55924 "url": "https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way" 55925 }, 55926 { 55927 "type": "WEB", 55928 "url": 
"https://web.archive.org/web/20200227030103/http://www.securityfocus.com/bid/107906" 55929 }, 55930 { 55931 "type": "WEB", 55932 "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-784" 55933 }, 55934 { 55935 "type": "WEB", 55936 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 55937 }, 55938 { 55939 "type": "WEB", 55940 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 55941 }, 55942 { 55943 "type": "WEB", 55944 "url": "https://www.oracle.com/security-alerts/cpujan2020.html" 55945 }, 55946 { 55947 "type": "WEB", 55948 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 55949 }, 55950 { 55951 "type": "WEB", 55952 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 55953 }, 55954 { 55955 "type": "WEB", 55956 "url": "https://www.synology.com/security/advisory/Synology_SA_19_17" 55957 }, 55958 { 55959 "type": "WEB", 55960 "url": "https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232" 55961 }, 55962 { 55963 "type": "WEB", 55964 "url": "https://access.redhat.com/errata/RHSA-2019:1712" 55965 }, 55966 { 55967 "type": "WEB", 55968 "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat" 55969 }, 55970 { 55971 "type": "WEB", 55972 "url": "https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html" 55973 }, 55974 { 55975 "type": "PACKAGE", 55976 "url": "https://github.com/apache/tomcat" 55977 }, 55978 { 55979 "type": "WEB", 55980 "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E" 55981 }, 55982 { 55983 "type": "WEB", 55984 "url": 
"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" 55985 }, 55986 { 55987 "type": "WEB", 55988 "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E" 55989 }, 55990 { 55991 "type": "WEB", 55992 "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" 55993 }, 55994 { 55995 "type": "WEB", 55996 "url": "https://lists.apache.org/thread.html/52ffb9fbf661245386a83a661183d13f1de2e5779fa23837a08e02ac%40%3Ccommits.ofbiz.apache.org%3E" 55997 }, 55998 { 55999 "type": "WEB", 56000 "url": "https://lists.apache.org/thread.html/52ffb9fbf661245386a83a661183d13f1de2e5779fa23837a08e02ac@%3Ccommits.ofbiz.apache.org%3E" 56001 }, 56002 { 56003 "type": "WEB", 56004 "url": "https://lists.apache.org/thread.html/5f297a4b9080b5f65a05bc139596d0e437d6a539b25e31d29d028767%40%3Cannounce.tomcat.apache.org%3E" 56005 }, 56006 { 56007 "type": "WEB", 56008 "url": "https://lists.apache.org/thread.html/5f297a4b9080b5f65a05bc139596d0e437d6a539b25e31d29d028767@%3Cannounce.tomcat.apache.org%3E" 56009 }, 56010 { 56011 "type": "WEB", 56012 "url": "https://lists.apache.org/thread.html/673b6148d92cd7bc99ea2dcf85ad75d57da44fc322d51f37fb529a2a%40%3Ccommits.ofbiz.apache.org%3E" 56013 }, 56014 { 56015 "type": "WEB", 56016 "url": "https://lists.apache.org/thread.html/673b6148d92cd7bc99ea2dcf85ad75d57da44fc322d51f37fb529a2a@%3Ccommits.ofbiz.apache.org%3E" 56017 }, 56018 { 56019 "type": "WEB", 56020 "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" 56021 }, 56022 { 56023 "type": "WEB", 56024 "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" 56025 }, 56026 { 56027 "type": "WEB", 56028 "url": 
"https://lists.apache.org/thread.html/96849486813a95dfd542e1618b7923ca945508aaf4a4341f674d83e3%40%3Cnotifications.ofbiz.apache.org%3E" 56029 }, 56030 { 56031 "type": "WEB", 56032 "url": "https://lists.apache.org/thread.html/96849486813a95dfd542e1618b7923ca945508aaf4a4341f674d83e3@%3Cnotifications.ofbiz.apache.org%3E" 56033 }, 56034 { 56035 "type": "WEB", 56036 "url": "https://lists.apache.org/thread.html/a6c87a09a71162fd563ab1c4e70a08a103e0b7c199fc391f1c9c4c35%40%3Ccommits.ofbiz.apache.org%3E" 56037 }, 56038 { 56039 "type": "WEB", 56040 "url": "https://lists.apache.org/thread.html/a6c87a09a71162fd563ab1c4e70a08a103e0b7c199fc391f1c9c4c35@%3Ccommits.ofbiz.apache.org%3E" 56041 }, 56042 { 56043 "type": "WEB", 56044 "url": "https://lists.apache.org/thread.html/dd4b325cdb261183dbf5ce913c102920a8f09c26dae666a98309165b%40%3Cnotifications.ofbiz.apache.org%3E" 56045 }, 56046 { 56047 "type": "WEB", 56048 "url": "https://lists.apache.org/thread.html/dd4b325cdb261183dbf5ce913c102920a8f09c26dae666a98309165b@%3Cnotifications.ofbiz.apache.org%3E" 56049 }, 56050 { 56051 "type": "WEB", 56052 "url": "https://lists.apache.org/thread.html/f4d48b32ef2b6aa49c8830241a9475da5b46e451f964b291c7a0a715%40%3Cdev.tomcat.apache.org%3E" 56053 }, 56054 { 56055 "type": "WEB", 56056 "url": "https://lists.apache.org/thread.html/f4d48b32ef2b6aa49c8830241a9475da5b46e451f964b291c7a0a715@%3Cdev.tomcat.apache.org%3E" 56057 }, 56058 { 56059 "type": "WEB", 56060 "url": "http://packetstormsecurity.com/files/153506/Apache-Tomcat-CGIServlet-enableCmdLineArguments-Remote-Code-Execution.html" 56061 }, 56062 { 56063 "type": "WEB", 56064 "url": "http://seclists.org/fulldisclosure/2019/May/4" 56065 } 56066 ], 56067 "schema_version": "1.6.0", 56068 "severity": [ 56069 { 56070 "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 56071 "type": "CVSS_V3" 56072 } 56073 ], 56074 "summary": "Apache Tomcat OS Command Injection vulnerability" 56075 }, 56076 { 56077 "affected": [ 56078 { 56079 "database_specific": { 56080 
"last_known_affected_version_range": "\u003c= 9.0.0.M18", 56081 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9hg2-395j-83rm/GHSA-9hg2-395j-83rm.json" 56082 }, 56083 "package": { 56084 "ecosystem": "Maven", 56085 "name": "org.apache.tomcat:tomcat-coyote", 56086 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 56087 }, 56088 "ranges": [ 56089 { 56090 "events": [ 56091 { 56092 "introduced": "9.0.0.M1" 56093 }, 56094 { 56095 "fixed": "9.0.0.M19" 56096 } 56097 ], 56098 "type": "ECOSYSTEM" 56099 } 56100 ], 56101 "versions": [ 56102 "9.0.0.M1", 56103 "9.0.0.M10", 56104 "9.0.0.M11", 56105 "9.0.0.M13", 56106 "9.0.0.M15", 56107 "9.0.0.M17", 56108 "9.0.0.M18", 56109 "9.0.0.M3", 56110 "9.0.0.M4", 56111 "9.0.0.M6", 56112 "9.0.0.M8", 56113 "9.0.0.M9" 56114 ] 56115 }, 56116 { 56117 "database_specific": { 56118 "last_known_affected_version_range": "\u003c= 8.5.12", 56119 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9hg2-395j-83rm/GHSA-9hg2-395j-83rm.json" 56120 }, 56121 "package": { 56122 "ecosystem": "Maven", 56123 "name": "org.apache.tomcat:tomcat-coyote", 56124 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 56125 }, 56126 "ranges": [ 56127 { 56128 "events": [ 56129 { 56130 "introduced": "8.5.0" 56131 }, 56132 { 56133 "fixed": "8.5.13" 56134 } 56135 ], 56136 "type": "ECOSYSTEM" 56137 } 56138 ], 56139 "versions": [ 56140 "8.5.0", 56141 "8.5.11", 56142 "8.5.12", 56143 "8.5.2", 56144 "8.5.3", 56145 "8.5.4", 56146 "8.5.5", 56147 "8.5.6", 56148 "8.5.8", 56149 "8.5.9" 56150 ] 56151 }, 56152 { 56153 "database_specific": { 56154 "last_known_affected_version_range": "\u003c= 9.0.0.M18", 56155 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9hg2-395j-83rm/GHSA-9hg2-395j-83rm.json" 56156 }, 56157 "package": { 56158 "ecosystem": "Maven", 56159 "name": "org.apache.tomcat.embed:tomcat-embed-core", 56160 "purl": 
"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 56161 }, 56162 "ranges": [ 56163 { 56164 "events": [ 56165 { 56166 "introduced": "9.0.0.M1" 56167 }, 56168 { 56169 "fixed": "9.0.0.M19" 56170 } 56171 ], 56172 "type": "ECOSYSTEM" 56173 } 56174 ], 56175 "versions": [ 56176 "9.0.0.M1", 56177 "9.0.0.M10", 56178 "9.0.0.M11", 56179 "9.0.0.M13", 56180 "9.0.0.M15", 56181 "9.0.0.M17", 56182 "9.0.0.M18", 56183 "9.0.0.M3", 56184 "9.0.0.M4", 56185 "9.0.0.M6", 56186 "9.0.0.M8", 56187 "9.0.0.M9" 56188 ] 56189 }, 56190 { 56191 "database_specific": { 56192 "last_known_affected_version_range": "\u003c= 8.5.12", 56193 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9hg2-395j-83rm/GHSA-9hg2-395j-83rm.json" 56194 }, 56195 "package": { 56196 "ecosystem": "Maven", 56197 "name": "org.apache.tomcat.embed:tomcat-embed-core", 56198 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 56199 }, 56200 "ranges": [ 56201 { 56202 "events": [ 56203 { 56204 "introduced": "8.5.0" 56205 }, 56206 { 56207 "fixed": "8.5.13" 56208 } 56209 ], 56210 "type": "ECOSYSTEM" 56211 } 56212 ], 56213 "versions": [ 56214 "8.5.0", 56215 "8.5.11", 56216 "8.5.12", 56217 "8.5.2", 56218 "8.5.3", 56219 "8.5.4", 56220 "8.5.5", 56221 "8.5.6", 56222 "8.5.8", 56223 "8.5.9" 56224 ] 56225 } 56226 ], 56227 "aliases": [ 56228 "CVE-2017-5651" 56229 ], 56230 "database_specific": { 56231 "cwe_ids": [ 56232 "CWE-440" 56233 ], 56234 "github_reviewed": true, 56235 "github_reviewed_at": "2022-07-01T13:44:41Z", 56236 "nvd_published_at": "2017-04-17T16:59:00Z", 56237 "severity": "CRITICAL" 56238 }, 56239 "details": "In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. 
This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.", 56240 "id": "GHSA-9hg2-395j-83rm", 56241 "modified": "2024-04-18T17:16:24.017955Z", 56242 "published": "2022-05-13T01:46:13Z", 56243 "references": [ 56244 { 56245 "type": "ADVISORY", 56246 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5651" 56247 }, 56248 { 56249 "type": "WEB", 56250 "url": "https://github.com/apache/tomcat/commit/494429ca210641b6b7affe89a2b0a6c0ff70109b" 56251 }, 56252 { 56253 "type": "WEB", 56254 "url": "https://github.com/apache/tomcat/commit/9233d9d6a018be4415d4d7d6cb4fe01176adf1a8" 56255 }, 56256 { 56257 "type": "WEB", 56258 "url": "https://web.archive.org/web/20170420113605/http://www.securitytracker.com/id/1038219" 56259 }, 56260 { 56261 "type": "WEB", 56262 "url": "https://web.archive.org/web/20170417124228/http://www.securityfocus.com/bid/97544" 56263 }, 56264 { 56265 "type": "WEB", 56266 "url": "https://security.netapp.com/advisory/ntap-20180614-0001" 56267 }, 56268 { 56269 "type": "WEB", 56270 "url": "https://security.gentoo.org/glsa/201705-09" 56271 }, 56272 { 56273 "type": "WEB", 56274 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" 56275 }, 56276 { 56277 "type": "WEB", 56278 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" 56279 }, 56280 { 56281 "type": "WEB", 56282 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" 56283 }, 56284 { 56285 "type": "WEB", 56286 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" 56287 }, 56288 { 56289 "type": "WEB", 56290 "url": 
"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" 56291 }, 56292 { 56293 "type": "WEB", 56294 "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E" 56295 }, 56296 { 56297 "type": "WEB", 56298 "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" 56299 }, 56300 { 56301 "type": "WEB", 56302 "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E" 56303 }, 56304 { 56305 "type": "WEB", 56306 "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" 56307 }, 56308 { 56309 "type": "WEB", 56310 "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" 56311 }, 56312 { 56313 "type": "WEB", 56314 "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" 56315 }, 56316 { 56317 "type": "WEB", 56318 "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" 56319 }, 56320 { 56321 "type": "WEB", 56322 "url": "https://lists.apache.org/thread.html/6694538826b87522fb723d2dcedd537e14ebe0a381d92e5525a531d8@%3Cannounce.tomcat.apache.org%3E" 56323 }, 56324 { 56325 "type": "WEB", 56326 "url": "https://lists.apache.org/thread.html/6694538826b87522fb723d2dcedd537e14ebe0a381d92e5525a531d8%40%3Cannounce.tomcat.apache.org%3E" 56327 }, 56328 { 56329 "type": "WEB", 56330 "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" 56331 }, 56332 { 56333 "type": "WEB", 56334 "url": 
"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E" 56335 }, 56336 { 56337 "type": "WEB", 56338 "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" 56339 }, 56340 { 56341 "type": "WEB", 56342 "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E" 56343 }, 56344 { 56345 "type": "WEB", 56346 "url": "https://github.com/search?q=repo%3Aapache%2Ftomcat+apache.coyote+path%3A%2F%5Eres%5C%2Fbnd%5C%2F%2F\u0026type=code" 56347 }, 56348 { 56349 "type": "PACKAGE", 56350 "url": "https://github.com/apache/tomcat" 56351 }, 56352 { 56353 "type": "WEB", 56354 "url": "https://bz.apache.org/bugzilla/show_bug.cgi?id=60918" 56355 }, 56356 { 56357 "type": "WEB", 56358 "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" 56359 } 56360 ], 56361 "schema_version": "1.6.0", 56362 "severity": [ 56363 { 56364 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 56365 "type": "CVSS_V3" 56366 } 56367 ], 56368 "summary": "Expected Behavior Violation in Apache Tomcat" 56369 }, 56370 { 56371 "affected": [ 56372 { 56373 "database_specific": { 56374 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-9xcj-c8cr-8c3c/GHSA-9xcj-c8cr-8c3c.json" 56375 }, 56376 "package": { 56377 "ecosystem": "Maven", 56378 "name": "org.apache.tomcat.embed:tomcat-embed-core", 56379 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 56380 }, 56381 "ranges": [ 56382 { 56383 "events": [ 56384 { 56385 "introduced": "0" 56386 }, 56387 { 56388 "fixed": "7.0.99" 56389 } 56390 ], 56391 "type": "ECOSYSTEM" 56392 } 56393 ], 56394 "versions": [ 56395 "7.0.0", 56396 "7.0.11", 56397 "7.0.12", 56398 "7.0.14", 56399 "7.0.16", 56400 "7.0.19", 56401 "7.0.2", 56402 "7.0.20", 56403 "7.0.21", 56404 "7.0.22", 56405 
"7.0.23", 56406 "7.0.25", 56407 "7.0.26", 56408 "7.0.27", 56409 "7.0.28", 56410 "7.0.29", 56411 "7.0.30", 56412 "7.0.32", 56413 "7.0.33", 56414 "7.0.34", 56415 "7.0.35", 56416 "7.0.37", 56417 "7.0.39", 56418 "7.0.4", 56419 "7.0.40", 56420 "7.0.41", 56421 "7.0.42", 56422 "7.0.47", 56423 "7.0.5", 56424 "7.0.50", 56425 "7.0.52", 56426 "7.0.53", 56427 "7.0.54", 56428 "7.0.55", 56429 "7.0.56", 56430 "7.0.57", 56431 "7.0.59", 56432 "7.0.6", 56433 "7.0.61", 56434 "7.0.62", 56435 "7.0.63", 56436 "7.0.64", 56437 "7.0.65", 56438 "7.0.67", 56439 "7.0.68", 56440 "7.0.69", 56441 "7.0.70", 56442 "7.0.72", 56443 "7.0.73", 56444 "7.0.75", 56445 "7.0.76", 56446 "7.0.77", 56447 "7.0.78", 56448 "7.0.79", 56449 "7.0.8", 56450 "7.0.81", 56451 "7.0.82", 56452 "7.0.84", 56453 "7.0.85", 56454 "7.0.86", 56455 "7.0.88", 56456 "7.0.90", 56457 "7.0.91", 56458 "7.0.92", 56459 "7.0.93", 56460 "7.0.94", 56461 "7.0.96" 56462 ] 56463 }, 56464 { 56465 "database_specific": { 56466 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-9xcj-c8cr-8c3c/GHSA-9xcj-c8cr-8c3c.json" 56467 }, 56468 "package": { 56469 "ecosystem": "Maven", 56470 "name": "org.apache.tomcat.embed:tomcat-embed-core", 56471 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 56472 }, 56473 "ranges": [ 56474 { 56475 "events": [ 56476 { 56477 "introduced": "8.0.0" 56478 }, 56479 { 56480 "fixed": "8.5.50" 56481 } 56482 ], 56483 "type": "ECOSYSTEM" 56484 } 56485 ], 56486 "versions": [ 56487 "8.0.1", 56488 "8.0.11", 56489 "8.0.12", 56490 "8.0.14", 56491 "8.0.15", 56492 "8.0.17", 56493 "8.0.18", 56494 "8.0.20", 56495 "8.0.21", 56496 "8.0.22", 56497 "8.0.23", 56498 "8.0.24", 56499 "8.0.26", 56500 "8.0.27", 56501 "8.0.28", 56502 "8.0.29", 56503 "8.0.3", 56504 "8.0.30", 56505 "8.0.32", 56506 "8.0.33", 56507 "8.0.35", 56508 "8.0.36", 56509 "8.0.37", 56510 "8.0.38", 56511 "8.0.39", 56512 "8.0.41", 56513 "8.0.42", 56514 "8.0.43", 56515 "8.0.44", 56516 "8.0.45", 56517 "8.0.46", 56518 
"8.0.47", 56519 "8.0.48", 56520 "8.0.49", 56521 "8.0.5", 56522 "8.0.50", 56523 "8.0.51", 56524 "8.0.52", 56525 "8.0.53", 56526 "8.0.8", 56527 "8.0.9", 56528 "8.5.0", 56529 "8.5.11", 56530 "8.5.12", 56531 "8.5.13", 56532 "8.5.14", 56533 "8.5.15", 56534 "8.5.16", 56535 "8.5.19", 56536 "8.5.2", 56537 "8.5.20", 56538 "8.5.21", 56539 "8.5.23", 56540 "8.5.24", 56541 "8.5.27", 56542 "8.5.28", 56543 "8.5.29", 56544 "8.5.3", 56545 "8.5.30", 56546 "8.5.31", 56547 "8.5.32", 56548 "8.5.33", 56549 "8.5.34", 56550 "8.5.35", 56551 "8.5.37", 56552 "8.5.38", 56553 "8.5.39", 56554 "8.5.4", 56555 "8.5.40", 56556 "8.5.41", 56557 "8.5.42", 56558 "8.5.43", 56559 "8.5.45", 56560 "8.5.46", 56561 "8.5.47", 56562 "8.5.49", 56563 "8.5.5", 56564 "8.5.6", 56565 "8.5.8", 56566 "8.5.9" 56567 ] 56568 }, 56569 { 56570 "database_specific": { 56571 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-9xcj-c8cr-8c3c/GHSA-9xcj-c8cr-8c3c.json" 56572 }, 56573 "package": { 56574 "ecosystem": "Maven", 56575 "name": "org.apache.tomcat.embed:tomcat-embed-core", 56576 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 56577 }, 56578 "ranges": [ 56579 { 56580 "events": [ 56581 { 56582 "introduced": "9.0.0" 56583 }, 56584 { 56585 "fixed": "9.0.30" 56586 } 56587 ], 56588 "type": "ECOSYSTEM" 56589 } 56590 ], 56591 "versions": [ 56592 "9.0.1", 56593 "9.0.10", 56594 "9.0.11", 56595 "9.0.12", 56596 "9.0.13", 56597 "9.0.14", 56598 "9.0.16", 56599 "9.0.17", 56600 "9.0.19", 56601 "9.0.2", 56602 "9.0.20", 56603 "9.0.21", 56604 "9.0.22", 56605 "9.0.24", 56606 "9.0.26", 56607 "9.0.27", 56608 "9.0.29", 56609 "9.0.4", 56610 "9.0.5", 56611 "9.0.6", 56612 "9.0.7", 56613 "9.0.8" 56614 ] 56615 } 56616 ], 56617 "aliases": [ 56618 "CVE-2019-17563" 56619 ], 56620 "database_specific": { 56621 "cwe_ids": [ 56622 "CWE-384" 56623 ], 56624 "github_reviewed": true, 56625 "github_reviewed_at": "2019-12-26T18:22:01Z", 56626 "nvd_published_at": "2019-12-23T17:15:00Z", 56627 
"severity": "HIGH" 56628 }, 56629 "details": "When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.", 56630 "id": "GHSA-9xcj-c8cr-8c3c", 56631 "modified": "2024-03-10T05:19:10.199468Z", 56632 "published": "2019-12-26T18:22:26Z", 56633 "references": [ 56634 { 56635 "type": "ADVISORY", 56636 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17563" 56637 }, 56638 { 56639 "type": "WEB", 56640 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 56641 }, 56642 { 56643 "type": "WEB", 56644 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 56645 }, 56646 { 56647 "type": "WEB", 56648 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 56649 }, 56650 { 56651 "type": "WEB", 56652 "url": "https://www.debian.org/security/2020/dsa-4680" 56653 }, 56654 { 56655 "type": "WEB", 56656 "url": "https://www.debian.org/security/2019/dsa-4596" 56657 }, 56658 { 56659 "type": "WEB", 56660 "url": "https://usn.ubuntu.com/4251-1" 56661 }, 56662 { 56663 "type": "WEB", 56664 "url": "https://security.netapp.com/advisory/ntap-20200107-0001" 56665 }, 56666 { 56667 "type": "WEB", 56668 "url": "https://security.gentoo.org/glsa/202003-43" 56669 }, 56670 { 56671 "type": "WEB", 56672 "url": "https://seclists.org/bugtraq/2019/Dec/43" 56673 }, 56674 { 56675 "type": "WEB", 56676 "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html" 56677 }, 56678 { 56679 "type": "WEB", 56680 "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html" 56681 }, 56682 { 56683 "type": "WEB", 56684 "url": "https://lists.apache.org/thread.html/reb9a66f176df29b9a832caa95ebd9ffa3284e8f4922ec4fa3ad8eb2e@%3Cissues.cxf.apache.org%3E" 56685 }, 56686 { 56687 "type": 
"WEB", 56688 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" 56689 }, 56690 { 56691 "type": "WEB", 56692 "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" 56693 }, 56694 { 56695 "type": "WEB", 56696 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" 56697 }, 56698 { 56699 "type": "WEB", 56700 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" 56701 }, 56702 { 56703 "type": "WEB", 56704 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" 56705 }, 56706 { 56707 "type": "WEB", 56708 "url": "https://lists.apache.org/thread.html/8b4c1db8300117b28a0f3f743c0b9e3f964687a690cdf9662a884bbd%40%3Cannounce.tomcat.apache.org%3E" 56709 }, 56710 { 56711 "type": "PACKAGE", 56712 "url": "https://github.com/apache/tomcat" 56713 }, 56714 { 56715 "type": "WEB", 56716 "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html" 56717 } 56718 ], 56719 "related": [ 56720 "CGA-76c4-v9xm-9m69" 56721 ], 56722 "schema_version": "1.6.0", 56723 "severity": [ 56724 { 56725 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", 56726 "type": "CVSS_V3" 56727 } 56728 ], 56729 "summary": "In Apache Tomcat, when using FORM authentication there was a narrow window where an attacker could perform a session fixation attack" 56730 }, 56731 { 56732 "affected": [ 56733 { 56734 "database_specific": { 56735 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-c9hw-wf7x-jp9j/GHSA-c9hw-wf7x-jp9j.json" 56736 }, 56737 "package": { 56738 "ecosystem": "Maven", 56739 "name": "org.apache.tomcat.embed:tomcat-embed-core", 56740 "purl": 
"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 56741 }, 56742 "ranges": [ 56743 { 56744 "events": [ 56745 { 56746 "introduced": "9.0.0" 56747 }, 56748 { 56749 "fixed": "9.0.31" 56750 } 56751 ], 56752 "type": "ECOSYSTEM" 56753 } 56754 ], 56755 "versions": [ 56756 "9.0.1", 56757 "9.0.10", 56758 "9.0.11", 56759 "9.0.12", 56760 "9.0.13", 56761 "9.0.14", 56762 "9.0.16", 56763 "9.0.17", 56764 "9.0.19", 56765 "9.0.2", 56766 "9.0.20", 56767 "9.0.21", 56768 "9.0.22", 56769 "9.0.24", 56770 "9.0.26", 56771 "9.0.27", 56772 "9.0.29", 56773 "9.0.30", 56774 "9.0.4", 56775 "9.0.5", 56776 "9.0.6", 56777 "9.0.7", 56778 "9.0.8" 56779 ] 56780 }, 56781 { 56782 "database_specific": { 56783 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-c9hw-wf7x-jp9j/GHSA-c9hw-wf7x-jp9j.json" 56784 }, 56785 "package": { 56786 "ecosystem": "Maven", 56787 "name": "org.apache.tomcat.embed:tomcat-embed-core", 56788 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 56789 }, 56790 "ranges": [ 56791 { 56792 "events": [ 56793 { 56794 "introduced": "8.0.0" 56795 }, 56796 { 56797 "fixed": "8.5.51" 56798 } 56799 ], 56800 "type": "ECOSYSTEM" 56801 } 56802 ], 56803 "versions": [ 56804 "8.0.1", 56805 "8.0.11", 56806 "8.0.12", 56807 "8.0.14", 56808 "8.0.15", 56809 "8.0.17", 56810 "8.0.18", 56811 "8.0.20", 56812 "8.0.21", 56813 "8.0.22", 56814 "8.0.23", 56815 "8.0.24", 56816 "8.0.26", 56817 "8.0.27", 56818 "8.0.28", 56819 "8.0.29", 56820 "8.0.3", 56821 "8.0.30", 56822 "8.0.32", 56823 "8.0.33", 56824 "8.0.35", 56825 "8.0.36", 56826 "8.0.37", 56827 "8.0.38", 56828 "8.0.39", 56829 "8.0.41", 56830 "8.0.42", 56831 "8.0.43", 56832 "8.0.44", 56833 "8.0.45", 56834 "8.0.46", 56835 "8.0.47", 56836 "8.0.48", 56837 "8.0.49", 56838 "8.0.5", 56839 "8.0.50", 56840 "8.0.51", 56841 "8.0.52", 56842 "8.0.53", 56843 "8.0.8", 56844 "8.0.9", 56845 "8.5.0", 56846 "8.5.11", 56847 "8.5.12", 56848 "8.5.13", 56849 "8.5.14", 56850 "8.5.15", 56851 "8.5.16", 56852 
"8.5.19", 56853 "8.5.2", 56854 "8.5.20", 56855 "8.5.21", 56856 "8.5.23", 56857 "8.5.24", 56858 "8.5.27", 56859 "8.5.28", 56860 "8.5.29", 56861 "8.5.3", 56862 "8.5.30", 56863 "8.5.31", 56864 "8.5.32", 56865 "8.5.33", 56866 "8.5.34", 56867 "8.5.35", 56868 "8.5.37", 56869 "8.5.38", 56870 "8.5.39", 56871 "8.5.4", 56872 "8.5.40", 56873 "8.5.41", 56874 "8.5.42", 56875 "8.5.43", 56876 "8.5.45", 56877 "8.5.46", 56878 "8.5.47", 56879 "8.5.49", 56880 "8.5.5", 56881 "8.5.50", 56882 "8.5.6", 56883 "8.5.8", 56884 "8.5.9" 56885 ] 56886 }, 56887 { 56888 "database_specific": { 56889 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-c9hw-wf7x-jp9j/GHSA-c9hw-wf7x-jp9j.json" 56890 }, 56891 "package": { 56892 "ecosystem": "Maven", 56893 "name": "org.apache.tomcat.embed:tomcat-embed-core", 56894 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 56895 }, 56896 "ranges": [ 56897 { 56898 "events": [ 56899 { 56900 "introduced": "7.0.0" 56901 }, 56902 { 56903 "fixed": "7.0.100" 56904 } 56905 ], 56906 "type": "ECOSYSTEM" 56907 } 56908 ], 56909 "versions": [ 56910 "7.0.0", 56911 "7.0.11", 56912 "7.0.12", 56913 "7.0.14", 56914 "7.0.16", 56915 "7.0.19", 56916 "7.0.2", 56917 "7.0.20", 56918 "7.0.21", 56919 "7.0.22", 56920 "7.0.23", 56921 "7.0.25", 56922 "7.0.26", 56923 "7.0.27", 56924 "7.0.28", 56925 "7.0.29", 56926 "7.0.30", 56927 "7.0.32", 56928 "7.0.33", 56929 "7.0.34", 56930 "7.0.35", 56931 "7.0.37", 56932 "7.0.39", 56933 "7.0.4", 56934 "7.0.40", 56935 "7.0.41", 56936 "7.0.42", 56937 "7.0.47", 56938 "7.0.5", 56939 "7.0.50", 56940 "7.0.52", 56941 "7.0.53", 56942 "7.0.54", 56943 "7.0.55", 56944 "7.0.56", 56945 "7.0.57", 56946 "7.0.59", 56947 "7.0.6", 56948 "7.0.61", 56949 "7.0.62", 56950 "7.0.63", 56951 "7.0.64", 56952 "7.0.65", 56953 "7.0.67", 56954 "7.0.68", 56955 "7.0.69", 56956 "7.0.70", 56957 "7.0.72", 56958 "7.0.73", 56959 "7.0.75", 56960 "7.0.76", 56961 "7.0.77", 56962 "7.0.78", 56963 "7.0.79", 56964 "7.0.8", 56965 
"7.0.81", 56966 "7.0.82", 56967 "7.0.84", 56968 "7.0.85", 56969 "7.0.86", 56970 "7.0.88", 56971 "7.0.90", 56972 "7.0.91", 56973 "7.0.92", 56974 "7.0.93", 56975 "7.0.94", 56976 "7.0.96", 56977 "7.0.99" 56978 ] 56979 } 56980 ], 56981 "aliases": [ 56982 "BIT-tomcat-2020-1938", 56983 "CVE-2020-1938" 56984 ], 56985 "database_specific": { 56986 "cwe_ids": [ 56987 "CWE-269" 56988 ], 56989 "github_reviewed": true, 56990 "github_reviewed_at": "2020-06-15T16:10:05Z", 56991 "nvd_published_at": "2020-02-24T22:15:00Z", 56992 "severity": "CRITICAL" 56993 }, 56994 "details": "When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: returning arbitrary files from anywhere in the web application, and processing any file in the web application as a JSP. Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. 
A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.", 56995 "id": "GHSA-c9hw-wf7x-jp9j", 56996 "modified": "2024-07-25T13:49:21.465219Z", 56997 "published": "2020-06-15T18:51:21Z", 56998 "references": [ 56999 { 57000 "type": "ADVISORY", 57001 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1938" 57002 }, 57003 { 57004 "type": "WEB", 57005 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 57006 }, 57007 { 57008 "type": "WEB", 57009 "url": "https://lists.apache.org/thread.html/re5eecbe5bf967439bafeeaa85987b3a43f0e6efe06b6976ee768cde2%40%3Cusers.tomcat.apache.org%3E" 57010 }, 57011 { 57012 "type": "WEB", 57013 "url": "https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b@%3Cusers.tomcat.apache.org%3E" 57014 }, 57015 { 57016 "type": "WEB", 57017 "url": "https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b%40%3Cusers.tomcat.apache.org%3E" 57018 }, 57019 { 57020 "type": "WEB", 57021 "url": "https://lists.apache.org/thread.html/rd0774c95699d5aeb5e16e9a600fb2ea296e81175e30a62094e27e3e7@%3Ccommits.ofbiz.apache.org%3E" 57022 }, 57023 { 57024 "type": "WEB", 57025 "url": "https://lists.apache.org/thread.html/rd0774c95699d5aeb5e16e9a600fb2ea296e81175e30a62094e27e3e7%40%3Ccommits.ofbiz.apache.org%3E" 57026 }, 57027 { 57028 "type": "WEB", 57029 "url": "https://lists.apache.org/thread.html/rce2af55f6e144ffcdc025f997eddceb315dfbc0b230e3d750a7f7425@%3Cnotifications.ofbiz.apache.org%3E" 57030 }, 57031 { 57032 "type": "WEB", 57033 "url": "https://lists.apache.org/thread.html/rce2af55f6e144ffcdc025f997eddceb315dfbc0b230e3d750a7f7425%40%3Cnotifications.ofbiz.apache.org%3E" 57034 }, 57035 { 57036 "type": "WEB", 57037 "url": 
"https://lists.apache.org/thread.html/rcd5cd301e9e7e39f939baf2f5d58704750be07a5e2d3393e40ca7194@%3Ccommits.tomee.apache.org%3E" 57038 }, 57039 { 57040 "type": "WEB", 57041 "url": "https://lists.apache.org/thread.html/rcd5cd301e9e7e39f939baf2f5d58704750be07a5e2d3393e40ca7194%40%3Ccommits.tomee.apache.org%3E" 57042 }, 57043 { 57044 "type": "WEB", 57045 "url": "https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2@%3Cdev.tomee.apache.org%3E" 57046 }, 57047 { 57048 "type": "WEB", 57049 "url": "https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2%40%3Cdev.tomee.apache.org%3E" 57050 }, 57051 { 57052 "type": "WEB", 57053 "url": "https://lists.apache.org/thread.html/rbdb1d2b651a3728f0ceba9e0853575b6f90296a94a71836a15f7364a@%3Cdev.tomee.apache.org%3E" 57054 }, 57055 { 57056 "type": "WEB", 57057 "url": "https://lists.apache.org/thread.html/rbdb1d2b651a3728f0ceba9e0853575b6f90296a94a71836a15f7364a%40%3Cdev.tomee.apache.org%3E" 57058 }, 57059 { 57060 "type": "WEB", 57061 "url": "https://lists.apache.org/thread.html/rb2fc890bef23cbc7f343900005fe1edd3b091cf18dada455580258f9@%3Cusers.tomcat.apache.org%3E" 57062 }, 57063 { 57064 "type": "WEB", 57065 "url": "https://lists.apache.org/thread.html/rb2fc890bef23cbc7f343900005fe1edd3b091cf18dada455580258f9%40%3Cusers.tomcat.apache.org%3E" 57066 }, 57067 { 57068 "type": "WEB", 57069 "url": "https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed@%3Cdev.tomcat.apache.org%3E" 57070 }, 57071 { 57072 "type": "WEB", 57073 "url": "https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed%40%3Cdev.tomcat.apache.org%3E" 57074 }, 57075 { 57076 "type": "WEB", 57077 "url": "https://lists.apache.org/thread.html/rad36ec6a1ffc9e43266b030c22ceeea569243555d34fb4187ff08522@%3Cnotifications.ofbiz.apache.org%3E" 57078 }, 57079 { 57080 "type": "WEB", 57081 "url": 
"https://lists.apache.org/thread.html/rad36ec6a1ffc9e43266b030c22ceeea569243555d34fb4187ff08522%40%3Cnotifications.ofbiz.apache.org%3E" 57082 }, 57083 { 57084 "type": "WEB", 57085 "url": "https://lists.apache.org/thread.html/ra7092f7492569b39b04ec0decf52628ba86c51f15efb38f5853e2760@%3Cnotifications.ofbiz.apache.org%3E" 57086 }, 57087 { 57088 "type": "WEB", 57089 "url": "https://lists.apache.org/thread.html/r5e2f1201b92ee05a0527cfc076a81ea0c270be299b87895c0ddbe02b@%3Cusers.tomcat.apache.org%3E" 57090 }, 57091 { 57092 "type": "WEB", 57093 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 57094 }, 57095 { 57096 "type": "WEB", 57097 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 57098 }, 57099 { 57100 "type": "WEB", 57101 "url": "https://www.debian.org/security/2020/dsa-4680" 57102 }, 57103 { 57104 "type": "WEB", 57105 "url": "https://www.debian.org/security/2020/dsa-4673" 57106 }, 57107 { 57108 "type": "WEB", 57109 "url": "https://security.netapp.com/advisory/ntap-20200226-0002" 57110 }, 57111 { 57112 "type": "WEB", 57113 "url": "https://security.gentoo.org/glsa/202003-43" 57114 }, 57115 { 57116 "type": "WEB", 57117 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L46WJIV6UV3FWA5O5YEY6XLA73RYD53B" 57118 }, 57119 { 57120 "type": "WEB", 57121 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K3IPNHCKFVUKSHDTM45UL4Q765EHHTFG" 57122 }, 57123 { 57124 "type": "WEB", 57125 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2XFLQB3O5QVP4ZBIPVIXBEZV7F2R7ZMS" 57126 }, 57127 { 57128 "type": "WEB", 57129 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L46WJIV6UV3FWA5O5YEY6XLA73RYD53B" 57130 }, 57131 { 57132 "type": "WEB", 57133 "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3IPNHCKFVUKSHDTM45UL4Q765EHHTFG" 57134 }, 57135 { 57136 "type": "WEB", 57137 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2XFLQB3O5QVP4ZBIPVIXBEZV7F2R7ZMS" 57138 }, 57139 { 57140 "type": "WEB", 57141 "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html" 57142 }, 57143 { 57144 "type": "WEB", 57145 "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html" 57146 }, 57147 { 57148 "type": "WEB", 57149 "url": "https://lists.apache.org/thread.html/rf992c5adf376294af31378a70aa8a158388a41d7039668821be28df3@%3Ccommits.tomee.apache.org%3E" 57150 }, 57151 { 57152 "type": "WEB", 57153 "url": "https://lists.apache.org/thread.html/rf992c5adf376294af31378a70aa8a158388a41d7039668821be28df3%40%3Ccommits.tomee.apache.org%3E" 57154 }, 57155 { 57156 "type": "WEB", 57157 "url": "https://lists.apache.org/thread.html/rf26663f42e7f1a1d1cac732469fb5e92c89908a48b61ec546dbb79ca@%3Cbugs.httpd.apache.org%3E" 57158 }, 57159 { 57160 "type": "WEB", 57161 "url": "https://lists.apache.org/thread.html/rf26663f42e7f1a1d1cac732469fb5e92c89908a48b61ec546dbb79ca%40%3Cbugs.httpd.apache.org%3E" 57162 }, 57163 { 57164 "type": "WEB", 57165 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 57166 }, 57167 { 57168 "type": "WEB", 57169 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E" 57170 }, 57171 { 57172 "type": "WEB", 57173 "url": "https://lists.apache.org/thread.html/re5eecbe5bf967439bafeeaa85987b3a43f0e6efe06b6976ee768cde2@%3Cusers.tomcat.apache.org%3E" 57174 }, 57175 { 57176 "type": "WEB", 57177 "url": "https://lists.apache.org/thread.html/r5e2f1201b92ee05a0527cfc076a81ea0c270be299b87895c0ddbe02b%40%3Cusers.tomcat.apache.org%3E" 57178 }, 57179 
{ 57180 "type": "WEB", 57181 "url": "https://lists.apache.org/thread.html/r57f5e4ced436ace518a9e222fabe27fb785f09f5bf974814cc48ca97@%3Ccommits.tomee.apache.org%3E" 57182 }, 57183 { 57184 "type": "WEB", 57185 "url": "https://lists.apache.org/thread.html/r57f5e4ced436ace518a9e222fabe27fb785f09f5bf974814cc48ca97%40%3Ccommits.tomee.apache.org%3E" 57186 }, 57187 { 57188 "type": "WEB", 57189 "url": "https://lists.apache.org/thread.html/r549b43509e387a42656f0641fa311bf27c127c244fe02007d5b8d6f6@%3Cdev.tomcat.apache.org%3E" 57190 }, 57191 { 57192 "type": "WEB", 57193 "url": "https://lists.apache.org/thread.html/r549b43509e387a42656f0641fa311bf27c127c244fe02007d5b8d6f6%40%3Cdev.tomcat.apache.org%3E" 57194 }, 57195 { 57196 "type": "WEB", 57197 "url": "https://lists.apache.org/thread.html/r4f86cb260196e5cfcbbe782822c225ddcc70f54560f14a8f11c6926f@%3Cusers.tomcat.apache.org%3E" 57198 }, 57199 { 57200 "type": "WEB", 57201 "url": "https://lists.apache.org/thread.html/r4f86cb260196e5cfcbbe782822c225ddcc70f54560f14a8f11c6926f%40%3Cusers.tomcat.apache.org%3E" 57202 }, 57203 { 57204 "type": "WEB", 57205 "url": "https://lists.apache.org/thread.html/r4afa11e0464408e68f0e9560e90b185749363a66398b1491254f7864@%3Cusers.tomcat.apache.org%3E" 57206 }, 57207 { 57208 "type": "WEB", 57209 "url": "https://lists.apache.org/thread.html/r4afa11e0464408e68f0e9560e90b185749363a66398b1491254f7864%40%3Cusers.tomcat.apache.org%3E" 57210 }, 57211 { 57212 "type": "WEB", 57213 "url": "https://lists.apache.org/thread.html/r47caef01f663106c2bb81d116b8380d62beac9e543dd3f3bc2c2beda@%3Ccommits.tomee.apache.org%3E" 57214 }, 57215 { 57216 "type": "WEB", 57217 "url": "https://lists.apache.org/thread.html/r47caef01f663106c2bb81d116b8380d62beac9e543dd3f3bc2c2beda%40%3Ccommits.tomee.apache.org%3E" 57218 }, 57219 { 57220 "type": "WEB", 57221 "url": "https://lists.apache.org/thread.html/r43faacf64570b1d9a4bada407a5af3b2738b0c007b905f1b6b608c65@%3Cusers.tomcat.apache.org%3E" 57222 }, 57223 { 57224 "type": "WEB", 57225 
"url": "https://lists.apache.org/thread.html/r43faacf64570b1d9a4bada407a5af3b2738b0c007b905f1b6b608c65%40%3Cusers.tomcat.apache.org%3E" 57226 }, 57227 { 57228 "type": "WEB", 57229 "url": "https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1@%3Cusers.tomcat.apache.org%3E" 57230 }, 57231 { 57232 "type": "WEB", 57233 "url": "https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1%40%3Cusers.tomcat.apache.org%3E" 57234 }, 57235 { 57236 "type": "WEB", 57237 "url": "https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e@%3Cusers.tomcat.apache.org%3E" 57238 }, 57239 { 57240 "type": "WEB", 57241 "url": "https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e%40%3Cusers.tomcat.apache.org%3E" 57242 }, 57243 { 57244 "type": "WEB", 57245 "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E" 57246 }, 57247 { 57248 "type": "WEB", 57249 "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E" 57250 }, 57251 { 57252 "type": "WEB", 57253 "url": "https://lists.apache.org/thread.html/r089dc67c0358a1556dd279c762c74f32d7a254a54836b7ee2d839d8e@%3Cdev.tomee.apache.org%3E" 57254 }, 57255 { 57256 "type": "WEB", 57257 "url": "https://lists.apache.org/thread.html/r089dc67c0358a1556dd279c762c74f32d7a254a54836b7ee2d839d8e%40%3Cdev.tomee.apache.org%3E" 57258 }, 57259 { 57260 "type": "WEB", 57261 "url": "https://lists.apache.org/thread.html/ra7092f7492569b39b04ec0decf52628ba86c51f15efb38f5853e2760%40%3Cnotifications.ofbiz.apache.org%3E" 57262 }, 57263 { 57264 "type": "WEB", 57265 "url": "https://lists.apache.org/thread.html/r9f119d9ce9239114022e13dbfe385b3de7c972f24f05d6dbd35c1a2f@%3Cusers.tomcat.apache.org%3E" 57266 }, 57267 { 57268 "type": "WEB", 57269 "url": 
"https://lists.apache.org/thread.html/r9f119d9ce9239114022e13dbfe385b3de7c972f24f05d6dbd35c1a2f%40%3Cusers.tomcat.apache.org%3E" 57270 }, 57271 { 57272 "type": "WEB", 57273 "url": "https://lists.apache.org/thread.html/r92d78655c068d0bc991d1edbdfb24f9c5134603e647cade1113d4e0a@%3Cusers.tomee.apache.org%3E" 57274 }, 57275 { 57276 "type": "WEB", 57277 "url": "https://lists.apache.org/thread.html/r92d78655c068d0bc991d1edbdfb24f9c5134603e647cade1113d4e0a%40%3Cusers.tomee.apache.org%3E" 57278 }, 57279 { 57280 "type": "WEB", 57281 "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E" 57282 }, 57283 { 57284 "type": "WEB", 57285 "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E" 57286 }, 57287 { 57288 "type": "WEB", 57289 "url": "https://lists.apache.org/thread.html/r8f7484589454638af527182ae55ef5b628ba00c05c5b11887c922fb1@%3Cnotifications.ofbiz.apache.org%3E" 57290 }, 57291 { 57292 "type": "WEB", 57293 "url": "https://lists.apache.org/thread.html/r8f7484589454638af527182ae55ef5b628ba00c05c5b11887c922fb1%40%3Cnotifications.ofbiz.apache.org%3E" 57294 }, 57295 { 57296 "type": "WEB", 57297 "url": "https://lists.apache.org/thread.html/r856cdd87eda7af40b50278d6de80ee4b42d63adeb433a34a7bdaf9db@%3Cnotifications.ofbiz.apache.org%3E" 57298 }, 57299 { 57300 "type": "WEB", 57301 "url": "https://lists.apache.org/thread.html/r856cdd87eda7af40b50278d6de80ee4b42d63adeb433a34a7bdaf9db%40%3Cnotifications.ofbiz.apache.org%3E" 57302 }, 57303 { 57304 "type": "WEB", 57305 "url": "https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E" 57306 }, 57307 { 57308 "type": "WEB", 57309 "url": "https://lists.apache.org/thread.html/r772335e6851ad33ddb076218fa4ff70de1bf398d5b43e2ddf0130e5d@%3Cdev.tomcat.apache.org%3E" 57310 }, 57311 { 57312 "type": "WEB", 57313 "url": 
"https://lists.apache.org/thread.html/r772335e6851ad33ddb076218fa4ff70de1bf398d5b43e2ddf0130e5d%40%3Cdev.tomcat.apache.org%3E" 57314 }, 57315 { 57316 "type": "WEB", 57317 "url": "https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d@%3Cnotifications.ofbiz.apache.org%3E" 57318 }, 57319 { 57320 "type": "WEB", 57321 "url": "https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d%40%3Cnotifications.ofbiz.apache.org%3E" 57322 }, 57323 { 57324 "type": "WEB", 57325 "url": "https://lists.apache.org/thread.html/r74328b178f9f37fe759dffbc9c1f2793e66d79d7a8a20d3836551794@%3Cnotifications.ofbiz.apache.org%3E" 57326 }, 57327 { 57328 "type": "WEB", 57329 "url": "https://lists.apache.org/thread.html/r74328b178f9f37fe759dffbc9c1f2793e66d79d7a8a20d3836551794%40%3Cnotifications.ofbiz.apache.org%3E" 57330 }, 57331 { 57332 "type": "WEB", 57333 "url": "https://lists.apache.org/thread.html/r6a5633cad1b560a1e51f5b425f02918bdf30e090fdf18c5f7c2617eb@%3Ccommits.tomee.apache.org%3E" 57334 }, 57335 { 57336 "type": "WEB", 57337 "url": "https://lists.apache.org/thread.html/r6a5633cad1b560a1e51f5b425f02918bdf30e090fdf18c5f7c2617eb%40%3Ccommits.tomee.apache.org%3E" 57338 }, 57339 { 57340 "type": "WEB", 57341 "url": "https://lists.apache.org/thread.html/r61f280a76902b594692f0b24a1dbf647bb5a4c197b9395e9a6796e7c@%3Cusers.tomcat.apache.org%3E" 57342 }, 57343 { 57344 "type": "WEB", 57345 "url": "https://lists.apache.org/thread.html/r61f280a76902b594692f0b24a1dbf647bb5a4c197b9395e9a6796e7c%40%3Cusers.tomcat.apache.org%3E" 57346 }, 57347 { 57348 "type": "WEB", 57349 "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html" 57350 }, 57351 { 57352 "type": "WEB", 57353 "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html" 57354 }, 57355 { 57356 "type": "WEB", 57357 "url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000062739" 57358 } 57359 ], 57360 
"related": [ 57361 "CGA-w63f-vc82-fh9w" 57362 ], 57363 "schema_version": "1.6.0", 57364 "severity": [ 57365 { 57366 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 57367 "type": "CVSS_V3" 57368 } 57369 ], 57370 "summary": "Improper Privilege Management in Tomcat" 57371 }, 57372 { 57373 "affected": [ 57374 { 57375 "database_specific": { 57376 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-cx6h-86xw-9x34/GHSA-cx6h-86xw-9x34.json" 57377 }, 57378 "package": { 57379 "ecosystem": "Maven", 57380 "name": "org.apache.tomcat.embed:tomcat-embed-core", 57381 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 57382 }, 57383 "ranges": [ 57384 { 57385 "events": [ 57386 { 57387 "introduced": "11.0.0-M2" 57388 }, 57389 { 57390 "fixed": "11.0.0-M5" 57391 } 57392 ], 57393 "type": "ECOSYSTEM" 57394 } 57395 ], 57396 "versions": [ 57397 "11.0.0-M3", 57398 "11.0.0-M4" 57399 ] 57400 }, 57401 { 57402 "database_specific": { 57403 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-cx6h-86xw-9x34/GHSA-cx6h-86xw-9x34.json" 57404 }, 57405 "package": { 57406 "ecosystem": "Maven", 57407 "name": "org.apache.tomcat.embed:tomcat-embed-core", 57408 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 57409 }, 57410 "ranges": [ 57411 { 57412 "events": [ 57413 { 57414 "introduced": "10.1.5" 57415 }, 57416 { 57417 "fixed": "10.1.8" 57418 } 57419 ], 57420 "type": "ECOSYSTEM" 57421 } 57422 ], 57423 "versions": [ 57424 "10.1.5", 57425 "10.1.6", 57426 "10.1.7" 57427 ] 57428 }, 57429 { 57430 "database_specific": { 57431 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-cx6h-86xw-9x34/GHSA-cx6h-86xw-9x34.json" 57432 }, 57433 "package": { 57434 "ecosystem": "Maven", 57435 "name": "org.apache.tomcat.embed:tomcat-embed-core", 57436 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 57437 }, 57438 "ranges": [ 
57439 { 57440 "events": [ 57441 { 57442 "introduced": "9.0.71" 57443 }, 57444 { 57445 "fixed": "9.0.74" 57446 } 57447 ], 57448 "type": "ECOSYSTEM" 57449 } 57450 ], 57451 "versions": [ 57452 "9.0.71", 57453 "9.0.72", 57454 "9.0.73" 57455 ] 57456 }, 57457 { 57458 "database_specific": { 57459 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-cx6h-86xw-9x34/GHSA-cx6h-86xw-9x34.json" 57460 }, 57461 "package": { 57462 "ecosystem": "Maven", 57463 "name": "org.apache.tomcat:tomcat-coyote", 57464 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 57465 }, 57466 "ranges": [ 57467 { 57468 "events": [ 57469 { 57470 "introduced": "8.5.85" 57471 }, 57472 { 57473 "fixed": "8.5.88" 57474 } 57475 ], 57476 "type": "ECOSYSTEM" 57477 } 57478 ], 57479 "versions": [ 57480 "8.5.85", 57481 "8.5.86", 57482 "8.5.87" 57483 ] 57484 } 57485 ], 57486 "aliases": [ 57487 "BIT-tomcat-2023-28709", 57488 "CVE-2023-28709" 57489 ], 57490 "database_specific": { 57491 "cwe_ids": [ 57492 "CWE-193" 57493 ], 57494 "github_reviewed": true, 57495 "github_reviewed_at": "2023-07-06T23:34:50Z", 57496 "nvd_published_at": "2023-05-22T11:15:09Z", 57497 "severity": "HIGH" 57498 }, 57499 "details": "The fix for CVE-2023-24998 was incomplete. 
If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.", 57500 "id": "GHSA-cx6h-86xw-9x34", 57501 "modified": "2024-04-24T19:31:03.102779Z", 57502 "published": "2023-07-06T21:14:59Z", 57503 "references": [ 57504 { 57505 "type": "ADVISORY", 57506 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28709" 57507 }, 57508 { 57509 "type": "WEB", 57510 "url": "https://github.com/apache/tomcat/commit/5badf94e79e5de206fc0ef3054fd536b1bb787cd" 57511 }, 57512 { 57513 "type": "WEB", 57514 "url": "https://github.com/apache/tomcat/commit/ba848da71c523d94950d3c53c19ea155189df9dc" 57515 }, 57516 { 57517 "type": "WEB", 57518 "url": "https://github.com/apache/tomcat/commit/d53d8e7f77042cc32a3b98f589496a1ef5088e38" 57519 }, 57520 { 57521 "type": "WEB", 57522 "url": "https://github.com/apache/tomcat/commit/fbd81421629afe8b8a3922d59020cde81caea861" 57523 }, 57524 { 57525 "type": "PACKAGE", 57526 "url": "https://github.com/apache/tomcat" 57527 }, 57528 { 57529 "type": "WEB", 57530 "url": "https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j" 57531 }, 57532 { 57533 "type": "WEB", 57534 "url": "https://security.gentoo.org/glsa/202305-37" 57535 }, 57536 { 57537 "type": "WEB", 57538 "url": "https://security.netapp.com/advisory/ntap-20230616-0004" 57539 }, 57540 { 57541 "type": "WEB", 57542 "url": "https://tomcat.apache.org/security-10.html" 57543 }, 57544 { 57545 "type": "WEB", 57546 "url": "https://tomcat.apache.org/security-11.html" 57547 }, 57548 { 57549 "type": "WEB", 57550 "url": "https://tomcat.apache.org/security-8.html" 57551 }, 57552 { 57553 "type": "WEB", 57554 "url": "https://tomcat.apache.org/security-9.html" 57555 }, 57556 { 57557 "type": "WEB", 57558 "url": 
"https://www.debian.org/security/2023/dsa-5521" 57559 }, 57560 { 57561 "type": "WEB", 57562 "url": "http://www.openwall.com/lists/oss-security/2023/05/22/1" 57563 } 57564 ], 57565 "schema_version": "1.6.0", 57566 "severity": [ 57567 { 57568 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 57569 "type": "CVSS_V3" 57570 } 57571 ], 57572 "summary": "Apache Tomcat - Fix for CVE-2023-24998 was incomplete" 57573 }, 57574 { 57575 "affected": [ 57576 { 57577 "database_specific": { 57578 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-f4qf-m5gf-8jm8/GHSA-f4qf-m5gf-8jm8.json" 57579 }, 57580 "package": { 57581 "ecosystem": "Maven", 57582 "name": "org.apache.tomcat:tomcat-coyote", 57583 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 57584 }, 57585 "ranges": [ 57586 { 57587 "events": [ 57588 { 57589 "introduced": "9.0.0-M11" 57590 }, 57591 { 57592 "fixed": "9.0.44" 57593 } 57594 ], 57595 "type": "ECOSYSTEM" 57596 } 57597 ], 57598 "versions": [ 57599 "9.0.0.M1", 57600 "9.0.0.M10", 57601 "9.0.0.M11", 57602 "9.0.0.M13", 57603 "9.0.0.M15", 57604 "9.0.0.M17", 57605 "9.0.0.M18", 57606 "9.0.0.M19", 57607 "9.0.0.M20", 57608 "9.0.0.M21", 57609 "9.0.0.M22", 57610 "9.0.0.M25", 57611 "9.0.0.M26", 57612 "9.0.0.M27", 57613 "9.0.0.M3", 57614 "9.0.0.M4", 57615 "9.0.0.M6", 57616 "9.0.0.M8", 57617 "9.0.0.M9", 57618 "9.0.1", 57619 "9.0.10", 57620 "9.0.11", 57621 "9.0.12", 57622 "9.0.13", 57623 "9.0.14", 57624 "9.0.16", 57625 "9.0.17", 57626 "9.0.19", 57627 "9.0.2", 57628 "9.0.20", 57629 "9.0.21", 57630 "9.0.22", 57631 "9.0.24", 57632 "9.0.26", 57633 "9.0.27", 57634 "9.0.29", 57635 "9.0.30", 57636 "9.0.31", 57637 "9.0.33", 57638 "9.0.34", 57639 "9.0.35", 57640 "9.0.36", 57641 "9.0.37", 57642 "9.0.38", 57643 "9.0.39", 57644 "9.0.4", 57645 "9.0.40", 57646 "9.0.41", 57647 "9.0.43", 57648 "9.0.5", 57649 "9.0.6", 57650 "9.0.7", 57651 "9.0.8" 57652 ] 57653 }, 57654 { 57655 "database_specific": { 57656 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-f4qf-m5gf-8jm8/GHSA-f4qf-m5gf-8jm8.json" 57657 }, 57658 "package": { 57659 "ecosystem": "Maven", 57660 "name": "org.apache.tomcat.embed:tomcat-embed-core", 57661 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 57662 }, 57663 "ranges": [ 57664 { 57665 "events": [ 57666 { 57667 "introduced": "8.5.7" 57668 }, 57669 { 57670 "fixed": "8.5.64" 57671 } 57672 ], 57673 "type": "ECOSYSTEM" 57674 } 57675 ], 57676 "versions": [ 57677 "8.5.11", 57678 "8.5.12", 57679 "8.5.13", 57680 "8.5.14", 57681 "8.5.15", 57682 "8.5.16", 57683 "8.5.19", 57684 "8.5.20", 57685 "8.5.21", 57686 "8.5.23", 57687 "8.5.24", 57688 "8.5.27", 57689 "8.5.28", 57690 "8.5.29", 57691 "8.5.30", 57692 "8.5.31", 57693 "8.5.32", 57694 "8.5.33", 57695 "8.5.34", 57696 "8.5.35", 57697 "8.5.37", 57698 "8.5.38", 57699 "8.5.39", 57700 "8.5.40", 57701 "8.5.41", 57702 "8.5.42", 57703 "8.5.43", 57704 "8.5.45", 57705 "8.5.46", 57706 "8.5.47", 57707 "8.5.49", 57708 "8.5.50", 57709 "8.5.51", 57710 "8.5.53", 57711 "8.5.54", 57712 "8.5.55", 57713 "8.5.56", 57714 "8.5.57", 57715 "8.5.58", 57716 "8.5.59", 57717 "8.5.60", 57718 "8.5.61", 57719 "8.5.63", 57720 "8.5.8", 57721 "8.5.9" 57722 ] 57723 } 57724 ], 57725 "aliases": [ 57726 "BIT-tomcat-2024-21733", 57727 "CVE-2024-21733" 57728 ], 57729 "database_specific": { 57730 "cwe_ids": [ 57731 "CWE-209" 57732 ], 57733 "github_reviewed": true, 57734 "github_reviewed_at": "2024-01-29T22:30:43Z", 57735 "nvd_published_at": "2024-01-19T11:15:08Z", 57736 "severity": "MODERATE" 57737 }, 57738 "details": "Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. 
This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.\n\nUsers are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.\n\n", 57739 "id": "GHSA-f4qf-m5gf-8jm8", 57740 "modified": "2024-04-23T22:01:15.527056Z", 57741 "published": "2024-01-19T12:30:18Z", 57742 "references": [ 57743 { 57744 "type": "ADVISORY", 57745 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21733" 57746 }, 57747 { 57748 "type": "WEB", 57749 "url": "https://github.com/apache/tomcat/commit/86ccc43940861703c2be96a5f35384407522125a" 57750 }, 57751 { 57752 "type": "WEB", 57753 "url": "https://github.com/apache/tomcat/commit/ce4b154e7b48f66bd98858626347747cd2514311" 57754 }, 57755 { 57756 "type": "PACKAGE", 57757 "url": "https://github.com/apache/tomcat" 57758 }, 57759 { 57760 "type": "WEB", 57761 "url": "https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz" 57762 }, 57763 { 57764 "type": "WEB", 57765 "url": "https://security.netapp.com/advisory/ntap-20240216-0005" 57766 }, 57767 { 57768 "type": "WEB", 57769 "url": "https://tomcat.apache.org/security-8.html" 57770 }, 57771 { 57772 "type": "WEB", 57773 "url": "https://tomcat.apache.org/security-9.html" 57774 }, 57775 { 57776 "type": "WEB", 57777 "url": "http://packetstormsecurity.com/files/176951/Apache-Tomcat-8.5.63-9.0.43-HTTP-Response-Smuggling.html" 57778 }, 57779 { 57780 "type": "WEB", 57781 "url": "http://www.openwall.com/lists/oss-security/2024/01/19/2" 57782 } 57783 ], 57784 "schema_version": "1.6.0", 57785 "severity": [ 57786 { 57787 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 57788 "type": "CVSS_V3" 57789 } 57790 ], 57791 "summary": "Apache Tomcat vulnerable to Generation of Error Message Containing Sensitive Information" 57792 }, 57793 { 57794 "affected": [ 57795 { 57796 "database_specific": { 57797 "last_known_affected_version_range": "\u003c= 5.5.26", 57798 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f98p-9pp6-7q6c/GHSA-f98p-9pp6-7q6c.json" 57799 }, 57800 "package": { 57801 "ecosystem": "Maven", 57802 "name": "org.apache.tomcat:tomcat", 57803 "purl": "pkg:maven/org.apache.tomcat/tomcat" 57804 }, 57805 "ranges": [ 57806 { 57807 "events": [ 57808 { 57809 "introduced": "5.5.9" 57810 }, 57811 { 57812 "fixed": "5.5.27" 57813 } 57814 ], 57815 "type": "ECOSYSTEM" 57816 } 57817 ] 57818 }, 57819 { 57820 "database_specific": { 57821 "last_known_affected_version_range": "\u003c= 6.0.16", 57822 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f98p-9pp6-7q6c/GHSA-f98p-9pp6-7q6c.json" 57823 }, 57824 "package": { 57825 "ecosystem": "Maven", 57826 "name": "org.apache.tomcat:tomcat", 57827 "purl": "pkg:maven/org.apache.tomcat/tomcat" 57828 }, 57829 "ranges": [ 57830 { 57831 "events": [ 57832 { 57833 "introduced": "6.0.0" 57834 }, 57835 { 57836 "fixed": "6.0.18" 57837 } 57838 ], 57839 "type": "ECOSYSTEM" 57840 } 57841 ] 57842 }, 57843 { 57844 "database_specific": { 57845 "last_known_affected_version_range": "\u003c= 5.5.26", 57846 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f98p-9pp6-7q6c/GHSA-f98p-9pp6-7q6c.json" 57847 }, 57848 "package": { 57849 "ecosystem": "Maven", 57850 "name": "org.apache.tomcat.embed:tomcat-embed-core", 57851 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 57852 }, 57853 "ranges": [ 57854 { 57855 "events": [ 57856 { 57857 "introduced": "5.5.9" 57858 }, 57859 { 57860 "fixed": "5.5.27" 57861 } 57862 ], 57863 "type": "ECOSYSTEM" 57864 } 57865 ] 57866 }, 57867 { 57868 "database_specific": { 57869 "last_known_affected_version_range": "\u003c= 6.0.16", 57870 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f98p-9pp6-7q6c/GHSA-f98p-9pp6-7q6c.json" 57871 }, 57872 "package": { 57873 
"ecosystem": "Maven", 57874 "name": "org.apache.tomcat.embed:tomcat-embed-core", 57875 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 57876 }, 57877 "ranges": [ 57878 { 57879 "events": [ 57880 { 57881 "introduced": "6.0.0" 57882 }, 57883 { 57884 "fixed": "6.0.18" 57885 } 57886 ], 57887 "type": "ECOSYSTEM" 57888 } 57889 ] 57890 } 57891 ], 57892 "aliases": [ 57893 "CVE-2008-1947" 57894 ], 57895 "database_specific": { 57896 "cwe_ids": [ 57897 "CWE-79" 57898 ], 57899 "github_reviewed": true, 57900 "github_reviewed_at": "2024-01-08T22:33:18Z", 57901 "nvd_published_at": "2008-06-04T19:32:00Z", 57902 "severity": "MODERATE" 57903 }, 57904 "details": "Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to `host-manager/html/add`.", 57905 "id": "GHSA-f98p-9pp6-7q6c", 57906 "modified": "2024-03-05T18:53:37Z", 57907 "published": "2022-05-01T23:45:13Z", 57908 "references": [ 57909 { 57910 "type": "ADVISORY", 57911 "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1947" 57912 }, 57913 { 57914 "type": "WEB", 57915 "url": "https://github.com/apache/tomcat/commit/ab6a6c41ac972c845717c9d639f0335865afab4d" 57916 }, 57917 { 57918 "type": "WEB", 57919 "url": "https://github.com/apache/tomcat/commit/78ad0fcbe29c824f1f2e45a4e2716247b033250a" 57920 }, 57921 { 57922 "type": "WEB", 57923 "url": "https://github.com/apache/tomcat/commit/49c71fc59c1b8f8da77aea9eb53e61db168aebab" 57924 }, 57925 { 57926 "type": "WEB", 57927 "url": "https://github.com/apache/tomcat/commit/5f00d434c8dc11bd49ce0b4b56fe889839056030" 57928 }, 57929 { 57930 "type": "WEB", 57931 "url": "https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E" 57932 }, 57933 { 57934 "type": "WEB", 57935 "url": 
"https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E" 57936 }, 57937 { 57938 "type": "WEB", 57939 "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E" 57940 }, 57941 { 57942 "type": "WEB", 57943 "url": "https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E" 57944 }, 57945 { 57946 "type": "WEB", 57947 "url": "https://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html" 57948 }, 57949 { 57950 "type": "WEB", 57951 "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11534" 57952 }, 57953 { 57954 "type": "WEB", 57955 "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6009" 57956 }, 57957 { 57958 "type": "WEB", 57959 "url": "https://web.archive.org/web/20200514224656/http://www.securityfocus.com/archive/1/507985/100/0/threaded" 57960 }, 57961 { 57962 "type": "WEB", 57963 "url": "https://web.archive.org/web/20201208011750/http://www.securityfocus.com/archive/1/492958/100/0/threaded" 57964 }, 57965 { 57966 "type": "WEB", 57967 "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html" 57968 }, 57969 { 57970 "type": "WEB", 57971 "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html" 57972 }, 57973 { 57974 "type": "WEB", 57975 "url": "https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html" 57976 }, 57977 { 57978 "type": "WEB", 57979 "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E" 57980 }, 57981 { 57982 "type": "WEB", 57983 "url": "https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E" 57984 }, 57985 { 57986 
"type": "WEB", 57987 "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E" 57988 }, 57989 { 57990 "type": "WEB", 57991 "url": "https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E" 57992 }, 57993 { 57994 "type": "PACKAGE", 57995 "url": "https://github.com/apache/tomcat" 57996 }, 57997 { 57998 "type": "WEB", 57999 "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/42816" 58000 }, 58001 { 58002 "type": "WEB", 58003 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=446393" 58004 }, 58005 { 58006 "type": "WEB", 58007 "url": "https://access.redhat.com/security/cve/CVE-2008-1947" 58008 }, 58009 { 58010 "type": "WEB", 58011 "url": "https://access.redhat.com/errata/RHSA-2008:1007" 58012 }, 58013 { 58014 "type": "WEB", 58015 "url": "https://access.redhat.com/errata/RHSA-2008:0864" 58016 }, 58017 { 58018 "type": "WEB", 58019 "url": "https://access.redhat.com/errata/RHSA-2008:0862" 58020 }, 58021 { 58022 "type": "WEB", 58023 "url": "https://access.redhat.com/errata/RHSA-2008:0648" 58024 }, 58025 { 58026 "type": "WEB", 58027 "url": "http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.html" 58028 }, 58029 { 58030 "type": "WEB", 58031 "url": "http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html" 58032 }, 58033 { 58034 "type": "WEB", 58035 "url": "http://marc.info/?l=bugtraq\u0026m=123376588623823\u0026w=2" 58036 }, 58037 { 58038 "type": "WEB", 58039 "url": "http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2" 58040 }, 58041 { 58042 "type": "WEB", 58043 "url": "http://marc.info/?l=tomcat-user\u0026m=121244319501278\u0026w=2" 58044 }, 58045 { 58046 "type": "WEB", 58047 "url": "http://support.apple.com/kb/HT3216" 58048 }, 58049 { 58050 "type": "WEB", 58051 "url": "http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm" 58052 }, 58053 { 58054 "type": "WEB", 58055 "url": 
"http://tomcat.apache.org/security-5.html" 58056 }, 58057 { 58058 "type": "WEB", 58059 "url": "http://tomcat.apache.org/security-6.html" 58060 }, 58061 { 58062 "type": "WEB", 58063 "url": "http://www.debian.org/security/2008/dsa-1593" 58064 }, 58065 { 58066 "type": "WEB", 58067 "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2008:188" 58068 }, 58069 { 58070 "type": "WEB", 58071 "url": "http://www.redhat.com/support/errata/RHSA-2008-0648.html" 58072 }, 58073 { 58074 "type": "WEB", 58075 "url": "http://www.redhat.com/support/errata/RHSA-2008-0862.html" 58076 }, 58077 { 58078 "type": "WEB", 58079 "url": "http://www.redhat.com/support/errata/RHSA-2008-0864.html" 58080 }, 58081 { 58082 "type": "WEB", 58083 "url": "http://www.vmware.com/security/advisories/VMSA-2009-0002.html" 58084 }, 58085 { 58086 "type": "WEB", 58087 "url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html" 58088 } 58089 ], 58090 "schema_version": "1.6.0", 58091 "summary": "Apache Tomcat Cross-site scripting (XSS) vulnerability" 58092 }, 58093 { 58094 "affected": [ 58095 { 58096 "database_specific": { 58097 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json" 58098 }, 58099 "package": { 58100 "ecosystem": "Maven", 58101 "name": "org.apache.tomcat:tomcat-catalina", 58102 "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" 58103 }, 58104 "ranges": [ 58105 { 58106 "events": [ 58107 { 58108 "introduced": "11.0.0-M1" 58109 }, 58110 { 58111 "fixed": "11.0.0-M11" 58112 } 58113 ], 58114 "type": "ECOSYSTEM" 58115 } 58116 ], 58117 "versions": [ 58118 "11.0.0-M1", 58119 "11.0.0-M10", 58120 "11.0.0-M3", 58121 "11.0.0-M4", 58122 "11.0.0-M5", 58123 "11.0.0-M6", 58124 "11.0.0-M7", 58125 "11.0.0-M9" 58126 ] 58127 }, 58128 { 58129 "database_specific": { 58130 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json" 58131 }, 58132 "package": { 58133 "ecosystem": "Maven", 58134 "name": "org.apache.tomcat:tomcat-catalina", 58135 "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" 58136 }, 58137 "ranges": [ 58138 { 58139 "events": [ 58140 { 58141 "introduced": "10.1.0-M1" 58142 }, 58143 { 58144 "fixed": "10.1.16" 58145 } 58146 ], 58147 "type": "ECOSYSTEM" 58148 } 58149 ], 58150 "versions": [ 58151 "10.1.0", 58152 "10.1.0-M1", 58153 "10.1.0-M10", 58154 "10.1.0-M11", 58155 "10.1.0-M12", 58156 "10.1.0-M14", 58157 "10.1.0-M15", 58158 "10.1.0-M16", 58159 "10.1.0-M17", 58160 "10.1.0-M2", 58161 "10.1.0-M4", 58162 "10.1.0-M5", 58163 "10.1.0-M6", 58164 "10.1.0-M7", 58165 "10.1.0-M8", 58166 "10.1.1", 58167 "10.1.10", 58168 "10.1.11", 58169 "10.1.12", 58170 "10.1.13", 58171 "10.1.14", 58172 "10.1.15", 58173 "10.1.2", 58174 "10.1.4", 58175 "10.1.5", 58176 "10.1.6", 58177 "10.1.7", 58178 "10.1.8", 58179 "10.1.9" 58180 ] 58181 }, 58182 { 58183 "database_specific": { 58184 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json" 58185 }, 58186 "package": { 58187 "ecosystem": "Maven", 58188 "name": "org.apache.tomcat:tomcat-catalina", 58189 "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" 58190 }, 58191 "ranges": [ 58192 { 58193 "events": [ 58194 { 58195 "introduced": "9.0.0-M1" 58196 }, 58197 { 58198 "fixed": "9.0.83" 58199 } 58200 ], 58201 "type": "ECOSYSTEM" 58202 } 58203 ], 58204 "versions": [ 58205 "9.0.0.M1", 58206 "9.0.0.M10", 58207 "9.0.0.M11", 58208 "9.0.0.M13", 58209 "9.0.0.M15", 58210 "9.0.0.M17", 58211 "9.0.0.M18", 58212 "9.0.0.M19", 58213 "9.0.0.M20", 58214 "9.0.0.M21", 58215 "9.0.0.M22", 58216 "9.0.0.M25", 58217 "9.0.0.M26", 58218 "9.0.0.M27", 58219 "9.0.0.M3", 58220 "9.0.0.M4", 58221 "9.0.0.M6", 58222 "9.0.0.M8", 58223 "9.0.0.M9", 58224 "9.0.1", 58225 
"9.0.10", 58226 "9.0.11", 58227 "9.0.12", 58228 "9.0.13", 58229 "9.0.14", 58230 "9.0.16", 58231 "9.0.17", 58232 "9.0.19", 58233 "9.0.2", 58234 "9.0.20", 58235 "9.0.21", 58236 "9.0.22", 58237 "9.0.24", 58238 "9.0.26", 58239 "9.0.27", 58240 "9.0.29", 58241 "9.0.30", 58242 "9.0.31", 58243 "9.0.33", 58244 "9.0.34", 58245 "9.0.35", 58246 "9.0.36", 58247 "9.0.37", 58248 "9.0.38", 58249 "9.0.39", 58250 "9.0.4", 58251 "9.0.40", 58252 "9.0.41", 58253 "9.0.43", 58254 "9.0.44", 58255 "9.0.45", 58256 "9.0.46", 58257 "9.0.48", 58258 "9.0.5", 58259 "9.0.50", 58260 "9.0.52", 58261 "9.0.53", 58262 "9.0.54", 58263 "9.0.55", 58264 "9.0.56", 58265 "9.0.58", 58266 "9.0.59", 58267 "9.0.6", 58268 "9.0.60", 58269 "9.0.62", 58270 "9.0.63", 58271 "9.0.64", 58272 "9.0.65", 58273 "9.0.67", 58274 "9.0.68", 58275 "9.0.69", 58276 "9.0.7", 58277 "9.0.70", 58278 "9.0.71", 58279 "9.0.72", 58280 "9.0.73", 58281 "9.0.74", 58282 "9.0.75", 58283 "9.0.76", 58284 "9.0.78", 58285 "9.0.79", 58286 "9.0.8", 58287 "9.0.80", 58288 "9.0.81", 58289 "9.0.82" 58290 ] 58291 }, 58292 { 58293 "database_specific": { 58294 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json" 58295 }, 58296 "package": { 58297 "ecosystem": "Maven", 58298 "name": "org.apache.tomcat:tomcat-catalina", 58299 "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" 58300 }, 58301 "ranges": [ 58302 { 58303 "events": [ 58304 { 58305 "introduced": "8.5.0" 58306 }, 58307 { 58308 "fixed": "8.5.96" 58309 } 58310 ], 58311 "type": "ECOSYSTEM" 58312 } 58313 ], 58314 "versions": [ 58315 "8.5.0", 58316 "8.5.11", 58317 "8.5.12", 58318 "8.5.13", 58319 "8.5.14", 58320 "8.5.15", 58321 "8.5.16", 58322 "8.5.19", 58323 "8.5.2", 58324 "8.5.20", 58325 "8.5.21", 58326 "8.5.23", 58327 "8.5.24", 58328 "8.5.27", 58329 "8.5.28", 58330 "8.5.29", 58331 "8.5.3", 58332 "8.5.30", 58333 "8.5.31", 58334 "8.5.32", 58335 "8.5.33", 58336 "8.5.34", 58337 "8.5.35", 58338 "8.5.37", 58339 
"8.5.38", 58340 "8.5.39", 58341 "8.5.4", 58342 "8.5.40", 58343 "8.5.41", 58344 "8.5.42", 58345 "8.5.43", 58346 "8.5.45", 58347 "8.5.46", 58348 "8.5.47", 58349 "8.5.49", 58350 "8.5.5", 58351 "8.5.50", 58352 "8.5.51", 58353 "8.5.53", 58354 "8.5.54", 58355 "8.5.55", 58356 "8.5.56", 58357 "8.5.57", 58358 "8.5.58", 58359 "8.5.59", 58360 "8.5.6", 58361 "8.5.60", 58362 "8.5.61", 58363 "8.5.63", 58364 "8.5.64", 58365 "8.5.65", 58366 "8.5.66", 58367 "8.5.68", 58368 "8.5.69", 58369 "8.5.70", 58370 "8.5.71", 58371 "8.5.72", 58372 "8.5.73", 58373 "8.5.75", 58374 "8.5.76", 58375 "8.5.77", 58376 "8.5.78", 58377 "8.5.79", 58378 "8.5.8", 58379 "8.5.81", 58380 "8.5.82", 58381 "8.5.83", 58382 "8.5.84", 58383 "8.5.85", 58384 "8.5.86", 58385 "8.5.87", 58386 "8.5.88", 58387 "8.5.89", 58388 "8.5.9", 58389 "8.5.90", 58390 "8.5.91", 58391 "8.5.92", 58392 "8.5.93", 58393 "8.5.94", 58394 "8.5.95" 58395 ] 58396 }, 58397 { 58398 "database_specific": { 58399 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json" 58400 }, 58401 "package": { 58402 "ecosystem": "Maven", 58403 "name": "org.apache.tomcat.embed:tomcat-embed-core", 58404 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 58405 }, 58406 "ranges": [ 58407 { 58408 "events": [ 58409 { 58410 "introduced": "11.0.0-M1" 58411 }, 58412 { 58413 "fixed": "11.0.0-M11" 58414 } 58415 ], 58416 "type": "ECOSYSTEM" 58417 } 58418 ], 58419 "versions": [ 58420 "11.0.0-M1", 58421 "11.0.0-M10", 58422 "11.0.0-M3", 58423 "11.0.0-M4", 58424 "11.0.0-M5", 58425 "11.0.0-M6", 58426 "11.0.0-M7", 58427 "11.0.0-M9" 58428 ] 58429 }, 58430 { 58431 "database_specific": { 58432 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json" 58433 }, 58434 "package": { 58435 "ecosystem": "Maven", 58436 "name": "org.apache.tomcat.embed:tomcat-embed-core", 58437 "purl": 
"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 58438 }, 58439 "ranges": [ 58440 { 58441 "events": [ 58442 { 58443 "introduced": "10.1.0-M1" 58444 }, 58445 { 58446 "fixed": "10.1.16" 58447 } 58448 ], 58449 "type": "ECOSYSTEM" 58450 } 58451 ], 58452 "versions": [ 58453 "10.1.0", 58454 "10.1.0-M1", 58455 "10.1.0-M10", 58456 "10.1.0-M11", 58457 "10.1.0-M12", 58458 "10.1.0-M14", 58459 "10.1.0-M15", 58460 "10.1.0-M16", 58461 "10.1.0-M17", 58462 "10.1.0-M2", 58463 "10.1.0-M4", 58464 "10.1.0-M5", 58465 "10.1.0-M6", 58466 "10.1.0-M7", 58467 "10.1.0-M8", 58468 "10.1.1", 58469 "10.1.10", 58470 "10.1.11", 58471 "10.1.12", 58472 "10.1.13", 58473 "10.1.14", 58474 "10.1.15", 58475 "10.1.2", 58476 "10.1.4", 58477 "10.1.5", 58478 "10.1.6", 58479 "10.1.7", 58480 "10.1.8", 58481 "10.1.9" 58482 ] 58483 }, 58484 { 58485 "database_specific": { 58486 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json" 58487 }, 58488 "package": { 58489 "ecosystem": "Maven", 58490 "name": "org.apache.tomcat.embed:tomcat-embed-core", 58491 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 58492 }, 58493 "ranges": [ 58494 { 58495 "events": [ 58496 { 58497 "introduced": "9.0.0-M1" 58498 }, 58499 { 58500 "fixed": "9.0.83" 58501 } 58502 ], 58503 "type": "ECOSYSTEM" 58504 } 58505 ], 58506 "versions": [ 58507 "9.0.0.M1", 58508 "9.0.0.M10", 58509 "9.0.0.M11", 58510 "9.0.0.M13", 58511 "9.0.0.M15", 58512 "9.0.0.M17", 58513 "9.0.0.M18", 58514 "9.0.0.M19", 58515 "9.0.0.M20", 58516 "9.0.0.M21", 58517 "9.0.0.M22", 58518 "9.0.0.M25", 58519 "9.0.0.M26", 58520 "9.0.0.M27", 58521 "9.0.0.M3", 58522 "9.0.0.M4", 58523 "9.0.0.M6", 58524 "9.0.0.M8", 58525 "9.0.0.M9", 58526 "9.0.1", 58527 "9.0.10", 58528 "9.0.11", 58529 "9.0.12", 58530 "9.0.13", 58531 "9.0.14", 58532 "9.0.16", 58533 "9.0.17", 58534 "9.0.19", 58535 "9.0.2", 58536 "9.0.20", 58537 "9.0.21", 58538 "9.0.22", 58539 "9.0.24", 58540 "9.0.26", 58541 "9.0.27", 
58542 "9.0.29", 58543 "9.0.30", 58544 "9.0.31", 58545 "9.0.33", 58546 "9.0.34", 58547 "9.0.35", 58548 "9.0.36", 58549 "9.0.37", 58550 "9.0.38", 58551 "9.0.39", 58552 "9.0.4", 58553 "9.0.40", 58554 "9.0.41", 58555 "9.0.43", 58556 "9.0.44", 58557 "9.0.45", 58558 "9.0.46", 58559 "9.0.48", 58560 "9.0.5", 58561 "9.0.50", 58562 "9.0.52", 58563 "9.0.53", 58564 "9.0.54", 58565 "9.0.55", 58566 "9.0.56", 58567 "9.0.58", 58568 "9.0.59", 58569 "9.0.6", 58570 "9.0.60", 58571 "9.0.62", 58572 "9.0.63", 58573 "9.0.64", 58574 "9.0.65", 58575 "9.0.67", 58576 "9.0.68", 58577 "9.0.69", 58578 "9.0.7", 58579 "9.0.70", 58580 "9.0.71", 58581 "9.0.72", 58582 "9.0.73", 58583 "9.0.74", 58584 "9.0.75", 58585 "9.0.76", 58586 "9.0.78", 58587 "9.0.79", 58588 "9.0.8", 58589 "9.0.80", 58590 "9.0.81", 58591 "9.0.82" 58592 ] 58593 }, 58594 { 58595 "database_specific": { 58596 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json" 58597 }, 58598 "package": { 58599 "ecosystem": "Maven", 58600 "name": "org.apache.tomcat.embed:tomcat-embed-core", 58601 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 58602 }, 58603 "ranges": [ 58604 { 58605 "events": [ 58606 { 58607 "introduced": "8.5.0" 58608 }, 58609 { 58610 "fixed": "8.5.96" 58611 } 58612 ], 58613 "type": "ECOSYSTEM" 58614 } 58615 ], 58616 "versions": [ 58617 "8.5.0", 58618 "8.5.11", 58619 "8.5.12", 58620 "8.5.13", 58621 "8.5.14", 58622 "8.5.15", 58623 "8.5.16", 58624 "8.5.19", 58625 "8.5.2", 58626 "8.5.20", 58627 "8.5.21", 58628 "8.5.23", 58629 "8.5.24", 58630 "8.5.27", 58631 "8.5.28", 58632 "8.5.29", 58633 "8.5.3", 58634 "8.5.30", 58635 "8.5.31", 58636 "8.5.32", 58637 "8.5.33", 58638 "8.5.34", 58639 "8.5.35", 58640 "8.5.37", 58641 "8.5.38", 58642 "8.5.39", 58643 "8.5.4", 58644 "8.5.40", 58645 "8.5.41", 58646 "8.5.42", 58647 "8.5.43", 58648 "8.5.45", 58649 "8.5.46", 58650 "8.5.47", 58651 "8.5.49", 58652 "8.5.5", 58653 "8.5.50", 58654 "8.5.51", 
58655 "8.5.53", 58656 "8.5.54", 58657 "8.5.55", 58658 "8.5.56", 58659 "8.5.57", 58660 "8.5.58", 58661 "8.5.59", 58662 "8.5.6", 58663 "8.5.60", 58664 "8.5.61", 58665 "8.5.63", 58666 "8.5.64", 58667 "8.5.65", 58668 "8.5.66", 58669 "8.5.68", 58670 "8.5.69", 58671 "8.5.70", 58672 "8.5.71", 58673 "8.5.72", 58674 "8.5.73", 58675 "8.5.75", 58676 "8.5.76", 58677 "8.5.77", 58678 "8.5.78", 58679 "8.5.79", 58680 "8.5.8", 58681 "8.5.81", 58682 "8.5.82", 58683 "8.5.83", 58684 "8.5.84", 58685 "8.5.85", 58686 "8.5.86", 58687 "8.5.87", 58688 "8.5.88", 58689 "8.5.89", 58690 "8.5.9", 58691 "8.5.90", 58692 "8.5.91", 58693 "8.5.92", 58694 "8.5.93", 58695 "8.5.94", 58696 "8.5.95" 58697 ] 58698 } 58699 ], 58700 "aliases": [ 58701 "BIT-tomcat-2023-46589", 58702 "CVE-2023-46589" 58703 ], 58704 "database_specific": { 58705 "cwe_ids": [ 58706 "CWE-20", 58707 "CWE-444" 58708 ], 58709 "github_reviewed": true, 58710 "github_reviewed_at": "2023-11-28T23:28:54Z", 58711 "nvd_published_at": "2023-11-28T16:15:06Z", 58712 "severity": "HIGH" 58713 }, 58714 "details": "Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82, and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. 
A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.\n\nUsers are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.", 58715 "id": "GHSA-fccv-jmmp-qg76", 58716 "modified": "2024-07-12T19:22:06.840813Z", 58717 "published": "2023-11-28T18:30:23Z", 58718 "references": [ 58719 { 58720 "type": "ADVISORY", 58721 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46589" 58722 }, 58723 { 58724 "type": "WEB", 58725 "url": "https://github.com/apache/tomcat/commit/6f181e1062a472bc5f0234980f66cbde42c1041b" 58726 }, 58727 { 58728 "type": "WEB", 58729 "url": "https://github.com/apache/tomcat/commit/7a2d8818fcea0b51747a67af9510ce7977245ebd" 58730 }, 58731 { 58732 "type": "WEB", 58733 "url": "https://github.com/apache/tomcat/commit/aa92971e879a519384c517febc39fd04c48d4642" 58734 }, 58735 { 58736 "type": "WEB", 58737 "url": "https://github.com/apache/tomcat/commit/b5776d769bffeade865061bc8ecbeb2b56167b08" 58738 }, 58739 { 58740 "type": "PACKAGE", 58741 "url": "https://github.com/apache/tomcat" 58742 }, 58743 { 58744 "type": "WEB", 58745 "url": "https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr" 58746 }, 58747 { 58748 "type": "WEB", 58749 "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00001.html" 58750 }, 58751 { 58752 "type": "WEB", 58753 "url": "https://security.netapp.com/advisory/ntap-20231214-0009" 58754 }, 58755 { 58756 "type": "WEB", 58757 "url": "https://tomcat.apache.org/security-10.html" 58758 }, 58759 { 58760 "type": "WEB", 58761 "url": "https://tomcat.apache.org/security-11.html" 58762 }, 58763 { 58764 "type": "WEB", 58765 "url": "https://tomcat.apache.org/security-8.html" 58766 }, 58767 { 58768 "type": "WEB", 58769 "url": "https://tomcat.apache.org/security-9.html" 58770 }, 58771 { 58772 "type": "WEB", 58773 "url": 
"https://www.openwall.com/lists/oss-security/2023/11/28/2" 58774 }, 58775 { 58776 "type": "WEB", 58777 "url": "http://www.openwall.com/lists/oss-security/2023/11/28/2" 58778 } 58779 ], 58780 "related": [ 58781 "CGA-3336-vxcr-qh26", 58782 "CGA-x5p2-8fvm-5gv3" 58783 ], 58784 "schema_version": "1.6.0", 58785 "severity": [ 58786 { 58787 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 58788 "type": "CVSS_V3" 58789 } 58790 ], 58791 "summary": "Apache Tomcat Improper Input Validation vulnerability" 58792 }, 58793 { 58794 "affected": [ 58795 { 58796 "database_specific": { 58797 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json" 58798 }, 58799 "package": { 58800 "ecosystem": "Maven", 58801 "name": "org.apache.tomcat:tomcat", 58802 "purl": "pkg:maven/org.apache.tomcat/tomcat" 58803 }, 58804 "ranges": [ 58805 { 58806 "events": [ 58807 { 58808 "introduced": "11.0.0-M1" 58809 }, 58810 { 58811 "fixed": "11.0.0-M12" 58812 } 58813 ], 58814 "type": "ECOSYSTEM" 58815 } 58816 ], 58817 "versions": [ 58818 "11.0.0-M1", 58819 "11.0.0-M10", 58820 "11.0.0-M11", 58821 "11.0.0-M3", 58822 "11.0.0-M4", 58823 "11.0.0-M5", 58824 "11.0.0-M6", 58825 "11.0.0-M7", 58826 "11.0.0-M9" 58827 ] 58828 }, 58829 { 58830 "database_specific": { 58831 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json" 58832 }, 58833 "package": { 58834 "ecosystem": "Maven", 58835 "name": "org.apache.tomcat:tomcat", 58836 "purl": "pkg:maven/org.apache.tomcat/tomcat" 58837 }, 58838 "ranges": [ 58839 { 58840 "events": [ 58841 { 58842 "introduced": "10.1.0-M1" 58843 }, 58844 { 58845 "fixed": "10.1.14" 58846 } 58847 ], 58848 "type": "ECOSYSTEM" 58849 } 58850 ], 58851 "versions": [ 58852 "10.1.0", 58853 "10.1.0-M1", 58854 "10.1.0-M10", 58855 "10.1.0-M11", 58856 "10.1.0-M12", 58857 "10.1.0-M14", 58858 "10.1.0-M15", 58859 "10.1.0-M16", 
58860 "10.1.0-M17", 58861 "10.1.0-M2", 58862 "10.1.0-M4", 58863 "10.1.0-M5", 58864 "10.1.0-M6", 58865 "10.1.0-M7", 58866 "10.1.0-M8", 58867 "10.1.1", 58868 "10.1.10", 58869 "10.1.11", 58870 "10.1.12", 58871 "10.1.13", 58872 "10.1.2", 58873 "10.1.4", 58874 "10.1.5", 58875 "10.1.6", 58876 "10.1.7", 58877 "10.1.8", 58878 "10.1.9" 58879 ] 58880 }, 58881 { 58882 "database_specific": { 58883 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json" 58884 }, 58885 "package": { 58886 "ecosystem": "Maven", 58887 "name": "org.apache.tomcat:tomcat", 58888 "purl": "pkg:maven/org.apache.tomcat/tomcat" 58889 }, 58890 "ranges": [ 58891 { 58892 "events": [ 58893 { 58894 "introduced": "9.0.0-M1" 58895 }, 58896 { 58897 "fixed": "9.0.81" 58898 } 58899 ], 58900 "type": "ECOSYSTEM" 58901 } 58902 ], 58903 "versions": [ 58904 "9.0.0.M1", 58905 "9.0.0.M10", 58906 "9.0.0.M11", 58907 "9.0.0.M13", 58908 "9.0.0.M15", 58909 "9.0.0.M17", 58910 "9.0.0.M18", 58911 "9.0.0.M19", 58912 "9.0.0.M20", 58913 "9.0.0.M21", 58914 "9.0.0.M22", 58915 "9.0.0.M25", 58916 "9.0.0.M26", 58917 "9.0.0.M27", 58918 "9.0.0.M3", 58919 "9.0.0.M4", 58920 "9.0.0.M6", 58921 "9.0.0.M8", 58922 "9.0.0.M9", 58923 "9.0.1", 58924 "9.0.10", 58925 "9.0.11", 58926 "9.0.12", 58927 "9.0.13", 58928 "9.0.14", 58929 "9.0.16", 58930 "9.0.17", 58931 "9.0.19", 58932 "9.0.2", 58933 "9.0.20", 58934 "9.0.21", 58935 "9.0.22", 58936 "9.0.24", 58937 "9.0.26", 58938 "9.0.27", 58939 "9.0.29", 58940 "9.0.30", 58941 "9.0.31", 58942 "9.0.33", 58943 "9.0.34", 58944 "9.0.35", 58945 "9.0.36", 58946 "9.0.37", 58947 "9.0.38", 58948 "9.0.39", 58949 "9.0.4", 58950 "9.0.40", 58951 "9.0.41", 58952 "9.0.43", 58953 "9.0.44", 58954 "9.0.45", 58955 "9.0.46", 58956 "9.0.48", 58957 "9.0.5", 58958 "9.0.50", 58959 "9.0.52", 58960 "9.0.53", 58961 "9.0.54", 58962 "9.0.55", 58963 "9.0.56", 58964 "9.0.58", 58965 "9.0.59", 58966 "9.0.6", 58967 "9.0.60", 58968 "9.0.62", 58969 "9.0.63", 
58970 "9.0.64", 58971 "9.0.65", 58972 "9.0.67", 58973 "9.0.68", 58974 "9.0.69", 58975 "9.0.7", 58976 "9.0.70", 58977 "9.0.71", 58978 "9.0.72", 58979 "9.0.73", 58980 "9.0.74", 58981 "9.0.75", 58982 "9.0.76", 58983 "9.0.78", 58984 "9.0.79", 58985 "9.0.8", 58986 "9.0.80" 58987 ] 58988 }, 58989 { 58990 "database_specific": { 58991 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json" 58992 }, 58993 "package": { 58994 "ecosystem": "Maven", 58995 "name": "org.apache.tomcat:tomcat", 58996 "purl": "pkg:maven/org.apache.tomcat/tomcat" 58997 }, 58998 "ranges": [ 58999 { 59000 "events": [ 59001 { 59002 "introduced": "8.5.0" 59003 }, 59004 { 59005 "fixed": "8.5.94" 59006 } 59007 ], 59008 "type": "ECOSYSTEM" 59009 } 59010 ], 59011 "versions": [ 59012 "8.5.0", 59013 "8.5.11", 59014 "8.5.12", 59015 "8.5.13", 59016 "8.5.14", 59017 "8.5.15", 59018 "8.5.16", 59019 "8.5.19", 59020 "8.5.2", 59021 "8.5.20", 59022 "8.5.21", 59023 "8.5.23", 59024 "8.5.24", 59025 "8.5.27", 59026 "8.5.28", 59027 "8.5.29", 59028 "8.5.3", 59029 "8.5.30", 59030 "8.5.31", 59031 "8.5.32", 59032 "8.5.33", 59033 "8.5.34", 59034 "8.5.35", 59035 "8.5.37", 59036 "8.5.38", 59037 "8.5.39", 59038 "8.5.4", 59039 "8.5.40", 59040 "8.5.41", 59041 "8.5.42", 59042 "8.5.43", 59043 "8.5.45", 59044 "8.5.46", 59045 "8.5.47", 59046 "8.5.49", 59047 "8.5.5", 59048 "8.5.50", 59049 "8.5.51", 59050 "8.5.53", 59051 "8.5.54", 59052 "8.5.55", 59053 "8.5.56", 59054 "8.5.57", 59055 "8.5.58", 59056 "8.5.59", 59057 "8.5.6", 59058 "8.5.60", 59059 "8.5.61", 59060 "8.5.63", 59061 "8.5.64", 59062 "8.5.65", 59063 "8.5.66", 59064 "8.5.68", 59065 "8.5.69", 59066 "8.5.70", 59067 "8.5.71", 59068 "8.5.72", 59069 "8.5.73", 59070 "8.5.75", 59071 "8.5.76", 59072 "8.5.77", 59073 "8.5.78", 59074 "8.5.79", 59075 "8.5.8", 59076 "8.5.81", 59077 "8.5.82", 59078 "8.5.83", 59079 "8.5.84", 59080 "8.5.85", 59081 "8.5.86", 59082 "8.5.87", 59083 "8.5.88", 59084 "8.5.89", 
59085 "8.5.9", 59086 "8.5.90", 59087 "8.5.91", 59088 "8.5.92", 59089 "8.5.93" 59090 ] 59091 }, 59092 { 59093 "database_specific": { 59094 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json" 59095 }, 59096 "package": { 59097 "ecosystem": "Maven", 59098 "name": "org.apache.tomcat.embed:tomcat-embed-core", 59099 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 59100 }, 59101 "ranges": [ 59102 { 59103 "events": [ 59104 { 59105 "introduced": "11.0.0-M1" 59106 }, 59107 { 59108 "fixed": "11.0.0-M12" 59109 } 59110 ], 59111 "type": "ECOSYSTEM" 59112 } 59113 ], 59114 "versions": [ 59115 "11.0.0-M1", 59116 "11.0.0-M10", 59117 "11.0.0-M11", 59118 "11.0.0-M3", 59119 "11.0.0-M4", 59120 "11.0.0-M5", 59121 "11.0.0-M6", 59122 "11.0.0-M7", 59123 "11.0.0-M9" 59124 ] 59125 }, 59126 { 59127 "database_specific": { 59128 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json" 59129 }, 59130 "package": { 59131 "ecosystem": "Maven", 59132 "name": "org.apache.tomcat.embed:tomcat-embed-core", 59133 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 59134 }, 59135 "ranges": [ 59136 { 59137 "events": [ 59138 { 59139 "introduced": "10.1.0-M1" 59140 }, 59141 { 59142 "fixed": "10.1.14" 59143 } 59144 ], 59145 "type": "ECOSYSTEM" 59146 } 59147 ], 59148 "versions": [ 59149 "10.1.0", 59150 "10.1.0-M1", 59151 "10.1.0-M10", 59152 "10.1.0-M11", 59153 "10.1.0-M12", 59154 "10.1.0-M14", 59155 "10.1.0-M15", 59156 "10.1.0-M16", 59157 "10.1.0-M17", 59158 "10.1.0-M2", 59159 "10.1.0-M4", 59160 "10.1.0-M5", 59161 "10.1.0-M6", 59162 "10.1.0-M7", 59163 "10.1.0-M8", 59164 "10.1.1", 59165 "10.1.10", 59166 "10.1.11", 59167 "10.1.12", 59168 "10.1.13", 59169 "10.1.2", 59170 "10.1.4", 59171 "10.1.5", 59172 "10.1.6", 59173 "10.1.7", 59174 "10.1.8", 59175 "10.1.9" 59176 ] 59177 }, 59178 { 59179 "database_specific": { 
59180 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json" 59181 }, 59182 "package": { 59183 "ecosystem": "Maven", 59184 "name": "org.apache.tomcat.embed:tomcat-embed-core", 59185 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 59186 }, 59187 "ranges": [ 59188 { 59189 "events": [ 59190 { 59191 "introduced": "9.0.0-M1" 59192 }, 59193 { 59194 "fixed": "9.0.81" 59195 } 59196 ], 59197 "type": "ECOSYSTEM" 59198 } 59199 ], 59200 "versions": [ 59201 "9.0.0.M1", 59202 "9.0.0.M10", 59203 "9.0.0.M11", 59204 "9.0.0.M13", 59205 "9.0.0.M15", 59206 "9.0.0.M17", 59207 "9.0.0.M18", 59208 "9.0.0.M19", 59209 "9.0.0.M20", 59210 "9.0.0.M21", 59211 "9.0.0.M22", 59212 "9.0.0.M25", 59213 "9.0.0.M26", 59214 "9.0.0.M27", 59215 "9.0.0.M3", 59216 "9.0.0.M4", 59217 "9.0.0.M6", 59218 "9.0.0.M8", 59219 "9.0.0.M9", 59220 "9.0.1", 59221 "9.0.10", 59222 "9.0.11", 59223 "9.0.12", 59224 "9.0.13", 59225 "9.0.14", 59226 "9.0.16", 59227 "9.0.17", 59228 "9.0.19", 59229 "9.0.2", 59230 "9.0.20", 59231 "9.0.21", 59232 "9.0.22", 59233 "9.0.24", 59234 "9.0.26", 59235 "9.0.27", 59236 "9.0.29", 59237 "9.0.30", 59238 "9.0.31", 59239 "9.0.33", 59240 "9.0.34", 59241 "9.0.35", 59242 "9.0.36", 59243 "9.0.37", 59244 "9.0.38", 59245 "9.0.39", 59246 "9.0.4", 59247 "9.0.40", 59248 "9.0.41", 59249 "9.0.43", 59250 "9.0.44", 59251 "9.0.45", 59252 "9.0.46", 59253 "9.0.48", 59254 "9.0.5", 59255 "9.0.50", 59256 "9.0.52", 59257 "9.0.53", 59258 "9.0.54", 59259 "9.0.55", 59260 "9.0.56", 59261 "9.0.58", 59262 "9.0.59", 59263 "9.0.6", 59264 "9.0.60", 59265 "9.0.62", 59266 "9.0.63", 59267 "9.0.64", 59268 "9.0.65", 59269 "9.0.67", 59270 "9.0.68", 59271 "9.0.69", 59272 "9.0.7", 59273 "9.0.70", 59274 "9.0.71", 59275 "9.0.72", 59276 "9.0.73", 59277 "9.0.74", 59278 "9.0.75", 59279 "9.0.76", 59280 "9.0.78", 59281 "9.0.79", 59282 "9.0.8", 59283 "9.0.80" 59284 ] 59285 }, 59286 { 59287 "database_specific": { 59288 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json" 59289 }, 59290 "package": { 59291 "ecosystem": "Maven", 59292 "name": "org.apache.tomcat.embed:tomcat-embed-core", 59293 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 59294 }, 59295 "ranges": [ 59296 { 59297 "events": [ 59298 { 59299 "introduced": "8.5.0" 59300 }, 59301 { 59302 "fixed": "8.5.94" 59303 } 59304 ], 59305 "type": "ECOSYSTEM" 59306 } 59307 ], 59308 "versions": [ 59309 "8.5.0", 59310 "8.5.11", 59311 "8.5.12", 59312 "8.5.13", 59313 "8.5.14", 59314 "8.5.15", 59315 "8.5.16", 59316 "8.5.19", 59317 "8.5.2", 59318 "8.5.20", 59319 "8.5.21", 59320 "8.5.23", 59321 "8.5.24", 59322 "8.5.27", 59323 "8.5.28", 59324 "8.5.29", 59325 "8.5.3", 59326 "8.5.30", 59327 "8.5.31", 59328 "8.5.32", 59329 "8.5.33", 59330 "8.5.34", 59331 "8.5.35", 59332 "8.5.37", 59333 "8.5.38", 59334 "8.5.39", 59335 "8.5.4", 59336 "8.5.40", 59337 "8.5.41", 59338 "8.5.42", 59339 "8.5.43", 59340 "8.5.45", 59341 "8.5.46", 59342 "8.5.47", 59343 "8.5.49", 59344 "8.5.5", 59345 "8.5.50", 59346 "8.5.51", 59347 "8.5.53", 59348 "8.5.54", 59349 "8.5.55", 59350 "8.5.56", 59351 "8.5.57", 59352 "8.5.58", 59353 "8.5.59", 59354 "8.5.6", 59355 "8.5.60", 59356 "8.5.61", 59357 "8.5.63", 59358 "8.5.64", 59359 "8.5.65", 59360 "8.5.66", 59361 "8.5.68", 59362 "8.5.69", 59363 "8.5.70", 59364 "8.5.71", 59365 "8.5.72", 59366 "8.5.73", 59367 "8.5.75", 59368 "8.5.76", 59369 "8.5.77", 59370 "8.5.78", 59371 "8.5.79", 59372 "8.5.8", 59373 "8.5.81", 59374 "8.5.82", 59375 "8.5.83", 59376 "8.5.84", 59377 "8.5.85", 59378 "8.5.86", 59379 "8.5.87", 59380 "8.5.88", 59381 "8.5.89", 59382 "8.5.9", 59383 "8.5.90", 59384 "8.5.91", 59385 "8.5.92", 59386 "8.5.93" 59387 ] 59388 } 59389 ], 59390 "aliases": [ 59391 "BIT-tomcat-2023-42795", 59392 "CVE-2023-42795" 59393 ], 59394 "database_specific": { 59395 "cwe_ids": [ 59396 "CWE-459" 59397 ], 59398 "github_reviewed": true, 59399 
"github_reviewed_at": "2023-10-10T22:30:05Z", 59400 "nvd_published_at": "2023-10-10T18:15:18Z", 59401 "severity": "MODERATE" 59402 }, 59403 "details": "Incomplete Cleanup vulnerability in Apache Tomcat.\n\nWhen recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next.\n\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.", 59404 "id": "GHSA-g8pj-r55q-5c2v", 59405 "modified": "2024-04-25T22:34:10.373884Z", 59406 "published": "2023-10-10T18:31:35Z", 59407 "references": [ 59408 { 59409 "type": "ADVISORY", 59410 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42795" 59411 }, 59412 { 59413 "type": "WEB", 59414 "url": "https://github.com/apache/tomcat/commit/30f8063d7a9b4c43ae4722f5e382a76af1d7a6bf" 59415 }, 59416 { 59417 "type": "WEB", 59418 "url": "https://github.com/apache/tomcat/commit/44d05d75d696ca10ce251e4e370511e38f20ae75" 59419 }, 59420 { 59421 "type": "WEB", 59422 "url": "https://github.com/apache/tomcat/commit/9375d67106f8df9eb9d7b360b2bef052fe67d3d4" 59423 }, 59424 { 59425 "type": "WEB", 59426 "url": "https://github.com/apache/tomcat/commit/d6db22e411307c97ddf78315c15d5889356eca38" 59427 }, 59428 { 59429 "type": "PACKAGE", 59430 "url": "https://github.com/apache/tomcat" 59431 }, 59432 { 59433 "type": "WEB", 59434 "url": "https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw" 59435 }, 59436 { 59437 "type": "WEB", 59438 "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" 59439 }, 59440 { 59441 "type": "WEB", 59442 "url": "https://security.netapp.com/advisory/ntap-20231103-0007" 59443 }, 59444 { 59445 "type": "WEB", 59446 "url": 
"https://www.debian.org/security/2023/dsa-5521" 59447 }, 59448 { 59449 "type": "WEB", 59450 "url": "https://www.debian.org/security/2023/dsa-5522" 59451 }, 59452 { 59453 "type": "WEB", 59454 "url": "http://www.openwall.com/lists/oss-security/2023/10/10/9" 59455 } 59456 ], 59457 "schema_version": "1.6.0", 59458 "severity": [ 59459 { 59460 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 59461 "type": "CVSS_V3" 59462 } 59463 ], 59464 "summary": "Apache Tomcat Incomplete Cleanup vulnerability" 59465 }, 59466 { 59467 "affected": [ 59468 { 59469 "database_specific": { 59470 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json" 59471 }, 59472 "package": { 59473 "ecosystem": "Maven", 59474 "name": "commons-fileupload:commons-fileupload", 59475 "purl": "pkg:maven/commons-fileupload/commons-fileupload" 59476 }, 59477 "ranges": [ 59478 { 59479 "events": [ 59480 { 59481 "introduced": "0" 59482 }, 59483 { 59484 "fixed": "1.5" 59485 } 59486 ], 59487 "type": "ECOSYSTEM" 59488 } 59489 ], 59490 "versions": [ 59491 "1.0", 59492 "1.0-beta-1", 59493 "1.0-rc1", 59494 "1.1", 59495 "1.1.1", 59496 "1.2", 59497 "1.2.1", 59498 "1.2.2", 59499 "1.3", 59500 "1.3.1", 59501 "1.3.1-jenkins-1", 59502 "1.3.1-jenkins-2", 59503 "1.3.2", 59504 "1.3.3", 59505 "1.4" 59506 ] 59507 }, 59508 { 59509 "database_specific": { 59510 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json" 59511 }, 59512 "package": { 59513 "ecosystem": "Maven", 59514 "name": "org.apache.tomcat:tomcat-coyote", 59515 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 59516 }, 59517 "ranges": [ 59518 { 59519 "events": [ 59520 { 59521 "introduced": "10.1.0-M1" 59522 }, 59523 { 59524 "fixed": "10.1.5" 59525 } 59526 ], 59527 "type": "ECOSYSTEM" 59528 } 59529 ], 59530 "versions": [ 59531 "10.1.0", 59532 "10.1.0-M1", 59533 "10.1.0-M10", 59534 
"10.1.0-M11", 59535 "10.1.0-M12", 59536 "10.1.0-M14", 59537 "10.1.0-M15", 59538 "10.1.0-M16", 59539 "10.1.0-M17", 59540 "10.1.0-M2", 59541 "10.1.0-M4", 59542 "10.1.0-M5", 59543 "10.1.0-M6", 59544 "10.1.0-M7", 59545 "10.1.0-M8", 59546 "10.1.1", 59547 "10.1.2", 59548 "10.1.4" 59549 ] 59550 }, 59551 { 59552 "database_specific": { 59553 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json" 59554 }, 59555 "package": { 59556 "ecosystem": "Maven", 59557 "name": "org.apache.tomcat:tomcat-coyote", 59558 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 59559 }, 59560 "ranges": [ 59561 { 59562 "events": [ 59563 { 59564 "introduced": "11.0.0-M2" 59565 }, 59566 { 59567 "fixed": "11.0.0-M5" 59568 } 59569 ], 59570 "type": "ECOSYSTEM" 59571 } 59572 ], 59573 "versions": [ 59574 "11.0.0-M3", 59575 "11.0.0-M4" 59576 ] 59577 }, 59578 { 59579 "database_specific": { 59580 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json" 59581 }, 59582 "package": { 59583 "ecosystem": "Maven", 59584 "name": "org.apache.tomcat:tomcat-coyote", 59585 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 59586 }, 59587 "ranges": [ 59588 { 59589 "events": [ 59590 { 59591 "introduced": "8.5.85" 59592 }, 59593 { 59594 "fixed": "8.5.88" 59595 } 59596 ], 59597 "type": "ECOSYSTEM" 59598 } 59599 ], 59600 "versions": [ 59601 "8.5.85", 59602 "8.5.86", 59603 "8.5.87" 59604 ] 59605 }, 59606 { 59607 "database_specific": { 59608 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json" 59609 }, 59610 "package": { 59611 "ecosystem": "Maven", 59612 "name": "org.apache.tomcat:tomcat-coyote", 59613 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 59614 }, 59615 "ranges": [ 59616 { 59617 "events": [ 59618 { 59619 "introduced": "9.0.0-M1" 59620 }, 
59621 { 59622 "fixed": "9.0.71" 59623 } 59624 ], 59625 "type": "ECOSYSTEM" 59626 } 59627 ], 59628 "versions": [ 59629 "9.0.0.M1", 59630 "9.0.0.M10", 59631 "9.0.0.M11", 59632 "9.0.0.M13", 59633 "9.0.0.M15", 59634 "9.0.0.M17", 59635 "9.0.0.M18", 59636 "9.0.0.M19", 59637 "9.0.0.M20", 59638 "9.0.0.M21", 59639 "9.0.0.M22", 59640 "9.0.0.M25", 59641 "9.0.0.M26", 59642 "9.0.0.M27", 59643 "9.0.0.M3", 59644 "9.0.0.M4", 59645 "9.0.0.M6", 59646 "9.0.0.M8", 59647 "9.0.0.M9", 59648 "9.0.1", 59649 "9.0.10", 59650 "9.0.11", 59651 "9.0.12", 59652 "9.0.13", 59653 "9.0.14", 59654 "9.0.16", 59655 "9.0.17", 59656 "9.0.19", 59657 "9.0.2", 59658 "9.0.20", 59659 "9.0.21", 59660 "9.0.22", 59661 "9.0.24", 59662 "9.0.26", 59663 "9.0.27", 59664 "9.0.29", 59665 "9.0.30", 59666 "9.0.31", 59667 "9.0.33", 59668 "9.0.34", 59669 "9.0.35", 59670 "9.0.36", 59671 "9.0.37", 59672 "9.0.38", 59673 "9.0.39", 59674 "9.0.4", 59675 "9.0.40", 59676 "9.0.41", 59677 "9.0.43", 59678 "9.0.44", 59679 "9.0.45", 59680 "9.0.46", 59681 "9.0.48", 59682 "9.0.5", 59683 "9.0.50", 59684 "9.0.52", 59685 "9.0.53", 59686 "9.0.54", 59687 "9.0.55", 59688 "9.0.56", 59689 "9.0.58", 59690 "9.0.59", 59691 "9.0.6", 59692 "9.0.60", 59693 "9.0.62", 59694 "9.0.63", 59695 "9.0.64", 59696 "9.0.65", 59697 "9.0.67", 59698 "9.0.68", 59699 "9.0.69", 59700 "9.0.7", 59701 "9.0.70", 59702 "9.0.8" 59703 ] 59704 }, 59705 { 59706 "database_specific": { 59707 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json" 59708 }, 59709 "package": { 59710 "ecosystem": "Maven", 59711 "name": "org.apache.tomcat.embed:tomcat-embed-core", 59712 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 59713 }, 59714 "ranges": [ 59715 { 59716 "events": [ 59717 { 59718 "introduced": "10.1.0-M1" 59719 }, 59720 { 59721 "fixed": "10.1.5" 59722 } 59723 ], 59724 "type": "ECOSYSTEM" 59725 } 59726 ], 59727 "versions": [ 59728 "10.1.0", 59729 "10.1.0-M1", 59730 "10.1.0-M10", 
59731 "10.1.0-M11", 59732 "10.1.0-M12", 59733 "10.1.0-M14", 59734 "10.1.0-M15", 59735 "10.1.0-M16", 59736 "10.1.0-M17", 59737 "10.1.0-M2", 59738 "10.1.0-M4", 59739 "10.1.0-M5", 59740 "10.1.0-M6", 59741 "10.1.0-M7", 59742 "10.1.0-M8", 59743 "10.1.1", 59744 "10.1.2", 59745 "10.1.4" 59746 ] 59747 }, 59748 { 59749 "database_specific": { 59750 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json" 59751 }, 59752 "package": { 59753 "ecosystem": "Maven", 59754 "name": "org.apache.tomcat.embed:tomcat-embed-core", 59755 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 59756 }, 59757 "ranges": [ 59758 { 59759 "events": [ 59760 { 59761 "introduced": "11.0.0-M2" 59762 }, 59763 { 59764 "fixed": "11.0.0-M5" 59765 } 59766 ], 59767 "type": "ECOSYSTEM" 59768 } 59769 ], 59770 "versions": [ 59771 "11.0.0-M3", 59772 "11.0.0-M4" 59773 ] 59774 }, 59775 { 59776 "database_specific": { 59777 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json" 59778 }, 59779 "package": { 59780 "ecosystem": "Maven", 59781 "name": "org.apache.tomcat.embed:tomcat-embed-core", 59782 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 59783 }, 59784 "ranges": [ 59785 { 59786 "events": [ 59787 { 59788 "introduced": "8.5.85" 59789 }, 59790 { 59791 "fixed": "8.5.88" 59792 } 59793 ], 59794 "type": "ECOSYSTEM" 59795 } 59796 ], 59797 "versions": [ 59798 "8.5.85", 59799 "8.5.86", 59800 "8.5.87" 59801 ] 59802 }, 59803 { 59804 "database_specific": { 59805 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json" 59806 }, 59807 "package": { 59808 "ecosystem": "Maven", 59809 "name": "org.apache.tomcat.embed:tomcat-embed-core", 59810 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 59811 }, 59812 "ranges": [ 59813 { 
59814 "events": [ 59815 { 59816 "introduced": "9.0.0-M1" 59817 }, 59818 { 59819 "fixed": "9.0.71" 59820 } 59821 ], 59822 "type": "ECOSYSTEM" 59823 } 59824 ], 59825 "versions": [ 59826 "9.0.0.M1", 59827 "9.0.0.M10", 59828 "9.0.0.M11", 59829 "9.0.0.M13", 59830 "9.0.0.M15", 59831 "9.0.0.M17", 59832 "9.0.0.M18", 59833 "9.0.0.M19", 59834 "9.0.0.M20", 59835 "9.0.0.M21", 59836 "9.0.0.M22", 59837 "9.0.0.M25", 59838 "9.0.0.M26", 59839 "9.0.0.M27", 59840 "9.0.0.M3", 59841 "9.0.0.M4", 59842 "9.0.0.M6", 59843 "9.0.0.M8", 59844 "9.0.0.M9", 59845 "9.0.1", 59846 "9.0.10", 59847 "9.0.11", 59848 "9.0.12", 59849 "9.0.13", 59850 "9.0.14", 59851 "9.0.16", 59852 "9.0.17", 59853 "9.0.19", 59854 "9.0.2", 59855 "9.0.20", 59856 "9.0.21", 59857 "9.0.22", 59858 "9.0.24", 59859 "9.0.26", 59860 "9.0.27", 59861 "9.0.29", 59862 "9.0.30", 59863 "9.0.31", 59864 "9.0.33", 59865 "9.0.34", 59866 "9.0.35", 59867 "9.0.36", 59868 "9.0.37", 59869 "9.0.38", 59870 "9.0.39", 59871 "9.0.4", 59872 "9.0.40", 59873 "9.0.41", 59874 "9.0.43", 59875 "9.0.44", 59876 "9.0.45", 59877 "9.0.46", 59878 "9.0.48", 59879 "9.0.5", 59880 "9.0.50", 59881 "9.0.52", 59882 "9.0.53", 59883 "9.0.54", 59884 "9.0.55", 59885 "9.0.56", 59886 "9.0.58", 59887 "9.0.59", 59888 "9.0.6", 59889 "9.0.60", 59890 "9.0.62", 59891 "9.0.63", 59892 "9.0.64", 59893 "9.0.65", 59894 "9.0.67", 59895 "9.0.68", 59896 "9.0.69", 59897 "9.0.7", 59898 "9.0.70", 59899 "9.0.8" 59900 ] 59901 } 59902 ], 59903 "aliases": [ 59904 "CVE-2023-24998" 59905 ], 59906 "database_specific": { 59907 "cwe_ids": [ 59908 "CWE-770" 59909 ], 59910 "github_reviewed": true, 59911 "github_reviewed_at": "2023-02-22T00:12:07Z", 59912 "nvd_published_at": "2023-02-20T16:15:00Z", 59913 "severity": "HIGH" 59914 }, 59915 "details": "Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. 
Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.", 59916 "id": "GHSA-hfrx-6qgj-fp6c", 59917 "modified": "2024-04-18T17:16:23.151022Z", 59918 "published": "2023-02-20T18:30:17Z", 59919 "references": [ 59920 { 59921 "type": "ADVISORY", 59922 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24998" 59923 }, 59924 { 59925 "type": "WEB", 59926 "url": "https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17" 59927 }, 59928 { 59929 "type": "WEB", 59930 "url": "https://github.com/apache/tomcat/commit/8a2285f13affa961cc65595aad999db5efae45ce" 59931 }, 59932 { 59933 "type": "WEB", 59934 "url": "https://github.com/apache/tomcat/commit/9ca96c8c1eba86c0aaa2e6be581ba2a7d4d4ae6e" 59935 }, 59936 { 59937 "type": "WEB", 59938 "url": "https://github.com/apache/tomcat/commit/cf77cc545de0488fb89e24294151504a7432df74" 59939 }, 59940 { 59941 "type": "WEB", 59942 "url": "https://github.com/apache/tomcat/commit/d53d8e7f77042cc32a3b98f589496a1ef5088e38" 59943 }, 59944 { 59945 "type": "WEB", 59946 "url": "https://www.debian.org/security/2023/dsa-5522" 59947 }, 59948 { 59949 "type": "WEB", 59950 "url": "https://tomcat.apache.org/security-9.html" 59951 }, 59952 { 59953 "type": "WEB", 59954 "url": "https://tomcat.apache.org/security-8.html" 59955 }, 59956 { 59957 "type": "WEB", 59958 "url": "https://tomcat.apache.org/security-11.html" 59959 }, 59960 { 59961 "type": "WEB", 59962 "url": "https://tomcat.apache.org/security-10.html" 59963 }, 59964 { 59965 "type": "WEB", 59966 "url": "https://security.gentoo.org/glsa/202305-37" 59967 }, 59968 { 59969 "type": "WEB", 59970 "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" 59971 }, 59972 { 59973 "type": "WEB", 59974 "url": "https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy" 59975 }, 59976 { 59977 "type": "WEB", 59978 "url": 
"https://github.com/search?q=repo%3Aapache%2Ftomcat+util.http+path%3A%2F%5Eres%5C%2Fbnd%5C%2F%2F\u0026type=code" 59979 }, 59980 { 59981 "type": "PACKAGE", 59982 "url": "https://github.com/apache/commons-fileupload" 59983 }, 59984 { 59985 "type": "WEB", 59986 "url": "https://commons.apache.org/proper/commons-fileupload/security-reports.html" 59987 }, 59988 { 59989 "type": "WEB", 59990 "url": "http://www.openwall.com/lists/oss-security/2023/05/22/1" 59991 } 59992 ], 59993 "related": [ 59994 "CGA-vhv7-2gww-h7x4" 59995 ], 59996 "schema_version": "1.6.0", 59997 "severity": [ 59998 { 59999 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 60000 "type": "CVSS_V3" 60001 } 60002 ], 60003 "summary": "Apache Commons FileUpload denial of service vulnerability" 60004 }, 60005 { 60006 "affected": [ 60007 { 60008 "database_specific": { 60009 "last_known_affected_version_range": "\u003c 7.0.98", 60010 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-hh3j-x4mc-g48r/GHSA-hh3j-x4mc-g48r.json" 60011 }, 60012 "package": { 60013 "ecosystem": "Maven", 60014 "name": "org.apache.tomcat.embed:tomcat-embed-core", 60015 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 60016 }, 60017 "ranges": [ 60018 { 60019 "events": [ 60020 { 60021 "introduced": "0" 60022 }, 60023 { 60024 "fixed": "7.0.99" 60025 } 60026 ], 60027 "type": "ECOSYSTEM" 60028 } 60029 ], 60030 "versions": [ 60031 "7.0.0", 60032 "7.0.11", 60033 "7.0.12", 60034 "7.0.14", 60035 "7.0.16", 60036 "7.0.19", 60037 "7.0.2", 60038 "7.0.20", 60039 "7.0.21", 60040 "7.0.22", 60041 "7.0.23", 60042 "7.0.25", 60043 "7.0.26", 60044 "7.0.27", 60045 "7.0.28", 60046 "7.0.29", 60047 "7.0.30", 60048 "7.0.32", 60049 "7.0.33", 60050 "7.0.34", 60051 "7.0.35", 60052 "7.0.37", 60053 "7.0.39", 60054 "7.0.4", 60055 "7.0.40", 60056 "7.0.41", 60057 "7.0.42", 60058 "7.0.47", 60059 "7.0.5", 60060 "7.0.50", 60061 "7.0.52", 60062 "7.0.53", 60063 "7.0.54", 60064 "7.0.55", 60065 "7.0.56", 
60066 "7.0.57", 60067 "7.0.59", 60068 "7.0.6", 60069 "7.0.61", 60070 "7.0.62", 60071 "7.0.63", 60072 "7.0.64", 60073 "7.0.65", 60074 "7.0.67", 60075 "7.0.68", 60076 "7.0.69", 60077 "7.0.70", 60078 "7.0.72", 60079 "7.0.73", 60080 "7.0.75", 60081 "7.0.76", 60082 "7.0.77", 60083 "7.0.78", 60084 "7.0.79", 60085 "7.0.8", 60086 "7.0.81", 60087 "7.0.82", 60088 "7.0.84", 60089 "7.0.85", 60090 "7.0.86", 60091 "7.0.88", 60092 "7.0.90", 60093 "7.0.91", 60094 "7.0.92", 60095 "7.0.93", 60096 "7.0.94", 60097 "7.0.96" 60098 ] 60099 }, 60100 { 60101 "database_specific": { 60102 "last_known_affected_version_range": "\u003c 8.5.48", 60103 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-hh3j-x4mc-g48r/GHSA-hh3j-x4mc-g48r.json" 60104 }, 60105 "package": { 60106 "ecosystem": "Maven", 60107 "name": "org.apache.tomcat.embed:tomcat-embed-core", 60108 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 60109 }, 60110 "ranges": [ 60111 { 60112 "events": [ 60113 { 60114 "introduced": "8.0.0" 60115 }, 60116 { 60117 "fixed": "8.5.49" 60118 } 60119 ], 60120 "type": "ECOSYSTEM" 60121 } 60122 ], 60123 "versions": [ 60124 "8.0.1", 60125 "8.0.11", 60126 "8.0.12", 60127 "8.0.14", 60128 "8.0.15", 60129 "8.0.17", 60130 "8.0.18", 60131 "8.0.20", 60132 "8.0.21", 60133 "8.0.22", 60134 "8.0.23", 60135 "8.0.24", 60136 "8.0.26", 60137 "8.0.27", 60138 "8.0.28", 60139 "8.0.29", 60140 "8.0.3", 60141 "8.0.30", 60142 "8.0.32", 60143 "8.0.33", 60144 "8.0.35", 60145 "8.0.36", 60146 "8.0.37", 60147 "8.0.38", 60148 "8.0.39", 60149 "8.0.41", 60150 "8.0.42", 60151 "8.0.43", 60152 "8.0.44", 60153 "8.0.45", 60154 "8.0.46", 60155 "8.0.47", 60156 "8.0.48", 60157 "8.0.49", 60158 "8.0.5", 60159 "8.0.50", 60160 "8.0.51", 60161 "8.0.52", 60162 "8.0.53", 60163 "8.0.8", 60164 "8.0.9", 60165 "8.5.0", 60166 "8.5.11", 60167 "8.5.12", 60168 "8.5.13", 60169 "8.5.14", 60170 "8.5.15", 60171 "8.5.16", 60172 "8.5.19", 60173 "8.5.2", 60174 "8.5.20", 60175 "8.5.21", 60176 
"8.5.23", 60177 "8.5.24", 60178 "8.5.27", 60179 "8.5.28", 60180 "8.5.29", 60181 "8.5.3", 60182 "8.5.30", 60183 "8.5.31", 60184 "8.5.32", 60185 "8.5.33", 60186 "8.5.34", 60187 "8.5.35", 60188 "8.5.37", 60189 "8.5.38", 60190 "8.5.39", 60191 "8.5.4", 60192 "8.5.40", 60193 "8.5.41", 60194 "8.5.42", 60195 "8.5.43", 60196 "8.5.45", 60197 "8.5.46", 60198 "8.5.47", 60199 "8.5.5", 60200 "8.5.6", 60201 "8.5.8", 60202 "8.5.9" 60203 ] 60204 }, 60205 { 60206 "database_specific": { 60207 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-hh3j-x4mc-g48r/GHSA-hh3j-x4mc-g48r.json" 60208 }, 60209 "package": { 60210 "ecosystem": "Maven", 60211 "name": "org.apache.tomcat.embed:tomcat-embed-core", 60212 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 60213 }, 60214 "ranges": [ 60215 { 60216 "events": [ 60217 { 60218 "introduced": "9.0.0" 60219 }, 60220 { 60221 "fixed": "9.0.29" 60222 } 60223 ], 60224 "type": "ECOSYSTEM" 60225 } 60226 ], 60227 "versions": [ 60228 "9.0.1", 60229 "9.0.10", 60230 "9.0.11", 60231 "9.0.12", 60232 "9.0.13", 60233 "9.0.14", 60234 "9.0.16", 60235 "9.0.17", 60236 "9.0.19", 60237 "9.0.2", 60238 "9.0.20", 60239 "9.0.21", 60240 "9.0.22", 60241 "9.0.24", 60242 "9.0.26", 60243 "9.0.27", 60244 "9.0.4", 60245 "9.0.5", 60246 "9.0.6", 60247 "9.0.7", 60248 "9.0.8" 60249 ] 60250 } 60251 ], 60252 "aliases": [ 60253 "CVE-2019-12418" 60254 ], 60255 "database_specific": { 60256 "cwe_ids": [ 60257 "CWE-522" 60258 ], 60259 "github_reviewed": true, 60260 "github_reviewed_at": "2019-12-26T18:22:10Z", 60261 "nvd_published_at": "2019-12-23T18:15:00Z", 60262 "severity": "HIGH" 60263 }, 60264 "details": "When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 to 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords 
used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.", 60265 "id": "GHSA-hh3j-x4mc-g48r", 60266 "modified": "2024-03-14T05:19:45.437799Z", 60267 "published": "2019-12-26T18:22:36Z", 60268 "references": [ 60269 { 60270 "type": "ADVISORY", 60271 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-12418" 60272 }, 60273 { 60274 "type": "WEB", 60275 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 60276 }, 60277 { 60278 "type": "WEB", 60279 "url": "https://www.debian.org/security/2020/dsa-4680" 60280 }, 60281 { 60282 "type": "WEB", 60283 "url": "https://www.debian.org/security/2019/dsa-4596" 60284 }, 60285 { 60286 "type": "WEB", 60287 "url": "https://usn.ubuntu.com/4251-1" 60288 }, 60289 { 60290 "type": "WEB", 60291 "url": "https://support.f5.com/csp/article/K10107360?utm_source=f5support\u0026amp;utm_medium=RSS" 60292 }, 60293 { 60294 "type": "WEB", 60295 "url": "https://security.netapp.com/advisory/ntap-20200107-0001" 60296 }, 60297 { 60298 "type": "WEB", 60299 "url": "https://security.gentoo.org/glsa/202003-43" 60300 }, 60301 { 60302 "type": "WEB", 60303 "url": "https://seclists.org/bugtraq/2019/Dec/43" 60304 }, 60305 { 60306 "type": "WEB", 60307 "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00029.html" 60308 }, 60309 { 60310 "type": "WEB", 60311 "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html" 60312 }, 60313 { 60314 "type": "WEB", 60315 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" 60316 }, 60317 { 60318 "type": "WEB", 60319 "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" 60320 }, 60321 { 60322 "type": "WEB", 60323 "url": 
"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" 60324 }, 60325 { 60326 "type": "WEB", 60327 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" 60328 }, 60329 { 60330 "type": "WEB", 60331 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" 60332 }, 60333 { 60334 "type": "WEB", 60335 "url": "https://lists.apache.org/thread.html/43530b91506e2e0c11cfbe691173f5df8c48f51b98262426d7493b67%40%3Cannounce.tomcat.apache.org%3E" 60336 }, 60337 { 60338 "type": "WEB", 60339 "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html" 60340 } 60341 ], 60342 "related": [ 60343 "CGA-8w25-pmjp-vrmj" 60344 ], 60345 "schema_version": "1.6.0", 60346 "severity": [ 60347 { 60348 "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", 60349 "type": "CVSS_V3" 60350 } 60351 ], 60352 "summary": "Insufficiently Protected Credentials in Apache Tomcat" 60353 }, 60354 { 60355 "affected": [ 60356 { 60357 "database_specific": { 60358 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-j39c-c8hj-x4j3/GHSA-j39c-c8hj-x4j3.json" 60359 }, 60360 "package": { 60361 "ecosystem": "Maven", 60362 "name": "org.apache.tomcat.embed:tomcat-embed-core", 60363 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 60364 }, 60365 "ranges": [ 60366 { 60367 "events": [ 60368 { 60369 "introduced": "10.0.0" 60370 }, 60371 { 60372 "fixed": "10.0.2" 60373 } 60374 ], 60375 "type": "ECOSYSTEM" 60376 } 60377 ], 60378 "versions": [ 60379 "10.0.0" 60380 ] 60381 }, 60382 { 60383 "database_specific": { 60384 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-j39c-c8hj-x4j3/GHSA-j39c-c8hj-x4j3.json" 60385 }, 60386 "package": { 60387 "ecosystem": "Maven", 60388 
"name": "org.apache.tomcat.embed:tomcat-embed-core", 60389 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 60390 }, 60391 "ranges": [ 60392 { 60393 "events": [ 60394 { 60395 "introduced": "9.0.0" 60396 }, 60397 { 60398 "fixed": "9.0.43" 60399 } 60400 ], 60401 "type": "ECOSYSTEM" 60402 } 60403 ], 60404 "versions": [ 60405 "9.0.1", 60406 "9.0.10", 60407 "9.0.11", 60408 "9.0.12", 60409 "9.0.13", 60410 "9.0.14", 60411 "9.0.16", 60412 "9.0.17", 60413 "9.0.19", 60414 "9.0.2", 60415 "9.0.20", 60416 "9.0.21", 60417 "9.0.22", 60418 "9.0.24", 60419 "9.0.26", 60420 "9.0.27", 60421 "9.0.29", 60422 "9.0.30", 60423 "9.0.31", 60424 "9.0.33", 60425 "9.0.34", 60426 "9.0.35", 60427 "9.0.36", 60428 "9.0.37", 60429 "9.0.38", 60430 "9.0.39", 60431 "9.0.4", 60432 "9.0.40", 60433 "9.0.41", 60434 "9.0.5", 60435 "9.0.6", 60436 "9.0.7", 60437 "9.0.8" 60438 ] 60439 }, 60440 { 60441 "database_specific": { 60442 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-j39c-c8hj-x4j3/GHSA-j39c-c8hj-x4j3.json" 60443 }, 60444 "package": { 60445 "ecosystem": "Maven", 60446 "name": "org.apache.tomcat.embed:tomcat-embed-core", 60447 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 60448 }, 60449 "ranges": [ 60450 { 60451 "events": [ 60452 { 60453 "introduced": "8.5.0" 60454 }, 60455 { 60456 "fixed": "8.5.63" 60457 } 60458 ], 60459 "type": "ECOSYSTEM" 60460 } 60461 ], 60462 "versions": [ 60463 "8.5.0", 60464 "8.5.11", 60465 "8.5.12", 60466 "8.5.13", 60467 "8.5.14", 60468 "8.5.15", 60469 "8.5.16", 60470 "8.5.19", 60471 "8.5.2", 60472 "8.5.20", 60473 "8.5.21", 60474 "8.5.23", 60475 "8.5.24", 60476 "8.5.27", 60477 "8.5.28", 60478 "8.5.29", 60479 "8.5.3", 60480 "8.5.30", 60481 "8.5.31", 60482 "8.5.32", 60483 "8.5.33", 60484 "8.5.34", 60485 "8.5.35", 60486 "8.5.37", 60487 "8.5.38", 60488 "8.5.39", 60489 "8.5.4", 60490 "8.5.40", 60491 "8.5.41", 60492 "8.5.42", 60493 "8.5.43", 60494 "8.5.45", 60495 "8.5.46", 60496 "8.5.47", 60497 
"8.5.49", 60498 "8.5.5", 60499 "8.5.50", 60500 "8.5.51", 60501 "8.5.53", 60502 "8.5.54", 60503 "8.5.55", 60504 "8.5.56", 60505 "8.5.57", 60506 "8.5.58", 60507 "8.5.59", 60508 "8.5.6", 60509 "8.5.60", 60510 "8.5.61", 60511 "8.5.8", 60512 "8.5.9" 60513 ] 60514 } 60515 ], 60516 "aliases": [ 60517 "BIT-tomcat-2021-25122", 60518 "CVE-2021-25122" 60519 ], 60520 "database_specific": { 60521 "cwe_ids": [ 60522 "CWE-200" 60523 ], 60524 "github_reviewed": true, 60525 "github_reviewed_at": "2021-03-24T19:53:13Z", 60526 "nvd_published_at": "2021-03-01T12:15:00Z", 60527 "severity": "HIGH" 60528 }, 60529 "details": "When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.", 60530 "id": "GHSA-j39c-c8hj-x4j3", 60531 "modified": "2024-02-19T05:31:44.331997Z", 60532 "published": "2021-06-16T17:45:29Z", 60533 "references": [ 60534 { 60535 "type": "ADVISORY", 60536 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25122" 60537 }, 60538 { 60539 "type": "WEB", 60540 "url": "https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cannounce.tomcat.apache.org%3E" 60541 }, 60542 { 60543 "type": "WEB", 60544 "url": "https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cannounce.apache.org%3E" 60545 }, 60546 { 60547 "type": "WEB", 60548 "url": "https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cannounce.tomcat.apache.org%3E" 60549 }, 60550 { 60551 "type": "WEB", 60552 "url": "https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cdev.tomcat.apache.org%3E" 60553 }, 60554 { 60555 "type": "WEB", 60556 "url": 
"https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cusers.tomcat.apache.org%3E" 60557 }, 60558 { 60559 "type": "WEB", 60560 "url": "https://lists.apache.org/thread.html/rcd90bf36b1877e1310b87ecd14ed7bbb15da52b297efd9f0e7253a3b@%3Cusers.tomcat.apache.org%3E" 60561 }, 60562 { 60563 "type": "WEB", 60564 "url": "https://lists.apache.org/thread.html/rd0463f9a5cbc02a485404c4b990f0da452e5ac5c237808edba11c947@%3Cusers.tomcat.apache.org%3E" 60565 }, 60566 { 60567 "type": "WEB", 60568 "url": "https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E" 60569 }, 60570 { 60571 "type": "WEB", 60572 "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html" 60573 }, 60574 { 60575 "type": "WEB", 60576 "url": "https://security.gentoo.org/glsa/202208-34" 60577 }, 60578 { 60579 "type": "WEB", 60580 "url": "https://security.netapp.com/advisory/ntap-20210409-0002" 60581 }, 60582 { 60583 "type": "WEB", 60584 "url": "https://www.debian.org/security/2021/dsa-4891" 60585 }, 60586 { 60587 "type": "WEB", 60588 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 60589 }, 60590 { 60591 "type": "WEB", 60592 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 60593 }, 60594 { 60595 "type": "WEB", 60596 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 60597 }, 60598 { 60599 "type": "WEB", 60600 "url": "http://www.openwall.com/lists/oss-security/2021/03/01/1" 60601 } 60602 ], 60603 "related": [ 60604 "CGA-vhqv-jhjv-679r" 60605 ], 60606 "schema_version": "1.6.0", 60607 "severity": [ 60608 { 60609 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 60610 "type": "CVSS_V3" 60611 } 60612 ], 60613 "summary": "Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat" 60614 }, 60615 { 60616 "affected": [ 60617 { 60618 "database_specific": { 60619 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-jgwr-3qm3-26f3/GHSA-jgwr-3qm3-26f3.json" 60620 }, 60621 "package": { 60622 "ecosystem": "Maven", 60623 "name": "org.apache.tomcat.embed:tomcat-embed-core", 60624 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 60625 }, 60626 "ranges": [ 60627 { 60628 "events": [ 60629 { 60630 "introduced": "10.0.0-M1" 60631 }, 60632 { 60633 "fixed": "10.0.2" 60634 } 60635 ], 60636 "type": "ECOSYSTEM" 60637 } 60638 ], 60639 "versions": [ 60640 "10.0.0", 60641 "10.0.0-M1", 60642 "10.0.0-M10", 60643 "10.0.0-M3", 60644 "10.0.0-M4", 60645 "10.0.0-M5", 60646 "10.0.0-M6", 60647 "10.0.0-M7", 60648 "10.0.0-M8", 60649 "10.0.0-M9" 60650 ] 60651 }, 60652 { 60653 "database_specific": { 60654 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-jgwr-3qm3-26f3/GHSA-jgwr-3qm3-26f3.json" 60655 }, 60656 "package": { 60657 "ecosystem": "Maven", 60658 "name": "org.apache.tomcat.embed:tomcat-embed-core", 60659 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 60660 }, 60661 "ranges": [ 60662 { 60663 "events": [ 60664 { 60665 "introduced": "9.0.0" 60666 }, 60667 { 60668 "fixed": "9.0.41" 60669 } 60670 ], 60671 "type": "ECOSYSTEM" 60672 } 60673 ], 60674 "versions": [ 60675 "9.0.1", 60676 "9.0.10", 60677 "9.0.11", 60678 "9.0.12", 60679 "9.0.13", 60680 "9.0.14", 60681 "9.0.16", 60682 "9.0.17", 60683 "9.0.19", 60684 "9.0.2", 60685 "9.0.20", 60686 "9.0.21", 60687 "9.0.22", 60688 "9.0.24", 60689 "9.0.26", 60690 "9.0.27", 60691 "9.0.29", 60692 "9.0.30", 60693 "9.0.31", 60694 "9.0.33", 60695 "9.0.34", 60696 "9.0.35", 60697 "9.0.36", 60698 "9.0.37", 60699 "9.0.38", 60700 "9.0.39", 60701 "9.0.4", 60702 "9.0.40", 60703 "9.0.5", 60704 "9.0.6", 60705 "9.0.7", 60706 "9.0.8" 60707 ] 60708 }, 60709 { 60710 "database_specific": { 60711 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-jgwr-3qm3-26f3/GHSA-jgwr-3qm3-26f3.json" 60712 }, 60713 "package": { 60714 "ecosystem": "Maven", 60715 "name": "org.apache.tomcat.embed:tomcat-embed-core", 60716 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 60717 }, 60718 "ranges": [ 60719 { 60720 "events": [ 60721 { 60722 "introduced": "8.0.0" 60723 }, 60724 { 60725 "fixed": "8.5.61" 60726 } 60727 ], 60728 "type": "ECOSYSTEM" 60729 } 60730 ], 60731 "versions": [ 60732 "8.0.1", 60733 "8.0.11", 60734 "8.0.12", 60735 "8.0.14", 60736 "8.0.15", 60737 "8.0.17", 60738 "8.0.18", 60739 "8.0.20", 60740 "8.0.21", 60741 "8.0.22", 60742 "8.0.23", 60743 "8.0.24", 60744 "8.0.26", 60745 "8.0.27", 60746 "8.0.28", 60747 "8.0.29", 60748 "8.0.3", 60749 "8.0.30", 60750 "8.0.32", 60751 "8.0.33", 60752 "8.0.35", 60753 "8.0.36", 60754 "8.0.37", 60755 "8.0.38", 60756 "8.0.39", 60757 "8.0.41", 60758 "8.0.42", 60759 "8.0.43", 60760 "8.0.44", 60761 "8.0.45", 60762 "8.0.46", 60763 "8.0.47", 60764 "8.0.48", 60765 "8.0.49", 60766 "8.0.5", 60767 "8.0.50", 60768 "8.0.51", 60769 "8.0.52", 60770 "8.0.53", 60771 "8.0.8", 60772 "8.0.9", 60773 "8.5.0", 60774 "8.5.11", 60775 "8.5.12", 60776 "8.5.13", 60777 "8.5.14", 60778 "8.5.15", 60779 "8.5.16", 60780 "8.5.19", 60781 "8.5.2", 60782 "8.5.20", 60783 "8.5.21", 60784 "8.5.23", 60785 "8.5.24", 60786 "8.5.27", 60787 "8.5.28", 60788 "8.5.29", 60789 "8.5.3", 60790 "8.5.30", 60791 "8.5.31", 60792 "8.5.32", 60793 "8.5.33", 60794 "8.5.34", 60795 "8.5.35", 60796 "8.5.37", 60797 "8.5.38", 60798 "8.5.39", 60799 "8.5.4", 60800 "8.5.40", 60801 "8.5.41", 60802 "8.5.42", 60803 "8.5.43", 60804 "8.5.45", 60805 "8.5.46", 60806 "8.5.47", 60807 "8.5.49", 60808 "8.5.5", 60809 "8.5.50", 60810 "8.5.51", 60811 "8.5.53", 60812 "8.5.54", 60813 "8.5.55", 60814 "8.5.56", 60815 "8.5.57", 60816 "8.5.58", 60817 "8.5.59", 60818 "8.5.6", 60819 "8.5.60", 60820 "8.5.8", 60821 "8.5.9" 60822 ] 60823 }, 60824 { 60825 
"database_specific": { 60826 "last_known_affected_version_range": "\u003c 7.0.107", 60827 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-jgwr-3qm3-26f3/GHSA-jgwr-3qm3-26f3.json" 60828 }, 60829 "package": { 60830 "ecosystem": "Maven", 60831 "name": "org.apache.tomcat.embed:tomcat-embed-core", 60832 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 60833 }, 60834 "ranges": [ 60835 { 60836 "events": [ 60837 { 60838 "introduced": "7.0.0" 60839 }, 60840 { 60841 "fixed": "7.0.108" 60842 } 60843 ], 60844 "type": "ECOSYSTEM" 60845 } 60846 ], 60847 "versions": [ 60848 "7.0.0", 60849 "7.0.100", 60850 "7.0.103", 60851 "7.0.104", 60852 "7.0.105", 60853 "7.0.106", 60854 "7.0.107", 60855 "7.0.11", 60856 "7.0.12", 60857 "7.0.14", 60858 "7.0.16", 60859 "7.0.19", 60860 "7.0.2", 60861 "7.0.20", 60862 "7.0.21", 60863 "7.0.22", 60864 "7.0.23", 60865 "7.0.25", 60866 "7.0.26", 60867 "7.0.27", 60868 "7.0.28", 60869 "7.0.29", 60870 "7.0.30", 60871 "7.0.32", 60872 "7.0.33", 60873 "7.0.34", 60874 "7.0.35", 60875 "7.0.37", 60876 "7.0.39", 60877 "7.0.4", 60878 "7.0.40", 60879 "7.0.41", 60880 "7.0.42", 60881 "7.0.47", 60882 "7.0.5", 60883 "7.0.50", 60884 "7.0.52", 60885 "7.0.53", 60886 "7.0.54", 60887 "7.0.55", 60888 "7.0.56", 60889 "7.0.57", 60890 "7.0.59", 60891 "7.0.6", 60892 "7.0.61", 60893 "7.0.62", 60894 "7.0.63", 60895 "7.0.64", 60896 "7.0.65", 60897 "7.0.67", 60898 "7.0.68", 60899 "7.0.69", 60900 "7.0.70", 60901 "7.0.72", 60902 "7.0.73", 60903 "7.0.75", 60904 "7.0.76", 60905 "7.0.77", 60906 "7.0.78", 60907 "7.0.79", 60908 "7.0.8", 60909 "7.0.81", 60910 "7.0.82", 60911 "7.0.84", 60912 "7.0.85", 60913 "7.0.86", 60914 "7.0.88", 60915 "7.0.90", 60916 "7.0.91", 60917 "7.0.92", 60918 "7.0.93", 60919 "7.0.94", 60920 "7.0.96", 60921 "7.0.99" 60922 ] 60923 } 60924 ], 60925 "aliases": [ 60926 "BIT-tomcat-2021-25329", 60927 "CVE-2021-25329" 60928 ], 60929 "database_specific": { 60930 "cwe_ids": [ 60931 "CWE-502" 60932 ], 60933 
"github_reviewed": true, 60934 "github_reviewed_at": "2021-03-19T20:10:56Z", 60935 "nvd_published_at": "2021-03-01T12:15:00Z", 60936 "severity": "HIGH" 60937 }, 60938 "details": "The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0 to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.", 60939 "id": "GHSA-jgwr-3qm3-26f3", 60940 "modified": "2024-03-08T05:18:06.945365Z", 60941 "published": "2021-03-19T20:11:13Z", 60942 "references": [ 60943 { 60944 "type": "ADVISORY", 60945 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25329" 60946 }, 60947 { 60948 "type": "WEB", 60949 "url": "https://github.com/apache/tomcat/commit/6d66e99ef85da93e4d2c2a536ca51aa3418bfaf4" 60950 }, 60951 { 60952 "type": "WEB", 60953 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 60954 }, 60955 { 60956 "type": "WEB", 60957 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 60958 }, 60959 { 60960 "type": "WEB", 60961 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 60962 }, 60963 { 60964 "type": "WEB", 60965 "url": "https://www.debian.org/security/2021/dsa-4891" 60966 }, 60967 { 60968 "type": "WEB", 60969 "url": "https://security.netapp.com/advisory/ntap-20210409-0002" 60970 }, 60971 { 60972 "type": "WEB", 60973 "url": "https://security.gentoo.org/glsa/202208-34" 60974 }, 60975 { 60976 "type": "WEB", 60977 "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html" 60978 }, 60979 { 60980 "type": "WEB", 60981 "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cusers.tomcat.apache.org%3E" 60982 }, 60983 { 60984 "type": "WEB", 60985 "url": 
"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cdev.tomcat.apache.org%3E" 60986 }, 60987 { 60988 "type": "WEB", 60989 "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.tomcat.apache.org%3E" 60990 }, 60991 { 60992 "type": "WEB", 60993 "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.apache.org%3E" 60994 }, 60995 { 60996 "type": "WEB", 60997 "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E" 60998 }, 60999 { 61000 "type": "WEB", 61001 "url": "https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E" 61002 }, 61003 { 61004 "type": "WEB", 61005 "url": "https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f@%3Cusers.tomcat.apache.org%3E" 61006 }, 61007 { 61008 "type": "WEB", 61009 "url": "https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc@%3Cusers.tomcat.apache.org%3E" 61010 }, 61011 { 61012 "type": "WEB", 61013 "url": "https://lists.apache.org/thread.html/r732b2ca289dc02df2de820e8775559abd6c207f159e39f559547a085@%3Cusers.tomcat.apache.org%3E" 61014 }, 61015 { 61016 "type": "WEB", 61017 "url": "https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77@%3Cusers.tomcat.apache.org%3E" 61018 }, 61019 { 61020 "type": "PACKAGE", 61021 "url": "https://github.com/apache/tomcat" 61022 }, 61023 { 61024 "type": "WEB", 61025 "url": "http://www.openwall.com/lists/oss-security/2021/03/01/2" 61026 } 61027 ], 61028 "related": [ 61029 "CGA-457j-5q26-g4hx" 61030 ], 61031 "schema_version": "1.6.0", 61032 "severity": [ 61033 { 61034 "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", 61035 "type": "CVSS_V3" 61036 } 61037 ], 61038 
"summary": "Potential remote code execution in Apache Tomcat" 61039 }, 61040 { 61041 "affected": [ 61042 { 61043 "database_specific": { 61044 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-jjpq-gp5q-8q6w/GHSA-jjpq-gp5q-8q6w.json" 61045 }, 61046 "package": { 61047 "ecosystem": "Maven", 61048 "name": "org.apache.tomcat.embed:tomcat-embed-core", 61049 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 61050 }, 61051 "ranges": [ 61052 { 61053 "events": [ 61054 { 61055 "introduced": "9.0.0" 61056 }, 61057 { 61058 "fixed": "9.0.17" 61059 } 61060 ], 61061 "type": "ECOSYSTEM" 61062 } 61063 ], 61064 "versions": [ 61065 "9.0.1", 61066 "9.0.10", 61067 "9.0.11", 61068 "9.0.12", 61069 "9.0.13", 61070 "9.0.14", 61071 "9.0.16", 61072 "9.0.2", 61073 "9.0.4", 61074 "9.0.5", 61075 "9.0.6", 61076 "9.0.7", 61077 "9.0.8" 61078 ] 61079 }, 61080 { 61081 "database_specific": { 61082 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-jjpq-gp5q-8q6w/GHSA-jjpq-gp5q-8q6w.json" 61083 }, 61084 "package": { 61085 "ecosystem": "Maven", 61086 "name": "org.apache.tomcat.embed:tomcat-embed-core", 61087 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 61088 }, 61089 "ranges": [ 61090 { 61091 "events": [ 61092 { 61093 "introduced": "8.0.0" 61094 }, 61095 { 61096 "fixed": "8.5.40" 61097 } 61098 ], 61099 "type": "ECOSYSTEM" 61100 } 61101 ], 61102 "versions": [ 61103 "8.0.1", 61104 "8.0.11", 61105 "8.0.12", 61106 "8.0.14", 61107 "8.0.15", 61108 "8.0.17", 61109 "8.0.18", 61110 "8.0.20", 61111 "8.0.21", 61112 "8.0.22", 61113 "8.0.23", 61114 "8.0.24", 61115 "8.0.26", 61116 "8.0.27", 61117 "8.0.28", 61118 "8.0.29", 61119 "8.0.3", 61120 "8.0.30", 61121 "8.0.32", 61122 "8.0.33", 61123 "8.0.35", 61124 "8.0.36", 61125 "8.0.37", 61126 "8.0.38", 61127 "8.0.39", 61128 "8.0.41", 61129 "8.0.42", 61130 "8.0.43", 61131 "8.0.44", 61132 "8.0.45", 61133 "8.0.46", 61134 "8.0.47", 61135 
"8.0.48", 61136 "8.0.49", 61137 "8.0.5", 61138 "8.0.50", 61139 "8.0.51", 61140 "8.0.52", 61141 "8.0.53", 61142 "8.0.8", 61143 "8.0.9", 61144 "8.5.0", 61145 "8.5.11", 61146 "8.5.12", 61147 "8.5.13", 61148 "8.5.14", 61149 "8.5.15", 61150 "8.5.16", 61151 "8.5.19", 61152 "8.5.2", 61153 "8.5.20", 61154 "8.5.21", 61155 "8.5.23", 61156 "8.5.24", 61157 "8.5.27", 61158 "8.5.28", 61159 "8.5.29", 61160 "8.5.3", 61161 "8.5.30", 61162 "8.5.31", 61163 "8.5.32", 61164 "8.5.33", 61165 "8.5.34", 61166 "8.5.35", 61167 "8.5.37", 61168 "8.5.38", 61169 "8.5.39", 61170 "8.5.4", 61171 "8.5.5", 61172 "8.5.6", 61173 "8.5.8", 61174 "8.5.9" 61175 ] 61176 }, 61177 { 61178 "database_specific": { 61179 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-jjpq-gp5q-8q6w/GHSA-jjpq-gp5q-8q6w.json" 61180 }, 61181 "package": { 61182 "ecosystem": "Maven", 61183 "name": "org.apache.tomcat.embed:tomcat-embed-core", 61184 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 61185 }, 61186 "ranges": [ 61187 { 61188 "events": [ 61189 { 61190 "introduced": "7.0.0" 61191 }, 61192 { 61193 "fixed": "7.0.94" 61194 } 61195 ], 61196 "type": "ECOSYSTEM" 61197 } 61198 ], 61199 "versions": [ 61200 "7.0.0", 61201 "7.0.11", 61202 "7.0.12", 61203 "7.0.14", 61204 "7.0.16", 61205 "7.0.19", 61206 "7.0.2", 61207 "7.0.20", 61208 "7.0.21", 61209 "7.0.22", 61210 "7.0.23", 61211 "7.0.25", 61212 "7.0.26", 61213 "7.0.27", 61214 "7.0.28", 61215 "7.0.29", 61216 "7.0.30", 61217 "7.0.32", 61218 "7.0.33", 61219 "7.0.34", 61220 "7.0.35", 61221 "7.0.37", 61222 "7.0.39", 61223 "7.0.4", 61224 "7.0.40", 61225 "7.0.41", 61226 "7.0.42", 61227 "7.0.47", 61228 "7.0.5", 61229 "7.0.50", 61230 "7.0.52", 61231 "7.0.53", 61232 "7.0.54", 61233 "7.0.55", 61234 "7.0.56", 61235 "7.0.57", 61236 "7.0.59", 61237 "7.0.6", 61238 "7.0.61", 61239 "7.0.62", 61240 "7.0.63", 61241 "7.0.64", 61242 "7.0.65", 61243 "7.0.67", 61244 "7.0.68", 61245 "7.0.69", 61246 "7.0.70", 61247 "7.0.72", 61248 "7.0.73", 
61249 "7.0.75", 61250 "7.0.76", 61251 "7.0.77", 61252 "7.0.78", 61253 "7.0.79", 61254 "7.0.8", 61255 "7.0.81", 61256 "7.0.82", 61257 "7.0.84", 61258 "7.0.85", 61259 "7.0.86", 61260 "7.0.88", 61261 "7.0.90", 61262 "7.0.91", 61263 "7.0.92", 61264 "7.0.93" 61265 ] 61266 } 61267 ], 61268 "aliases": [ 61269 "CVE-2019-0221" 61270 ], 61271 "database_specific": { 61272 "cwe_ids": [ 61273 "CWE-79" 61274 ], 61275 "github_reviewed": true, 61276 "github_reviewed_at": "2019-05-30T03:30:07Z", 61277 "nvd_published_at": "2019-05-28T22:29:00Z", 61278 "severity": "MODERATE" 61279 }, 61280 "details": "The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.", 61281 "id": "GHSA-jjpq-gp5q-8q6w", 61282 "modified": "2024-03-11T14:57:09.068862Z", 61283 "published": "2019-05-30T03:30:42Z", 61284 "references": [ 61285 { 61286 "type": "ADVISORY", 61287 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0221" 61288 }, 61289 { 61290 "type": "WEB", 61291 "url": "https://github.com/apache/tomcat/commit/15fcd166ea2c1bb79e8541b8e1a43da9c452ceea" 61292 }, 61293 { 61294 "type": "WEB", 61295 "url": "https://github.com/apache/tomcat/commit/44ec74c44dcd05cd7e90967c04d40b51440ecd7e" 61296 }, 61297 { 61298 "type": "WEB", 61299 "url": "https://github.com/apache/tomcat/commit/4fcdf706f3ecf35912a600242f89637f5acb32da" 61300 }, 61301 { 61302 "type": "WEB", 61303 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46" 61304 }, 61305 { 61306 "type": "WEB", 61307 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3" 61308 }, 61309 { 61310 "type": "WEB", 61311 "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46" 61312 }, 61313 { 61314 "type": "WEB", 61315 "url": "https://seclists.org/bugtraq/2019/Dec/43" 61316 }, 61317 { 61318 "type": "WEB", 61319 "url": "https://security.gentoo.org/glsa/202003-43" 61320 }, 61321 { 61322 "type": "WEB", 61323 "url": "https://security.netapp.com/advisory/ntap-20190606-0001" 61324 }, 61325 { 61326 "type": "WEB", 61327 "url": "https://support.f5.com/csp/article/K13184144?utm_source=f5support\u0026amp%3Butm_medium=RSS" 61328 }, 61329 { 61330 "type": "WEB", 61331 "url": "https://support.f5.com/csp/article/K13184144?utm_source=f5support\u0026amp;utm_medium=RSS" 61332 }, 61333 { 61334 "type": "WEB", 61335 "url": "https://tomcat.apache.org/security-7.html" 61336 }, 61337 { 61338 "type": "WEB", 61339 "url": "https://tomcat.apache.org/security-8.html" 61340 }, 61341 { 61342 "type": "WEB", 61343 "url": "https://tomcat.apache.org/security-9.html" 61344 }, 61345 { 61346 "type": "WEB", 61347 "url": "https://usn.ubuntu.com/4128-1" 61348 }, 61349 { 61350 "type": "WEB", 61351 "url": "https://usn.ubuntu.com/4128-2" 61352 }, 61353 { 61354 "type": "WEB", 61355 "url": "https://web.archive.org/web/20200227055048/http://www.securityfocus.com/bid/108545" 61356 }, 61357 { 61358 "type": "WEB", 61359 "url": "https://www.debian.org/security/2019/dsa-4596" 61360 }, 61361 { 61362 "type": "WEB", 61363 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 61364 }, 61365 { 61366 "type": "WEB", 61367 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 61368 }, 61369 { 61370 "type": "WEB", 61371 "url": "https://www.oracle.com/security-alerts/cpujan2020.html" 61372 }, 61373 { 61374 "type": "WEB", 61375 "url": "https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221" 61376 }, 61377 { 61378 "type": "WEB", 61379 "url": "https://access.redhat.com/errata/RHSA-2019:3929" 61380 }, 
61381 { 61382 "type": "WEB", 61383 "url": "https://access.redhat.com/errata/RHSA-2019:3931" 61384 }, 61385 { 61386 "type": "PACKAGE", 61387 "url": "https://github.com/apache/tomcat" 61388 }, 61389 { 61390 "type": "WEB", 61391 "url": "https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E" 61392 }, 61393 { 61394 "type": "WEB", 61395 "url": "https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c@%3Cannounce.tomcat.apache.org%3E" 61396 }, 61397 { 61398 "type": "WEB", 61399 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" 61400 }, 61401 { 61402 "type": "WEB", 61403 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" 61404 }, 61405 { 61406 "type": "WEB", 61407 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" 61408 }, 61409 { 61410 "type": "WEB", 61411 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" 61412 }, 61413 { 61414 "type": "WEB", 61415 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" 61416 }, 61417 { 61418 "type": "WEB", 61419 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" 61420 }, 61421 { 61422 "type": "WEB", 61423 "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E" 61424 }, 61425 { 61426 "type": "WEB", 61427 "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E" 61428 }, 61429 { 61430 "type": "WEB", 61431 
"url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" 61432 }, 61433 { 61434 "type": "WEB", 61435 "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" 61436 }, 61437 { 61438 "type": "WEB", 61439 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" 61440 }, 61441 { 61442 "type": "WEB", 61443 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" 61444 }, 61445 { 61446 "type": "WEB", 61447 "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html" 61448 }, 61449 { 61450 "type": "WEB", 61451 "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html" 61452 }, 61453 { 61454 "type": "WEB", 61455 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3" 61456 }, 61457 { 61458 "type": "WEB", 61459 "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html" 61460 }, 61461 { 61462 "type": "WEB", 61463 "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html" 61464 }, 61465 { 61466 "type": "WEB", 61467 "url": "http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html" 61468 }, 61469 { 61470 "type": "WEB", 61471 "url": "http://seclists.org/fulldisclosure/2019/May/50" 61472 } 61473 ], 61474 "schema_version": "1.6.0", 61475 "severity": [ 61476 { 61477 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 61478 "type": "CVSS_V3" 61479 } 61480 ], 61481 "summary": "Cross-site scripting in Apache Tomcat" 61482 }, 61483 { 61484 "affected": [ 61485 { 61486 "database_specific": { 61487 "last_known_affected_version_range": "\u003c= 9.0.4", 61488 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-jx6h-3fjx-cgv5/GHSA-jx6h-3fjx-cgv5.json" 61489 }, 61490 "package": { 61491 "ecosystem": "Maven", 61492 "name": "org.apache.tomcat.embed:tomcat-embed-core", 61493 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 61494 }, 61495 "ranges": [ 61496 { 61497 "events": [ 61498 { 61499 "introduced": "9.0.0M1" 61500 }, 61501 { 61502 "fixed": "9.0.5" 61503 } 61504 ], 61505 "type": "ECOSYSTEM" 61506 } 61507 ], 61508 "versions": [ 61509 "9.0.0.M1", 61510 "9.0.0.M10", 61511 "9.0.0.M11", 61512 "9.0.0.M13", 61513 "9.0.0.M15", 61514 "9.0.0.M17", 61515 "9.0.0.M18", 61516 "9.0.0.M19", 61517 "9.0.0.M20", 61518 "9.0.0.M21", 61519 "9.0.0.M22", 61520 "9.0.0.M25", 61521 "9.0.0.M26", 61522 "9.0.0.M27", 61523 "9.0.0.M3", 61524 "9.0.0.M4", 61525 "9.0.0.M6", 61526 "9.0.0.M8", 61527 "9.0.0.M9", 61528 "9.0.1", 61529 "9.0.2", 61530 "9.0.4" 61531 ] 61532 }, 61533 { 61534 "database_specific": { 61535 "last_known_affected_version_range": "\u003c= 8.5.27", 61536 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-jx6h-3fjx-cgv5/GHSA-jx6h-3fjx-cgv5.json" 61537 }, 61538 "package": { 61539 "ecosystem": "Maven", 61540 "name": "org.apache.tomcat.embed:tomcat-embed-core", 61541 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 61542 }, 61543 "ranges": [ 61544 { 61545 "events": [ 61546 { 61547 "introduced": "8.5.0" 61548 }, 61549 { 61550 "fixed": "8.5.28" 61551 } 61552 ], 61553 "type": "ECOSYSTEM" 61554 } 61555 ], 61556 "versions": [ 61557 "8.5.0", 61558 "8.5.11", 61559 "8.5.12", 61560 "8.5.13", 61561 "8.5.14", 61562 "8.5.15", 61563 "8.5.16", 61564 "8.5.19", 61565 "8.5.2", 61566 "8.5.20", 61567 "8.5.21", 61568 "8.5.23", 61569 "8.5.24", 61570 "8.5.27", 61571 "8.5.3", 61572 "8.5.4", 61573 "8.5.5", 61574 "8.5.6", 61575 "8.5.8", 61576 "8.5.9" 61577 ] 61578 }, 61579 { 61580 "database_specific": { 61581 "last_known_affected_version_range": 
"\u003c= 7.0.84", 61582 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-jx6h-3fjx-cgv5/GHSA-jx6h-3fjx-cgv5.json" 61583 }, 61584 "package": { 61585 "ecosystem": "Maven", 61586 "name": "org.apache.tomcat.embed:tomcat-embed-core", 61587 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 61588 }, 61589 "ranges": [ 61590 { 61591 "events": [ 61592 { 61593 "introduced": "7.0.0" 61594 }, 61595 { 61596 "fixed": "7.0.85" 61597 } 61598 ], 61599 "type": "ECOSYSTEM" 61600 } 61601 ], 61602 "versions": [ 61603 "7.0.0", 61604 "7.0.11", 61605 "7.0.12", 61606 "7.0.14", 61607 "7.0.16", 61608 "7.0.19", 61609 "7.0.2", 61610 "7.0.20", 61611 "7.0.21", 61612 "7.0.22", 61613 "7.0.23", 61614 "7.0.25", 61615 "7.0.26", 61616 "7.0.27", 61617 "7.0.28", 61618 "7.0.29", 61619 "7.0.30", 61620 "7.0.32", 61621 "7.0.33", 61622 "7.0.34", 61623 "7.0.35", 61624 "7.0.37", 61625 "7.0.39", 61626 "7.0.4", 61627 "7.0.40", 61628 "7.0.41", 61629 "7.0.42", 61630 "7.0.47", 61631 "7.0.5", 61632 "7.0.50", 61633 "7.0.52", 61634 "7.0.53", 61635 "7.0.54", 61636 "7.0.55", 61637 "7.0.56", 61638 "7.0.57", 61639 "7.0.59", 61640 "7.0.6", 61641 "7.0.61", 61642 "7.0.62", 61643 "7.0.63", 61644 "7.0.64", 61645 "7.0.65", 61646 "7.0.67", 61647 "7.0.68", 61648 "7.0.69", 61649 "7.0.70", 61650 "7.0.72", 61651 "7.0.73", 61652 "7.0.75", 61653 "7.0.76", 61654 "7.0.77", 61655 "7.0.78", 61656 "7.0.79", 61657 "7.0.8", 61658 "7.0.81", 61659 "7.0.82", 61660 "7.0.84" 61661 ] 61662 } 61663 ], 61664 "aliases": [ 61665 "CVE-2018-1305" 61666 ], 61667 "database_specific": { 61668 "cwe_ids": [], 61669 "github_reviewed": true, 61670 "github_reviewed_at": "2020-06-16T21:44:18Z", 61671 "nvd_published_at": "2018-02-23T23:29:00Z", 61672 "severity": "MODERATE" 61673 }, 61674 "details": "Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. 
Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.", 61675 "id": "GHSA-jx6h-3fjx-cgv5", 61676 "modified": "2024-03-12T05:32:21.508504Z", 61677 "published": "2018-10-17T16:31:48Z", 61678 "references": [ 61679 { 61680 "type": "ADVISORY", 61681 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1305" 61682 }, 61683 { 61684 "type": "WEB", 61685 "url": "https://github.com/apache/tomcat/commit/2349801827f09fb6582a8afdeca704294106ad9a" 61686 }, 61687 { 61688 "type": "WEB", 61689 "url": "https://github.com/apache/tomcat/commit/2aac69f694d42d9219eb27018b3da0ae1bdd73ab" 61690 }, 61691 { 61692 "type": "WEB", 61693 "url": "https://github.com/apache/tomcat/commit/3e54b2a6314eda11617ff7a7b899c251e222b1a1" 61694 }, 61695 { 61696 "type": "WEB", 61697 "url": "https://github.com/apache/tomcat/commit/4d637bc3986e5d09b9363e2144b8ba74fa6eac3a" 61698 }, 61699 { 61700 "type": "WEB", 61701 "url": "https://github.com/apache/tomcat/commit/c63b96d72cd39287e17b2ba698f4eee0ba508073" 61702 }, 61703 { 61704 "type": "WEB", 61705 "url": "https://github.com/apache/tomcat/commit/de6b4fd58b64828f374503b9ec76a12017b92895" 61706 }, 61707 { 61708 "type": "WEB", 61709 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" 61710 }, 61711 { 61712 "type": "WEB", 61713 "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" 61714 }, 61715 { 61716 "type": "WEB", 61717 "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" 61718 }, 61719 { 61720 "type": "WEB", 61721 "url": 
"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" 61722 }, 61723 { 61724 "type": "WEB", 61725 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" 61726 }, 61727 { 61728 "type": "WEB", 61729 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" 61730 }, 61731 { 61732 "type": "WEB", 61733 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" 61734 }, 61735 { 61736 "type": "WEB", 61737 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" 61738 }, 61739 { 61740 "type": "WEB", 61741 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" 61742 }, 61743 { 61744 "type": "WEB", 61745 "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" 61746 }, 61747 { 61748 "type": "WEB", 61749 "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E" 61750 }, 61751 { 61752 "type": "WEB", 61753 "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E" 61754 }, 61755 { 61756 "type": "WEB", 61757 "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E" 61758 }, 61759 { 61760 "type": "WEB", 61761 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" 61762 }, 61763 { 61764 "type": "WEB", 61765 "url": 
"https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html" 61766 }, 61767 { 61768 "type": "WEB", 61769 "url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html" 61770 }, 61771 { 61772 "type": "WEB", 61773 "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html" 61774 }, 61775 { 61776 "type": "WEB", 61777 "url": "https://security.netapp.com/advisory/ntap-20180706-0001" 61778 }, 61779 { 61780 "type": "WEB", 61781 "url": "https://usn.ubuntu.com/3665-1" 61782 }, 61783 { 61784 "type": "WEB", 61785 "url": "https://web.archive.org/web/20200227030042/http://www.securityfocus.com/bid/103144" 61786 }, 61787 { 61788 "type": "WEB", 61789 "url": "https://web.archive.org/web/20200516094320/http://www.securitytracker.com/id/1040428" 61790 }, 61791 { 61792 "type": "WEB", 61793 "url": "https://www.debian.org/security/2018/dsa-4281" 61794 }, 61795 { 61796 "type": "WEB", 61797 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 61798 }, 61799 { 61800 "type": "WEB", 61801 "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" 61802 }, 61803 { 61804 "type": "WEB", 61805 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 61806 }, 61807 { 61808 "type": "WEB", 61809 "url": "https://access.redhat.com/errata/RHSA-2018:0465" 61810 }, 61811 { 61812 "type": "WEB", 61813 "url": "https://access.redhat.com/errata/RHSA-2018:0466" 61814 }, 61815 { 61816 "type": "WEB", 61817 "url": "https://access.redhat.com/errata/RHSA-2018:1320" 61818 }, 61819 { 61820 "type": "WEB", 61821 "url": "https://access.redhat.com/errata/RHSA-2018:2939" 61822 }, 61823 { 61824 "type": "WEB", 61825 "url": "https://access.redhat.com/errata/RHSA-2019:2205" 61826 }, 61827 { 61828 "type": "PACKAGE", 61829 "url": "https://github.com/apache/tomcat" 61830 }, 61831 { 61832 "type": "WEB", 61833 "url": 
"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E" 61834 }, 61835 { 61836 "type": "WEB", 61837 "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" 61838 }, 61839 { 61840 "type": "WEB", 61841 "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E" 61842 }, 61843 { 61844 "type": "WEB", 61845 "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" 61846 }, 61847 { 61848 "type": "WEB", 61849 "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E" 61850 }, 61851 { 61852 "type": "WEB", 61853 "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" 61854 }, 61855 { 61856 "type": "WEB", 61857 "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E" 61858 }, 61859 { 61860 "type": "WEB", 61861 "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" 61862 }, 61863 { 61864 "type": "WEB", 61865 "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E" 61866 }, 61867 { 61868 "type": "WEB", 61869 "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" 61870 }, 61871 { 61872 "type": "WEB", 61873 "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" 61874 }, 61875 { 61876 "type": "WEB", 61877 "url": 
"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" 61878 }, 61879 { 61880 "type": "WEB", 61881 "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E" 61882 }, 61883 { 61884 "type": "WEB", 61885 "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" 61886 }, 61887 { 61888 "type": "WEB", 61889 "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" 61890 }, 61891 { 61892 "type": "WEB", 61893 "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" 61894 }, 61895 { 61896 "type": "WEB", 61897 "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E" 61898 }, 61899 { 61900 "type": "WEB", 61901 "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" 61902 }, 61903 { 61904 "type": "WEB", 61905 "url": "https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fdb75d12c7d16060b23e65781%40%3Cannounce.tomcat.apache.org%3E" 61906 }, 61907 { 61908 "type": "WEB", 61909 "url": "https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fdb75d12c7d16060b23e65781@%3Cannounce.tomcat.apache.org%3E" 61910 }, 61911 { 61912 "type": "WEB", 61913 "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" 61914 }, 61915 { 61916 "type": "WEB", 61917 "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" 61918 } 61919 ], 61920 "schema_version": "1.6.0", 61921 "severity": [ 61922 { 61923 "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", 61924 "type": "CVSS_V3" 61925 } 61926 ], 61927 "summary": 
"Apache Tomcat information exposure vulnerability" 61928 }, 61929 { 61930 "affected": [ 61931 { 61932 "database_specific": { 61933 "last_known_affected_version_range": "\u003c= 9.0.7", 61934 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-m59c-jpc8-m2x4/GHSA-m59c-jpc8-m2x4.json" 61935 }, 61936 "package": { 61937 "ecosystem": "Maven", 61938 "name": "org.apache.tomcat.embed:tomcat-embed-core", 61939 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 61940 }, 61941 "ranges": [ 61942 { 61943 "events": [ 61944 { 61945 "introduced": "9.0.0.M9" 61946 }, 61947 { 61948 "fixed": "9.0.8" 61949 } 61950 ], 61951 "type": "ECOSYSTEM" 61952 } 61953 ], 61954 "versions": [ 61955 "9.0.0.M10", 61956 "9.0.0.M11", 61957 "9.0.0.M13", 61958 "9.0.0.M15", 61959 "9.0.0.M17", 61960 "9.0.0.M18", 61961 "9.0.0.M19", 61962 "9.0.0.M20", 61963 "9.0.0.M21", 61964 "9.0.0.M22", 61965 "9.0.0.M25", 61966 "9.0.0.M26", 61967 "9.0.0.M27", 61968 "9.0.0.M9", 61969 "9.0.1", 61970 "9.0.2", 61971 "9.0.4", 61972 "9.0.5", 61973 "9.0.6", 61974 "9.0.7" 61975 ] 61976 }, 61977 { 61978 "database_specific": { 61979 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-m59c-jpc8-m2x4/GHSA-m59c-jpc8-m2x4.json" 61980 }, 61981 "package": { 61982 "ecosystem": "Maven", 61983 "name": "org.apache.tomcat.embed:tomcat-embed-core", 61984 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 61985 }, 61986 "ranges": [ 61987 { 61988 "events": [ 61989 { 61990 "introduced": "8.5.0" 61991 }, 61992 { 61993 "fixed": "8.5.31" 61994 } 61995 ], 61996 "type": "ECOSYSTEM" 61997 } 61998 ], 61999 "versions": [ 62000 "8.5.0", 62001 "8.5.11", 62002 "8.5.12", 62003 "8.5.13", 62004 "8.5.14", 62005 "8.5.15", 62006 "8.5.16", 62007 "8.5.19", 62008 "8.5.2", 62009 "8.5.20", 62010 "8.5.21", 62011 "8.5.23", 62012 "8.5.24", 62013 "8.5.27", 62014 "8.5.28", 62015 "8.5.29", 62016 "8.5.3", 62017 "8.5.30", 62018 "8.5.4", 62019 "8.5.5", 
62020 "8.5.6", 62021 "8.5.8", 62022 "8.5.9" 62023 ] 62024 }, 62025 { 62026 "database_specific": { 62027 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-m59c-jpc8-m2x4/GHSA-m59c-jpc8-m2x4.json" 62028 }, 62029 "package": { 62030 "ecosystem": "Maven", 62031 "name": "org.apache.tomcat.embed:tomcat-embed-core", 62032 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 62033 }, 62034 "ranges": [ 62035 { 62036 "events": [ 62037 { 62038 "introduced": "8.0.0RC1" 62039 }, 62040 { 62041 "fixed": "8.0.51" 62042 } 62043 ], 62044 "type": "ECOSYSTEM" 62045 } 62046 ], 62047 "versions": [ 62048 "8.0.0-RC1", 62049 "8.0.0-RC10", 62050 "8.0.0-RC3", 62051 "8.0.0-RC5", 62052 "8.0.1", 62053 "8.0.11", 62054 "8.0.12", 62055 "8.0.14", 62056 "8.0.15", 62057 "8.0.17", 62058 "8.0.18", 62059 "8.0.20", 62060 "8.0.21", 62061 "8.0.22", 62062 "8.0.23", 62063 "8.0.24", 62064 "8.0.26", 62065 "8.0.27", 62066 "8.0.28", 62067 "8.0.29", 62068 "8.0.3", 62069 "8.0.30", 62070 "8.0.32", 62071 "8.0.33", 62072 "8.0.35", 62073 "8.0.36", 62074 "8.0.37", 62075 "8.0.38", 62076 "8.0.39", 62077 "8.0.41", 62078 "8.0.42", 62079 "8.0.43", 62080 "8.0.44", 62081 "8.0.45", 62082 "8.0.46", 62083 "8.0.47", 62084 "8.0.48", 62085 "8.0.49", 62086 "8.0.5", 62087 "8.0.50", 62088 "8.0.8", 62089 "8.0.9" 62090 ] 62091 }, 62092 { 62093 "database_specific": { 62094 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-m59c-jpc8-m2x4/GHSA-m59c-jpc8-m2x4.json" 62095 }, 62096 "package": { 62097 "ecosystem": "Maven", 62098 "name": "org.apache.tomcat.embed:tomcat-embed-core", 62099 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 62100 }, 62101 "ranges": [ 62102 { 62103 "events": [ 62104 { 62105 "introduced": "7.0.28" 62106 }, 62107 { 62108 "fixed": "7.0.87" 62109 } 62110 ], 62111 "type": "ECOSYSTEM" 62112 } 62113 ], 62114 "versions": [ 62115 "7.0.28", 62116 "7.0.29", 62117 "7.0.30", 62118 "7.0.32", 62119 
"7.0.33", 62120 "7.0.34", 62121 "7.0.35", 62122 "7.0.37", 62123 "7.0.39", 62124 "7.0.40", 62125 "7.0.41", 62126 "7.0.42", 62127 "7.0.47", 62128 "7.0.50", 62129 "7.0.52", 62130 "7.0.53", 62131 "7.0.54", 62132 "7.0.55", 62133 "7.0.56", 62134 "7.0.57", 62135 "7.0.59", 62136 "7.0.61", 62137 "7.0.62", 62138 "7.0.63", 62139 "7.0.64", 62140 "7.0.65", 62141 "7.0.67", 62142 "7.0.68", 62143 "7.0.69", 62144 "7.0.70", 62145 "7.0.72", 62146 "7.0.73", 62147 "7.0.75", 62148 "7.0.76", 62149 "7.0.77", 62150 "7.0.78", 62151 "7.0.79", 62152 "7.0.81", 62153 "7.0.82", 62154 "7.0.84", 62155 "7.0.85", 62156 "7.0.86" 62157 ] 62158 } 62159 ], 62160 "aliases": [ 62161 "CVE-2018-1336" 62162 ], 62163 "database_specific": { 62164 "cwe_ids": [ 62165 "CWE-835" 62166 ], 62167 "github_reviewed": true, 62168 "github_reviewed_at": "2020-06-16T21:44:57Z", 62169 "nvd_published_at": "2018-08-02T14:29:00Z", 62170 "severity": "HIGH" 62171 }, 62172 "details": "An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. 
Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.", 62173 "id": "GHSA-m59c-jpc8-m2x4", 62174 "modified": "2024-03-12T05:33:41.550174Z", 62175 "published": "2018-10-17T16:32:18Z", 62176 "references": [ 62177 { 62178 "type": "ADVISORY", 62179 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1336" 62180 }, 62181 { 62182 "type": "WEB", 62183 "url": "https://github.com/apache/tomcat80/commit/9e9b7fe1b5732277a26e437f1d32155de6208ef2" 62184 }, 62185 { 62186 "type": "WEB", 62187 "url": "https://github.com/apache/tomcat/commit/e00812b94e5830b2be3de04f4ae4ade38a700074" 62188 }, 62189 { 62190 "type": "WEB", 62191 "url": "https://github.com/apache/tomcat/commit/92cd494555598e99dd691712e8ee426a2f9c2e93" 62192 }, 62193 { 62194 "type": "WEB", 62195 "url": "https://github.com/apache/tomcat/commit/156d76a6afeef440d14044a560d6ad1d029361c4" 62196 }, 62197 { 62198 "type": "WEB", 62199 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" 62200 }, 62201 { 62202 "type": "WEB", 62203 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" 62204 }, 62205 { 62206 "type": "WEB", 62207 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" 62208 }, 62209 { 62210 "type": "WEB", 62211 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" 62212 }, 62213 { 62214 "type": "WEB", 62215 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" 62216 }, 62217 { 62218 "type": "WEB", 62219 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" 62220 }, 62221 { 62222 "type": "WEB", 
62223 "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" 62224 }, 62225 { 62226 "type": "WEB", 62227 "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E" 62228 }, 62229 { 62230 "type": "WEB", 62231 "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E" 62232 }, 62233 { 62234 "type": "WEB", 62235 "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E" 62236 }, 62237 { 62238 "type": "WEB", 62239 "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" 62240 }, 62241 { 62242 "type": "WEB", 62243 "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E" 62244 }, 62245 { 62246 "type": "WEB", 62247 "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" 62248 }, 62249 { 62250 "type": "WEB", 62251 "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" 62252 }, 62253 { 62254 "type": "WEB", 62255 "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" 62256 }, 62257 { 62258 "type": "WEB", 62259 "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" 62260 }, 62261 { 62262 "type": "WEB", 62263 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" 62264 }, 62265 { 62266 "type": "WEB", 62267 "url": 
"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" 62268 }, 62269 { 62270 "type": "WEB", 62271 "url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00001.html" 62272 }, 62273 { 62274 "type": "WEB", 62275 "url": "https://security.netapp.com/advisory/ntap-20180817-0001" 62276 }, 62277 { 62278 "type": "WEB", 62279 "url": "https://support.f5.com/csp/article/K73008537?utm_source=f5support\u0026amp%3Butm_medium=RSS" 62280 }, 62281 { 62282 "type": "WEB", 62283 "url": "https://support.f5.com/csp/article/K73008537?utm_source=f5support\u0026amp;utm_medium=RSS" 62284 }, 62285 { 62286 "type": "WEB", 62287 "url": "https://usn.ubuntu.com/3723-1" 62288 }, 62289 { 62290 "type": "WEB", 62291 "url": "https://web.archive.org/web/20190703075545/http://www.securitytracker.com/id/1041375" 62292 }, 62293 { 62294 "type": "WEB", 62295 "url": "https://web.archive.org/web/20200227102810/http://www.securityfocus.com/bid/104898" 62296 }, 62297 { 62298 "type": "WEB", 62299 "url": "https://www.debian.org/security/2018/dsa-4281" 62300 }, 62301 { 62302 "type": "WEB", 62303 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 62304 }, 62305 { 62306 "type": "WEB", 62307 "url": "https://access.redhat.com/errata/RHEA-2018:2188" 62308 }, 62309 { 62310 "type": "WEB", 62311 "url": "https://access.redhat.com/errata/RHEA-2018:2189" 62312 }, 62313 { 62314 "type": "WEB", 62315 "url": "https://access.redhat.com/errata/RHSA-2018:2700" 62316 }, 62317 { 62318 "type": "WEB", 62319 "url": "https://access.redhat.com/errata/RHSA-2018:2701" 62320 }, 62321 { 62322 "type": "WEB", 62323 "url": "https://access.redhat.com/errata/RHSA-2018:2740" 62324 }, 62325 { 62326 "type": "WEB", 62327 "url": "https://access.redhat.com/errata/RHSA-2018:2741" 62328 }, 62329 { 62330 "type": "WEB", 62331 "url": "https://access.redhat.com/errata/RHSA-2018:2742" 62332 }, 62333 { 62334 "type": "WEB", 62335 "url": 
"https://access.redhat.com/errata/RHSA-2018:2743" 62336 }, 62337 { 62338 "type": "WEB", 62339 "url": "https://access.redhat.com/errata/RHSA-2018:2921" 62340 }, 62341 { 62342 "type": "WEB", 62343 "url": "https://access.redhat.com/errata/RHSA-2018:2930" 62344 }, 62345 { 62346 "type": "WEB", 62347 "url": "https://access.redhat.com/errata/RHSA-2018:2939" 62348 }, 62349 { 62350 "type": "WEB", 62351 "url": "https://access.redhat.com/errata/RHSA-2018:2945" 62352 }, 62353 { 62354 "type": "WEB", 62355 "url": "https://access.redhat.com/errata/RHSA-2018:3768" 62356 }, 62357 { 62358 "type": "PACKAGE", 62359 "url": "https://github.com/apache/tomcat" 62360 }, 62361 { 62362 "type": "WEB", 62363 "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E" 62364 }, 62365 { 62366 "type": "WEB", 62367 "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" 62368 }, 62369 { 62370 "type": "WEB", 62371 "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E" 62372 }, 62373 { 62374 "type": "WEB", 62375 "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" 62376 }, 62377 { 62378 "type": "WEB", 62379 "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E" 62380 }, 62381 { 62382 "type": "WEB", 62383 "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" 62384 }, 62385 { 62386 "type": "WEB", 62387 "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E" 62388 }, 62389 { 62390 "type": "WEB", 62391 "url": 
"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" 62392 }, 62393 { 62394 "type": "WEB", 62395 "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E" 62396 }, 62397 { 62398 "type": "WEB", 62399 "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" 62400 }, 62401 { 62402 "type": "WEB", 62403 "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" 62404 }, 62405 { 62406 "type": "WEB", 62407 "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" 62408 }, 62409 { 62410 "type": "WEB", 62411 "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E" 62412 }, 62413 { 62414 "type": "WEB", 62415 "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" 62416 }, 62417 { 62418 "type": "WEB", 62419 "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090435.GA60759%40minotaur.apache.org%3E" 62420 } 62421 ], 62422 "schema_version": "1.6.0", 62423 "severity": [ 62424 { 62425 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 62426 "type": "CVSS_V3" 62427 } 62428 ], 62429 "summary": "In Apache Tomcat there is an improper handing of overflow in the UTF-8 decoder " 62430 }, 62431 { 62432 "affected": [ 62433 { 62434 "database_specific": { 62435 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json" 62436 }, 62437 "package": { 62438 "ecosystem": "Maven", 62439 "name": "org.apache.tomcat.embed:tomcat-embed-core", 62440 "purl": 
"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 62441 }, 62442 "ranges": [ 62443 { 62444 "events": [ 62445 { 62446 "introduced": "11.0.0-M5" 62447 }, 62448 { 62449 "fixed": "11.0.0-M6" 62450 } 62451 ], 62452 "type": "ECOSYSTEM" 62453 } 62454 ], 62455 "versions": [ 62456 "11.0.0-M5" 62457 ] 62458 }, 62459 { 62460 "database_specific": { 62461 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json" 62462 }, 62463 "package": { 62464 "ecosystem": "Maven", 62465 "name": "org.apache.tomcat.embed:tomcat-embed-core", 62466 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 62467 }, 62468 "ranges": [ 62469 { 62470 "events": [ 62471 { 62472 "introduced": "10.1.8" 62473 }, 62474 { 62475 "fixed": "10.1.9" 62476 } 62477 ], 62478 "type": "ECOSYSTEM" 62479 } 62480 ], 62481 "versions": [ 62482 "10.1.8" 62483 ] 62484 }, 62485 { 62486 "database_specific": { 62487 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json" 62488 }, 62489 "package": { 62490 "ecosystem": "Maven", 62491 "name": "org.apache.tomcat.embed:tomcat-embed-core", 62492 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 62493 }, 62494 "ranges": [ 62495 { 62496 "events": [ 62497 { 62498 "introduced": "9.0.74" 62499 }, 62500 { 62501 "fixed": "9.0.75" 62502 } 62503 ], 62504 "type": "ECOSYSTEM" 62505 } 62506 ], 62507 "versions": [ 62508 "9.0.74" 62509 ] 62510 }, 62511 { 62512 "database_specific": { 62513 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json" 62514 }, 62515 "package": { 62516 "ecosystem": "Maven", 62517 "name": "org.apache.tomcat:tomcat-coyote", 62518 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 62519 }, 62520 "ranges": [ 62521 { 62522 "events": [ 62523 { 62524 "introduced": "8.5.88" 62525 }, 62526 { 
62527 "fixed": "8.5.89" 62528 } 62529 ], 62530 "type": "ECOSYSTEM" 62531 } 62532 ], 62533 "versions": [ 62534 "8.5.88" 62535 ] 62536 } 62537 ], 62538 "aliases": [ 62539 "BIT-tomcat-2023-34981", 62540 "CVE-2023-34981" 62541 ], 62542 "database_specific": { 62543 "cwe_ids": [], 62544 "github_reviewed": true, 62545 "github_reviewed_at": "2023-06-21T22:06:39Z", 62546 "nvd_published_at": "2023-06-21T11:15:09Z", 62547 "severity": "HIGH" 62548 }, 62549 "details": "A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS message would be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request leading to an information leak.", 62550 "id": "GHSA-mppv-79ch-vw6q", 62551 "modified": "2024-04-24T19:44:03Z", 62552 "published": "2023-06-21T12:30:19Z", 62553 "references": [ 62554 { 62555 "type": "ADVISORY", 62556 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34981" 62557 }, 62558 { 62559 "type": "WEB", 62560 "url": "https://github.com/apache/tomcat/commit/2214c8030522aa9b2a367dfa5d9acff1a03666ae" 62561 }, 62562 { 62563 "type": "WEB", 62564 "url": "https://github.com/apache/tomcat/commit/2f0ca2378415f4cf0748f4bc8fa955f41f803fa5" 62565 }, 62566 { 62567 "type": "WEB", 62568 "url": "https://github.com/apache/tomcat/commit/739c7381aed22b7636351caf885ddc519ab6b442" 62569 }, 62570 { 62571 "type": "WEB", 62572 "url": "https://github.com/apache/tomcat/commit/f0742f47b98aca943097f7f88e0d1163f57527e3" 62573 }, 62574 { 62575 "type": "WEB", 62576 "url": "https://bz.apache.org/bugzilla/show_bug.cgi?id=66512" 62577 }, 62578 { 62579 "type": "WEB", 62580 "url": "https://bz.apache.org/bugzilla/show_bug.cgi?id=66591" 62581 }, 62582 { 62583 "type": "PACKAGE", 62584 "url": "https://github.com/apache/tomcat" 62585 }, 62586 { 62587 "type": "WEB", 62588 "url": 
"https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz" 62589 }, 62590 { 62591 "type": "WEB", 62592 "url": "https://security.netapp.com/advisory/ntap-20230714-0003" 62593 }, 62594 { 62595 "type": "WEB", 62596 "url": "https://tomcat.apache.org/security-10.html" 62597 }, 62598 { 62599 "type": "WEB", 62600 "url": "https://tomcat.apache.org/security-11.html" 62601 }, 62602 { 62603 "type": "WEB", 62604 "url": "https://tomcat.apache.org/security-8.html" 62605 }, 62606 { 62607 "type": "WEB", 62608 "url": "https://tomcat.apache.org/security-9.html" 62609 } 62610 ], 62611 "schema_version": "1.6.0", 62612 "severity": [ 62613 { 62614 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 62615 "type": "CVSS_V3" 62616 } 62617 ], 62618 "summary": "Apache Tomcat vulnerable to information leak" 62619 }, 62620 { 62621 "affected": [ 62622 { 62623 "database_specific": { 62624 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json" 62625 }, 62626 "package": { 62627 "ecosystem": "Maven", 62628 "name": "org.apache.tomcat.embed:tomcat-embed-core", 62629 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 62630 }, 62631 "ranges": [ 62632 { 62633 "events": [ 62634 { 62635 "introduced": "8.5.0" 62636 }, 62637 { 62638 "fixed": "8.5.83" 62639 } 62640 ], 62641 "type": "ECOSYSTEM" 62642 } 62643 ], 62644 "versions": [ 62645 "8.5.0", 62646 "8.5.11", 62647 "8.5.12", 62648 "8.5.13", 62649 "8.5.14", 62650 "8.5.15", 62651 "8.5.16", 62652 "8.5.19", 62653 "8.5.2", 62654 "8.5.20", 62655 "8.5.21", 62656 "8.5.23", 62657 "8.5.24", 62658 "8.5.27", 62659 "8.5.28", 62660 "8.5.29", 62661 "8.5.3", 62662 "8.5.30", 62663 "8.5.31", 62664 "8.5.32", 62665 "8.5.33", 62666 "8.5.34", 62667 "8.5.35", 62668 "8.5.37", 62669 "8.5.38", 62670 "8.5.39", 62671 "8.5.4", 62672 "8.5.40", 62673 "8.5.41", 62674 "8.5.42", 62675 "8.5.43", 62676 "8.5.45", 62677 "8.5.46", 62678 "8.5.47", 62679 "8.5.49", 62680 "8.5.5", 62681 
"8.5.50", 62682 "8.5.51", 62683 "8.5.53", 62684 "8.5.54", 62685 "8.5.55", 62686 "8.5.56", 62687 "8.5.57", 62688 "8.5.58", 62689 "8.5.59", 62690 "8.5.6", 62691 "8.5.60", 62692 "8.5.61", 62693 "8.5.63", 62694 "8.5.64", 62695 "8.5.65", 62696 "8.5.66", 62697 "8.5.68", 62698 "8.5.69", 62699 "8.5.70", 62700 "8.5.71", 62701 "8.5.72", 62702 "8.5.73", 62703 "8.5.75", 62704 "8.5.76", 62705 "8.5.77", 62706 "8.5.78", 62707 "8.5.79", 62708 "8.5.8", 62709 "8.5.81", 62710 "8.5.82", 62711 "8.5.9" 62712 ] 62713 }, 62714 { 62715 "database_specific": { 62716 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json" 62717 }, 62718 "package": { 62719 "ecosystem": "Maven", 62720 "name": "org.apache.tomcat.embed:tomcat-embed-core", 62721 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 62722 }, 62723 "ranges": [ 62724 { 62725 "events": [ 62726 { 62727 "introduced": "9.0.0-M1" 62728 }, 62729 { 62730 "fixed": "9.0.68" 62731 } 62732 ], 62733 "type": "ECOSYSTEM" 62734 } 62735 ], 62736 "versions": [ 62737 "9.0.0.M1", 62738 "9.0.0.M10", 62739 "9.0.0.M11", 62740 "9.0.0.M13", 62741 "9.0.0.M15", 62742 "9.0.0.M17", 62743 "9.0.0.M18", 62744 "9.0.0.M19", 62745 "9.0.0.M20", 62746 "9.0.0.M21", 62747 "9.0.0.M22", 62748 "9.0.0.M25", 62749 "9.0.0.M26", 62750 "9.0.0.M27", 62751 "9.0.0.M3", 62752 "9.0.0.M4", 62753 "9.0.0.M6", 62754 "9.0.0.M8", 62755 "9.0.0.M9", 62756 "9.0.1", 62757 "9.0.10", 62758 "9.0.11", 62759 "9.0.12", 62760 "9.0.13", 62761 "9.0.14", 62762 "9.0.16", 62763 "9.0.17", 62764 "9.0.19", 62765 "9.0.2", 62766 "9.0.20", 62767 "9.0.21", 62768 "9.0.22", 62769 "9.0.24", 62770 "9.0.26", 62771 "9.0.27", 62772 "9.0.29", 62773 "9.0.30", 62774 "9.0.31", 62775 "9.0.33", 62776 "9.0.34", 62777 "9.0.35", 62778 "9.0.36", 62779 "9.0.37", 62780 "9.0.38", 62781 "9.0.39", 62782 "9.0.4", 62783 "9.0.40", 62784 "9.0.41", 62785 "9.0.43", 62786 "9.0.44", 62787 "9.0.45", 62788 "9.0.46", 62789 "9.0.48", 62790 "9.0.5", 
62791 "9.0.50", 62792 "9.0.52", 62793 "9.0.53", 62794 "9.0.54", 62795 "9.0.55", 62796 "9.0.56", 62797 "9.0.58", 62798 "9.0.59", 62799 "9.0.6", 62800 "9.0.60", 62801 "9.0.62", 62802 "9.0.63", 62803 "9.0.64", 62804 "9.0.65", 62805 "9.0.67", 62806 "9.0.7", 62807 "9.0.8" 62808 ] 62809 }, 62810 { 62811 "database_specific": { 62812 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json" 62813 }, 62814 "package": { 62815 "ecosystem": "Maven", 62816 "name": "org.apache.tomcat.embed:tomcat-embed-core", 62817 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 62818 }, 62819 "ranges": [ 62820 { 62821 "events": [ 62822 { 62823 "introduced": "10.0.0-M1" 62824 }, 62825 { 62826 "fixed": "10.0.27" 62827 } 62828 ], 62829 "type": "ECOSYSTEM" 62830 } 62831 ], 62832 "versions": [ 62833 "10.0.0", 62834 "10.0.0-M1", 62835 "10.0.0-M10", 62836 "10.0.0-M3", 62837 "10.0.0-M4", 62838 "10.0.0-M5", 62839 "10.0.0-M6", 62840 "10.0.0-M7", 62841 "10.0.0-M8", 62842 "10.0.0-M9", 62843 "10.0.10", 62844 "10.0.11", 62845 "10.0.12", 62846 "10.0.13", 62847 "10.0.14", 62848 "10.0.16", 62849 "10.0.17", 62850 "10.0.18", 62851 "10.0.2", 62852 "10.0.20", 62853 "10.0.21", 62854 "10.0.22", 62855 "10.0.23", 62856 "10.0.26", 62857 "10.0.4", 62858 "10.0.5", 62859 "10.0.6", 62860 "10.0.7", 62861 "10.0.8" 62862 ] 62863 }, 62864 { 62865 "database_specific": { 62866 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json" 62867 }, 62868 "package": { 62869 "ecosystem": "Maven", 62870 "name": "org.apache.tomcat.embed:tomcat-embed-core", 62871 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 62872 }, 62873 "ranges": [ 62874 { 62875 "events": [ 62876 { 62877 "introduced": "10.1.0-M1" 62878 }, 62879 { 62880 "fixed": "10.1.1" 62881 } 62882 ], 62883 "type": "ECOSYSTEM" 62884 } 62885 ], 62886 "versions": [ 62887 "10.1.0", 
62888 "10.1.0-M1", 62889 "10.1.0-M10", 62890 "10.1.0-M11", 62891 "10.1.0-M12", 62892 "10.1.0-M14", 62893 "10.1.0-M15", 62894 "10.1.0-M16", 62895 "10.1.0-M17", 62896 "10.1.0-M2", 62897 "10.1.0-M4", 62898 "10.1.0-M5", 62899 "10.1.0-M6", 62900 "10.1.0-M7", 62901 "10.1.0-M8" 62902 ] 62903 }, 62904 { 62905 "database_specific": { 62906 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json" 62907 }, 62908 "package": { 62909 "ecosystem": "Maven", 62910 "name": "org.apache.tomcat:tomcat-coyote", 62911 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 62912 }, 62913 "ranges": [ 62914 { 62915 "events": [ 62916 { 62917 "introduced": "9.0.0-M1" 62918 }, 62919 { 62920 "fixed": "9.0.68" 62921 } 62922 ], 62923 "type": "ECOSYSTEM" 62924 } 62925 ], 62926 "versions": [ 62927 "9.0.0.M1", 62928 "9.0.0.M10", 62929 "9.0.0.M11", 62930 "9.0.0.M13", 62931 "9.0.0.M15", 62932 "9.0.0.M17", 62933 "9.0.0.M18", 62934 "9.0.0.M19", 62935 "9.0.0.M20", 62936 "9.0.0.M21", 62937 "9.0.0.M22", 62938 "9.0.0.M25", 62939 "9.0.0.M26", 62940 "9.0.0.M27", 62941 "9.0.0.M3", 62942 "9.0.0.M4", 62943 "9.0.0.M6", 62944 "9.0.0.M8", 62945 "9.0.0.M9", 62946 "9.0.1", 62947 "9.0.10", 62948 "9.0.11", 62949 "9.0.12", 62950 "9.0.13", 62951 "9.0.14", 62952 "9.0.16", 62953 "9.0.17", 62954 "9.0.19", 62955 "9.0.2", 62956 "9.0.20", 62957 "9.0.21", 62958 "9.0.22", 62959 "9.0.24", 62960 "9.0.26", 62961 "9.0.27", 62962 "9.0.29", 62963 "9.0.30", 62964 "9.0.31", 62965 "9.0.33", 62966 "9.0.34", 62967 "9.0.35", 62968 "9.0.36", 62969 "9.0.37", 62970 "9.0.38", 62971 "9.0.39", 62972 "9.0.4", 62973 "9.0.40", 62974 "9.0.41", 62975 "9.0.43", 62976 "9.0.44", 62977 "9.0.45", 62978 "9.0.46", 62979 "9.0.48", 62980 "9.0.5", 62981 "9.0.50", 62982 "9.0.52", 62983 "9.0.53", 62984 "9.0.54", 62985 "9.0.55", 62986 "9.0.56", 62987 "9.0.58", 62988 "9.0.59", 62989 "9.0.6", 62990 "9.0.60", 62991 "9.0.62", 62992 "9.0.63", 62993 "9.0.64", 62994 "9.0.65", 62995 
"9.0.67", 62996 "9.0.7", 62997 "9.0.8" 62998 ] 62999 }, 63000 { 63001 "database_specific": { 63002 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json" 63003 }, 63004 "package": { 63005 "ecosystem": "Maven", 63006 "name": "org.apache.tomcat:tomcat-coyote", 63007 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 63008 }, 63009 "ranges": [ 63010 { 63011 "events": [ 63012 { 63013 "introduced": "10.0.0-M1" 63014 }, 63015 { 63016 "fixed": "10.0.27" 63017 } 63018 ], 63019 "type": "ECOSYSTEM" 63020 } 63021 ], 63022 "versions": [ 63023 "10.0.0", 63024 "10.0.0-M1", 63025 "10.0.0-M10", 63026 "10.0.0-M3", 63027 "10.0.0-M4", 63028 "10.0.0-M5", 63029 "10.0.0-M6", 63030 "10.0.0-M7", 63031 "10.0.0-M8", 63032 "10.0.0-M9", 63033 "10.0.10", 63034 "10.0.11", 63035 "10.0.12", 63036 "10.0.13", 63037 "10.0.14", 63038 "10.0.16", 63039 "10.0.17", 63040 "10.0.18", 63041 "10.0.2", 63042 "10.0.20", 63043 "10.0.21", 63044 "10.0.22", 63045 "10.0.23", 63046 "10.0.26", 63047 "10.0.4", 63048 "10.0.5", 63049 "10.0.6", 63050 "10.0.7", 63051 "10.0.8" 63052 ] 63053 }, 63054 { 63055 "database_specific": { 63056 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json" 63057 }, 63058 "package": { 63059 "ecosystem": "Maven", 63060 "name": "org.apache.tomcat:tomcat-coyote", 63061 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 63062 }, 63063 "ranges": [ 63064 { 63065 "events": [ 63066 { 63067 "introduced": "10.1.0-M1" 63068 }, 63069 { 63070 "fixed": "10.1.1" 63071 } 63072 ], 63073 "type": "ECOSYSTEM" 63074 } 63075 ], 63076 "versions": [ 63077 "10.1.0", 63078 "10.1.0-M1", 63079 "10.1.0-M10", 63080 "10.1.0-M11", 63081 "10.1.0-M12", 63082 "10.1.0-M14", 63083 "10.1.0-M15", 63084 "10.1.0-M16", 63085 "10.1.0-M17", 63086 "10.1.0-M2", 63087 "10.1.0-M4", 63088 "10.1.0-M5", 63089 "10.1.0-M6", 63090 "10.1.0-M7", 63091 "10.1.0-M8" 
63092 ] 63093 } 63094 ], 63095 "aliases": [ 63096 "BIT-tomcat-2022-42252", 63097 "CVE-2022-42252" 63098 ], 63099 "database_specific": { 63100 "cwe_ids": [ 63101 "CWE-20", 63102 "CWE-444" 63103 ], 63104 "github_reviewed": true, 63105 "github_reviewed_at": "2022-11-01T18:37:42Z", 63106 "nvd_published_at": "2022-11-01T09:15:00Z", 63107 "severity": "HIGH" 63108 }, 63109 "details": "If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.", 63110 "id": "GHSA-p22x-g9px-3945", 63111 "modified": "2024-04-23T20:46:15.447071Z", 63112 "published": "2022-11-01T12:00:30Z", 63113 "references": [ 63114 { 63115 "type": "ADVISORY", 63116 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42252" 63117 }, 63118 { 63119 "type": "WEB", 63120 "url": "https://github.com/apache/tomcat/commit/0d089a15047faf9cb3c82f80f4d28febd4798920" 63121 }, 63122 { 63123 "type": "WEB", 63124 "url": "https://github.com/apache/tomcat/commit/4c7f4fd09d2cc1692112ef70b8ee23a7a037ae77" 63125 }, 63126 { 63127 "type": "WEB", 63128 "url": "https://github.com/apache/tomcat/commit/a1c07906d8dcaf7957e5cc97f5cdbac7d18a205a" 63129 }, 63130 { 63131 "type": "WEB", 63132 "url": "https://github.com/apache/tomcat/commit/c9fe754e5d17e262dfbd3eab2a03ca96ff372dc3" 63133 }, 63134 { 63135 "type": "PACKAGE", 63136 "url": "https://github.com/apache/tomcat" 63137 }, 63138 { 63139 "type": "WEB", 63140 "url": "https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq" 63141 }, 63142 { 63143 "type": "WEB", 63144 "url": "https://security.gentoo.org/glsa/202305-37" 63145 }, 63146 { 63147 "type": "WEB", 63148 "url": 
"https://tomcat.apache.org/security-10.html" 63149 }, 63150 { 63151 "type": "WEB", 63152 "url": "https://tomcat.apache.org/security-8.html" 63153 }, 63154 { 63155 "type": "WEB", 63156 "url": "https://tomcat.apache.org/security-9.html" 63157 } 63158 ], 63159 "schema_version": "1.6.0", 63160 "severity": [ 63161 { 63162 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 63163 "type": "CVSS_V3" 63164 } 63165 ], 63166 "summary": "Apache Tomcat may reject request containing invalid Content-Length header" 63167 }, 63168 { 63169 "affected": [ 63170 { 63171 "database_specific": { 63172 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-pjfr-qf3p-3q25/GHSA-pjfr-qf3p-3q25.json" 63173 }, 63174 "package": { 63175 "ecosystem": "Maven", 63176 "name": "org.apache.tomcat.embed:tomcat-embed-core", 63177 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 63178 }, 63179 "ranges": [ 63180 { 63181 "events": [ 63182 { 63183 "introduced": "7.0.0" 63184 }, 63185 { 63186 "fixed": "7.0.79" 63187 } 63188 ], 63189 "type": "ECOSYSTEM" 63190 } 63191 ], 63192 "versions": [ 63193 "7.0.0", 63194 "7.0.11", 63195 "7.0.12", 63196 "7.0.14", 63197 "7.0.16", 63198 "7.0.19", 63199 "7.0.2", 63200 "7.0.20", 63201 "7.0.21", 63202 "7.0.22", 63203 "7.0.23", 63204 "7.0.25", 63205 "7.0.26", 63206 "7.0.27", 63207 "7.0.28", 63208 "7.0.29", 63209 "7.0.30", 63210 "7.0.32", 63211 "7.0.33", 63212 "7.0.34", 63213 "7.0.35", 63214 "7.0.37", 63215 "7.0.39", 63216 "7.0.4", 63217 "7.0.40", 63218 "7.0.41", 63219 "7.0.42", 63220 "7.0.47", 63221 "7.0.5", 63222 "7.0.50", 63223 "7.0.52", 63224 "7.0.53", 63225 "7.0.54", 63226 "7.0.55", 63227 "7.0.56", 63228 "7.0.57", 63229 "7.0.59", 63230 "7.0.6", 63231 "7.0.61", 63232 "7.0.62", 63233 "7.0.63", 63234 "7.0.64", 63235 "7.0.65", 63236 "7.0.67", 63237 "7.0.68", 63238 "7.0.69", 63239 "7.0.70", 63240 "7.0.72", 63241 "7.0.73", 63242 "7.0.75", 63243 "7.0.76", 63244 "7.0.77", 63245 "7.0.78", 63246 "7.0.8" 63247 ] 63248 
} 63249 ], 63250 "aliases": [ 63251 "CVE-2017-12615" 63252 ], 63253 "database_specific": { 63254 "cwe_ids": [ 63255 "CWE-434" 63256 ], 63257 "github_reviewed": true, 63258 "github_reviewed_at": "2020-06-16T21:49:21Z", 63259 "nvd_published_at": "2017-09-19T13:29:00Z", 63260 "severity": "HIGH" 63261 }, 63262 "details": "When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.", 63263 "id": "GHSA-pjfr-qf3p-3q25", 63264 "modified": "2024-07-16T20:21:40.622627Z", 63265 "published": "2018-10-17T16:30:31Z", 63266 "references": [ 63267 { 63268 "type": "ADVISORY", 63269 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12615" 63270 }, 63271 { 63272 "type": "WEB", 63273 "url": "https://www.synology.com/support/security/Synology_SA_17_54_Tomcat" 63274 }, 63275 { 63276 "type": "WEB", 63277 "url": "https://www.exploit-db.com/exploits/42953" 63278 }, 63279 { 63280 "type": "WEB", 63281 "url": "https://security.netapp.com/advisory/ntap-20171018-0001" 63282 }, 63283 { 63284 "type": "WEB", 63285 "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" 63286 }, 63287 { 63288 "type": "WEB", 63289 "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" 63290 }, 63291 { 63292 "type": "WEB", 63293 "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E" 63294 }, 63295 { 63296 "type": "WEB", 63297 "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E" 63298 }, 63299 { 63300 "type": "WEB", 63301 "url": 
"https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3Cannounce.tomcat.apache.org%3E" 63302 }, 63303 { 63304 "type": "WEB", 63305 "url": "https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3E" 63306 }, 63307 { 63308 "type": "WEB", 63309 "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" 63310 }, 63311 { 63312 "type": "WEB", 63313 "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E" 63314 }, 63315 { 63316 "type": "WEB", 63317 "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" 63318 }, 63319 { 63320 "type": "WEB", 63321 "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E" 63322 }, 63323 { 63324 "type": "WEB", 63325 "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" 63326 }, 63327 { 63328 "type": "WEB", 63329 "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E" 63330 }, 63331 { 63332 "type": "WEB", 63333 "url": "https://github.com/breaktoprotect/CVE-2017-12615" 63334 }, 63335 { 63336 "type": "ADVISORY", 63337 "url": "https://github.com/advisories/GHSA-pjfr-qf3p-3q25" 63338 }, 63339 { 63340 "type": "WEB", 63341 "url": "https://access.redhat.com/errata/RHSA-2018:0466" 63342 }, 63343 { 63344 "type": "WEB", 63345 "url": "https://access.redhat.com/errata/RHSA-2018:0465" 63346 }, 63347 { 63348 "type": "WEB", 63349 "url": "https://access.redhat.com/errata/RHSA-2017:3114" 63350 }, 63351 { 63352 "type": "WEB", 63353 "url": "https://access.redhat.com/errata/RHSA-2017:3113" 63354 }, 63355 { 
63356 "type": "WEB", 63357 "url": "https://access.redhat.com/errata/RHSA-2017:3081" 63358 }, 63359 { 63360 "type": "WEB", 63361 "url": "https://access.redhat.com/errata/RHSA-2017:3080" 63362 }, 63363 { 63364 "type": "WEB", 63365 "url": "http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html" 63366 }, 63367 { 63368 "type": "WEB", 63369 "url": "http://www.securityfocus.com/bid/100901" 63370 }, 63371 { 63372 "type": "WEB", 63373 "url": "http://www.securitytracker.com/id/1039392" 63374 } 63375 ], 63376 "schema_version": "1.6.0", 63377 "severity": [ 63378 { 63379 "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 63380 "type": "CVSS_V3" 63381 } 63382 ], 63383 "summary": "When running Apache Tomcat on Windows with HTTP PUTs enabled it was possible to upload a JSP file to the server" 63384 }, 63385 { 63386 "affected": [ 63387 { 63388 "database_specific": { 63389 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json" 63390 }, 63391 "package": { 63392 "ecosystem": "Maven", 63393 "name": "org.apache.tomcat:tomcat", 63394 "purl": "pkg:maven/org.apache.tomcat/tomcat" 63395 }, 63396 "ranges": [ 63397 { 63398 "events": [ 63399 { 63400 "introduced": "11.0.0-M1" 63401 }, 63402 { 63403 "fixed": "11.0.0-M11" 63404 } 63405 ], 63406 "type": "ECOSYSTEM" 63407 } 63408 ], 63409 "versions": [ 63410 "11.0.0-M1", 63411 "11.0.0-M10", 63412 "11.0.0-M3", 63413 "11.0.0-M4", 63414 "11.0.0-M5", 63415 "11.0.0-M6", 63416 "11.0.0-M7", 63417 "11.0.0-M9" 63418 ] 63419 }, 63420 { 63421 "database_specific": { 63422 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json" 63423 }, 63424 "package": { 63425 "ecosystem": "Maven", 63426 "name": "org.apache.tomcat:tomcat", 63427 "purl": "pkg:maven/org.apache.tomcat/tomcat" 63428 }, 63429 "ranges": [ 63430 { 63431 "events": [ 63432 { 63433 
"introduced": "10.1.0-M1" 63434 }, 63435 { 63436 "fixed": "10.1.13" 63437 } 63438 ], 63439 "type": "ECOSYSTEM" 63440 } 63441 ], 63442 "versions": [ 63443 "10.1.0", 63444 "10.1.0-M1", 63445 "10.1.0-M10", 63446 "10.1.0-M11", 63447 "10.1.0-M12", 63448 "10.1.0-M14", 63449 "10.1.0-M15", 63450 "10.1.0-M16", 63451 "10.1.0-M17", 63452 "10.1.0-M2", 63453 "10.1.0-M4", 63454 "10.1.0-M5", 63455 "10.1.0-M6", 63456 "10.1.0-M7", 63457 "10.1.0-M8", 63458 "10.1.1", 63459 "10.1.10", 63460 "10.1.11", 63461 "10.1.12", 63462 "10.1.2", 63463 "10.1.4", 63464 "10.1.5", 63465 "10.1.6", 63466 "10.1.7", 63467 "10.1.8", 63468 "10.1.9" 63469 ] 63470 }, 63471 { 63472 "database_specific": { 63473 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json" 63474 }, 63475 "package": { 63476 "ecosystem": "Maven", 63477 "name": "org.apache.tomcat:tomcat", 63478 "purl": "pkg:maven/org.apache.tomcat/tomcat" 63479 }, 63480 "ranges": [ 63481 { 63482 "events": [ 63483 { 63484 "introduced": "9.0.0-M1" 63485 }, 63486 { 63487 "fixed": "9.0.80" 63488 } 63489 ], 63490 "type": "ECOSYSTEM" 63491 } 63492 ], 63493 "versions": [ 63494 "9.0.0.M1", 63495 "9.0.0.M10", 63496 "9.0.0.M11", 63497 "9.0.0.M13", 63498 "9.0.0.M15", 63499 "9.0.0.M17", 63500 "9.0.0.M18", 63501 "9.0.0.M19", 63502 "9.0.0.M20", 63503 "9.0.0.M21", 63504 "9.0.0.M22", 63505 "9.0.0.M25", 63506 "9.0.0.M26", 63507 "9.0.0.M27", 63508 "9.0.0.M3", 63509 "9.0.0.M4", 63510 "9.0.0.M6", 63511 "9.0.0.M8", 63512 "9.0.0.M9", 63513 "9.0.1", 63514 "9.0.10", 63515 "9.0.11", 63516 "9.0.12", 63517 "9.0.13", 63518 "9.0.14", 63519 "9.0.16", 63520 "9.0.17", 63521 "9.0.19", 63522 "9.0.2", 63523 "9.0.20", 63524 "9.0.21", 63525 "9.0.22", 63526 "9.0.24", 63527 "9.0.26", 63528 "9.0.27", 63529 "9.0.29", 63530 "9.0.30", 63531 "9.0.31", 63532 "9.0.33", 63533 "9.0.34", 63534 "9.0.35", 63535 "9.0.36", 63536 "9.0.37", 63537 "9.0.38", 63538 "9.0.39", 63539 "9.0.4", 63540 "9.0.40", 63541 "9.0.41", 
63542 "9.0.43", 63543 "9.0.44", 63544 "9.0.45", 63545 "9.0.46", 63546 "9.0.48", 63547 "9.0.5", 63548 "9.0.50", 63549 "9.0.52", 63550 "9.0.53", 63551 "9.0.54", 63552 "9.0.55", 63553 "9.0.56", 63554 "9.0.58", 63555 "9.0.59", 63556 "9.0.6", 63557 "9.0.60", 63558 "9.0.62", 63559 "9.0.63", 63560 "9.0.64", 63561 "9.0.65", 63562 "9.0.67", 63563 "9.0.68", 63564 "9.0.69", 63565 "9.0.7", 63566 "9.0.70", 63567 "9.0.71", 63568 "9.0.72", 63569 "9.0.73", 63570 "9.0.74", 63571 "9.0.75", 63572 "9.0.76", 63573 "9.0.78", 63574 "9.0.79", 63575 "9.0.8" 63576 ] 63577 }, 63578 { 63579 "database_specific": { 63580 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json" 63581 }, 63582 "package": { 63583 "ecosystem": "Maven", 63584 "name": "org.apache.tomcat:tomcat", 63585 "purl": "pkg:maven/org.apache.tomcat/tomcat" 63586 }, 63587 "ranges": [ 63588 { 63589 "events": [ 63590 { 63591 "introduced": "8.5.0" 63592 }, 63593 { 63594 "fixed": "8.5.93" 63595 } 63596 ], 63597 "type": "ECOSYSTEM" 63598 } 63599 ], 63600 "versions": [ 63601 "8.5.0", 63602 "8.5.11", 63603 "8.5.12", 63604 "8.5.13", 63605 "8.5.14", 63606 "8.5.15", 63607 "8.5.16", 63608 "8.5.19", 63609 "8.5.2", 63610 "8.5.20", 63611 "8.5.21", 63612 "8.5.23", 63613 "8.5.24", 63614 "8.5.27", 63615 "8.5.28", 63616 "8.5.29", 63617 "8.5.3", 63618 "8.5.30", 63619 "8.5.31", 63620 "8.5.32", 63621 "8.5.33", 63622 "8.5.34", 63623 "8.5.35", 63624 "8.5.37", 63625 "8.5.38", 63626 "8.5.39", 63627 "8.5.4", 63628 "8.5.40", 63629 "8.5.41", 63630 "8.5.42", 63631 "8.5.43", 63632 "8.5.45", 63633 "8.5.46", 63634 "8.5.47", 63635 "8.5.49", 63636 "8.5.5", 63637 "8.5.50", 63638 "8.5.51", 63639 "8.5.53", 63640 "8.5.54", 63641 "8.5.55", 63642 "8.5.56", 63643 "8.5.57", 63644 "8.5.58", 63645 "8.5.59", 63646 "8.5.6", 63647 "8.5.60", 63648 "8.5.61", 63649 "8.5.63", 63650 "8.5.64", 63651 "8.5.65", 63652 "8.5.66", 63653 "8.5.68", 63654 "8.5.69", 63655 "8.5.70", 63656 "8.5.71", 63657 
"8.5.72", 63658 "8.5.73", 63659 "8.5.75", 63660 "8.5.76", 63661 "8.5.77", 63662 "8.5.78", 63663 "8.5.79", 63664 "8.5.8", 63665 "8.5.81", 63666 "8.5.82", 63667 "8.5.83", 63668 "8.5.84", 63669 "8.5.85", 63670 "8.5.86", 63671 "8.5.87", 63672 "8.5.88", 63673 "8.5.89", 63674 "8.5.9", 63675 "8.5.90", 63676 "8.5.91", 63677 "8.5.92" 63678 ] 63679 }, 63680 { 63681 "database_specific": { 63682 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json" 63683 }, 63684 "package": { 63685 "ecosystem": "Maven", 63686 "name": "org.apache.tomcat.embed:tomcat-embed-core", 63687 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 63688 }, 63689 "ranges": [ 63690 { 63691 "events": [ 63692 { 63693 "introduced": "8.5.0" 63694 }, 63695 { 63696 "fixed": "8.5.93" 63697 } 63698 ], 63699 "type": "ECOSYSTEM" 63700 } 63701 ], 63702 "versions": [ 63703 "8.5.0", 63704 "8.5.11", 63705 "8.5.12", 63706 "8.5.13", 63707 "8.5.14", 63708 "8.5.15", 63709 "8.5.16", 63710 "8.5.19", 63711 "8.5.2", 63712 "8.5.20", 63713 "8.5.21", 63714 "8.5.23", 63715 "8.5.24", 63716 "8.5.27", 63717 "8.5.28", 63718 "8.5.29", 63719 "8.5.3", 63720 "8.5.30", 63721 "8.5.31", 63722 "8.5.32", 63723 "8.5.33", 63724 "8.5.34", 63725 "8.5.35", 63726 "8.5.37", 63727 "8.5.38", 63728 "8.5.39", 63729 "8.5.4", 63730 "8.5.40", 63731 "8.5.41", 63732 "8.5.42", 63733 "8.5.43", 63734 "8.5.45", 63735 "8.5.46", 63736 "8.5.47", 63737 "8.5.49", 63738 "8.5.5", 63739 "8.5.50", 63740 "8.5.51", 63741 "8.5.53", 63742 "8.5.54", 63743 "8.5.55", 63744 "8.5.56", 63745 "8.5.57", 63746 "8.5.58", 63747 "8.5.59", 63748 "8.5.6", 63749 "8.5.60", 63750 "8.5.61", 63751 "8.5.63", 63752 "8.5.64", 63753 "8.5.65", 63754 "8.5.66", 63755 "8.5.68", 63756 "8.5.69", 63757 "8.5.70", 63758 "8.5.71", 63759 "8.5.72", 63760 "8.5.73", 63761 "8.5.75", 63762 "8.5.76", 63763 "8.5.77", 63764 "8.5.78", 63765 "8.5.79", 63766 "8.5.8", 63767 "8.5.81", 63768 "8.5.82", 63769 "8.5.83", 63770 
"8.5.84", 63771 "8.5.85", 63772 "8.5.86", 63773 "8.5.87", 63774 "8.5.88", 63775 "8.5.89", 63776 "8.5.9", 63777 "8.5.90", 63778 "8.5.91", 63779 "8.5.92" 63780 ] 63781 }, 63782 { 63783 "database_specific": { 63784 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json" 63785 }, 63786 "package": { 63787 "ecosystem": "Maven", 63788 "name": "org.apache.tomcat.embed:tomcat-embed-core", 63789 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 63790 }, 63791 "ranges": [ 63792 { 63793 "events": [ 63794 { 63795 "introduced": "9.0.0-M1" 63796 }, 63797 { 63798 "fixed": "9.0.80" 63799 } 63800 ], 63801 "type": "ECOSYSTEM" 63802 } 63803 ], 63804 "versions": [ 63805 "9.0.0.M1", 63806 "9.0.0.M10", 63807 "9.0.0.M11", 63808 "9.0.0.M13", 63809 "9.0.0.M15", 63810 "9.0.0.M17", 63811 "9.0.0.M18", 63812 "9.0.0.M19", 63813 "9.0.0.M20", 63814 "9.0.0.M21", 63815 "9.0.0.M22", 63816 "9.0.0.M25", 63817 "9.0.0.M26", 63818 "9.0.0.M27", 63819 "9.0.0.M3", 63820 "9.0.0.M4", 63821 "9.0.0.M6", 63822 "9.0.0.M8", 63823 "9.0.0.M9", 63824 "9.0.1", 63825 "9.0.10", 63826 "9.0.11", 63827 "9.0.12", 63828 "9.0.13", 63829 "9.0.14", 63830 "9.0.16", 63831 "9.0.17", 63832 "9.0.19", 63833 "9.0.2", 63834 "9.0.20", 63835 "9.0.21", 63836 "9.0.22", 63837 "9.0.24", 63838 "9.0.26", 63839 "9.0.27", 63840 "9.0.29", 63841 "9.0.30", 63842 "9.0.31", 63843 "9.0.33", 63844 "9.0.34", 63845 "9.0.35", 63846 "9.0.36", 63847 "9.0.37", 63848 "9.0.38", 63849 "9.0.39", 63850 "9.0.4", 63851 "9.0.40", 63852 "9.0.41", 63853 "9.0.43", 63854 "9.0.44", 63855 "9.0.45", 63856 "9.0.46", 63857 "9.0.48", 63858 "9.0.5", 63859 "9.0.50", 63860 "9.0.52", 63861 "9.0.53", 63862 "9.0.54", 63863 "9.0.55", 63864 "9.0.56", 63865 "9.0.58", 63866 "9.0.59", 63867 "9.0.6", 63868 "9.0.60", 63869 "9.0.62", 63870 "9.0.63", 63871 "9.0.64", 63872 "9.0.65", 63873 "9.0.67", 63874 "9.0.68", 63875 "9.0.69", 63876 "9.0.7", 63877 "9.0.70", 63878 "9.0.71", 63879 "9.0.72", 
63880 "9.0.73", 63881 "9.0.74", 63882 "9.0.75", 63883 "9.0.76", 63884 "9.0.78", 63885 "9.0.79", 63886 "9.0.8" 63887 ] 63888 }, 63889 { 63890 "database_specific": { 63891 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json" 63892 }, 63893 "package": { 63894 "ecosystem": "Maven", 63895 "name": "org.apache.tomcat.embed:tomcat-embed-core", 63896 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 63897 }, 63898 "ranges": [ 63899 { 63900 "events": [ 63901 { 63902 "introduced": "10.1.0-M1" 63903 }, 63904 { 63905 "fixed": "10.1.13" 63906 } 63907 ], 63908 "type": "ECOSYSTEM" 63909 } 63910 ], 63911 "versions": [ 63912 "10.1.0", 63913 "10.1.0-M1", 63914 "10.1.0-M10", 63915 "10.1.0-M11", 63916 "10.1.0-M12", 63917 "10.1.0-M14", 63918 "10.1.0-M15", 63919 "10.1.0-M16", 63920 "10.1.0-M17", 63921 "10.1.0-M2", 63922 "10.1.0-M4", 63923 "10.1.0-M5", 63924 "10.1.0-M6", 63925 "10.1.0-M7", 63926 "10.1.0-M8", 63927 "10.1.1", 63928 "10.1.10", 63929 "10.1.11", 63930 "10.1.12", 63931 "10.1.2", 63932 "10.1.4", 63933 "10.1.5", 63934 "10.1.6", 63935 "10.1.7", 63936 "10.1.8", 63937 "10.1.9" 63938 ] 63939 }, 63940 { 63941 "database_specific": { 63942 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json" 63943 }, 63944 "package": { 63945 "ecosystem": "Maven", 63946 "name": "org.apache.tomcat.embed:tomcat-embed-core", 63947 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 63948 }, 63949 "ranges": [ 63950 { 63951 "events": [ 63952 { 63953 "introduced": "11.0.0-M1" 63954 }, 63955 { 63956 "fixed": "11.0.0-M11" 63957 } 63958 ], 63959 "type": "ECOSYSTEM" 63960 } 63961 ], 63962 "versions": [ 63963 "11.0.0-M1", 63964 "11.0.0-M10", 63965 "11.0.0-M3", 63966 "11.0.0-M4", 63967 "11.0.0-M5", 63968 "11.0.0-M6", 63969 "11.0.0-M7", 63970 "11.0.0-M9" 63971 ] 63972 } 63973 ], 63974 "aliases": [ 63975 
"BIT-tomcat-2023-41080", 63976 "CVE-2023-41080" 63977 ], 63978 "database_specific": { 63979 "cwe_ids": [ 63980 "CWE-601" 63981 ], 63982 "github_reviewed": true, 63983 "github_reviewed_at": "2023-08-25T22:05:01Z", 63984 "nvd_published_at": "2023-08-25T21:15:09Z", 63985 "severity": "MODERATE" 63986 }, 63987 "details": "URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92.\n\nThe vulnerability is limited to the ROOT (default) web application.", 63988 "id": "GHSA-q3mw-pvr8-9ggc", 63989 "modified": "2024-02-17T05:31:37.094178Z", 63990 "published": "2023-08-25T21:30:48Z", 63991 "references": [ 63992 { 63993 "type": "ADVISORY", 63994 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41080" 63995 }, 63996 { 63997 "type": "WEB", 63998 "url": "https://github.com/apache/tomcat/commit/4998ad745b67edeadefe541c94ed029b53933d3b" 63999 }, 64000 { 64001 "type": "WEB", 64002 "url": "https://github.com/apache/tomcat/commit/77c0ce2d169efa248b64b992e547aad549ec906b" 64003 }, 64004 { 64005 "type": "WEB", 64006 "url": "https://github.com/apache/tomcat/commit/bb4624a9f3e69d495182ebfa68d7983076407a27" 64007 }, 64008 { 64009 "type": "WEB", 64010 "url": "https://github.com/apache/tomcat/commit/e3703c9abb8fe0d5602f6ba8a8f11d4b6940815a" 64011 }, 64012 { 64013 "type": "PACKAGE", 64014 "url": "https://github.com/apache/tomcat" 64015 }, 64016 { 64017 "type": "WEB", 64018 "url": "https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f" 64019 }, 64020 { 64021 "type": "WEB", 64022 "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" 64023 }, 64024 { 64025 "type": "WEB", 64026 "url": "https://security.netapp.com/advisory/ntap-20230921-0006" 64027 }, 64028 { 64029 "type": "WEB", 64030 "url": "https://www.debian.org/security/2023/dsa-5521" 64031 }, 64032 { 
64033 "type": "WEB", 64034 "url": "https://www.debian.org/security/2023/dsa-5522" 64035 } 64036 ], 64037 "related": [ 64038 "CGA-chc4-69mh-93g6" 64039 ], 64040 "schema_version": "1.6.0", 64041 "severity": [ 64042 { 64043 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 64044 "type": "CVSS_V3" 64045 } 64046 ], 64047 "summary": "Apache Tomcat Open Redirect vulnerability" 64048 }, 64049 { 64050 "affected": [ 64051 { 64052 "database_specific": { 64053 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-q4hg-rmq2-52q9/GHSA-q4hg-rmq2-52q9.json" 64054 }, 64055 "package": { 64056 "ecosystem": "Maven", 64057 "name": "org.apache.tomcat.embed:tomcat-embed-core", 64058 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 64059 }, 64060 "ranges": [ 64061 { 64062 "events": [ 64063 { 64064 "introduced": "9.0.0.M1" 64065 }, 64066 { 64067 "fixed": "9.0.20" 64068 } 64069 ], 64070 "type": "ECOSYSTEM" 64071 } 64072 ], 64073 "versions": [ 64074 "9.0.0.M1", 64075 "9.0.0.M10", 64076 "9.0.0.M11", 64077 "9.0.0.M13", 64078 "9.0.0.M15", 64079 "9.0.0.M17", 64080 "9.0.0.M18", 64081 "9.0.0.M19", 64082 "9.0.0.M20", 64083 "9.0.0.M21", 64084 "9.0.0.M22", 64085 "9.0.0.M25", 64086 "9.0.0.M26", 64087 "9.0.0.M27", 64088 "9.0.0.M3", 64089 "9.0.0.M4", 64090 "9.0.0.M6", 64091 "9.0.0.M8", 64092 "9.0.0.M9", 64093 "9.0.1", 64094 "9.0.10", 64095 "9.0.11", 64096 "9.0.12", 64097 "9.0.13", 64098 "9.0.14", 64099 "9.0.16", 64100 "9.0.17", 64101 "9.0.19", 64102 "9.0.2", 64103 "9.0.4", 64104 "9.0.5", 64105 "9.0.6", 64106 "9.0.7", 64107 "9.0.8" 64108 ] 64109 }, 64110 { 64111 "database_specific": { 64112 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-q4hg-rmq2-52q9/GHSA-q4hg-rmq2-52q9.json" 64113 }, 64114 "package": { 64115 "ecosystem": "Maven", 64116 "name": "org.apache.tomcat.embed:tomcat-embed-core", 64117 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 64118 }, 64119 
"ranges": [ 64120 { 64121 "events": [ 64122 { 64123 "introduced": "8.5.0" 64124 }, 64125 { 64126 "fixed": "8.5.41" 64127 } 64128 ], 64129 "type": "ECOSYSTEM" 64130 } 64131 ], 64132 "versions": [ 64133 "8.5.0", 64134 "8.5.11", 64135 "8.5.12", 64136 "8.5.13", 64137 "8.5.14", 64138 "8.5.15", 64139 "8.5.16", 64140 "8.5.19", 64141 "8.5.2", 64142 "8.5.20", 64143 "8.5.21", 64144 "8.5.23", 64145 "8.5.24", 64146 "8.5.27", 64147 "8.5.28", 64148 "8.5.29", 64149 "8.5.3", 64150 "8.5.30", 64151 "8.5.31", 64152 "8.5.32", 64153 "8.5.33", 64154 "8.5.34", 64155 "8.5.35", 64156 "8.5.37", 64157 "8.5.38", 64158 "8.5.39", 64159 "8.5.4", 64160 "8.5.40", 64161 "8.5.5", 64162 "8.5.6", 64163 "8.5.8", 64164 "8.5.9" 64165 ] 64166 } 64167 ], 64168 "aliases": [ 64169 "CVE-2019-10072" 64170 ], 64171 "database_specific": { 64172 "cwe_ids": [ 64173 "CWE-667" 64174 ], 64175 "github_reviewed": true, 64176 "github_reviewed_at": "2019-06-26T00:56:45Z", 64177 "nvd_published_at": "2019-06-21T18:15:00Z", 64178 "severity": "HIGH" 64179 }, 64180 "details": "The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . 
By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.", 64181 "id": "GHSA-q4hg-rmq2-52q9", 64182 "modified": "2024-03-11T15:55:43.65767Z", 64183 "published": "2019-06-26T01:09:40Z", 64184 "references": [ 64185 { 64186 "type": "ADVISORY", 64187 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10072" 64188 }, 64189 { 64190 "type": "WEB", 64191 "url": "https://github.com/apache/tomcat/commit/0bcd69c9dd8ae0ff424f2cd46de51583510b7f35" 64192 }, 64193 { 64194 "type": "WEB", 64195 "url": "https://github.com/apache/tomcat/commit/7f748eb6bfaba5207c89dbd7d5adf50fae847145" 64196 }, 64197 { 64198 "type": "WEB", 64199 "url": "https://github.com/apache/tomcat/commit/8d14c6f21d29768a39be4b6b9517060dc6606758" 64200 }, 64201 { 64202 "type": "WEB", 64203 "url": "https://github.com/apache/tomcat/commit/ada725a50a60867af3422c8e612aecaeea856a9a" 64204 }, 64205 { 64206 "type": "WEB", 64207 "url": "https://security.netapp.com/advisory/ntap-20190625-0002" 64208 }, 64209 { 64210 "type": "WEB", 64211 "url": "https://support.f5.com/csp/article/K17321505" 64212 }, 64213 { 64214 "type": "WEB", 64215 "url": "https://tomcat.apache.org/security-8.html" 64216 }, 64217 { 64218 "type": "WEB", 64219 "url": "https://tomcat.apache.org/security-9.html" 64220 }, 64221 { 64222 "type": "WEB", 64223 "url": "https://usn.ubuntu.com/4128-1" 64224 }, 64225 { 64226 "type": "WEB", 64227 "url": "https://usn.ubuntu.com/4128-2" 64228 }, 64229 { 64230 "type": "WEB", 64231 "url": "https://web.archive.org/web/20200227033743/http://www.securityfocus.com/bid/108874" 64232 }, 64233 { 64234 "type": "WEB", 64235 "url": "https://www.debian.org/security/2020/dsa-4680" 64236 }, 64237 { 64238 "type": "WEB", 64239 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 64240 }, 64241 { 64242 "type": "WEB", 64243 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 64244 }, 64245 { 
64246 "type": "WEB", 64247 "url": "https://www.oracle.com/security-alerts/cpujan2020.html" 64248 }, 64249 { 64250 "type": "WEB", 64251 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 64252 }, 64253 { 64254 "type": "WEB", 64255 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 64256 }, 64257 { 64258 "type": "WEB", 64259 "url": "https://www.synology.com/security/advisory/Synology_SA_19_29" 64260 }, 64261 { 64262 "type": "WEB", 64263 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" 64264 }, 64265 { 64266 "type": "WEB", 64267 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" 64268 }, 64269 { 64270 "type": "WEB", 64271 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" 64272 }, 64273 { 64274 "type": "WEB", 64275 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" 64276 }, 64277 { 64278 "type": "WEB", 64279 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" 64280 }, 64281 { 64282 "type": "WEB", 64283 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" 64284 }, 64285 { 64286 "type": "WEB", 64287 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" 64288 }, 64289 { 64290 "type": "WEB", 64291 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" 64292 }, 64293 { 64294 "type": "WEB", 64295 "url": 
"https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E" 64296 }, 64297 { 64298 "type": "WEB", 64299 "url": "https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a%40%3Cannounce.tomcat.apache.org%3E" 64300 }, 64301 { 64302 "type": "PACKAGE", 64303 "url": "https://github.com/apache/tomcat" 64304 }, 64305 { 64306 "type": "WEB", 64307 "url": "https://access.redhat.com/errata/RHSA-2019:3931" 64308 }, 64309 { 64310 "type": "WEB", 64311 "url": "https://access.redhat.com/errata/RHSA-2019:3929" 64312 }, 64313 { 64314 "type": "WEB", 64315 "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html" 64316 } 64317 ], 64318 "schema_version": "1.6.0", 64319 "severity": [ 64320 { 64321 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 64322 "type": "CVSS_V3" 64323 } 64324 ], 64325 "summary": "Improper Locking in Apache Tomcat" 64326 }, 64327 { 64328 "affected": [ 64329 { 64330 "database_specific": { 64331 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-qcxh-w3j9-58qr/GHSA-qcxh-w3j9-58qr.json" 64332 }, 64333 "package": { 64334 "ecosystem": "Maven", 64335 "name": "org.apache.tomcat.embed:tomcat-embed-core", 64336 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 64337 }, 64338 "ranges": [ 64339 { 64340 "events": [ 64341 { 64342 "introduced": "9.0.0" 64343 }, 64344 { 64345 "fixed": "9.0.16" 64346 } 64347 ], 64348 "type": "ECOSYSTEM" 64349 } 64350 ], 64351 "versions": [ 64352 "9.0.1", 64353 "9.0.10", 64354 "9.0.11", 64355 "9.0.12", 64356 "9.0.13", 64357 "9.0.14", 64358 "9.0.2", 64359 "9.0.4", 64360 "9.0.5", 64361 "9.0.6", 64362 "9.0.7", 64363 "9.0.8" 64364 ] 64365 }, 64366 { 64367 "database_specific": { 64368 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-qcxh-w3j9-58qr/GHSA-qcxh-w3j9-58qr.json" 64369 }, 64370 
"package": { 64371 "ecosystem": "Maven", 64372 "name": "org.apache.tomcat.embed:tomcat-embed-core", 64373 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 64374 }, 64375 "ranges": [ 64376 { 64377 "events": [ 64378 { 64379 "introduced": "8.0.0" 64380 }, 64381 { 64382 "fixed": "8.5.38" 64383 } 64384 ], 64385 "type": "ECOSYSTEM" 64386 } 64387 ], 64388 "versions": [ 64389 "8.0.1", 64390 "8.0.11", 64391 "8.0.12", 64392 "8.0.14", 64393 "8.0.15", 64394 "8.0.17", 64395 "8.0.18", 64396 "8.0.20", 64397 "8.0.21", 64398 "8.0.22", 64399 "8.0.23", 64400 "8.0.24", 64401 "8.0.26", 64402 "8.0.27", 64403 "8.0.28", 64404 "8.0.29", 64405 "8.0.3", 64406 "8.0.30", 64407 "8.0.32", 64408 "8.0.33", 64409 "8.0.35", 64410 "8.0.36", 64411 "8.0.37", 64412 "8.0.38", 64413 "8.0.39", 64414 "8.0.41", 64415 "8.0.42", 64416 "8.0.43", 64417 "8.0.44", 64418 "8.0.45", 64419 "8.0.46", 64420 "8.0.47", 64421 "8.0.48", 64422 "8.0.49", 64423 "8.0.5", 64424 "8.0.50", 64425 "8.0.51", 64426 "8.0.52", 64427 "8.0.53", 64428 "8.0.8", 64429 "8.0.9", 64430 "8.5.0", 64431 "8.5.11", 64432 "8.5.12", 64433 "8.5.13", 64434 "8.5.14", 64435 "8.5.15", 64436 "8.5.16", 64437 "8.5.19", 64438 "8.5.2", 64439 "8.5.20", 64440 "8.5.21", 64441 "8.5.23", 64442 "8.5.24", 64443 "8.5.27", 64444 "8.5.28", 64445 "8.5.29", 64446 "8.5.3", 64447 "8.5.30", 64448 "8.5.31", 64449 "8.5.32", 64450 "8.5.33", 64451 "8.5.34", 64452 "8.5.35", 64453 "8.5.37", 64454 "8.5.4", 64455 "8.5.5", 64456 "8.5.6", 64457 "8.5.8", 64458 "8.5.9" 64459 ] 64460 } 64461 ], 64462 "aliases": [ 64463 "CVE-2019-0199" 64464 ], 64465 "database_specific": { 64466 "cwe_ids": [ 64467 "CWE-400" 64468 ], 64469 "github_reviewed": true, 64470 "github_reviewed_at": "2020-06-15T16:43:54Z", 64471 "nvd_published_at": "2019-04-10T15:29:00Z", 64472 "severity": "HIGH" 64473 }, 64474 "details": "The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep 
streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.", 64475 "id": "GHSA-qcxh-w3j9-58qr", 64476 "modified": "2024-03-16T05:16:48.960226Z", 64477 "published": "2020-06-15T18:51:09Z", 64478 "references": [ 64479 { 64480 "type": "ADVISORY", 64481 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0199" 64482 }, 64483 { 64484 "type": "WEB", 64485 "url": "https://lists.apache.org/thread.html/e1b0b273b6e8ddcc72c9023bc2394b1276fc72664144bf21d0a87995@%3Cannounce.tomcat.apache.org%3E" 64486 }, 64487 { 64488 "type": "WEB", 64489 "url": "https://lists.apache.org/thread.html/e56886e1bac9319ecce81b3612dd7a1a43174a3a741a1c805e16880e%40%3Ccommits.tomee.apache.org%3E" 64490 }, 64491 { 64492 "type": "WEB", 64493 "url": "https://lists.apache.org/thread.html/e56886e1bac9319ecce81b3612dd7a1a43174a3a741a1c805e16880e@%3Ccommits.tomee.apache.org%3E" 64494 }, 64495 { 64496 "type": "WEB", 64497 "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E" 64498 }, 64499 { 64500 "type": "WEB", 64501 "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E" 64502 }, 64503 { 64504 "type": "WEB", 64505 "url": "https://lists.apache.org/thread.html/e87733036e8c84ea648cdcdca3098f3c8a897e2652c33062b2b1535c%40%3Cusers.tomcat.apache.org%3E" 64506 }, 64507 { 64508 "type": "WEB", 64509 "url": "https://lists.apache.org/thread.html/e87733036e8c84ea648cdcdca3098f3c8a897e2652c33062b2b1535c@%3Cusers.tomcat.apache.org%3E" 64510 }, 64511 { 64512 "type": "WEB", 64513 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" 64514 }, 64515 { 64516 "type": "WEB", 64517 "url": 
"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" 64518 }, 64519 { 64520 "type": "WEB", 64521 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" 64522 }, 64523 { 64524 "type": "WEB", 64525 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" 64526 }, 64527 { 64528 "type": "WEB", 64529 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" 64530 }, 64531 { 64532 "type": "WEB", 64533 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" 64534 }, 64535 { 64536 "type": "WEB", 64537 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" 64538 }, 64539 { 64540 "type": "WEB", 64541 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" 64542 }, 64543 { 64544 "type": "WEB", 64545 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3" 64546 }, 64547 { 64548 "type": "WEB", 64549 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46" 64550 }, 64551 { 64552 "type": "WEB", 64553 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3" 64554 }, 64555 { 64556 "type": "WEB", 64557 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46" 64558 }, 64559 { 64560 "type": "WEB", 64561 "url": 
"https://seclists.org/bugtraq/2019/Dec/43" 64562 }, 64563 { 64564 "type": "WEB", 64565 "url": "https://security.netapp.com/advisory/ntap-20190419-0001" 64566 }, 64567 { 64568 "type": "WEB", 64569 "url": "https://support.f5.com/csp/article/K17321505" 64570 }, 64571 { 64572 "type": "WEB", 64573 "url": "https://web.archive.org/web/20200227030041/http://www.securityfocus.com/bid/107674" 64574 }, 64575 { 64576 "type": "WEB", 64577 "url": "https://www.debian.org/security/2019/dsa-4596" 64578 }, 64579 { 64580 "type": "WEB", 64581 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 64582 }, 64583 { 64584 "type": "WEB", 64585 "url": "https://www.oracle.com/security-alerts/cpujan2020.html" 64586 }, 64587 { 64588 "type": "WEB", 64589 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 64590 }, 64591 { 64592 "type": "WEB", 64593 "url": "https://access.redhat.com/errata/RHSA-2019:3929" 64594 }, 64595 { 64596 "type": "WEB", 64597 "url": "https://access.redhat.com/errata/RHSA-2019:3931" 64598 }, 64599 { 64600 "type": "PACKAGE", 64601 "url": "https://github.com/apache/tomcat" 64602 }, 64603 { 64604 "type": "WEB", 64605 "url": "https://lists.apache.org/thread.html/158ab719cf60448ddbb074798f09152fdb572fc8f781e70a56118d1a%40%3Cdev.tomcat.apache.org%3E" 64606 }, 64607 { 64608 "type": "WEB", 64609 "url": "https://lists.apache.org/thread.html/158ab719cf60448ddbb074798f09152fdb572fc8f781e70a56118d1a@%3Cdev.tomcat.apache.org%3E" 64610 }, 64611 { 64612 "type": "WEB", 64613 "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E" 64614 }, 64615 { 64616 "type": "WEB", 64617 "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" 64618 }, 64619 { 64620 "type": "WEB", 64621 "url": 
"https://lists.apache.org/thread.html/4c438fa4c78cb1ce8979077f668ab7145baf83e7c59f2faf7eccf094%40%3Cdev.tomcat.apache.org%3E" 64622 }, 64623 { 64624 "type": "WEB", 64625 "url": "https://lists.apache.org/thread.html/4c438fa4c78cb1ce8979077f668ab7145baf83e7c59f2faf7eccf094@%3Cdev.tomcat.apache.org%3E" 64626 }, 64627 { 64628 "type": "WEB", 64629 "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" 64630 }, 64631 { 64632 "type": "WEB", 64633 "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" 64634 }, 64635 { 64636 "type": "WEB", 64637 "url": "https://lists.apache.org/thread.html/7bb193bc68b28d21ff1c726fd38bea164deb6333b59eec2eb3661da6%40%3Cusers.tomcat.apache.org%3E" 64638 }, 64639 { 64640 "type": "WEB", 64641 "url": "https://lists.apache.org/thread.html/7bb193bc68b28d21ff1c726fd38bea164deb6333b59eec2eb3661da6@%3Cusers.tomcat.apache.org%3E" 64642 }, 64643 { 64644 "type": "WEB", 64645 "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" 64646 }, 64647 { 64648 "type": "WEB", 64649 "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" 64650 }, 64651 { 64652 "type": "WEB", 64653 "url": "https://lists.apache.org/thread.html/9fe25f98bac6d66f8a663a15c37a98bc2d8f8bbed1d408791a3e4067%40%3Cusers.tomcat.apache.org%3E" 64654 }, 64655 { 64656 "type": "WEB", 64657 "url": "https://lists.apache.org/thread.html/9fe25f98bac6d66f8a663a15c37a98bc2d8f8bbed1d408791a3e4067@%3Cusers.tomcat.apache.org%3E" 64658 }, 64659 { 64660 "type": "WEB", 64661 "url": "https://lists.apache.org/thread.html/a7a201bd23e67fd3326c9b22b814dd0537d3270b3b54a768e2e7ef50%40%3Cdev.tomcat.apache.org%3E" 64662 }, 64663 { 64664 "type": "WEB", 64665 "url": 
"https://lists.apache.org/thread.html/a7a201bd23e67fd3326c9b22b814dd0537d3270b3b54a768e2e7ef50@%3Cdev.tomcat.apache.org%3E" 64666 }, 64667 { 64668 "type": "WEB", 64669 "url": "https://lists.apache.org/thread.html/ac0185ce240a711b542a55bccf9349ab0c2f343d70cf7835e08fabc9%40%3Cannounce.apache.org%3E" 64670 }, 64671 { 64672 "type": "WEB", 64673 "url": "https://lists.apache.org/thread.html/ac0185ce240a711b542a55bccf9349ab0c2f343d70cf7835e08fabc9@%3Cannounce.apache.org%3E" 64674 }, 64675 { 64676 "type": "WEB", 64677 "url": "https://lists.apache.org/thread.html/cf4eb2bd2083cebb3602a293c653f9a7faa96c86f672c876f25b37ef%40%3Cannounce.apache.org%3E" 64678 }, 64679 { 64680 "type": "WEB", 64681 "url": "https://lists.apache.org/thread.html/cf4eb2bd2083cebb3602a293c653f9a7faa96c86f672c876f25b37ef@%3Cannounce.apache.org%3E" 64682 }, 64683 { 64684 "type": "WEB", 64685 "url": "https://lists.apache.org/thread.html/dddb3590bac28fbe89f69f5ccbe26283d014ddc691abdd042de14600%40%3Cannounce.tomcat.apache.org%3E" 64686 }, 64687 { 64688 "type": "WEB", 64689 "url": "https://lists.apache.org/thread.html/dddb3590bac28fbe89f69f5ccbe26283d014ddc691abdd042de14600@%3Cannounce.tomcat.apache.org%3E" 64690 }, 64691 { 64692 "type": "WEB", 64693 "url": "https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a%40%3Cannounce.tomcat.apache.org%3E" 64694 }, 64695 { 64696 "type": "WEB", 64697 "url": "https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E" 64698 }, 64699 { 64700 "type": "WEB", 64701 "url": "https://lists.apache.org/thread.html/e1b0b273b6e8ddcc72c9023bc2394b1276fc72664144bf21d0a87995%40%3Cannounce.tomcat.apache.org%3E" 64702 }, 64703 { 64704 "type": "WEB", 64705 "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html" 64706 }, 64707 { 64708 "type": "WEB", 64709 "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00013.html" 64710 }, 64711 { 
64712 "type": "WEB", 64713 "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html" 64714 } 64715 ], 64716 "schema_version": "1.6.0", 64717 "severity": [ 64718 { 64719 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 64720 "type": "CVSS_V3" 64721 } 64722 ], 64723 "summary": "Apache Tomcat Denial of Service vulnerability" 64724 }, 64725 { 64726 "affected": [ 64727 { 64728 "database_specific": { 64729 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 64730 }, 64731 "package": { 64732 "ecosystem": "SwiftURL", 64733 "name": "github.com/apple/swift-nio-http2" 64734 }, 64735 "ranges": [ 64736 { 64737 "events": [ 64738 { 64739 "introduced": "0" 64740 }, 64741 { 64742 "fixed": "1.28.0" 64743 } 64744 ], 64745 "type": "SEMVER" 64746 } 64747 ] 64748 }, 64749 { 64750 "database_specific": { 64751 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 64752 }, 64753 "package": { 64754 "ecosystem": "Go", 64755 "name": "golang.org/x/net", 64756 "purl": "pkg:golang/golang.org/x/net" 64757 }, 64758 "ranges": [ 64759 { 64760 "events": [ 64761 { 64762 "introduced": "0" 64763 }, 64764 { 64765 "fixed": "0.17.0" 64766 } 64767 ], 64768 "type": "SEMVER" 64769 } 64770 ] 64771 }, 64772 { 64773 "database_specific": { 64774 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 64775 }, 64776 "package": { 64777 "ecosystem": "Go", 64778 "name": "google.golang.org/grpc", 64779 "purl": "pkg:golang/google.golang.org/grpc" 64780 }, 64781 "ranges": [ 64782 { 64783 "events": [ 64784 { 64785 "introduced": "1.58.0" 64786 }, 64787 { 64788 "fixed": "1.58.3" 64789 } 64790 ], 64791 "type": "SEMVER" 64792 } 64793 ] 64794 }, 64795 { 64796 "database_specific": { 64797 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 64798 }, 64799 "package": { 64800 "ecosystem": "Go", 64801 "name": "google.golang.org/grpc", 64802 "purl": "pkg:golang/google.golang.org/grpc" 64803 }, 64804 "ranges": [ 64805 { 64806 "events": [ 64807 { 64808 "introduced": "1.57.0" 64809 }, 64810 { 64811 "fixed": "1.57.1" 64812 } 64813 ], 64814 "type": "SEMVER" 64815 } 64816 ] 64817 }, 64818 { 64819 "database_specific": { 64820 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 64821 }, 64822 "package": { 64823 "ecosystem": "Go", 64824 "name": "google.golang.org/grpc", 64825 "purl": "pkg:golang/google.golang.org/grpc" 64826 }, 64827 "ranges": [ 64828 { 64829 "events": [ 64830 { 64831 "introduced": "0" 64832 }, 64833 { 64834 "fixed": "1.56.3" 64835 } 64836 ], 64837 "type": "SEMVER" 64838 } 64839 ] 64840 }, 64841 { 64842 "database_specific": { 64843 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 64844 }, 64845 "package": { 64846 "ecosystem": "Maven", 64847 "name": "org.apache.tomcat:tomcat-coyote", 64848 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 64849 }, 64850 "ranges": [ 64851 { 64852 "events": [ 64853 { 64854 "introduced": "11.0.0-M1" 64855 }, 64856 { 64857 "fixed": "11.0.0-M12" 64858 } 64859 ], 64860 "type": "ECOSYSTEM" 64861 } 64862 ], 64863 "versions": [ 64864 "11.0.0-M1", 64865 "11.0.0-M10", 64866 "11.0.0-M11", 64867 "11.0.0-M3", 64868 "11.0.0-M4", 64869 "11.0.0-M5", 64870 "11.0.0-M6", 64871 "11.0.0-M7", 64872 "11.0.0-M9" 64873 ] 64874 }, 64875 { 64876 "database_specific": { 64877 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 64878 }, 64879 "package": { 64880 "ecosystem": 
"Maven", 64881 "name": "org.apache.tomcat:tomcat-coyote", 64882 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 64883 }, 64884 "ranges": [ 64885 { 64886 "events": [ 64887 { 64888 "introduced": "10.0.0" 64889 }, 64890 { 64891 "fixed": "10.1.14" 64892 } 64893 ], 64894 "type": "ECOSYSTEM" 64895 } 64896 ], 64897 "versions": [ 64898 "10.0.0", 64899 "10.0.10", 64900 "10.0.11", 64901 "10.0.12", 64902 "10.0.13", 64903 "10.0.14", 64904 "10.0.16", 64905 "10.0.17", 64906 "10.0.18", 64907 "10.0.2", 64908 "10.0.20", 64909 "10.0.21", 64910 "10.0.22", 64911 "10.0.23", 64912 "10.0.26", 64913 "10.0.27", 64914 "10.0.4", 64915 "10.0.5", 64916 "10.0.6", 64917 "10.0.7", 64918 "10.0.8", 64919 "10.1.0", 64920 "10.1.0-M1", 64921 "10.1.0-M10", 64922 "10.1.0-M11", 64923 "10.1.0-M12", 64924 "10.1.0-M14", 64925 "10.1.0-M15", 64926 "10.1.0-M16", 64927 "10.1.0-M17", 64928 "10.1.0-M2", 64929 "10.1.0-M4", 64930 "10.1.0-M5", 64931 "10.1.0-M6", 64932 "10.1.0-M7", 64933 "10.1.0-M8", 64934 "10.1.1", 64935 "10.1.10", 64936 "10.1.11", 64937 "10.1.12", 64938 "10.1.13", 64939 "10.1.2", 64940 "10.1.4", 64941 "10.1.5", 64942 "10.1.6", 64943 "10.1.7", 64944 "10.1.8", 64945 "10.1.9" 64946 ] 64947 }, 64948 { 64949 "database_specific": { 64950 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 64951 }, 64952 "package": { 64953 "ecosystem": "Maven", 64954 "name": "org.apache.tomcat:tomcat-coyote", 64955 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 64956 }, 64957 "ranges": [ 64958 { 64959 "events": [ 64960 { 64961 "introduced": "9.0.0" 64962 }, 64963 { 64964 "fixed": "9.0.81" 64965 } 64966 ], 64967 "type": "ECOSYSTEM" 64968 } 64969 ], 64970 "versions": [ 64971 "9.0.1", 64972 "9.0.10", 64973 "9.0.11", 64974 "9.0.12", 64975 "9.0.13", 64976 "9.0.14", 64977 "9.0.16", 64978 "9.0.17", 64979 "9.0.19", 64980 "9.0.2", 64981 "9.0.20", 64982 "9.0.21", 64983 "9.0.22", 64984 "9.0.24", 64985 "9.0.26", 64986 "9.0.27", 
64987 "9.0.29", 64988 "9.0.30", 64989 "9.0.31", 64990 "9.0.33", 64991 "9.0.34", 64992 "9.0.35", 64993 "9.0.36", 64994 "9.0.37", 64995 "9.0.38", 64996 "9.0.39", 64997 "9.0.4", 64998 "9.0.40", 64999 "9.0.41", 65000 "9.0.43", 65001 "9.0.44", 65002 "9.0.45", 65003 "9.0.46", 65004 "9.0.48", 65005 "9.0.5", 65006 "9.0.50", 65007 "9.0.52", 65008 "9.0.53", 65009 "9.0.54", 65010 "9.0.55", 65011 "9.0.56", 65012 "9.0.58", 65013 "9.0.59", 65014 "9.0.6", 65015 "9.0.60", 65016 "9.0.62", 65017 "9.0.63", 65018 "9.0.64", 65019 "9.0.65", 65020 "9.0.67", 65021 "9.0.68", 65022 "9.0.69", 65023 "9.0.7", 65024 "9.0.70", 65025 "9.0.71", 65026 "9.0.72", 65027 "9.0.73", 65028 "9.0.74", 65029 "9.0.75", 65030 "9.0.76", 65031 "9.0.78", 65032 "9.0.79", 65033 "9.0.8", 65034 "9.0.80" 65035 ] 65036 }, 65037 { 65038 "database_specific": { 65039 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 65040 }, 65041 "package": { 65042 "ecosystem": "Maven", 65043 "name": "org.apache.tomcat:tomcat-coyote", 65044 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 65045 }, 65046 "ranges": [ 65047 { 65048 "events": [ 65049 { 65050 "introduced": "8.5.0" 65051 }, 65052 { 65053 "fixed": "8.5.94" 65054 } 65055 ], 65056 "type": "ECOSYSTEM" 65057 } 65058 ], 65059 "versions": [ 65060 "8.5.0", 65061 "8.5.11", 65062 "8.5.12", 65063 "8.5.13", 65064 "8.5.14", 65065 "8.5.15", 65066 "8.5.16", 65067 "8.5.19", 65068 "8.5.2", 65069 "8.5.20", 65070 "8.5.21", 65071 "8.5.23", 65072 "8.5.24", 65073 "8.5.27", 65074 "8.5.28", 65075 "8.5.29", 65076 "8.5.3", 65077 "8.5.30", 65078 "8.5.31", 65079 "8.5.32", 65080 "8.5.33", 65081 "8.5.34", 65082 "8.5.35", 65083 "8.5.37", 65084 "8.5.38", 65085 "8.5.39", 65086 "8.5.4", 65087 "8.5.40", 65088 "8.5.41", 65089 "8.5.42", 65090 "8.5.43", 65091 "8.5.45", 65092 "8.5.46", 65093 "8.5.47", 65094 "8.5.49", 65095 "8.5.5", 65096 "8.5.50", 65097 "8.5.51", 65098 "8.5.53", 65099 "8.5.54", 65100 "8.5.55", 65101 
"8.5.56", 65102 "8.5.57", 65103 "8.5.58", 65104 "8.5.59", 65105 "8.5.6", 65106 "8.5.60", 65107 "8.5.61", 65108 "8.5.63", 65109 "8.5.64", 65110 "8.5.65", 65111 "8.5.66", 65112 "8.5.68", 65113 "8.5.69", 65114 "8.5.70", 65115 "8.5.71", 65116 "8.5.72", 65117 "8.5.73", 65118 "8.5.75", 65119 "8.5.76", 65120 "8.5.77", 65121 "8.5.78", 65122 "8.5.79", 65123 "8.5.8", 65124 "8.5.81", 65125 "8.5.82", 65126 "8.5.83", 65127 "8.5.84", 65128 "8.5.85", 65129 "8.5.86", 65130 "8.5.87", 65131 "8.5.88", 65132 "8.5.89", 65133 "8.5.9", 65134 "8.5.90", 65135 "8.5.91", 65136 "8.5.92", 65137 "8.5.93" 65138 ] 65139 }, 65140 { 65141 "database_specific": { 65142 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 65143 }, 65144 "package": { 65145 "ecosystem": "Maven", 65146 "name": "org.apache.tomcat.embed:tomcat-embed-core", 65147 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 65148 }, 65149 "ranges": [ 65150 { 65151 "events": [ 65152 { 65153 "introduced": "11.0.0-M1" 65154 }, 65155 { 65156 "fixed": "11.0.0-M12" 65157 } 65158 ], 65159 "type": "ECOSYSTEM" 65160 } 65161 ], 65162 "versions": [ 65163 "11.0.0-M1", 65164 "11.0.0-M10", 65165 "11.0.0-M11", 65166 "11.0.0-M3", 65167 "11.0.0-M4", 65168 "11.0.0-M5", 65169 "11.0.0-M6", 65170 "11.0.0-M7", 65171 "11.0.0-M9" 65172 ] 65173 }, 65174 { 65175 "database_specific": { 65176 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 65177 }, 65178 "package": { 65179 "ecosystem": "Maven", 65180 "name": "org.apache.tomcat.embed:tomcat-embed-core", 65181 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 65182 }, 65183 "ranges": [ 65184 { 65185 "events": [ 65186 { 65187 "introduced": "10.0.0" 65188 }, 65189 { 65190 "fixed": "10.1.14" 65191 } 65192 ], 65193 "type": "ECOSYSTEM" 65194 } 65195 ], 65196 "versions": [ 65197 "10.0.0", 65198 "10.0.10", 
65199 "10.0.11", 65200 "10.0.12", 65201 "10.0.13", 65202 "10.0.14", 65203 "10.0.16", 65204 "10.0.17", 65205 "10.0.18", 65206 "10.0.2", 65207 "10.0.20", 65208 "10.0.21", 65209 "10.0.22", 65210 "10.0.23", 65211 "10.0.26", 65212 "10.0.27", 65213 "10.0.4", 65214 "10.0.5", 65215 "10.0.6", 65216 "10.0.7", 65217 "10.0.8", 65218 "10.1.0", 65219 "10.1.0-M1", 65220 "10.1.0-M10", 65221 "10.1.0-M11", 65222 "10.1.0-M12", 65223 "10.1.0-M14", 65224 "10.1.0-M15", 65225 "10.1.0-M16", 65226 "10.1.0-M17", 65227 "10.1.0-M2", 65228 "10.1.0-M4", 65229 "10.1.0-M5", 65230 "10.1.0-M6", 65231 "10.1.0-M7", 65232 "10.1.0-M8", 65233 "10.1.1", 65234 "10.1.10", 65235 "10.1.11", 65236 "10.1.12", 65237 "10.1.13", 65238 "10.1.2", 65239 "10.1.4", 65240 "10.1.5", 65241 "10.1.6", 65242 "10.1.7", 65243 "10.1.8", 65244 "10.1.9" 65245 ] 65246 }, 65247 { 65248 "database_specific": { 65249 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 65250 }, 65251 "package": { 65252 "ecosystem": "Maven", 65253 "name": "org.apache.tomcat.embed:tomcat-embed-core", 65254 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 65255 }, 65256 "ranges": [ 65257 { 65258 "events": [ 65259 { 65260 "introduced": "9.0.0" 65261 }, 65262 { 65263 "fixed": "9.0.81" 65264 } 65265 ], 65266 "type": "ECOSYSTEM" 65267 } 65268 ], 65269 "versions": [ 65270 "9.0.1", 65271 "9.0.10", 65272 "9.0.11", 65273 "9.0.12", 65274 "9.0.13", 65275 "9.0.14", 65276 "9.0.16", 65277 "9.0.17", 65278 "9.0.19", 65279 "9.0.2", 65280 "9.0.20", 65281 "9.0.21", 65282 "9.0.22", 65283 "9.0.24", 65284 "9.0.26", 65285 "9.0.27", 65286 "9.0.29", 65287 "9.0.30", 65288 "9.0.31", 65289 "9.0.33", 65290 "9.0.34", 65291 "9.0.35", 65292 "9.0.36", 65293 "9.0.37", 65294 "9.0.38", 65295 "9.0.39", 65296 "9.0.4", 65297 "9.0.40", 65298 "9.0.41", 65299 "9.0.43", 65300 "9.0.44", 65301 "9.0.45", 65302 "9.0.46", 65303 "9.0.48", 65304 "9.0.5", 65305 "9.0.50", 65306 "9.0.52", 65307 
"9.0.53", 65308 "9.0.54", 65309 "9.0.55", 65310 "9.0.56", 65311 "9.0.58", 65312 "9.0.59", 65313 "9.0.6", 65314 "9.0.60", 65315 "9.0.62", 65316 "9.0.63", 65317 "9.0.64", 65318 "9.0.65", 65319 "9.0.67", 65320 "9.0.68", 65321 "9.0.69", 65322 "9.0.7", 65323 "9.0.70", 65324 "9.0.71", 65325 "9.0.72", 65326 "9.0.73", 65327 "9.0.74", 65328 "9.0.75", 65329 "9.0.76", 65330 "9.0.78", 65331 "9.0.79", 65332 "9.0.8", 65333 "9.0.80" 65334 ] 65335 }, 65336 { 65337 "database_specific": { 65338 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 65339 }, 65340 "package": { 65341 "ecosystem": "Maven", 65342 "name": "org.apache.tomcat.embed:tomcat-embed-core", 65343 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 65344 }, 65345 "ranges": [ 65346 { 65347 "events": [ 65348 { 65349 "introduced": "8.5.0" 65350 }, 65351 { 65352 "fixed": "8.5.94" 65353 } 65354 ], 65355 "type": "ECOSYSTEM" 65356 } 65357 ], 65358 "versions": [ 65359 "8.5.0", 65360 "8.5.11", 65361 "8.5.12", 65362 "8.5.13", 65363 "8.5.14", 65364 "8.5.15", 65365 "8.5.16", 65366 "8.5.19", 65367 "8.5.2", 65368 "8.5.20", 65369 "8.5.21", 65370 "8.5.23", 65371 "8.5.24", 65372 "8.5.27", 65373 "8.5.28", 65374 "8.5.29", 65375 "8.5.3", 65376 "8.5.30", 65377 "8.5.31", 65378 "8.5.32", 65379 "8.5.33", 65380 "8.5.34", 65381 "8.5.35", 65382 "8.5.37", 65383 "8.5.38", 65384 "8.5.39", 65385 "8.5.4", 65386 "8.5.40", 65387 "8.5.41", 65388 "8.5.42", 65389 "8.5.43", 65390 "8.5.45", 65391 "8.5.46", 65392 "8.5.47", 65393 "8.5.49", 65394 "8.5.5", 65395 "8.5.50", 65396 "8.5.51", 65397 "8.5.53", 65398 "8.5.54", 65399 "8.5.55", 65400 "8.5.56", 65401 "8.5.57", 65402 "8.5.58", 65403 "8.5.59", 65404 "8.5.6", 65405 "8.5.60", 65406 "8.5.61", 65407 "8.5.63", 65408 "8.5.64", 65409 "8.5.65", 65410 "8.5.66", 65411 "8.5.68", 65412 "8.5.69", 65413 "8.5.70", 65414 "8.5.71", 65415 "8.5.72", 65416 "8.5.73", 65417 "8.5.75", 65418 "8.5.76", 65419 "8.5.77", 65420 
"8.5.78", 65421 "8.5.79", 65422 "8.5.8", 65423 "8.5.81", 65424 "8.5.82", 65425 "8.5.83", 65426 "8.5.84", 65427 "8.5.85", 65428 "8.5.86", 65429 "8.5.87", 65430 "8.5.88", 65431 "8.5.89", 65432 "8.5.9", 65433 "8.5.90", 65434 "8.5.91", 65435 "8.5.92", 65436 "8.5.93" 65437 ] 65438 }, 65439 { 65440 "database_specific": { 65441 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 65442 }, 65443 "package": { 65444 "ecosystem": "Maven", 65445 "name": "org.eclipse.jetty.http2:http2-common", 65446 "purl": "pkg:maven/org.eclipse.jetty.http2/http2-common" 65447 }, 65448 "ranges": [ 65449 { 65450 "events": [ 65451 { 65452 "introduced": "9.3.0" 65453 }, 65454 { 65455 "fixed": "9.4.53" 65456 } 65457 ], 65458 "type": "ECOSYSTEM" 65459 } 65460 ], 65461 "versions": [ 65462 "9.3.0.v20150612", 65463 "9.3.1.v20150714", 65464 "9.3.10.M0", 65465 "9.3.10.v20160621", 65466 "9.3.11.M0", 65467 "9.3.11.v20160721", 65468 "9.3.12.v20160915", 65469 "9.3.13.M0", 65470 "9.3.13.v20161014", 65471 "9.3.14.v20161028", 65472 "9.3.15.v20161220", 65473 "9.3.16.v20170120", 65474 "9.3.17.RC0", 65475 "9.3.17.v20170317", 65476 "9.3.18.v20170406", 65477 "9.3.19.v20170502", 65478 "9.3.2.v20150730", 65479 "9.3.20.v20170531", 65480 "9.3.21.M0", 65481 "9.3.21.RC0", 65482 "9.3.21.v20170918", 65483 "9.3.22.v20171030", 65484 "9.3.23.v20180228", 65485 "9.3.24.v20180605", 65486 "9.3.25.v20180904", 65487 "9.3.26.v20190403", 65488 "9.3.27.v20190418", 65489 "9.3.28.v20191105", 65490 "9.3.29.v20201019", 65491 "9.3.3.v20150827", 65492 "9.3.30.v20211001", 65493 "9.3.4.RC0", 65494 "9.3.4.RC1", 65495 "9.3.4.v20151007", 65496 "9.3.5.v20151012", 65497 "9.3.6.v20151106", 65498 "9.3.7.RC0", 65499 "9.3.7.RC1", 65500 "9.3.7.v20160115", 65501 "9.3.8.RC0", 65502 "9.3.8.v20160314", 65503 "9.3.9.M0", 65504 "9.3.9.M1", 65505 "9.3.9.v20160517", 65506 "9.4.0.M0", 65507 "9.4.0.M1", 65508 "9.4.0.RC0", 65509 "9.4.0.RC1", 65510 "9.4.0.RC2", 65511 
"9.4.0.RC3", 65512 "9.4.0.v20161208", 65513 "9.4.0.v20180619", 65514 "9.4.1.v20170120", 65515 "9.4.1.v20180619", 65516 "9.4.10.RC0", 65517 "9.4.10.RC1", 65518 "9.4.10.v20180503", 65519 "9.4.11.v20180605", 65520 "9.4.12.RC0", 65521 "9.4.12.RC1", 65522 "9.4.12.RC2", 65523 "9.4.12.v20180830", 65524 "9.4.13.v20181111", 65525 "9.4.14.v20181114", 65526 "9.4.15.v20190215", 65527 "9.4.16.v20190411", 65528 "9.4.17.v20190418", 65529 "9.4.18.v20190429", 65530 "9.4.19.v20190610", 65531 "9.4.2.v20170220", 65532 "9.4.2.v20180619", 65533 "9.4.20.v20190813", 65534 "9.4.21.v20190926", 65535 "9.4.22.v20191022", 65536 "9.4.23.v20191118", 65537 "9.4.24.v20191120", 65538 "9.4.25.v20191220", 65539 "9.4.26.v20200117", 65540 "9.4.27.v20200227", 65541 "9.4.28.v20200408", 65542 "9.4.29.v20200521", 65543 "9.4.3.v20170317", 65544 "9.4.3.v20180619", 65545 "9.4.30.v20200611", 65546 "9.4.31.v20200723", 65547 "9.4.32.v20200930", 65548 "9.4.33.v20201020", 65549 "9.4.34.v20201102", 65550 "9.4.35.v20201120", 65551 "9.4.36.v20210114", 65552 "9.4.37.v20210219", 65553 "9.4.38.v20210224", 65554 "9.4.39.v20210325", 65555 "9.4.4.v20170414", 65556 "9.4.4.v20180619", 65557 "9.4.40.v20210413", 65558 "9.4.41.v20210516", 65559 "9.4.42.v20210604", 65560 "9.4.43.v20210629", 65561 "9.4.44.v20210927", 65562 "9.4.45.v20220203", 65563 "9.4.46.v20220331", 65564 "9.4.47.v20220610", 65565 "9.4.48.v20220622", 65566 "9.4.49.v20220914", 65567 "9.4.5.v20170502", 65568 "9.4.5.v20180619", 65569 "9.4.50.v20221201", 65570 "9.4.51.v20230217", 65571 "9.4.52.v20230823", 65572 "9.4.6.v20170531", 65573 "9.4.6.v20180619", 65574 "9.4.7.RC0", 65575 "9.4.7.v20170914", 65576 "9.4.7.v20180619", 65577 "9.4.8.v20171121", 65578 "9.4.8.v20180619", 65579 "9.4.9.v20180320" 65580 ] 65581 }, 65582 { 65583 "database_specific": { 65584 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 65585 }, 65586 "package": { 65587 "ecosystem": "Maven", 65588 "name": 
"org.eclipse.jetty.http2:http2-common", 65589 "purl": "pkg:maven/org.eclipse.jetty.http2/http2-common" 65590 }, 65591 "ranges": [ 65592 { 65593 "events": [ 65594 { 65595 "introduced": "10.0.0" 65596 }, 65597 { 65598 "fixed": "10.0.17" 65599 } 65600 ], 65601 "type": "ECOSYSTEM" 65602 } 65603 ], 65604 "versions": [ 65605 "10.0.0", 65606 "10.0.1", 65607 "10.0.10", 65608 "10.0.11", 65609 "10.0.12", 65610 "10.0.13", 65611 "10.0.14", 65612 "10.0.15", 65613 "10.0.16", 65614 "10.0.2", 65615 "10.0.3", 65616 "10.0.4", 65617 "10.0.5", 65618 "10.0.6", 65619 "10.0.7", 65620 "10.0.8", 65621 "10.0.9" 65622 ] 65623 }, 65624 { 65625 "database_specific": { 65626 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 65627 }, 65628 "package": { 65629 "ecosystem": "Maven", 65630 "name": "org.eclipse.jetty.http2:http2-common", 65631 "purl": "pkg:maven/org.eclipse.jetty.http2/http2-common" 65632 }, 65633 "ranges": [ 65634 { 65635 "events": [ 65636 { 65637 "introduced": "11.0.0" 65638 }, 65639 { 65640 "fixed": "11.0.17" 65641 } 65642 ], 65643 "type": "ECOSYSTEM" 65644 } 65645 ], 65646 "versions": [ 65647 "11.0.0", 65648 "11.0.1", 65649 "11.0.10", 65650 "11.0.11", 65651 "11.0.12", 65652 "11.0.13", 65653 "11.0.14", 65654 "11.0.15", 65655 "11.0.16", 65656 "11.0.2", 65657 "11.0.3", 65658 "11.0.4", 65659 "11.0.5", 65660 "11.0.6", 65661 "11.0.7", 65662 "11.0.8", 65663 "11.0.9" 65664 ] 65665 }, 65666 { 65667 "database_specific": { 65668 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 65669 }, 65670 "package": { 65671 "ecosystem": "Maven", 65672 "name": "org.eclipse.jetty.http2:http2-server", 65673 "purl": "pkg:maven/org.eclipse.jetty.http2/http2-server" 65674 }, 65675 "ranges": [ 65676 { 65677 "events": [ 65678 { 65679 "introduced": "9.3.0" 65680 }, 65681 { 65682 "fixed": "9.4.53" 65683 } 65684 ], 65685 
"type": "ECOSYSTEM" 65686 } 65687 ], 65688 "versions": [ 65689 "9.3.0.v20150612", 65690 "9.3.1.v20150714", 65691 "9.3.10.M0", 65692 "9.3.10.v20160621", 65693 "9.3.11.M0", 65694 "9.3.11.v20160721", 65695 "9.3.12.v20160915", 65696 "9.3.13.M0", 65697 "9.3.13.v20161014", 65698 "9.3.14.v20161028", 65699 "9.3.15.v20161220", 65700 "9.3.16.v20170120", 65701 "9.3.17.RC0", 65702 "9.3.17.v20170317", 65703 "9.3.18.v20170406", 65704 "9.3.19.v20170502", 65705 "9.3.2.v20150730", 65706 "9.3.20.v20170531", 65707 "9.3.21.M0", 65708 "9.3.21.RC0", 65709 "9.3.21.v20170918", 65710 "9.3.22.v20171030", 65711 "9.3.23.v20180228", 65712 "9.3.24.v20180605", 65713 "9.3.25.v20180904", 65714 "9.3.26.v20190403", 65715 "9.3.27.v20190418", 65716 "9.3.28.v20191105", 65717 "9.3.29.v20201019", 65718 "9.3.3.v20150827", 65719 "9.3.30.v20211001", 65720 "9.3.4.RC0", 65721 "9.3.4.RC1", 65722 "9.3.4.v20151007", 65723 "9.3.5.v20151012", 65724 "9.3.6.v20151106", 65725 "9.3.7.RC0", 65726 "9.3.7.RC1", 65727 "9.3.7.v20160115", 65728 "9.3.8.RC0", 65729 "9.3.8.v20160314", 65730 "9.3.9.M0", 65731 "9.3.9.M1", 65732 "9.3.9.v20160517", 65733 "9.4.0.M0", 65734 "9.4.0.M1", 65735 "9.4.0.RC0", 65736 "9.4.0.RC1", 65737 "9.4.0.RC2", 65738 "9.4.0.RC3", 65739 "9.4.0.v20161208", 65740 "9.4.0.v20180619", 65741 "9.4.1.v20170120", 65742 "9.4.1.v20180619", 65743 "9.4.10.RC0", 65744 "9.4.10.RC1", 65745 "9.4.10.v20180503", 65746 "9.4.11.v20180605", 65747 "9.4.12.RC0", 65748 "9.4.12.RC1", 65749 "9.4.12.RC2", 65750 "9.4.12.v20180830", 65751 "9.4.13.v20181111", 65752 "9.4.14.v20181114", 65753 "9.4.15.v20190215", 65754 "9.4.16.v20190411", 65755 "9.4.17.v20190418", 65756 "9.4.18.v20190429", 65757 "9.4.19.v20190610", 65758 "9.4.2.v20170220", 65759 "9.4.2.v20180619", 65760 "9.4.20.v20190813", 65761 "9.4.21.v20190926", 65762 "9.4.22.v20191022", 65763 "9.4.23.v20191118", 65764 "9.4.24.v20191120", 65765 "9.4.25.v20191220", 65766 "9.4.26.v20200117", 65767 "9.4.27.v20200227", 65768 "9.4.28.v20200408", 65769 "9.4.29.v20200521", 65770 
"9.4.3.v20170317", 65771 "9.4.3.v20180619", 65772 "9.4.30.v20200611", 65773 "9.4.31.v20200723", 65774 "9.4.32.v20200930", 65775 "9.4.33.v20201020", 65776 "9.4.34.v20201102", 65777 "9.4.35.v20201120", 65778 "9.4.36.v20210114", 65779 "9.4.37.v20210219", 65780 "9.4.38.v20210224", 65781 "9.4.39.v20210325", 65782 "9.4.4.v20170414", 65783 "9.4.4.v20180619", 65784 "9.4.40.v20210413", 65785 "9.4.41.v20210516", 65786 "9.4.42.v20210604", 65787 "9.4.43.v20210629", 65788 "9.4.44.v20210927", 65789 "9.4.45.v20220203", 65790 "9.4.46.v20220331", 65791 "9.4.47.v20220610", 65792 "9.4.48.v20220622", 65793 "9.4.49.v20220914", 65794 "9.4.5.v20170502", 65795 "9.4.5.v20180619", 65796 "9.4.50.v20221201", 65797 "9.4.51.v20230217", 65798 "9.4.52.v20230823", 65799 "9.4.6.v20170531", 65800 "9.4.6.v20180619", 65801 "9.4.7.RC0", 65802 "9.4.7.v20170914", 65803 "9.4.7.v20180619", 65804 "9.4.8.v20171121", 65805 "9.4.8.v20180619", 65806 "9.4.9.v20180320" 65807 ] 65808 }, 65809 { 65810 "database_specific": { 65811 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 65812 }, 65813 "package": { 65814 "ecosystem": "Maven", 65815 "name": "org.eclipse.jetty.http2:http2-server", 65816 "purl": "pkg:maven/org.eclipse.jetty.http2/http2-server" 65817 }, 65818 "ranges": [ 65819 { 65820 "events": [ 65821 { 65822 "introduced": "10.0.0" 65823 }, 65824 { 65825 "fixed": "10.0.17" 65826 } 65827 ], 65828 "type": "ECOSYSTEM" 65829 } 65830 ], 65831 "versions": [ 65832 "10.0.0", 65833 "10.0.1", 65834 "10.0.10", 65835 "10.0.11", 65836 "10.0.12", 65837 "10.0.13", 65838 "10.0.14", 65839 "10.0.15", 65840 "10.0.16", 65841 "10.0.2", 65842 "10.0.3", 65843 "10.0.4", 65844 "10.0.5", 65845 "10.0.6", 65846 "10.0.7", 65847 "10.0.8", 65848 "10.0.9" 65849 ] 65850 }, 65851 { 65852 "database_specific": { 65853 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 65854 }, 65855 "package": { 65856 "ecosystem": "Maven", 65857 "name": "org.eclipse.jetty.http2:http2-server", 65858 "purl": "pkg:maven/org.eclipse.jetty.http2/http2-server" 65859 }, 65860 "ranges": [ 65861 { 65862 "events": [ 65863 { 65864 "introduced": "11.0.0" 65865 }, 65866 { 65867 "fixed": "11.0.17" 65868 } 65869 ], 65870 "type": "ECOSYSTEM" 65871 } 65872 ], 65873 "versions": [ 65874 "11.0.0", 65875 "11.0.1", 65876 "11.0.10", 65877 "11.0.11", 65878 "11.0.12", 65879 "11.0.13", 65880 "11.0.14", 65881 "11.0.15", 65882 "11.0.16", 65883 "11.0.2", 65884 "11.0.3", 65885 "11.0.4", 65886 "11.0.5", 65887 "11.0.6", 65888 "11.0.7", 65889 "11.0.8", 65890 "11.0.9" 65891 ] 65892 }, 65893 { 65894 "database_specific": { 65895 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 65896 }, 65897 "package": { 65898 "ecosystem": "Maven", 65899 "name": "org.eclipse.jetty.http2:jetty-http2-common", 65900 "purl": "pkg:maven/org.eclipse.jetty.http2/jetty-http2-common" 65901 }, 65902 "ranges": [ 65903 { 65904 "events": [ 65905 { 65906 "introduced": "12.0.0" 65907 }, 65908 { 65909 "fixed": "12.0.2" 65910 } 65911 ], 65912 "type": "ECOSYSTEM" 65913 } 65914 ], 65915 "versions": [ 65916 "12.0.0", 65917 "12.0.1" 65918 ] 65919 }, 65920 { 65921 "database_specific": { 65922 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 65923 }, 65924 "package": { 65925 "ecosystem": "Maven", 65926 "name": "org.eclipse.jetty.http2:jetty-http2-server", 65927 "purl": "pkg:maven/org.eclipse.jetty.http2/jetty-http2-server" 65928 }, 65929 "ranges": [ 65930 { 65931 "events": [ 65932 { 65933 "introduced": "12.0.0" 65934 }, 65935 { 65936 "fixed": "12.0.2" 65937 } 65938 ], 65939 "type": "ECOSYSTEM" 
65940 } 65941 ], 65942 "versions": [ 65943 "12.0.0", 65944 "12.0.1" 65945 ] 65946 }, 65947 { 65948 "database_specific": { 65949 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 65950 }, 65951 "package": { 65952 "ecosystem": "Maven", 65953 "name": "com.typesafe.akka:akka-http-core", 65954 "purl": "pkg:maven/com.typesafe.akka/akka-http-core" 65955 }, 65956 "ranges": [ 65957 { 65958 "events": [ 65959 { 65960 "introduced": "0" 65961 }, 65962 { 65963 "fixed": "10.5.3" 65964 } 65965 ], 65966 "type": "ECOSYSTEM" 65967 } 65968 ], 65969 "versions": [ 65970 "3.0.0-RC1" 65971 ] 65972 }, 65973 { 65974 "database_specific": { 65975 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 65976 }, 65977 "package": { 65978 "ecosystem": "Maven", 65979 "name": "com.typesafe.akka:akka-http-core_2.13", 65980 "purl": "pkg:maven/com.typesafe.akka/akka-http-core_2.13" 65981 }, 65982 "ranges": [ 65983 { 65984 "events": [ 65985 { 65986 "introduced": "0" 65987 }, 65988 { 65989 "fixed": "10.5.3" 65990 } 65991 ], 65992 "type": "ECOSYSTEM" 65993 } 65994 ], 65995 "versions": [ 65996 "10.1.10", 65997 "10.1.11", 65998 "10.1.12", 65999 "10.1.13", 66000 "10.1.14", 66001 "10.1.15", 66002 "10.1.8", 66003 "10.1.9", 66004 "10.2.0", 66005 "10.2.0-M1", 66006 "10.2.0-RC1", 66007 "10.2.0-RC2", 66008 "10.2.1", 66009 "10.2.10", 66010 "10.2.2", 66011 "10.2.3", 66012 "10.2.4", 66013 "10.2.5", 66014 "10.2.5-M1", 66015 "10.2.5-M2", 66016 "10.2.6", 66017 "10.2.7", 66018 "10.2.8", 66019 "10.2.9", 66020 "10.4.0", 66021 "10.4.0-M1", 66022 "10.4.0-M2", 66023 "10.5.0", 66024 "10.5.0-M1", 66025 "10.5.1", 66026 "10.5.2" 66027 ] 66028 }, 66029 { 66030 "database_specific": { 66031 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 66032 }, 66033 
"package": { 66034 "ecosystem": "Maven", 66035 "name": "com.typesafe.akka:akka-http-core_2.12", 66036 "purl": "pkg:maven/com.typesafe.akka/akka-http-core_2.12" 66037 }, 66038 "ranges": [ 66039 { 66040 "events": [ 66041 { 66042 "introduced": "0" 66043 }, 66044 { 66045 "fixed": "10.5.3" 66046 } 66047 ], 66048 "type": "ECOSYSTEM" 66049 } 66050 ], 66051 "versions": [ 66052 "10.0.0", 66053 "10.0.0-RC2", 66054 "10.0.1", 66055 "10.0.10", 66056 "10.0.11", 66057 "10.0.12", 66058 "10.0.13", 66059 "10.0.14", 66060 "10.0.15", 66061 "10.0.2", 66062 "10.0.3", 66063 "10.0.4", 66064 "10.0.5", 66065 "10.0.6", 66066 "10.0.6+7-e2ba6752", 66067 "10.0.7", 66068 "10.0.8", 66069 "10.0.9", 66070 "10.1.0", 66071 "10.1.0-RC1", 66072 "10.1.0-RC2", 66073 "10.1.1", 66074 "10.1.10", 66075 "10.1.11", 66076 "10.1.12", 66077 "10.1.13", 66078 "10.1.14", 66079 "10.1.15", 66080 "10.1.2", 66081 "10.1.3", 66082 "10.1.4", 66083 "10.1.5", 66084 "10.1.6", 66085 "10.1.7", 66086 "10.1.8", 66087 "10.1.9", 66088 "10.2.0", 66089 "10.2.0-M1", 66090 "10.2.0-RC1", 66091 "10.2.0-RC2", 66092 "10.2.1", 66093 "10.2.10", 66094 "10.2.2", 66095 "10.2.3", 66096 "10.2.4", 66097 "10.2.5", 66098 "10.2.5-M1", 66099 "10.2.5-M2", 66100 "10.2.6", 66101 "10.2.7", 66102 "10.2.8", 66103 "10.2.9", 66104 "10.4.0", 66105 "10.4.0-M1", 66106 "10.4.0-M2", 66107 "10.5.0", 66108 "10.5.0-M1", 66109 "10.5.1", 66110 "10.5.2" 66111 ] 66112 }, 66113 { 66114 "database_specific": { 66115 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json" 66116 }, 66117 "package": { 66118 "ecosystem": "Maven", 66119 "name": "com.typesafe.akka:akka-http-core_2.11", 66120 "purl": "pkg:maven/com.typesafe.akka/akka-http-core_2.11" 66121 }, 66122 "ranges": [ 66123 { 66124 "events": [ 66125 { 66126 "introduced": "0" 66127 }, 66128 { 66129 "last_affected": "10.1.15" 66130 } 66131 ], 66132 "type": "ECOSYSTEM" 66133 } 66134 ], 66135 "versions": [ 66136 "10.0.0", 66137 
"10.0.0-RC2", 66138 "10.0.1", 66139 "10.0.10", 66140 "10.0.11", 66141 "10.0.12", 66142 "10.0.13", 66143 "10.0.14", 66144 "10.0.15", 66145 "10.0.2", 66146 "10.0.3", 66147 "10.0.4", 66148 "10.0.5", 66149 "10.0.6", 66150 "10.0.6+7-e2ba6752", 66151 "10.0.7", 66152 "10.0.8", 66153 "10.0.9", 66154 "10.1.0", 66155 "10.1.0-RC1", 66156 "10.1.0-RC2", 66157 "10.1.1", 66158 "10.1.10", 66159 "10.1.11", 66160 "10.1.12", 66161 "10.1.13", 66162 "10.1.14", 66163 "10.1.15", 66164 "10.1.2", 66165 "10.1.3", 66166 "10.1.4", 66167 "10.1.5", 66168 "10.1.6", 66169 "10.1.7", 66170 "10.1.8", 66171 "10.1.9", 66172 "2.4-ARTERY-M1", 66173 "2.4-ARTERY-M2", 66174 "2.4-ARTERY-M3", 66175 "2.4-ARTERY-M4", 66176 "2.4.10", 66177 "2.4.11", 66178 "2.4.11.1", 66179 "2.4.11.2", 66180 "2.4.2", 66181 "2.4.2-RC1", 66182 "2.4.2-RC2", 66183 "2.4.2-RC3", 66184 "2.4.3", 66185 "2.4.4", 66186 "2.4.5", 66187 "2.4.6", 66188 "2.4.7", 66189 "2.4.8", 66190 "2.4.9", 66191 "2.4.9-RC1", 66192 "2.4.9-RC2", 66193 "3.0.0-RC1" 66194 ] 66195 } 66196 ], 66197 "aliases": [ 66198 "BIT-apisix-2023-44487", 66199 "BIT-aspnet-core-2023-44487", 66200 "BIT-contour-2023-44487", 66201 "BIT-dotnet-2023-44487", 66202 "BIT-dotnet-sdk-2023-44487", 66203 "BIT-envoy-2023-44487", 66204 "BIT-golang-2023-44487", 66205 "BIT-jenkins-2023-44487", 66206 "BIT-kong-2023-44487", 66207 "BIT-nginx-2023-44487", 66208 "BIT-nginx-ingress-controller-2023-44487", 66209 "BIT-node-2023-44487", 66210 "BIT-solr-2023-44487", 66211 "BIT-tomcat-2023-44487", 66212 "BIT-varnish-2023-44487", 66213 "CVE-2023-44487" 66214 ], 66215 "database_specific": { 66216 "cwe_ids": [ 66217 "CWE-400" 66218 ], 66219 "github_reviewed": true, 66220 "github_reviewed_at": "2023-10-10T21:28:24Z", 66221 "nvd_published_at": "2023-10-10T14:15:10Z", 66222 "severity": "MODERATE" 66223 }, 66224 "details": "## HTTP/2 Rapid reset attack\nThe HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. 
The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed.\n\nAbuse of this feature is called a Rapid Reset attack because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open. \n\nThe HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately.\n\nThe ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth.\n\nIn a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client.\n\nMultiple software artifacts implementing HTTP/2 are affected. 
This advisory was originally ingested from the `swift-nio-http2` repo advisory and their original conent follows.\n\n## swift-nio-http2 specific advisory\nswift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress.\n\nswift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.", 66225 "id": "GHSA-qppj-fm5r-hxr3", 66226 "modified": "2024-08-07T20:01:43.272899Z", 66227 "published": "2023-10-10T21:28:24Z", 66228 "references": [ 66229 { 66230 "type": "WEB", 66231 "url": "https://github.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3" 66232 }, 66233 { 66234 "type": "WEB", 66235 "url": "https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf" 66236 }, 66237 { 66238 "type": "ADVISORY", 66239 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487" 66240 }, 66241 { 66242 "type": "WEB", 66243 "url": "https://github.com/apache/apisix/issues/10320" 66244 }, 66245 { 66246 "type": "WEB", 66247 "url": "https://github.com/alibaba/tengine/issues/1872" 66248 }, 66249 { 66250 "type": "WEB", 66251 "url": "https://github.com/caddyserver/caddy/issues/5877" 66252 }, 66253 { 66254 "type": "WEB", 66255 "url": "https://github.com/akka/akka-http/issues/4323" 66256 }, 66257 { 66258 "type": "WEB", 66259 "url": "https://github.com/dotnet/announcements/issues/277" 66260 }, 66261 { 66262 
"type": "WEB", 66263 "url": "https://github.com/varnishcache/varnish-cache/issues/3996" 66264 }, 66265 { 66266 "type": "WEB", 66267 "url": "https://github.com/eclipse/jetty.project/issues/10679" 66268 }, 66269 { 66270 "type": "WEB", 66271 "url": "https://github.com/Azure/AKS/issues/3947" 66272 }, 66273 { 66274 "type": "WEB", 66275 "url": "https://github.com/etcd-io/etcd/issues/16740" 66276 }, 66277 { 66278 "type": "WEB", 66279 "url": "https://github.com/golang/go/issues/63417" 66280 }, 66281 { 66282 "type": "WEB", 66283 "url": "https://github.com/tempesta-tech/tempesta/issues/1986" 66284 }, 66285 { 66286 "type": "WEB", 66287 "url": "https://github.com/haproxy/haproxy/issues/2312" 66288 }, 66289 { 66290 "type": "WEB", 66291 "url": "https://github.com/hyperium/hyper/issues/3337" 66292 }, 66293 { 66294 "type": "WEB", 66295 "url": "https://github.com/openresty/openresty/issues/930" 66296 }, 66297 { 66298 "type": "WEB", 66299 "url": "https://github.com/ninenines/cowboy/issues/1615" 66300 }, 66301 { 66302 "type": "WEB", 66303 "url": "https://github.com/junkurihara/rust-rpxy/issues/97" 66304 }, 66305 { 66306 "type": "WEB", 66307 "url": "https://github.com/kazu-yamamoto/http2/issues/93" 66308 }, 66309 { 66310 "type": "WEB", 66311 "url": "https://github.com/opensearch-project/data-prepper/issues/3474" 66312 }, 66313 { 66314 "type": "WEB", 66315 "url": "https://github.com/apache/trafficserver/pull/10564" 66316 }, 66317 { 66318 "type": "WEB", 66319 "url": "https://github.com/nodejs/node/pull/50121" 66320 }, 66321 { 66322 "type": "WEB", 66323 "url": "https://github.com/nghttp2/nghttp2/pull/1961" 66324 }, 66325 { 66326 "type": "WEB", 66327 "url": "https://github.com/microsoft/CBL-Mariner/pull/6381" 66328 }, 66329 { 66330 "type": "WEB", 66331 "url": "https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632" 66332 }, 66333 { 66334 "type": "WEB", 66335 "url": "https://github.com/line/armeria/pull/5232" 66336 }, 66337 { 66338 "type": "WEB", 
66339 "url": "https://github.com/kubernetes/kubernetes/pull/121120" 66340 }, 66341 { 66342 "type": "WEB", 66343 "url": "https://github.com/envoyproxy/envoy/pull/30055" 66344 }, 66345 { 66346 "type": "WEB", 66347 "url": "https://github.com/facebook/proxygen/pull/466" 66348 }, 66349 { 66350 "type": "WEB", 66351 "url": "https://github.com/projectcontour/contour/pull/5826" 66352 }, 66353 { 66354 "type": "WEB", 66355 "url": "https://github.com/grpc/grpc-go/pull/6703" 66356 }, 66357 { 66358 "type": "WEB", 66359 "url": "https://github.com/h2o/h2o/pull/3291" 66360 }, 66361 { 66362 "type": "WEB", 66363 "url": "https://github.com/apache/httpd-site/pull/10" 66364 }, 66365 { 66366 "type": "WEB", 66367 "url": "https://github.com/akka/akka-http/pull/4325" 66368 }, 66369 { 66370 "type": "WEB", 66371 "url": "https://github.com/akka/akka-http/pull/4324" 66372 }, 66373 { 66374 "type": "WEB", 66375 "url": "https://github.com/apache/tomcat/commit/944332bb15bd2f3bf76ec2caeb1ff0a58a3bc628" 66376 }, 66377 { 66378 "type": "WEB", 66379 "url": "https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1" 66380 }, 66381 { 66382 "type": "WEB", 66383 "url": "https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61" 66384 }, 66385 { 66386 "type": "WEB", 66387 "url": "https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html" 66388 }, 66389 { 66390 "type": "WEB", 66391 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ" 66392 }, 66393 { 66394 "type": "WEB", 66395 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU" 66396 }, 66397 { 66398 "type": "WEB", 66399 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5" 66400 }, 66401 { 66402 "type": "WEB", 66403 "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2" 66404 }, 66405 { 66406 "type": "WEB", 66407 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ" 66408 }, 66409 { 66410 "type": "WEB", 66411 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A" 66412 }, 66413 { 66414 "type": "WEB", 66415 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4" 66416 }, 66417 { 66418 "type": "WEB", 66419 "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487" 66420 }, 66421 { 66422 "type": "WEB", 66423 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3" 66424 }, 66425 { 66426 "type": "WEB", 66427 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT" 66428 }, 66429 { 66430 "type": "WEB", 66431 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2" 66432 }, 66433 { 66434 "type": "WEB", 66435 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y" 66436 }, 66437 { 66438 "type": "WEB", 66439 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH" 66440 }, 66441 { 66442 "type": "WEB", 66443 "url": "https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715" 66444 }, 66445 { 66446 "type": "WEB", 66447 "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4" 66448 }, 66449 { 66450 "type": "WEB", 66451 "url": "https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html" 66452 }, 66453 { 66454 "type": "WEB", 66455 "url": "https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html" 66456 }, 66457 { 66458 "type": "WEB", 66459 "url": "https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2" 66460 }, 66461 { 66462 "type": "WEB", 66463 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3" 66464 }, 66465 { 66466 "type": "WEB", 66467 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT" 66468 }, 66469 { 66470 "type": "WEB", 66471 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2" 66472 }, 66473 { 66474 "type": "WEB", 66475 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y" 66476 }, 66477 { 66478 "type": "WEB", 66479 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH" 66480 }, 66481 { 66482 "type": "WEB", 66483 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK" 66484 }, 66485 { 66486 "type": "WEB", 66487 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU" 66488 }, 66489 { 66490 "type": "WEB", 66491 "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL" 66492 }, 66493 { 66494 "type": "WEB", 66495 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG" 66496 }, 66497 { 66498 "type": "WEB", 66499 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE" 66500 }, 66501 { 66502 "type": "WEB", 66503 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY" 66504 }, 66505 { 66506 "type": "WEB", 66507 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ" 66508 }, 66509 { 66510 "type": "WEB", 66511 "url": "https://my.f5.com/manage/s/article/K000137106" 66512 }, 66513 { 66514 "type": "WEB", 66515 "url": "https://ubuntu.com/security/CVE-2023-44487" 66516 }, 66517 { 66518 "type": "WEB", 66519 "url": "https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records" 66520 }, 66521 { 66522 "type": "WEB", 66523 "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487" 66524 }, 66525 { 66526 "type": "WEB", 66527 "url": "https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event" 66528 }, 66529 { 66530 "type": "WEB", 66531 "url": "https://www.debian.org/security/2023/dsa-5521" 66532 }, 66533 { 66534 "type": "WEB", 66535 "url": "https://www.debian.org/security/2023/dsa-5522" 66536 }, 66537 { 66538 "type": "WEB", 66539 "url": "https://www.debian.org/security/2023/dsa-5540" 66540 }, 66541 { 66542 "type": "WEB", 66543 "url": "https://www.debian.org/security/2023/dsa-5549" 66544 }, 66545 { 66546 "type": "WEB", 66547 "url": "https://www.debian.org/security/2023/dsa-5558" 
66548 }, 66549 { 66550 "type": "WEB", 66551 "url": "https://www.debian.org/security/2023/dsa-5570" 66552 }, 66553 { 66554 "type": "WEB", 66555 "url": "https://www.eclipse.org/lists/jetty-announce/msg00181.html" 66556 }, 66557 { 66558 "type": "WEB", 66559 "url": "https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487" 66560 }, 66561 { 66562 "type": "WEB", 66563 "url": "https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487" 66564 }, 66565 { 66566 "type": "WEB", 66567 "url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products" 66568 }, 66569 { 66570 "type": "WEB", 66571 "url": "https://www.openwall.com/lists/oss-security/2023/10/10/6" 66572 }, 66573 { 66574 "type": "WEB", 66575 "url": "https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack" 66576 }, 66577 { 66578 "type": "WEB", 66579 "url": "https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday" 66580 }, 66581 { 66582 "type": "WEB", 66583 "url": "https://netty.io/news/2023/10/10/4-1-100-Final.html" 66584 }, 66585 { 66586 "type": "WEB", 66587 "url": "https://news.ycombinator.com/item?id=37830987" 66588 }, 66589 { 66590 "type": "WEB", 66591 "url": "https://news.ycombinator.com/item?id=37830998" 66592 }, 66593 { 66594 "type": "WEB", 66595 "url": "https://news.ycombinator.com/item?id=37831062" 66596 }, 66597 { 66598 "type": "WEB", 66599 "url": "https://news.ycombinator.com/item?id=37837043" 66600 }, 66601 { 66602 "type": "WEB", 66603 "url": "https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response" 66604 }, 66605 { 66606 "type": "WEB", 66607 "url": "https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected" 66608 }, 66609 { 66610 "type": "WEB", 66611 "url": "https://security.gentoo.org/glsa/202311-09" 66612 }, 66613 { 66614 "type": "WEB", 66615 "url": "https://security.netapp.com/advisory/ntap-20231016-0001" 66616 }, 66617 { 66618 "type": "WEB", 
66619 "url": "https://security.netapp.com/advisory/ntap-20240426-0007" 66620 }, 66621 { 66622 "type": "WEB", 66623 "url": "https://security.netapp.com/advisory/ntap-20240621-0006" 66624 }, 66625 { 66626 "type": "WEB", 66627 "url": "https://security.netapp.com/advisory/ntap-20240621-0007" 66628 }, 66629 { 66630 "type": "WEB", 66631 "url": "https://security.paloaltonetworks.com/CVE-2023-44487" 66632 }, 66633 { 66634 "type": "WEB", 66635 "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14" 66636 }, 66637 { 66638 "type": "WEB", 66639 "url": "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.0-M12" 66640 }, 66641 { 66642 "type": "WEB", 66643 "url": "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.94" 66644 }, 66645 { 66646 "type": "WEB", 66647 "url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.81" 66648 }, 66649 { 66650 "type": "WEB", 66651 "url": "https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve" 66652 }, 66653 { 66654 "type": "WEB", 66655 "url": "https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764" 66656 }, 66657 { 66658 "type": "WEB", 66659 "url": "https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088" 66660 }, 66661 { 66662 "type": "WEB", 66663 "url": "https://github.com/Kong/kong/discussions/11741" 66664 }, 66665 { 66666 "type": "ADVISORY", 66667 "url": "https://github.com/advisories/GHSA-qppj-fm5r-hxr3" 66668 }, 66669 { 66670 "type": "ADVISORY", 66671 "url": "https://github.com/advisories/GHSA-vx74-f528-fxqg" 66672 }, 66673 { 66674 "type": "ADVISORY", 66675 "url": "https://github.com/advisories/GHSA-xpw8-rcwv-8f8p" 66676 }, 66677 { 66678 "type": "WEB", 66679 "url": "https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113" 66680 }, 66681 { 66682 "type": "WEB", 66683 "url": 
"https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2" 66684 }, 66685 { 66686 "type": "PACKAGE", 66687 "url": "https://github.com/apple/swift-nio-http2" 66688 }, 66689 { 66690 "type": "WEB", 66691 "url": "https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487" 66692 }, 66693 { 66694 "type": "WEB", 66695 "url": "https://github.com/bcdannyboy/CVE-2023-44487" 66696 }, 66697 { 66698 "type": "WEB", 66699 "url": "https://github.com/caddyserver/caddy/releases/tag/v2.7.5" 66700 }, 66701 { 66702 "type": "WEB", 66703 "url": "https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73" 66704 }, 66705 { 66706 "type": "WEB", 66707 "url": "https://github.com/grpc/grpc-go/releases" 66708 }, 66709 { 66710 "type": "WEB", 66711 "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html" 66712 }, 66713 { 66714 "type": "WEB", 66715 "url": "https://access.redhat.com/security/cve/cve-2023-44487" 66716 }, 66717 { 66718 "type": "WEB", 66719 "url": "https://akka.io/security/akka-http-cve-2023-44487.html" 66720 }, 66721 { 66722 "type": "WEB", 66723 "url": "https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size" 66724 }, 66725 { 66726 "type": "WEB", 66727 "url": "https://aws.amazon.com/security/security-bulletins/AWS-2023-011" 66728 }, 66729 { 66730 "type": "WEB", 66731 "url": "https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack" 66732 }, 66733 { 66734 "type": "WEB", 66735 "url": "https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack" 66736 }, 66737 { 66738 "type": "WEB", 66739 "url": "https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty" 66740 }, 66741 { 66742 "type": "WEB", 66743 "url": "https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack" 66744 }, 66745 { 66746 "type": "WEB", 66747 "url": 
"https://blog.vespa.ai/cve-2023-44487" 66748 }, 66749 { 66750 "type": "WEB", 66751 "url": "https://bugzilla.proxmox.com/show_bug.cgi?id=4988" 66752 }, 66753 { 66754 "type": "WEB", 66755 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803" 66756 }, 66757 { 66758 "type": "WEB", 66759 "url": "https://bugzilla.suse.com/show_bug.cgi?id=1216123" 66760 }, 66761 { 66762 "type": "WEB", 66763 "url": "https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9" 66764 }, 66765 { 66766 "type": "WEB", 66767 "url": "https://chaos.social/@icing/111210915918780532" 66768 }, 66769 { 66770 "type": "WEB", 66771 "url": "https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps" 66772 }, 66773 { 66774 "type": "WEB", 66775 "url": "https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack" 66776 }, 66777 { 66778 "type": "WEB", 66779 "url": "https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125" 66780 }, 66781 { 66782 "type": "WEB", 66783 "url": "https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html" 66784 }, 66785 { 66786 "type": "WEB", 66787 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI" 66788 }, 66789 { 66790 "type": "WEB", 66791 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A" 66792 }, 66793 { 66794 "type": "WEB", 66795 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ" 66796 }, 66797 { 66798 "type": "WEB", 66799 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2" 66800 }, 66801 { 66802 "type": "WEB", 66803 "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5" 66804 }, 66805 { 66806 "type": "WEB", 66807 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU" 66808 }, 66809 { 66810 "type": "WEB", 66811 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ" 66812 }, 66813 { 66814 "type": "WEB", 66815 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ" 66816 }, 66817 { 66818 "type": "WEB", 66819 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY" 66820 }, 66821 { 66822 "type": "WEB", 66823 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE" 66824 }, 66825 { 66826 "type": "WEB", 66827 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG" 66828 }, 66829 { 66830 "type": "WEB", 66831 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL" 66832 }, 66833 { 66834 "type": "WEB", 66835 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU" 66836 }, 66837 { 66838 "type": "WEB", 66839 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK" 66840 }, 66841 { 66842 "type": "WEB", 66843 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX" 66844 }, 66845 { 66846 "type": "WEB", 
66847 "url": "https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244" 66848 }, 66849 { 66850 "type": "WEB", 66851 "url": "https://github.com/micrictor/http2-rst-stream" 66852 }, 66853 { 66854 "type": "WEB", 66855 "url": "https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0" 66856 }, 66857 { 66858 "type": "WEB", 66859 "url": "https://github.com/oqtane/oqtane.framework/discussions/3367" 66860 }, 66861 { 66862 "type": "WEB", 66863 "url": "https://go.dev/cl/534215" 66864 }, 66865 { 66866 "type": "WEB", 66867 "url": "https://go.dev/cl/534235" 66868 }, 66869 { 66870 "type": "WEB", 66871 "url": "https://go.dev/issue/63417" 66872 }, 66873 { 66874 "type": "WEB", 66875 "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo" 66876 }, 66877 { 66878 "type": "WEB", 66879 "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ" 66880 }, 66881 { 66882 "type": "WEB", 66883 "url": "https://istio.io/latest/news/security/istio-security-2023-004" 66884 }, 66885 { 66886 "type": "WEB", 66887 "url": "https://linkerd.io/2023/10/12/linkerd-cve-2023-44487" 66888 }, 66889 { 66890 "type": "WEB", 66891 "url": "https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q" 66892 }, 66893 { 66894 "type": "WEB", 66895 "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" 66896 }, 66897 { 66898 "type": "WEB", 66899 "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html" 66900 }, 66901 { 66902 "type": "WEB", 66903 "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html" 66904 }, 66905 { 66906 "type": "WEB", 66907 "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html" 66908 }, 66909 { 66910 "type": "WEB", 66911 "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html" 66912 }, 66913 { 66914 "type": "WEB", 66915 "url": "http://www.openwall.com/lists/oss-security/2023/10/13/4" 66916 }, 66917 { 66918 
"type": "WEB", 66919 "url": "http://www.openwall.com/lists/oss-security/2023/10/13/9" 66920 }, 66921 { 66922 "type": "WEB", 66923 "url": "http://www.openwall.com/lists/oss-security/2023/10/18/4" 66924 }, 66925 { 66926 "type": "WEB", 66927 "url": "http://www.openwall.com/lists/oss-security/2023/10/18/8" 66928 }, 66929 { 66930 "type": "WEB", 66931 "url": "http://www.openwall.com/lists/oss-security/2023/10/19/6" 66932 }, 66933 { 66934 "type": "WEB", 66935 "url": "http://www.openwall.com/lists/oss-security/2023/10/20/8" 66936 } 66937 ], 66938 "related": [ 66939 "CGA-2299-p283-6754", 66940 "CGA-229m-7869-rw4v", 66941 "CGA-24hx-83pv-289x", 66942 "CGA-2pcr-mcjf-2wpx", 66943 "CGA-2qwx-p2mj-2vg9", 66944 "CGA-2rv9-rcgf-5jmv", 66945 "CGA-2v87-m46r-gjch", 66946 "CGA-2v95-w62h-qj34", 66947 "CGA-2vjm-8pmg-xm38", 66948 "CGA-2wf3-5p85-5cjv", 66949 "CGA-2xxq-x97g-5x4g", 66950 "CGA-349p-pq36-fxj6", 66951 "CGA-376q-594m-cg5h", 66952 "CGA-38xr-m6w5-7mjr", 66953 "CGA-3cjr-qphr-4q8c", 66954 "CGA-3g58-8vg4-j962", 66955 "CGA-3hw4-xp7w-mf8r", 66956 "CGA-3m7w-768w-7c63", 66957 "CGA-3qc4-4rpc-fw57", 66958 "CGA-3wv3-c8pc-vfc7", 66959 "CGA-42pp-gwp5-q5p4", 66960 "CGA-45r2-9m23-x9g6", 66961 "CGA-4779-25p4-j7h2", 66962 "CGA-4c3m-883j-8695", 66963 "CGA-4cgp-vvw6-j596", 66964 "CGA-4pfq-mx97-263v", 66965 "CGA-4qr9-f5q2-prfp", 66966 "CGA-4r3q-fgcw-49c7", 66967 "CGA-4rc6-3vhf-qf99", 66968 "CGA-4wwj-8m9v-fq8x", 66969 "CGA-5454-884w-3j88", 66970 "CGA-556h-c5fj-3w99", 66971 "CGA-56q4-xqhh-mfwx", 66972 "CGA-583h-35v8-3832", 66973 "CGA-59pp-cfxf-c3rf", 66974 "CGA-5gg6-x7qp-xxv4", 66975 "CGA-5m9g-9jqg-pxgg", 66976 "CGA-5q2w-xhwc-rwxc", 66977 "CGA-5rgp-q5p7-2mf5", 66978 "CGA-6642-55rh-hw42", 66979 "CGA-6ggm-gwjp-2q55", 66980 "CGA-6v26-8q96-376f", 66981 "CGA-6w85-h2rp-4xf2", 66982 "CGA-72wg-cw63-gf9v", 66983 "CGA-765w-qmch-926x", 66984 "CGA-76j5-w627-hxq8", 66985 "CGA-7942-4mrf-v638", 66986 "CGA-7h6v-hgj5-rc6j", 66987 "CGA-7qcv-pmxr-hc3p", 66988 "CGA-7xrp-cfgv-p96p", 66989 "CGA-824v-jhv4-f4mw", 66990 
"CGA-828f-q9xr-h575", 66991 "CGA-85m7-vwm2-3rgx", 66992 "CGA-87mj-vfr9-8342", 66993 "CGA-8893-2h9f-wpwr", 66994 "CGA-88pw-g8rx-54fw", 66995 "CGA-8ff8-px3p-27h2", 66996 "CGA-8gmp-6559-9h7f", 66997 "CGA-8h6j-5683-hj2p", 66998 "CGA-8ph8-2ph8-9526", 66999 "CGA-8qxj-xqxm-g9rj", 67000 "CGA-8w2g-p32j-34q7", 67001 "CGA-92p6-frjm-h6wh", 67002 "CGA-9336-v7qg-9pxr", 67003 "CGA-9653-v8w4-9j5m", 67004 "CGA-98pg-rvgm-vq7w", 67005 "CGA-9j94-gc38-2m2j", 67006 "CGA-9q26-2wgq-q8jq", 67007 "CGA-c2wj-qvw6-v5cc", 67008 "CGA-c4c9-566q-j9f8", 67009 "CGA-c5rg-gjw6-jhf5", 67010 "CGA-cc75-jr7m-v4rg", 67011 "CGA-cfmf-v2vf-446r", 67012 "CGA-cfpj-5fv4-gmqx", 67013 "CGA-crjx-p8j7-7mfq", 67014 "CGA-cxxg-fmvh-x664", 67015 "CGA-f5x2-3vrj-9h9j", 67016 "CGA-fh68-3rxp-2rr4", 67017 "CGA-fjj9-cf2q-279r", 67018 "CGA-fqmp-xrf6-2pq9", 67019 "CGA-g76q-386m-vw9c", 67020 "CGA-g8fr-g5rp-4g53", 67021 "CGA-gg7w-54jm-jc98", 67022 "CGA-gwxw-7hx6-fhc6", 67023 "CGA-gxgw-6wgc-3c72", 67024 "CGA-h2hr-q994-g57w", 67025 "CGA-h3hf-wvxm-w8fq", 67026 "CGA-h4hq-pj3g-852q", 67027 "CGA-h5p7-g2cp-wxvq", 67028 "CGA-h8xj-6f7x-vgcr", 67029 "CGA-hfrv-xx9v-v78g", 67030 "CGA-hg38-7g2w-6w7q", 67031 "CGA-hp8r-x64x-9wx8", 67032 "CGA-hq25-jj7j-2jhx", 67033 "CGA-hwq5-r477-jpjj", 67034 "CGA-hwwr-q8hg-7w7m", 67035 "CGA-hxgw-r76p-5q9f", 67036 "CGA-hxx6-782j-x2rg", 67037 "CGA-j7cc-x379-65f6", 67038 "CGA-j822-fhmp-r464", 67039 "CGA-j978-jw6m-g3m2", 67040 "CGA-j9wj-m9g4-3cqr", 67041 "CGA-jchg-g7m5-gx9j", 67042 "CGA-jfxc-mh76-f83w", 67043 "CGA-jm66-m52h-37p8", 67044 "CGA-jp5v-pxgv-mwxm", 67045 "CGA-jpm5-jx7m-gj52", 67046 "CGA-jqqv-mcm2-xfhf", 67047 "CGA-jrm6-4p39-vv8f", 67048 "CGA-m2rg-gw8g-jq3g", 67049 "CGA-m2vf-6j9c-q44v", 67050 "CGA-m2xm-59pf-m2w9", 67051 "CGA-m4ph-vwfq-6p88", 67052 "CGA-m6q6-3rm7-v7r7", 67053 "CGA-m929-58m9-46x7", 67054 "CGA-m96g-hjv2-7739", 67055 "CGA-mfww-9mm5-5q9p", 67056 "CGA-mh7x-f999-qfgr", 67057 "CGA-mh9m-rvrx-x78q", 67058 "CGA-mrg3-v5p6-fcrc", 67059 "CGA-mw67-9v22-xhfj", 67060 "CGA-mxmj-hx3p-86mr", 67061 
"CGA-p3wv-wqgx-5f9g", 67062 "CGA-p488-4rp7-4vcq", 67063 "CGA-pm5v-cpg9-6pjv", 67064 "CGA-ppff-fghc-fmx2", 67065 "CGA-ppp5-rgx9-7cp5", 67066 "CGA-pvf6-v7vv-5pm8", 67067 "CGA-pwwr-2v47-j82m", 67068 "CGA-q2g4-fr75-mfgw", 67069 "CGA-q883-c6c7-5mrg", 67070 "CGA-q8f4-cjcq-pvcw", 67071 "CGA-q9x3-54qc-w4vx", 67072 "CGA-qf93-qqgg-57pp", 67073 "CGA-qg2x-rjrq-27j7", 67074 "CGA-qg4w-crjp-pm66", 67075 "CGA-qgcq-r8vq-cj48", 67076 "CGA-qj23-2j5c-346p", 67077 "CGA-qj39-h7mv-wvvr", 67078 "CGA-qqq4-xppr-35gx", 67079 "CGA-qrj8-7hhv-5fqr", 67080 "CGA-r3jw-5855-vm4v", 67081 "CGA-r3vf-8xgf-j7xf", 67082 "CGA-r65x-gccm-c3h9", 67083 "CGA-r672-cm53-wqp9", 67084 "CGA-r67v-7r7m-7mjm", 67085 "CGA-r6pc-j2w2-hg9j", 67086 "CGA-r83c-wr9j-cf47", 67087 "CGA-r8fq-45qw-f82f", 67088 "CGA-rfpm-7c5c-2jr7", 67089 "CGA-rh6x-pqw3-m94h", 67090 "CGA-rwg6-qrw3-mq94", 67091 "CGA-rwv7-vh72-vwm9", 67092 "CGA-rx36-6r58-w9cv", 67093 "CGA-v2x5-f8g9-xwxg", 67094 "CGA-v33m-mhpg-r9vc", 67095 "CGA-v69x-6w5f-9788", 67096 "CGA-v8m6-hgvj-q9jx", 67097 "CGA-vg2f-7w94-hc6j", 67098 "CGA-vhg8-353g-xgjq", 67099 "CGA-vmv2-mcvh-c322", 67100 "CGA-vrwc-ghcx-vgf2", 67101 "CGA-vxx9-w3rw-hmm8", 67102 "CGA-w32j-65w7-364f", 67103 "CGA-w6jr-m8cm-cm2q", 67104 "CGA-w8w4-2885-pj8c", 67105 "CGA-w93r-jjhq-mrfj", 67106 "CGA-wcpm-f328-p4gm", 67107 "CGA-wcvh-j92g-4jf2", 67108 "CGA-wv77-q28p-3ccr", 67109 "CGA-wx95-wrvj-5fxq", 67110 "CGA-wxpj-97pc-mhgh", 67111 "CGA-x3c3-mgmr-7hfc", 67112 "CGA-x3gh-rmf6-3wm3", 67113 "CGA-x477-6cc3-862v", 67114 "CGA-x678-9j63-wf4w", 67115 "CGA-x7vm-wxp7-c7p6", 67116 "CGA-x866-fvq6-vg5f", 67117 "CGA-x87p-5crv-79j5", 67118 "CGA-x8gx-4p34-286q", 67119 "CGA-xfch-66rw-37j9", 67120 "CGA-xffp-8jxx-qx99", 67121 "CGA-xj77-2fg4-p9xh", 67122 "CGA-xq7r-vg65-qvmc", 67123 "CGA-xqpr-wh63-xxmp", 67124 "CGA-xr5x-637v-fqgc", 67125 "CGA-xxmc-xq95-99j2" 67126 ], 67127 "schema_version": "1.6.0", 67128 "severity": [ 67129 { 67130 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", 67131 "type": "CVSS_V3" 67132 }, 67133 { 67134 
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", 67135 "type": "CVSS_V4" 67136 } 67137 ], 67138 "summary": "HTTP/2 Stream Cancellation Attack" 67139 }, 67140 { 67141 "affected": [ 67142 { 67143 "database_specific": { 67144 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json" 67145 }, 67146 "package": { 67147 "ecosystem": "Maven", 67148 "name": "org.apache.tomcat.embed:tomcat-embed-core", 67149 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 67150 }, 67151 "ranges": [ 67152 { 67153 "events": [ 67154 { 67155 "introduced": "0" 67156 }, 67157 { 67158 "fixed": "7.0.100" 67159 } 67160 ], 67161 "type": "ECOSYSTEM" 67162 } 67163 ], 67164 "versions": [ 67165 "7.0.0", 67166 "7.0.11", 67167 "7.0.12", 67168 "7.0.14", 67169 "7.0.16", 67170 "7.0.19", 67171 "7.0.2", 67172 "7.0.20", 67173 "7.0.21", 67174 "7.0.22", 67175 "7.0.23", 67176 "7.0.25", 67177 "7.0.26", 67178 "7.0.27", 67179 "7.0.28", 67180 "7.0.29", 67181 "7.0.30", 67182 "7.0.32", 67183 "7.0.33", 67184 "7.0.34", 67185 "7.0.35", 67186 "7.0.37", 67187 "7.0.39", 67188 "7.0.4", 67189 "7.0.40", 67190 "7.0.41", 67191 "7.0.42", 67192 "7.0.47", 67193 "7.0.5", 67194 "7.0.50", 67195 "7.0.52", 67196 "7.0.53", 67197 "7.0.54", 67198 "7.0.55", 67199 "7.0.56", 67200 "7.0.57", 67201 "7.0.59", 67202 "7.0.6", 67203 "7.0.61", 67204 "7.0.62", 67205 "7.0.63", 67206 "7.0.64", 67207 "7.0.65", 67208 "7.0.67", 67209 "7.0.68", 67210 "7.0.69", 67211 "7.0.70", 67212 "7.0.72", 67213 "7.0.73", 67214 "7.0.75", 67215 "7.0.76", 67216 "7.0.77", 67217 "7.0.78", 67218 "7.0.79", 67219 "7.0.8", 67220 "7.0.81", 67221 "7.0.82", 67222 "7.0.84", 67223 "7.0.85", 67224 "7.0.86", 67225 "7.0.88", 67226 "7.0.90", 67227 "7.0.91", 67228 "7.0.92", 67229 "7.0.93", 67230 "7.0.94", 67231 "7.0.96", 67232 "7.0.99" 67233 ] 67234 }, 67235 { 67236 "database_specific": { 67237 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json" 67238 }, 67239 "package": { 67240 "ecosystem": "Maven", 67241 "name": "org.apache.tomcat.embed:tomcat-embed-core", 67242 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 67243 }, 67244 "ranges": [ 67245 { 67246 "events": [ 67247 { 67248 "introduced": "8.0.0" 67249 }, 67250 { 67251 "fixed": "8.5.51" 67252 } 67253 ], 67254 "type": "ECOSYSTEM" 67255 } 67256 ], 67257 "versions": [ 67258 "8.0.1", 67259 "8.0.11", 67260 "8.0.12", 67261 "8.0.14", 67262 "8.0.15", 67263 "8.0.17", 67264 "8.0.18", 67265 "8.0.20", 67266 "8.0.21", 67267 "8.0.22", 67268 "8.0.23", 67269 "8.0.24", 67270 "8.0.26", 67271 "8.0.27", 67272 "8.0.28", 67273 "8.0.29", 67274 "8.0.3", 67275 "8.0.30", 67276 "8.0.32", 67277 "8.0.33", 67278 "8.0.35", 67279 "8.0.36", 67280 "8.0.37", 67281 "8.0.38", 67282 "8.0.39", 67283 "8.0.41", 67284 "8.0.42", 67285 "8.0.43", 67286 "8.0.44", 67287 "8.0.45", 67288 "8.0.46", 67289 "8.0.47", 67290 "8.0.48", 67291 "8.0.49", 67292 "8.0.5", 67293 "8.0.50", 67294 "8.0.51", 67295 "8.0.52", 67296 "8.0.53", 67297 "8.0.8", 67298 "8.0.9", 67299 "8.5.0", 67300 "8.5.11", 67301 "8.5.12", 67302 "8.5.13", 67303 "8.5.14", 67304 "8.5.15", 67305 "8.5.16", 67306 "8.5.19", 67307 "8.5.2", 67308 "8.5.20", 67309 "8.5.21", 67310 "8.5.23", 67311 "8.5.24", 67312 "8.5.27", 67313 "8.5.28", 67314 "8.5.29", 67315 "8.5.3", 67316 "8.5.30", 67317 "8.5.31", 67318 "8.5.32", 67319 "8.5.33", 67320 "8.5.34", 67321 "8.5.35", 67322 "8.5.37", 67323 "8.5.38", 67324 "8.5.39", 67325 "8.5.4", 67326 "8.5.40", 67327 "8.5.41", 67328 "8.5.42", 67329 "8.5.43", 67330 "8.5.45", 67331 "8.5.46", 67332 "8.5.47", 67333 "8.5.49", 67334 "8.5.5", 67335 "8.5.50", 67336 "8.5.6", 67337 "8.5.8", 67338 "8.5.9" 67339 ] 67340 }, 67341 { 67342 "database_specific": { 67343 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json" 67344 }, 67345 "package": { 67346 "ecosystem": "Maven", 67347 "name": "org.apache.tomcat.embed:tomcat-embed-core", 67348 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 67349 }, 67350 "ranges": [ 67351 { 67352 "events": [ 67353 { 67354 "introduced": "9.0.0" 67355 }, 67356 { 67357 "fixed": "9.0.31" 67358 } 67359 ], 67360 "type": "ECOSYSTEM" 67361 } 67362 ], 67363 "versions": [ 67364 "9.0.1", 67365 "9.0.10", 67366 "9.0.11", 67367 "9.0.12", 67368 "9.0.13", 67369 "9.0.14", 67370 "9.0.16", 67371 "9.0.17", 67372 "9.0.19", 67373 "9.0.2", 67374 "9.0.20", 67375 "9.0.21", 67376 "9.0.22", 67377 "9.0.24", 67378 "9.0.26", 67379 "9.0.27", 67380 "9.0.29", 67381 "9.0.30", 67382 "9.0.4", 67383 "9.0.5", 67384 "9.0.6", 67385 "9.0.7", 67386 "9.0.8" 67387 ] 67388 }, 67389 { 67390 "database_specific": { 67391 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json" 67392 }, 67393 "package": { 67394 "ecosystem": "Maven", 67395 "name": "org.apache.tomcat:tomcat", 67396 "purl": "pkg:maven/org.apache.tomcat/tomcat" 67397 }, 67398 "ranges": [ 67399 { 67400 "events": [ 67401 { 67402 "introduced": "0" 67403 }, 67404 { 67405 "fixed": "7.0.100" 67406 } 67407 ], 67408 "type": "ECOSYSTEM" 67409 } 67410 ], 67411 "versions": [ 67412 "7.0.35", 67413 "7.0.37", 67414 "7.0.39", 67415 "7.0.40", 67416 "7.0.41", 67417 "7.0.42", 67418 "7.0.47", 67419 "7.0.50", 67420 "7.0.52", 67421 "7.0.53", 67422 "7.0.54", 67423 "7.0.55", 67424 "7.0.56", 67425 "7.0.57", 67426 "7.0.59", 67427 "7.0.61", 67428 "7.0.62", 67429 "7.0.63", 67430 "7.0.64", 67431 "7.0.65", 67432 "7.0.67", 67433 "7.0.68", 67434 "7.0.69", 67435 "7.0.70", 67436 "7.0.72", 67437 "7.0.73", 67438 "7.0.75", 67439 "7.0.76", 67440 "7.0.77", 67441 "7.0.78", 67442 "7.0.79", 67443 "7.0.81", 67444 "7.0.82", 67445 "7.0.84", 
67446 "7.0.85", 67447 "7.0.86", 67448 "7.0.88", 67449 "7.0.90", 67450 "7.0.91", 67451 "7.0.92", 67452 "7.0.93", 67453 "7.0.94", 67454 "7.0.96", 67455 "7.0.99" 67456 ] 67457 }, 67458 { 67459 "database_specific": { 67460 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json" 67461 }, 67462 "package": { 67463 "ecosystem": "Maven", 67464 "name": "org.apache.tomcat:tomcat", 67465 "purl": "pkg:maven/org.apache.tomcat/tomcat" 67466 }, 67467 "ranges": [ 67468 { 67469 "events": [ 67470 { 67471 "introduced": "8.0.0" 67472 }, 67473 { 67474 "fixed": "8.5.51" 67475 } 67476 ], 67477 "type": "ECOSYSTEM" 67478 } 67479 ], 67480 "versions": [ 67481 "8.0.1", 67482 "8.0.11", 67483 "8.0.12", 67484 "8.0.14", 67485 "8.0.15", 67486 "8.0.17", 67487 "8.0.18", 67488 "8.0.20", 67489 "8.0.21", 67490 "8.0.22", 67491 "8.0.23", 67492 "8.0.24", 67493 "8.0.26", 67494 "8.0.27", 67495 "8.0.28", 67496 "8.0.29", 67497 "8.0.3", 67498 "8.0.30", 67499 "8.0.32", 67500 "8.0.33", 67501 "8.0.35", 67502 "8.0.36", 67503 "8.0.37", 67504 "8.0.38", 67505 "8.0.39", 67506 "8.0.41", 67507 "8.0.42", 67508 "8.0.43", 67509 "8.0.44", 67510 "8.0.45", 67511 "8.0.46", 67512 "8.0.47", 67513 "8.0.48", 67514 "8.0.49", 67515 "8.0.5", 67516 "8.0.50", 67517 "8.0.51", 67518 "8.0.52", 67519 "8.0.53", 67520 "8.0.8", 67521 "8.0.9", 67522 "8.5.0", 67523 "8.5.11", 67524 "8.5.12", 67525 "8.5.13", 67526 "8.5.14", 67527 "8.5.15", 67528 "8.5.16", 67529 "8.5.19", 67530 "8.5.2", 67531 "8.5.20", 67532 "8.5.21", 67533 "8.5.23", 67534 "8.5.24", 67535 "8.5.27", 67536 "8.5.28", 67537 "8.5.29", 67538 "8.5.3", 67539 "8.5.30", 67540 "8.5.31", 67541 "8.5.32", 67542 "8.5.33", 67543 "8.5.34", 67544 "8.5.35", 67545 "8.5.37", 67546 "8.5.38", 67547 "8.5.39", 67548 "8.5.4", 67549 "8.5.40", 67550 "8.5.41", 67551 "8.5.42", 67552 "8.5.43", 67553 "8.5.45", 67554 "8.5.46", 67555 "8.5.47", 67556 "8.5.49", 67557 "8.5.5", 67558 "8.5.50", 67559 "8.5.6", 67560 "8.5.8", 67561 
"8.5.9" 67562 ] 67563 }, 67564 { 67565 "database_specific": { 67566 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json" 67567 }, 67568 "package": { 67569 "ecosystem": "Maven", 67570 "name": "org.apache.tomcat:tomcat", 67571 "purl": "pkg:maven/org.apache.tomcat/tomcat" 67572 }, 67573 "ranges": [ 67574 { 67575 "events": [ 67576 { 67577 "introduced": "9.0.0" 67578 }, 67579 { 67580 "fixed": "9.0.31" 67581 } 67582 ], 67583 "type": "ECOSYSTEM" 67584 } 67585 ], 67586 "versions": [ 67587 "9.0.1", 67588 "9.0.10", 67589 "9.0.11", 67590 "9.0.12", 67591 "9.0.13", 67592 "9.0.14", 67593 "9.0.16", 67594 "9.0.17", 67595 "9.0.19", 67596 "9.0.2", 67597 "9.0.20", 67598 "9.0.21", 67599 "9.0.22", 67600 "9.0.24", 67601 "9.0.26", 67602 "9.0.27", 67603 "9.0.29", 67604 "9.0.30", 67605 "9.0.4", 67606 "9.0.5", 67607 "9.0.6", 67608 "9.0.7", 67609 "9.0.8" 67610 ] 67611 } 67612 ], 67613 "aliases": [ 67614 "BIT-tomcat-2020-1935", 67615 "CVE-2020-1935" 67616 ], 67617 "database_specific": { 67618 "cwe_ids": [ 67619 "CWE-444" 67620 ], 67621 "github_reviewed": true, 67622 "github_reviewed_at": "2020-02-25T16:18:59Z", 67623 "nvd_published_at": "2020-02-24T22:15:00Z", 67624 "severity": "MODERATE" 67625 }, 67626 "details": "In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. 
Such a reverse proxy is considered unlikely.", 67627 "id": "GHSA-qxf4-chvg-4r8r", 67628 "modified": "2024-03-14T05:17:09.684982Z", 67629 "published": "2020-02-28T01:10:48Z", 67630 "references": [ 67631 { 67632 "type": "ADVISORY", 67633 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1935" 67634 }, 67635 { 67636 "type": "WEB", 67637 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 67638 }, 67639 { 67640 "type": "WEB", 67641 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 67642 }, 67643 { 67644 "type": "WEB", 67645 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 67646 }, 67647 { 67648 "type": "WEB", 67649 "url": "https://www.debian.org/security/2020/dsa-4680" 67650 }, 67651 { 67652 "type": "WEB", 67653 "url": "https://www.debian.org/security/2020/dsa-4673" 67654 }, 67655 { 67656 "type": "WEB", 67657 "url": "https://usn.ubuntu.com/4448-1" 67658 }, 67659 { 67660 "type": "WEB", 67661 "url": "https://security.netapp.com/advisory/ntap-20200327-0005" 67662 }, 67663 { 67664 "type": "WEB", 67665 "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html" 67666 }, 67667 { 67668 "type": "WEB", 67669 "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html" 67670 }, 67671 { 67672 "type": "WEB", 67673 "url": "https://lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18@%3Cusers.tomcat.apache.org%3E" 67674 }, 67675 { 67676 "type": "WEB", 67677 "url": "https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E" 67678 }, 67679 { 67680 "type": "WEB", 67681 "url": "https://lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7@%3Cusers.tomcat.apache.org%3E" 67682 }, 67683 { 67684 "type": "WEB", 67685 "url": "https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6@%3Cdev.tomcat.apache.org%3E" 67686 }, 67687 { 67688 "type": "WEB", 
67689 "url": "https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1@%3Cusers.tomcat.apache.org%3E" 67690 }, 67691 { 67692 "type": "WEB", 67693 "url": "https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E" 67694 }, 67695 { 67696 "type": "WEB", 67697 "url": "https://lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919@%3Cusers.tomcat.apache.org%3E" 67698 }, 67699 { 67700 "type": "WEB", 67701 "url": "https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75@%3Cusers.tomcat.apache.org%3E" 67702 }, 67703 { 67704 "type": "WEB", 67705 "url": "https://lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E" 67706 }, 67707 { 67708 "type": "WEB", 67709 "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html" 67710 } 67711 ], 67712 "related": [ 67713 "CGA-m48x-5w5p-h4vm" 67714 ], 67715 "schema_version": "1.6.0", 67716 "severity": [ 67717 { 67718 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", 67719 "type": "CVSS_V3" 67720 } 67721 ], 67722 "summary": "Potential HTTP request smuggling in Apache Tomcat" 67723 }, 67724 { 67725 "affected": [ 67726 { 67727 "database_specific": { 67728 "last_known_affected_version_range": "\u003c= 9.0.8", 67729 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r4x2-3cq5-hqvp/GHSA-r4x2-3cq5-hqvp.json" 67730 }, 67731 "package": { 67732 "ecosystem": "Maven", 67733 "name": "org.apache.tomcat.embed:tomcat-embed-core", 67734 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 67735 }, 67736 "ranges": [ 67737 { 67738 "events": [ 67739 { 67740 "introduced": "9.0.0.M1" 67741 }, 67742 { 67743 "fixed": "9.0.9" 67744 } 67745 ], 67746 "type": "ECOSYSTEM" 67747 } 67748 ], 67749 "versions": [ 67750 "9.0.0.M1", 67751 
"9.0.0.M10", 67752 "9.0.0.M11", 67753 "9.0.0.M13", 67754 "9.0.0.M15", 67755 "9.0.0.M17", 67756 "9.0.0.M18", 67757 "9.0.0.M19", 67758 "9.0.0.M20", 67759 "9.0.0.M21", 67760 "9.0.0.M22", 67761 "9.0.0.M25", 67762 "9.0.0.M26", 67763 "9.0.0.M27", 67764 "9.0.0.M3", 67765 "9.0.0.M4", 67766 "9.0.0.M6", 67767 "9.0.0.M8", 67768 "9.0.0.M9", 67769 "9.0.1", 67770 "9.0.2", 67771 "9.0.4", 67772 "9.0.5", 67773 "9.0.6", 67774 "9.0.7", 67775 "9.0.8" 67776 ] 67777 }, 67778 { 67779 "database_specific": { 67780 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r4x2-3cq5-hqvp/GHSA-r4x2-3cq5-hqvp.json" 67781 }, 67782 "package": { 67783 "ecosystem": "Maven", 67784 "name": "org.apache.tomcat.embed:tomcat-embed-core", 67785 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 67786 }, 67787 "ranges": [ 67788 { 67789 "events": [ 67790 { 67791 "introduced": "8.5.0" 67792 }, 67793 { 67794 "fixed": "8.5.32" 67795 } 67796 ], 67797 "type": "ECOSYSTEM" 67798 } 67799 ], 67800 "versions": [ 67801 "8.5.0", 67802 "8.5.11", 67803 "8.5.12", 67804 "8.5.13", 67805 "8.5.14", 67806 "8.5.15", 67807 "8.5.16", 67808 "8.5.19", 67809 "8.5.2", 67810 "8.5.20", 67811 "8.5.21", 67812 "8.5.23", 67813 "8.5.24", 67814 "8.5.27", 67815 "8.5.28", 67816 "8.5.29", 67817 "8.5.3", 67818 "8.5.30", 67819 "8.5.31", 67820 "8.5.4", 67821 "8.5.5", 67822 "8.5.6", 67823 "8.5.8", 67824 "8.5.9" 67825 ] 67826 }, 67827 { 67828 "database_specific": { 67829 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r4x2-3cq5-hqvp/GHSA-r4x2-3cq5-hqvp.json" 67830 }, 67831 "package": { 67832 "ecosystem": "Maven", 67833 "name": "org.apache.tomcat.embed:tomcat-embed-core", 67834 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 67835 }, 67836 "ranges": [ 67837 { 67838 "events": [ 67839 { 67840 "introduced": "8.0.0RC1" 67841 }, 67842 { 67843 "fixed": "8.0.53" 67844 } 67845 ], 67846 "type": "ECOSYSTEM" 67847 } 67848 ], 67849 
"versions": [ 67850 "8.0.0-RC1", 67851 "8.0.0-RC10", 67852 "8.0.0-RC3", 67853 "8.0.0-RC5", 67854 "8.0.1", 67855 "8.0.11", 67856 "8.0.12", 67857 "8.0.14", 67858 "8.0.15", 67859 "8.0.17", 67860 "8.0.18", 67861 "8.0.20", 67862 "8.0.21", 67863 "8.0.22", 67864 "8.0.23", 67865 "8.0.24", 67866 "8.0.26", 67867 "8.0.27", 67868 "8.0.28", 67869 "8.0.29", 67870 "8.0.3", 67871 "8.0.30", 67872 "8.0.32", 67873 "8.0.33", 67874 "8.0.35", 67875 "8.0.36", 67876 "8.0.37", 67877 "8.0.38", 67878 "8.0.39", 67879 "8.0.41", 67880 "8.0.42", 67881 "8.0.43", 67882 "8.0.44", 67883 "8.0.45", 67884 "8.0.46", 67885 "8.0.47", 67886 "8.0.48", 67887 "8.0.49", 67888 "8.0.5", 67889 "8.0.50", 67890 "8.0.51", 67891 "8.0.52", 67892 "8.0.8", 67893 "8.0.9" 67894 ] 67895 }, 67896 { 67897 "database_specific": { 67898 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r4x2-3cq5-hqvp/GHSA-r4x2-3cq5-hqvp.json" 67899 }, 67900 "package": { 67901 "ecosystem": "Maven", 67902 "name": "org.apache.tomcat.embed:tomcat-embed-core", 67903 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 67904 }, 67905 "ranges": [ 67906 { 67907 "events": [ 67908 { 67909 "introduced": "7.0.41" 67910 }, 67911 { 67912 "fixed": "7.0.88" 67913 } 67914 ], 67915 "type": "ECOSYSTEM" 67916 } 67917 ], 67918 "versions": [ 67919 "7.0.41", 67920 "7.0.42", 67921 "7.0.47", 67922 "7.0.50", 67923 "7.0.52", 67924 "7.0.53", 67925 "7.0.54", 67926 "7.0.55", 67927 "7.0.56", 67928 "7.0.57", 67929 "7.0.59", 67930 "7.0.61", 67931 "7.0.62", 67932 "7.0.63", 67933 "7.0.64", 67934 "7.0.65", 67935 "7.0.67", 67936 "7.0.68", 67937 "7.0.69", 67938 "7.0.70", 67939 "7.0.72", 67940 "7.0.73", 67941 "7.0.75", 67942 "7.0.76", 67943 "7.0.77", 67944 "7.0.78", 67945 "7.0.79", 67946 "7.0.81", 67947 "7.0.82", 67948 "7.0.84", 67949 "7.0.85", 67950 "7.0.86" 67951 ] 67952 } 67953 ], 67954 "aliases": [ 67955 "CVE-2018-8014" 67956 ], 67957 "database_specific": { 67958 "cwe_ids": [ 67959 "CWE-1188" 67960 ], 67961 
"github_reviewed": true, 67962 "github_reviewed_at": "2020-06-16T21:53:40Z", 67963 "nvd_published_at": "2018-05-16T16:29:00Z", 67964 "severity": "CRITICAL" 67965 }, 67966 "details": "The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.", 67967 "id": "GHSA-r4x2-3cq5-hqvp", 67968 "modified": "2024-03-12T05:32:05.31046Z", 67969 "published": "2018-10-17T16:32:32Z", 67970 "references": [ 67971 { 67972 "type": "ADVISORY", 67973 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8014" 67974 }, 67975 { 67976 "type": "WEB", 67977 "url": "https://github.com/apache/tomcat80/commit/2c9d8433bd3247a2856d4b2555447108758e813e" 67978 }, 67979 { 67980 "type": "WEB", 67981 "url": "https://github.com/apache/tomcat/commit/d83a76732e6804739b81d8b2056365307637b42d" 67982 }, 67983 { 67984 "type": "WEB", 67985 "url": "https://github.com/apache/tomcat/commit/5877390a9605f56d9bd6859a54ccbfb16374a78b" 67986 }, 67987 { 67988 "type": "WEB", 67989 "url": "https://github.com/apache/tomcat/commit/60f596a21fd6041335a3a1a4015d4512439cecb5" 67990 }, 67991 { 67992 "type": "WEB", 67993 "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" 67994 }, 67995 { 67996 "type": "WEB", 67997 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" 67998 }, 67999 { 68000 "type": "WEB", 68001 "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" 68002 }, 68003 { 68004 "type": "WEB", 68005 "url": 
"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" 68006 }, 68007 { 68008 "type": "WEB", 68009 "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" 68010 }, 68011 { 68012 "type": "WEB", 68013 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" 68014 }, 68015 { 68016 "type": "WEB", 68017 "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" 68018 }, 68019 { 68020 "type": "WEB", 68021 "url": "https://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1@%3Cannounce.tomcat.apache.org%3E" 68022 }, 68023 { 68024 "type": "WEB", 68025 "url": "https://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1%40%3Cannounce.tomcat.apache.org%3E" 68026 }, 68027 { 68028 "type": "WEB", 68029 "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E" 68030 }, 68031 { 68032 "type": "WEB", 68033 "url": "https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E" 68034 }, 68035 { 68036 "type": "WEB", 68037 "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E" 68038 }, 68039 { 68040 "type": "WEB", 68041 "url": "https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E" 68042 }, 68043 { 68044 "type": "WEB", 68045 "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E" 68046 }, 68047 { 68048 "type": "WEB", 68049 "url": 
"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" 68050 }, 68051 { 68052 "type": "WEB", 68053 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" 68054 }, 68055 { 68056 "type": "WEB", 68057 "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" 68058 }, 68059 { 68060 "type": "WEB", 68061 "url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html" 68062 }, 68063 { 68064 "type": "WEB", 68065 "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html" 68066 }, 68067 { 68068 "type": "WEB", 68069 "url": "https://seclists.org/bugtraq/2019/Dec/43" 68070 }, 68071 { 68072 "type": "WEB", 68073 "url": "https://security.netapp.com/advisory/ntap-20181018-0002" 68074 }, 68075 { 68076 "type": "WEB", 68077 "url": "https://usn.ubuntu.com/3665-1" 68078 }, 68079 { 68080 "type": "WEB", 68081 "url": "https://web.archive.org/web/20181017143233/http://www.securityfocus.com/bid/104203" 68082 }, 68083 { 68084 "type": "WEB", 68085 "url": "https://web.archive.org/web/20201207080723/http://www.securitytracker.com/id/1041888" 68086 }, 68087 { 68088 "type": "WEB", 68089 "url": "https://web.archive.org/web/20201207101131/http://www.securitytracker.com/id/1040998" 68090 }, 68091 { 68092 "type": "WEB", 68093 "url": "https://www.debian.org/security/2019/dsa-4596" 68094 }, 68095 { 68096 "type": "WEB", 68097 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 68098 }, 68099 { 68100 "type": "WEB", 68101 "url": "https://access.redhat.com/errata/RHSA-2018:2469" 68102 }, 68103 { 68104 "type": "WEB", 68105 "url": "https://access.redhat.com/errata/RHSA-2018:2470" 68106 }, 68107 { 68108 "type": "WEB", 68109 "url": "https://access.redhat.com/errata/RHSA-2018:3768" 68110 }, 68111 { 68112 "type": "WEB", 68113 "url": 
"https://access.redhat.com/errata/RHSA-2019:0450" 68114 }, 68115 { 68116 "type": "WEB", 68117 "url": "https://access.redhat.com/errata/RHSA-2019:0451" 68118 }, 68119 { 68120 "type": "WEB", 68121 "url": "https://access.redhat.com/errata/RHSA-2019:1529" 68122 }, 68123 { 68124 "type": "WEB", 68125 "url": "https://access.redhat.com/errata/RHSA-2019:2205" 68126 }, 68127 { 68128 "type": "ADVISORY", 68129 "url": "https://github.com/advisories/GHSA-r4x2-3cq5-hqvp" 68130 }, 68131 { 68132 "type": "PACKAGE", 68133 "url": "https://github.com/apache/tomcat" 68134 }, 68135 { 68136 "type": "WEB", 68137 "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E" 68138 }, 68139 { 68140 "type": "WEB", 68141 "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E" 68142 }, 68143 { 68144 "type": "WEB", 68145 "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E" 68146 }, 68147 { 68148 "type": "WEB", 68149 "url": "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E" 68150 }, 68151 { 68152 "type": "WEB", 68153 "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E" 68154 }, 68155 { 68156 "type": "WEB", 68157 "url": "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E" 68158 }, 68159 { 68160 "type": "WEB", 68161 "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E" 68162 }, 68163 { 68164 "type": "WEB", 68165 "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E" 68166 }, 68167 { 68168 "type": "WEB", 
68169 "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E" 68170 }, 68171 { 68172 "type": "WEB", 68173 "url": "https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E" 68174 }, 68175 { 68176 "type": "WEB", 68177 "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" 68178 }, 68179 { 68180 "type": "WEB", 68181 "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E" 68182 }, 68183 { 68184 "type": "WEB", 68185 "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E" 68186 }, 68187 { 68188 "type": "WEB", 68189 "url": "https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E" 68190 }, 68191 { 68192 "type": "WEB", 68193 "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E" 68194 }, 68195 { 68196 "type": "WEB", 68197 "url": "https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E" 68198 }, 68199 { 68200 "type": "WEB", 68201 "url": "https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E" 68202 }, 68203 { 68204 "type": "WEB", 68205 "url": "https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E" 68206 }, 68207 { 68208 "type": "WEB", 68209 "url": "https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E" 68210 }, 68211 { 68212 "type": "WEB", 68213 "url": 
"http://tomcat.apache.org/security-7.html" 68214 }, 68215 { 68216 "type": "WEB", 68217 "url": "http://tomcat.apache.org/security-8.html" 68218 }, 68219 { 68220 "type": "WEB", 68221 "url": "http://tomcat.apache.org/security-9.html" 68222 }, 68223 { 68224 "type": "WEB", 68225 "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" 68226 } 68227 ], 68228 "schema_version": "1.6.0", 68229 "severity": [ 68230 { 68231 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 68232 "type": "CVSS_V3" 68233 } 68234 ], 68235 "summary": "The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins" 68236 }, 68237 { 68238 "affected": [ 68239 { 68240 "database_specific": { 68241 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json" 68242 }, 68243 "package": { 68244 "ecosystem": "Maven", 68245 "name": "org.apache.tomcat:tomcat", 68246 "purl": "pkg:maven/org.apache.tomcat/tomcat" 68247 }, 68248 "ranges": [ 68249 { 68250 "events": [ 68251 { 68252 "introduced": "11.0.0-M1" 68253 }, 68254 { 68255 "fixed": "11.0.0-M12" 68256 } 68257 ], 68258 "type": "ECOSYSTEM" 68259 } 68260 ], 68261 "versions": [ 68262 "11.0.0-M1", 68263 "11.0.0-M10", 68264 "11.0.0-M11", 68265 "11.0.0-M3", 68266 "11.0.0-M4", 68267 "11.0.0-M5", 68268 "11.0.0-M6", 68269 "11.0.0-M7", 68270 "11.0.0-M9" 68271 ] 68272 }, 68273 { 68274 "database_specific": { 68275 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json" 68276 }, 68277 "package": { 68278 "ecosystem": "Maven", 68279 "name": "org.apache.tomcat:tomcat", 68280 "purl": "pkg:maven/org.apache.tomcat/tomcat" 68281 }, 68282 "ranges": [ 68283 { 68284 "events": [ 68285 { 68286 "introduced": "10.1.0-M1" 68287 }, 68288 { 68289 "fixed": "10.1.14" 68290 } 68291 ], 68292 "type": "ECOSYSTEM" 68293 } 
68294 ], 68295 "versions": [ 68296 "10.1.0", 68297 "10.1.0-M1", 68298 "10.1.0-M10", 68299 "10.1.0-M11", 68300 "10.1.0-M12", 68301 "10.1.0-M14", 68302 "10.1.0-M15", 68303 "10.1.0-M16", 68304 "10.1.0-M17", 68305 "10.1.0-M2", 68306 "10.1.0-M4", 68307 "10.1.0-M5", 68308 "10.1.0-M6", 68309 "10.1.0-M7", 68310 "10.1.0-M8", 68311 "10.1.1", 68312 "10.1.10", 68313 "10.1.11", 68314 "10.1.12", 68315 "10.1.13", 68316 "10.1.2", 68317 "10.1.4", 68318 "10.1.5", 68319 "10.1.6", 68320 "10.1.7", 68321 "10.1.8", 68322 "10.1.9" 68323 ] 68324 }, 68325 { 68326 "database_specific": { 68327 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json" 68328 }, 68329 "package": { 68330 "ecosystem": "Maven", 68331 "name": "org.apache.tomcat:tomcat", 68332 "purl": "pkg:maven/org.apache.tomcat/tomcat" 68333 }, 68334 "ranges": [ 68335 { 68336 "events": [ 68337 { 68338 "introduced": "9.0.0-M1" 68339 }, 68340 { 68341 "fixed": "9.0.81" 68342 } 68343 ], 68344 "type": "ECOSYSTEM" 68345 } 68346 ], 68347 "versions": [ 68348 "9.0.0.M1", 68349 "9.0.0.M10", 68350 "9.0.0.M11", 68351 "9.0.0.M13", 68352 "9.0.0.M15", 68353 "9.0.0.M17", 68354 "9.0.0.M18", 68355 "9.0.0.M19", 68356 "9.0.0.M20", 68357 "9.0.0.M21", 68358 "9.0.0.M22", 68359 "9.0.0.M25", 68360 "9.0.0.M26", 68361 "9.0.0.M27", 68362 "9.0.0.M3", 68363 "9.0.0.M4", 68364 "9.0.0.M6", 68365 "9.0.0.M8", 68366 "9.0.0.M9", 68367 "9.0.1", 68368 "9.0.10", 68369 "9.0.11", 68370 "9.0.12", 68371 "9.0.13", 68372 "9.0.14", 68373 "9.0.16", 68374 "9.0.17", 68375 "9.0.19", 68376 "9.0.2", 68377 "9.0.20", 68378 "9.0.21", 68379 "9.0.22", 68380 "9.0.24", 68381 "9.0.26", 68382 "9.0.27", 68383 "9.0.29", 68384 "9.0.30", 68385 "9.0.31", 68386 "9.0.33", 68387 "9.0.34", 68388 "9.0.35", 68389 "9.0.36", 68390 "9.0.37", 68391 "9.0.38", 68392 "9.0.39", 68393 "9.0.4", 68394 "9.0.40", 68395 "9.0.41", 68396 "9.0.43", 68397 "9.0.44", 68398 "9.0.45", 68399 "9.0.46", 68400 "9.0.48", 68401 "9.0.5", 68402 
"9.0.50", 68403 "9.0.52", 68404 "9.0.53", 68405 "9.0.54", 68406 "9.0.55", 68407 "9.0.56", 68408 "9.0.58", 68409 "9.0.59", 68410 "9.0.6", 68411 "9.0.60", 68412 "9.0.62", 68413 "9.0.63", 68414 "9.0.64", 68415 "9.0.65", 68416 "9.0.67", 68417 "9.0.68", 68418 "9.0.69", 68419 "9.0.7", 68420 "9.0.70", 68421 "9.0.71", 68422 "9.0.72", 68423 "9.0.73", 68424 "9.0.74", 68425 "9.0.75", 68426 "9.0.76", 68427 "9.0.78", 68428 "9.0.79", 68429 "9.0.8", 68430 "9.0.80" 68431 ] 68432 }, 68433 { 68434 "database_specific": { 68435 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json" 68436 }, 68437 "package": { 68438 "ecosystem": "Maven", 68439 "name": "org.apache.tomcat:tomcat", 68440 "purl": "pkg:maven/org.apache.tomcat/tomcat" 68441 }, 68442 "ranges": [ 68443 { 68444 "events": [ 68445 { 68446 "introduced": "8.5.0" 68447 }, 68448 { 68449 "fixed": "8.5.94" 68450 } 68451 ], 68452 "type": "ECOSYSTEM" 68453 } 68454 ], 68455 "versions": [ 68456 "8.5.0", 68457 "8.5.11", 68458 "8.5.12", 68459 "8.5.13", 68460 "8.5.14", 68461 "8.5.15", 68462 "8.5.16", 68463 "8.5.19", 68464 "8.5.2", 68465 "8.5.20", 68466 "8.5.21", 68467 "8.5.23", 68468 "8.5.24", 68469 "8.5.27", 68470 "8.5.28", 68471 "8.5.29", 68472 "8.5.3", 68473 "8.5.30", 68474 "8.5.31", 68475 "8.5.32", 68476 "8.5.33", 68477 "8.5.34", 68478 "8.5.35", 68479 "8.5.37", 68480 "8.5.38", 68481 "8.5.39", 68482 "8.5.4", 68483 "8.5.40", 68484 "8.5.41", 68485 "8.5.42", 68486 "8.5.43", 68487 "8.5.45", 68488 "8.5.46", 68489 "8.5.47", 68490 "8.5.49", 68491 "8.5.5", 68492 "8.5.50", 68493 "8.5.51", 68494 "8.5.53", 68495 "8.5.54", 68496 "8.5.55", 68497 "8.5.56", 68498 "8.5.57", 68499 "8.5.58", 68500 "8.5.59", 68501 "8.5.6", 68502 "8.5.60", 68503 "8.5.61", 68504 "8.5.63", 68505 "8.5.64", 68506 "8.5.65", 68507 "8.5.66", 68508 "8.5.68", 68509 "8.5.69", 68510 "8.5.70", 68511 "8.5.71", 68512 "8.5.72", 68513 "8.5.73", 68514 "8.5.75", 68515 "8.5.76", 68516 "8.5.77", 68517 
"8.5.78", 68518 "8.5.79", 68519 "8.5.8", 68520 "8.5.81", 68521 "8.5.82", 68522 "8.5.83", 68523 "8.5.84", 68524 "8.5.85", 68525 "8.5.86", 68526 "8.5.87", 68527 "8.5.88", 68528 "8.5.89", 68529 "8.5.9", 68530 "8.5.90", 68531 "8.5.91", 68532 "8.5.92", 68533 "8.5.93" 68534 ] 68535 }, 68536 { 68537 "database_specific": { 68538 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json" 68539 }, 68540 "package": { 68541 "ecosystem": "Maven", 68542 "name": "org.apache.tomcat.embed:tomcat-embed-core", 68543 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 68544 }, 68545 "ranges": [ 68546 { 68547 "events": [ 68548 { 68549 "introduced": "11.0.0-M1" 68550 }, 68551 { 68552 "fixed": "11.0.0-M12" 68553 } 68554 ], 68555 "type": "ECOSYSTEM" 68556 } 68557 ], 68558 "versions": [ 68559 "11.0.0-M1", 68560 "11.0.0-M10", 68561 "11.0.0-M11", 68562 "11.0.0-M3", 68563 "11.0.0-M4", 68564 "11.0.0-M5", 68565 "11.0.0-M6", 68566 "11.0.0-M7", 68567 "11.0.0-M9" 68568 ] 68569 }, 68570 { 68571 "database_specific": { 68572 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json" 68573 }, 68574 "package": { 68575 "ecosystem": "Maven", 68576 "name": "org.apache.tomcat.embed:tomcat-embed-core", 68577 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 68578 }, 68579 "ranges": [ 68580 { 68581 "events": [ 68582 { 68583 "introduced": "10.1.0-M1" 68584 }, 68585 { 68586 "fixed": "10.1.14" 68587 } 68588 ], 68589 "type": "ECOSYSTEM" 68590 } 68591 ], 68592 "versions": [ 68593 "10.1.0", 68594 "10.1.0-M1", 68595 "10.1.0-M10", 68596 "10.1.0-M11", 68597 "10.1.0-M12", 68598 "10.1.0-M14", 68599 "10.1.0-M15", 68600 "10.1.0-M16", 68601 "10.1.0-M17", 68602 "10.1.0-M2", 68603 "10.1.0-M4", 68604 "10.1.0-M5", 68605 "10.1.0-M6", 68606 "10.1.0-M7", 68607 "10.1.0-M8", 68608 "10.1.1", 68609 "10.1.10", 68610 "10.1.11", 68611 
"10.1.12", 68612 "10.1.13", 68613 "10.1.2", 68614 "10.1.4", 68615 "10.1.5", 68616 "10.1.6", 68617 "10.1.7", 68618 "10.1.8", 68619 "10.1.9" 68620 ] 68621 }, 68622 { 68623 "database_specific": { 68624 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json" 68625 }, 68626 "package": { 68627 "ecosystem": "Maven", 68628 "name": "org.apache.tomcat.embed:tomcat-embed-core", 68629 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 68630 }, 68631 "ranges": [ 68632 { 68633 "events": [ 68634 { 68635 "introduced": "9.0.0-M1" 68636 }, 68637 { 68638 "fixed": "9.0.81" 68639 } 68640 ], 68641 "type": "ECOSYSTEM" 68642 } 68643 ], 68644 "versions": [ 68645 "9.0.0.M1", 68646 "9.0.0.M10", 68647 "9.0.0.M11", 68648 "9.0.0.M13", 68649 "9.0.0.M15", 68650 "9.0.0.M17", 68651 "9.0.0.M18", 68652 "9.0.0.M19", 68653 "9.0.0.M20", 68654 "9.0.0.M21", 68655 "9.0.0.M22", 68656 "9.0.0.M25", 68657 "9.0.0.M26", 68658 "9.0.0.M27", 68659 "9.0.0.M3", 68660 "9.0.0.M4", 68661 "9.0.0.M6", 68662 "9.0.0.M8", 68663 "9.0.0.M9", 68664 "9.0.1", 68665 "9.0.10", 68666 "9.0.11", 68667 "9.0.12", 68668 "9.0.13", 68669 "9.0.14", 68670 "9.0.16", 68671 "9.0.17", 68672 "9.0.19", 68673 "9.0.2", 68674 "9.0.20", 68675 "9.0.21", 68676 "9.0.22", 68677 "9.0.24", 68678 "9.0.26", 68679 "9.0.27", 68680 "9.0.29", 68681 "9.0.30", 68682 "9.0.31", 68683 "9.0.33", 68684 "9.0.34", 68685 "9.0.35", 68686 "9.0.36", 68687 "9.0.37", 68688 "9.0.38", 68689 "9.0.39", 68690 "9.0.4", 68691 "9.0.40", 68692 "9.0.41", 68693 "9.0.43", 68694 "9.0.44", 68695 "9.0.45", 68696 "9.0.46", 68697 "9.0.48", 68698 "9.0.5", 68699 "9.0.50", 68700 "9.0.52", 68701 "9.0.53", 68702 "9.0.54", 68703 "9.0.55", 68704 "9.0.56", 68705 "9.0.58", 68706 "9.0.59", 68707 "9.0.6", 68708 "9.0.60", 68709 "9.0.62", 68710 "9.0.63", 68711 "9.0.64", 68712 "9.0.65", 68713 "9.0.67", 68714 "9.0.68", 68715 "9.0.69", 68716 "9.0.7", 68717 "9.0.70", 68718 "9.0.71", 68719 "9.0.72", 68720 
"9.0.73", 68721 "9.0.74", 68722 "9.0.75", 68723 "9.0.76", 68724 "9.0.78", 68725 "9.0.79", 68726 "9.0.8", 68727 "9.0.80" 68728 ] 68729 }, 68730 { 68731 "database_specific": { 68732 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json" 68733 }, 68734 "package": { 68735 "ecosystem": "Maven", 68736 "name": "org.apache.tomcat.embed:tomcat-embed-core", 68737 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 68738 }, 68739 "ranges": [ 68740 { 68741 "events": [ 68742 { 68743 "introduced": "8.5.0" 68744 }, 68745 { 68746 "fixed": "8.5.94" 68747 } 68748 ], 68749 "type": "ECOSYSTEM" 68750 } 68751 ], 68752 "versions": [ 68753 "8.5.0", 68754 "8.5.11", 68755 "8.5.12", 68756 "8.5.13", 68757 "8.5.14", 68758 "8.5.15", 68759 "8.5.16", 68760 "8.5.19", 68761 "8.5.2", 68762 "8.5.20", 68763 "8.5.21", 68764 "8.5.23", 68765 "8.5.24", 68766 "8.5.27", 68767 "8.5.28", 68768 "8.5.29", 68769 "8.5.3", 68770 "8.5.30", 68771 "8.5.31", 68772 "8.5.32", 68773 "8.5.33", 68774 "8.5.34", 68775 "8.5.35", 68776 "8.5.37", 68777 "8.5.38", 68778 "8.5.39", 68779 "8.5.4", 68780 "8.5.40", 68781 "8.5.41", 68782 "8.5.42", 68783 "8.5.43", 68784 "8.5.45", 68785 "8.5.46", 68786 "8.5.47", 68787 "8.5.49", 68788 "8.5.5", 68789 "8.5.50", 68790 "8.5.51", 68791 "8.5.53", 68792 "8.5.54", 68793 "8.5.55", 68794 "8.5.56", 68795 "8.5.57", 68796 "8.5.58", 68797 "8.5.59", 68798 "8.5.6", 68799 "8.5.60", 68800 "8.5.61", 68801 "8.5.63", 68802 "8.5.64", 68803 "8.5.65", 68804 "8.5.66", 68805 "8.5.68", 68806 "8.5.69", 68807 "8.5.70", 68808 "8.5.71", 68809 "8.5.72", 68810 "8.5.73", 68811 "8.5.75", 68812 "8.5.76", 68813 "8.5.77", 68814 "8.5.78", 68815 "8.5.79", 68816 "8.5.8", 68817 "8.5.81", 68818 "8.5.82", 68819 "8.5.83", 68820 "8.5.84", 68821 "8.5.85", 68822 "8.5.86", 68823 "8.5.87", 68824 "8.5.88", 68825 "8.5.89", 68826 "8.5.9", 68827 "8.5.90", 68828 "8.5.91", 68829 "8.5.92", 68830 "8.5.93" 68831 ] 68832 } 68833 ], 68834 "aliases": 
[ 68835 "BIT-tomcat-2023-45648", 68836 "CVE-2023-45648" 68837 ], 68838 "database_specific": { 68839 "cwe_ids": [ 68840 "CWE-20" 68841 ], 68842 "github_reviewed": true, 68843 "github_reviewed_at": "2023-10-10T22:29:58Z", 68844 "nvd_published_at": "2023-10-10T19:15:09Z", 68845 "severity": "MODERATE" 68846 }, 68847 "details": "Improper Input Validation vulnerability in Apache Tomcat.\n\nTomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single \nrequest as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.\n\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.", 68848 "id": "GHSA-r6j3-px5g-cq3x", 68849 "modified": "2024-04-24T15:46:02.04756Z", 68850 "published": "2023-10-10T21:31:12Z", 68851 "references": [ 68852 { 68853 "type": "ADVISORY", 68854 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45648" 68855 }, 68856 { 68857 "type": "WEB", 68858 "url": "https://github.com/apache/tomcat/commit/59583245639d8c42ae0009f4a4a70464d3ea70a0" 68859 }, 68860 { 68861 "type": "WEB", 68862 "url": "https://github.com/apache/tomcat/commit/8ecff306507be8e4fd3adee1ae5de1ea6661a8f4" 68863 }, 68864 { 68865 "type": "WEB", 68866 "url": "https://github.com/apache/tomcat/commit/c83fe47725f7ae9ae213568d9039171124fb7ec6" 68867 }, 68868 { 68869 "type": "WEB", 68870 "url": "https://github.com/apache/tomcat/commit/eb5c094e5560764cda436362254997511a3ca1f6" 68871 }, 68872 { 68873 "type": "PACKAGE", 68874 "url": "https://github.com/apache/tomcat" 68875 }, 68876 { 68877 "type": "WEB", 68878 "url": "https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp" 68879 }, 68880 { 68881 "type": "WEB", 68882 "url": 
"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" 68883 }, 68884 { 68885 "type": "WEB", 68886 "url": "https://security.netapp.com/advisory/ntap-20231103-0007" 68887 }, 68888 { 68889 "type": "WEB", 68890 "url": "https://www.debian.org/security/2023/dsa-5521" 68891 }, 68892 { 68893 "type": "WEB", 68894 "url": "https://www.debian.org/security/2023/dsa-5522" 68895 }, 68896 { 68897 "type": "WEB", 68898 "url": "http://www.openwall.com/lists/oss-security/2023/10/10/10" 68899 } 68900 ], 68901 "schema_version": "1.6.0", 68902 "severity": [ 68903 { 68904 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", 68905 "type": "CVSS_V3" 68906 } 68907 ], 68908 "summary": "Apache Tomcat Improper Input Validation vulnerability" 68909 }, 68910 { 68911 "affected": [ 68912 { 68913 "database_specific": { 68914 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json" 68915 }, 68916 "package": { 68917 "ecosystem": "Maven", 68918 "name": "org.apache.tomcat.embed:tomcat-embed-core", 68919 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 68920 }, 68921 "ranges": [ 68922 { 68923 "events": [ 68924 { 68925 "introduced": "8.5.83" 68926 }, 68927 { 68928 "fixed": "8.5.84" 68929 } 68930 ], 68931 "type": "ECOSYSTEM" 68932 } 68933 ], 68934 "versions": [ 68935 "8.5.83" 68936 ] 68937 }, 68938 { 68939 "database_specific": { 68940 "last_known_affected_version_range": "\u003c= 9.0.68", 68941 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json" 68942 }, 68943 "package": { 68944 "ecosystem": "Maven", 68945 "name": "org.apache.tomcat.embed:tomcat-embed-core", 68946 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 68947 }, 68948 "ranges": [ 68949 { 68950 "events": [ 68951 { 68952 "introduced": "9.0.40" 68953 }, 68954 { 68955 "fixed": "9.0.69" 68956 } 68957 ], 68958 "type": "ECOSYSTEM" 
68959 } 68960 ], 68961 "versions": [ 68962 "9.0.40", 68963 "9.0.41", 68964 "9.0.43", 68965 "9.0.44", 68966 "9.0.45", 68967 "9.0.46", 68968 "9.0.48", 68969 "9.0.50", 68970 "9.0.52", 68971 "9.0.53", 68972 "9.0.54", 68973 "9.0.55", 68974 "9.0.56", 68975 "9.0.58", 68976 "9.0.59", 68977 "9.0.60", 68978 "9.0.62", 68979 "9.0.63", 68980 "9.0.64", 68981 "9.0.65", 68982 "9.0.67", 68983 "9.0.68" 68984 ] 68985 }, 68986 { 68987 "database_specific": { 68988 "last_known_affected_version_range": "\u003c= 10.1.1", 68989 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json" 68990 }, 68991 "package": { 68992 "ecosystem": "Maven", 68993 "name": "org.apache.tomcat.embed:tomcat-embed-core", 68994 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 68995 }, 68996 "ranges": [ 68997 { 68998 "events": [ 68999 { 69000 "introduced": "10.1.0" 69001 }, 69002 { 69003 "fixed": "10.1.2" 69004 } 69005 ], 69006 "type": "ECOSYSTEM" 69007 } 69008 ], 69009 "versions": [ 69010 "10.1.0", 69011 "10.1.1" 69012 ] 69013 }, 69014 { 69015 "database_specific": { 69016 "last_known_affected_version_range": "\u003c= 10.1.1", 69017 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json" 69018 }, 69019 "package": { 69020 "ecosystem": "Maven", 69021 "name": "org.apache.tomcat:tomcat-catalina", 69022 "purl": "pkg:maven/org.apache.tomcat/tomcat-catalina" 69023 }, 69024 "ranges": [ 69025 { 69026 "events": [ 69027 { 69028 "introduced": "10.1.0" 69029 }, 69030 { 69031 "fixed": "10.1.2" 69032 } 69033 ], 69034 "type": "ECOSYSTEM" 69035 } 69036 ], 69037 "versions": [ 69038 "10.1.0", 69039 "10.1.1" 69040 ] 69041 }, 69042 { 69043 "database_specific": { 69044 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json" 69045 }, 69046 "package": { 69047 
"ecosystem": "Maven", 69048 "name": "org.apache.tomcat:tomcat-util", 69049 "purl": "pkg:maven/org.apache.tomcat/tomcat-util" 69050 }, 69051 "ranges": [ 69052 { 69053 "events": [ 69054 { 69055 "introduced": "8.5.83" 69056 }, 69057 { 69058 "fixed": "8.5.84" 69059 } 69060 ], 69061 "type": "ECOSYSTEM" 69062 } 69063 ], 69064 "versions": [ 69065 "8.5.83" 69066 ] 69067 }, 69068 { 69069 "database_specific": { 69070 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json" 69071 }, 69072 "package": { 69073 "ecosystem": "Maven", 69074 "name": "org.apache.tomcat:tomcat-util", 69075 "purl": "pkg:maven/org.apache.tomcat/tomcat-util" 69076 }, 69077 "ranges": [ 69078 { 69079 "events": [ 69080 { 69081 "introduced": "9.0.40" 69082 }, 69083 { 69084 "fixed": "9.0.69" 69085 } 69086 ], 69087 "type": "ECOSYSTEM" 69088 } 69089 ], 69090 "versions": [ 69091 "9.0.40", 69092 "9.0.41", 69093 "9.0.43", 69094 "9.0.44", 69095 "9.0.45", 69096 "9.0.46", 69097 "9.0.48", 69098 "9.0.50", 69099 "9.0.52", 69100 "9.0.53", 69101 "9.0.54", 69102 "9.0.55", 69103 "9.0.56", 69104 "9.0.58", 69105 "9.0.59", 69106 "9.0.60", 69107 "9.0.62", 69108 "9.0.63", 69109 "9.0.64", 69110 "9.0.65", 69111 "9.0.67", 69112 "9.0.68" 69113 ] 69114 } 69115 ], 69116 "aliases": [ 69117 "BIT-tomcat-2022-45143", 69118 "CVE-2022-45143" 69119 ], 69120 "database_specific": { 69121 "cwe_ids": [ 69122 "CWE-116", 69123 "CWE-74" 69124 ], 69125 "github_reviewed": true, 69126 "github_reviewed_at": "2023-01-05T12:02:50Z", 69127 "nvd_published_at": "2023-01-03T19:15:00Z", 69128 "severity": "HIGH" 69129 }, 69130 "details": "The `JsonErrorReportValve` in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 does not escape the `type`, `message` or `description` values. 
In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.", 69131 "id": "GHSA-rq2w-37h9-vg94", 69132 "modified": "2024-04-23T22:00:59.346897Z", 69133 "published": "2023-01-03T21:30:21Z", 69134 "references": [ 69135 { 69136 "type": "ADVISORY", 69137 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45143" 69138 }, 69139 { 69140 "type": "WEB", 69141 "url": "https://github.com/apache/tomcat/commit/0cab3a56bd89f70e7481bb0d68395dc7e130dbbf" 69142 }, 69143 { 69144 "type": "WEB", 69145 "url": "https://github.com/apache/tomcat/commit/6a0ac6a438cbbb66b6e9c5223842f53bf0cb50aa" 69146 }, 69147 { 69148 "type": "WEB", 69149 "url": "https://github.com/apache/tomcat/commit/b336f4e58893ea35114f1e4a415657f723b1298e" 69150 }, 69151 { 69152 "type": "PACKAGE", 69153 "url": "https://github.com/apache/tomcat" 69154 }, 69155 { 69156 "type": "WEB", 69157 "url": "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj" 69158 }, 69159 { 69160 "type": "WEB", 69161 "url": "https://security.gentoo.org/glsa/202305-37" 69162 } 69163 ], 69164 "schema_version": "1.6.0", 69165 "severity": [ 69166 { 69167 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 69168 "type": "CVSS_V3" 69169 } 69170 ], 69171 "summary": "Apache Tomcat improperly escapes input from JsonErrorReportValve" 69172 }, 69173 { 69174 "affected": [ 69175 { 69176 "database_specific": { 69177 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wf5v-jhxj-q632/GHSA-wf5v-jhxj-q632.json" 69178 }, 69179 "package": { 69180 "ecosystem": "Maven", 69181 "name": "org.apache.tomcat:tomcat-coyote", 69182 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 69183 }, 69184 "ranges": [ 69185 { 69186 "events": [ 69187 { 69188 "introduced": "8.0.0-RC1" 69189 }, 69190 { 69191 "fixed": "8.0.4" 69192 } 69193 ], 69194 "type": "ECOSYSTEM" 69195 } 69196 ], 69197 "versions": [ 
69198 "8.0.0-RC1", 69199 "8.0.0-RC10", 69200 "8.0.0-RC3", 69201 "8.0.0-RC5", 69202 "8.0.1", 69203 "8.0.3" 69204 ] 69205 }, 69206 { 69207 "database_specific": { 69208 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wf5v-jhxj-q632/GHSA-wf5v-jhxj-q632.json" 69209 }, 69210 "package": { 69211 "ecosystem": "Maven", 69212 "name": "org.apache.tomcat.embed:tomcat-embed-core", 69213 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 69214 }, 69215 "ranges": [ 69216 { 69217 "events": [ 69218 { 69219 "introduced": "8.0.0-RC1" 69220 }, 69221 { 69222 "fixed": "8.0.4" 69223 } 69224 ], 69225 "type": "ECOSYSTEM" 69226 } 69227 ], 69228 "versions": [ 69229 "8.0.0-RC1", 69230 "8.0.0-RC10", 69231 "8.0.0-RC3", 69232 "8.0.0-RC5", 69233 "8.0.1", 69234 "8.0.3" 69235 ] 69236 } 69237 ], 69238 "aliases": [ 69239 "CVE-2014-0095" 69240 ], 69241 "database_specific": { 69242 "cwe_ids": [ 69243 "CWE-20" 69244 ], 69245 "github_reviewed": true, 69246 "github_reviewed_at": "2024-01-08T20:19:10Z", 69247 "nvd_published_at": "2014-05-31T11:17:00Z", 69248 "severity": "MODERATE" 69249 }, 69250 "details": "java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache Tomcat 8.x before 8.0.4 allows remote attackers to cause a denial of service (thread consumption) by using a \"Content-Length: 0\" AJP request to trigger a hang in request processing.", 69251 "id": "GHSA-wf5v-jhxj-q632", 69252 "modified": "2024-02-22T16:49:15.848607Z", 69253 "published": "2022-05-17T00:24:30Z", 69254 "references": [ 69255 { 69256 "type": "ADVISORY", 69257 "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0095" 69258 }, 69259 { 69260 "type": "WEB", 69261 "url": "https://github.com/apache/tomcat/commit/8884dae60ace77a87ed9385442ce429e98c3a479" 69262 }, 69263 { 69264 "type": "WEB", 69265 "url": "https://github.com/apache/tomcat80/commit/77590c897f0e542fe363d70efdf3b82209510aee" 69266 }, 69267 { 69268 "type": "PACKAGE", 69269 "url": 
"https://github.com/apache/tomcat" 69270 }, 69271 { 69272 "type": "WEB", 69273 "url": "https://web.archive.org/web/20140713043210/http://www.securitytracker.com/id/1030300" 69274 }, 69275 { 69276 "type": "WEB", 69277 "url": "https://web.archive.org/web/20141126170141/http://www.securityfocus.com/bid/67673" 69278 }, 69279 { 69280 "type": "WEB", 69281 "url": "https://web.archive.org/web/20151017043748/http://secunia.com/advisories/60729" 69282 }, 69283 { 69284 "type": "WEB", 69285 "url": "https://web.archive.org/web/20161024215453/http://secunia.com/advisories/59873" 69286 }, 69287 { 69288 "type": "WEB", 69289 "url": "http://seclists.org/fulldisclosure/2014/May/134" 69290 }, 69291 { 69292 "type": "WEB", 69293 "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1578392" 69294 }, 69295 { 69296 "type": "WEB", 69297 "url": "http://tomcat.apache.org/security-8.html" 69298 }, 69299 { 69300 "type": "WEB", 69301 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21678231" 69302 }, 69303 { 69304 "type": "WEB", 69305 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21681528" 69306 }, 69307 { 69308 "type": "WEB", 69309 "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html" 69310 } 69311 ], 69312 "schema_version": "1.6.0", 69313 "summary": "Denial of service in Apache Tomcat" 69314 }, 69315 { 69316 "affected": [ 69317 { 69318 "database_specific": { 69319 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json" 69320 }, 69321 "package": { 69322 "ecosystem": "Maven", 69323 "name": "org.apache.tomcat.embed:tomcat-embed-core", 69324 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 69325 }, 69326 "ranges": [ 69327 { 69328 "events": [ 69329 { 69330 "introduced": "11.0.0-M1" 69331 }, 69332 { 69333 "fixed": "11.0.0-M21" 69334 } 69335 ], 69336 "type": "ECOSYSTEM" 69337 } 69338 ], 69339 "versions": [ 69340 "11.0.0-M1", 69341 
"11.0.0-M10", 69342 "11.0.0-M11", 69343 "11.0.0-M12", 69344 "11.0.0-M13", 69345 "11.0.0-M14", 69346 "11.0.0-M15", 69347 "11.0.0-M16", 69348 "11.0.0-M17", 69349 "11.0.0-M18", 69350 "11.0.0-M19", 69351 "11.0.0-M20", 69352 "11.0.0-M3", 69353 "11.0.0-M4", 69354 "11.0.0-M5", 69355 "11.0.0-M6", 69356 "11.0.0-M7", 69357 "11.0.0-M9" 69358 ] 69359 }, 69360 { 69361 "database_specific": { 69362 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json" 69363 }, 69364 "package": { 69365 "ecosystem": "Maven", 69366 "name": "org.apache.tomcat.embed:tomcat-embed-core", 69367 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 69368 }, 69369 "ranges": [ 69370 { 69371 "events": [ 69372 { 69373 "introduced": "10.1.0-M1" 69374 }, 69375 { 69376 "fixed": "10.1.25" 69377 } 69378 ], 69379 "type": "ECOSYSTEM" 69380 } 69381 ], 69382 "versions": [ 69383 "10.1.0", 69384 "10.1.0-M1", 69385 "10.1.0-M10", 69386 "10.1.0-M11", 69387 "10.1.0-M12", 69388 "10.1.0-M14", 69389 "10.1.0-M15", 69390 "10.1.0-M16", 69391 "10.1.0-M17", 69392 "10.1.0-M2", 69393 "10.1.0-M4", 69394 "10.1.0-M5", 69395 "10.1.0-M6", 69396 "10.1.0-M7", 69397 "10.1.0-M8", 69398 "10.1.1", 69399 "10.1.10", 69400 "10.1.11", 69401 "10.1.12", 69402 "10.1.13", 69403 "10.1.14", 69404 "10.1.15", 69405 "10.1.16", 69406 "10.1.17", 69407 "10.1.18", 69408 "10.1.19", 69409 "10.1.2", 69410 "10.1.20", 69411 "10.1.23", 69412 "10.1.24", 69413 "10.1.4", 69414 "10.1.5", 69415 "10.1.6", 69416 "10.1.7", 69417 "10.1.8", 69418 "10.1.9" 69419 ] 69420 }, 69421 { 69422 "database_specific": { 69423 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json" 69424 }, 69425 "package": { 69426 "ecosystem": "Maven", 69427 "name": "org.apache.tomcat.embed:tomcat-embed-core", 69428 "purl": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core" 69429 }, 69430 "ranges": [ 69431 { 69432 
"events": [ 69433 { 69434 "introduced": "9.0.0-M1" 69435 }, 69436 { 69437 "fixed": "9.0.90" 69438 } 69439 ], 69440 "type": "ECOSYSTEM" 69441 } 69442 ], 69443 "versions": [ 69444 "9.0.0.M1", 69445 "9.0.0.M10", 69446 "9.0.0.M11", 69447 "9.0.0.M13", 69448 "9.0.0.M15", 69449 "9.0.0.M17", 69450 "9.0.0.M18", 69451 "9.0.0.M19", 69452 "9.0.0.M20", 69453 "9.0.0.M21", 69454 "9.0.0.M22", 69455 "9.0.0.M25", 69456 "9.0.0.M26", 69457 "9.0.0.M27", 69458 "9.0.0.M3", 69459 "9.0.0.M4", 69460 "9.0.0.M6", 69461 "9.0.0.M8", 69462 "9.0.0.M9", 69463 "9.0.1", 69464 "9.0.10", 69465 "9.0.11", 69466 "9.0.12", 69467 "9.0.13", 69468 "9.0.14", 69469 "9.0.16", 69470 "9.0.17", 69471 "9.0.19", 69472 "9.0.2", 69473 "9.0.20", 69474 "9.0.21", 69475 "9.0.22", 69476 "9.0.24", 69477 "9.0.26", 69478 "9.0.27", 69479 "9.0.29", 69480 "9.0.30", 69481 "9.0.31", 69482 "9.0.33", 69483 "9.0.34", 69484 "9.0.35", 69485 "9.0.36", 69486 "9.0.37", 69487 "9.0.38", 69488 "9.0.39", 69489 "9.0.4", 69490 "9.0.40", 69491 "9.0.41", 69492 "9.0.43", 69493 "9.0.44", 69494 "9.0.45", 69495 "9.0.46", 69496 "9.0.48", 69497 "9.0.5", 69498 "9.0.50", 69499 "9.0.52", 69500 "9.0.53", 69501 "9.0.54", 69502 "9.0.55", 69503 "9.0.56", 69504 "9.0.58", 69505 "9.0.59", 69506 "9.0.6", 69507 "9.0.60", 69508 "9.0.62", 69509 "9.0.63", 69510 "9.0.64", 69511 "9.0.65", 69512 "9.0.67", 69513 "9.0.68", 69514 "9.0.69", 69515 "9.0.7", 69516 "9.0.70", 69517 "9.0.71", 69518 "9.0.72", 69519 "9.0.73", 69520 "9.0.74", 69521 "9.0.75", 69522 "9.0.76", 69523 "9.0.78", 69524 "9.0.79", 69525 "9.0.8", 69526 "9.0.80", 69527 "9.0.81", 69528 "9.0.82", 69529 "9.0.83", 69530 "9.0.84", 69531 "9.0.85", 69532 "9.0.86", 69533 "9.0.87", 69534 "9.0.88", 69535 "9.0.89" 69536 ] 69537 }, 69538 { 69539 "database_specific": { 69540 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json" 69541 }, 69542 "package": { 69543 "ecosystem": "Maven", 69544 "name": "org.apache.tomcat:tomcat-coyote", 
69545 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 69546 }, 69547 "ranges": [ 69548 { 69549 "events": [ 69550 { 69551 "introduced": "11.0.0-M1" 69552 }, 69553 { 69554 "fixed": "11.0.0-M21" 69555 } 69556 ], 69557 "type": "ECOSYSTEM" 69558 } 69559 ], 69560 "versions": [ 69561 "11.0.0-M1", 69562 "11.0.0-M10", 69563 "11.0.0-M11", 69564 "11.0.0-M12", 69565 "11.0.0-M13", 69566 "11.0.0-M14", 69567 "11.0.0-M15", 69568 "11.0.0-M16", 69569 "11.0.0-M17", 69570 "11.0.0-M18", 69571 "11.0.0-M19", 69572 "11.0.0-M20", 69573 "11.0.0-M3", 69574 "11.0.0-M4", 69575 "11.0.0-M5", 69576 "11.0.0-M6", 69577 "11.0.0-M7", 69578 "11.0.0-M9" 69579 ] 69580 }, 69581 { 69582 "database_specific": { 69583 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json" 69584 }, 69585 "package": { 69586 "ecosystem": "Maven", 69587 "name": "org.apache.tomcat:tomcat-coyote", 69588 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 69589 }, 69590 "ranges": [ 69591 { 69592 "events": [ 69593 { 69594 "introduced": "10.1.0-M1" 69595 }, 69596 { 69597 "fixed": "10.1.25" 69598 } 69599 ], 69600 "type": "ECOSYSTEM" 69601 } 69602 ], 69603 "versions": [ 69604 "10.1.0", 69605 "10.1.0-M1", 69606 "10.1.0-M10", 69607 "10.1.0-M11", 69608 "10.1.0-M12", 69609 "10.1.0-M14", 69610 "10.1.0-M15", 69611 "10.1.0-M16", 69612 "10.1.0-M17", 69613 "10.1.0-M2", 69614 "10.1.0-M4", 69615 "10.1.0-M5", 69616 "10.1.0-M6", 69617 "10.1.0-M7", 69618 "10.1.0-M8", 69619 "10.1.1", 69620 "10.1.10", 69621 "10.1.11", 69622 "10.1.12", 69623 "10.1.13", 69624 "10.1.14", 69625 "10.1.15", 69626 "10.1.16", 69627 "10.1.17", 69628 "10.1.18", 69629 "10.1.19", 69630 "10.1.2", 69631 "10.1.20", 69632 "10.1.23", 69633 "10.1.24", 69634 "10.1.4", 69635 "10.1.5", 69636 "10.1.6", 69637 "10.1.7", 69638 "10.1.8", 69639 "10.1.9" 69640 ] 69641 }, 69642 { 69643 "database_specific": { 69644 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json" 69645 }, 69646 "package": { 69647 "ecosystem": "Maven", 69648 "name": "org.apache.tomcat:tomcat-coyote", 69649 "purl": "pkg:maven/org.apache.tomcat/tomcat-coyote" 69650 }, 69651 "ranges": [ 69652 { 69653 "events": [ 69654 { 69655 "introduced": "9.0.0-M1" 69656 }, 69657 { 69658 "fixed": "9.0.90" 69659 } 69660 ], 69661 "type": "ECOSYSTEM" 69662 } 69663 ], 69664 "versions": [ 69665 "9.0.0.M1", 69666 "9.0.0.M10", 69667 "9.0.0.M11", 69668 "9.0.0.M13", 69669 "9.0.0.M15", 69670 "9.0.0.M17", 69671 "9.0.0.M18", 69672 "9.0.0.M19", 69673 "9.0.0.M20", 69674 "9.0.0.M21", 69675 "9.0.0.M22", 69676 "9.0.0.M25", 69677 "9.0.0.M26", 69678 "9.0.0.M27", 69679 "9.0.0.M3", 69680 "9.0.0.M4", 69681 "9.0.0.M6", 69682 "9.0.0.M8", 69683 "9.0.0.M9", 69684 "9.0.1", 69685 "9.0.10", 69686 "9.0.11", 69687 "9.0.12", 69688 "9.0.13", 69689 "9.0.14", 69690 "9.0.16", 69691 "9.0.17", 69692 "9.0.19", 69693 "9.0.2", 69694 "9.0.20", 69695 "9.0.21", 69696 "9.0.22", 69697 "9.0.24", 69698 "9.0.26", 69699 "9.0.27", 69700 "9.0.29", 69701 "9.0.30", 69702 "9.0.31", 69703 "9.0.33", 69704 "9.0.34", 69705 "9.0.35", 69706 "9.0.36", 69707 "9.0.37", 69708 "9.0.38", 69709 "9.0.39", 69710 "9.0.4", 69711 "9.0.40", 69712 "9.0.41", 69713 "9.0.43", 69714 "9.0.44", 69715 "9.0.45", 69716 "9.0.46", 69717 "9.0.48", 69718 "9.0.5", 69719 "9.0.50", 69720 "9.0.52", 69721 "9.0.53", 69722 "9.0.54", 69723 "9.0.55", 69724 "9.0.56", 69725 "9.0.58", 69726 "9.0.59", 69727 "9.0.6", 69728 "9.0.60", 69729 "9.0.62", 69730 "9.0.63", 69731 "9.0.64", 69732 "9.0.65", 69733 "9.0.67", 69734 "9.0.68", 69735 "9.0.69", 69736 "9.0.7", 69737 "9.0.70", 69738 "9.0.71", 69739 "9.0.72", 69740 "9.0.73", 69741 "9.0.74", 69742 "9.0.75", 69743 "9.0.76", 69744 "9.0.78", 69745 "9.0.79", 69746 "9.0.8", 69747 "9.0.80", 69748 "9.0.81", 69749 "9.0.82", 69750 "9.0.83", 69751 "9.0.84", 69752 "9.0.85", 69753 "9.0.86", 69754 "9.0.87", 
69755 "9.0.88", 69756 "9.0.89" 69757 ] 69758 } 69759 ], 69760 "aliases": [ 69761 "CVE-2024-34750" 69762 ], 69763 "database_specific": { 69764 "cwe_ids": [ 69765 "CWE-400", 69766 "CWE-755" 69767 ], 69768 "github_reviewed": true, 69769 "github_reviewed_at": "2024-07-05T20:39:41Z", 69770 "nvd_published_at": "2024-07-03T20:15:04Z", 69771 "severity": "HIGH" 69772 }, 69773 "details": "Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89.\n\nUsers are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.\n\n", 69774 "id": "GHSA-wm9w-rjj3-j356", 69775 "modified": "2024-07-05T20:57:34.262116Z", 69776 "published": "2024-07-03T21:39:44Z", 69777 "references": [ 69778 { 69779 "type": "ADVISORY", 69780 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34750" 69781 }, 69782 { 69783 "type": "WEB", 69784 "url": "https://github.com/apache/tomcat/commit/2344a4c0d03e307ba6b8ab6dc8b894cc8bac63f2" 69785 }, 69786 { 69787 "type": "WEB", 69788 "url": "https://github.com/apache/tomcat/commit/2afae300c9ac9c0e516e2e9de580847d925365c3" 69789 }, 69790 { 69791 "type": "WEB", 69792 "url": "https://github.com/apache/tomcat/commit/9fec9a82887853402833a80b584e3762c7423f5f" 69793 }, 69794 { 69795 "type": "PACKAGE", 69796 "url": "https://github.com/apache/tomcat" 69797 }, 69798 { 69799 "type": "WEB", 69800 "url": "https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l" 69801 }, 69802 { 69803 "type": "WEB", 69804 "url": "https://tomcat.apache.org/security-10.html" 69805 }, 69806 { 69807 
"type": "WEB", 69808 "url": "https://tomcat.apache.org/security-11.html" 69809 }, 69810 { 69811 "type": "WEB", 69812 "url": "https://tomcat.apache.org/security-9.html" 69813 } 69814 ], 69815 "schema_version": "1.6.0", 69816 "severity": [ 69817 { 69818 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 69819 "type": "CVSS_V3" 69820 }, 69821 { 69822 "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", 69823 "type": "CVSS_V4" 69824 } 69825 ], 69826 "summary": "Apache Tomcat - Denial of Service" 69827 }, 69828 { 69829 "affected": [ 69830 { 69831 "database_specific": { 69832 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-4qw8-pgpr-p9mq/GHSA-4qw8-pgpr-p9mq.json" 69833 }, 69834 "package": { 69835 "ecosystem": "Maven", 69836 "name": "org.apache.zeppelin:zeppelin", 69837 "purl": "pkg:maven/org.apache.zeppelin/zeppelin" 69838 }, 69839 "ranges": [ 69840 { 69841 "events": [ 69842 { 69843 "introduced": "0" 69844 }, 69845 { 69846 "fixed": "0.10.0" 69847 } 69848 ], 69849 "type": "ECOSYSTEM" 69850 } 69851 ], 69852 "versions": [ 69853 "0.5.0-incubating", 69854 "0.6.0", 69855 "0.6.1", 69856 "0.6.2", 69857 "0.7.0", 69858 "0.7.1", 69859 "0.7.2", 69860 "0.7.3", 69861 "0.8.0", 69862 "0.8.1", 69863 "0.8.2", 69864 "0.9.0", 69865 "0.9.0-preview1", 69866 "0.9.0-preview2" 69867 ] 69868 } 69869 ], 69870 "aliases": [ 69871 "CVE-2019-10095" 69872 ], 69873 "database_specific": { 69874 "cwe_ids": [ 69875 "CWE-77", 69876 "CWE-78" 69877 ], 69878 "github_reviewed": true, 69879 "github_reviewed_at": "2021-09-03T20:16:11Z", 69880 "nvd_published_at": "2021-09-02T17:15:00Z", 69881 "severity": "CRITICAL" 69882 }, 69883 "details": "bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. 
This issue affects Apache Zeppelin version 0.9.0 and prior versions.", 69884 "id": "GHSA-4qw8-pgpr-p9mq", 69885 "modified": "2024-02-16T08:17:18.8158Z", 69886 "published": "2021-09-07T22:56:43Z", 69887 "references": [ 69888 { 69889 "type": "ADVISORY", 69890 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10095" 69891 }, 69892 { 69893 "type": "PACKAGE", 69894 "url": "https://github.com/apache/zeppelin" 69895 }, 69896 { 69897 "type": "WEB", 69898 "url": "https://lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b%40%3Cusers.zeppelin.apache.org%3E" 69899 }, 69900 { 69901 "type": "WEB", 69902 "url": "https://lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b@%3Cusers.zeppelin.apache.org%3E" 69903 }, 69904 { 69905 "type": "WEB", 69906 "url": "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cannounce.apache.org%3E" 69907 }, 69908 { 69909 "type": "WEB", 69910 "url": "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E" 69911 }, 69912 { 69913 "type": "WEB", 69914 "url": "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208@%3Cannounce.apache.org%3E" 69915 }, 69916 { 69917 "type": "WEB", 69918 "url": "https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208@%3Cusers.zeppelin.apache.org%3E" 69919 }, 69920 { 69921 "type": "WEB", 69922 "url": "https://security.gentoo.org/glsa/202311-04" 69923 }, 69924 { 69925 "type": "WEB", 69926 "url": "http://www.openwall.com/lists/oss-security/2021/09/02/1" 69927 } 69928 ], 69929 "schema_version": "1.6.0", 69930 "severity": [ 69931 { 69932 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 69933 "type": "CVSS_V3" 69934 } 69935 ], 69936 "summary": "Bash command injection in Apache Zeppelin" 69937 }, 69938 { 69939 "affected": [ 69940 { 69941 
"database_specific": { 69942 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-87p2-cvhq-q4mv/GHSA-87p2-cvhq-q4mv.json" 69943 }, 69944 "package": { 69945 "ecosystem": "Maven", 69946 "name": "org.apache.zeppelin:zeppelin", 69947 "purl": "pkg:maven/org.apache.zeppelin/zeppelin" 69948 }, 69949 "ranges": [ 69950 { 69951 "events": [ 69952 { 69953 "introduced": "0" 69954 }, 69955 { 69956 "fixed": "0.10.0" 69957 } 69958 ], 69959 "type": "ECOSYSTEM" 69960 } 69961 ], 69962 "versions": [ 69963 "0.5.0-incubating", 69964 "0.6.0", 69965 "0.6.1", 69966 "0.6.2", 69967 "0.7.0", 69968 "0.7.1", 69969 "0.7.2", 69970 "0.7.3", 69971 "0.8.0", 69972 "0.8.1", 69973 "0.8.2", 69974 "0.9.0", 69975 "0.9.0-preview1", 69976 "0.9.0-preview2" 69977 ] 69978 } 69979 ], 69980 "aliases": [ 69981 "CVE-2020-13929" 69982 ], 69983 "database_specific": { 69984 "cwe_ids": [ 69985 "CWE-287" 69986 ], 69987 "github_reviewed": true, 69988 "github_reviewed_at": "2021-09-03T20:16:12Z", 69989 "nvd_published_at": "2021-09-02T17:15:00Z", 69990 "severity": "HIGH" 69991 }, 69992 "details": "Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin authentication mechanism to act as another user. 
This issue affects Apache Zeppelin version 0.9.0 and prior versions.", 69993 "id": "GHSA-87p2-cvhq-q4mv", 69994 "modified": "2024-02-16T08:20:33.71896Z", 69995 "published": "2021-09-07T22:56:56Z", 69996 "references": [ 69997 { 69998 "type": "ADVISORY", 69999 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13929" 70000 }, 70001 { 70002 "type": "PACKAGE", 70003 "url": "https://github.com/apache/zeppelin" 70004 }, 70005 { 70006 "type": "WEB", 70007 "url": "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cannounce.apache.org%3E" 70008 }, 70009 { 70010 "type": "WEB", 70011 "url": "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cusers.zeppelin.apache.org%3E" 70012 }, 70013 { 70014 "type": "WEB", 70015 "url": "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028@%3Cannounce.apache.org%3E" 70016 }, 70017 { 70018 "type": "WEB", 70019 "url": "https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028@%3Cusers.zeppelin.apache.org%3E" 70020 }, 70021 { 70022 "type": "WEB", 70023 "url": "https://lists.apache.org/thread.html/r99529e175a7c1c9a26bd41a02802c8af7aa97319fe561874627eb999%40%3Cusers.zeppelin.apache.org%3E" 70024 }, 70025 { 70026 "type": "WEB", 70027 "url": "https://lists.apache.org/thread.html/r99529e175a7c1c9a26bd41a02802c8af7aa97319fe561874627eb999@%3Cusers.zeppelin.apache.org%3E" 70028 }, 70029 { 70030 "type": "WEB", 70031 "url": "https://security.gentoo.org/glsa/202311-04" 70032 }, 70033 { 70034 "type": "WEB", 70035 "url": "http://www.openwall.com/lists/oss-security/2021/09/02/2" 70036 } 70037 ], 70038 "schema_version": "1.6.0", 70039 "severity": [ 70040 { 70041 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 70042 "type": "CVSS_V3" 70043 } 70044 ], 70045 "summary": "Authentication bypass in Apache Zeppelin" 70046 }, 70047 { 70048 "affected": [ 70049 { 70050 
"database_specific": { 70051 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-9p8j-hrgf-jc2g/GHSA-9p8j-hrgf-jc2g.json" 70052 }, 70053 "package": { 70054 "ecosystem": "Maven", 70055 "name": "org.apache.zeppelin:zeppelin", 70056 "purl": "pkg:maven/org.apache.zeppelin/zeppelin" 70057 }, 70058 "ranges": [ 70059 { 70060 "events": [ 70061 { 70062 "introduced": "0" 70063 }, 70064 { 70065 "fixed": "0.8.2" 70066 } 70067 ], 70068 "type": "ECOSYSTEM" 70069 } 70070 ], 70071 "versions": [ 70072 "0.5.0-incubating", 70073 "0.6.0", 70074 "0.6.1", 70075 "0.6.2", 70076 "0.7.0", 70077 "0.7.1", 70078 "0.7.2", 70079 "0.7.3", 70080 "0.8.0", 70081 "0.8.1" 70082 ] 70083 } 70084 ], 70085 "aliases": [ 70086 "CVE-2022-46870" 70087 ], 70088 "database_specific": { 70089 "cwe_ids": [ 70090 "CWE-79" 70091 ], 70092 "github_reviewed": true, 70093 "github_reviewed_at": "2022-12-20T22:10:26Z", 70094 "nvd_published_at": "2022-12-16T13:15:00Z", 70095 "severity": "MODERATE" 70096 }, 70097 "details": "An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users' browsers. This issue affects Apache Zeppelin before 0.8.2. 
Users are recommended to upgrade to a supported version of Zeppelin.", 70098 "id": "GHSA-9p8j-hrgf-jc2g", 70099 "modified": "2023-11-08T04:10:58.147637Z", 70100 "published": "2022-12-20T21:30:19Z", 70101 "references": [ 70102 { 70103 "type": "ADVISORY", 70104 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46870" 70105 }, 70106 { 70107 "type": "PACKAGE", 70108 "url": "https://github.com/apache/zeppelin" 70109 }, 70110 { 70111 "type": "WEB", 70112 "url": "https://lists.apache.org/thread/gb1wdnrm1095xw6qznpsycfrht4lwbwc" 70113 } 70114 ], 70115 "schema_version": "1.6.0", 70116 "severity": [ 70117 { 70118 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", 70119 "type": "CVSS_V3" 70120 } 70121 ], 70122 "summary": "Apache Zeppelin Cross-site Scripting vulnerability" 70123 }, 70124 { 70125 "affected": [ 70126 { 70127 "database_specific": { 70128 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-9x2h-hvg6-4r5p/GHSA-9x2h-hvg6-4r5p.json" 70129 }, 70130 "package": { 70131 "ecosystem": "Maven", 70132 "name": "org.apache.zeppelin:zeppelin", 70133 "purl": "pkg:maven/org.apache.zeppelin/zeppelin" 70134 }, 70135 "ranges": [ 70136 { 70137 "events": [ 70138 { 70139 "introduced": "0" 70140 }, 70141 { 70142 "fixed": "0.8.0" 70143 } 70144 ], 70145 "type": "ECOSYSTEM" 70146 } 70147 ], 70148 "versions": [ 70149 "0.5.0-incubating", 70150 "0.6.0", 70151 "0.6.1", 70152 "0.6.2", 70153 "0.7.0", 70154 "0.7.1", 70155 "0.7.2", 70156 "0.7.3" 70157 ] 70158 } 70159 ], 70160 "aliases": [ 70161 "CVE-2018-1317" 70162 ], 70163 "database_specific": { 70164 "cwe_ids": [ 70165 "CWE-287" 70166 ], 70167 "github_reviewed": true, 70168 "github_reviewed_at": "2019-04-24T16:07:02Z", 70169 "nvd_published_at": "2019-04-23T15:29:00Z", 70170 "severity": "HIGH" 70171 }, 70172 "details": "In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication.", 70173 "id": 
"GHSA-9x2h-hvg6-4r5p", 70174 "modified": "2023-11-08T03:59:52.831613Z", 70175 "published": "2019-04-24T16:06:52Z", 70176 "references": [ 70177 { 70178 "type": "ADVISORY", 70179 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1317" 70180 }, 70181 { 70182 "type": "WEB", 70183 "url": "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06@%3Cusers.zeppelin.apache.org%3E" 70184 }, 70185 { 70186 "type": "WEB", 70187 "url": "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html" 70188 }, 70189 { 70190 "type": "WEB", 70191 "url": "http://www.openwall.com/lists/oss-security/2019/04/23/1" 70192 } 70193 ], 70194 "schema_version": "1.6.0", 70195 "severity": [ 70196 { 70197 "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 70198 "type": "CVSS_V3" 70199 } 70200 ], 70201 "summary": "Improper Authentication in Apache Zeppelin" 70202 }, 70203 { 70204 "affected": [ 70205 { 70206 "database_specific": { 70207 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-c538-924g-99q4/GHSA-c538-924g-99q4.json" 70208 }, 70209 "package": { 70210 "ecosystem": "Maven", 70211 "name": "org.apache.zeppelin:zeppelin", 70212 "purl": "pkg:maven/org.apache.zeppelin/zeppelin" 70213 }, 70214 "ranges": [ 70215 { 70216 "events": [ 70217 { 70218 "introduced": "0" 70219 }, 70220 { 70221 "fixed": "0.7.3" 70222 } 70223 ], 70224 "type": "ECOSYSTEM" 70225 } 70226 ], 70227 "versions": [ 70228 "0.5.0-incubating", 70229 "0.6.0", 70230 "0.6.1", 70231 "0.6.2", 70232 "0.7.0", 70233 "0.7.1", 70234 "0.7.2" 70235 ] 70236 } 70237 ], 70238 "aliases": [ 70239 "CVE-2017-12619" 70240 ], 70241 "database_specific": { 70242 "cwe_ids": [ 70243 "CWE-384" 70244 ], 70245 "github_reviewed": true, 70246 "github_reviewed_at": "2019-04-24T16:04:01Z", 70247 "nvd_published_at": "2019-04-23T15:29:00Z", 70248 "severity": "HIGH" 70249 }, 70250 "details": "Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed 
an attacker to hijack a valid user session. Issue was reported by \"stone lone\".", 70251 "id": "GHSA-c538-924g-99q4", 70252 "modified": "2023-11-08T03:58:53.247281Z", 70253 "published": "2019-04-24T16:06:59Z", 70254 "references": [ 70255 { 70256 "type": "ADVISORY", 70257 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12619" 70258 }, 70259 { 70260 "type": "WEB", 70261 "url": "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06@%3Cusers.zeppelin.apache.org%3E" 70262 }, 70263 { 70264 "type": "WEB", 70265 "url": "https://zeppelin.apache.org/releases/zeppelin-release-0.7.3.html" 70266 }, 70267 { 70268 "type": "WEB", 70269 "url": "http://www.openwall.com/lists/oss-security/2019/04/23/1" 70270 } 70271 ], 70272 "schema_version": "1.6.0", 70273 "severity": [ 70274 { 70275 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", 70276 "type": "CVSS_V3" 70277 } 70278 ], 70279 "summary": "Session Fixation in Apache Zeppelin" 70280 }, 70281 { 70282 "affected": [ 70283 { 70284 "database_specific": { 70285 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-gm67-h5wr-w3cv/GHSA-gm67-h5wr-w3cv.json" 70286 }, 70287 "package": { 70288 "ecosystem": "Maven", 70289 "name": "org.apache.zeppelin:zeppelin", 70290 "purl": "pkg:maven/org.apache.zeppelin/zeppelin" 70291 }, 70292 "ranges": [ 70293 { 70294 "events": [ 70295 { 70296 "introduced": "0" 70297 }, 70298 { 70299 "fixed": "0.10.0" 70300 } 70301 ], 70302 "type": "ECOSYSTEM" 70303 } 70304 ], 70305 "versions": [ 70306 "0.5.0-incubating", 70307 "0.6.0", 70308 "0.6.1", 70309 "0.6.2", 70310 "0.7.0", 70311 "0.7.1", 70312 "0.7.2", 70313 "0.7.3", 70314 "0.8.0", 70315 "0.8.1", 70316 "0.8.2", 70317 "0.9.0", 70318 "0.9.0-preview1", 70319 "0.9.0-preview2" 70320 ] 70321 } 70322 ], 70323 "aliases": [ 70324 "CVE-2021-28655" 70325 ], 70326 "database_specific": { 70327 "cwe_ids": [ 70328 "CWE-20" 70329 ], 70330 "github_reviewed": true, 70331 
"github_reviewed_at": "2023-07-06T21:44:43Z", 70332 "nvd_published_at": "2022-12-16T13:15:00Z", 70333 "severity": "MODERATE" 70334 }, 70335 "details": "The improper Input Validation vulnerability in `Move folder to Trash` feature of Apache Zeppelin allows an attacker to delete arbitrary files. This issue affects Apache Zeppelin version 0.9.0 and prior versions.", 70336 "id": "GHSA-gm67-h5wr-w3cv", 70337 "modified": "2024-02-16T08:14:41.034081Z", 70338 "published": "2023-07-06T19:24:05Z", 70339 "references": [ 70340 { 70341 "type": "ADVISORY", 70342 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28655" 70343 }, 70344 { 70345 "type": "PACKAGE", 70346 "url": "https://github.com/apache/zeppelin" 70347 }, 70348 { 70349 "type": "WEB", 70350 "url": "https://lists.apache.org/thread/bxs056g3xlsofz0jb3wny9dw4llwptd2" 70351 } 70352 ], 70353 "schema_version": "1.6.0", 70354 "severity": [ 70355 { 70356 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", 70357 "type": "CVSS_V3" 70358 } 70359 ], 70360 "summary": "Apache Zeppelin Improper Input Validation vulnerability" 70361 }, 70362 { 70363 "affected": [ 70364 { 70365 "database_specific": { 70366 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-mf7q-gw5f-q8jj/GHSA-mf7q-gw5f-q8jj.json" 70367 }, 70368 "package": { 70369 "ecosystem": "Maven", 70370 "name": "org.apache.zeppelin:zeppelin", 70371 "purl": "pkg:maven/org.apache.zeppelin/zeppelin" 70372 }, 70373 "ranges": [ 70374 { 70375 "events": [ 70376 { 70377 "introduced": "0" 70378 }, 70379 { 70380 "fixed": "0.9.0" 70381 } 70382 ], 70383 "type": "ECOSYSTEM" 70384 } 70385 ], 70386 "versions": [ 70387 "0.5.0-incubating", 70388 "0.6.0", 70389 "0.6.1", 70390 "0.6.2", 70391 "0.7.0", 70392 "0.7.1", 70393 "0.7.2", 70394 "0.7.3", 70395 "0.8.0", 70396 "0.8.1", 70397 "0.8.2" 70398 ] 70399 } 70400 ], 70401 "aliases": [ 70402 "CVE-2021-27578" 70403 ], 70404 "database_specific": { 70405 "cwe_ids": [ 70406 
"CWE-79" 70407 ], 70408 "github_reviewed": true, 70409 "github_reviewed_at": "2021-09-03T20:16:10Z", 70410 "nvd_published_at": "2021-09-02T17:15:00Z", 70411 "severity": "MODERATE" 70412 }, 70413 "details": "Cross Site Scripting vulnerability in markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts. This issue affects Apache Zeppelin versions prior to 0.9.0.", 70414 "id": "GHSA-mf7q-gw5f-q8jj", 70415 "modified": "2024-02-16T08:08:39.299528Z", 70416 "published": "2021-09-07T22:55:56Z", 70417 "references": [ 70418 { 70419 "type": "ADVISORY", 70420 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27578" 70421 }, 70422 { 70423 "type": "PACKAGE", 70424 "url": "https://github.com/apache/zeppelin" 70425 }, 70426 { 70427 "type": "WEB", 70428 "url": "https://lists.apache.org/thread.html/r31012f2c8e39a5e12e14c1de030012cb8b51c037d953d73b291b7b50%40%3Cusers.zeppelin.apache.org%3E" 70429 }, 70430 { 70431 "type": "WEB", 70432 "url": "https://lists.apache.org/thread.html/r31012f2c8e39a5e12e14c1de030012cb8b51c037d953d73b291b7b50@%3Cusers.zeppelin.apache.org%3E" 70433 }, 70434 { 70435 "type": "WEB", 70436 "url": "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cannounce.apache.org%3E" 70437 }, 70438 { 70439 "type": "WEB", 70440 "url": "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cusers.zeppelin.apache.org%3E" 70441 }, 70442 { 70443 "type": "WEB", 70444 "url": "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d@%3Cannounce.apache.org%3E" 70445 }, 70446 { 70447 "type": "WEB", 70448 "url": "https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d@%3Cusers.zeppelin.apache.org%3E" 70449 }, 70450 { 70451 "type": "WEB", 70452 "url": "https://security.gentoo.org/glsa/202311-04" 70453 }, 70454 { 70455 "type": "WEB", 70456 "url": 
"http://www.openwall.com/lists/oss-security/2021/09/02/3" 70457 } 70458 ], 70459 "schema_version": "1.6.0", 70460 "severity": [ 70461 { 70462 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 70463 "type": "CVSS_V3" 70464 } 70465 ], 70466 "summary": "Cross-site Scripting in Apache Zeppelin" 70467 }, 70468 { 70469 "affected": [ 70470 { 70471 "database_specific": { 70472 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-r2v5-5vcr-h3vq/GHSA-r2v5-5vcr-h3vq.json" 70473 }, 70474 "package": { 70475 "ecosystem": "Maven", 70476 "name": "org.apache.zeppelin:zeppelin", 70477 "purl": "pkg:maven/org.apache.zeppelin/zeppelin" 70478 }, 70479 "ranges": [ 70480 { 70481 "events": [ 70482 { 70483 "introduced": "0" 70484 }, 70485 { 70486 "fixed": "0.8.0" 70487 } 70488 ], 70489 "type": "ECOSYSTEM" 70490 } 70491 ], 70492 "versions": [ 70493 "0.5.0-incubating", 70494 "0.6.0", 70495 "0.6.1", 70496 "0.6.2", 70497 "0.7.0", 70498 "0.7.1", 70499 "0.7.2", 70500 "0.7.3" 70501 ] 70502 } 70503 ], 70504 "aliases": [ 70505 "CVE-2018-1328" 70506 ], 70507 "database_specific": { 70508 "cwe_ids": [ 70509 "CWE-79" 70510 ], 70511 "github_reviewed": true, 70512 "github_reviewed_at": "2019-04-24T16:03:49Z", 70513 "nvd_published_at": "2019-04-23T15:29:00Z", 70514 "severity": "MODERATE" 70515 }, 70516 "details": "Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions. 
Issue reported by \"Josna Joseph\".", 70517 "id": "GHSA-r2v5-5vcr-h3vq", 70518 "modified": "2023-11-08T03:59:53.255873Z", 70519 "published": "2019-04-24T16:07:36Z", 70520 "references": [ 70521 { 70522 "type": "ADVISORY", 70523 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1328" 70524 }, 70525 { 70526 "type": "WEB", 70527 "url": "https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06@%3Cusers.zeppelin.apache.org%3E" 70528 }, 70529 { 70530 "type": "WEB", 70531 "url": "https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html" 70532 }, 70533 { 70534 "type": "WEB", 70535 "url": "http://www.openwall.com/lists/oss-security/2019/04/23/1" 70536 } 70537 ], 70538 "schema_version": "1.6.0", 70539 "severity": [ 70540 { 70541 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 70542 "type": "CVSS_V3" 70543 } 70544 ], 70545 "summary": "Cross-site Scripting in Apache Zeppelin" 70546 }, 70547 { 70548 "affected": [ 70549 { 70550 "database_specific": { 70551 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-86jx-wr74-xr74/GHSA-86jx-wr74-xr74.json" 70552 }, 70553 "package": { 70554 "ecosystem": "Maven", 70555 "name": "org.apache.zeppelin:zeppelin-interpreter", 70556 "purl": "pkg:maven/org.apache.zeppelin/zeppelin-interpreter" 70557 }, 70558 "ranges": [ 70559 { 70560 "events": [ 70561 { 70562 "introduced": "0.8.2" 70563 }, 70564 { 70565 "fixed": "0.11.1" 70566 } 70567 ], 70568 "type": "ECOSYSTEM" 70569 } 70570 ], 70571 "versions": [ 70572 "0.10.0", 70573 "0.10.1", 70574 "0.11.0", 70575 "0.8.2", 70576 "0.9.0", 70577 "0.9.0-preview1", 70578 "0.9.0-preview2" 70579 ] 70580 } 70581 ], 70582 "aliases": [ 70583 "CVE-2024-31866" 70584 ], 70585 "database_specific": { 70586 "cwe_ids": [ 70587 "CWE-116" 70588 ], 70589 "github_reviewed": true, 70590 "github_reviewed_at": "2024-05-24T20:11:32Z", 70591 "nvd_published_at": "2024-04-09T16:15:08Z", 70592 "severity": "CRITICAL" 70593 }, 70594 
"details": "Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.\n\nThe attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES.\nThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue.", 70595 "id": "GHSA-86jx-wr74-xr74", 70596 "modified": "2024-08-21T19:06:54.380122Z", 70597 "published": "2024-04-09T18:30:22Z", 70598 "references": [ 70599 { 70600 "type": "ADVISORY", 70601 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31866" 70602 }, 70603 { 70604 "type": "WEB", 70605 "url": "https://github.com/apache/zeppelin/pull/4715" 70606 }, 70607 { 70608 "type": "WEB", 70609 "url": "https://github.com/apache/zeppelin/commit/dd08a3966ef3b0b40f13d0291d7cac5ec3dd9f9c" 70610 }, 70611 { 70612 "type": "PACKAGE", 70613 "url": "https://github.com/apache/zeppelin" 70614 }, 70615 { 70616 "type": "WEB", 70617 "url": "https://lists.apache.org/thread/jpkbq3oktopt34x2n5wnhzc2r1410ddd" 70618 }, 70619 { 70620 "type": "WEB", 70621 "url": "http://www.openwall.com/lists/oss-security/2024/04/09/10" 70622 } 70623 ], 70624 "schema_version": "1.6.0", 70625 "severity": [ 70626 { 70627 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 70628 "type": "CVSS_V3" 70629 }, 70630 { 70631 "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", 70632 "type": "CVSS_V4" 70633 } 70634 ], 70635 "summary": "Improper escaping in Apache Zeppelin" 70636 }, 70637 { 70638 "affected": [ 70639 { 70640 "database_specific": { 70641 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-rrvf-5w4r-3x7v/GHSA-rrvf-5w4r-3x7v.json" 70642 }, 70643 "package": { 70644 "ecosystem": "Maven", 70645 "name": "org.apache.zeppelin:zeppelin-interpreter", 70646 "purl": "pkg:maven/org.apache.zeppelin/zeppelin-interpreter" 70647 }, 70648 "ranges": [ 70649 { 70650 "events": [ 70651 { 70652 
"introduced": "0.8.2" 70653 }, 70654 { 70655 "fixed": "0.11.1" 70656 } 70657 ], 70658 "type": "ECOSYSTEM" 70659 } 70660 ], 70661 "versions": [ 70662 "0.10.0", 70663 "0.10.1", 70664 "0.11.0", 70665 "0.8.2", 70666 "0.9.0", 70667 "0.9.0-preview1", 70668 "0.9.0-preview2" 70669 ] 70670 } 70671 ], 70672 "aliases": [ 70673 "CVE-2024-31868" 70674 ], 70675 "database_specific": { 70676 "cwe_ids": [ 70677 "CWE-116", 70678 "CWE-79" 70679 ], 70680 "github_reviewed": true, 70681 "github_reviewed_at": "2024-04-11T20:13:12Z", 70682 "nvd_published_at": "2024-04-09T16:15:08Z", 70683 "severity": "MODERATE" 70684 }, 70685 "details": "Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.\n\nAttackers can modify `helium.json` and perform cross-site scripting attacks on normal users. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\n\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\n\n", 70686 "id": "GHSA-rrvf-5w4r-3x7v", 70687 "modified": "2024-05-01T20:31:00.734193Z", 70688 "published": "2024-04-09T18:30:22Z", 70689 "references": [ 70690 { 70691 "type": "ADVISORY", 70692 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31868" 70693 }, 70694 { 70695 "type": "WEB", 70696 "url": "https://github.com/apache/zeppelin/pull/4728" 70697 }, 70698 { 70699 "type": "PACKAGE", 70700 "url": "https://github.com/apache/zeppelin" 70701 }, 70702 { 70703 "type": "WEB", 70704 "url": "https://lists.apache.org/thread/55mqs673plsxmgnq7fdf2flftpllyf11" 70705 }, 70706 { 70707 "type": "WEB", 70708 "url": "http://www.openwall.com/lists/oss-security/2024/04/09/11" 70709 } 70710 ], 70711 "schema_version": "1.6.0", 70712 "severity": [ 70713 { 70714 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 70715 "type": "CVSS_V3" 70716 } 70717 ], 70718 "summary": "Apache Zeppelin vulnerable to cross-site scripting in the helium module" 70719 }, 70720 { 70721 "affected": [ 70722 { 70723 "database_specific": { 70724 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-2hw2-62cp-p9p7/GHSA-2hw2-62cp-p9p7.json" 70725 }, 70726 "package": { 70727 "ecosystem": "Maven", 70728 "name": "org.apache.zookeeper:zookeeper", 70729 "purl": "pkg:maven/org.apache.zookeeper/zookeeper" 70730 }, 70731 "ranges": [ 70732 { 70733 "events": [ 70734 { 70735 "introduced": "1.0.0" 70736 }, 70737 { 70738 "fixed": "3.4.14" 70739 } 70740 ], 70741 "type": "ECOSYSTEM" 70742 } 70743 ], 70744 "versions": [ 70745 "3.3.0", 70746 "3.3.1", 70747 "3.3.2", 70748 "3.3.3", 70749 "3.3.4", 70750 "3.3.5", 70751 "3.3.6", 70752 "3.4.0", 70753 "3.4.1", 70754 "3.4.10", 70755 "3.4.11", 70756 "3.4.12", 70757 "3.4.13", 70758 "3.4.2", 70759 "3.4.3", 70760 "3.4.4", 70761 "3.4.5", 70762 "3.4.6", 70763 "3.4.7", 70764 "3.4.8", 70765 "3.4.9" 70766 ] 70767 }, 70768 { 70769 "database_specific": { 70770 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-2hw2-62cp-p9p7/GHSA-2hw2-62cp-p9p7.json" 70771 }, 70772 "package": { 70773 "ecosystem": "Maven", 70774 "name": "org.apache.zookeeper:zookeeper", 70775 "purl": "pkg:maven/org.apache.zookeeper/zookeeper" 70776 }, 70777 "ranges": [ 70778 { 70779 "events": [ 70780 { 70781 "introduced": "3.5.0" 70782 }, 70783 { 70784 "fixed": "3.5.5" 70785 } 70786 ], 70787 "type": "ECOSYSTEM" 70788 } 70789 ], 70790 "versions": [ 70791 "3.5.1-alpha", 70792 "3.5.2-alpha", 70793 "3.5.3-beta", 70794 "3.5.4-beta" 70795 ] 70796 } 70797 ], 70798 "aliases": [ 70799 "CVE-2019-0201" 70800 ], 70801 "database_specific": { 70802 "cwe_ids": [ 70803 "CWE-862" 70804 ], 70805 "github_reviewed": true, 70806 "github_reviewed_at": "2019-05-29T18:53:55Z", 70807 "nvd_published_at": "2019-05-23T14:29:00Z", 70808 "severity": "MODERATE" 70809 }, 70810 "details": "An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. 
ZooKeeper's getACL() command doesn't check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.", 70811 "id": "GHSA-2hw2-62cp-p9p7", 70812 "modified": "2024-03-14T05:19:59.559879Z", 70813 "published": "2019-05-29T18:54:11Z", 70814 "references": [ 70815 { 70816 "type": "ADVISORY", 70817 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0201" 70818 }, 70819 { 70820 "type": "WEB", 70821 "url": "https://zookeeper.apache.org/security.html#CVE-2019-0201" 70822 }, 70823 { 70824 "type": "WEB", 70825 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 70826 }, 70827 { 70828 "type": "WEB", 70829 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 70830 }, 70831 { 70832 "type": "WEB", 70833 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 70834 }, 70835 { 70836 "type": "WEB", 70837 "url": "https://www.debian.org/security/2019/dsa-4461" 70838 }, 70839 { 70840 "type": "WEB", 70841 "url": "https://security.netapp.com/advisory/ntap-20190619-0001" 70842 }, 70843 { 70844 "type": "WEB", 70845 "url": "https://seclists.org/bugtraq/2019/Jun/13" 70846 }, 70847 { 70848 "type": "WEB", 70849 "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html" 70850 }, 70851 { 70852 "type": "WEB", 70853 "url": "https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b@%3Ccommon-issues.hadoop.apache.org%3E" 70854 }, 70855 { 70856 "type": "WEB", 70857 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 70858 }, 70859 { 70860 "type": "WEB", 70861 "url": 
"https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391@%3Cissues.bookkeeper.apache.org%3E" 70862 }, 70863 { 70864 "type": "WEB", 70865 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 70866 }, 70867 { 70868 "type": "WEB", 70869 "url": "https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a@%3Ccommits.accumulo.apache.org%3E" 70870 }, 70871 { 70872 "type": "WEB", 70873 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 70874 }, 70875 { 70876 "type": "WEB", 70877 "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" 70878 }, 70879 { 70880 "type": "WEB", 70881 "url": "https://issues.apache.org/jira/browse/ZOOKEEPER-1392" 70882 }, 70883 { 70884 "type": "WEB", 70885 "url": "https://access.redhat.com/errata/RHSA-2019:4352" 70886 }, 70887 { 70888 "type": "WEB", 70889 "url": "https://access.redhat.com/errata/RHSA-2019:3892" 70890 }, 70891 { 70892 "type": "WEB", 70893 "url": "https://access.redhat.com/errata/RHSA-2019:3140" 70894 }, 70895 { 70896 "type": "WEB", 70897 "url": "http://www.securityfocus.com/bid/108427" 70898 } 70899 ], 70900 "schema_version": "1.6.0", 70901 "severity": [ 70902 { 70903 "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", 70904 "type": "CVSS_V3" 70905 } 70906 ], 70907 "summary": "Access control bypass in Apache ZooKeeper" 70908 }, 70909 { 70910 "affected": [ 70911 { 70912 "database_specific": { 70913 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-7286-pgfv-vxvh/GHSA-7286-pgfv-vxvh.json" 70914 }, 70915 "package": { 70916 "ecosystem": "Maven", 70917 "name": "org.apache.zookeeper:zookeeper", 70918 "purl": "pkg:maven/org.apache.zookeeper/zookeeper" 70919 }, 70920 "ranges": [ 
70921 { 70922 "events": [ 70923 { 70924 "introduced": "0" 70925 }, 70926 { 70927 "fixed": "3.7.2" 70928 } 70929 ], 70930 "type": "ECOSYSTEM" 70931 } 70932 ], 70933 "versions": [ 70934 "3.3.0", 70935 "3.3.1", 70936 "3.3.2", 70937 "3.3.3", 70938 "3.3.4", 70939 "3.3.5", 70940 "3.3.6", 70941 "3.4.0", 70942 "3.4.1", 70943 "3.4.10", 70944 "3.4.11", 70945 "3.4.12", 70946 "3.4.13", 70947 "3.4.14", 70948 "3.4.2", 70949 "3.4.3", 70950 "3.4.4", 70951 "3.4.5", 70952 "3.4.6", 70953 "3.4.7", 70954 "3.4.8", 70955 "3.4.9", 70956 "3.5.0-alpha", 70957 "3.5.1-alpha", 70958 "3.5.10", 70959 "3.5.2-alpha", 70960 "3.5.3-beta", 70961 "3.5.4-beta", 70962 "3.5.5", 70963 "3.5.6", 70964 "3.5.7", 70965 "3.5.8", 70966 "3.5.9", 70967 "3.6.0", 70968 "3.6.1", 70969 "3.6.2", 70970 "3.6.3", 70971 "3.6.4", 70972 "3.7.0", 70973 "3.7.1" 70974 ] 70975 }, 70976 { 70977 "database_specific": { 70978 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-7286-pgfv-vxvh/GHSA-7286-pgfv-vxvh.json" 70979 }, 70980 "package": { 70981 "ecosystem": "Maven", 70982 "name": "org.apache.zookeeper:zookeeper", 70983 "purl": "pkg:maven/org.apache.zookeeper/zookeeper" 70984 }, 70985 "ranges": [ 70986 { 70987 "events": [ 70988 { 70989 "introduced": "3.8.0" 70990 }, 70991 { 70992 "fixed": "3.8.3" 70993 } 70994 ], 70995 "type": "ECOSYSTEM" 70996 } 70997 ], 70998 "versions": [ 70999 "3.8.0", 71000 "3.8.1", 71001 "3.8.2" 71002 ] 71003 }, 71004 { 71005 "database_specific": { 71006 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-7286-pgfv-vxvh/GHSA-7286-pgfv-vxvh.json" 71007 }, 71008 "package": { 71009 "ecosystem": "Maven", 71010 "name": "org.apache.zookeeper:zookeeper", 71011 "purl": "pkg:maven/org.apache.zookeeper/zookeeper" 71012 }, 71013 "ranges": [ 71014 { 71015 "events": [ 71016 { 71017 "introduced": "3.9.0" 71018 }, 71019 { 71020 "fixed": "3.9.1" 71021 } 71022 ], 71023 "type": "ECOSYSTEM" 71024 } 71025 ], 71026 
"versions": [ 71027 "3.9.0" 71028 ] 71029 } 71030 ], 71031 "aliases": [ 71032 "BIT-zookeeper-2023-44981", 71033 "CVE-2023-44981" 71034 ], 71035 "database_specific": { 71036 "cwe_ids": [ 71037 "CWE-639" 71038 ], 71039 "github_reviewed": true, 71040 "github_reviewed_at": "2023-10-11T20:36:50Z", 71041 "nvd_published_at": "2023-10-11T12:15:11Z", 71042 "severity": "CRITICAL" 71043 }, 71044 "details": "Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. 
Quorum Peer authentication is not enabled by default.\n\nUsers are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue.\n\nAlternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue.\n\nSee the documentation for more details on correct cluster administration.\n", 71045 "id": "GHSA-7286-pgfv-vxvh", 71046 "modified": "2024-06-25T02:32:48.154078Z", 71047 "published": "2023-10-11T12:30:27Z", 71048 "references": [ 71049 { 71050 "type": "ADVISORY", 71051 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44981" 71052 }, 71053 { 71054 "type": "PACKAGE", 71055 "url": "https://github.com/apache/zookeeper" 71056 }, 71057 { 71058 "type": "WEB", 71059 "url": "https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b" 71060 }, 71061 { 71062 "type": "WEB", 71063 "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00029.html" 71064 }, 71065 { 71066 "type": "WEB", 71067 "url": "https://security.netapp.com/advisory/ntap-20240621-0007" 71068 }, 71069 { 71070 "type": "WEB", 71071 "url": "https://www.debian.org/security/2023/dsa-5544" 71072 }, 71073 { 71074 "type": "WEB", 71075 "url": "http://www.openwall.com/lists/oss-security/2023/10/11/4" 71076 } 71077 ], 71078 "related": [ 71079 "CGA-r4gp-jw3v-m8j8" 71080 ], 71081 "schema_version": "1.6.0", 71082 "severity": [ 71083 { 71084 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", 71085 "type": "CVSS_V3" 71086 } 71087 ], 71088 "summary": "Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper" 71089 }, 71090 { 71091 "affected": [ 71092 { 71093 "database_specific": { 71094 "last_known_affected_version_range": "\u003c= 3.4.9", 71095 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7cwj-j333-x7f7/GHSA-7cwj-j333-x7f7.json" 71096 }, 71097 "package": { 71098 "ecosystem": "Maven", 71099 "name": "org.apache.zookeeper:zookeeper", 71100 "purl": 
"pkg:maven/org.apache.zookeeper/zookeeper" 71101 }, 71102 "ranges": [ 71103 { 71104 "events": [ 71105 { 71106 "introduced": "3.4.0" 71107 }, 71108 { 71109 "fixed": "3.4.10" 71110 } 71111 ], 71112 "type": "ECOSYSTEM" 71113 } 71114 ], 71115 "versions": [ 71116 "3.4.0", 71117 "3.4.1", 71118 "3.4.2", 71119 "3.4.3", 71120 "3.4.4", 71121 "3.4.5", 71122 "3.4.6", 71123 "3.4.7", 71124 "3.4.8", 71125 "3.4.9" 71126 ] 71127 }, 71128 { 71129 "database_specific": { 71130 "last_known_affected_version_range": "\u003c= 3.5.2", 71131 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7cwj-j333-x7f7/GHSA-7cwj-j333-x7f7.json" 71132 }, 71133 "package": { 71134 "ecosystem": "Maven", 71135 "name": "org.apache.zookeeper:zookeeper", 71136 "purl": "pkg:maven/org.apache.zookeeper/zookeeper" 71137 }, 71138 "ranges": [ 71139 { 71140 "events": [ 71141 { 71142 "introduced": "3.5.0" 71143 }, 71144 { 71145 "fixed": "3.5.3" 71146 } 71147 ], 71148 "type": "ECOSYSTEM" 71149 } 71150 ], 71151 "versions": [ 71152 "3.5.1-alpha", 71153 "3.5.2-alpha", 71154 "3.5.3-beta" 71155 ] 71156 } 71157 ], 71158 "aliases": [ 71159 "CVE-2017-5637" 71160 ], 71161 "database_specific": { 71162 "cwe_ids": [ 71163 "CWE-400" 71164 ], 71165 "github_reviewed": true, 71166 "github_reviewed_at": "2022-07-01T16:58:11Z", 71167 "nvd_published_at": "2017-10-10T01:30:00Z", 71168 "severity": "HIGH" 71169 }, 71170 "details": "Two four letter word commands \"wchp/wchc\" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. 
Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.", 71171 "id": "GHSA-7cwj-j333-x7f7", 71172 "modified": "2023-11-08T03:59:22.246576Z", 71173 "published": "2022-05-13T01:08:23Z", 71174 "references": [ 71175 { 71176 "type": "ADVISORY", 71177 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637" 71178 }, 71179 { 71180 "type": "WEB", 71181 "url": "https://access.redhat.com/errata/RHSA-2017:2477" 71182 }, 71183 { 71184 "type": "WEB", 71185 "url": "https://access.redhat.com/errata/RHSA-2017:3354" 71186 }, 71187 { 71188 "type": "WEB", 71189 "url": "https://access.redhat.com/errata/RHSA-2017:3355" 71190 }, 71191 { 71192 "type": "WEB", 71193 "url": "https://issues.apache.org/jira/browse/ZOOKEEPER-2693" 71194 }, 71195 { 71196 "type": "WEB", 71197 "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" 71198 }, 71199 { 71200 "type": "WEB", 71201 "url": "https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E" 71202 }, 71203 { 71204 "type": "WEB", 71205 "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" 71206 }, 71207 { 71208 "type": "WEB", 71209 "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" 71210 }, 71211 { 71212 "type": "WEB", 71213 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 71214 }, 71215 { 71216 "type": "WEB", 71217 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 71218 }, 71219 { 71220 "type": "WEB", 71221 "url": "http://www.debian.org/security/2017/dsa-3871" 71222 }, 71223 { 71224 "type": "WEB", 71225 "url": "http://www.securityfocus.com/bid/98814" 71226 } 71227 ], 71228 "schema_version": "1.6.0", 71229 "severity": [ 71230 { 71231 "score": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 71232 "type": "CVSS_V3" 71233 } 71234 ], 71235 "summary": "Uncontrolled Resource Consumption in Apache ZooKeeper" 71236 }, 71237 { 71238 "affected": [ 71239 { 71240 "database_specific": { 71241 "last_known_affected_version_range": "\u003c= 3.4.9", 71242 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-ccqf-c5hq-77mp/GHSA-ccqf-c5hq-77mp.json" 71243 }, 71244 "package": { 71245 "ecosystem": "Maven", 71246 "name": "org.apache.zookeeper:zookeeper", 71247 "purl": "pkg:maven/org.apache.zookeeper/zookeeper" 71248 }, 71249 "ranges": [ 71250 { 71251 "events": [ 71252 { 71253 "introduced": "0" 71254 }, 71255 { 71256 "fixed": "3.4.10" 71257 } 71258 ], 71259 "type": "ECOSYSTEM" 71260 } 71261 ], 71262 "versions": [ 71263 "3.3.0", 71264 "3.3.1", 71265 "3.3.2", 71266 "3.3.3", 71267 "3.3.4", 71268 "3.3.5", 71269 "3.3.6", 71270 "3.4.0", 71271 "3.4.1", 71272 "3.4.2", 71273 "3.4.3", 71274 "3.4.4", 71275 "3.4.5", 71276 "3.4.6", 71277 "3.4.7", 71278 "3.4.8", 71279 "3.4.9" 71280 ] 71281 }, 71282 { 71283 "database_specific": { 71284 "last_known_affected_version_range": "\u003c= 3.5.3-beta", 71285 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-ccqf-c5hq-77mp/GHSA-ccqf-c5hq-77mp.json" 71286 }, 71287 "package": { 71288 "ecosystem": "Maven", 71289 "name": "org.apache.zookeeper:zookeeper", 71290 "purl": "pkg:maven/org.apache.zookeeper/zookeeper" 71291 }, 71292 "ranges": [ 71293 { 71294 "events": [ 71295 { 71296 "introduced": "3.5.0-alpha" 71297 }, 71298 { 71299 "fixed": "3.5.4-beta" 71300 } 71301 ], 71302 "type": "ECOSYSTEM" 71303 } 71304 ], 71305 "versions": [ 71306 "3.5.0-alpha", 71307 "3.5.1-alpha", 71308 "3.5.2-alpha", 71309 "3.5.3-beta" 71310 ] 71311 } 71312 ], 71313 "aliases": [ 71314 "CVE-2018-8012" 71315 ], 71316 "database_specific": { 71317 "cwe_ids": [ 71318 "CWE-862" 71319 ], 71320 "github_reviewed": true, 71321 
"github_reviewed_at": "2022-06-29T19:03:52Z", 71322 "nvd_published_at": "2018-05-21T19:29:00Z", 71323 "severity": "HIGH" 71324 }, 71325 "details": "No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.", 71326 "id": "GHSA-ccqf-c5hq-77mp", 71327 "modified": "2023-11-08T04:00:23.872615Z", 71328 "published": "2022-05-13T01:05:57Z", 71329 "references": [ 71330 { 71331 "type": "ADVISORY", 71332 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8012" 71333 }, 71334 { 71335 "type": "WEB", 71336 "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" 71337 }, 71338 { 71339 "type": "WEB", 71340 "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" 71341 }, 71342 { 71343 "type": "WEB", 71344 "url": "https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E" 71345 }, 71346 { 71347 "type": "WEB", 71348 "url": "https://lists.apache.org/thread.html/r73daf1fc5d85677d9a854707e1908d14e174b7bbb0c603709c0ab33f@%3Coak-commits.jackrabbit.apache.org%3E" 71349 }, 71350 { 71351 "type": "WEB", 71352 "url": "https://lists.apache.org/thread.html/r8f0d920805af93033c488af89104e2d682662bacfb8406db865d5e14@%3Cdev.jackrabbit.apache.org%3E" 71353 }, 71354 { 71355 "type": "WEB", 71356 "url": "https://lists.apache.org/thread.html/rc5bc4ddb0deabf8cfb69378cecee56fcdc76929bea9e6373cb863870@%3Cdev.jackrabbit.apache.org%3E" 71357 }, 71358 { 71359 "type": "WEB", 71360 "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" 71361 }, 71362 { 71363 "type": "WEB", 71364 "url": 
"https://lists.apache.org/thread.html/re3a4048e9515d4afea416df907a612ed384a16c57cf99e97ee4a12f2@%3Cdev.jackrabbit.apache.org%3E" 71365 }, 71366 { 71367 "type": "WEB", 71368 "url": "https://www.debian.org/security/2018/dsa-4214" 71369 }, 71370 { 71371 "type": "WEB", 71372 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 71373 }, 71374 { 71375 "type": "WEB", 71376 "url": "http://www.securityfocus.com/bid/104253" 71377 }, 71378 { 71379 "type": "WEB", 71380 "url": "http://www.securitytracker.com/id/1040948" 71381 } 71382 ], 71383 "schema_version": "1.6.0", 71384 "severity": [ 71385 { 71386 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 71387 "type": "CVSS_V3" 71388 } 71389 ], 71390 "summary": "Missing Authorization in Apache ZooKeeper" 71391 }, 71392 { 71393 "affected": [ 71394 { 71395 "database_specific": { 71396 "last_known_affected_version_range": "\u003c= 3.8.3", 71397 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-r978-9m6m-6gm6/GHSA-r978-9m6m-6gm6.json" 71398 }, 71399 "package": { 71400 "ecosystem": "Maven", 71401 "name": "org.apache.zookeeper:zookeeper", 71402 "purl": "pkg:maven/org.apache.zookeeper/zookeeper" 71403 }, 71404 "ranges": [ 71405 { 71406 "events": [ 71407 { 71408 "introduced": "3.8.0" 71409 }, 71410 { 71411 "fixed": "3.8.4" 71412 } 71413 ], 71414 "type": "ECOSYSTEM" 71415 } 71416 ], 71417 "versions": [ 71418 "3.8.0", 71419 "3.8.1", 71420 "3.8.2", 71421 "3.8.3" 71422 ] 71423 }, 71424 { 71425 "database_specific": { 71426 "last_known_affected_version_range": "\u003c= 3.9.1", 71427 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-r978-9m6m-6gm6/GHSA-r978-9m6m-6gm6.json" 71428 }, 71429 "package": { 71430 "ecosystem": "Maven", 71431 "name": "org.apache.zookeeper:zookeeper", 71432 "purl": "pkg:maven/org.apache.zookeeper/zookeeper" 71433 }, 71434 "ranges": [ 71435 { 71436 "events": [ 71437 { 71438 "introduced": "3.9.0" 
71439 }, 71440 { 71441 "fixed": "3.9.2" 71442 } 71443 ], 71444 "type": "ECOSYSTEM" 71445 } 71446 ], 71447 "versions": [ 71448 "3.9.0", 71449 "3.9.1" 71450 ] 71451 }, 71452 { 71453 "database_specific": { 71454 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-r978-9m6m-6gm6/GHSA-r978-9m6m-6gm6.json" 71455 }, 71456 "package": { 71457 "ecosystem": "Maven", 71458 "name": "org.apache.zookeeper:zookeeper", 71459 "purl": "pkg:maven/org.apache.zookeeper/zookeeper" 71460 }, 71461 "ranges": [ 71462 { 71463 "events": [ 71464 { 71465 "introduced": "3.6.0" 71466 }, 71467 { 71468 "last_affected": "3.7.2" 71469 } 71470 ], 71471 "type": "ECOSYSTEM" 71472 } 71473 ], 71474 "versions": [ 71475 "3.6.0", 71476 "3.6.1", 71477 "3.6.2", 71478 "3.6.3", 71479 "3.6.4", 71480 "3.7.0", 71481 "3.7.1", 71482 "3.7.2" 71483 ] 71484 } 71485 ], 71486 "aliases": [ 71487 "BIT-zookeeper-2024-23944", 71488 "CVE-2024-23944" 71489 ], 71490 "database_specific": { 71491 "cwe_ids": [ 71492 "CWE-200" 71493 ], 71494 "github_reviewed": true, 71495 "github_reviewed_at": "2024-03-15T19:35:37Z", 71496 "nvd_published_at": "2024-03-15T11:15:08Z", 71497 "severity": "MODERATE" 71498 }, 71499 "details": "Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. 
It's important to note that only the path is exposed by this vulnerability, not the data of znode, but since znode path can contain sensitive information like user name or login ID, this issue is potentially critical.\n\nUsers are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.\n", 71500 "id": "GHSA-r978-9m6m-6gm6", 71501 "modified": "2024-05-02T19:03:17.317514Z", 71502 "published": "2024-03-15T12:30:37Z", 71503 "references": [ 71504 { 71505 "type": "ADVISORY", 71506 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23944" 71507 }, 71508 { 71509 "type": "WEB", 71510 "url": "https://github.com/apache/zookeeper/commit/29c7b9462681f47c2ac12e609341cf9f52abac5c" 71511 }, 71512 { 71513 "type": "WEB", 71514 "url": "https://github.com/apache/zookeeper/commit/65b91d2d9a56157285c2a86b106e67c26520b01d" 71515 }, 71516 { 71517 "type": "WEB", 71518 "url": "https://github.com/apache/zookeeper/commit/daf7cfd04005cff1a4f7cab5ab13d41db88d0cd8" 71519 }, 71520 { 71521 "type": "PACKAGE", 71522 "url": "https://github.com/apache/zookeeper" 71523 }, 71524 { 71525 "type": "WEB", 71526 "url": "https://lists.apache.org/thread/96s5nqssj03rznz9hv58txdb2k1lr79k" 71527 }, 71528 { 71529 "type": "WEB", 71530 "url": "http://www.openwall.com/lists/oss-security/2024/03/14/2" 71531 } 71532 ], 71533 "related": [ 71534 "CGA-7x45-jmmj-p4h3", 71535 "CGA-h562-6hp9-9x2q", 71536 "CGA-mrr6-55fr-72mh", 71537 "CGA-rgr4-3vcx-cj8x", 71538 "CGA-wvcw-6w45-h72m" 71539 ], 71540 "schema_version": "1.6.0", 71541 "summary": "Apache ZooKeeper vulnerable to information disclosure in persistent watchers handling" 71542 }, 71543 { 71544 "affected": [ 71545 { 71546 "database_specific": { 71547 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-93jq-624g-4p9p/GHSA-93jq-624g-4p9p.json" 71548 }, 71549 "package": { 71550 "ecosystem": "Maven", 71551 "name": "org.asynchttpclient:async-http-client", 71552 "purl": 
"pkg:maven/org.asynchttpclient/async-http-client" 71553 }, 71554 "ranges": [ 71555 { 71556 "events": [ 71557 { 71558 "introduced": "0" 71559 }, 71560 { 71561 "fixed": "2.0.35" 71562 } 71563 ], 71564 "type": "ECOSYSTEM" 71565 } 71566 ], 71567 "versions": [ 71568 "2.0.0", 71569 "2.0.0-RC1", 71570 "2.0.0-RC10", 71571 "2.0.0-RC11", 71572 "2.0.0-RC12", 71573 "2.0.0-RC13", 71574 "2.0.0-RC14", 71575 "2.0.0-RC15", 71576 "2.0.0-RC16", 71577 "2.0.0-RC17", 71578 "2.0.0-RC18", 71579 "2.0.0-RC19", 71580 "2.0.0-RC2", 71581 "2.0.0-RC20", 71582 "2.0.0-RC21", 71583 "2.0.0-RC3", 71584 "2.0.0-RC4", 71585 "2.0.0-RC5", 71586 "2.0.0-RC6", 71587 "2.0.0-RC7", 71588 "2.0.0-RC8", 71589 "2.0.0-RC9", 71590 "2.0.0-alpha13", 71591 "2.0.0-alpha14", 71592 "2.0.0-alpha15", 71593 "2.0.0-alpha16", 71594 "2.0.0-alpha17", 71595 "2.0.0-alpha18", 71596 "2.0.0-alpha19", 71597 "2.0.0-alpha20", 71598 "2.0.0-alpha21", 71599 "2.0.0-alpha22", 71600 "2.0.0-alpha23", 71601 "2.0.0-alpha24", 71602 "2.0.0-alpha25", 71603 "2.0.0-alpha26", 71604 "2.0.0-alpha27", 71605 "2.0.1", 71606 "2.0.10", 71607 "2.0.11", 71608 "2.0.12", 71609 "2.0.13", 71610 "2.0.14", 71611 "2.0.15", 71612 "2.0.16", 71613 "2.0.17", 71614 "2.0.18", 71615 "2.0.19", 71616 "2.0.2", 71617 "2.0.20", 71618 "2.0.21", 71619 "2.0.22", 71620 "2.0.23", 71621 "2.0.24", 71622 "2.0.25", 71623 "2.0.26", 71624 "2.0.27", 71625 "2.0.28", 71626 "2.0.29", 71627 "2.0.3", 71628 "2.0.30", 71629 "2.0.31", 71630 "2.0.32", 71631 "2.0.33", 71632 "2.0.34", 71633 "2.0.4", 71634 "2.0.5", 71635 "2.0.6", 71636 "2.0.7", 71637 "2.0.8", 71638 "2.0.9" 71639 ] 71640 } 71641 ], 71642 "aliases": [ 71643 "CVE-2017-14063" 71644 ], 71645 "database_specific": { 71646 "cwe_ids": [ 71647 "CWE-20" 71648 ], 71649 "github_reviewed": true, 71650 "github_reviewed_at": "2020-06-16T21:27:19Z", 71651 "nvd_published_at": null, 71652 "severity": "HIGH" 71653 }, 71654 "details": "Async Http Client (aka async-http-client) before 2.0.35 can be tricked into connecting to a host different from the one 
extracted by java.net.URI if a '?' character occurs in a fragment identifier. Similar bugs were previously identified in cURL (CVE-2016-8624) and Oracle Java 8 java.net.URL.", 71655 "id": "GHSA-93jq-624g-4p9p", 71656 "modified": "2024-03-14T05:32:17.618778Z", 71657 "published": "2018-10-19T16:50:50Z", 71658 "references": [ 71659 { 71660 "type": "ADVISORY", 71661 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14063" 71662 }, 71663 { 71664 "type": "WEB", 71665 "url": "https://github.com/AsyncHttpClient/async-http-client/issues/1455" 71666 }, 71667 { 71668 "type": "WEB", 71669 "url": "https://lists.apache.org/thread.html/rfe55d83e4070bcc9285bbbf6bc39635dbcbba6d14d89aab0f339c83a@%3Ccommits.tez.apache.org%3E" 71670 }, 71671 { 71672 "type": "WEB", 71673 "url": "https://lists.apache.org/thread.html/rfd823a733b02cffbef5a69953fdcbed2d1d0afad5e1ea4e96ff6bf0a@%3Cissues.tez.apache.org%3E" 71674 }, 71675 { 71676 "type": "WEB", 71677 "url": "https://lists.apache.org/thread.html/rfaa4d578587f52a9c4d176af516a681a712c664e3be440a4163691d5@%3Ccommits.pulsar.apache.org%3E" 71678 }, 71679 { 71680 "type": "WEB", 71681 "url": "https://lists.apache.org/thread.html/re7367895ccbf64523efcd39a9181baf2eaa30b069d8d6496852fba56@%3Cissues.tez.apache.org%3E" 71682 }, 71683 { 71684 "type": "WEB", 71685 "url": "https://lists.apache.org/thread.html/re2510852c4a1f635b14b35e5dfd7597076928e723ab08559ede575e0@%3Ccommits.pulsar.apache.org%3E" 71686 }, 71687 { 71688 "type": "WEB", 71689 "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E" 71690 }, 71691 { 71692 "type": "WEB", 71693 "url": "https://lists.apache.org/thread.html/rcb46acc25917e01ebecca132e870da9ab935d5796686ed8a2785b026@%3Cissues.tez.apache.org%3E" 71694 }, 71695 { 71696 "type": "WEB", 71697 "url": "https://lists.apache.org/thread.html/rc550b8955b37b40fee18db99f167337c41c930d8c3763b9631e01dda@%3Cissues.tez.apache.org%3E" 71698 }, 71699 { 71700 "type": "WEB", 
71701 "url": "https://lists.apache.org/thread.html/rbc4fbb06ccb10e26e6064f57f6bd4935eabe2d18a0cb9a7183699396@%3Cissues.tez.apache.org%3E" 71702 }, 71703 { 71704 "type": "WEB", 71705 "url": "https://lists.apache.org/thread.html/rbbad61e1ba5b21e234a6664963618acfee237af754eb20300d938e1e@%3Cissues.tez.apache.org%3E" 71706 }, 71707 { 71708 "type": "WEB", 71709 "url": "https://lists.apache.org/thread.html/r9ea5d489e004b40baf73880c4e11dd4de24b799d15e091e1f4017108@%3Cissues.tez.apache.org%3E" 71710 }, 71711 { 71712 "type": "WEB", 71713 "url": "https://lists.apache.org/thread.html/r868875e67494a18d31e88cba2672f45c3fc6708ffdde445723004da4@%3Cissues.tez.apache.org%3E" 71714 }, 71715 { 71716 "type": "WEB", 71717 "url": "https://lists.apache.org/thread.html/r79d9bab405414af45568c4683386f5e9fd02c10ca87ffa2ee33512dc@%3Ccommits.pulsar.apache.org%3E" 71718 }, 71719 { 71720 "type": "WEB", 71721 "url": "https://lists.apache.org/thread.html/r7879a48644f708be0529bd39f0679ad3ad951f3dc24442878a008fd8@%3Cissues.tez.apache.org%3E" 71722 }, 71723 { 71724 "type": "WEB", 71725 "url": "https://lists.apache.org/thread.html/r7046a51116207588e36ca8c2e291327e391dae40712d267117475a98@%3Cdev.tez.apache.org%3E" 71726 }, 71727 { 71728 "type": "WEB", 71729 "url": "https://lists.apache.org/thread.html/r683d78c6d7a15659f2bb82dd4120dab8c45a870eaa7f1a15cce4ed3b@%3Cissues.tez.apache.org%3E" 71730 }, 71731 { 71732 "type": "WEB", 71733 "url": "https://lists.apache.org/thread.html/r5f794dc07913c5f2ec08f540813b40e61b562d36f8b1f916e8705c56@%3Cissues.tez.apache.org%3E" 71734 }, 71735 { 71736 "type": "WEB", 71737 "url": "https://lists.apache.org/thread.html/r5f07c30721503d4c02d5451f77a611a1a0bb2a94ddcdf071c9485ea3@%3Cissues.tez.apache.org%3E" 71738 }, 71739 { 71740 "type": "WEB", 71741 "url": "https://lists.apache.org/thread.html/r5b8666c4414500ff6e993bfa69cb6afa19b1b67c4585a045c0c21662@%3Cissues.tez.apache.org%3E" 71742 }, 71743 { 71744 "type": "WEB", 71745 "url": 
"https://lists.apache.org/thread.html/r4ebb9596d890f3528630492bd78237b3eef06f093bac238a0da9b630@%3Cissues.tez.apache.org%3E" 71746 }, 71747 { 71748 "type": "WEB", 71749 "url": "https://lists.apache.org/thread.html/r41a0e2c36f7d1854a4d56cb1e4aa720ef501782d887ece1c9b1e2d60@%3Cissues.tez.apache.org%3E" 71750 }, 71751 { 71752 "type": "WEB", 71753 "url": "https://lists.apache.org/thread.html/r3df4b7ccc363b4850a24842138117aa4451b875bc4773a845b828fc6@%3Cissues.tez.apache.org%3E" 71754 }, 71755 { 71756 "type": "WEB", 71757 "url": "https://lists.apache.org/thread.html/r14a74d204f285dd3a4fa203de6dbb4e741ddb7fdfff7915590e5b3db@%3Cdev.tez.apache.org%3E" 71758 }, 71759 { 71760 "type": "WEB", 71761 "url": "https://lists.apache.org/thread.html/r0a6b6429a7558051dbb70bd06584b4b1c334a80ec9203d3d39b7045a@%3Ccommits.tez.apache.org%3E" 71762 }, 71763 { 71764 "type": "WEB", 71765 "url": "https://lists.apache.org/thread.html/r04b15fd898a6b1612153543375daaa8145a0fd1804ec9fa2e0d95c97@%3Cissues.tez.apache.org%3E" 71766 }, 71767 { 71768 "type": "ADVISORY", 71769 "url": "https://github.com/advisories/GHSA-93jq-624g-4p9p" 71770 }, 71771 { 71772 "type": "PACKAGE", 71773 "url": "https://github.com/AsyncHttpClient/async-http-client" 71774 }, 71775 { 71776 "type": "WEB", 71777 "url": "https://access.redhat.com/errata/RHSA-2018:2669" 71778 }, 71779 { 71780 "type": "WEB", 71781 "url": "http://openwall.com/lists/oss-security/2017/08/31/4" 71782 } 71783 ], 71784 "schema_version": "1.6.0", 71785 "severity": [ 71786 { 71787 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 71788 "type": "CVSS_V3" 71789 } 71790 ], 71791 "summary": "Improper Input Validation in async-http-client" 71792 }, 71793 { 71794 "affected": [ 71795 { 71796 "database_specific": { 71797 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4446-656p-f54g/GHSA-4446-656p-f54g.json" 71798 }, 71799 "package": { 71800 "ecosystem": "Maven", 71801 "name": 
"org.bouncycastle:bcprov-jdk15on", 71802 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" 71803 }, 71804 "ranges": [ 71805 { 71806 "events": [ 71807 { 71808 "introduced": "1.57" 71809 }, 71810 { 71811 "fixed": "1.60" 71812 } 71813 ], 71814 "type": "ECOSYSTEM" 71815 } 71816 ], 71817 "versions": [ 71818 "1.57", 71819 "1.58", 71820 "1.59" 71821 ] 71822 } 71823 ], 71824 "aliases": [ 71825 "CVE-2018-1000613" 71826 ], 71827 "database_specific": { 71828 "cwe_ids": [ 71829 "CWE-470", 71830 "CWE-502" 71831 ], 71832 "github_reviewed": true, 71833 "github_reviewed_at": "2020-06-16T20:57:10Z", 71834 "nvd_published_at": "2018-07-09T20:29:00Z", 71835 "severity": "CRITICAL" 71836 }, 71837 "details": "Legion of the Bouncy Castle Java Cryptography APIs starting in version 1.57 and prior to version 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. 
\n\nThis vulnerability appears to have been fixed in 1.60 and later.", 71838 "id": "GHSA-4446-656p-f54g", 71839 "modified": "2024-02-22T05:44:11.786609Z", 71840 "published": "2018-10-17T16:23:12Z", 71841 "references": [ 71842 { 71843 "type": "ADVISORY", 71844 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000613" 71845 }, 71846 { 71847 "type": "WEB", 71848 "url": "https://github.com/bcgit/bc-java/commit/4092ede58da51af9a21e4825fbad0d9a3ef5a223#diff-2c06e2edef41db889ee14899e12bd574" 71849 }, 71850 { 71851 "type": "WEB", 71852 "url": "https://github.com/bcgit/bc-java/commit/cc9f91c41be67e88fca4e38f4872418448950fd9" 71853 }, 71854 { 71855 "type": "WEB", 71856 "url": "https://github.com/bcgit/bc-java/commit/cd98322b171b15b3f88c5ec871175147893c31e6#diff-148a6c098af0199192d6aede960f45dc" 71857 }, 71858 { 71859 "type": "ADVISORY", 71860 "url": "https://github.com/advisories/GHSA-4446-656p-f54g" 71861 }, 71862 { 71863 "type": "PACKAGE", 71864 "url": "https://github.com/bcgit/bc-java" 71865 }, 71866 { 71867 "type": "WEB", 71868 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E" 71869 }, 71870 { 71871 "type": "WEB", 71872 "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E" 71873 }, 71874 { 71875 "type": "WEB", 71876 "url": "https://security.netapp.com/advisory/ntap-20190204-0003" 71877 }, 71878 { 71879 "type": "WEB", 71880 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 71881 }, 71882 { 71883 "type": "WEB", 71884 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 71885 }, 71886 { 71887 "type": "WEB", 71888 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 71889 }, 71890 { 71891 "type": "WEB", 71892 "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" 71893 }, 71894 { 71895 "type": "WEB", 71896 "url": 
"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" 71897 }, 71898 { 71899 "type": "WEB", 71900 "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" 71901 }, 71902 { 71903 "type": "WEB", 71904 "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html" 71905 } 71906 ], 71907 "schema_version": "1.6.0", 71908 "severity": [ 71909 { 71910 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 71911 "type": "CVSS_V3" 71912 } 71913 ], 71914 "summary": "Deserialization of Untrusted Data in Bouncy castle" 71915 }, 71916 { 71917 "affected": [ 71918 { 71919 "database_specific": { 71920 "last_known_affected_version_range": "\u003c= 1.0.2", 71921 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json" 71922 }, 71923 "package": { 71924 "ecosystem": "Maven", 71925 "name": "org.bouncycastle:bc-fips", 71926 "purl": "pkg:maven/org.bouncycastle/bc-fips" 71927 }, 71928 "ranges": [ 71929 { 71930 "events": [ 71931 { 71932 "introduced": "0" 71933 }, 71934 { 71935 "fixed": "1.0.2.1" 71936 } 71937 ], 71938 "type": "ECOSYSTEM" 71939 } 71940 ], 71941 "versions": [ 71942 "1.0.0", 71943 "1.0.1", 71944 "1.0.2" 71945 ] 71946 }, 71947 { 71948 "database_specific": { 71949 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json" 71950 }, 71951 "package": { 71952 "ecosystem": "Maven", 71953 "name": "org.bouncycastle:bcprov-ext-jdk15on", 71954 "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk15on" 71955 }, 71956 "ranges": [ 71957 { 71958 "events": [ 71959 { 71960 "introduced": "0" 71961 }, 71962 { 71963 "fixed": "1.66" 71964 } 71965 ], 71966 "type": "ECOSYSTEM" 71967 } 71968 ], 71969 "versions": [ 71970 "1.46", 71971 "1.47", 71972 "1.48", 71973 "1.49", 71974 "1.50", 71975 "1.51", 71976 "1.52", 71977 "1.53", 71978 "1.54", 71979 "1.55", 
71980 "1.56", 71981 "1.57", 71982 "1.58", 71983 "1.59", 71984 "1.60", 71985 "1.61", 71986 "1.62", 71987 "1.63", 71988 "1.64", 71989 "1.65" 71990 ] 71991 }, 71992 { 71993 "database_specific": { 71994 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json" 71995 }, 71996 "package": { 71997 "ecosystem": "Maven", 71998 "name": "org.bouncycastle:bcprov-ext-jdk16", 71999 "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk16" 72000 }, 72001 "ranges": [ 72002 { 72003 "events": [ 72004 { 72005 "introduced": "0" 72006 }, 72007 { 72008 "fixed": "1.66" 72009 } 72010 ], 72011 "type": "ECOSYSTEM" 72012 } 72013 ], 72014 "versions": [ 72015 "1.45", 72016 "1.46" 72017 ] 72018 }, 72019 { 72020 "database_specific": { 72021 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json" 72022 }, 72023 "package": { 72024 "ecosystem": "Maven", 72025 "name": "org.bouncycastle:bcprov-jdk14", 72026 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" 72027 }, 72028 "ranges": [ 72029 { 72030 "events": [ 72031 { 72032 "introduced": "0" 72033 }, 72034 { 72035 "fixed": "1.66" 72036 } 72037 ], 72038 "type": "ECOSYSTEM" 72039 } 72040 ], 72041 "versions": [ 72042 "1.38", 72043 "1.43", 72044 "1.44", 72045 "1.45", 72046 "1.46", 72047 "1.47", 72048 "1.48", 72049 "1.49", 72050 "1.50", 72051 "1.51", 72052 "1.53", 72053 "1.54", 72054 "1.55", 72055 "1.56", 72056 "1.57", 72057 "1.58", 72058 "1.59", 72059 "1.60", 72060 "1.61", 72061 "1.62", 72062 "1.63", 72063 "1.64", 72064 "1.65" 72065 ] 72066 }, 72067 { 72068 "database_specific": { 72069 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json" 72070 }, 72071 "package": { 72072 "ecosystem": "Maven", 72073 "name": "org.bouncycastle:bcprov-jdk15", 72074 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15" 
72075 }, 72076 "ranges": [ 72077 { 72078 "events": [ 72079 { 72080 "introduced": "0" 72081 }, 72082 { 72083 "fixed": "1.66" 72084 } 72085 ], 72086 "type": "ECOSYSTEM" 72087 } 72088 ], 72089 "versions": [ 72090 "1.32", 72091 "1.38", 72092 "1.40", 72093 "1.43", 72094 "1.44", 72095 "1.45", 72096 "1.46" 72097 ] 72098 }, 72099 { 72100 "database_specific": { 72101 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json" 72102 }, 72103 "package": { 72104 "ecosystem": "Maven", 72105 "name": "org.bouncycastle:bcprov-jdk15on", 72106 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" 72107 }, 72108 "ranges": [ 72109 { 72110 "events": [ 72111 { 72112 "introduced": "0" 72113 }, 72114 { 72115 "fixed": "1.66" 72116 } 72117 ], 72118 "type": "ECOSYSTEM" 72119 } 72120 ], 72121 "versions": [ 72122 "1.46", 72123 "1.47", 72124 "1.48", 72125 "1.49", 72126 "1.50", 72127 "1.51", 72128 "1.52", 72129 "1.53", 72130 "1.54", 72131 "1.55", 72132 "1.56", 72133 "1.57", 72134 "1.58", 72135 "1.59", 72136 "1.60", 72137 "1.61", 72138 "1.62", 72139 "1.63", 72140 "1.64", 72141 "1.65", 72142 "1.65.01" 72143 ] 72144 }, 72145 { 72146 "database_specific": { 72147 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json" 72148 }, 72149 "package": { 72150 "ecosystem": "Maven", 72151 "name": "org.bouncycastle:bcprov-jdk15to18", 72152 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15to18" 72153 }, 72154 "ranges": [ 72155 { 72156 "events": [ 72157 { 72158 "introduced": "0" 72159 }, 72160 { 72161 "fixed": "1.66" 72162 } 72163 ], 72164 "type": "ECOSYSTEM" 72165 } 72166 ], 72167 "versions": [ 72168 "1.63", 72169 "1.64", 72170 "1.65" 72171 ] 72172 }, 72173 { 72174 "database_specific": { 72175 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json" 72176 
}, 72177 "package": { 72178 "ecosystem": "Maven", 72179 "name": "org.bouncycastle:bcprov-jdk16", 72180 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk16" 72181 }, 72182 "ranges": [ 72183 { 72184 "events": [ 72185 { 72186 "introduced": "0" 72187 }, 72188 { 72189 "fixed": "1.66" 72190 } 72191 ], 72192 "type": "ECOSYSTEM" 72193 } 72194 ], 72195 "versions": [ 72196 "1.38", 72197 "1.40", 72198 "1.43", 72199 "1.44", 72200 "1.45", 72201 "1.46" 72202 ] 72203 }, 72204 { 72205 "database_specific": { 72206 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json" 72207 }, 72208 "package": { 72209 "ecosystem": "NuGet", 72210 "name": "BouncyCastle", 72211 "purl": "pkg:nuget/BouncyCastle" 72212 }, 72213 "ranges": [ 72214 { 72215 "events": [ 72216 { 72217 "introduced": "0" 72218 }, 72219 { 72220 "fixed": "1.8.7" 72221 } 72222 ], 72223 "type": "ECOSYSTEM" 72224 } 72225 ], 72226 "versions": [ 72227 "1.7.0", 72228 "1.8.1", 72229 "1.8.2", 72230 "1.8.3", 72231 "1.8.3.1", 72232 "1.8.4", 72233 "1.8.5", 72234 "1.8.6", 72235 "1.8.6.1" 72236 ] 72237 } 72238 ], 72239 "aliases": [ 72240 "CVE-2020-15522" 72241 ], 72242 "database_specific": { 72243 "cwe_ids": [ 72244 "CWE-203", 72245 "CWE-362" 72246 ], 72247 "github_reviewed": true, 72248 "github_reviewed_at": "2021-05-21T17:50:36Z", 72249 "nvd_published_at": "2021-05-20T12:15:00Z", 72250 "severity": "MODERATE" 72251 }, 72252 "details": "Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.2.1, BC before 1.66, BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.", 72253 "id": "GHSA-6xx3-rg99-gc3p", 72254 "modified": "2024-02-17T05:52:01.093029Z", 72255 "published": "2021-08-13T15:22:31Z", 72256 "references": [ 72257 { 72258 "type": "ADVISORY", 72259 
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15522" 72260 }, 72261 { 72262 "type": "WEB", 72263 "url": "https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522" 72264 }, 72265 { 72266 "type": "WEB", 72267 "url": "https://github.com/bcgit/bc-java/wiki/CVE-2020-15522" 72268 }, 72269 { 72270 "type": "WEB", 72271 "url": "https://security.netapp.com/advisory/ntap-20210622-0007" 72272 }, 72273 { 72274 "type": "WEB", 72275 "url": "https://www.bouncycastle.org/releasenotes.html" 72276 } 72277 ], 72278 "related": [ 72279 "CGA-3544-c7xc-jx43", 72280 "CGA-p736-f9r6-77r7" 72281 ], 72282 "schema_version": "1.6.0", 72283 "severity": [ 72284 { 72285 "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", 72286 "type": "CVSS_V3" 72287 } 72288 ], 72289 "summary": "Timing based private key exposure in Bouncy Castle" 72290 }, 72291 { 72292 "affected": [ 72293 { 72294 "database_specific": { 72295 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json" 72296 }, 72297 "package": { 72298 "ecosystem": "Maven", 72299 "name": "org.bouncycastle:bcprov-jdk14", 72300 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" 72301 }, 72302 "ranges": [ 72303 { 72304 "events": [ 72305 { 72306 "introduced": "0" 72307 }, 72308 { 72309 "fixed": "1.61" 72310 } 72311 ], 72312 "type": "ECOSYSTEM" 72313 } 72314 ], 72315 "versions": [ 72316 "1.38", 72317 "1.43", 72318 "1.44", 72319 "1.45", 72320 "1.46", 72321 "1.47", 72322 "1.48", 72323 "1.49", 72324 "1.50", 72325 "1.51", 72326 "1.53", 72327 "1.54", 72328 "1.55", 72329 "1.56", 72330 "1.57", 72331 "1.58", 72332 "1.59", 72333 "1.60" 72334 ] 72335 }, 72336 { 72337 "database_specific": { 72338 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json" 72339 }, 72340 "package": { 72341 "ecosystem": "Maven", 72342 "name": "org.bouncycastle:bcprov-jdk15", 72343 "purl": 
"pkg:maven/org.bouncycastle/bcprov-jdk15" 72344 }, 72345 "ranges": [ 72346 { 72347 "events": [ 72348 { 72349 "introduced": "0" 72350 }, 72351 { 72352 "fixed": "1.61" 72353 } 72354 ], 72355 "type": "ECOSYSTEM" 72356 } 72357 ], 72358 "versions": [ 72359 "1.32", 72360 "1.38", 72361 "1.40", 72362 "1.43", 72363 "1.44", 72364 "1.45", 72365 "1.46" 72366 ] 72367 }, 72368 { 72369 "database_specific": { 72370 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json" 72371 }, 72372 "package": { 72373 "ecosystem": "Maven", 72374 "name": "org.bouncycastle:bcprov-jdk16", 72375 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk16" 72376 }, 72377 "ranges": [ 72378 { 72379 "events": [ 72380 { 72381 "introduced": "0" 72382 }, 72383 { 72384 "fixed": "1.61" 72385 } 72386 ], 72387 "type": "ECOSYSTEM" 72388 } 72389 ], 72390 "versions": [ 72391 "1.38", 72392 "1.40", 72393 "1.43", 72394 "1.44", 72395 "1.45", 72396 "1.46" 72397 ] 72398 }, 72399 { 72400 "database_specific": { 72401 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json" 72402 }, 72403 "package": { 72404 "ecosystem": "Maven", 72405 "name": "org.bouncycastle:bc-fips", 72406 "purl": "pkg:maven/org.bouncycastle/bc-fips" 72407 }, 72408 "ranges": [ 72409 { 72410 "events": [ 72411 { 72412 "introduced": "0" 72413 }, 72414 { 72415 "fixed": "1.0.2" 72416 } 72417 ], 72418 "type": "ECOSYSTEM" 72419 } 72420 ], 72421 "versions": [ 72422 "1.0.0", 72423 "1.0.1" 72424 ] 72425 }, 72426 { 72427 "database_specific": { 72428 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json" 72429 }, 72430 "package": { 72431 "ecosystem": "Maven", 72432 "name": "org.bouncycastle:bcprov-ext-jdk15on", 72433 "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk15on" 72434 }, 72435 "ranges": [ 72436 { 
72437 "events": [ 72438 { 72439 "introduced": "0" 72440 }, 72441 { 72442 "fixed": "1.61" 72443 } 72444 ], 72445 "type": "ECOSYSTEM" 72446 } 72447 ], 72448 "versions": [ 72449 "1.46", 72450 "1.47", 72451 "1.48", 72452 "1.49", 72453 "1.50", 72454 "1.51", 72455 "1.52", 72456 "1.53", 72457 "1.54", 72458 "1.55", 72459 "1.56", 72460 "1.57", 72461 "1.58", 72462 "1.59", 72463 "1.60" 72464 ] 72465 }, 72466 { 72467 "database_specific": { 72468 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json" 72469 }, 72470 "package": { 72471 "ecosystem": "Maven", 72472 "name": "org.bouncycastle:bcprov-ext-jdk16", 72473 "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk16" 72474 }, 72475 "ranges": [ 72476 { 72477 "events": [ 72478 { 72479 "introduced": "0" 72480 }, 72481 { 72482 "fixed": "1.61" 72483 } 72484 ], 72485 "type": "ECOSYSTEM" 72486 } 72487 ], 72488 "versions": [ 72489 "1.45", 72490 "1.46" 72491 ] 72492 }, 72493 { 72494 "database_specific": { 72495 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json" 72496 }, 72497 "package": { 72498 "ecosystem": "Maven", 72499 "name": "org.bouncycastle:bcprov-jdk15on", 72500 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" 72501 }, 72502 "ranges": [ 72503 { 72504 "events": [ 72505 { 72506 "introduced": "0" 72507 }, 72508 { 72509 "fixed": "1.61" 72510 } 72511 ], 72512 "type": "ECOSYSTEM" 72513 } 72514 ], 72515 "versions": [ 72516 "1.46", 72517 "1.47", 72518 "1.48", 72519 "1.49", 72520 "1.50", 72521 "1.51", 72522 "1.52", 72523 "1.53", 72524 "1.54", 72525 "1.55", 72526 "1.56", 72527 "1.57", 72528 "1.58", 72529 "1.59", 72530 "1.60" 72531 ] 72532 }, 72533 { 72534 "database_specific": { 72535 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json" 72536 }, 72537 "package": { 
72538 "ecosystem": "Maven", 72539 "name": "org.bouncycastle:bcprov-jdk15to18", 72540 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15to18" 72541 }, 72542 "ranges": [ 72543 { 72544 "events": [ 72545 { 72546 "introduced": "0" 72547 }, 72548 { 72549 "fixed": "1.61" 72550 } 72551 ], 72552 "type": "ECOSYSTEM" 72553 } 72554 ] 72555 } 72556 ], 72557 "aliases": [ 72558 "CVE-2020-26939" 72559 ], 72560 "database_specific": { 72561 "cwe_ids": [ 72562 "CWE-203" 72563 ], 72564 "github_reviewed": true, 72565 "github_reviewed_at": "2021-04-20T16:59:30Z", 72566 "nvd_published_at": "2020-11-02T22:15:00Z", 72567 "severity": "MODERATE" 72568 }, 72569 "details": "In Legion of the Bouncy Castle BC before 1.55 and BC-FJA before 1.0.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.", 72570 "id": "GHSA-72m5-fvvv-55m6", 72571 "modified": "2024-03-14T22:16:19.509843Z", 72572 "published": "2021-04-22T16:16:49Z", 72573 "references": [ 72574 { 72575 "type": "ADVISORY", 72576 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26939" 72577 }, 72578 { 72579 "type": "WEB", 72580 "url": "https://github.com/bcgit/bc-java/commit/930f8b274c4f1f3a46e68b5441f1e7fadb57e8c1" 72581 }, 72582 { 72583 "type": "WEB", 72584 "url": "https://github.com/bcgit/bc-java/wiki/CVE-2020-26939" 72585 }, 72586 { 72587 "type": "WEB", 72588 "url": "https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e@%3Cissues.solr.apache.org%3E" 72589 }, 72590 { 72591 "type": "WEB", 72592 "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00007.html" 72593 }, 72594 { 72595 "type": "WEB", 72596 "url": 
"https://security.netapp.com/advisory/ntap-20201202-0005" 72597 } 72598 ], 72599 "schema_version": "1.6.0", 72600 "severity": [ 72601 { 72602 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 72603 "type": "CVSS_V3" 72604 } 72605 ], 72606 "summary": "Observable Differences in Behavior to Error Inputs in Bouncy Castle" 72607 }, 72608 { 72609 "affected": [ 72610 { 72611 "database_specific": { 72612 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json" 72613 }, 72614 "package": { 72615 "ecosystem": "Maven", 72616 "name": "org.bouncycastle:bcprov-jdk15to18", 72617 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15to18" 72618 }, 72619 "ranges": [ 72620 { 72621 "events": [ 72622 { 72623 "introduced": "1.65" 72624 }, 72625 { 72626 "fixed": "1.67" 72627 } 72628 ], 72629 "type": "ECOSYSTEM" 72630 } 72631 ], 72632 "versions": [ 72633 "1.65", 72634 "1.66" 72635 ] 72636 }, 72637 { 72638 "database_specific": { 72639 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json" 72640 }, 72641 "package": { 72642 "ecosystem": "Maven", 72643 "name": "org.bouncycastle:bcprov-jdk15", 72644 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15" 72645 }, 72646 "ranges": [ 72647 { 72648 "events": [ 72649 { 72650 "introduced": "1.65" 72651 }, 72652 { 72653 "fixed": "1.67" 72654 } 72655 ], 72656 "type": "ECOSYSTEM" 72657 } 72658 ] 72659 }, 72660 { 72661 "database_specific": { 72662 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json" 72663 }, 72664 "package": { 72665 "ecosystem": "Maven", 72666 "name": "org.bouncycastle:bcprov-jdk15on", 72667 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" 72668 }, 72669 "ranges": [ 72670 { 72671 "events": [ 72672 { 72673 "introduced": "1.65" 72674 }, 72675 { 72676 "fixed": "1.67" 72677 
} 72678 ], 72679 "type": "ECOSYSTEM" 72680 } 72681 ], 72682 "versions": [ 72683 "1.65", 72684 "1.65.01", 72685 "1.66" 72686 ] 72687 }, 72688 { 72689 "database_specific": { 72690 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json" 72691 }, 72692 "package": { 72693 "ecosystem": "Maven", 72694 "name": "org.bouncycastle:bcprov-ext-jdk15on", 72695 "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk15on" 72696 }, 72697 "ranges": [ 72698 { 72699 "events": [ 72700 { 72701 "introduced": "1.65" 72702 }, 72703 { 72704 "fixed": "1.67" 72705 } 72706 ], 72707 "type": "ECOSYSTEM" 72708 } 72709 ], 72710 "versions": [ 72711 "1.65", 72712 "1.66" 72713 ] 72714 }, 72715 { 72716 "database_specific": { 72717 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json" 72718 }, 72719 "package": { 72720 "ecosystem": "Maven", 72721 "name": "org.bouncycastle:bcprov-jdk14", 72722 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" 72723 }, 72724 "ranges": [ 72725 { 72726 "events": [ 72727 { 72728 "introduced": "1.65" 72729 }, 72730 { 72731 "fixed": "1.67" 72732 } 72733 ], 72734 "type": "ECOSYSTEM" 72735 } 72736 ], 72737 "versions": [ 72738 "1.65" 72739 ] 72740 }, 72741 { 72742 "database_specific": { 72743 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json" 72744 }, 72745 "package": { 72746 "ecosystem": "Maven", 72747 "name": "org.bouncycastle:bcprov-jdk16", 72748 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk16" 72749 }, 72750 "ranges": [ 72751 { 72752 "events": [ 72753 { 72754 "introduced": "1.65" 72755 }, 72756 { 72757 "fixed": "1.67" 72758 } 72759 ], 72760 "type": "ECOSYSTEM" 72761 } 72762 ] 72763 }, 72764 { 72765 "database_specific": { 72766 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json" 72767 }, 72768 "package": { 72769 "ecosystem": "Maven", 72770 "name": "org.bouncycastle:bcprov-ext-jdk16", 72771 "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk16" 72772 }, 72773 "ranges": [ 72774 { 72775 "events": [ 72776 { 72777 "introduced": "1.65" 72778 }, 72779 { 72780 "fixed": "1.67" 72781 } 72782 ], 72783 "type": "ECOSYSTEM" 72784 } 72785 ] 72786 } 72787 ], 72788 "aliases": [ 72789 "CVE-2020-28052" 72790 ], 72791 "database_specific": { 72792 "cwe_ids": [ 72793 "CWE-670" 72794 ], 72795 "github_reviewed": true, 72796 "github_reviewed_at": "2021-03-19T00:15:55Z", 72797 "nvd_published_at": "2020-12-18T01:15:00Z", 72798 "severity": "HIGH" 72799 }, 72800 "details": "An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.", 72801 "id": "GHSA-73xv-w5gp-frxh", 72802 "modified": "2024-03-08T05:18:41.838529Z", 72803 "published": "2021-04-30T16:14:15Z", 72804 "references": [ 72805 { 72806 "type": "ADVISORY", 72807 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28052" 72808 }, 72809 { 72810 "type": "WEB", 72811 "url": "https://github.com/bcgit/bc-java/commit/97578f9b7ed277e6ecb58834e85e3d18385a4219" 72812 }, 72813 { 72814 "type": "WEB", 72815 "url": "https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle" 72816 }, 72817 { 72818 "type": "WEB", 72819 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 72820 }, 72821 { 72822 "type": "WEB", 72823 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 72824 }, 72825 { 72826 "type": "WEB", 72827 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 72828 }, 72829 { 72830 "type": "WEB", 72831 "url": 
"https://www.oracle.com/security-alerts/cpuapr2022.html" 72832 }, 72833 { 72834 "type": "WEB", 72835 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 72836 }, 72837 { 72838 "type": "WEB", 72839 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 72840 }, 72841 { 72842 "type": "WEB", 72843 "url": "https://www.bouncycastle.org/releasenotes.html" 72844 }, 72845 { 72846 "type": "WEB", 72847 "url": "https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb55849eadde58fa9dc2@%3Cissues.karaf.apache.org%3E" 72848 }, 72849 { 72850 "type": "WEB", 72851 "url": "https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32ea926b3de22402@%3Cissues.karaf.apache.org%3E" 72852 }, 72853 { 72854 "type": "WEB", 72855 "url": "https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e@%3Ccommits.druid.apache.org%3E" 72856 }, 72857 { 72858 "type": "WEB", 72859 "url": "https://lists.apache.org/thread.html/rddd2237b8636a48d573869006ee809262525efb2b6ffa6eff50d2a2d@%3Cjira.kafka.apache.org%3E" 72860 }, 72861 { 72862 "type": "WEB", 72863 "url": "https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94a0b64cab2efc31@%3Cissues.karaf.apache.org%3E" 72864 }, 72865 { 72866 "type": "WEB", 72867 "url": "https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb6008698d11ef44028c21@%3Cissues.karaf.apache.org%3E" 72868 }, 72869 { 72870 "type": "WEB", 72871 "url": "https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87b9f54ded26271c@%3Cissues.karaf.apache.org%3E" 72872 }, 72873 { 72874 "type": "WEB", 72875 "url": "https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f@%3Ccommits.druid.apache.org%3E" 72876 }, 72877 { 72878 "type": "WEB", 72879 "url": "https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e@%3Cissues.solr.apache.org%3E" 72880 }, 72881 { 72882 
"type": "WEB", 72883 "url": "https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf36c9ca240436b94@%3Cissues.karaf.apache.org%3E" 72884 }, 72885 { 72886 "type": "WEB", 72887 "url": "https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907bd5d8ef14c594fc@%3Cissues.karaf.apache.org%3E" 72888 }, 72889 { 72890 "type": "WEB", 72891 "url": "https://lists.apache.org/thread.html/r37d332c0bf772f4982d1fdeeb2f88dd71dab6451213e69e43734eadc@%3Ccommits.pulsar.apache.org%3E" 72892 }, 72893 { 72894 "type": "WEB", 72895 "url": "https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdfcd2f5d95892c5b@%3Cissues.karaf.apache.org%3E" 72896 }, 72897 { 72898 "type": "WEB", 72899 "url": "https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013@%3Cissues.karaf.apache.org%3E" 72900 }, 72901 { 72902 "type": "WEB", 72903 "url": "https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a@%3Ccommits.druid.apache.org%3E" 72904 }, 72905 { 72906 "type": "WEB", 72907 "url": "https://lists.apache.org/thread.html/r175f5a25d100dbe2b1bd3459b3ce882a84c3ff91b120ed4ff2d57b53@%3Ccommits.pulsar.apache.org%3E" 72908 }, 72909 { 72910 "type": "WEB", 72911 "url": "https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe@%3Cissues.karaf.apache.org%3E" 72912 }, 72913 { 72914 "type": "WEB", 72915 "url": "https://github.com/bcgit/bc-java/wiki/CVE-2020-28052" 72916 }, 72917 { 72918 "type": "PACKAGE", 72919 "url": "https://github.com/bcgit/bc-java" 72920 } 72921 ], 72922 "schema_version": "1.6.0", 72923 "severity": [ 72924 { 72925 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 72926 "type": "CVSS_V3" 72927 } 72928 ], 72929 "summary": "Logic error in Legion of the Bouncy Castle BC Java" 72930 }, 72931 { 72932 "affected": [ 72933 { 72934 "database_specific": { 72935 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8353-fgcr-xfhx/GHSA-8353-fgcr-xfhx.json" 72936 }, 72937 "package": { 72938 "ecosystem": "Maven", 72939 "name": "org.bouncycastle:bcprov-jdk15on", 72940 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" 72941 }, 72942 "ranges": [ 72943 { 72944 "events": [ 72945 { 72946 "introduced": "0" 72947 }, 72948 { 72949 "fixed": "1.48" 72950 } 72951 ], 72952 "type": "ECOSYSTEM" 72953 } 72954 ], 72955 "versions": [ 72956 "1.46", 72957 "1.47" 72958 ] 72959 } 72960 ], 72961 "aliases": [ 72962 "CVE-2013-1624" 72963 ], 72964 "database_specific": { 72965 "cwe_ids": [ 72966 "CWE-20" 72967 ], 72968 "github_reviewed": true, 72969 "github_reviewed_at": "2022-07-08T18:59:52Z", 72970 "nvd_published_at": "2013-02-08T19:55:00Z", 72971 "severity": "MODERATE" 72972 }, 72973 "details": "The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.", 72974 "id": "GHSA-8353-fgcr-xfhx", 72975 "modified": "2023-11-08T03:57:14.341835Z", 72976 "published": "2022-05-14T02:14:04Z", 72977 "references": [ 72978 { 72979 "type": "ADVISORY", 72980 "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1624" 72981 }, 72982 { 72983 "type": "WEB", 72984 "url": "http://openwall.com/lists/oss-security/2013/02/05/24" 72985 }, 72986 { 72987 "type": "WEB", 72988 "url": "http://rhn.redhat.com/errata/RHSA-2014-0371.html" 72989 }, 72990 { 72991 "type": "WEB", 72992 "url": "http://rhn.redhat.com/errata/RHSA-2014-0372.html" 72993 }, 72994 { 72995 "type": "WEB", 72996 "url": "http://secunia.com/advisories/57716" 72997 }, 72998 { 72999 "type": "WEB", 73000 "url": 
"http://secunia.com/advisories/57719" 73001 }, 73002 { 73003 "type": "WEB", 73004 "url": "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf" 73005 } 73006 ], 73007 "schema_version": "1.6.0", 73008 "summary": "Improper Input Validation in Bouncy Castle" 73009 }, 73010 { 73011 "affected": [ 73012 { 73013 "database_specific": { 73014 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8477-3v39-ggpm/GHSA-8477-3v39-ggpm.json" 73015 }, 73016 "package": { 73017 "ecosystem": "Maven", 73018 "name": "org.bouncycastle:bcprov-jdk15on", 73019 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" 73020 }, 73021 "ranges": [ 73022 { 73023 "events": [ 73024 { 73025 "introduced": "0" 73026 }, 73027 { 73028 "fixed": "1.50" 73029 } 73030 ], 73031 "type": "ECOSYSTEM" 73032 } 73033 ], 73034 "versions": [ 73035 "1.46", 73036 "1.47", 73037 "1.48", 73038 "1.49" 73039 ] 73040 } 73041 ], 73042 "aliases": [ 73043 "CVE-2018-5382" 73044 ], 73045 "database_specific": { 73046 "cwe_ids": [ 73047 "CWE-354" 73048 ], 73049 "github_reviewed": true, 73050 "github_reviewed_at": "2022-06-28T23:51:50Z", 73051 "nvd_published_at": "2018-04-16T14:29:00Z", 73052 "severity": "MODERATE" 73053 }, 73054 "details": "The default BKS keystore use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS keystore. Bouncy Castle release 1.47 changes the BKS format to a format which uses a 160 bit HMAC instead. This applies to any BKS keystore generated prior to BC 1.47. For situations where people need to create the files for legacy reasons a specific keystore type \"BKS-V1\" was introduced in 1.49. 
It should be noted that the use of \"BKS-V1\" is discouraged by the library authors and should only be used where it is otherwise safe to do so, as in where the use of a 16 bit checksum for the file integrity check is not going to cause a security issue in itself.", 73055 "id": "GHSA-8477-3v39-ggpm", 73056 "modified": "2023-11-08T04:00:20.719699Z", 73057 "published": "2022-05-13T01:01:01Z", 73058 "references": [ 73059 { 73060 "type": "ADVISORY", 73061 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5382" 73062 }, 73063 { 73064 "type": "WEB", 73065 "url": "https://access.redhat.com/errata/RHSA-2018:2927" 73066 }, 73067 { 73068 "type": "WEB", 73069 "url": "https://www.bouncycastle.org/releasenotes.html" 73070 }, 73071 { 73072 "type": "WEB", 73073 "url": "https://www.kb.cert.org/vuls/id/306792" 73074 }, 73075 { 73076 "type": "WEB", 73077 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 73078 }, 73079 { 73080 "type": "WEB", 73081 "url": "http://www.securityfocus.com/bid/103453" 73082 } 73083 ], 73084 "schema_version": "1.6.0", 73085 "severity": [ 73086 { 73087 "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", 73088 "type": "CVSS_V3" 73089 } 73090 ], 73091 "summary": "Improper Validation of Integrity Check Value in Bouncy Castle" 73092 }, 73093 { 73094 "affected": [ 73095 { 73096 "database_specific": { 73097 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" 73098 }, 73099 "package": { 73100 "ecosystem": "Maven", 73101 "name": "org.bouncycastle:bcprov-jdk18on", 73102 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk18on" 73103 }, 73104 "ranges": [ 73105 { 73106 "events": [ 73107 { 73108 "introduced": "0" 73109 }, 73110 { 73111 "fixed": "1.78" 73112 } 73113 ], 73114 "type": "ECOSYSTEM" 73115 } 73116 ], 73117 "versions": [ 73118 "1.71", 73119 "1.71.1", 73120 "1.72", 73121 "1.73", 73122 "1.74", 73123 "1.75", 73124 "1.76", 73125 "1.77" 73126 ] 73127 }, 73128 { 
73129 "database_specific": { 73130 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" 73131 }, 73132 "package": { 73133 "ecosystem": "Maven", 73134 "name": "org.bouncycastle:bcprov-jdk15on", 73135 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" 73136 }, 73137 "ranges": [ 73138 { 73139 "events": [ 73140 { 73141 "introduced": "0" 73142 }, 73143 { 73144 "fixed": "1.78" 73145 } 73146 ], 73147 "type": "ECOSYSTEM" 73148 } 73149 ], 73150 "versions": [ 73151 "1.46", 73152 "1.47", 73153 "1.48", 73154 "1.49", 73155 "1.50", 73156 "1.51", 73157 "1.52", 73158 "1.53", 73159 "1.54", 73160 "1.55", 73161 "1.56", 73162 "1.57", 73163 "1.58", 73164 "1.59", 73165 "1.60", 73166 "1.61", 73167 "1.62", 73168 "1.63", 73169 "1.64", 73170 "1.65", 73171 "1.65.01", 73172 "1.66", 73173 "1.67", 73174 "1.68", 73175 "1.69", 73176 "1.70" 73177 ] 73178 }, 73179 { 73180 "database_specific": { 73181 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" 73182 }, 73183 "package": { 73184 "ecosystem": "Maven", 73185 "name": "org.bouncycastle:bcprov-jdk15to18", 73186 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15to18" 73187 }, 73188 "ranges": [ 73189 { 73190 "events": [ 73191 { 73192 "introduced": "0" 73193 }, 73194 { 73195 "fixed": "1.78" 73196 } 73197 ], 73198 "type": "ECOSYSTEM" 73199 } 73200 ], 73201 "versions": [ 73202 "1.63", 73203 "1.64", 73204 "1.65", 73205 "1.66", 73206 "1.67", 73207 "1.68", 73208 "1.69", 73209 "1.70", 73210 "1.71", 73211 "1.72", 73212 "1.73", 73213 "1.74", 73214 "1.75", 73215 "1.76", 73216 "1.77" 73217 ] 73218 }, 73219 { 73220 "database_specific": { 73221 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" 73222 }, 73223 "package": { 73224 "ecosystem": "Maven", 73225 "name": 
"org.bouncycastle:bcprov-jdk14", 73226 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" 73227 }, 73228 "ranges": [ 73229 { 73230 "events": [ 73231 { 73232 "introduced": "0" 73233 }, 73234 { 73235 "fixed": "1.78" 73236 } 73237 ], 73238 "type": "ECOSYSTEM" 73239 } 73240 ], 73241 "versions": [ 73242 "1.38", 73243 "1.43", 73244 "1.44", 73245 "1.45", 73246 "1.46", 73247 "1.47", 73248 "1.48", 73249 "1.49", 73250 "1.50", 73251 "1.51", 73252 "1.53", 73253 "1.54", 73254 "1.55", 73255 "1.56", 73256 "1.57", 73257 "1.58", 73258 "1.59", 73259 "1.60", 73260 "1.61", 73261 "1.62", 73262 "1.63", 73263 "1.64", 73264 "1.65", 73265 "1.67", 73266 "1.68", 73267 "1.69", 73268 "1.70", 73269 "1.71", 73270 "1.72", 73271 "1.73", 73272 "1.74", 73273 "1.75", 73274 "1.76", 73275 "1.77" 73276 ] 73277 }, 73278 { 73279 "database_specific": { 73280 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" 73281 }, 73282 "package": { 73283 "ecosystem": "Maven", 73284 "name": "org.bouncycastle:bctls-jdk18on", 73285 "purl": "pkg:maven/org.bouncycastle/bctls-jdk18on" 73286 }, 73287 "ranges": [ 73288 { 73289 "events": [ 73290 { 73291 "introduced": "0" 73292 }, 73293 { 73294 "fixed": "1.78" 73295 } 73296 ], 73297 "type": "ECOSYSTEM" 73298 } 73299 ], 73300 "versions": [ 73301 "1.71", 73302 "1.71.1", 73303 "1.72", 73304 "1.73", 73305 "1.74", 73306 "1.75", 73307 "1.76", 73308 "1.77" 73309 ] 73310 }, 73311 { 73312 "database_specific": { 73313 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" 73314 }, 73315 "package": { 73316 "ecosystem": "Maven", 73317 "name": "org.bouncycastle:bctls-jdk14", 73318 "purl": "pkg:maven/org.bouncycastle/bctls-jdk14" 73319 }, 73320 "ranges": [ 73321 { 73322 "events": [ 73323 { 73324 "introduced": "0" 73325 }, 73326 { 73327 "fixed": "1.78" 73328 } 73329 ], 73330 "type": "ECOSYSTEM" 73331 } 73332 ], 
73333 "versions": [ 73334 "1.61", 73335 "1.62", 73336 "1.63", 73337 "1.64", 73338 "1.65", 73339 "1.67", 73340 "1.68", 73341 "1.69", 73342 "1.70", 73343 "1.71", 73344 "1.72", 73345 "1.73", 73346 "1.74", 73347 "1.75", 73348 "1.76", 73349 "1.77" 73350 ] 73351 }, 73352 { 73353 "database_specific": { 73354 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" 73355 }, 73356 "package": { 73357 "ecosystem": "Maven", 73358 "name": "org.bouncycastle:bctls-jdk15to18", 73359 "purl": "pkg:maven/org.bouncycastle/bctls-jdk15to18" 73360 }, 73361 "ranges": [ 73362 { 73363 "events": [ 73364 { 73365 "introduced": "0" 73366 }, 73367 { 73368 "fixed": "1.78" 73369 } 73370 ], 73371 "type": "ECOSYSTEM" 73372 } 73373 ], 73374 "versions": [ 73375 "1.63", 73376 "1.64", 73377 "1.65", 73378 "1.66", 73379 "1.67", 73380 "1.68", 73381 "1.69", 73382 "1.70", 73383 "1.71", 73384 "1.72", 73385 "1.73", 73386 "1.74", 73387 "1.75", 73388 "1.76", 73389 "1.77" 73390 ] 73391 }, 73392 { 73393 "database_specific": { 73394 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" 73395 }, 73396 "package": { 73397 "ecosystem": "Maven", 73398 "name": "org.bouncycastle:bcpkix-jdk18on", 73399 "purl": "pkg:maven/org.bouncycastle/bcpkix-jdk18on" 73400 }, 73401 "ranges": [ 73402 { 73403 "events": [ 73404 { 73405 "introduced": "0" 73406 }, 73407 { 73408 "fixed": "1.78" 73409 } 73410 ], 73411 "type": "ECOSYSTEM" 73412 } 73413 ], 73414 "versions": [ 73415 "1.71", 73416 "1.71.1", 73417 "1.72", 73418 "1.73", 73419 "1.74", 73420 "1.75", 73421 "1.76", 73422 "1.77" 73423 ] 73424 }, 73425 { 73426 "database_specific": { 73427 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" 73428 }, 73429 "package": { 73430 "ecosystem": "Maven", 73431 "name": 
"org.bouncycastle:bcpkix-jdk15to18", 73432 "purl": "pkg:maven/org.bouncycastle/bcpkix-jdk15to18" 73433 }, 73434 "ranges": [ 73435 { 73436 "events": [ 73437 { 73438 "introduced": "0" 73439 }, 73440 { 73441 "fixed": "1.78" 73442 } 73443 ], 73444 "type": "ECOSYSTEM" 73445 } 73446 ], 73447 "versions": [ 73448 "1.63", 73449 "1.64", 73450 "1.65", 73451 "1.66", 73452 "1.67", 73453 "1.68", 73454 "1.69", 73455 "1.70", 73456 "1.71", 73457 "1.72", 73458 "1.73", 73459 "1.74", 73460 "1.75", 73461 "1.76", 73462 "1.77" 73463 ] 73464 }, 73465 { 73466 "database_specific": { 73467 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" 73468 }, 73469 "package": { 73470 "ecosystem": "Maven", 73471 "name": "org.bouncycastle:bcpkix-jdk14", 73472 "purl": "pkg:maven/org.bouncycastle/bcpkix-jdk14" 73473 }, 73474 "ranges": [ 73475 { 73476 "events": [ 73477 { 73478 "introduced": "0" 73479 }, 73480 { 73481 "fixed": "1.78" 73482 } 73483 ], 73484 "type": "ECOSYSTEM" 73485 } 73486 ], 73487 "versions": [ 73488 "1.47", 73489 "1.48", 73490 "1.49", 73491 "1.50", 73492 "1.51", 73493 "1.53", 73494 "1.54", 73495 "1.55", 73496 "1.56", 73497 "1.57", 73498 "1.58", 73499 "1.59", 73500 "1.60", 73501 "1.61", 73502 "1.62", 73503 "1.63", 73504 "1.64", 73505 "1.65", 73506 "1.67", 73507 "1.68", 73508 "1.69", 73509 "1.70", 73510 "1.71", 73511 "1.72", 73512 "1.73", 73513 "1.74", 73514 "1.75", 73515 "1.76", 73516 "1.77" 73517 ] 73518 }, 73519 { 73520 "database_specific": { 73521 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" 73522 }, 73523 "package": { 73524 "ecosystem": "Maven", 73525 "name": "org.bouncycastle:bc-fips", 73526 "purl": "pkg:maven/org.bouncycastle/bc-fips" 73527 }, 73528 "ranges": [ 73529 { 73530 "events": [ 73531 { 73532 "introduced": "0" 73533 }, 73534 { 73535 "fixed": "1.0.2.5" 73536 } 73537 ], 73538 "type": 
"ECOSYSTEM" 73539 } 73540 ], 73541 "versions": [ 73542 "1.0.0", 73543 "1.0.1", 73544 "1.0.2", 73545 "1.0.2.1", 73546 "1.0.2.3", 73547 "1.0.2.4" 73548 ] 73549 }, 73550 { 73551 "database_specific": { 73552 "last_known_affected_version_range": "\u003c 2.3.1", 73553 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" 73554 }, 73555 "package": { 73556 "ecosystem": "NuGet", 73557 "name": "BouncyCastle", 73558 "purl": "pkg:nuget/BouncyCastle" 73559 }, 73560 "ranges": [ 73561 { 73562 "events": [ 73563 { 73564 "introduced": "0" 73565 } 73566 ], 73567 "type": "ECOSYSTEM" 73568 } 73569 ], 73570 "versions": [ 73571 "1.7.0", 73572 "1.8.1", 73573 "1.8.2", 73574 "1.8.3", 73575 "1.8.3.1", 73576 "1.8.4", 73577 "1.8.5", 73578 "1.8.6", 73579 "1.8.6.1", 73580 "1.8.9" 73581 ] 73582 }, 73583 { 73584 "database_specific": { 73585 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json" 73586 }, 73587 "package": { 73588 "ecosystem": "NuGet", 73589 "name": "BouncyCastle.Cryptography", 73590 "purl": "pkg:nuget/BouncyCastle.Cryptography" 73591 }, 73592 "ranges": [ 73593 { 73594 "events": [ 73595 { 73596 "introduced": "0" 73597 }, 73598 { 73599 "fixed": "2.3.1" 73600 } 73601 ], 73602 "type": "ECOSYSTEM" 73603 } 73604 ], 73605 "versions": [ 73606 "2.0.0", 73607 "2.1.0", 73608 "2.1.1", 73609 "2.2.0", 73610 "2.2.1", 73611 "2.3.0" 73612 ] 73613 } 73614 ], 73615 "aliases": [ 73616 "CVE-2024-29857" 73617 ], 73618 "database_specific": { 73619 "cwe_ids": [ 73620 "CWE-125", 73621 "CWE-400" 73622 ], 73623 "github_reviewed": true, 73624 "github_reviewed_at": "2024-05-14T20:22:01Z", 73625 "nvd_published_at": "2024-05-14T15:17:02Z", 73626 "severity": "MODERATE" 73627 }, 73628 "details": "An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 
1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.", 73629 "id": "GHSA-8xfc-gm6g-vgpv", 73630 "modified": "2024-08-15T21:47:00.695044Z", 73631 "published": "2024-05-14T15:32:54Z", 73632 "references": [ 73633 { 73634 "type": "ADVISORY", 73635 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29857" 73636 }, 73637 { 73638 "type": "WEB", 73639 "url": "https://github.com/bcgit/bc-csharp/commit/56daa6eac526f165416d17f661422d60de0dfd63" 73640 }, 73641 { 73642 "type": "WEB", 73643 "url": "https://github.com/bcgit/bc-java/commit/fee80dd230e7fba132d03a34f1dd1d6aae0d0281" 73644 }, 73645 { 73646 "type": "WEB", 73647 "url": "https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9029857" 73648 }, 73649 { 73650 "type": "WEB", 73651 "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9029857" 73652 }, 73653 { 73654 "type": "WEB", 73655 "url": "https://www.bouncycastle.org/latest_releases.html" 73656 } 73657 ], 73658 "related": [ 73659 "CGA-448v-pf2r-j83m", 73660 "CGA-4ph3-8p4p-wr86", 73661 "CGA-5hp5-r4pg-f3p7", 73662 "CGA-89h2-vv89-63r8", 73663 "CGA-f25f-36f8-w45w", 73664 "CGA-p93x-49fc-v5m3", 73665 "CGA-pfv3-x3hq-59qp", 73666 "CGA-xx3m-cg2g-f46r" 73667 ], 73668 "schema_version": "1.6.0", 73669 "severity": [ 73670 { 73671 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", 73672 "type": "CVSS_V3" 73673 } 73674 ], 73675 "summary": "Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation." 
73676 }, 73677 { 73678 "affected": [ 73679 { 73680 "database_specific": { 73681 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" 73682 }, 73683 "package": { 73684 "ecosystem": "Maven", 73685 "name": "org.bouncycastle:bcprov-jdk18on", 73686 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk18on" 73687 }, 73688 "ranges": [ 73689 { 73690 "events": [ 73691 { 73692 "introduced": "0" 73693 }, 73694 { 73695 "fixed": "1.74" 73696 } 73697 ], 73698 "type": "ECOSYSTEM" 73699 } 73700 ], 73701 "versions": [ 73702 "1.71", 73703 "1.71.1", 73704 "1.72", 73705 "1.73" 73706 ] 73707 }, 73708 { 73709 "database_specific": { 73710 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" 73711 }, 73712 "package": { 73713 "ecosystem": "Maven", 73714 "name": "org.bouncycastle:bcprov-jdk15to18", 73715 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15to18" 73716 }, 73717 "ranges": [ 73718 { 73719 "events": [ 73720 { 73721 "introduced": "0" 73722 }, 73723 { 73724 "fixed": "1.74" 73725 } 73726 ], 73727 "type": "ECOSYSTEM" 73728 } 73729 ], 73730 "versions": [ 73731 "1.63", 73732 "1.64", 73733 "1.65", 73734 "1.66", 73735 "1.67", 73736 "1.68", 73737 "1.69", 73738 "1.70", 73739 "1.71", 73740 "1.72", 73741 "1.73" 73742 ] 73743 }, 73744 { 73745 "database_specific": { 73746 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" 73747 }, 73748 "package": { 73749 "ecosystem": "Maven", 73750 "name": "org.bouncycastle:bcprov-jdk14", 73751 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" 73752 }, 73753 "ranges": [ 73754 { 73755 "events": [ 73756 { 73757 "introduced": "1.49" 73758 }, 73759 { 73760 "fixed": "1.74" 73761 } 73762 ], 73763 "type": "ECOSYSTEM" 73764 } 73765 ], 73766 "versions": [ 73767 "1.49", 73768 "1.50", 73769 "1.51", 73770 
"1.53", 73771 "1.54", 73772 "1.55", 73773 "1.56", 73774 "1.57", 73775 "1.58", 73776 "1.59", 73777 "1.60", 73778 "1.61", 73779 "1.62", 73780 "1.63", 73781 "1.64", 73782 "1.65", 73783 "1.67", 73784 "1.68", 73785 "1.69", 73786 "1.70", 73787 "1.71", 73788 "1.72", 73789 "1.73" 73790 ] 73791 }, 73792 { 73793 "database_specific": { 73794 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" 73795 }, 73796 "package": { 73797 "ecosystem": "Maven", 73798 "name": "org.bouncycastle:bcprov-ext-jdk14", 73799 "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk14" 73800 }, 73801 "ranges": [ 73802 { 73803 "events": [ 73804 { 73805 "introduced": "1.49" 73806 }, 73807 { 73808 "fixed": "1.74" 73809 } 73810 ], 73811 "type": "ECOSYSTEM" 73812 } 73813 ], 73814 "versions": [ 73815 "1.49", 73816 "1.50", 73817 "1.51", 73818 "1.53", 73819 "1.54", 73820 "1.56", 73821 "1.57", 73822 "1.58", 73823 "1.60", 73824 "1.64", 73825 "1.65", 73826 "1.67", 73827 "1.68", 73828 "1.69", 73829 "1.70", 73830 "1.71", 73831 "1.72", 73832 "1.73" 73833 ] 73834 }, 73835 { 73836 "database_specific": { 73837 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" 73838 }, 73839 "package": { 73840 "ecosystem": "Maven", 73841 "name": "org.bouncycastle:bcprov-ext-jdk15to18", 73842 "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk15to18" 73843 }, 73844 "ranges": [ 73845 { 73846 "events": [ 73847 { 73848 "introduced": "0" 73849 }, 73850 { 73851 "fixed": "1.74" 73852 } 73853 ], 73854 "type": "ECOSYSTEM" 73855 } 73856 ], 73857 "versions": [ 73858 "1.64", 73859 "1.67", 73860 "1.68", 73861 "1.69", 73862 "1.70", 73863 "1.71", 73864 "1.72", 73865 "1.73" 73866 ] 73867 }, 73868 { 73869 "database_specific": { 73870 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" 73871 }, 73872 "package": { 73873 "ecosystem": "Maven", 73874 "name": "org.bouncycastle:bcprov-ext-jdk18on", 73875 "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk18on" 73876 }, 73877 "ranges": [ 73878 { 73879 "events": [ 73880 { 73881 "introduced": "0" 73882 }, 73883 { 73884 "fixed": "1.74" 73885 } 73886 ], 73887 "type": "ECOSYSTEM" 73888 } 73889 ], 73890 "versions": [ 73891 "1.71", 73892 "1.72", 73893 "1.73" 73894 ] 73895 }, 73896 { 73897 "database_specific": { 73898 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" 73899 }, 73900 "package": { 73901 "ecosystem": "Maven", 73902 "name": "org.bouncycastle:bcprov-debug-jdk14", 73903 "purl": "pkg:maven/org.bouncycastle/bcprov-debug-jdk14" 73904 }, 73905 "ranges": [ 73906 { 73907 "events": [ 73908 { 73909 "introduced": "1.49" 73910 }, 73911 { 73912 "fixed": "1.74" 73913 } 73914 ], 73915 "type": "ECOSYSTEM" 73916 } 73917 ], 73918 "versions": [ 73919 "1.55", 73920 "1.59", 73921 "1.60", 73922 "1.64", 73923 "1.68", 73924 "1.69", 73925 "1.70", 73926 "1.71", 73927 "1.72", 73928 "1.73" 73929 ] 73930 }, 73931 { 73932 "database_specific": { 73933 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" 73934 }, 73935 "package": { 73936 "ecosystem": "Maven", 73937 "name": "org.bouncycastle:bcprov-debug-jdk15to18", 73938 "purl": "pkg:maven/org.bouncycastle/bcprov-debug-jdk15to18" 73939 }, 73940 "ranges": [ 73941 { 73942 "events": [ 73943 { 73944 "introduced": "0" 73945 }, 73946 { 73947 "fixed": "1.74" 73948 } 73949 ], 73950 "type": "ECOSYSTEM" 73951 } 73952 ], 73953 "versions": [ 73954 "1.64", 73955 "1.68", 73956 "1.69", 73957 "1.70", 73958 "1.71", 73959 "1.72", 73960 "1.73" 73961 ] 73962 }, 73963 { 73964 
"database_specific": { 73965 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" 73966 }, 73967 "package": { 73968 "ecosystem": "Maven", 73969 "name": "org.bouncycastle:bcprov-debug-jdk18on", 73970 "purl": "pkg:maven/org.bouncycastle/bcprov-debug-jdk18on" 73971 }, 73972 "ranges": [ 73973 { 73974 "events": [ 73975 { 73976 "introduced": "0" 73977 }, 73978 { 73979 "fixed": "1.74" 73980 } 73981 ], 73982 "type": "ECOSYSTEM" 73983 } 73984 ], 73985 "versions": [ 73986 "1.71", 73987 "1.72", 73988 "1.73" 73989 ] 73990 }, 73991 { 73992 "database_specific": { 73993 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" 73994 }, 73995 "package": { 73996 "ecosystem": "Maven", 73997 "name": "org.bouncycastle:bcprov-jdk15on", 73998 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" 73999 }, 74000 "ranges": [ 74001 { 74002 "events": [ 74003 { 74004 "introduced": "1.49" 74005 }, 74006 { 74007 "last_affected": "1.70" 74008 } 74009 ], 74010 "type": "ECOSYSTEM" 74011 } 74012 ], 74013 "versions": [ 74014 "1.49", 74015 "1.50", 74016 "1.51", 74017 "1.52", 74018 "1.53", 74019 "1.54", 74020 "1.55", 74021 "1.56", 74022 "1.57", 74023 "1.58", 74024 "1.59", 74025 "1.60", 74026 "1.61", 74027 "1.62", 74028 "1.63", 74029 "1.64", 74030 "1.65", 74031 "1.65.01", 74032 "1.66", 74033 "1.67", 74034 "1.68", 74035 "1.69", 74036 "1.70" 74037 ] 74038 }, 74039 { 74040 "database_specific": { 74041 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" 74042 }, 74043 "package": { 74044 "ecosystem": "Maven", 74045 "name": "org.bouncycastle:bcprov-ext-jdk15on", 74046 "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk15on" 74047 }, 74048 "ranges": [ 74049 { 74050 "events": [ 74051 { 74052 "introduced": "1.49" 74053 }, 74054 { 74055 
"last_affected": "1.70" 74056 } 74057 ], 74058 "type": "ECOSYSTEM" 74059 } 74060 ], 74061 "versions": [ 74062 "1.49", 74063 "1.50", 74064 "1.51", 74065 "1.52", 74066 "1.53", 74067 "1.54", 74068 "1.55", 74069 "1.56", 74070 "1.57", 74071 "1.58", 74072 "1.59", 74073 "1.60", 74074 "1.61", 74075 "1.62", 74076 "1.63", 74077 "1.64", 74078 "1.65", 74079 "1.66", 74080 "1.67", 74081 "1.68", 74082 "1.69", 74083 "1.70" 74084 ] 74085 }, 74086 { 74087 "database_specific": { 74088 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json" 74089 }, 74090 "package": { 74091 "ecosystem": "Maven", 74092 "name": "org.bouncycastle:bcprov-debug-jdk15on", 74093 "purl": "pkg:maven/org.bouncycastle/bcprov-debug-jdk15on" 74094 }, 74095 "ranges": [ 74096 { 74097 "events": [ 74098 { 74099 "introduced": "1.49" 74100 }, 74101 { 74102 "last_affected": "1.70" 74103 } 74104 ], 74105 "type": "ECOSYSTEM" 74106 } 74107 ], 74108 "versions": [ 74109 "1.52", 74110 "1.53", 74111 "1.55", 74112 "1.56", 74113 "1.57", 74114 "1.58", 74115 "1.59", 74116 "1.60", 74117 "1.61", 74118 "1.62", 74119 "1.63", 74120 "1.64", 74121 "1.65", 74122 "1.66", 74123 "1.67", 74124 "1.68", 74125 "1.69", 74126 "1.70" 74127 ] 74128 } 74129 ], 74130 "aliases": [ 74131 "CVE-2023-33201" 74132 ], 74133 "database_specific": { 74134 "cwe_ids": [ 74135 "CWE-295" 74136 ], 74137 "github_reviewed": true, 74138 "github_reviewed_at": "2023-07-06T15:40:29Z", 74139 "nvd_published_at": "2023-07-05T03:15:09Z", 74140 "severity": "MODERATE" 74141 }, 74142 "details": "Bouncy Castle provides the `X509LDAPCertStoreSpi.java` class which can be used in conjunction with the CertPath API for validating certificate paths. 
Pre-1.73 the implementation did not check the X.500 name of any certificate, subject, or issuer being passed in for LDAP wild cards, meaning the presence of a wild card may lead to Information Disclosure.\n\nA potential attack would be to generate a self-signed certificate with a subject name that contains special characters, e.g: `CN=Subject*)(objectclass=`. This will be included in the LDAP search filter and gives the attacker the ability to specify additional attributes in the search query. This can be exploited as a blind LDAP injection: an attacker can enumerate valid attribute values using the boolean blind injection technique. The exploitation depends on the structure of the target LDAP directory, as well as what kind of errors are exposed to the user.\n\nChanges to the `X509LDAPCertStoreSpi.java` class add the additional checking of any X.500 name used to correctly escape wild card characters.", 74143 "id": "GHSA-hr8g-6v94-x4m9", 74144 "modified": "2024-02-18T05:32:43.784092Z", 74145 "published": "2023-07-05T03:30:23Z", 74146 "references": [ 74147 { 74148 "type": "ADVISORY", 74149 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33201" 74150 }, 74151 { 74152 "type": "WEB", 74153 "url": "https://github.com/bcgit/bc-java/commit/ccf93ca736b89250ff4ce079a5aa56f5cbf0ebbd" 74154 }, 74155 { 74156 "type": "WEB", 74157 "url": "https://github.com/bcgit/bc-java/commit/e8c409a8389c815ea3fda5e8b94c92fdfe583bcc" 74158 }, 74159 { 74160 "type": "WEB", 74161 "url": "https://bouncycastle.org" 74162 }, 74163 { 74164 "type": "WEB", 74165 "url": "https://bouncycastle.org/releasenotes.html#r1rv74" 74166 }, 74167 { 74168 "type": "PACKAGE", 74169 "url": "https://github.com/bcgit/bc-java" 74170 }, 74171 { 74172 "type": "WEB", 74173 "url": "https://github.com/bcgit/bc-java/commits/main/prov/src/main/java/org/bouncycastle/jce/provider/X509LDAPCertStoreSpi.java" 74174 }, 74175 { 74176 "type": "WEB", 74177 "url": "https://github.com/bcgit/bc-java/wiki/CVE-2023-33201" 74178 }, 74179 { 74180 
"type": "WEB", 74181 "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00000.html" 74182 }, 74183 { 74184 "type": "WEB", 74185 "url": "https://security.netapp.com/advisory/ntap-20230824-0008" 74186 } 74187 ], 74188 "related": [ 74189 "CGA-38pq-3m5v-j985", 74190 "CGA-g7rp-wcpp-h755", 74191 "CGA-h3hg-g6x6-9xjh", 74192 "CGA-w3f3-pcfm-c69g" 74193 ], 74194 "schema_version": "1.6.0", 74195 "severity": [ 74196 { 74197 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 74198 "type": "CVSS_V3" 74199 } 74200 ], 74201 "summary": "Bouncy Castle For Java LDAP injection vulnerability" 74202 }, 74203 { 74204 "affected": [ 74205 { 74206 "database_specific": { 74207 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json" 74208 }, 74209 "package": { 74210 "ecosystem": "Maven", 74211 "name": "org.bouncycastle:bcprov-jdk18on", 74212 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk18on" 74213 }, 74214 "ranges": [ 74215 { 74216 "events": [ 74217 { 74218 "introduced": "0" 74219 }, 74220 { 74221 "fixed": "1.78" 74222 } 74223 ], 74224 "type": "ECOSYSTEM" 74225 } 74226 ], 74227 "versions": [ 74228 "1.71", 74229 "1.71.1", 74230 "1.72", 74231 "1.73", 74232 "1.74", 74233 "1.75", 74234 "1.76", 74235 "1.77" 74236 ] 74237 }, 74238 { 74239 "database_specific": { 74240 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json" 74241 }, 74242 "package": { 74243 "ecosystem": "Maven", 74244 "name": "org.bouncycastle:bcprov-jdk15on", 74245 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" 74246 }, 74247 "ranges": [ 74248 { 74249 "events": [ 74250 { 74251 "introduced": "0" 74252 }, 74253 { 74254 "fixed": "1.78" 74255 } 74256 ], 74257 "type": "ECOSYSTEM" 74258 } 74259 ], 74260 "versions": [ 74261 "1.46", 74262 "1.47", 74263 "1.48", 74264 "1.49", 74265 "1.50", 74266 "1.51", 74267 "1.52", 74268 "1.53", 74269 
"1.54", 74270 "1.55", 74271 "1.56", 74272 "1.57", 74273 "1.58", 74274 "1.59", 74275 "1.60", 74276 "1.61", 74277 "1.62", 74278 "1.63", 74279 "1.64", 74280 "1.65", 74281 "1.65.01", 74282 "1.66", 74283 "1.67", 74284 "1.68", 74285 "1.69", 74286 "1.70" 74287 ] 74288 }, 74289 { 74290 "database_specific": { 74291 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json" 74292 }, 74293 "package": { 74294 "ecosystem": "Maven", 74295 "name": "org.bouncycastle:bcprov-jdk15to18", 74296 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15to18" 74297 }, 74298 "ranges": [ 74299 { 74300 "events": [ 74301 { 74302 "introduced": "0" 74303 }, 74304 { 74305 "fixed": "1.78" 74306 } 74307 ], 74308 "type": "ECOSYSTEM" 74309 } 74310 ], 74311 "versions": [ 74312 "1.63", 74313 "1.64", 74314 "1.65", 74315 "1.66", 74316 "1.67", 74317 "1.68", 74318 "1.69", 74319 "1.70", 74320 "1.71", 74321 "1.72", 74322 "1.73", 74323 "1.74", 74324 "1.75", 74325 "1.76", 74326 "1.77" 74327 ] 74328 }, 74329 { 74330 "database_specific": { 74331 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json" 74332 }, 74333 "package": { 74334 "ecosystem": "Maven", 74335 "name": "org.bouncycastle:bcprov-jdk14", 74336 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" 74337 }, 74338 "ranges": [ 74339 { 74340 "events": [ 74341 { 74342 "introduced": "0" 74343 }, 74344 { 74345 "fixed": "1.78" 74346 } 74347 ], 74348 "type": "ECOSYSTEM" 74349 } 74350 ], 74351 "versions": [ 74352 "1.38", 74353 "1.43", 74354 "1.44", 74355 "1.45", 74356 "1.46", 74357 "1.47", 74358 "1.48", 74359 "1.49", 74360 "1.50", 74361 "1.51", 74362 "1.53", 74363 "1.54", 74364 "1.55", 74365 "1.56", 74366 "1.57", 74367 "1.58", 74368 "1.59", 74369 "1.60", 74370 "1.61", 74371 "1.62", 74372 "1.63", 74373 "1.64", 74374 "1.65", 74375 "1.67", 74376 "1.68", 74377 "1.69", 74378 "1.70", 74379 "1.71", 
74380 "1.72", 74381 "1.73", 74382 "1.74", 74383 "1.75", 74384 "1.76", 74385 "1.77" 74386 ] 74387 }, 74388 { 74389 "database_specific": { 74390 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json" 74391 }, 74392 "package": { 74393 "ecosystem": "Maven", 74394 "name": "org.bouncycastle:bctls-jdk18on", 74395 "purl": "pkg:maven/org.bouncycastle/bctls-jdk18on" 74396 }, 74397 "ranges": [ 74398 { 74399 "events": [ 74400 { 74401 "introduced": "0" 74402 }, 74403 { 74404 "fixed": "1.78" 74405 } 74406 ], 74407 "type": "ECOSYSTEM" 74408 } 74409 ], 74410 "versions": [ 74411 "1.71", 74412 "1.71.1", 74413 "1.72", 74414 "1.73", 74415 "1.74", 74416 "1.75", 74417 "1.76", 74418 "1.77" 74419 ] 74420 }, 74421 { 74422 "database_specific": { 74423 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json" 74424 }, 74425 "package": { 74426 "ecosystem": "Maven", 74427 "name": "org.bouncycastle:bctls-jdk14", 74428 "purl": "pkg:maven/org.bouncycastle/bctls-jdk14" 74429 }, 74430 "ranges": [ 74431 { 74432 "events": [ 74433 { 74434 "introduced": "0" 74435 }, 74436 { 74437 "fixed": "1.78" 74438 } 74439 ], 74440 "type": "ECOSYSTEM" 74441 } 74442 ], 74443 "versions": [ 74444 "1.61", 74445 "1.62", 74446 "1.63", 74447 "1.64", 74448 "1.65", 74449 "1.67", 74450 "1.68", 74451 "1.69", 74452 "1.70", 74453 "1.71", 74454 "1.72", 74455 "1.73", 74456 "1.74", 74457 "1.75", 74458 "1.76", 74459 "1.77" 74460 ] 74461 }, 74462 { 74463 "database_specific": { 74464 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json" 74465 }, 74466 "package": { 74467 "ecosystem": "Maven", 74468 "name": "org.bouncycastle:bctls-jdk15to18", 74469 "purl": "pkg:maven/org.bouncycastle/bctls-jdk15to18" 74470 }, 74471 "ranges": [ 74472 { 74473 "events": [ 74474 { 74475 
"introduced": "0" 74476 }, 74477 { 74478 "fixed": "1.78" 74479 } 74480 ], 74481 "type": "ECOSYSTEM" 74482 } 74483 ], 74484 "versions": [ 74485 "1.63", 74486 "1.64", 74487 "1.65", 74488 "1.66", 74489 "1.67", 74490 "1.68", 74491 "1.69", 74492 "1.70", 74493 "1.71", 74494 "1.72", 74495 "1.73", 74496 "1.74", 74497 "1.75", 74498 "1.76", 74499 "1.77" 74500 ] 74501 }, 74502 { 74503 "database_specific": { 74504 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json" 74505 }, 74506 "package": { 74507 "ecosystem": "Maven", 74508 "name": "org.bouncycastle:bcpkix-jdk18on", 74509 "purl": "pkg:maven/org.bouncycastle/bcpkix-jdk18on" 74510 }, 74511 "ranges": [ 74512 { 74513 "events": [ 74514 { 74515 "introduced": "0" 74516 }, 74517 { 74518 "fixed": "1.78" 74519 } 74520 ], 74521 "type": "ECOSYSTEM" 74522 } 74523 ], 74524 "versions": [ 74525 "1.71", 74526 "1.71.1", 74527 "1.72", 74528 "1.73", 74529 "1.74", 74530 "1.75", 74531 "1.76", 74532 "1.77" 74533 ] 74534 }, 74535 { 74536 "database_specific": { 74537 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json" 74538 }, 74539 "package": { 74540 "ecosystem": "Maven", 74541 "name": "org.bouncycastle:bcpkix-jdk15to18", 74542 "purl": "pkg:maven/org.bouncycastle/bcpkix-jdk15to18" 74543 }, 74544 "ranges": [ 74545 { 74546 "events": [ 74547 { 74548 "introduced": "0" 74549 }, 74550 { 74551 "fixed": "1.78" 74552 } 74553 ], 74554 "type": "ECOSYSTEM" 74555 } 74556 ], 74557 "versions": [ 74558 "1.63", 74559 "1.64", 74560 "1.65", 74561 "1.66", 74562 "1.67", 74563 "1.68", 74564 "1.69", 74565 "1.70", 74566 "1.71", 74567 "1.72", 74568 "1.73", 74569 "1.74", 74570 "1.75", 74571 "1.76", 74572 "1.77" 74573 ] 74574 }, 74575 { 74576 "database_specific": { 74577 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json" 74578 }, 74579 "package": { 74580 "ecosystem": "Maven", 74581 "name": "org.bouncycastle:bcpkix-jdk14", 74582 "purl": "pkg:maven/org.bouncycastle/bcpkix-jdk14" 74583 }, 74584 "ranges": [ 74585 { 74586 "events": [ 74587 { 74588 "introduced": "0" 74589 }, 74590 { 74591 "fixed": "1.78" 74592 } 74593 ], 74594 "type": "ECOSYSTEM" 74595 } 74596 ], 74597 "versions": [ 74598 "1.47", 74599 "1.48", 74600 "1.49", 74601 "1.50", 74602 "1.51", 74603 "1.53", 74604 "1.54", 74605 "1.55", 74606 "1.56", 74607 "1.57", 74608 "1.58", 74609 "1.59", 74610 "1.60", 74611 "1.61", 74612 "1.62", 74613 "1.63", 74614 "1.64", 74615 "1.65", 74616 "1.67", 74617 "1.68", 74618 "1.69", 74619 "1.70", 74620 "1.71", 74621 "1.72", 74622 "1.73", 74623 "1.74", 74624 "1.75", 74625 "1.76", 74626 "1.77" 74627 ] 74628 }, 74629 { 74630 "database_specific": { 74631 "last_known_affected_version_range": "\u003c 2.3.1", 74632 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json" 74633 }, 74634 "package": { 74635 "ecosystem": "NuGet", 74636 "name": "BouncyCastle", 74637 "purl": "pkg:nuget/BouncyCastle" 74638 }, 74639 "ranges": [ 74640 { 74641 "events": [ 74642 { 74643 "introduced": "0" 74644 } 74645 ], 74646 "type": "ECOSYSTEM" 74647 } 74648 ], 74649 "versions": [ 74650 "1.7.0", 74651 "1.8.1", 74652 "1.8.2", 74653 "1.8.3", 74654 "1.8.3.1", 74655 "1.8.4", 74656 "1.8.5", 74657 "1.8.6", 74658 "1.8.6.1", 74659 "1.8.9" 74660 ] 74661 }, 74662 { 74663 "database_specific": { 74664 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-m44j-cfrm-g8qc/GHSA-m44j-cfrm-g8qc.json" 74665 }, 74666 "package": { 74667 "ecosystem": "NuGet", 74668 "name": "BouncyCastle.Cryptography", 74669 "purl": "pkg:nuget/BouncyCastle.Cryptography" 74670 }, 74671 "ranges": [ 
74672 { 74673 "events": [ 74674 { 74675 "introduced": "0" 74676 }, 74677 { 74678 "fixed": "2.3.1" 74679 } 74680 ], 74681 "type": "ECOSYSTEM" 74682 } 74683 ], 74684 "versions": [ 74685 "2.0.0", 74686 "2.1.0", 74687 "2.1.1", 74688 "2.2.0", 74689 "2.2.1", 74690 "2.3.0" 74691 ] 74692 } 74693 ], 74694 "aliases": [ 74695 "CVE-2024-30172" 74696 ], 74697 "database_specific": { 74698 "cwe_ids": [ 74699 "CWE-835" 74700 ], 74701 "github_reviewed": true, 74702 "github_reviewed_at": "2024-05-14T20:22:06Z", 74703 "nvd_published_at": "2024-05-14T15:21:53Z", 74704 "severity": "MODERATE" 74705 }, 74706 "details": "An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.", 74707 "id": "GHSA-m44j-cfrm-g8qc", 74708 "modified": "2024-07-15T22:12:27.684338Z", 74709 "published": "2024-05-14T15:32:54Z", 74710 "references": [ 74711 { 74712 "type": "ADVISORY", 74713 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30172" 74714 }, 74715 { 74716 "type": "WEB", 74717 "url": "https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9030172" 74718 }, 74719 { 74720 "type": "WEB", 74721 "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9030172" 74722 }, 74723 { 74724 "type": "WEB", 74725 "url": "https://security.netapp.com/advisory/ntap-20240614-0007" 74726 }, 74727 { 74728 "type": "WEB", 74729 "url": "https://www.bouncycastle.org/latest_releases.html" 74730 } 74731 ], 74732 "related": [ 74733 "CGA-3433-jrrm-rh79", 74734 "CGA-35wp-w6c8-232q", 74735 "CGA-449w-qfjv-79c5", 74736 "CGA-9j68-hcjr-5xfx", 74737 "CGA-gmqh-qfr2-ph66", 74738 "CGA-gqpv-r8gf-85p6", 74739 "CGA-h5mh-gq4v-54j6", 74740 "CGA-vxwq-f5f4-5vmj" 74741 ], 74742 "schema_version": "1.6.0", 74743 "severity": [ 74744 { 74745 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", 74746 "type": "CVSS_V3" 74747 } 74748 ], 74749 "summary": "Bouncy Castle crafted signature and public key can be used to 
trigger an infinite loop" 74750 }, 74751 { 74752 "affected": [ 74753 { 74754 "database_specific": { 74755 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" 74756 }, 74757 "package": { 74758 "ecosystem": "Maven", 74759 "name": "org.bouncycastle:bctls-fips", 74760 "purl": "pkg:maven/org.bouncycastle/bctls-fips" 74761 }, 74762 "ranges": [ 74763 { 74764 "events": [ 74765 { 74766 "introduced": "0" 74767 }, 74768 { 74769 "fixed": "1.0.19" 74770 } 74771 ], 74772 "type": "ECOSYSTEM" 74773 } 74774 ], 74775 "versions": [ 74776 "1.0.0", 74777 "1.0.1", 74778 "1.0.10", 74779 "1.0.10.1", 74780 "1.0.10.2", 74781 "1.0.10.3", 74782 "1.0.11", 74783 "1.0.11.1", 74784 "1.0.11.2", 74785 "1.0.11.3", 74786 "1.0.11.4", 74787 "1.0.12", 74788 "1.0.12.1", 74789 "1.0.12.2", 74790 "1.0.12.3", 74791 "1.0.13", 74792 "1.0.14", 74793 "1.0.14.1", 74794 "1.0.16", 74795 "1.0.17", 74796 "1.0.18", 74797 "1.0.2", 74798 "1.0.3", 74799 "1.0.4", 74800 "1.0.5", 74801 "1.0.6", 74802 "1.0.7", 74803 "1.0.8", 74804 "1.0.9" 74805 ] 74806 }, 74807 { 74808 "database_specific": { 74809 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" 74810 }, 74811 "package": { 74812 "ecosystem": "Maven", 74813 "name": "org.bouncycastle:bcprov-jdk18on", 74814 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk18on" 74815 }, 74816 "ranges": [ 74817 { 74818 "events": [ 74819 { 74820 "introduced": "0" 74821 }, 74822 { 74823 "fixed": "1.78" 74824 } 74825 ], 74826 "type": "ECOSYSTEM" 74827 } 74828 ], 74829 "versions": [ 74830 "1.71", 74831 "1.71.1", 74832 "1.72", 74833 "1.73", 74834 "1.74", 74835 "1.75", 74836 "1.76", 74837 "1.77" 74838 ] 74839 }, 74840 { 74841 "database_specific": { 74842 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" 74843 }, 74844 
"package": { 74845 "ecosystem": "Maven", 74846 "name": "org.bouncycastle:bcprov-jdk15on", 74847 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" 74848 }, 74849 "ranges": [ 74850 { 74851 "events": [ 74852 { 74853 "introduced": "0" 74854 }, 74855 { 74856 "fixed": "1.78" 74857 } 74858 ], 74859 "type": "ECOSYSTEM" 74860 } 74861 ], 74862 "versions": [ 74863 "1.46", 74864 "1.47", 74865 "1.48", 74866 "1.49", 74867 "1.50", 74868 "1.51", 74869 "1.52", 74870 "1.53", 74871 "1.54", 74872 "1.55", 74873 "1.56", 74874 "1.57", 74875 "1.58", 74876 "1.59", 74877 "1.60", 74878 "1.61", 74879 "1.62", 74880 "1.63", 74881 "1.64", 74882 "1.65", 74883 "1.65.01", 74884 "1.66", 74885 "1.67", 74886 "1.68", 74887 "1.69", 74888 "1.70" 74889 ] 74890 }, 74891 { 74892 "database_specific": { 74893 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" 74894 }, 74895 "package": { 74896 "ecosystem": "Maven", 74897 "name": "org.bouncycastle:bcprov-jdk15to18", 74898 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15to18" 74899 }, 74900 "ranges": [ 74901 { 74902 "events": [ 74903 { 74904 "introduced": "0" 74905 }, 74906 { 74907 "fixed": "1.78" 74908 } 74909 ], 74910 "type": "ECOSYSTEM" 74911 } 74912 ], 74913 "versions": [ 74914 "1.63", 74915 "1.64", 74916 "1.65", 74917 "1.66", 74918 "1.67", 74919 "1.68", 74920 "1.69", 74921 "1.70", 74922 "1.71", 74923 "1.72", 74924 "1.73", 74925 "1.74", 74926 "1.75", 74927 "1.76", 74928 "1.77" 74929 ] 74930 }, 74931 { 74932 "database_specific": { 74933 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" 74934 }, 74935 "package": { 74936 "ecosystem": "Maven", 74937 "name": "org.bouncycastle:bcprov-jdk14", 74938 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" 74939 }, 74940 "ranges": [ 74941 { 74942 "events": [ 74943 { 74944 "introduced": "0" 74945 }, 74946 { 74947 "fixed": "1.78" 74948 
} 74949 ], 74950 "type": "ECOSYSTEM" 74951 } 74952 ], 74953 "versions": [ 74954 "1.38", 74955 "1.43", 74956 "1.44", 74957 "1.45", 74958 "1.46", 74959 "1.47", 74960 "1.48", 74961 "1.49", 74962 "1.50", 74963 "1.51", 74964 "1.53", 74965 "1.54", 74966 "1.55", 74967 "1.56", 74968 "1.57", 74969 "1.58", 74970 "1.59", 74971 "1.60", 74972 "1.61", 74973 "1.62", 74974 "1.63", 74975 "1.64", 74976 "1.65", 74977 "1.67", 74978 "1.68", 74979 "1.69", 74980 "1.70", 74981 "1.71", 74982 "1.72", 74983 "1.73", 74984 "1.74", 74985 "1.75", 74986 "1.76", 74987 "1.77" 74988 ] 74989 }, 74990 { 74991 "database_specific": { 74992 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" 74993 }, 74994 "package": { 74995 "ecosystem": "Maven", 74996 "name": "org.bouncycastle:bctls-jdk18on", 74997 "purl": "pkg:maven/org.bouncycastle/bctls-jdk18on" 74998 }, 74999 "ranges": [ 75000 { 75001 "events": [ 75002 { 75003 "introduced": "0" 75004 }, 75005 { 75006 "fixed": "1.78" 75007 } 75008 ], 75009 "type": "ECOSYSTEM" 75010 } 75011 ], 75012 "versions": [ 75013 "1.71", 75014 "1.71.1", 75015 "1.72", 75016 "1.73", 75017 "1.74", 75018 "1.75", 75019 "1.76", 75020 "1.77" 75021 ] 75022 }, 75023 { 75024 "database_specific": { 75025 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" 75026 }, 75027 "package": { 75028 "ecosystem": "Maven", 75029 "name": "org.bouncycastle:bctls-jdk14", 75030 "purl": "pkg:maven/org.bouncycastle/bctls-jdk14" 75031 }, 75032 "ranges": [ 75033 { 75034 "events": [ 75035 { 75036 "introduced": "0" 75037 }, 75038 { 75039 "fixed": "1.78" 75040 } 75041 ], 75042 "type": "ECOSYSTEM" 75043 } 75044 ], 75045 "versions": [ 75046 "1.61", 75047 "1.62", 75048 "1.63", 75049 "1.64", 75050 "1.65", 75051 "1.67", 75052 "1.68", 75053 "1.69", 75054 "1.70", 75055 "1.71", 75056 "1.72", 75057 "1.73", 75058 "1.74", 75059 "1.75", 
75060 "1.76", 75061 "1.77" 75062 ] 75063 }, 75064 { 75065 "database_specific": { 75066 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" 75067 }, 75068 "package": { 75069 "ecosystem": "Maven", 75070 "name": "org.bouncycastle:bctls-jdk15to18", 75071 "purl": "pkg:maven/org.bouncycastle/bctls-jdk15to18" 75072 }, 75073 "ranges": [ 75074 { 75075 "events": [ 75076 { 75077 "introduced": "0" 75078 }, 75079 { 75080 "fixed": "1.78" 75081 } 75082 ], 75083 "type": "ECOSYSTEM" 75084 } 75085 ], 75086 "versions": [ 75087 "1.63", 75088 "1.64", 75089 "1.65", 75090 "1.66", 75091 "1.67", 75092 "1.68", 75093 "1.69", 75094 "1.70", 75095 "1.71", 75096 "1.72", 75097 "1.73", 75098 "1.74", 75099 "1.75", 75100 "1.76", 75101 "1.77" 75102 ] 75103 }, 75104 { 75105 "database_specific": { 75106 "last_known_affected_version_range": "\u003c 2.3.1", 75107 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" 75108 }, 75109 "package": { 75110 "ecosystem": "NuGet", 75111 "name": "BouncyCastle", 75112 "purl": "pkg:nuget/BouncyCastle" 75113 }, 75114 "ranges": [ 75115 { 75116 "events": [ 75117 { 75118 "introduced": "0" 75119 } 75120 ], 75121 "type": "ECOSYSTEM" 75122 } 75123 ], 75124 "versions": [ 75125 "1.7.0", 75126 "1.8.1", 75127 "1.8.2", 75128 "1.8.3", 75129 "1.8.3.1", 75130 "1.8.4", 75131 "1.8.5", 75132 "1.8.6", 75133 "1.8.6.1", 75134 "1.8.9" 75135 ] 75136 }, 75137 { 75138 "database_specific": { 75139 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" 75140 }, 75141 "package": { 75142 "ecosystem": "NuGet", 75143 "name": "BouncyCastle.Cryptography", 75144 "purl": "pkg:nuget/BouncyCastle.Cryptography" 75145 }, 75146 "ranges": [ 75147 { 75148 "events": [ 75149 { 75150 "introduced": "0" 75151 }, 75152 { 75153 "fixed": 
"2.3.1" 75154 } 75155 ], 75156 "type": "ECOSYSTEM" 75157 } 75158 ], 75159 "versions": [ 75160 "2.0.0", 75161 "2.1.0", 75162 "2.1.1", 75163 "2.2.0", 75164 "2.2.1", 75165 "2.3.0" 75166 ] 75167 }, 75168 { 75169 "database_specific": { 75170 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" 75171 }, 75172 "package": { 75173 "ecosystem": "Maven", 75174 "name": "org.bouncycastle:bcpkix-jdk18on", 75175 "purl": "pkg:maven/org.bouncycastle/bcpkix-jdk18on" 75176 }, 75177 "ranges": [ 75178 { 75179 "events": [ 75180 { 75181 "introduced": "0" 75182 }, 75183 { 75184 "fixed": "1.78" 75185 } 75186 ], 75187 "type": "ECOSYSTEM" 75188 } 75189 ], 75190 "versions": [ 75191 "1.71", 75192 "1.71.1", 75193 "1.72", 75194 "1.73", 75195 "1.74", 75196 "1.75", 75197 "1.76", 75198 "1.77" 75199 ] 75200 }, 75201 { 75202 "database_specific": { 75203 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" 75204 }, 75205 "package": { 75206 "ecosystem": "Maven", 75207 "name": "org.bouncycastle:bcpkix-jdk15to18", 75208 "purl": "pkg:maven/org.bouncycastle/bcpkix-jdk15to18" 75209 }, 75210 "ranges": [ 75211 { 75212 "events": [ 75213 { 75214 "introduced": "0" 75215 }, 75216 { 75217 "fixed": "1.78" 75218 } 75219 ], 75220 "type": "ECOSYSTEM" 75221 } 75222 ], 75223 "versions": [ 75224 "1.63", 75225 "1.64", 75226 "1.65", 75227 "1.66", 75228 "1.67", 75229 "1.68", 75230 "1.69", 75231 "1.70", 75232 "1.71", 75233 "1.72", 75234 "1.73", 75235 "1.74", 75236 "1.75", 75237 "1.76", 75238 "1.77" 75239 ] 75240 }, 75241 { 75242 "database_specific": { 75243 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json" 75244 }, 75245 "package": { 75246 "ecosystem": "Maven", 75247 "name": "org.bouncycastle:bcpkix-jdk14", 75248 "purl": 
"pkg:maven/org.bouncycastle/bcpkix-jdk14" 75249 }, 75250 "ranges": [ 75251 { 75252 "events": [ 75253 { 75254 "introduced": "0" 75255 }, 75256 { 75257 "fixed": "1.78" 75258 } 75259 ], 75260 "type": "ECOSYSTEM" 75261 } 75262 ], 75263 "versions": [ 75264 "1.47", 75265 "1.48", 75266 "1.49", 75267 "1.50", 75268 "1.51", 75269 "1.53", 75270 "1.54", 75271 "1.55", 75272 "1.56", 75273 "1.57", 75274 "1.58", 75275 "1.59", 75276 "1.60", 75277 "1.61", 75278 "1.62", 75279 "1.63", 75280 "1.64", 75281 "1.65", 75282 "1.67", 75283 "1.68", 75284 "1.69", 75285 "1.70", 75286 "1.71", 75287 "1.72", 75288 "1.73", 75289 "1.74", 75290 "1.75", 75291 "1.76", 75292 "1.77" 75293 ] 75294 } 75295 ], 75296 "aliases": [ 75297 "CVE-2024-30171" 75298 ], 75299 "database_specific": { 75300 "cwe_ids": [ 75301 "CWE-203" 75302 ], 75303 "github_reviewed": true, 75304 "github_reviewed_at": "2024-05-14T20:22:03Z", 75305 "nvd_published_at": "2024-05-14T15:21:52Z", 75306 "severity": "MODERATE" 75307 }, 75308 "details": "An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. 
Timing-based leakage may occur in RSA based handshakes because of exception processing.", 75309 "id": "GHSA-v435-xc8x-wvr9", 75310 "modified": "2024-07-15T22:12:27.602994Z", 75311 "published": "2024-05-14T15:32:54Z", 75312 "references": [ 75313 { 75314 "type": "ADVISORY", 75315 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30171" 75316 }, 75317 { 75318 "type": "WEB", 75319 "url": "https://github.com/bcgit/bc-csharp/commit/c984b8bfd8544dfc55dba91a02cbbbb9c580c217" 75320 }, 75321 { 75322 "type": "WEB", 75323 "url": "https://github.com/bcgit/bc-java/commit/d7d5e735abd64bf0f413f54fd9e495fc02400fb0" 75324 }, 75325 { 75326 "type": "WEB", 75327 "url": "https://github.com/bcgit/bc-java/commit/e0569dcb1dea9d421d84fc4c5c5688fe101afa2d" 75328 }, 75329 { 75330 "type": "WEB", 75331 "url": "https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9030171" 75332 }, 75333 { 75334 "type": "WEB", 75335 "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9030171" 75336 }, 75337 { 75338 "type": "WEB", 75339 "url": "https://security.netapp.com/advisory/ntap-20240614-0008" 75340 }, 75341 { 75342 "type": "WEB", 75343 "url": "https://www.bouncycastle.org/latest_releases.html" 75344 } 75345 ], 75346 "related": [ 75347 "CGA-38cm-jrfp-jgjm", 75348 "CGA-9727-f845-q3xw", 75349 "CGA-9c2c-7969-vffw", 75350 "CGA-9vcm-5pxq-pvv5", 75351 "CGA-fcmx-xq2g-xppj", 75352 "CGA-g4x8-993m-grwh", 75353 "CGA-gfj5-2q78-6f2f", 75354 "CGA-j49x-3x3f-7v84", 75355 "CGA-vwqh-4f8x-m5r2" 75356 ], 75357 "schema_version": "1.6.0", 75358 "severity": [ 75359 { 75360 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", 75361 "type": "CVSS_V3" 75362 } 75363 ], 75364 "summary": "Bouncy Castle affected by timing side-channel for RSA key exchange (\"The Marvin Attack\")" 75365 }, 75366 { 75367 "affected": [ 75368 { 75369 "database_specific": { 75370 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json" 
75371 }, 75372 "package": { 75373 "ecosystem": "Maven", 75374 "name": "org.bouncycastle:bcprov-ext-jdk16", 75375 "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk16" 75376 }, 75377 "ranges": [ 75378 { 75379 "events": [ 75380 { 75381 "introduced": "0" 75382 }, 75383 { 75384 "fixed": "1.73" 75385 } 75386 ], 75387 "type": "ECOSYSTEM" 75388 } 75389 ], 75390 "versions": [ 75391 "1.45", 75392 "1.46" 75393 ] 75394 }, 75395 { 75396 "database_specific": { 75397 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json" 75398 }, 75399 "package": { 75400 "ecosystem": "Maven", 75401 "name": "org.bouncycastle:bcprov-jdk14", 75402 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" 75403 }, 75404 "ranges": [ 75405 { 75406 "events": [ 75407 { 75408 "introduced": "0" 75409 }, 75410 { 75411 "fixed": "1.73" 75412 } 75413 ], 75414 "type": "ECOSYSTEM" 75415 } 75416 ], 75417 "versions": [ 75418 "1.38", 75419 "1.43", 75420 "1.44", 75421 "1.45", 75422 "1.46", 75423 "1.47", 75424 "1.48", 75425 "1.49", 75426 "1.50", 75427 "1.51", 75428 "1.53", 75429 "1.54", 75430 "1.55", 75431 "1.56", 75432 "1.57", 75433 "1.58", 75434 "1.59", 75435 "1.60", 75436 "1.61", 75437 "1.62", 75438 "1.63", 75439 "1.64", 75440 "1.65", 75441 "1.67", 75442 "1.68", 75443 "1.69", 75444 "1.70", 75445 "1.71", 75446 "1.72" 75447 ] 75448 }, 75449 { 75450 "database_specific": { 75451 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json" 75452 }, 75453 "package": { 75454 "ecosystem": "Maven", 75455 "name": "org.bouncycastle:bcprov-jdk15", 75456 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15" 75457 }, 75458 "ranges": [ 75459 { 75460 "events": [ 75461 { 75462 "introduced": "0" 75463 }, 75464 { 75465 "fixed": "1.73" 75466 } 75467 ], 75468 "type": "ECOSYSTEM" 75469 } 75470 ], 75471 "versions": [ 75472 "1.32", 75473 "1.38", 75474 "1.40", 75475 "1.43", 
75476 "1.44", 75477 "1.45", 75478 "1.46" 75479 ] 75480 }, 75481 { 75482 "database_specific": { 75483 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json" 75484 }, 75485 "package": { 75486 "ecosystem": "Maven", 75487 "name": "org.bouncycastle:bcprov-jdk15to18", 75488 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15to18" 75489 }, 75490 "ranges": [ 75491 { 75492 "events": [ 75493 { 75494 "introduced": "0" 75495 }, 75496 { 75497 "fixed": "1.73" 75498 } 75499 ], 75500 "type": "ECOSYSTEM" 75501 } 75502 ], 75503 "versions": [ 75504 "1.63", 75505 "1.64", 75506 "1.65", 75507 "1.66", 75508 "1.67", 75509 "1.68", 75510 "1.69", 75511 "1.70", 75512 "1.71", 75513 "1.72" 75514 ] 75515 }, 75516 { 75517 "database_specific": { 75518 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json" 75519 }, 75520 "package": { 75521 "ecosystem": "Maven", 75522 "name": "org.bouncycastle:bcprov-jdk16", 75523 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk16" 75524 }, 75525 "ranges": [ 75526 { 75527 "events": [ 75528 { 75529 "introduced": "0" 75530 }, 75531 { 75532 "fixed": "1.73" 75533 } 75534 ], 75535 "type": "ECOSYSTEM" 75536 } 75537 ], 75538 "versions": [ 75539 "1.38", 75540 "1.40", 75541 "1.43", 75542 "1.44", 75543 "1.45", 75544 "1.46" 75545 ] 75546 }, 75547 { 75548 "database_specific": { 75549 "last_known_affected_version_range": "\u003c 1.70", 75550 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json" 75551 }, 75552 "package": { 75553 "ecosystem": "Maven", 75554 "name": "org.bouncycastle:bcprov-jdk15on", 75555 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" 75556 }, 75557 "ranges": [ 75558 { 75559 "events": [ 75560 { 75561 "introduced": "0" 75562 } 75563 ], 75564 "type": "ECOSYSTEM" 75565 } 75566 ], 75567 "versions": 
[ 75568 "1.46", 75569 "1.47", 75570 "1.48", 75571 "1.49", 75572 "1.50", 75573 "1.51", 75574 "1.52", 75575 "1.53", 75576 "1.54", 75577 "1.55", 75578 "1.56", 75579 "1.57", 75580 "1.58", 75581 "1.59", 75582 "1.60", 75583 "1.61", 75584 "1.62", 75585 "1.63", 75586 "1.64", 75587 "1.65", 75588 "1.65.01", 75589 "1.66", 75590 "1.67", 75591 "1.68", 75592 "1.69", 75593 "1.70" 75594 ] 75595 }, 75596 { 75597 "database_specific": { 75598 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json" 75599 }, 75600 "package": { 75601 "ecosystem": "Maven", 75602 "name": "org.bouncycastle:bcpkix-jdk18on", 75603 "purl": "pkg:maven/org.bouncycastle/bcpkix-jdk18on" 75604 }, 75605 "ranges": [ 75606 { 75607 "events": [ 75608 { 75609 "introduced": "0" 75610 }, 75611 { 75612 "fixed": "1.73" 75613 } 75614 ], 75615 "type": "ECOSYSTEM" 75616 } 75617 ], 75618 "versions": [ 75619 "1.71", 75620 "1.71.1", 75621 "1.72" 75622 ] 75623 }, 75624 { 75625 "database_specific": { 75626 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json" 75627 }, 75628 "package": { 75629 "ecosystem": "Maven", 75630 "name": "org.bouncycastle:bcprov-ext-jdk15on", 75631 "purl": "pkg:maven/org.bouncycastle/bcprov-ext-jdk15on" 75632 }, 75633 "ranges": [ 75634 { 75635 "events": [ 75636 { 75637 "introduced": "0" 75638 }, 75639 { 75640 "fixed": "1.73" 75641 } 75642 ], 75643 "type": "ECOSYSTEM" 75644 } 75645 ], 75646 "versions": [ 75647 "1.46", 75648 "1.47", 75649 "1.48", 75650 "1.49", 75651 "1.50", 75652 "1.51", 75653 "1.52", 75654 "1.53", 75655 "1.54", 75656 "1.55", 75657 "1.56", 75658 "1.57", 75659 "1.58", 75660 "1.59", 75661 "1.60", 75662 "1.61", 75663 "1.62", 75664 "1.63", 75665 "1.64", 75666 "1.65", 75667 "1.66", 75668 "1.67", 75669 "1.68", 75670 "1.69", 75671 "1.70" 75672 ] 75673 }, 75674 { 75675 "database_specific": { 75676 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json" 75677 }, 75678 "package": { 75679 "ecosystem": "Maven", 75680 "name": "org.bouncycastle:bcprov-jdk18on", 75681 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk18on" 75682 }, 75683 "ranges": [ 75684 { 75685 "events": [ 75686 { 75687 "introduced": "0" 75688 }, 75689 { 75690 "fixed": "1.73" 75691 } 75692 ], 75693 "type": "ECOSYSTEM" 75694 } 75695 ], 75696 "versions": [ 75697 "1.71", 75698 "1.71.1", 75699 "1.72" 75700 ] 75701 } 75702 ], 75703 "aliases": [ 75704 "CVE-2023-33202" 75705 ], 75706 "database_specific": { 75707 "cwe_ids": [ 75708 "CWE-400" 75709 ], 75710 "github_reviewed": true, 75711 "github_reviewed_at": "2023-11-24T16:54:01Z", 75712 "nvd_published_at": "2023-11-23T16:15:07Z", 75713 "severity": "MODERATE" 75714 }, 75715 "details": "Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. 
Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack.", 75716 "id": "GHSA-wjxj-5m7g-mg7q", 75717 "modified": "2024-05-23T21:16:05.53245Z", 75718 "published": "2023-11-23T18:30:33Z", 75719 "references": [ 75720 { 75721 "type": "ADVISORY", 75722 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33202" 75723 }, 75724 { 75725 "type": "WEB", 75726 "url": "https://github.com/bcgit/bc-java/commit/0c576892862ed41894f49a8f639112e8d66d229c" 75727 }, 75728 { 75729 "type": "PACKAGE", 75730 "url": "https://github.com/bcgit/bc-java" 75731 }, 75732 { 75733 "type": "WEB", 75734 "url": "https://github.com/bcgit/bc-java/wiki/CVE-2023-33202" 75735 }, 75736 { 75737 "type": "WEB", 75738 "url": "https://security.netapp.com/advisory/ntap-20240125-0001" 75739 } 75740 ], 75741 "related": [ 75742 "CGA-hq55-qp37-gwm6" 75743 ], 75744 "schema_version": "1.6.0", 75745 "severity": [ 75746 { 75747 "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", 75748 "type": "CVSS_V3" 75749 } 75750 ], 75751 "summary": "Bouncy Castle Denial of Service (DoS)" 75752 }, 75753 { 75754 "affected": [ 75755 { 75756 "database_specific": { 75757 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wrwf-pmmj-w989/GHSA-wrwf-pmmj-w989.json" 75758 }, 75759 "package": { 75760 "ecosystem": "Maven", 75761 "name": "org.bouncycastle:bcprov-jdk15on", 75762 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15on" 75763 }, 75764 "ranges": [ 75765 { 75766 "events": [ 75767 { 75768 "introduced": "0" 75769 }, 75770 { 75771 "fixed": "1.0.3" 75772 } 75773 ], 75774 "type": "ECOSYSTEM" 75775 } 75776 ] 75777 } 75778 ], 75779 "aliases": [ 75780 "CVE-2017-13098" 75781 ], 75782 "database_specific": { 75783 "cwe_ids": [ 75784 "CWE-203" 75785 ], 75786 "github_reviewed": true, 75787 "github_reviewed_at": "2022-07-01T20:14:25Z", 75788 "nvd_published_at": "2017-12-13T01:29:00Z", 75789 "severity": "MODERATE" 75790 
}, 75791 "details": "BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as \"ROBOT.\"", 75792 "id": "GHSA-wrwf-pmmj-w989", 75793 "modified": "2023-11-08T03:58:54.947561Z", 75794 "published": "2022-05-13T01:14:24Z", 75795 "references": [ 75796 { 75797 "type": "ADVISORY", 75798 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13098" 75799 }, 75800 { 75801 "type": "WEB", 75802 "url": "https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c" 75803 }, 75804 { 75805 "type": "PACKAGE", 75806 "url": "https://github.com/bcgit/bc-java" 75807 }, 75808 { 75809 "type": "WEB", 75810 "url": "https://robotattack.org" 75811 }, 75812 { 75813 "type": "WEB", 75814 "url": "https://security.netapp.com/advisory/ntap-20171222-0001" 75815 }, 75816 { 75817 "type": "WEB", 75818 "url": "https://www.debian.org/security/2017/dsa-4072" 75819 }, 75820 { 75821 "type": "WEB", 75822 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 75823 }, 75824 { 75825 "type": "WEB", 75826 "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html" 75827 }, 75828 { 75829 "type": "WEB", 75830 "url": "http://www.kb.cert.org/vuls/id/144389" 75831 } 75832 ], 75833 "schema_version": "1.6.0", 75834 "severity": [ 75835 { 75836 "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", 75837 "type": "CVSS_V3" 75838 } 75839 ], 75840 "summary": "Observable Discrepancy in BouncyCastle" 75841 }, 75842 { 75843 "affected": [ 75844 { 75845 "database_specific": { 75846 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-4h8f-2wvx-gg5w/GHSA-4h8f-2wvx-gg5w.json" 75847 }, 75848 "package": { 75849 "ecosystem": "Maven", 75850 "name": 
"org.bouncycastle:bcprov-jdk18on", 75851 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk18on" 75852 }, 75853 "ranges": [ 75854 { 75855 "events": [ 75856 { 75857 "introduced": "1.61" 75858 }, 75859 { 75860 "fixed": "1.78" 75861 } 75862 ], 75863 "type": "ECOSYSTEM" 75864 } 75865 ], 75866 "versions": [ 75867 "1.71", 75868 "1.71.1", 75869 "1.72", 75870 "1.73", 75871 "1.74", 75872 "1.75", 75873 "1.76", 75874 "1.77" 75875 ] 75876 }, 75877 { 75878 "database_specific": { 75879 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-4h8f-2wvx-gg5w/GHSA-4h8f-2wvx-gg5w.json" 75880 }, 75881 "package": { 75882 "ecosystem": "Maven", 75883 "name": "org.bouncycastle:bcprov-jdk15to18", 75884 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15to18" 75885 }, 75886 "ranges": [ 75887 { 75888 "events": [ 75889 { 75890 "introduced": "1.61" 75891 }, 75892 { 75893 "fixed": "1.78" 75894 } 75895 ], 75896 "type": "ECOSYSTEM" 75897 } 75898 ], 75899 "versions": [ 75900 "1.63", 75901 "1.64", 75902 "1.65", 75903 "1.66", 75904 "1.67", 75905 "1.68", 75906 "1.69", 75907 "1.70", 75908 "1.71", 75909 "1.72", 75910 "1.73", 75911 "1.74", 75912 "1.75", 75913 "1.76", 75914 "1.77" 75915 ] 75916 }, 75917 { 75918 "database_specific": { 75919 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-4h8f-2wvx-gg5w/GHSA-4h8f-2wvx-gg5w.json" 75920 }, 75921 "package": { 75922 "ecosystem": "Maven", 75923 "name": "org.bouncycastle:bcprov-jdk14", 75924 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk14" 75925 }, 75926 "ranges": [ 75927 { 75928 "events": [ 75929 { 75930 "introduced": "1.61" 75931 }, 75932 { 75933 "fixed": "1.78" 75934 } 75935 ], 75936 "type": "ECOSYSTEM" 75937 } 75938 ], 75939 "versions": [ 75940 "1.61", 75941 "1.62", 75942 "1.63", 75943 "1.64", 75944 "1.65", 75945 "1.67", 75946 "1.68", 75947 "1.69", 75948 "1.70", 75949 "1.71", 75950 "1.72", 75951 "1.73", 75952 "1.74", 75953 "1.75", 75954 "1.76", 75955 "1.77" 
75956 ] 75957 }, 75958 { 75959 "database_specific": { 75960 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-4h8f-2wvx-gg5w/GHSA-4h8f-2wvx-gg5w.json" 75961 }, 75962 "package": { 75963 "ecosystem": "Maven", 75964 "name": "org.bouncycastle:bcprov-jdk13", 75965 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk13" 75966 }, 75967 "ranges": [ 75968 { 75969 "events": [ 75970 { 75971 "introduced": "1.61" 75972 }, 75973 { 75974 "fixed": "1.78" 75975 } 75976 ], 75977 "type": "ECOSYSTEM" 75978 } 75979 ] 75980 }, 75981 { 75982 "database_specific": { 75983 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-4h8f-2wvx-gg5w/GHSA-4h8f-2wvx-gg5w.json" 75984 }, 75985 "package": { 75986 "ecosystem": "Maven", 75987 "name": "org.bouncycastle:bcprov-jdk12", 75988 "purl": "pkg:maven/org.bouncycastle/bcprov-jdk12" 75989 }, 75990 "ranges": [ 75991 { 75992 "events": [ 75993 { 75994 "introduced": "1.61" 75995 }, 75996 { 75997 "fixed": "1.78" 75998 } 75999 ], 76000 "type": "ECOSYSTEM" 76001 } 76002 ] 76003 } 76004 ], 76005 "aliases": [ 76006 "CVE-2024-34447" 76007 ], 76008 "database_specific": { 76009 "cwe_ids": [], 76010 "github_reviewed": true, 76011 "github_reviewed_at": "2024-05-03T20:34:32Z", 76012 "nvd_published_at": "2024-05-03T16:15:11Z", 76013 "severity": "LOW" 76014 }, 76015 "details": "An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. 
When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning.", 76016 "id": "GHSA-4h8f-2wvx-gg5w", 76017 "modified": "2024-07-15T22:12:27.837144Z", 76018 "published": "2024-05-03T18:30:37Z", 76019 "references": [ 76020 { 76021 "type": "ADVISORY", 76022 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34447" 76023 }, 76024 { 76025 "type": "WEB", 76026 "url": "https://github.com/bcgit/bc-java/issues/1656" 76027 }, 76028 { 76029 "type": "PACKAGE", 76030 "url": "https://github.com/bcgit/bc-java" 76031 }, 76032 { 76033 "type": "WEB", 76034 "url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9034447" 76035 }, 76036 { 76037 "type": "WEB", 76038 "url": "https://security.netapp.com/advisory/ntap-20240614-0007" 76039 }, 76040 { 76041 "type": "WEB", 76042 "url": "https://www.bouncycastle.org/latest_releases.html" 76043 } 76044 ], 76045 "related": [ 76046 "CGA-7xqh-m7hm-wmh3", 76047 "CGA-f55c-xq37-f8v2", 76048 "CGA-fw2f-x94j-v2g6", 76049 "CGA-gw6c-wgp5-wr4c", 76050 "CGA-j6q8-vx5q-hw34", 76051 "CGA-wvcg-3cjq-8wjm", 76052 "CGA-x85m-654w-mjcj" 76053 ], 76054 "schema_version": "1.6.0", 76055 "summary": "Bouncy Castle Java Cryptography API vulnerable to DNS poisoning" 76056 }, 76057 { 76058 "affected": [ 76059 { 76060 "database_specific": { 76061 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-c27h-mcmw-48hv/GHSA-c27h-mcmw-48hv.json" 76062 }, 76063 "package": { 76064 "ecosystem": "Maven", 76065 "name": "org.codehaus.jackson:jackson-mapper-asl", 76066 "purl": "pkg:maven/org.codehaus.jackson/jackson-mapper-asl" 76067 }, 76068 "ranges": [ 76069 { 76070 "events": [ 76071 { 76072 "introduced": "0" 76073 }, 76074 { 76075 "last_affected": "1.9.13" 76076 } 76077 ], 76078 "type": "ECOSYSTEM" 
76079 } 76080 ], 76081 "versions": [ 76082 "0.9.6", 76083 "0.9.7", 76084 "0.9.8", 76085 "0.9.9", 76086 "0.9.9-2", 76087 "0.9.9-3", 76088 "0.9.9-4", 76089 "0.9.9-5", 76090 "0.9.9-6", 76091 "1.0.0", 76092 "1.0.1", 76093 "1.1.0", 76094 "1.1.1", 76095 "1.1.2", 76096 "1.2.0", 76097 "1.2.1", 76098 "1.3.0", 76099 "1.3.1", 76100 "1.3.2", 76101 "1.3.3", 76102 "1.3.4", 76103 "1.3.5", 76104 "1.4.0", 76105 "1.4.1", 76106 "1.4.2", 76107 "1.4.3", 76108 "1.4.4", 76109 "1.4.5", 76110 "1.5.0", 76111 "1.5.1", 76112 "1.5.2", 76113 "1.5.3", 76114 "1.5.4", 76115 "1.5.5", 76116 "1.5.6", 76117 "1.5.7", 76118 "1.5.8", 76119 "1.6.0", 76120 "1.6.1", 76121 "1.6.2", 76122 "1.6.3", 76123 "1.6.4", 76124 "1.6.5", 76125 "1.6.6", 76126 "1.6.7", 76127 "1.6.9", 76128 "1.7.0", 76129 "1.7.1", 76130 "1.7.2", 76131 "1.7.3", 76132 "1.7.4", 76133 "1.7.5", 76134 "1.7.6", 76135 "1.7.7", 76136 "1.7.8", 76137 "1.7.9", 76138 "1.8.0", 76139 "1.8.1", 76140 "1.8.10", 76141 "1.8.11", 76142 "1.8.2", 76143 "1.8.3", 76144 "1.8.4", 76145 "1.8.5", 76146 "1.8.6", 76147 "1.8.7", 76148 "1.8.8", 76149 "1.8.9", 76150 "1.9.0", 76151 "1.9.1", 76152 "1.9.10", 76153 "1.9.11", 76154 "1.9.12", 76155 "1.9.13", 76156 "1.9.2", 76157 "1.9.3", 76158 "1.9.4", 76159 "1.9.5", 76160 "1.9.6", 76161 "1.9.7", 76162 "1.9.8", 76163 "1.9.9" 76164 ] 76165 } 76166 ], 76167 "aliases": [ 76168 "CVE-2019-10202" 76169 ], 76170 "database_specific": { 76171 "cwe_ids": [ 76172 "CWE-502" 76173 ], 76174 "github_reviewed": true, 76175 "github_reviewed_at": "2023-02-14T00:56:25Z", 76176 "nvd_published_at": "2019-10-01T15:15:00Z", 76177 "severity": "CRITICAL" 76178 }, 76179 "details": "A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. 
This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.", 76180 "id": "GHSA-c27h-mcmw-48hv", 76181 "modified": "2024-03-11T05:32:32.87973Z", 76182 "published": "2022-05-24T16:57:28Z", 76183 "references": [ 76184 { 76185 "type": "ADVISORY", 76186 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10202" 76187 }, 76188 { 76189 "type": "WEB", 76190 "url": "https://lists.apache.org/thread.html/refea6018a2c4e9eb7838cab567ed219c3f726dcd83a5472fbb80d8d9@%3Cissues.flume.apache.org%3E" 76191 }, 76192 { 76193 "type": "WEB", 76194 "url": "https://lists.apache.org/thread.html/refea6018a2c4e9eb7838cab567ed219c3f726dcd83a5472fbb80d8d9%40%3Cissues.flume.apache.org%3E" 76195 }, 76196 { 76197 "type": "WEB", 76198 "url": "https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9@%3Cdev.hive.apache.org%3E" 76199 }, 76200 { 76201 "type": "WEB", 76202 "url": "https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9%40%3Cdev.hive.apache.org%3E" 76203 }, 76204 { 76205 "type": "WEB", 76206 "url": "https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0@%3Cissues.hive.apache.org%3E" 76207 }, 76208 { 76209 "type": "WEB", 76210 "url": "https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0%40%3Cissues.hive.apache.org%3E" 76211 }, 76212 { 76213 "type": "WEB", 76214 "url": "https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581@%3Cdev.hive.apache.org%3E" 76215 }, 76216 { 76217 "type": "WEB", 76218 "url": "https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581%40%3Cdev.hive.apache.org%3E" 76219 }, 76220 { 76221 "type": "WEB", 76222 "url": 
"https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb@%3Cissues.hive.apache.org%3E" 76223 }, 76224 { 76225 "type": "WEB", 76226 "url": "https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb%40%3Cissues.hive.apache.org%3E" 76227 }, 76228 { 76229 "type": "WEB", 76230 "url": "https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a@%3Cissues.hive.apache.org%3E" 76231 }, 76232 { 76233 "type": "WEB", 76234 "url": "https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a%40%3Cissues.hive.apache.org%3E" 76235 }, 76236 { 76237 "type": "WEB", 76238 "url": "https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d@%3Cissues.hive.apache.org%3E" 76239 }, 76240 { 76241 "type": "WEB", 76242 "url": "https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d%40%3Cissues.hive.apache.org%3E" 76243 }, 76244 { 76245 "type": "WEB", 76246 "url": "https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e@%3Cissues.hive.apache.org%3E" 76247 }, 76248 { 76249 "type": "WEB", 76250 "url": "https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e%40%3Cissues.hive.apache.org%3E" 76251 }, 76252 { 76253 "type": "WEB", 76254 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10202" 76255 } 76256 ], 76257 "related": [ 76258 "CGA-5q42-fr7m-wmqh" 76259 ], 76260 "schema_version": "1.6.0", 76261 "severity": [ 76262 { 76263 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 76264 "type": "CVSS_V3" 76265 } 76266 ], 76267 "summary": "Deserialization of Untrusted Data in org.codehaus.jackson:jackson-mapper-asl" 76268 }, 76269 { 76270 "affected": [ 76271 { 76272 "database_specific": { 76273 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-r6j9-8759-g62w/GHSA-r6j9-8759-g62w.json" 76274 }, 76275 "package": { 76276 "ecosystem": "Maven", 76277 "name": "org.codehaus.jackson:jackson-mapper-asl", 76278 "purl": "pkg:maven/org.codehaus.jackson/jackson-mapper-asl" 76279 }, 76280 "ranges": [ 76281 { 76282 "events": [ 76283 { 76284 "introduced": "0" 76285 }, 76286 { 76287 "last_affected": "1.9.13" 76288 } 76289 ], 76290 "type": "ECOSYSTEM" 76291 } 76292 ], 76293 "versions": [ 76294 "0.9.6", 76295 "0.9.7", 76296 "0.9.8", 76297 "0.9.9", 76298 "0.9.9-2", 76299 "0.9.9-3", 76300 "0.9.9-4", 76301 "0.9.9-5", 76302 "0.9.9-6", 76303 "1.0.0", 76304 "1.0.1", 76305 "1.1.0", 76306 "1.1.1", 76307 "1.1.2", 76308 "1.2.0", 76309 "1.2.1", 76310 "1.3.0", 76311 "1.3.1", 76312 "1.3.2", 76313 "1.3.3", 76314 "1.3.4", 76315 "1.3.5", 76316 "1.4.0", 76317 "1.4.1", 76318 "1.4.2", 76319 "1.4.3", 76320 "1.4.4", 76321 "1.4.5", 76322 "1.5.0", 76323 "1.5.1", 76324 "1.5.2", 76325 "1.5.3", 76326 "1.5.4", 76327 "1.5.5", 76328 "1.5.6", 76329 "1.5.7", 76330 "1.5.8", 76331 "1.6.0", 76332 "1.6.1", 76333 "1.6.2", 76334 "1.6.3", 76335 "1.6.4", 76336 "1.6.5", 76337 "1.6.6", 76338 "1.6.7", 76339 "1.6.9", 76340 "1.7.0", 76341 "1.7.1", 76342 "1.7.2", 76343 "1.7.3", 76344 "1.7.4", 76345 "1.7.5", 76346 "1.7.6", 76347 "1.7.7", 76348 "1.7.8", 76349 "1.7.9", 76350 "1.8.0", 76351 "1.8.1", 76352 "1.8.10", 76353 "1.8.11", 76354 "1.8.2", 76355 "1.8.3", 76356 "1.8.4", 76357 "1.8.5", 76358 "1.8.6", 76359 "1.8.7", 76360 "1.8.8", 76361 "1.8.9", 76362 "1.9.0", 76363 "1.9.1", 76364 "1.9.10", 76365 "1.9.11", 76366 "1.9.12", 76367 "1.9.13", 76368 "1.9.2", 76369 "1.9.3", 76370 "1.9.4", 76371 "1.9.5", 76372 "1.9.6", 76373 "1.9.7", 76374 "1.9.8", 76375 "1.9.9" 76376 ] 76377 } 76378 ], 76379 "aliases": [ 76380 "CVE-2019-10172" 76381 ], 76382 "database_specific": { 76383 "cwe_ids": [ 76384 "CWE-611" 76385 ], 76386 "github_reviewed": true, 76387 "github_reviewed_at": 
"2020-02-04T20:42:17Z", 76388 "nvd_published_at": "2019-11-18T17:15:00Z", 76389 "severity": "HIGH" 76390 }, 76391 "details": "A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.", 76392 "id": "GHSA-r6j9-8759-g62w", 76393 "modified": "2024-03-13T05:36:14.612715Z", 76394 "published": "2020-02-04T22:39:19Z", 76395 "references": [ 76396 { 76397 "type": "ADVISORY", 76398 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10172" 76399 }, 76400 { 76401 "type": "WEB", 76402 "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html" 76403 }, 76404 { 76405 "type": "WEB", 76406 "url": "https://lists.apache.org/thread.html/ra37700b842790883b9082e6b281fb7596f571b13078a4856cd38f2c2@%3Ccommits.cassandra.apache.org%3E" 76407 }, 76408 { 76409 "type": "WEB", 76410 "url": "https://lists.apache.org/thread.html/ra37700b842790883b9082e6b281fb7596f571b13078a4856cd38f2c2%40%3Ccommits.cassandra.apache.org%3E" 76411 }, 76412 { 76413 "type": "WEB", 76414 "url": "https://lists.apache.org/thread.html/r80e8882c86c9c17a57396a5ef7c4f08878d629a0291243411be0de3a@%3Ccommits.cassandra.apache.org%3E" 76415 }, 76416 { 76417 "type": "WEB", 76418 "url": "https://lists.apache.org/thread.html/r80e8882c86c9c17a57396a5ef7c4f08878d629a0291243411be0de3a%40%3Ccommits.cassandra.apache.org%3E" 76419 }, 76420 { 76421 "type": "WEB", 76422 "url": "https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0@%3Cissues.hive.apache.org%3E" 76423 }, 76424 { 76425 "type": "WEB", 76426 "url": "https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0%40%3Cissues.hive.apache.org%3E" 76427 }, 76428 { 76429 "type": "WEB", 76430 "url": "https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589@%3Cissues.spark.apache.org%3E" 76431 }, 76432 { 
76433 "type": "WEB", 76434 "url": "https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589%40%3Cissues.spark.apache.org%3E" 76435 }, 76436 { 76437 "type": "WEB", 76438 "url": "https://lists.apache.org/thread.html/r634468eb3218ab02713128ff6f4818c618622b2b3de4d958138dde49@%3Ccommits.cassandra.apache.org%3E" 76439 }, 76440 { 76441 "type": "WEB", 76442 "url": "https://lists.apache.org/thread.html/r634468eb3218ab02713128ff6f4818c618622b2b3de4d958138dde49%40%3Ccommits.cassandra.apache.org%3E" 76443 }, 76444 { 76445 "type": "WEB", 76446 "url": "https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581@%3Cdev.hive.apache.org%3E" 76447 }, 76448 { 76449 "type": "WEB", 76450 "url": "https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581%40%3Cdev.hive.apache.org%3E" 76451 }, 76452 { 76453 "type": "WEB", 76454 "url": "https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb@%3Cissues.hive.apache.org%3E" 76455 }, 76456 { 76457 "type": "WEB", 76458 "url": "https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb%40%3Cissues.hive.apache.org%3E" 76459 }, 76460 { 76461 "type": "WEB", 76462 "url": "https://lists.apache.org/thread.html/r4bbfa1439d7a4e1712e260bfc3d90f7cf997abfd641cccde6432d4ab@%3Ccommits.cassandra.apache.org%3E" 76463 }, 76464 { 76465 "type": "WEB", 76466 "url": "https://lists.apache.org/thread.html/r4bbfa1439d7a4e1712e260bfc3d90f7cf997abfd641cccde6432d4ab%40%3Ccommits.cassandra.apache.org%3E" 76467 }, 76468 { 76469 "type": "WEB", 76470 "url": "https://lists.apache.org/thread.html/r48a32f2dd6976d33f7a12b7e09ec7ea1895f8facba82b565587c28ac@%3Ccommon-issues.hadoop.apache.org%3E" 76471 }, 76472 { 76473 "type": "WEB", 76474 "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html" 76475 }, 76476 { 76477 "type": "WEB", 76478 "url": 
"https://lists.apache.org/thread.html/re646dcc2739d92117bf9a76a33c600ed3b65e8b4e9b6f441e366b72b@%3Ccommits.cassandra.apache.org%3E" 76479 }, 76480 { 76481 "type": "WEB", 76482 "url": "https://lists.apache.org/thread.html/re646dcc2739d92117bf9a76a33c600ed3b65e8b4e9b6f441e366b72b%40%3Ccommits.cassandra.apache.org%3E" 76483 }, 76484 { 76485 "type": "WEB", 76486 "url": "https://lists.apache.org/thread.html/re07c51a8026c11e6e5513bfdc66d52d1c1027053e480fb8073356257@%3Ccommits.cassandra.apache.org%3E" 76487 }, 76488 { 76489 "type": "WEB", 76490 "url": "https://lists.apache.org/thread.html/re07c51a8026c11e6e5513bfdc66d52d1c1027053e480fb8073356257%40%3Ccommits.cassandra.apache.org%3E" 76491 }, 76492 { 76493 "type": "WEB", 76494 "url": "https://lists.apache.org/thread.html/rd3a34d663e2a25b9ab1e8a1a94712cd5f100f098578aec79af48161e@%3Ccommon-dev.hadoop.apache.org%3E" 76495 }, 76496 { 76497 "type": "WEB", 76498 "url": "https://lists.apache.org/thread.html/rd3a34d663e2a25b9ab1e8a1a94712cd5f100f098578aec79af48161e%40%3Ccommon-dev.hadoop.apache.org%3E" 76499 }, 76500 { 76501 "type": "WEB", 76502 "url": "https://lists.apache.org/thread.html/rd27730cfc3066dfcf15927c8e800603728d5dedf17eee1f8c6e3507c@%3Ccommon-issues.hadoop.apache.org%3E" 76503 }, 76504 { 76505 "type": "WEB", 76506 "url": "https://lists.apache.org/thread.html/rd27730cfc3066dfcf15927c8e800603728d5dedf17eee1f8c6e3507c%40%3Ccommon-issues.hadoop.apache.org%3E" 76507 }, 76508 { 76509 "type": "WEB", 76510 "url": "https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9@%3Cdev.hive.apache.org%3E" 76511 }, 76512 { 76513 "type": "WEB", 76514 "url": "https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9%40%3Cdev.hive.apache.org%3E" 76515 }, 76516 { 76517 "type": "WEB", 76518 "url": "https://lists.apache.org/thread.html/rb8c09b14fd57d855dc21e0a037dc29258c2cbe9c1966bfff453a02e4@%3Ccommon-issues.hadoop.apache.org%3E" 76519 }, 76520 { 76521 "type": 
"WEB", 76522 "url": "https://lists.apache.org/thread.html/rb8c09b14fd57d855dc21e0a037dc29258c2cbe9c1966bfff453a02e4%40%3Ccommon-issues.hadoop.apache.org%3E" 76523 }, 76524 { 76525 "type": "WEB", 76526 "url": "https://lists.apache.org/thread.html/rb47911c179c9f3e8ea3f134b5645e63cd20c6fc63bd0b43ab5864bd1@%3Ccommits.cassandra.apache.org%3E" 76527 }, 76528 { 76529 "type": "WEB", 76530 "url": "https://lists.apache.org/thread.html/rb47911c179c9f3e8ea3f134b5645e63cd20c6fc63bd0b43ab5864bd1%40%3Ccommits.cassandra.apache.org%3E" 76531 }, 76532 { 76533 "type": "WEB", 76534 "url": "https://lists.apache.org/thread.html/rb036bf32e4dacc49335e3bdc1be8e53d6f54df692ac8e2251a6884bd@%3Ccommon-issues.hadoop.apache.org%3E" 76535 }, 76536 { 76537 "type": "WEB", 76538 "url": "https://lists.apache.org/thread.html/rb036bf32e4dacc49335e3bdc1be8e53d6f54df692ac8e2251a6884bd%40%3Ccommon-issues.hadoop.apache.org%3E" 76539 }, 76540 { 76541 "type": "WEB", 76542 "url": "https://lists.apache.org/thread.html/r21ac3570ce865b8f1e5d26e492aeb714a6aaa53a0c9a6f72ef181556%40%3Ccommits.cassandra.apache.org%3E" 76543 }, 76544 { 76545 "type": "WEB", 76546 "url": "https://lists.apache.org/thread.html/r1f07e61b3ebabd3e5b4aa97bf1b26d98b793fdfa29a23dac60633f55@%3Ccommon-issues.hadoop.apache.org%3E" 76547 }, 76548 { 76549 "type": "WEB", 76550 "url": "https://lists.apache.org/thread.html/r1f07e61b3ebabd3e5b4aa97bf1b26d98b793fdfa29a23dac60633f55%40%3Ccommon-issues.hadoop.apache.org%3E" 76551 }, 76552 { 76553 "type": "WEB", 76554 "url": "https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d@%3Cissues.hive.apache.org%3E" 76555 }, 76556 { 76557 "type": "WEB", 76558 "url": "https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d%40%3Cissues.hive.apache.org%3E" 76559 }, 76560 { 76561 "type": "WEB", 76562 "url": "https://lists.apache.org/thread.html/r1cc8bce2cf3dfce08a64c4fa20bf38d33b56ad995cee2e382f522f83@%3Ccommon-issues.hadoop.apache.org%3E" 
76563 }, 76564 { 76565 "type": "WEB", 76566 "url": "https://lists.apache.org/thread.html/r1cc8bce2cf3dfce08a64c4fa20bf38d33b56ad995cee2e382f522f83%40%3Ccommon-issues.hadoop.apache.org%3E" 76567 }, 76568 { 76569 "type": "WEB", 76570 "url": "https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e@%3Cissues.hive.apache.org%3E" 76571 }, 76572 { 76573 "type": "WEB", 76574 "url": "https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e%40%3Cissues.hive.apache.org%3E" 76575 }, 76576 { 76577 "type": "WEB", 76578 "url": "https://lists.apache.org/thread.html/r0d8c3e32a0a2d8a0b6118f5b3487d363afdda80c996d7b930097383d@%3Ccommon-issues.hadoop.apache.org%3E" 76579 }, 76580 { 76581 "type": "WEB", 76582 "url": "https://lists.apache.org/thread.html/r0d8c3e32a0a2d8a0b6118f5b3487d363afdda80c996d7b930097383d%40%3Ccommon-issues.hadoop.apache.org%3E" 76583 }, 76584 { 76585 "type": "WEB", 76586 "url": "https://lists.apache.org/thread.html/r08e1b73fabd986dcd2ddd7d09480504d1472264bed2f19b1d2002a9c@%3Ccommon-issues.hadoop.apache.org%3E" 76587 }, 76588 { 76589 "type": "WEB", 76590 "url": "https://lists.apache.org/thread.html/r08e1b73fabd986dcd2ddd7d09480504d1472264bed2f19b1d2002a9c%40%3Ccommon-issues.hadoop.apache.org%3E" 76591 }, 76592 { 76593 "type": "WEB", 76594 "url": "https://lists.apache.org/thread.html/r04ecadefb27cda84b699130b11b96427f1d8a7a4066d8292f7f15ed8@%3Ccommon-issues.hadoop.apache.org%3E" 76595 }, 76596 { 76597 "type": "WEB", 76598 "url": "https://lists.apache.org/thread.html/r04ecadefb27cda84b699130b11b96427f1d8a7a4066d8292f7f15ed8%40%3Ccommon-issues.hadoop.apache.org%3E" 76599 }, 76600 { 76601 "type": "WEB", 76602 "url": "https://lists.apache.org/thread.html/r0066c1e862613de402fee04e81cbe00bcd64b64a2711beb9a13c3b25@%3Ccommits.cassandra.apache.org%3E" 76603 }, 76604 { 76605 "type": "WEB", 76606 "url": 
"https://lists.apache.org/thread.html/r0066c1e862613de402fee04e81cbe00bcd64b64a2711beb9a13c3b25%40%3Ccommits.cassandra.apache.org%3E" 76607 }, 76608 { 76609 "type": "WEB", 76610 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10172" 76611 }, 76612 { 76613 "type": "WEB", 76614 "url": "https://lists.apache.org/thread.html/r48a32f2dd6976d33f7a12b7e09ec7ea1895f8facba82b565587c28ac%40%3Ccommon-issues.hadoop.apache.org%3E" 76615 }, 76616 { 76617 "type": "WEB", 76618 "url": "https://lists.apache.org/thread.html/r43c6f75d203b8afc4fbd6c3200db0384a18a11c59d085b1a9bb0ccfe@%3Cuser.hadoop.apache.org%3E" 76619 }, 76620 { 76621 "type": "WEB", 76622 "url": "https://lists.apache.org/thread.html/r43c6f75d203b8afc4fbd6c3200db0384a18a11c59d085b1a9bb0ccfe%40%3Cuser.hadoop.apache.org%3E" 76623 }, 76624 { 76625 "type": "WEB", 76626 "url": "https://lists.apache.org/thread.html/r4176155240cdc36aad7869932d9c29551742c7fa630f209fb4a8e649@%3Ccommon-issues.hadoop.apache.org%3E" 76627 }, 76628 { 76629 "type": "WEB", 76630 "url": "https://lists.apache.org/thread.html/r4176155240cdc36aad7869932d9c29551742c7fa630f209fb4a8e649%40%3Ccommon-issues.hadoop.apache.org%3E" 76631 }, 76632 { 76633 "type": "WEB", 76634 "url": "https://lists.apache.org/thread.html/r386966780034aadee69ffd82d44555117c9339545b9ce990fe490a3e@%3Ccommits.cassandra.apache.org%3E" 76635 }, 76636 { 76637 "type": "WEB", 76638 "url": "https://lists.apache.org/thread.html/r386966780034aadee69ffd82d44555117c9339545b9ce990fe490a3e%40%3Ccommits.cassandra.apache.org%3E" 76639 }, 76640 { 76641 "type": "WEB", 76642 "url": "https://lists.apache.org/thread.html/r385c35a7c6f4acaacf37fe22922bb8e2aed9d322d0fa6dc1d45acddb@%3Ccommits.cassandra.apache.org%3E" 76643 }, 76644 { 76645 "type": "WEB", 76646 "url": "https://lists.apache.org/thread.html/r385c35a7c6f4acaacf37fe22922bb8e2aed9d322d0fa6dc1d45acddb%40%3Ccommits.cassandra.apache.org%3E" 76647 }, 76648 { 76649 "type": "WEB", 76650 "url": 
"https://lists.apache.org/thread.html/r37eb6579fa0bf94a72b6c978e2fee96f68a2b1b3ac1b1ce60aee86cf@%3Ccommits.cassandra.apache.org%3E" 76651 }, 76652 { 76653 "type": "WEB", 76654 "url": "https://lists.apache.org/thread.html/r37eb6579fa0bf94a72b6c978e2fee96f68a2b1b3ac1b1ce60aee86cf%40%3Ccommits.cassandra.apache.org%3E" 76655 }, 76656 { 76657 "type": "WEB", 76658 "url": "https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a@%3Cissues.hive.apache.org%3E" 76659 }, 76660 { 76661 "type": "WEB", 76662 "url": "https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a%40%3Cissues.hive.apache.org%3E" 76663 }, 76664 { 76665 "type": "WEB", 76666 "url": "https://lists.apache.org/thread.html/r33d25a342af84102903cd9dec8338a5bcba3ecfce10505bdfe793b92@%3Ccommon-issues.hadoop.apache.org%3E" 76667 }, 76668 { 76669 "type": "WEB", 76670 "url": "https://lists.apache.org/thread.html/r33d25a342af84102903cd9dec8338a5bcba3ecfce10505bdfe793b92%40%3Ccommon-issues.hadoop.apache.org%3E" 76671 }, 76672 { 76673 "type": "WEB", 76674 "url": "https://lists.apache.org/thread.html/r25e25973e9577c62fd0221b4b52990851adf11cbe33036bd67d4b13d@%3Ccommits.cassandra.apache.org%3E" 76675 }, 76676 { 76677 "type": "WEB", 76678 "url": "https://lists.apache.org/thread.html/r25e25973e9577c62fd0221b4b52990851adf11cbe33036bd67d4b13d%40%3Ccommits.cassandra.apache.org%3E" 76679 }, 76680 { 76681 "type": "WEB", 76682 "url": "https://lists.apache.org/thread.html/r21ac3570ce865b8f1e5d26e492aeb714a6aaa53a0c9a6f72ef181556@%3Ccommits.cassandra.apache.org%3E" 76683 } 76684 ], 76685 "related": [ 76686 "CGA-2wfh-9vp6-5hj5" 76687 ], 76688 "schema_version": "1.6.0", 76689 "severity": [ 76690 { 76691 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 76692 "type": "CVSS_V3" 76693 } 76694 ], 76695 "summary": "Improper Restriction of XML External Entity Reference in jackson-mapper-asl" 76696 }, 76697 { 76698 "affected": [ 76699 { 76700 
"database_specific": { 76701 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-56h3-78gp-v83r/GHSA-56h3-78gp-v83r.json" 76702 }, 76703 "package": { 76704 "ecosystem": "Maven", 76705 "name": "org.codehaus.jettison:jettison", 76706 "purl": "pkg:maven/org.codehaus.jettison/jettison" 76707 }, 76708 "ranges": [ 76709 { 76710 "events": [ 76711 { 76712 "introduced": "0" 76713 }, 76714 { 76715 "fixed": "1.5.1" 76716 } 76717 ], 76718 "type": "ECOSYSTEM" 76719 } 76720 ], 76721 "versions": [ 76722 "1.0", 76723 "1.0-RC1", 76724 "1.0-RC2", 76725 "1.0-alpha-1", 76726 "1.0-beta-1", 76727 "1.0.1", 76728 "1.1", 76729 "1.2", 76730 "1.3", 76731 "1.3.1", 76732 "1.3.2", 76733 "1.3.3", 76734 "1.3.4", 76735 "1.3.5", 76736 "1.3.6", 76737 "1.3.7", 76738 "1.3.8", 76739 "1.4.0", 76740 "1.4.1", 76741 "1.5.0" 76742 ] 76743 } 76744 ], 76745 "aliases": [ 76746 "CVE-2022-40149" 76747 ], 76748 "database_specific": { 76749 "cwe_ids": [ 76750 "CWE-121", 76751 "CWE-787" 76752 ], 76753 "github_reviewed": true, 76754 "github_reviewed_at": "2022-09-20T21:22:04Z", 76755 "nvd_published_at": "2022-09-16T10:15:00Z", 76756 "severity": "MODERATE" 76757 }, 76758 "details": "Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. 
This effect may support a denial of service attack.", 76759 "id": "GHSA-56h3-78gp-v83r", 76760 "modified": "2023-11-08T04:10:22.798161Z", 76761 "published": "2022-09-17T00:00:41Z", 76762 "references": [ 76763 { 76764 "type": "ADVISORY", 76765 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40149" 76766 }, 76767 { 76768 "type": "WEB", 76769 "url": "https://github.com/jettison-json/jettison/issues/45" 76770 }, 76771 { 76772 "type": "WEB", 76773 "url": "https://github.com/jettison-json/jettison/pull/49/files" 76774 }, 76775 { 76776 "type": "WEB", 76777 "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538" 76778 }, 76779 { 76780 "type": "PACKAGE", 76781 "url": "https://github.com/jettison-json/jettison" 76782 }, 76783 { 76784 "type": "WEB", 76785 "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1" 76786 }, 76787 { 76788 "type": "WEB", 76789 "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html" 76790 }, 76791 { 76792 "type": "WEB", 76793 "url": "https://www.debian.org/security/2023/dsa-5312" 76794 } 76795 ], 76796 "schema_version": "1.6.0", 76797 "severity": [ 76798 { 76799 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", 76800 "type": "CVSS_V3" 76801 } 76802 ], 76803 "summary": "Jettison parser crash by stackoverflow" 76804 }, 76805 { 76806 "affected": [ 76807 { 76808 "database_specific": { 76809 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-7rf3-mqpx-h7xg/GHSA-7rf3-mqpx-h7xg.json" 76810 }, 76811 "package": { 76812 "ecosystem": "Maven", 76813 "name": "org.codehaus.jettison:jettison", 76814 "purl": "pkg:maven/org.codehaus.jettison/jettison" 76815 }, 76816 "ranges": [ 76817 { 76818 "events": [ 76819 { 76820 "introduced": "0" 76821 }, 76822 { 76823 "fixed": "1.5.2" 76824 } 76825 ], 76826 "type": "ECOSYSTEM" 76827 } 76828 ], 76829 "versions": [ 76830 "1.0", 76831 "1.0-RC1", 76832 "1.0-RC2", 76833 "1.0-alpha-1", 76834 "1.0-beta-1", 76835 
"1.0.1", 76836 "1.1", 76837 "1.2", 76838 "1.3", 76839 "1.3.1", 76840 "1.3.2", 76841 "1.3.3", 76842 "1.3.4", 76843 "1.3.5", 76844 "1.3.6", 76845 "1.3.7", 76846 "1.3.8", 76847 "1.4.0", 76848 "1.4.1", 76849 "1.5.0", 76850 "1.5.1" 76851 ] 76852 } 76853 ], 76854 "aliases": [ 76855 "CVE-2022-45685" 76856 ], 76857 "database_specific": { 76858 "cwe_ids": [ 76859 "CWE-787" 76860 ], 76861 "github_reviewed": true, 76862 "github_reviewed_at": "2023-01-04T14:27:01Z", 76863 "nvd_published_at": "2022-12-13T15:15:00Z", 76864 "severity": "HIGH" 76865 }, 76866 "details": "A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data.", 76867 "id": "GHSA-7rf3-mqpx-h7xg", 76868 "modified": "2023-11-08T04:10:53.332746Z", 76869 "published": "2022-12-13T15:30:26Z", 76870 "references": [ 76871 { 76872 "type": "ADVISORY", 76873 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45685" 76874 }, 76875 { 76876 "type": "WEB", 76877 "url": "https://github.com/jettison-json/jettison/issues/54" 76878 }, 76879 { 76880 "type": "PACKAGE", 76881 "url": "https://github.com/jettison-json/jettison" 76882 }, 76883 { 76884 "type": "WEB", 76885 "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html" 76886 }, 76887 { 76888 "type": "WEB", 76889 "url": "https://www.debian.org/security/2023/dsa-5312" 76890 } 76891 ], 76892 "schema_version": "1.6.0", 76893 "severity": [ 76894 { 76895 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 76896 "type": "CVSS_V3" 76897 } 76898 ], 76899 "summary": "Jettison Out-of-bounds Write vulnerability" 76900 }, 76901 { 76902 "affected": [ 76903 { 76904 "database_specific": { 76905 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-grr4-wv38-f68w/GHSA-grr4-wv38-f68w.json" 76906 }, 76907 "package": { 76908 "ecosystem": "Maven", 76909 "name": "org.codehaus.jettison:jettison", 76910 "purl": "pkg:maven/org.codehaus.jettison/jettison" 76911 }, 76912 
"ranges": [ 76913 { 76914 "events": [ 76915 { 76916 "introduced": "0" 76917 }, 76918 { 76919 "fixed": "1.5.2" 76920 } 76921 ], 76922 "type": "ECOSYSTEM" 76923 } 76924 ], 76925 "versions": [ 76926 "1.0", 76927 "1.0-RC1", 76928 "1.0-RC2", 76929 "1.0-alpha-1", 76930 "1.0-beta-1", 76931 "1.0.1", 76932 "1.1", 76933 "1.2", 76934 "1.3", 76935 "1.3.1", 76936 "1.3.2", 76937 "1.3.3", 76938 "1.3.4", 76939 "1.3.5", 76940 "1.3.6", 76941 "1.3.7", 76942 "1.3.8", 76943 "1.4.0", 76944 "1.4.1", 76945 "1.5.0", 76946 "1.5.1" 76947 ] 76948 } 76949 ], 76950 "aliases": [ 76951 "CVE-2022-45693" 76952 ], 76953 "database_specific": { 76954 "cwe_ids": [ 76955 "CWE-787" 76956 ], 76957 "github_reviewed": true, 76958 "github_reviewed_at": "2023-01-04T14:25:45Z", 76959 "nvd_published_at": "2022-12-13T15:15:00Z", 76960 "severity": "HIGH" 76961 }, 76962 "details": "Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.", 76963 "id": "GHSA-grr4-wv38-f68w", 76964 "modified": "2023-11-08T04:10:53.577855Z", 76965 "published": "2022-12-13T15:30:27Z", 76966 "references": [ 76967 { 76968 "type": "ADVISORY", 76969 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45693" 76970 }, 76971 { 76972 "type": "WEB", 76973 "url": "https://github.com/jettison-json/jettison/issues/52" 76974 }, 76975 { 76976 "type": "PACKAGE", 76977 "url": "https://github.com/jettison-json/jettison" 76978 }, 76979 { 76980 "type": "WEB", 76981 "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html" 76982 }, 76983 { 76984 "type": "WEB", 76985 "url": "https://www.debian.org/security/2023/dsa-5312" 76986 } 76987 ], 76988 "schema_version": "1.6.0", 76989 "severity": [ 76990 { 76991 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 76992 "type": "CVSS_V3" 76993 } 76994 ], 76995 "summary": "Jettison Out-of-bounds Write vulnerability" 76996 }, 76997 { 76998 "affected": [ 76999 { 77000 
"database_specific": { 77001 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-q6g2-g7f3-rr83/GHSA-q6g2-g7f3-rr83.json" 77002 }, 77003 "package": { 77004 "ecosystem": "Maven", 77005 "name": "org.codehaus.jettison:jettison", 77006 "purl": "pkg:maven/org.codehaus.jettison/jettison" 77007 }, 77008 "ranges": [ 77009 { 77010 "events": [ 77011 { 77012 "introduced": "0" 77013 }, 77014 { 77015 "fixed": "1.5.4" 77016 } 77017 ], 77018 "type": "ECOSYSTEM" 77019 } 77020 ], 77021 "versions": [ 77022 "1.0", 77023 "1.0-RC1", 77024 "1.0-RC2", 77025 "1.0-alpha-1", 77026 "1.0-beta-1", 77027 "1.0.1", 77028 "1.1", 77029 "1.2", 77030 "1.3", 77031 "1.3.1", 77032 "1.3.2", 77033 "1.3.3", 77034 "1.3.4", 77035 "1.3.5", 77036 "1.3.6", 77037 "1.3.7", 77038 "1.3.8", 77039 "1.4.0", 77040 "1.4.1", 77041 "1.5.0", 77042 "1.5.1", 77043 "1.5.2", 77044 "1.5.3" 77045 ] 77046 } 77047 ], 77048 "aliases": [ 77049 "CVE-2023-1436" 77050 ], 77051 "database_specific": { 77052 "cwe_ids": [ 77053 "CWE-674" 77054 ], 77055 "github_reviewed": true, 77056 "github_reviewed_at": "2023-03-22T21:23:09Z", 77057 "nvd_published_at": "2023-03-22T06:15:00Z", 77058 "severity": "HIGH" 77059 }, 77060 "details": "An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. 
This leads to a StackOverflowError exception being thrown.", 77061 "id": "GHSA-q6g2-g7f3-rr83", 77062 "modified": "2024-02-20T05:34:09.671471Z", 77063 "published": "2023-03-22T06:30:21Z", 77064 "references": [ 77065 { 77066 "type": "ADVISORY", 77067 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1436" 77068 }, 77069 { 77070 "type": "WEB", 77071 "url": "https://github.com/jettison-json/jettison/issues/60" 77072 }, 77073 { 77074 "type": "WEB", 77075 "url": "https://github.com/jettison-json/jettison/pull/62" 77076 }, 77077 { 77078 "type": "PACKAGE", 77079 "url": "https://github.com/jettison-json/jettison" 77080 }, 77081 { 77082 "type": "WEB", 77083 "url": "https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.4" 77084 }, 77085 { 77086 "type": "WEB", 77087 "url": "https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911" 77088 } 77089 ], 77090 "schema_version": "1.6.0", 77091 "severity": [ 77092 { 77093 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 77094 "type": "CVSS_V3" 77095 } 77096 ], 77097 "summary": "Jettison vulnerable to infinite recursion" 77098 }, 77099 { 77100 "affected": [ 77101 { 77102 "database_specific": { 77103 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-x27m-9w8j-5vcw/GHSA-x27m-9w8j-5vcw.json" 77104 }, 77105 "package": { 77106 "ecosystem": "Maven", 77107 "name": "org.codehaus.jettison:jettison", 77108 "purl": "pkg:maven/org.codehaus.jettison/jettison" 77109 }, 77110 "ranges": [ 77111 { 77112 "events": [ 77113 { 77114 "introduced": "0" 77115 }, 77116 { 77117 "fixed": "1.5.2" 77118 } 77119 ], 77120 "type": "ECOSYSTEM" 77121 } 77122 ], 77123 "versions": [ 77124 "1.0", 77125 "1.0-RC1", 77126 "1.0-RC2", 77127 "1.0-alpha-1", 77128 "1.0-beta-1", 77129 "1.0.1", 77130 "1.1", 77131 "1.2", 77132 "1.3", 77133 "1.3.1", 77134 "1.3.2", 77135 "1.3.3", 77136 "1.3.4", 77137 "1.3.5", 77138 "1.3.6", 77139 "1.3.7", 77140 "1.3.8", 77141 "1.4.0", 77142 "1.4.1", 
77143 "1.5.0", 77144 "1.5.1" 77145 ] 77146 } 77147 ], 77148 "aliases": [ 77149 "CVE-2022-40150" 77150 ], 77151 "database_specific": { 77152 "cwe_ids": [ 77153 "CWE-400", 77154 "CWE-674" 77155 ], 77156 "github_reviewed": true, 77157 "github_reviewed_at": "2022-09-20T21:20:42Z", 77158 "nvd_published_at": "2022-09-16T10:15:00Z", 77159 "severity": "HIGH" 77160 }, 77161 "details": "Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.", 77162 "id": "GHSA-x27m-9w8j-5vcw", 77163 "modified": "2024-02-16T08:08:08.5959Z", 77164 "published": "2022-09-17T00:00:41Z", 77165 "references": [ 77166 { 77167 "type": "ADVISORY", 77168 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40150" 77169 }, 77170 { 77171 "type": "WEB", 77172 "url": "https://github.com/jettison-json/jettison/issues/45" 77173 }, 77174 { 77175 "type": "WEB", 77176 "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46549" 77177 }, 77178 { 77179 "type": "PACKAGE", 77180 "url": "https://github.com/jettison-json/jettison" 77181 }, 77182 { 77183 "type": "WEB", 77184 "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html" 77185 }, 77186 { 77187 "type": "WEB", 77188 "url": "https://www.debian.org/security/2023/dsa-5312" 77189 } 77190 ], 77191 "schema_version": "1.6.0", 77192 "severity": [ 77193 { 77194 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 77195 "type": "CVSS_V3" 77196 } 77197 ], 77198 "summary": "Jettison memory exhaustion" 77199 }, 77200 { 77201 "affected": [ 77202 { 77203 "database_specific": { 77204 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8vhq-qq4p-grq3/GHSA-8vhq-qq4p-grq3.json" 77205 }, 77206 "package": { 77207 "ecosystem": "Maven", 77208 "name": 
"org.codehaus.plexus:plexus-utils", 77209 "purl": "pkg:maven/org.codehaus.plexus/plexus-utils" 77210 }, 77211 "ranges": [ 77212 { 77213 "events": [ 77214 { 77215 "introduced": "0" 77216 }, 77217 { 77218 "fixed": "3.0.16" 77219 } 77220 ], 77221 "type": "ECOSYSTEM" 77222 } 77223 ], 77224 "versions": [ 77225 "1.0.4", 77226 "1.0.5", 77227 "1.1", 77228 "1.2", 77229 "1.3", 77230 "1.4", 77231 "1.4-alpha-1", 77232 "1.4.1", 77233 "1.4.2", 77234 "1.4.3", 77235 "1.4.4", 77236 "1.4.5", 77237 "1.4.6", 77238 "1.4.7", 77239 "1.4.8", 77240 "1.4.9", 77241 "1.5", 77242 "1.5.1", 77243 "1.5.10", 77244 "1.5.11", 77245 "1.5.12", 77246 "1.5.13", 77247 "1.5.14", 77248 "1.5.15", 77249 "1.5.2", 77250 "1.5.3", 77251 "1.5.4", 77252 "1.5.5", 77253 "1.5.6", 77254 "1.5.7", 77255 "1.5.8", 77256 "1.5.9", 77257 "2.0.0", 77258 "2.0.1", 77259 "2.0.2", 77260 "2.0.3", 77261 "2.0.4", 77262 "2.0.5", 77263 "2.0.6", 77264 "2.0.7", 77265 "2.1", 77266 "3.0", 77267 "3.0.1", 77268 "3.0.10", 77269 "3.0.11", 77270 "3.0.12", 77271 "3.0.13", 77272 "3.0.14", 77273 "3.0.15", 77274 "3.0.2", 77275 "3.0.3", 77276 "3.0.4", 77277 "3.0.5", 77278 "3.0.6", 77279 "3.0.7", 77280 "3.0.8", 77281 "3.0.9" 77282 ] 77283 } 77284 ], 77285 "aliases": [ 77286 "CVE-2017-1000487", 77287 "SNYK-JAVA-ORGCODEHAUSPLEXUS-31522" 77288 ], 77289 "database_specific": { 77290 "cwe_ids": [ 77291 "CWE-78" 77292 ], 77293 "github_reviewed": true, 77294 "github_reviewed_at": "2022-07-01T21:47:32Z", 77295 "nvd_published_at": "2018-01-03T20:29:00Z", 77296 "severity": "CRITICAL" 77297 }, 77298 "details": "Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.", 77299 "id": "GHSA-8vhq-qq4p-grq3", 77300 "modified": "2024-08-01T07:41:35.626959Z", 77301 "published": "2022-05-13T01:11:53Z", 77302 "references": [ 77303 { 77304 "type": "ADVISORY", 77305 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000487" 77306 }, 77307 { 77308 "type": "WEB", 77309 "url": 
"https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41" 77310 }, 77311 { 77312 "type": "WEB", 77313 "url": "https://access.redhat.com/errata/RHSA-2018:1322" 77314 }, 77315 { 77316 "type": "PACKAGE", 77317 "url": "https://github.com/codehaus-plexus/plexus-utils" 77318 }, 77319 { 77320 "type": "WEB", 77321 "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" 77322 }, 77323 { 77324 "type": "WEB", 77325 "url": "https://lists.apache.org/thread.html/r2e94f72f53df432302d359fd66cfa9e9efb8d42633d54579a4377e62@%3Cdev.avro.apache.org%3E" 77326 }, 77327 { 77328 "type": "WEB", 77329 "url": "https://lists.apache.org/thread.html/r9584c4304c888f651d214341a939bd264ed30c9e3d0d30fe85097ecf@%3Ccommits.pulsar.apache.org%3E" 77330 }, 77331 { 77332 "type": "WEB", 77333 "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E" 77334 }, 77335 { 77336 "type": "WEB", 77337 "url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00010.html" 77338 }, 77339 { 77340 "type": "WEB", 77341 "url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00011.html" 77342 }, 77343 { 77344 "type": "WEB", 77345 "url": "https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31522" 77346 }, 77347 { 77348 "type": "WEB", 77349 "url": "https://www.debian.org/security/2018/dsa-4146" 77350 }, 77351 { 77352 "type": "WEB", 77353 "url": "https://www.debian.org/security/2018/dsa-4149" 77354 } 77355 ], 77356 "schema_version": "1.6.0", 77357 "severity": [ 77358 { 77359 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 77360 "type": "CVSS_V3" 77361 } 77362 ], 77363 "summary": "OS Command Injection in Plexus-utils" 77364 }, 77365 { 77366 "affected": [ 77367 { 77368 "database_specific": { 77369 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-g6ph-x5wf-g337/GHSA-g6ph-x5wf-g337.json" 77370 }, 77371 "package": { 77372 "ecosystem": "Maven", 77373 "name": "org.codehaus.plexus:plexus-utils", 77374 "purl": "pkg:maven/org.codehaus.plexus/plexus-utils" 77375 }, 77376 "ranges": [ 77377 { 77378 "events": [ 77379 { 77380 "introduced": "0" 77381 }, 77382 { 77383 "fixed": "3.0.24" 77384 } 77385 ], 77386 "type": "ECOSYSTEM" 77387 } 77388 ], 77389 "versions": [ 77390 "1.0.4", 77391 "1.0.5", 77392 "1.1", 77393 "1.2", 77394 "1.3", 77395 "1.4", 77396 "1.4-alpha-1", 77397 "1.4.1", 77398 "1.4.2", 77399 "1.4.3", 77400 "1.4.4", 77401 "1.4.5", 77402 "1.4.6", 77403 "1.4.7", 77404 "1.4.8", 77405 "1.4.9", 77406 "1.5", 77407 "1.5.1", 77408 "1.5.10", 77409 "1.5.11", 77410 "1.5.12", 77411 "1.5.13", 77412 "1.5.14", 77413 "1.5.15", 77414 "1.5.2", 77415 "1.5.3", 77416 "1.5.4", 77417 "1.5.5", 77418 "1.5.6", 77419 "1.5.7", 77420 "1.5.8", 77421 "1.5.9", 77422 "2.0.0", 77423 "2.0.1", 77424 "2.0.2", 77425 "2.0.3", 77426 "2.0.4", 77427 "2.0.5", 77428 "2.0.6", 77429 "2.0.7", 77430 "2.1", 77431 "3.0", 77432 "3.0.1", 77433 "3.0.10", 77434 "3.0.11", 77435 "3.0.12", 77436 "3.0.13", 77437 "3.0.14", 77438 "3.0.15", 77439 "3.0.16", 77440 "3.0.17", 77441 "3.0.18", 77442 "3.0.19", 77443 "3.0.2", 77444 "3.0.20", 77445 "3.0.21", 77446 "3.0.22", 77447 "3.0.23", 77448 "3.0.3", 77449 "3.0.4", 77450 "3.0.5", 77451 "3.0.6", 77452 "3.0.7", 77453 "3.0.8", 77454 "3.0.9" 77455 ] 77456 } 77457 ], 77458 "aliases": [ 77459 "CVE-2022-4244" 77460 ], 77461 "database_specific": { 77462 "cwe_ids": [ 77463 "CWE-22" 77464 ], 77465 "github_reviewed": true, 77466 "github_reviewed_at": "2023-09-26T17:59:40Z", 77467 "nvd_published_at": "2023-09-25T20:15:10Z", 77468 "severity": "HIGH" 77469 }, 77470 "details": "A flaw was found in plexus-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. 
By manipulating files with dot-dot-slash (`../`) sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files. ", 77471 "id": "GHSA-g6ph-x5wf-g337", 77472 "modified": "2024-05-03T20:31:38.024044Z", 77473 "published": "2023-09-25T21:30:26Z", 77474 "references": [ 77475 { 77476 "type": "ADVISORY", 77477 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4244" 77478 }, 77479 { 77480 "type": "WEB", 77481 "url": "https://github.com/codehaus-plexus/plexus-utils/issues/4" 77482 }, 77483 { 77484 "type": "WEB", 77485 "url": "https://github.com/codehaus-plexus/plexus-utils/commit/33a2853df8185b4519b1b8bfae284f03392618ef" 77486 }, 77487 { 77488 "type": "WEB", 77489 "url": "https://access.redhat.com/errata/RHSA-2023:2135" 77490 }, 77491 { 77492 "type": "WEB", 77493 "url": "https://access.redhat.com/errata/RHSA-2023:3906" 77494 }, 77495 { 77496 "type": "WEB", 77497 "url": "https://access.redhat.com/security/cve/CVE-2022-4244" 77498 }, 77499 { 77500 "type": "WEB", 77501 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2149841" 77502 }, 77503 { 77504 "type": "WEB", 77505 "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31521" 77506 } 77507 ], 77508 "schema_version": "1.6.0", 77509 "severity": [ 77510 { 77511 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 77512 "type": "CVSS_V3" 77513 } 77514 ], 77515 "summary": "plexus-codehaus vulnerable to directory traversal" 77516 }, 77517 { 77518 "affected": [ 77519 { 77520 "database_specific": { 77521 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-jcwr-x25h-x5fh/GHSA-jcwr-x25h-x5fh.json" 77522 }, 77523 "package": { 77524 "ecosystem": "Maven", 77525 "name": "org.codehaus.plexus:plexus-utils", 77526 "purl": "pkg:maven/org.codehaus.plexus/plexus-utils" 77527 }, 77528 "ranges": [ 77529 { 
77530 "events": [ 77531 { 77532 "introduced": "0" 77533 }, 77534 { 77535 "fixed": "3.0.24" 77536 } 77537 ], 77538 "type": "ECOSYSTEM" 77539 } 77540 ], 77541 "versions": [ 77542 "1.0.4", 77543 "1.0.5", 77544 "1.1", 77545 "1.2", 77546 "1.3", 77547 "1.4", 77548 "1.4-alpha-1", 77549 "1.4.1", 77550 "1.4.2", 77551 "1.4.3", 77552 "1.4.4", 77553 "1.4.5", 77554 "1.4.6", 77555 "1.4.7", 77556 "1.4.8", 77557 "1.4.9", 77558 "1.5", 77559 "1.5.1", 77560 "1.5.10", 77561 "1.5.11", 77562 "1.5.12", 77563 "1.5.13", 77564 "1.5.14", 77565 "1.5.15", 77566 "1.5.2", 77567 "1.5.3", 77568 "1.5.4", 77569 "1.5.5", 77570 "1.5.6", 77571 "1.5.7", 77572 "1.5.8", 77573 "1.5.9", 77574 "2.0.0", 77575 "2.0.1", 77576 "2.0.2", 77577 "2.0.3", 77578 "2.0.4", 77579 "2.0.5", 77580 "2.0.6", 77581 "2.0.7", 77582 "2.1", 77583 "3.0", 77584 "3.0.1", 77585 "3.0.10", 77586 "3.0.11", 77587 "3.0.12", 77588 "3.0.13", 77589 "3.0.14", 77590 "3.0.15", 77591 "3.0.16", 77592 "3.0.17", 77593 "3.0.18", 77594 "3.0.19", 77595 "3.0.2", 77596 "3.0.20", 77597 "3.0.21", 77598 "3.0.22", 77599 "3.0.23", 77600 "3.0.3", 77601 "3.0.4", 77602 "3.0.5", 77603 "3.0.6", 77604 "3.0.7", 77605 "3.0.8", 77606 "3.0.9" 77607 ] 77608 } 77609 ], 77610 "aliases": [ 77611 "CVE-2022-4245" 77612 ], 77613 "database_specific": { 77614 "cwe_ids": [ 77615 "CWE-611", 77616 "CWE-91" 77617 ], 77618 "github_reviewed": true, 77619 "github_reviewed_at": "2023-09-26T19:38:53Z", 77620 "nvd_published_at": "2023-09-25T20:15:10Z", 77621 "severity": "MODERATE" 77622 }, 77623 "details": "A flaw was found in codehaus-plexus. The `org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment` fails to sanitize comments for a `--\u003e` sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection. 
", 77624 "id": "GHSA-jcwr-x25h-x5fh", 77625 "modified": "2024-05-03T20:32:52.547057Z", 77626 "published": "2023-09-25T21:30:26Z", 77627 "references": [ 77628 { 77629 "type": "ADVISORY", 77630 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4245" 77631 }, 77632 { 77633 "type": "WEB", 77634 "url": "https://github.com/codehaus-plexus/plexus-utils/issues/3" 77635 }, 77636 { 77637 "type": "WEB", 77638 "url": "https://github.com/codehaus-plexus/plexus-utils/commit/f933e5e78dc2637e485447ed821fe14904f110de" 77639 }, 77640 { 77641 "type": "WEB", 77642 "url": "https://access.redhat.com/errata/RHSA-2023:2135" 77643 }, 77644 { 77645 "type": "WEB", 77646 "url": "https://access.redhat.com/errata/RHSA-2023:3906" 77647 }, 77648 { 77649 "type": "WEB", 77650 "url": "https://access.redhat.com/security/cve/CVE-2022-4245" 77651 }, 77652 { 77653 "type": "WEB", 77654 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2149843" 77655 }, 77656 { 77657 "type": "PACKAGE", 77658 "url": "https://github.com/codehaus-plexus/plexus-utils" 77659 }, 77660 { 77661 "type": "WEB", 77662 "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-461102" 77663 } 77664 ], 77665 "schema_version": "1.6.0", 77666 "severity": [ 77667 { 77668 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", 77669 "type": "CVSS_V3" 77670 } 77671 ], 77672 "summary": "codehaus-plexus vulnerable to XML injection" 77673 }, 77674 { 77675 "affected": [ 77676 { 77677 "database_specific": { 77678 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-cj7v-27pg-wf7q/GHSA-cj7v-27pg-wf7q.json" 77679 }, 77680 "package": { 77681 "ecosystem": "Maven", 77682 "name": "org.eclipse.jetty:jetty-http", 77683 "purl": "pkg:maven/org.eclipse.jetty/jetty-http" 77684 }, 77685 "ranges": [ 77686 { 77687 "events": [ 77688 { 77689 "introduced": "0" 77690 }, 77691 { 77692 "fixed": "9.4.47" 77693 } 77694 ], 77695 "type": "ECOSYSTEM" 77696 } 77697 ], 77698 "versions": [ 77699 "7.0.0.M0", 
77700 "7.0.0.M1", 77701 "7.0.0.M2", 77702 "7.0.0.M3", 77703 "7.0.0.M4", 77704 "7.0.0.RC0", 77705 "7.0.0.RC1", 77706 "7.0.0.RC2", 77707 "7.0.0.RC3", 77708 "7.0.0.RC4", 77709 "7.0.0.RC5", 77710 "7.0.0.RC6", 77711 "7.0.0.v20091005", 77712 "7.0.1.v20091125", 77713 "7.0.2.RC0", 77714 "7.0.2.v20100331", 77715 "7.1.0.RC0", 77716 "7.1.0.RC1", 77717 "7.1.0.v20100505", 77718 "7.1.1.v20100517", 77719 "7.1.2.v20100523", 77720 "7.1.3.v20100526", 77721 "7.1.4.v20100610", 77722 "7.1.5.v20100705", 77723 "7.1.6.v20100715", 77724 "7.2.0.RC0", 77725 "7.2.0.v20101020", 77726 "7.2.1.v20101111", 77727 "7.2.2.v20101205", 77728 "7.3.0.v20110203", 77729 "7.3.1.v20110307", 77730 "7.4.0.RC0", 77731 "7.4.0.v20110414", 77732 "7.4.1.v20110513", 77733 "7.4.2.v20110526", 77734 "7.4.3.v20110701", 77735 "7.4.4.v20110707", 77736 "7.4.5.v20110725", 77737 "7.5.0.RC0", 77738 "7.5.0.RC1", 77739 "7.5.0.RC2", 77740 "7.5.0.v20110901", 77741 "7.5.1.v20110908", 77742 "7.5.2.v20111006", 77743 "7.5.3.v20111011", 77744 "7.5.4.v20111024", 77745 "7.6.0.RC0", 77746 "7.6.0.RC1", 77747 "7.6.0.RC2", 77748 "7.6.0.RC3", 77749 "7.6.0.RC4", 77750 "7.6.0.RC5", 77751 "7.6.0.v20120127", 77752 "7.6.1.v20120215", 77753 "7.6.10.v20130312", 77754 "7.6.11.v20130520", 77755 "7.6.12.v20130726", 77756 "7.6.13.v20130916", 77757 "7.6.14.v20131031", 77758 "7.6.15.v20140411", 77759 "7.6.16.v20140903", 77760 "7.6.17.v20150415", 77761 "7.6.18.v20150929", 77762 "7.6.19.v20160209", 77763 "7.6.2.v20120308", 77764 "7.6.20.v20160902", 77765 "7.6.21.v20160908", 77766 "7.6.3.v20120416", 77767 "7.6.4.v20120524", 77768 "7.6.5.v20120716", 77769 "7.6.6.v20120903", 77770 "7.6.7.v20120910", 77771 "7.6.8.v20121106", 77772 "7.6.9.v20130131", 77773 "8.0.0.M0", 77774 "8.0.0.M1", 77775 "8.0.0.M2", 77776 "8.0.0.M3", 77777 "8.0.0.RC0", 77778 "8.0.0.v20110901", 77779 "8.0.1.v20110908", 77780 "8.0.2.v20111006", 77781 "8.0.3.v20111011", 77782 "8.0.4.v20111024", 77783 "8.1.0.RC0", 77784 "8.1.0.RC1", 77785 "8.1.0.RC2", 77786 "8.1.0.RC4", 77787 "8.1.0.RC5", 77788 
"8.1.0.v20120127", 77789 "8.1.1.v20120215", 77790 "8.1.10.v20130312", 77791 "8.1.11.v20130520", 77792 "8.1.12.v20130726", 77793 "8.1.13.v20130916", 77794 "8.1.14.v20131031", 77795 "8.1.15.v20140411", 77796 "8.1.16.v20140903", 77797 "8.1.17.v20150415", 77798 "8.1.18.v20150929", 77799 "8.1.19.v20160209", 77800 "8.1.2.v20120308", 77801 "8.1.20.v20160902", 77802 "8.1.21.v20160908", 77803 "8.1.22.v20160922", 77804 "8.1.3.v20120416", 77805 "8.1.4.v20120524", 77806 "8.1.5.v20120716", 77807 "8.1.6.v20120903", 77808 "8.1.7.v20120910", 77809 "8.1.8.v20121106", 77810 "8.1.9.v20130131", 77811 "8.2.0.v20160908", 77812 "9.0.0.M0", 77813 "9.0.0.M1", 77814 "9.0.0.M2", 77815 "9.0.0.M3", 77816 "9.0.0.M4", 77817 "9.0.0.M5", 77818 "9.0.0.RC0", 77819 "9.0.0.RC1", 77820 "9.0.0.RC2", 77821 "9.0.0.v20130308", 77822 "9.0.1.v20130408", 77823 "9.0.2.v20130417", 77824 "9.0.3.v20130506", 77825 "9.0.4.v20130625", 77826 "9.0.5.v20130815", 77827 "9.0.6.v20130930", 77828 "9.0.7.v20131107", 77829 "9.1.0.M0", 77830 "9.1.0.RC0", 77831 "9.1.0.RC1", 77832 "9.1.0.RC2", 77833 "9.1.0.v20131115", 77834 "9.1.1.v20140108", 77835 "9.1.2.v20140210", 77836 "9.1.3.v20140225", 77837 "9.1.4.v20140401", 77838 "9.1.5.v20140505", 77839 "9.1.6.v20160112", 77840 "9.2.0.M0", 77841 "9.2.0.M1", 77842 "9.2.0.RC0", 77843 "9.2.0.v20140526", 77844 "9.2.1.v20140609", 77845 "9.2.10.v20150310", 77846 "9.2.11.M0", 77847 "9.2.11.v20150529", 77848 "9.2.12.M0", 77849 "9.2.12.v20150709", 77850 "9.2.13.v20150730", 77851 "9.2.14.v20151106", 77852 "9.2.15.v20160210", 77853 "9.2.16.v20160414", 77854 "9.2.17.v20160517", 77855 "9.2.18.v20160721", 77856 "9.2.19.v20160908", 77857 "9.2.2.v20140723", 77858 "9.2.20.v20161216", 77859 "9.2.21.v20170120", 77860 "9.2.22.v20170606", 77861 "9.2.23.v20171218", 77862 "9.2.24.v20180105", 77863 "9.2.25.v20180606", 77864 "9.2.26.v20180806", 77865 "9.2.27.v20190403", 77866 "9.2.28.v20190418", 77867 "9.2.29.v20191105", 77868 "9.2.3.v20140905", 77869 "9.2.30.v20200428", 77870 "9.2.4.v20141103", 77871 
"9.2.5.v20141112", 77872 "9.2.6.v20141205", 77873 "9.2.7.v20150116", 77874 "9.2.8.v20150217", 77875 "9.2.9.v20150224", 77876 "9.3.0.M0", 77877 "9.3.0.M1", 77878 "9.3.0.M2", 77879 "9.3.0.RC0", 77880 "9.3.0.RC1", 77881 "9.3.0.v20150612", 77882 "9.3.1.v20150714", 77883 "9.3.10.M0", 77884 "9.3.10.v20160621", 77885 "9.3.11.M0", 77886 "9.3.11.v20160721", 77887 "9.3.12.v20160915", 77888 "9.3.13.M0", 77889 "9.3.13.v20161014", 77890 "9.3.14.v20161028", 77891 "9.3.15.v20161220", 77892 "9.3.16.v20170120", 77893 "9.3.17.RC0", 77894 "9.3.17.v20170317", 77895 "9.3.18.v20170406", 77896 "9.3.19.v20170502", 77897 "9.3.2.v20150730", 77898 "9.3.20.v20170531", 77899 "9.3.21.M0", 77900 "9.3.21.RC0", 77901 "9.3.21.v20170918", 77902 "9.3.22.v20171030", 77903 "9.3.23.v20180228", 77904 "9.3.24.v20180605", 77905 "9.3.25.v20180904", 77906 "9.3.26.v20190403", 77907 "9.3.27.v20190418", 77908 "9.3.28.v20191105", 77909 "9.3.29.v20201019", 77910 "9.3.3.v20150827", 77911 "9.3.30.v20211001", 77912 "9.3.4.RC0", 77913 "9.3.4.RC1", 77914 "9.3.4.v20151007", 77915 "9.3.5.v20151012", 77916 "9.3.6.v20151106", 77917 "9.3.7.RC0", 77918 "9.3.7.RC1", 77919 "9.3.7.v20160115", 77920 "9.3.8.RC0", 77921 "9.3.8.v20160314", 77922 "9.3.9.M0", 77923 "9.3.9.M1", 77924 "9.3.9.v20160517", 77925 "9.4.0.M0", 77926 "9.4.0.M1", 77927 "9.4.0.RC0", 77928 "9.4.0.RC1", 77929 "9.4.0.RC2", 77930 "9.4.0.RC3", 77931 "9.4.0.v20161208", 77932 "9.4.0.v20180619", 77933 "9.4.1.v20170120", 77934 "9.4.1.v20180619", 77935 "9.4.10.RC0", 77936 "9.4.10.RC1", 77937 "9.4.10.v20180503", 77938 "9.4.11.v20180605", 77939 "9.4.12.RC0", 77940 "9.4.12.RC1", 77941 "9.4.12.RC2", 77942 "9.4.12.v20180830", 77943 "9.4.13.v20181111", 77944 "9.4.14.v20181114", 77945 "9.4.15.v20190215", 77946 "9.4.16.v20190411", 77947 "9.4.17.v20190418", 77948 "9.4.18.v20190429", 77949 "9.4.19.v20190610", 77950 "9.4.2.v20170220", 77951 "9.4.2.v20180619", 77952 "9.4.20.v20190813", 77953 "9.4.21.v20190926", 77954 "9.4.22.v20191022", 77955 "9.4.23.v20191118", 77956 
"9.4.24.v20191120", 77957 "9.4.25.v20191220", 77958 "9.4.26.v20200117", 77959 "9.4.27.v20200227", 77960 "9.4.28.v20200408", 77961 "9.4.29.v20200521", 77962 "9.4.3.v20170317", 77963 "9.4.3.v20180619", 77964 "9.4.30.v20200611", 77965 "9.4.31.v20200723", 77966 "9.4.32.v20200930", 77967 "9.4.33.v20201020", 77968 "9.4.34.v20201102", 77969 "9.4.35.v20201120", 77970 "9.4.36.v20210114", 77971 "9.4.37.v20210219", 77972 "9.4.38.v20210224", 77973 "9.4.39.v20210325", 77974 "9.4.4.v20170414", 77975 "9.4.4.v20180619", 77976 "9.4.40.v20210413", 77977 "9.4.41.v20210516", 77978 "9.4.42.v20210604", 77979 "9.4.43.v20210629", 77980 "9.4.44.v20210927", 77981 "9.4.45.v20220203", 77982 "9.4.46.v20220331", 77983 "9.4.5.v20170502", 77984 "9.4.5.v20180619", 77985 "9.4.6.v20170531", 77986 "9.4.6.v20180619", 77987 "9.4.7.RC0", 77988 "9.4.7.v20170914", 77989 "9.4.7.v20180619", 77990 "9.4.8.v20171121", 77991 "9.4.8.v20180619", 77992 "9.4.9.v20180320" 77993 ] 77994 }, 77995 { 77996 "database_specific": { 77997 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-cj7v-27pg-wf7q/GHSA-cj7v-27pg-wf7q.json" 77998 }, 77999 "package": { 78000 "ecosystem": "Maven", 78001 "name": "org.eclipse.jetty:jetty-http", 78002 "purl": "pkg:maven/org.eclipse.jetty/jetty-http" 78003 }, 78004 "ranges": [ 78005 { 78006 "events": [ 78007 { 78008 "introduced": "10.0.0" 78009 }, 78010 { 78011 "fixed": "10.0.10" 78012 } 78013 ], 78014 "type": "ECOSYSTEM" 78015 } 78016 ], 78017 "versions": [ 78018 "10.0.0", 78019 "10.0.1", 78020 "10.0.2", 78021 "10.0.3", 78022 "10.0.4", 78023 "10.0.5", 78024 "10.0.6", 78025 "10.0.7", 78026 "10.0.8", 78027 "10.0.9" 78028 ] 78029 }, 78030 { 78031 "database_specific": { 78032 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-cj7v-27pg-wf7q/GHSA-cj7v-27pg-wf7q.json" 78033 }, 78034 "package": { 78035 "ecosystem": "Maven", 78036 "name": "org.eclipse.jetty:jetty-http", 78037 "purl": 
"pkg:maven/org.eclipse.jetty/jetty-http" 78038 }, 78039 "ranges": [ 78040 { 78041 "events": [ 78042 { 78043 "introduced": "11.0.0" 78044 }, 78045 { 78046 "fixed": "11.0.10" 78047 } 78048 ], 78049 "type": "ECOSYSTEM" 78050 } 78051 ], 78052 "versions": [ 78053 "11.0.0", 78054 "11.0.1", 78055 "11.0.2", 78056 "11.0.3", 78057 "11.0.4", 78058 "11.0.5", 78059 "11.0.6", 78060 "11.0.7", 78061 "11.0.8", 78062 "11.0.9" 78063 ] 78064 } 78065 ], 78066 "aliases": [ 78067 "CVE-2022-2047" 78068 ], 78069 "database_specific": { 78070 "cwe_ids": [ 78071 "CWE-20" 78072 ], 78073 "github_reviewed": true, 78074 "github_reviewed_at": "2022-07-07T20:55:34Z", 78075 "nvd_published_at": "2022-07-07T21:15:00Z", 78076 "severity": "LOW" 78077 }, 78078 "details": "### Description\nURI use within Jetty's `HttpURI` class can parse invalid URIs such as `http://localhost;/path` as having an authority with a host of `localhost;`.\n\nA URIs of the type `http://localhost;/path` should be interpreted to be either invalid or as `localhost;` to be the userinfo and no host.\nHowever, `HttpURI.host` returns `localhost;` which is definitely wrong.\n\n### Impact\nThis can lead to errors with Jetty's `HttpClient`, and Jetty's `ProxyServlet` / `AsyncProxyServlet` / `AsyncMiddleManServlet` wrongly interpreting an authority with no host as one with a host.\n\n### Patches\nPatched in PR [#8146](https://github.com/eclipse/jetty.project/pull/8146) for Jetty version 9.4.47.\nPatched in PR [#8014](https://github.com/eclipse/jetty.project/pull/8015) for Jetty versions 10.0.10, and 11.0.10\n\n### Workarounds\nNone.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at security@webtide.com.", 78079 "id": "GHSA-cj7v-27pg-wf7q", 78080 "modified": "2024-02-16T08:00:47.277184Z", 78081 "published": "2022-07-07T20:55:34Z", 78082 "references": [ 78083 { 78084 "type": "WEB", 78085 "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q" 78086 }, 
78087 { 78088 "type": "ADVISORY", 78089 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2047" 78090 }, 78091 { 78092 "type": "PACKAGE", 78093 "url": "https://github.com/eclipse/jetty.project" 78094 }, 78095 { 78096 "type": "WEB", 78097 "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00011.html" 78098 }, 78099 { 78100 "type": "WEB", 78101 "url": "https://security.netapp.com/advisory/ntap-20220901-0006" 78102 }, 78103 { 78104 "type": "WEB", 78105 "url": "https://www.debian.org/security/2022/dsa-5198" 78106 } 78107 ], 78108 "schema_version": "1.6.0", 78109 "severity": [ 78110 { 78111 "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", 78112 "type": "CVSS_V3" 78113 } 78114 ], 78115 "summary": "Jetty invalid URI parsing may produce invalid HttpURI.authority" 78116 }, 78117 { 78118 "affected": [ 78119 { 78120 "database_specific": { 78121 "last_known_affected_version_range": "\u003c= 9.4.51", 78122 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-hmr7-m48g-48f6/GHSA-hmr7-m48g-48f6.json" 78123 }, 78124 "package": { 78125 "ecosystem": "Maven", 78126 "name": "org.eclipse.jetty:jetty-http", 78127 "purl": "pkg:maven/org.eclipse.jetty/jetty-http" 78128 }, 78129 "ranges": [ 78130 { 78131 "events": [ 78132 { 78133 "introduced": "9.0.0" 78134 }, 78135 { 78136 "fixed": "9.4.52" 78137 } 78138 ], 78139 "type": "ECOSYSTEM" 78140 } 78141 ], 78142 "versions": [ 78143 "9.0.0.v20130308", 78144 "9.0.1.v20130408", 78145 "9.0.2.v20130417", 78146 "9.0.3.v20130506", 78147 "9.0.4.v20130625", 78148 "9.0.5.v20130815", 78149 "9.0.6.v20130930", 78150 "9.0.7.v20131107", 78151 "9.1.0.M0", 78152 "9.1.0.RC0", 78153 "9.1.0.RC1", 78154 "9.1.0.RC2", 78155 "9.1.0.v20131115", 78156 "9.1.1.v20140108", 78157 "9.1.2.v20140210", 78158 "9.1.3.v20140225", 78159 "9.1.4.v20140401", 78160 "9.1.5.v20140505", 78161 "9.1.6.v20160112", 78162 "9.2.0.M0", 78163 "9.2.0.M1", 78164 "9.2.0.RC0", 78165 "9.2.0.v20140526", 78166 "9.2.1.v20140609", 
78167 "9.2.10.v20150310", 78168 "9.2.11.M0", 78169 "9.2.11.v20150529", 78170 "9.2.12.M0", 78171 "9.2.12.v20150709", 78172 "9.2.13.v20150730", 78173 "9.2.14.v20151106", 78174 "9.2.15.v20160210", 78175 "9.2.16.v20160414", 78176 "9.2.17.v20160517", 78177 "9.2.18.v20160721", 78178 "9.2.19.v20160908", 78179 "9.2.2.v20140723", 78180 "9.2.20.v20161216", 78181 "9.2.21.v20170120", 78182 "9.2.22.v20170606", 78183 "9.2.23.v20171218", 78184 "9.2.24.v20180105", 78185 "9.2.25.v20180606", 78186 "9.2.26.v20180806", 78187 "9.2.27.v20190403", 78188 "9.2.28.v20190418", 78189 "9.2.29.v20191105", 78190 "9.2.3.v20140905", 78191 "9.2.30.v20200428", 78192 "9.2.4.v20141103", 78193 "9.2.5.v20141112", 78194 "9.2.6.v20141205", 78195 "9.2.7.v20150116", 78196 "9.2.8.v20150217", 78197 "9.2.9.v20150224", 78198 "9.3.0.M0", 78199 "9.3.0.M1", 78200 "9.3.0.M2", 78201 "9.3.0.RC0", 78202 "9.3.0.RC1", 78203 "9.3.0.v20150612", 78204 "9.3.1.v20150714", 78205 "9.3.10.M0", 78206 "9.3.10.v20160621", 78207 "9.3.11.M0", 78208 "9.3.11.v20160721", 78209 "9.3.12.v20160915", 78210 "9.3.13.M0", 78211 "9.3.13.v20161014", 78212 "9.3.14.v20161028", 78213 "9.3.15.v20161220", 78214 "9.3.16.v20170120", 78215 "9.3.17.RC0", 78216 "9.3.17.v20170317", 78217 "9.3.18.v20170406", 78218 "9.3.19.v20170502", 78219 "9.3.2.v20150730", 78220 "9.3.20.v20170531", 78221 "9.3.21.M0", 78222 "9.3.21.RC0", 78223 "9.3.21.v20170918", 78224 "9.3.22.v20171030", 78225 "9.3.23.v20180228", 78226 "9.3.24.v20180605", 78227 "9.3.25.v20180904", 78228 "9.3.26.v20190403", 78229 "9.3.27.v20190418", 78230 "9.3.28.v20191105", 78231 "9.3.29.v20201019", 78232 "9.3.3.v20150827", 78233 "9.3.30.v20211001", 78234 "9.3.4.RC0", 78235 "9.3.4.RC1", 78236 "9.3.4.v20151007", 78237 "9.3.5.v20151012", 78238 "9.3.6.v20151106", 78239 "9.3.7.RC0", 78240 "9.3.7.RC1", 78241 "9.3.7.v20160115", 78242 "9.3.8.RC0", 78243 "9.3.8.v20160314", 78244 "9.3.9.M0", 78245 "9.3.9.M1", 78246 "9.3.9.v20160517", 78247 "9.4.0.M0", 78248 "9.4.0.M1", 78249 "9.4.0.RC0", 78250 "9.4.0.RC1", 78251 
"9.4.0.RC2", 78252 "9.4.0.RC3", 78253 "9.4.0.v20161208", 78254 "9.4.0.v20180619", 78255 "9.4.1.v20170120", 78256 "9.4.1.v20180619", 78257 "9.4.10.RC0", 78258 "9.4.10.RC1", 78259 "9.4.10.v20180503", 78260 "9.4.11.v20180605", 78261 "9.4.12.RC0", 78262 "9.4.12.RC1", 78263 "9.4.12.RC2", 78264 "9.4.12.v20180830", 78265 "9.4.13.v20181111", 78266 "9.4.14.v20181114", 78267 "9.4.15.v20190215", 78268 "9.4.16.v20190411", 78269 "9.4.17.v20190418", 78270 "9.4.18.v20190429", 78271 "9.4.19.v20190610", 78272 "9.4.2.v20170220", 78273 "9.4.2.v20180619", 78274 "9.4.20.v20190813", 78275 "9.4.21.v20190926", 78276 "9.4.22.v20191022", 78277 "9.4.23.v20191118", 78278 "9.4.24.v20191120", 78279 "9.4.25.v20191220", 78280 "9.4.26.v20200117", 78281 "9.4.27.v20200227", 78282 "9.4.28.v20200408", 78283 "9.4.29.v20200521", 78284 "9.4.3.v20170317", 78285 "9.4.3.v20180619", 78286 "9.4.30.v20200611", 78287 "9.4.31.v20200723", 78288 "9.4.32.v20200930", 78289 "9.4.33.v20201020", 78290 "9.4.34.v20201102", 78291 "9.4.35.v20201120", 78292 "9.4.36.v20210114", 78293 "9.4.37.v20210219", 78294 "9.4.38.v20210224", 78295 "9.4.39.v20210325", 78296 "9.4.4.v20170414", 78297 "9.4.4.v20180619", 78298 "9.4.40.v20210413", 78299 "9.4.41.v20210516", 78300 "9.4.42.v20210604", 78301 "9.4.43.v20210629", 78302 "9.4.44.v20210927", 78303 "9.4.45.v20220203", 78304 "9.4.46.v20220331", 78305 "9.4.47.v20220610", 78306 "9.4.48.v20220622", 78307 "9.4.49.v20220914", 78308 "9.4.5.v20170502", 78309 "9.4.5.v20180619", 78310 "9.4.50.v20221201", 78311 "9.4.51.v20230217", 78312 "9.4.6.v20170531", 78313 "9.4.6.v20180619", 78314 "9.4.7.RC0", 78315 "9.4.7.v20170914", 78316 "9.4.7.v20180619", 78317 "9.4.8.v20171121", 78318 "9.4.8.v20180619", 78319 "9.4.9.v20180320" 78320 ] 78321 }, 78322 { 78323 "database_specific": { 78324 "last_known_affected_version_range": "\u003c= 10.0.15", 78325 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-hmr7-m48g-48f6/GHSA-hmr7-m48g-48f6.json" 78326 }, 78327 
"package": { 78328 "ecosystem": "Maven", 78329 "name": "org.eclipse.jetty:jetty-http", 78330 "purl": "pkg:maven/org.eclipse.jetty/jetty-http" 78331 }, 78332 "ranges": [ 78333 { 78334 "events": [ 78335 { 78336 "introduced": "10.0.0" 78337 }, 78338 { 78339 "fixed": "10.0.16" 78340 } 78341 ], 78342 "type": "ECOSYSTEM" 78343 } 78344 ], 78345 "versions": [ 78346 "10.0.0", 78347 "10.0.1", 78348 "10.0.10", 78349 "10.0.11", 78350 "10.0.12", 78351 "10.0.13", 78352 "10.0.14", 78353 "10.0.15", 78354 "10.0.2", 78355 "10.0.3", 78356 "10.0.4", 78357 "10.0.5", 78358 "10.0.6", 78359 "10.0.7", 78360 "10.0.8", 78361 "10.0.9" 78362 ] 78363 }, 78364 { 78365 "database_specific": { 78366 "last_known_affected_version_range": "\u003c= 11.0.15", 78367 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-hmr7-m48g-48f6/GHSA-hmr7-m48g-48f6.json" 78368 }, 78369 "package": { 78370 "ecosystem": "Maven", 78371 "name": "org.eclipse.jetty:jetty-http", 78372 "purl": "pkg:maven/org.eclipse.jetty/jetty-http" 78373 }, 78374 "ranges": [ 78375 { 78376 "events": [ 78377 { 78378 "introduced": "11.0.0" 78379 }, 78380 { 78381 "fixed": "11.0.16" 78382 } 78383 ], 78384 "type": "ECOSYSTEM" 78385 } 78386 ], 78387 "versions": [ 78388 "11.0.0", 78389 "11.0.1", 78390 "11.0.10", 78391 "11.0.11", 78392 "11.0.12", 78393 "11.0.13", 78394 "11.0.14", 78395 "11.0.15", 78396 "11.0.2", 78397 "11.0.3", 78398 "11.0.4", 78399 "11.0.5", 78400 "11.0.6", 78401 "11.0.7", 78402 "11.0.8", 78403 "11.0.9" 78404 ] 78405 }, 78406 { 78407 "database_specific": { 78408 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-hmr7-m48g-48f6/GHSA-hmr7-m48g-48f6.json" 78409 }, 78410 "package": { 78411 "ecosystem": "Maven", 78412 "name": "org.eclipse.jetty:jetty-http", 78413 "purl": "pkg:maven/org.eclipse.jetty/jetty-http" 78414 }, 78415 "ranges": [ 78416 { 78417 "events": [ 78418 { 78419 "introduced": "12.0.0" 78420 }, 78421 { 78422 "fixed": 
"12.0.1" 78423 } 78424 ], 78425 "type": "ECOSYSTEM" 78426 } 78427 ], 78428 "versions": [ 78429 "12.0.0" 78430 ] 78431 } 78432 ], 78433 "aliases": [ 78434 "CVE-2023-40167" 78435 ], 78436 "database_specific": { 78437 "cwe_ids": [ 78438 "CWE-130" 78439 ], 78440 "github_reviewed": true, 78441 "github_reviewed_at": "2023-09-14T16:17:27Z", 78442 "nvd_published_at": "2023-09-15T20:15:09Z", 78443 "severity": "MODERATE" 78444 }, 78445 "details": "### Impact\n\nJetty accepts the '+' character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response.\n\n### Workarounds\n\nThere is no workaround as there is no known exploit scenario. \n\n### Original Report \n\n[RFC 9110 Section 8.6](https://www.rfc-editor.org/rfc/rfc9110#section-8.6) defined the value of Content-Length header should be a string of 0-9 digits. 
However we found that Jetty accepts \"+\" prefixed Content-Length, which could lead to potential HTTP request smuggling.\n\nPayload:\n\n```\n POST / HTTP/1.1\n Host: a.com\n Content-Length: +16\n Connection: close\n \n 0123456789abcdef\n```\n\nWhen sending this payload to Jetty, it can successfully parse and identify the length.\n\nWhen sending this payload to NGINX, Apache HTTPd or other HTTP servers/parsers, they will return 400 bad request.\n\nThis behavior can lead to HTTP request smuggling and can be leveraged to bypass WAF or IDS.", 78446 "id": "GHSA-hmr7-m48g-48f6", 78447 "modified": "2024-02-16T07:59:58.440241Z", 78448 "published": "2023-09-14T16:17:27Z", 78449 "references": [ 78450 { 78451 "type": "WEB", 78452 "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6" 78453 }, 78454 { 78455 "type": "ADVISORY", 78456 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40167" 78457 }, 78458 { 78459 "type": "PACKAGE", 78460 "url": "https://github.com/eclipse/jetty.project" 78461 }, 78462 { 78463 "type": "WEB", 78464 "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html" 78465 }, 78466 { 78467 "type": "WEB", 78468 "url": "https://www.debian.org/security/2023/dsa-5507" 78469 }, 78470 { 78471 "type": "WEB", 78472 "url": "https://www.rfc-editor.org/rfc/rfc9110#section-8.6" 78473 } 78474 ], 78475 "related": [ 78476 "CGA-j3h8-74jw-2w8w", 78477 "CGA-vqpm-qwj8-mfq5" 78478 ], 78479 "schema_version": "1.6.0", 78480 "severity": [ 78481 { 78482 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", 78483 "type": "CVSS_V3" 78484 } 78485 ], 78486 "summary": "Jetty accepts \"+\" prefixed value in Content-Length" 78487 }, 78488 { 78489 "affected": [ 78490 { 78491 "database_specific": { 78492 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-26vr-8j45-3r4w/GHSA-26vr-8j45-3r4w.json" 78493 }, 78494 "package": { 78495 "ecosystem": "Maven", 78496 "name": 
"org.eclipse.jetty:jetty-server", 78497 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 78498 }, 78499 "ranges": [ 78500 { 78501 "events": [ 78502 { 78503 "introduced": "7.2.2" 78504 }, 78505 { 78506 "fixed": "9.4.39" 78507 } 78508 ], 78509 "type": "ECOSYSTEM" 78510 } 78511 ], 78512 "versions": [ 78513 "7.2.2.v20101205", 78514 "7.3.0.v20110203", 78515 "7.3.1.v20110307", 78516 "7.4.0.RC0", 78517 "7.4.0.v20110414", 78518 "7.4.1.v20110513", 78519 "7.4.2.v20110526", 78520 "7.4.3.v20110701", 78521 "7.4.4.v20110707", 78522 "7.4.5.v20110725", 78523 "7.5.0.RC0", 78524 "7.5.0.RC1", 78525 "7.5.0.RC2", 78526 "7.5.0.v20110901", 78527 "7.5.1.v20110908", 78528 "7.5.2.v20111006", 78529 "7.5.3.v20111011", 78530 "7.5.4.v20111024", 78531 "7.6.0.RC0", 78532 "7.6.0.RC1", 78533 "7.6.0.RC2", 78534 "7.6.0.RC3", 78535 "7.6.0.RC4", 78536 "7.6.0.RC5", 78537 "7.6.0.v20120127", 78538 "7.6.1.v20120215", 78539 "7.6.10.v20130312", 78540 "7.6.11.v20130520", 78541 "7.6.12.v20130726", 78542 "7.6.13.v20130916", 78543 "7.6.14.v20131031", 78544 "7.6.15.v20140411", 78545 "7.6.16.v20140903", 78546 "7.6.17.v20150415", 78547 "7.6.18.v20150929", 78548 "7.6.19.v20160209", 78549 "7.6.2.v20120308", 78550 "7.6.20.v20160902", 78551 "7.6.21.v20160908", 78552 "7.6.3.v20120416", 78553 "7.6.4.v20120524", 78554 "7.6.5.v20120716", 78555 "7.6.6.v20120903", 78556 "7.6.7.v20120910", 78557 "7.6.8.v20121106", 78558 "7.6.9.v20130131", 78559 "8.0.0.M0", 78560 "8.0.0.M1", 78561 "8.0.0.M2", 78562 "8.0.0.M3", 78563 "8.0.0.RC0", 78564 "8.0.0.v20110901", 78565 "8.0.1.v20110908", 78566 "8.0.2.v20111006", 78567 "8.0.3.v20111011", 78568 "8.0.4.v20111024", 78569 "8.1.0.RC0", 78570 "8.1.0.RC1", 78571 "8.1.0.RC2", 78572 "8.1.0.RC4", 78573 "8.1.0.RC5", 78574 "8.1.0.v20120127", 78575 "8.1.1.v20120215", 78576 "8.1.10.v20130312", 78577 "8.1.11.v20130520", 78578 "8.1.12.v20130726", 78579 "8.1.13.v20130916", 78580 "8.1.14.v20131031", 78581 "8.1.15.v20140411", 78582 "8.1.16.v20140903", 78583 "8.1.17.v20150415", 78584 "8.1.18.v20150929", 
78585 "8.1.19.v20160209", 78586 "8.1.2.v20120308", 78587 "8.1.20.v20160902", 78588 "8.1.21.v20160908", 78589 "8.1.22.v20160922", 78590 "8.1.3.v20120416", 78591 "8.1.4.v20120524", 78592 "8.1.5.v20120716", 78593 "8.1.6.v20120903", 78594 "8.1.7.v20120910", 78595 "8.1.8.v20121106", 78596 "8.1.9.v20130131", 78597 "8.2.0.v20160908", 78598 "9.0.0.M0", 78599 "9.0.0.M1", 78600 "9.0.0.M2", 78601 "9.0.0.M3", 78602 "9.0.0.M4", 78603 "9.0.0.M5", 78604 "9.0.0.RC0", 78605 "9.0.0.RC1", 78606 "9.0.0.RC2", 78607 "9.0.0.v20130308", 78608 "9.0.1.v20130408", 78609 "9.0.2.v20130417", 78610 "9.0.3.v20130506", 78611 "9.0.4.v20130625", 78612 "9.0.5.v20130815", 78613 "9.0.6.v20130930", 78614 "9.0.7.v20131107", 78615 "9.1.0.M0", 78616 "9.1.0.RC0", 78617 "9.1.0.RC1", 78618 "9.1.0.RC2", 78619 "9.1.0.v20131115", 78620 "9.1.1.v20140108", 78621 "9.1.2.v20140210", 78622 "9.1.3.v20140225", 78623 "9.1.4.v20140401", 78624 "9.1.5.v20140505", 78625 "9.1.6.v20160112", 78626 "9.2.0.M0", 78627 "9.2.0.M1", 78628 "9.2.0.RC0", 78629 "9.2.0.v20140526", 78630 "9.2.1.v20140609", 78631 "9.2.10.v20150310", 78632 "9.2.11.M0", 78633 "9.2.11.v20150529", 78634 "9.2.12.M0", 78635 "9.2.12.v20150709", 78636 "9.2.13.v20150730", 78637 "9.2.14.v20151106", 78638 "9.2.15.v20160210", 78639 "9.2.16.v20160414", 78640 "9.2.17.v20160517", 78641 "9.2.18.v20160721", 78642 "9.2.19.v20160908", 78643 "9.2.2.v20140723", 78644 "9.2.20.v20161216", 78645 "9.2.21.v20170120", 78646 "9.2.22.v20170606", 78647 "9.2.23.v20171218", 78648 "9.2.24.v20180105", 78649 "9.2.25.v20180606", 78650 "9.2.26.v20180806", 78651 "9.2.27.v20190403", 78652 "9.2.28.v20190418", 78653 "9.2.29.v20191105", 78654 "9.2.3.v20140905", 78655 "9.2.30.v20200428", 78656 "9.2.4.v20141103", 78657 "9.2.5.v20141112", 78658 "9.2.6.v20141205", 78659 "9.2.7.v20150116", 78660 "9.2.8.v20150217", 78661 "9.2.9.v20150224", 78662 "9.3.0.M0", 78663 "9.3.0.M1", 78664 "9.3.0.M2", 78665 "9.3.0.RC0", 78666 "9.3.0.RC1", 78667 "9.3.0.v20150612", 78668 "9.3.1.v20150714", 78669 "9.3.10.M0", 78670 
"9.3.10.v20160621", 78671 "9.3.11.M0", 78672 "9.3.11.v20160721", 78673 "9.3.12.v20160915", 78674 "9.3.13.M0", 78675 "9.3.13.v20161014", 78676 "9.3.14.v20161028", 78677 "9.3.15.v20161220", 78678 "9.3.16.v20170120", 78679 "9.3.17.RC0", 78680 "9.3.17.v20170317", 78681 "9.3.18.v20170406", 78682 "9.3.19.v20170502", 78683 "9.3.2.v20150730", 78684 "9.3.20.v20170531", 78685 "9.3.21.M0", 78686 "9.3.21.RC0", 78687 "9.3.21.v20170918", 78688 "9.3.22.v20171030", 78689 "9.3.23.v20180228", 78690 "9.3.24.v20180605", 78691 "9.3.25.v20180904", 78692 "9.3.26.v20190403", 78693 "9.3.27.v20190418", 78694 "9.3.28.v20191105", 78695 "9.3.29.v20201019", 78696 "9.3.3.v20150827", 78697 "9.3.30.v20211001", 78698 "9.3.4.RC0", 78699 "9.3.4.RC1", 78700 "9.3.4.v20151007", 78701 "9.3.5.v20151012", 78702 "9.3.6.v20151106", 78703 "9.3.7.RC0", 78704 "9.3.7.RC1", 78705 "9.3.7.v20160115", 78706 "9.3.8.RC0", 78707 "9.3.8.v20160314", 78708 "9.3.9.M0", 78709 "9.3.9.M1", 78710 "9.3.9.v20160517", 78711 "9.4.0.M0", 78712 "9.4.0.M1", 78713 "9.4.0.RC0", 78714 "9.4.0.RC1", 78715 "9.4.0.RC2", 78716 "9.4.0.RC3", 78717 "9.4.0.v20161208", 78718 "9.4.0.v20180619", 78719 "9.4.1.v20170120", 78720 "9.4.1.v20180619", 78721 "9.4.10.RC0", 78722 "9.4.10.RC1", 78723 "9.4.10.v20180503", 78724 "9.4.11.v20180605", 78725 "9.4.12.RC0", 78726 "9.4.12.RC1", 78727 "9.4.12.RC2", 78728 "9.4.12.v20180830", 78729 "9.4.13.v20181111", 78730 "9.4.14.v20181114", 78731 "9.4.15.v20190215", 78732 "9.4.16.v20190411", 78733 "9.4.17.v20190418", 78734 "9.4.18.v20190429", 78735 "9.4.19.v20190610", 78736 "9.4.2.v20170220", 78737 "9.4.2.v20180619", 78738 "9.4.20.v20190813", 78739 "9.4.21.v20190926", 78740 "9.4.22.v20191022", 78741 "9.4.23.v20191118", 78742 "9.4.24.v20191120", 78743 "9.4.25.v20191220", 78744 "9.4.26.v20200117", 78745 "9.4.27.v20200227", 78746 "9.4.28.v20200408", 78747 "9.4.29.v20200521", 78748 "9.4.3.v20170317", 78749 "9.4.3.v20180619", 78750 "9.4.30.v20200611", 78751 "9.4.31.v20200723", 78752 "9.4.32.v20200930", 78753 
"9.4.33.v20201020", 78754 "9.4.34.v20201102", 78755 "9.4.35.v20201120", 78756 "9.4.36.v20210114", 78757 "9.4.37.v20210219", 78758 "9.4.38.v20210224", 78759 "9.4.4.v20170414", 78760 "9.4.4.v20180619", 78761 "9.4.5.v20170502", 78762 "9.4.5.v20180619", 78763 "9.4.6.v20170531", 78764 "9.4.6.v20180619", 78765 "9.4.7.RC0", 78766 "9.4.7.v20170914", 78767 "9.4.7.v20180619", 78768 "9.4.8.v20171121", 78769 "9.4.8.v20180619", 78770 "9.4.9.v20180320" 78771 ] 78772 }, 78773 { 78774 "database_specific": { 78775 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-26vr-8j45-3r4w/GHSA-26vr-8j45-3r4w.json" 78776 }, 78777 "package": { 78778 "ecosystem": "Maven", 78779 "name": "org.eclipse.jetty:jetty-server", 78780 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 78781 }, 78782 "ranges": [ 78783 { 78784 "events": [ 78785 { 78786 "introduced": "10.0.0" 78787 }, 78788 { 78789 "fixed": "10.0.2" 78790 } 78791 ], 78792 "type": "ECOSYSTEM" 78793 } 78794 ], 78795 "versions": [ 78796 "10.0.0", 78797 "10.0.1" 78798 ] 78799 }, 78800 { 78801 "database_specific": { 78802 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-26vr-8j45-3r4w/GHSA-26vr-8j45-3r4w.json" 78803 }, 78804 "package": { 78805 "ecosystem": "Maven", 78806 "name": "org.eclipse.jetty:jetty-server", 78807 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 78808 }, 78809 "ranges": [ 78810 { 78811 "events": [ 78812 { 78813 "introduced": "11.0.0" 78814 }, 78815 { 78816 "fixed": "11.0.2" 78817 } 78818 ], 78819 "type": "ECOSYSTEM" 78820 } 78821 ], 78822 "versions": [ 78823 "11.0.0", 78824 "11.0.1" 78825 ] 78826 } 78827 ], 78828 "aliases": [ 78829 "BIT-jenkins-2021-28165", 78830 "CVE-2021-28165" 78831 ], 78832 "database_specific": { 78833 "cwe_ids": [ 78834 "CWE-400", 78835 "CWE-551", 78836 "CWE-755" 78837 ], 78838 "github_reviewed": true, 78839 "github_reviewed_at": "2021-04-02T23:02:13Z", 78840 "nvd_published_at": 
"2021-04-01T15:15:00Z", 78841 "severity": "HIGH" 78842 }, 78843 "details": "### Impact\nWhen using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage.\n\n### Workarounds\n\nThe problem can be worked around by compiling the following class:\n```java\npackage org.eclipse.jetty.server.ssl.fix6072;\n\nimport java.nio.ByteBuffer;\nimport javax.net.ssl.SSLEngine;\nimport javax.net.ssl.SSLEngineResult;\nimport javax.net.ssl.SSLException;\nimport javax.net.ssl.SSLHandshakeException;\n\nimport org.eclipse.jetty.io.EndPoint;\nimport org.eclipse.jetty.io.ssl.SslConnection;\nimport org.eclipse.jetty.server.Connector;\nimport org.eclipse.jetty.server.SslConnectionFactory;\nimport org.eclipse.jetty.util.BufferUtil;\nimport org.eclipse.jetty.util.annotation.Name;\nimport org.eclipse.jetty.util.ssl.SslContextFactory;\n\npublic class SpaceCheckingSslConnectionFactory extends SslConnectionFactory\n{\n public SpaceCheckingSslConnectionFactory(@Name(\"sslContextFactory\") SslContextFactory factory, @Name(\"next\") String nextProtocol)\n {\n super(factory, nextProtocol);\n }\n\n @Override\n protected SslConnection newSslConnection(Connector connector, EndPoint endPoint, SSLEngine engine)\n {\n return new SslConnection(connector.getByteBufferPool(), connector.getExecutor(), endPoint, engine, isDirectBuffersForEncryption(), isDirectBuffersForDecryption())\n {\n @Override\n protected SSLEngineResult unwrap(SSLEngine sslEngine, ByteBuffer input, ByteBuffer output) throws SSLException\n {\n SSLEngineResult results = super.unwrap(sslEngine, input, output);\n\n if ((results.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW ||\n results.getStatus() == SSLEngineResult.Status.OK \u0026\u0026 results.bytesConsumed() == 0 \u0026\u0026 results.bytesProduced() == 0) \u0026\u0026\n BufferUtil.space(input) == 0)\n {\n 
BufferUtil.clear(input);\n throw new SSLHandshakeException(\"Encrypted buffer max length exceeded\");\n }\n return results;\n }\n };\n }\n}\n```\nThis class can be deployed by:\n + The resulting class file should be put into a jar file (eg sslfix6072.jar)\n + The jar file should be made available to the server. For a normal distribution this can be done by putting the file into ${jetty.base}/lib\n + Copy the file `${jetty.home}/modules/ssl.mod` to `${jetty.base}/modules`\n + Edit the `${jetty.base}/modules/ssl.mod` file to have the following section:\n\n```\n[lib]\nlib/sslfix6072.jar\n```\n\n+ Copy the file `${jetty.home}/etc/jetty-https.xml` and`${jetty.home}/etc/jetty-http2.xml` to `${jetty.base}/etc`\n+ Edit files `${jetty.base}/etc/jetty-https.xml` and `${jetty.base}/etc/jetty-http2.xml`, changing any reference of `org.eclipse.jetty.server.SslConnectionFactory` to `org.eclipse.jetty.server.ssl.fix6072.SpaceCheckingSslConnectionFactory`. For example:\n```xml\n \u003cCall name=\"addIfAbsentConnectionFactory\"\u003e\n \u003cArg\u003e\n \u003cNew class=\"org.eclipse.jetty.server.ssl.fix6072.SpaceCheckingSslConnectionFactory\"\u003e\n \u003cArg name=\"next\"\u003ehttp/1.1\u003c/Arg\u003e\n \u003cArg name=\"sslContextFactory\"\u003e\u003cRef refid=\"sslContextFactory\"/\u003e\u003c/Arg\u003e\n \u003c/New\u003e\n \u003c/Arg\u003e\n \u003c/Call\u003e\n```\n+ Restart Jetty", 78844 "id": "GHSA-26vr-8j45-3r4w", 78845 "modified": "2024-03-11T05:36:57.484846Z", 78846 "published": "2021-04-06T17:31:30Z", 78847 "references": [ 78848 { 78849 "type": "WEB", 78850 "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w" 78851 }, 78852 { 78853 "type": "ADVISORY", 78854 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28165" 78855 }, 78856 { 78857 "type": "WEB", 78858 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 78859 }, 78860 { 78861 "type": "WEB", 78862 "url": 
"https://lists.apache.org/thread.html/rc907ed7b089828364437de5ed57fa062330970dc1bc5cd214b711f77@%3Ccommits.zookeeper.apache.org%3E" 78863 }, 78864 { 78865 "type": "WEB", 78866 "url": "https://lists.apache.org/thread.html/rc6c43c3180c0efe00497c73dd374cd34b62036cb67987ad42c1f2dce@%3Creviews.spark.apache.org%3E" 78867 }, 78868 { 78869 "type": "WEB", 78870 "url": "https://lists.apache.org/thread.html/rc4dbc9907b0bdd634200ac90a15283d9c143c11af66e7ec72128d020@%3Cjira.kafka.apache.org%3E" 78871 }, 78872 { 78873 "type": "WEB", 78874 "url": "https://lists.apache.org/thread.html/rc4779abc1cface47e956cf9f8910f15d79c24477e7b1ac9be076a825@%3Cjira.kafka.apache.org%3E" 78875 }, 78876 { 78877 "type": "WEB", 78878 "url": "https://lists.apache.org/thread.html/rbd9a837a18ca57ac0d9b4165a6eec95ee132f55d025666fe41099f33@%3Creviews.spark.apache.org%3E" 78879 }, 78880 { 78881 "type": "WEB", 78882 "url": "https://lists.apache.org/thread.html/rbcd7b477df55857bb6cae21fcc4404683ac98aac1a47551f0dc55486@%3Cissues.zookeeper.apache.org%3E" 78883 }, 78884 { 78885 "type": "WEB", 78886 "url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E" 78887 }, 78888 { 78889 "type": "WEB", 78890 "url": "https://lists.apache.org/thread.html/rbba0b02a3287e34af328070dd58f7828612f96e2e64992137f4dc63d@%3Cnotifications.zookeeper.apache.org%3E" 78891 }, 78892 { 78893 "type": "WEB", 78894 "url": "https://lists.apache.org/thread.html/rbab9e67ec97591d063905bc7d4743e6a673f1bc457975fc0445ac97f@%3Cissues.hbase.apache.org%3E" 78895 }, 78896 { 78897 "type": "WEB", 78898 "url": "https://lists.apache.org/thread.html/rb8f5a6ded384eb00608e6137e87110e7dd7d5054cc34561cb89b81af@%3Creviews.spark.apache.org%3E" 78899 }, 78900 { 78901 "type": "WEB", 78902 "url": "https://lists.apache.org/thread.html/rb66ed0b4bb74836add60dd5ddf9172016380b2aeefb7f96fe348537b@%3Creviews.spark.apache.org%3E" 78903 }, 78904 { 78905 "type": "WEB", 78906 "url": 
"https://lists.apache.org/thread.html/rb2d34abb67cdf525945fe4b821c5cdbca29a78d586ae1f9f505a311c@%3Creviews.spark.apache.org%3E" 78907 }, 78908 { 78909 "type": "WEB", 78910 "url": "https://lists.apache.org/thread.html/rb1624b9777a3070135e94331a428c6653a6a1edccd56fa9fb7a547f2@%3Creviews.spark.apache.org%3E" 78911 }, 78912 { 78913 "type": "WEB", 78914 "url": "https://lists.apache.org/thread.html/rb11a13e623218c70b9f2a2d0d122fdaaf905e04a2edcd23761894464@%3Cnotifications.zookeeper.apache.org%3E" 78915 }, 78916 { 78917 "type": "WEB", 78918 "url": "https://lists.apache.org/thread.html/rb00345f6b1620b553d2cc1acaf3017aa75cea3776b911e024fa3b187@%3Creviews.spark.apache.org%3E" 78919 }, 78920 { 78921 "type": "WEB", 78922 "url": "https://lists.apache.org/thread.html/raea6e820644e8c5a577f77d4e2044f8ab52183c2536b00c56738beef@%3Creviews.spark.apache.org%3E" 78923 }, 78924 { 78925 "type": "WEB", 78926 "url": "https://lists.apache.org/thread.html/rae8bbc5a516f3e21b8a55e61ff6ad0ced03bdbd116d2170a3eed9f5c@%3Creviews.spark.apache.org%3E" 78927 }, 78928 { 78929 "type": "WEB", 78930 "url": "https://lists.apache.org/thread.html/ra9dd15ba8a4fb7e42c7fe948a6d6b3868fd6bbf8e3fb37fcf33b2cd0@%3Cnotifications.zookeeper.apache.org%3E" 78931 }, 78932 { 78933 "type": "WEB", 78934 "url": "https://lists.apache.org/thread.html/ra50519652b0b7f869a14fbfb4be9758a29171d7fe561bb7e036e8449@%3Cissues.hbase.apache.org%3E" 78935 }, 78936 { 78937 "type": "WEB", 78938 "url": "https://lists.apache.org/thread.html/ra21b3e6bd9669377139fe33fb46edf6fece3f31375bc42a0dcc964b2@%3Cnotifications.zookeeper.apache.org%3E" 78939 }, 78940 { 78941 "type": "WEB", 78942 "url": "https://lists.apache.org/thread.html/ra210e38ae0bf615084390b26ba01bb5d66c0a76f232277446ae0948a@%3Cnotifications.zookeeper.apache.org%3E" 78943 }, 78944 { 78945 "type": "WEB", 78946 "url": "https://lists.apache.org/thread.html/r9fae5a4087d9ed1c9d4f0c7493b6981a4741cfb4bebb2416da638424@%3Cissues.spark.apache.org%3E" 78947 }, 78948 { 78949 "type": "WEB", 78950 
"url": "https://lists.apache.org/thread.html/r9db72e9c33b93eba45a214af588f1d553839b5c3080fc913854a49ab@%3Cnotifications.zookeeper.apache.org%3E" 78951 }, 78952 { 78953 "type": "WEB", 78954 "url": "https://lists.apache.org/thread.html/r9b793db9f395b546e66fb9c44fe1cd75c7755029e944dfee31b8b779@%3Creviews.spark.apache.org%3E" 78955 }, 78956 { 78957 "type": "WEB", 78958 "url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E" 78959 }, 78960 { 78961 "type": "WEB", 78962 "url": "https://lists.apache.org/thread.html/r4abbd760d24bab2b8f1294c5c9216ae915100099c4391ad64e9ae38b@%3Cdev.hbase.apache.org%3E" 78963 }, 78964 { 78965 "type": "WEB", 78966 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 78967 }, 78968 { 78969 "type": "WEB", 78970 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 78971 }, 78972 { 78973 "type": "WEB", 78974 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 78975 }, 78976 { 78977 "type": "WEB", 78978 "url": "https://www.debian.org/security/2021/dsa-4949" 78979 }, 78980 { 78981 "type": "WEB", 78982 "url": "https://security.netapp.com/advisory/ntap-20210611-0006" 78983 }, 78984 { 78985 "type": "WEB", 78986 "url": "https://lists.apache.org/thread.html/rfd3ff6e66b6bbcfb2fefa9f5a20328937c0369b2e142e3e1c6774743@%3Creviews.spark.apache.org%3E" 78987 }, 78988 { 78989 "type": "WEB", 78990 "url": "https://lists.apache.org/thread.html/rfc9f51b4e21022b3cd6cb6f90791a6a6999560212e519b5f09db0aed@%3Ccommits.pulsar.apache.org%3E" 78991 }, 78992 { 78993 "type": "WEB", 78994 "url": "https://lists.apache.org/thread.html/rf99f9a25ca24fe519c9346388f61b5b3a09be31b800bf37f01473ad7@%3Cnotifications.zookeeper.apache.org%3E" 78995 }, 78996 { 78997 "type": "WEB", 78998 "url": "https://lists.apache.org/thread.html/rf6de4c249bd74007f5f66f683c110535f46e719d2f83a41e8faf295f@%3Creviews.spark.apache.org%3E" 78999 }, 79000 { 79001 "type": "WEB", 79002 "url": 
"https://lists.apache.org/thread.html/rf1b02dfccd27b8bbc3afd119b212452fa32e9ed7d506be9357a3a7ec@%3Creviews.spark.apache.org%3E" 79003 }, 79004 { 79005 "type": "WEB", 79006 "url": "https://lists.apache.org/thread.html/ree1895a256a9db951e0d97a76222909c2e1f28c1a3d89933173deed6@%3Creviews.spark.apache.org%3E" 79007 }, 79008 { 79009 "type": "WEB", 79010 "url": "https://lists.apache.org/thread.html/re6614b4fe7dbb945409daadb9e1cc73c02383df68bf9334736107a6e@%3Cdev.zookeeper.apache.org%3E" 79011 }, 79012 { 79013 "type": "WEB", 79014 "url": "https://lists.apache.org/thread.html/re577736ca7da51952c910b345a500b7676ea9931c9b19709b87f292b@%3Cissues.zookeeper.apache.org%3E" 79015 }, 79016 { 79017 "type": "WEB", 79018 "url": "https://lists.apache.org/thread.html/re3a1617d16a7367f767b8209b2151f4c19958196354b39568c532f26@%3Creviews.spark.apache.org%3E" 79019 }, 79020 { 79021 "type": "WEB", 79022 "url": "https://lists.apache.org/thread.html/re0545ecced2d468c94ce4dcfa37d40a9573cc68ef5f6839ffca9c1c1@%3Ccommits.hbase.apache.org%3E" 79023 }, 79024 { 79025 "type": "WEB", 79026 "url": "https://lists.apache.org/thread.html/rdfe5f1c071ba9dadba18d7fb0ff13ea6ecb33da624250c559999eaeb@%3Creviews.spark.apache.org%3E" 79027 }, 79028 { 79029 "type": "WEB", 79030 "url": "https://lists.apache.org/thread.html/rdf4fe435891e8c35e70ea5da033b4c3da78760f15a8c4212fad89d9f@%3Ccommits.zookeeper.apache.org%3E" 79031 }, 79032 { 79033 "type": "WEB", 79034 "url": "https://lists.apache.org/thread.html/rdde34d53aa80193cda016272d61e6749f8a9044ccb37a30768938f7e@%3Creviews.spark.apache.org%3E" 79035 }, 79036 { 79037 "type": "WEB", 79038 "url": "https://lists.apache.org/thread.html/rdbf2a2cd1800540ae50dd78b57411229223a6172117d62b8e57596aa@%3Cissues.hbase.apache.org%3E" 79039 }, 79040 { 79041 "type": "WEB", 79042 "url": "https://lists.apache.org/thread.html/rd9ea411a58925cc82c32e15f541ead23cb25b4b2d57a2bdb0341536e@%3Cjira.kafka.apache.org%3E" 79043 }, 79044 { 79045 "type": "WEB", 79046 "url": 
"https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e@%3Cdev.ignite.apache.org%3E" 79047 }, 79048 { 79049 "type": "WEB", 79050 "url": "https://lists.apache.org/thread.html/rd755dfe5f658c42704540ad7950cebd136739089c3231658e398cf38@%3Cjira.kafka.apache.org%3E" 79051 }, 79052 { 79053 "type": "WEB", 79054 "url": "https://lists.apache.org/thread.html/rd6c1eb9a8a94b3ac8a525d74d792924e8469f201b77e1afcf774e7a6@%3Creviews.spark.apache.org%3E" 79055 }, 79056 { 79057 "type": "WEB", 79058 "url": "https://lists.apache.org/thread.html/rd24d8a059233167b4a5aebda4b3534ca1d86caa8a85b10a73403ee97@%3Ccommits.spark.apache.org%3E" 79059 }, 79060 { 79061 "type": "WEB", 79062 "url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c@%3Cissues.solr.apache.org%3E" 79063 }, 79064 { 79065 "type": "WEB", 79066 "url": "https://lists.apache.org/thread.html/rcdea97f4d3233298296aabc103c9fcefbf629425418c2b69bb16745f@%3Ccommits.pulsar.apache.org%3E" 79067 }, 79068 { 79069 "type": "WEB", 79070 "url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f@%3Cissues.ignite.apache.org%3E" 79071 }, 79072 { 79073 "type": "WEB", 79074 "url": "https://lists.apache.org/thread.html/r4891d45625cc522fe0eb764ac50d48bcca9c0db4805ea4a998d4c225@%3Cissues.hbase.apache.org%3E" 79075 }, 79076 { 79077 "type": "WEB", 79078 "url": "https://lists.apache.org/thread.html/r47a7542ab61da865fff3db0fe74bfe76c89a37b6e6d2c2a423f8baee@%3Creviews.spark.apache.org%3E" 79079 }, 79080 { 79081 "type": "WEB", 79082 "url": "https://lists.apache.org/thread.html/r411d75dc6bcefadaaea246549dd18e8d391a880ddf28a796f09ce152@%3Creviews.spark.apache.org%3E" 79083 }, 79084 { 79085 "type": "WEB", 79086 "url": "https://lists.apache.org/thread.html/r401b1c592f295b811608010a70792b11c91885b72af9f9410cffbe35@%3Creviews.spark.apache.org%3E" 79087 }, 79088 { 79089 "type": "WEB", 79090 "url": 
"https://lists.apache.org/thread.html/r40136c2010fccf4fb2818a965e5d7ecca470e5f525c232ec5b8eb83a@%3Cjira.kafka.apache.org%3E" 79091 }, 79092 { 79093 "type": "WEB", 79094 "url": "https://lists.apache.org/thread.html/r33eb3889ca0aa12720355e64fc2f8f1e8c0c28a4d55b3b4b8891becb@%3Ccommits.zookeeper.apache.org%3E" 79095 }, 79096 { 79097 "type": "WEB", 79098 "url": "https://lists.apache.org/thread.html/r31f591a0deac927ede8ccc3eac4bb92697ee2361bf01549f9e3440ca@%3Creviews.spark.apache.org%3E" 79099 }, 79100 { 79101 "type": "WEB", 79102 "url": "https://lists.apache.org/thread.html/r2f2d9c3b7cc750a6763d6388bcf5db0c7b467bd8be6ac4d6aea4f0cf@%3Creviews.spark.apache.org%3E" 79103 }, 79104 { 79105 "type": "WEB", 79106 "url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81@%3Cissues.solr.apache.org%3E" 79107 }, 79108 { 79109 "type": "WEB", 79110 "url": "https://lists.apache.org/thread.html/r2afc72af069a7fe89ca2de847f3ab3971cb1d668a9497c999946cd78@%3Ccommits.spark.apache.org%3E" 79111 }, 79112 { 79113 "type": "WEB", 79114 "url": "https://lists.apache.org/thread.html/r23785214d47673b811ef119ca3a40f729801865ea1e891572d15faa6@%3Creviews.spark.apache.org%3E" 79115 }, 79116 { 79117 "type": "WEB", 79118 "url": "https://lists.apache.org/thread.html/r17e26cf9a1e3cbc09522d15ece5d7c7a00cdced7641b92a22a783287@%3Cissues.zookeeper.apache.org%3E" 79119 }, 79120 { 79121 "type": "WEB", 79122 "url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E" 79123 }, 79124 { 79125 "type": "WEB", 79126 "url": "https://lists.apache.org/thread.html/r0f02034a33076fd7243cf3a8807d2766e373f5cb2e7fd0c9a78f97c4@%3Cissues.hbase.apache.org%3E" 79127 }, 79128 { 79129 "type": "WEB", 79130 "url": "https://lists.apache.org/thread.html/r0cd1a5e3f4ad4770b44f8aa96572fc09d5b35bec149c0cc247579c42@%3Creviews.spark.apache.org%3E" 79131 }, 79132 { 79133 "type": "WEB", 79134 "url": 
"https://lists.apache.org/thread.html/r0bf3aa065abd23960fc8bdc8090d6bc00d5e391cf94ec4e1f4537ae3@%3Cjira.kafka.apache.org%3E" 79135 }, 79136 { 79137 "type": "WEB", 79138 "url": "https://lists.apache.org/thread.html/r0a4797ba6ceea8074f47574a4f3cc11493d514c1fab8203ebd212add@%3Creviews.spark.apache.org%3E" 79139 }, 79140 { 79141 "type": "WEB", 79142 "url": "https://lists.apache.org/thread.html/r0a241b0649beef90d422b42a26a2470d336e59e66970eafd54f9c3e2@%3Ccommits.zookeeper.apache.org%3E" 79143 }, 79144 { 79145 "type": "WEB", 79146 "url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E" 79147 }, 79148 { 79149 "type": "WEB", 79150 "url": "https://lists.apache.org/thread.html/r077b76cafb61520c14c87c4fc76419ed664002da0ddac5ad851ae7e7@%3Cjira.kafka.apache.org%3E" 79151 }, 79152 { 79153 "type": "WEB", 79154 "url": "https://lists.apache.org/thread.html/r06d54a297cb8217c66e5190912a955fb870ba47da164002bf2baffe5@%3Creviews.spark.apache.org%3E" 79155 }, 79156 { 79157 "type": "WEB", 79158 "url": "https://lists.apache.org/thread.html/r05db8e0ef01e1280cc7543575ae0fa1c2b4d06a8b928916ef65dd2ad@%3Creviews.spark.apache.org%3E" 79159 }, 79160 { 79161 "type": "WEB", 79162 "url": "https://lists.apache.org/thread.html/r03ca0b69db1e3e5f72fe484b71370d537cd711cbf334e2913332730a@%3Cissues.spark.apache.org%3E" 79163 }, 79164 { 79165 "type": "WEB", 79166 "url": "https://lists.apache.org/thread.html/r002258611ed0c35b82b839d284b43db9dcdec120db8afc1c993137dc@%3Cnotifications.zookeeper.apache.org%3E" 79167 }, 79168 { 79169 "type": "PACKAGE", 79170 "url": "https://github.com/eclipse/jetty.project" 79171 }, 79172 { 79173 "type": "WEB", 79174 "url": "https://lists.apache.org/thread.html/r942f4a903d0abb25ac75c592e57df98dea51350e8589269a72fd7913@%3Cissues.spark.apache.org%3E" 79175 }, 79176 { 79177 "type": "WEB", 79178 "url": 
"https://lists.apache.org/thread.html/r940f15db77a96f6aea92d830bc94d8d95f26cc593394d144755824da@%3Creviews.spark.apache.org%3E" 79179 }, 79180 { 79181 "type": "WEB", 79182 "url": "https://lists.apache.org/thread.html/r90327f55db8f1d079f9a724aabf1f5eb3c00c1de49dc7fd04cad1ebc@%3Ccommits.pulsar.apache.org%3E" 79183 }, 79184 { 79185 "type": "WEB", 79186 "url": "https://lists.apache.org/thread.html/r83453ec252af729996476e5839d0b28f07294959d60fea1bd76f7d81@%3Cissues.spark.apache.org%3E" 79187 }, 79188 { 79189 "type": "WEB", 79190 "url": "https://lists.apache.org/thread.html/r81748d56923882543f5be456043c67daef84d631cf54899082058ef1@%3Cjira.kafka.apache.org%3E" 79191 }, 79192 { 79193 "type": "WEB", 79194 "url": "https://lists.apache.org/thread.html/r7c40fb3a66a39b6e6c83b0454bc6917ffe6c69e3131322be9c07a1da@%3Cissues.spark.apache.org%3E" 79195 }, 79196 { 79197 "type": "WEB", 79198 "url": "https://lists.apache.org/thread.html/r7bf7004c18c914fae3d5a6a0191d477e5b6408d95669b3afbf6efa36@%3Ccommits.zookeeper.apache.org%3E" 79199 }, 79200 { 79201 "type": "WEB", 79202 "url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@%3Cjira.kafka.apache.org%3E" 79203 }, 79204 { 79205 "type": "WEB", 79206 "url": "https://lists.apache.org/thread.html/r769155244ca2da2948a44091bb3bb9a56e7e1c71ecc720b8ecf281f0@%3Creviews.spark.apache.org%3E" 79207 }, 79208 { 79209 "type": "WEB", 79210 "url": "https://lists.apache.org/thread.html/r746434be6abff9ad321ff54ecae09e1f09c1c7c139021f40a5774090@%3Creviews.spark.apache.org%3E" 79211 }, 79212 { 79213 "type": "WEB", 79214 "url": "https://lists.apache.org/thread.html/r72bf813ed4737196ea3ed26494e949577be587fd5939fe8be09907c7@%3Creviews.spark.apache.org%3E" 79215 }, 79216 { 79217 "type": "WEB", 79218 "url": "https://lists.apache.org/thread.html/r7189bf41cb0c483629917a01cf296f9fbdbda3987084595192e3845d@%3Cissues.hbase.apache.org%3E" 79219 }, 79220 { 79221 "type": "WEB", 79222 "url": 
"https://lists.apache.org/thread.html/r71031d0acb1de55c9ab32f4750c50ce2f28543252e887ca03bd5621e@%3Creviews.spark.apache.org%3E" 79223 }, 79224 { 79225 "type": "WEB", 79226 "url": "https://lists.apache.org/thread.html/r6f256a1d15505f79f4050a69bb8f27b34cb353604dd2f765c9da5df7@%3Cjira.kafka.apache.org%3E" 79227 }, 79228 { 79229 "type": "WEB", 79230 "url": "https://lists.apache.org/thread.html/r6ce2907b2691c025250ba010bc797677ef78d5994d08507a2e5477c9@%3Creviews.spark.apache.org%3E" 79231 }, 79232 { 79233 "type": "WEB", 79234 "url": "https://lists.apache.org/thread.html/r6b070441871a4e6ce8bb63e190c879bb60da7c5e15023de29ebd4f9f@%3Cjira.kafka.apache.org%3E" 79235 }, 79236 { 79237 "type": "WEB", 79238 "url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd@%3Cissues.ignite.apache.org%3E" 79239 }, 79240 { 79241 "type": "WEB", 79242 "url": "https://lists.apache.org/thread.html/r694e57d74fcaa48818a03c282aecfa13ae68340c798dfcb55cb7acc7@%3Cdev.kafka.apache.org%3E" 79243 }, 79244 { 79245 "type": "WEB", 79246 "url": "https://lists.apache.org/thread.html/r65daad30d13f7c56eb5c3d7733ad8dddbf62c469175410777a78d812@%3Cjira.kafka.apache.org%3E" 79247 }, 79248 { 79249 "type": "WEB", 79250 "url": "https://lists.apache.org/thread.html/r6535b2beddf0ed2d263ab64ff365a5f790df135a1a2f45786417adb7@%3Cdev.kafka.apache.org%3E" 79251 }, 79252 { 79253 "type": "WEB", 79254 "url": "https://lists.apache.org/thread.html/r64ff94118f6c80e6c085c6e2d51bbb490eaefad0642db8c936e4f0b7@%3Creviews.spark.apache.org%3E" 79255 }, 79256 { 79257 "type": "WEB", 79258 "url": "https://lists.apache.org/thread.html/r5f172f2dd8fb02f032ef4437218fd4f610605a3dd4f2a024c1e43b94@%3Cissues.zookeeper.apache.org%3E" 79259 }, 79260 { 79261 "type": "WEB", 79262 "url": "https://lists.apache.org/thread.html/r5d1f16dca2e010193840068f1a1ec17b7015e91acc646607cbc0a4da@%3Creviews.spark.apache.org%3E" 79263 }, 79264 { 79265 "type": "WEB", 79266 "url": 
"https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b@%3Cissues.ignite.apache.org%3E" 79267 }, 79268 { 79269 "type": "WEB", 79270 "url": "https://lists.apache.org/thread.html/r56e5568ac73daedcb3b5affbb4b908999f03d3c1b1ada3920b01e959@%3Cdev.zookeeper.apache.org%3E" 79271 }, 79272 { 79273 "type": "WEB", 79274 "url": "https://lists.apache.org/thread.html/r520c56519b8820955a86966f499e7a0afcbcf669d6f7da59ef1eb155@%3Ccommits.pulsar.apache.org%3E" 79275 }, 79276 { 79277 "type": "WEB", 79278 "url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46@%3Cissues.ignite.apache.org%3E" 79279 }, 79280 { 79281 "type": "WEB", 79282 "url": "http://www.openwall.com/lists/oss-security/2021/04/20/3" 79283 } 79284 ], 79285 "schema_version": "1.6.0", 79286 "severity": [ 79287 { 79288 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 79289 "type": "CVSS_V3" 79290 } 79291 ], 79292 "summary": "Jetty vulnerable to incorrect handling of invalid large TLS frame, exhausting CPU resources" 79293 }, 79294 { 79295 "affected": [ 79296 { 79297 "database_specific": { 79298 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-5h9j-q6j2-253f/GHSA-5h9j-q6j2-253f.json" 79299 }, 79300 "package": { 79301 "ecosystem": "Maven", 79302 "name": "org.eclipse.jetty:jetty-server", 79303 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 79304 }, 79305 "ranges": [ 79306 { 79307 "events": [ 79308 { 79309 "introduced": "9.4.21.v20190926" 79310 }, 79311 { 79312 "fixed": "9.4.24.v20191120" 79313 } 79314 ], 79315 "type": "ECOSYSTEM" 79316 } 79317 ], 79318 "versions": [ 79319 "9.4.21.v20190926", 79320 "9.4.22.v20191022", 79321 "9.4.23.v20191118" 79322 ] 79323 }, 79324 { 79325 "database_specific": { 79326 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-5h9j-q6j2-253f/GHSA-5h9j-q6j2-253f.json" 79327 }, 79328 "package": { 
79329 "ecosystem": "Maven", 79330 "name": "org.eclipse.jetty:jetty-server", 79331 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 79332 }, 79333 "ranges": [ 79334 { 79335 "events": [ 79336 { 79337 "introduced": "9.4.22.v20191022" 79338 }, 79339 { 79340 "fixed": "9.4.24.v20191120" 79341 } 79342 ], 79343 "type": "ECOSYSTEM" 79344 } 79345 ], 79346 "versions": [ 79347 "9.4.22.v20191022", 79348 "9.4.23.v20191118" 79349 ] 79350 }, 79351 { 79352 "database_specific": { 79353 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-5h9j-q6j2-253f/GHSA-5h9j-q6j2-253f.json" 79354 }, 79355 "package": { 79356 "ecosystem": "Maven", 79357 "name": "org.eclipse.jetty:jetty-server", 79358 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 79359 }, 79360 "ranges": [ 79361 { 79362 "events": [ 79363 { 79364 "introduced": "9.4.23.v20191118" 79365 }, 79366 { 79367 "fixed": "9.4.24.v20191120" 79368 } 79369 ], 79370 "type": "ECOSYSTEM" 79371 } 79372 ], 79373 "versions": [ 79374 "9.4.23.v20191118" 79375 ] 79376 } 79377 ], 79378 "aliases": [ 79379 "CVE-2019-17632" 79380 ], 79381 "database_specific": { 79382 "cwe_ids": [ 79383 "CWE-79" 79384 ], 79385 "github_reviewed": true, 79386 "github_reviewed_at": "2019-12-02T01:09:14Z", 79387 "nvd_published_at": "2019-11-25T22:15:00Z", 79388 "severity": "MODERATE" 79389 }, 79390 "details": "In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.", 79391 "id": "GHSA-5h9j-q6j2-253f", 79392 "modified": "2024-02-16T08:16:10.159901Z", 79393 "published": "2019-12-02T18:13:28Z", 79394 "references": [ 79395 { 79396 "type": "ADVISORY", 79397 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17632" 79398 }, 79399 { 79400 "type": "WEB", 79401 "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=553443" 79402 }, 
79403 { 79404 "type": "WEB", 79405 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAITZ27GKPD2CCNHGT2VBT4VWIBUJJNS" 79406 }, 79407 { 79408 "type": "WEB", 79409 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 79410 }, 79411 { 79412 "type": "WEB", 79413 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 79414 } 79415 ], 79416 "schema_version": "1.6.0", 79417 "severity": [ 79418 { 79419 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 79420 "type": "CVSS_V3" 79421 } 79422 ], 79423 "summary": "Unescaped exception messages in error responses in Jetty" 79424 }, 79425 { 79426 "affected": [ 79427 { 79428 "database_specific": { 79429 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6x9x-8qw9-9pp6/GHSA-6x9x-8qw9-9pp6.json" 79430 }, 79431 "package": { 79432 "ecosystem": "Maven", 79433 "name": "org.eclipse.jetty:jetty-server", 79434 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 79435 }, 79436 "ranges": [ 79437 { 79438 "events": [ 79439 { 79440 "introduced": "0" 79441 }, 79442 { 79443 "fixed": "9.2.25.v20180606" 79444 } 79445 ], 79446 "type": "ECOSYSTEM" 79447 } 79448 ], 79449 "versions": [ 79450 "7.0.0.M0", 79451 "7.0.0.M1", 79452 "7.0.0.M2", 79453 "7.0.0.M3", 79454 "7.0.0.M4", 79455 "7.0.0.RC0", 79456 "7.0.0.RC1", 79457 "7.0.0.RC2", 79458 "7.0.0.RC3", 79459 "7.0.0.RC4", 79460 "7.0.0.RC5", 79461 "7.0.0.RC6", 79462 "7.0.0.v20091005", 79463 "7.0.1.v20091125", 79464 "7.0.2.RC0", 79465 "7.0.2.v20100331", 79466 "7.1.0.RC0", 79467 "7.1.0.RC1", 79468 "7.1.0.v20100505", 79469 "7.1.1.v20100517", 79470 "7.1.2.v20100523", 79471 "7.1.3.v20100526", 79472 "7.1.4.v20100610", 79473 "7.1.5.v20100705", 79474 "7.1.6.v20100715", 79475 "7.2.0.RC0", 79476 "7.2.0.v20101020", 79477 "7.2.1.v20101111", 79478 "7.2.2.v20101205", 79479 "7.3.0.v20110203", 79480 "7.3.1.v20110307", 79481 "7.4.0.RC0", 79482 "7.4.0.v20110414", 79483 "7.4.1.v20110513", 79484 
"7.4.2.v20110526", 79485 "7.4.3.v20110701", 79486 "7.4.4.v20110707", 79487 "7.4.5.v20110725", 79488 "7.5.0.RC0", 79489 "7.5.0.RC1", 79490 "7.5.0.RC2", 79491 "7.5.0.v20110901", 79492 "7.5.1.v20110908", 79493 "7.5.2.v20111006", 79494 "7.5.3.v20111011", 79495 "7.5.4.v20111024", 79496 "7.6.0.RC0", 79497 "7.6.0.RC1", 79498 "7.6.0.RC2", 79499 "7.6.0.RC3", 79500 "7.6.0.RC4", 79501 "7.6.0.RC5", 79502 "7.6.0.v20120127", 79503 "7.6.1.v20120215", 79504 "7.6.10.v20130312", 79505 "7.6.11.v20130520", 79506 "7.6.12.v20130726", 79507 "7.6.13.v20130916", 79508 "7.6.14.v20131031", 79509 "7.6.15.v20140411", 79510 "7.6.16.v20140903", 79511 "7.6.17.v20150415", 79512 "7.6.18.v20150929", 79513 "7.6.19.v20160209", 79514 "7.6.2.v20120308", 79515 "7.6.20.v20160902", 79516 "7.6.21.v20160908", 79517 "7.6.3.v20120416", 79518 "7.6.4.v20120524", 79519 "7.6.5.v20120716", 79520 "7.6.6.v20120903", 79521 "7.6.7.v20120910", 79522 "7.6.8.v20121106", 79523 "7.6.9.v20130131", 79524 "8.0.0.M0", 79525 "8.0.0.M1", 79526 "8.0.0.M2", 79527 "8.0.0.M3", 79528 "8.0.0.RC0", 79529 "8.0.0.v20110901", 79530 "8.0.1.v20110908", 79531 "8.0.2.v20111006", 79532 "8.0.3.v20111011", 79533 "8.0.4.v20111024", 79534 "8.1.0.RC0", 79535 "8.1.0.RC1", 79536 "8.1.0.RC2", 79537 "8.1.0.RC4", 79538 "8.1.0.RC5", 79539 "8.1.0.v20120127", 79540 "8.1.1.v20120215", 79541 "8.1.10.v20130312", 79542 "8.1.11.v20130520", 79543 "8.1.12.v20130726", 79544 "8.1.13.v20130916", 79545 "8.1.14.v20131031", 79546 "8.1.15.v20140411", 79547 "8.1.16.v20140903", 79548 "8.1.17.v20150415", 79549 "8.1.18.v20150929", 79550 "8.1.19.v20160209", 79551 "8.1.2.v20120308", 79552 "8.1.20.v20160902", 79553 "8.1.21.v20160908", 79554 "8.1.22.v20160922", 79555 "8.1.3.v20120416", 79556 "8.1.4.v20120524", 79557 "8.1.5.v20120716", 79558 "8.1.6.v20120903", 79559 "8.1.7.v20120910", 79560 "8.1.8.v20121106", 79561 "8.1.9.v20130131", 79562 "8.2.0.v20160908", 79563 "9.0.0.M0", 79564 "9.0.0.M1", 79565 "9.0.0.M2", 79566 "9.0.0.M3", 79567 "9.0.0.M4", 79568 "9.0.0.M5", 79569 
"9.0.0.RC0", 79570 "9.0.0.RC1", 79571 "9.0.0.RC2", 79572 "9.0.0.v20130308", 79573 "9.0.1.v20130408", 79574 "9.0.2.v20130417", 79575 "9.0.3.v20130506", 79576 "9.0.4.v20130625", 79577 "9.0.5.v20130815", 79578 "9.0.6.v20130930", 79579 "9.0.7.v20131107", 79580 "9.1.0.M0", 79581 "9.1.0.RC0", 79582 "9.1.0.RC1", 79583 "9.1.0.RC2", 79584 "9.1.0.v20131115", 79585 "9.1.1.v20140108", 79586 "9.1.2.v20140210", 79587 "9.1.3.v20140225", 79588 "9.1.4.v20140401", 79589 "9.1.5.v20140505", 79590 "9.1.6.v20160112", 79591 "9.2.0.M0", 79592 "9.2.0.M1", 79593 "9.2.0.RC0", 79594 "9.2.0.v20140526", 79595 "9.2.1.v20140609", 79596 "9.2.10.v20150310", 79597 "9.2.11.M0", 79598 "9.2.11.v20150529", 79599 "9.2.12.M0", 79600 "9.2.12.v20150709", 79601 "9.2.13.v20150730", 79602 "9.2.14.v20151106", 79603 "9.2.15.v20160210", 79604 "9.2.16.v20160414", 79605 "9.2.17.v20160517", 79606 "9.2.18.v20160721", 79607 "9.2.19.v20160908", 79608 "9.2.2.v20140723", 79609 "9.2.20.v20161216", 79610 "9.2.21.v20170120", 79611 "9.2.22.v20170606", 79612 "9.2.23.v20171218", 79613 "9.2.24.v20180105", 79614 "9.2.3.v20140905", 79615 "9.2.4.v20141103", 79616 "9.2.5.v20141112", 79617 "9.2.6.v20141205", 79618 "9.2.7.v20150116", 79619 "9.2.8.v20150217", 79620 "9.2.9.v20150224" 79621 ] 79622 }, 79623 { 79624 "database_specific": { 79625 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6x9x-8qw9-9pp6/GHSA-6x9x-8qw9-9pp6.json" 79626 }, 79627 "package": { 79628 "ecosystem": "Maven", 79629 "name": "org.eclipse.jetty:jetty-server", 79630 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 79631 }, 79632 "ranges": [ 79633 { 79634 "events": [ 79635 { 79636 "introduced": "9.3.0" 79637 }, 79638 { 79639 "fixed": "9.3.24.v20180605" 79640 } 79641 ], 79642 "type": "ECOSYSTEM" 79643 } 79644 ], 79645 "versions": [ 79646 "9.3.0.v20150612", 79647 "9.3.1.v20150714", 79648 "9.3.10.M0", 79649 "9.3.10.v20160621", 79650 "9.3.11.M0", 79651 "9.3.11.v20160721", 79652 "9.3.12.v20160915", 79653 
"9.3.13.M0", 79654 "9.3.13.v20161014", 79655 "9.3.14.v20161028", 79656 "9.3.15.v20161220", 79657 "9.3.16.v20170120", 79658 "9.3.17.RC0", 79659 "9.3.17.v20170317", 79660 "9.3.18.v20170406", 79661 "9.3.19.v20170502", 79662 "9.3.2.v20150730", 79663 "9.3.20.v20170531", 79664 "9.3.21.M0", 79665 "9.3.21.RC0", 79666 "9.3.21.v20170918", 79667 "9.3.22.v20171030", 79668 "9.3.23.v20180228", 79669 "9.3.3.v20150827", 79670 "9.3.4.RC0", 79671 "9.3.4.RC1", 79672 "9.3.4.v20151007", 79673 "9.3.5.v20151012", 79674 "9.3.6.v20151106", 79675 "9.3.7.RC0", 79676 "9.3.7.RC1", 79677 "9.3.7.v20160115", 79678 "9.3.8.RC0", 79679 "9.3.8.v20160314", 79680 "9.3.9.M0", 79681 "9.3.9.M1", 79682 "9.3.9.v20160517" 79683 ] 79684 }, 79685 { 79686 "database_specific": { 79687 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6x9x-8qw9-9pp6/GHSA-6x9x-8qw9-9pp6.json" 79688 }, 79689 "package": { 79690 "ecosystem": "Maven", 79691 "name": "org.eclipse.jetty:jetty-server", 79692 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 79693 }, 79694 "ranges": [ 79695 { 79696 "events": [ 79697 { 79698 "introduced": "9.4.0" 79699 }, 79700 { 79701 "fixed": "9.4.11.v20180605" 79702 } 79703 ], 79704 "type": "ECOSYSTEM" 79705 } 79706 ], 79707 "versions": [ 79708 "9.4.0.v20161208", 79709 "9.4.0.v20180619", 79710 "9.4.1.v20170120", 79711 "9.4.1.v20180619", 79712 "9.4.10.RC0", 79713 "9.4.10.RC1", 79714 "9.4.10.v20180503", 79715 "9.4.2.v20170220", 79716 "9.4.2.v20180619", 79717 "9.4.3.v20170317", 79718 "9.4.3.v20180619", 79719 "9.4.4.v20170414", 79720 "9.4.4.v20180619", 79721 "9.4.5.v20170502", 79722 "9.4.5.v20180619", 79723 "9.4.6.v20170531", 79724 "9.4.6.v20180619", 79725 "9.4.7.RC0", 79726 "9.4.7.v20170914", 79727 "9.4.7.v20180619", 79728 "9.4.8.v20171121", 79729 "9.4.8.v20180619", 79730 "9.4.9.v20180320" 79731 ] 79732 } 79733 ], 79734 "aliases": [ 79735 "CVE-2017-7658" 79736 ], 79737 "database_specific": { 79738 "cwe_ids": [ 79739 "CWE-444" 79740 ], 79741 
"github_reviewed": true, 79742 "github_reviewed_at": "2020-06-16T21:20:39Z", 79743 "nvd_published_at": "2018-06-26T17:29:00Z", 79744 "severity": "CRITICAL" 79745 }, 79746 "details": "Eclipse Jetty Server versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), are vulnerable to HTTP Request Smuggling when presented with two content-lengths headers, allowing authorization bypass. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decides on the shorter length, but still passes on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary is imposing authorization, the fake pipelined request bypasses that authorization.", 79747 "id": "GHSA-6x9x-8qw9-9pp6", 79748 "modified": "2024-02-16T08:16:22.832624Z", 79749 "published": "2018-10-19T16:16:38Z", 79750 "references": [ 79751 { 79752 "type": "ADVISORY", 79753 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7658" 79754 }, 79755 { 79756 "type": "WEB", 79757 "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669" 79758 }, 79759 { 79760 "type": "ADVISORY", 79761 "url": "https://github.com/advisories/GHSA-6x9x-8qw9-9pp6" 79762 }, 79763 { 79764 "type": "WEB", 79765 "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" 79766 }, 79767 { 79768 "type": "WEB", 79769 "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" 79770 }, 79771 { 79772 "type": "WEB", 79773 "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" 79774 }, 79775 { 79776 "type": "WEB", 79777 "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" 
79778 }, 79779 { 79780 "type": "WEB", 79781 "url": "https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8@%3Ccommits.druid.apache.org%3E" 79782 }, 79783 { 79784 "type": "WEB", 79785 "url": "https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae@%3Ccommits.druid.apache.org%3E" 79786 }, 79787 { 79788 "type": "WEB", 79789 "url": "https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574@%3Ccommits.druid.apache.org%3E" 79790 }, 79791 { 79792 "type": "WEB", 79793 "url": "https://security.netapp.com/advisory/ntap-20181014-0001" 79794 }, 79795 { 79796 "type": "WEB", 79797 "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03953en_us" 79798 }, 79799 { 79800 "type": "WEB", 79801 "url": "https://www.debian.org/security/2018/dsa-4278" 79802 }, 79803 { 79804 "type": "WEB", 79805 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 79806 }, 79807 { 79808 "type": "WEB", 79809 "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" 79810 }, 79811 { 79812 "type": "WEB", 79813 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 79814 }, 79815 { 79816 "type": "WEB", 79817 "url": "http://www.securityfocus.com/bid/106566" 79818 }, 79819 { 79820 "type": "WEB", 79821 "url": "http://www.securitytracker.com/id/1041194" 79822 } 79823 ], 79824 "schema_version": "1.6.0", 79825 "severity": [ 79826 { 79827 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 79828 "type": "CVSS_V3" 79829 } 79830 ], 79831 "summary": "Jetty vulnerable to authorization bypass due to inconsistent HTTP request handling (HTTP Request Smuggling)" 79832 }, 79833 { 79834 "affected": [ 79835 { 79836 "database_specific": { 79837 "last_known_affected_version_range": "\u003c= 9.2.26.v20180806", 79838 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-7vx9-xjhr-rw6h/GHSA-7vx9-xjhr-rw6h.json" 79839 }, 79840 "package": { 79841 "ecosystem": "Maven", 79842 "name": "org.eclipse.jetty:jetty-server", 79843 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 79844 }, 79845 "ranges": [ 79846 { 79847 "events": [ 79848 { 79849 "introduced": "0" 79850 }, 79851 { 79852 "fixed": "9.2.27.v20190403" 79853 } 79854 ], 79855 "type": "ECOSYSTEM" 79856 } 79857 ], 79858 "versions": [ 79859 "7.0.0.M0", 79860 "7.0.0.M1", 79861 "7.0.0.M2", 79862 "7.0.0.M3", 79863 "7.0.0.M4", 79864 "7.0.0.RC0", 79865 "7.0.0.RC1", 79866 "7.0.0.RC2", 79867 "7.0.0.RC3", 79868 "7.0.0.RC4", 79869 "7.0.0.RC5", 79870 "7.0.0.RC6", 79871 "7.0.0.v20091005", 79872 "7.0.1.v20091125", 79873 "7.0.2.RC0", 79874 "7.0.2.v20100331", 79875 "7.1.0.RC0", 79876 "7.1.0.RC1", 79877 "7.1.0.v20100505", 79878 "7.1.1.v20100517", 79879 "7.1.2.v20100523", 79880 "7.1.3.v20100526", 79881 "7.1.4.v20100610", 79882 "7.1.5.v20100705", 79883 "7.1.6.v20100715", 79884 "7.2.0.RC0", 79885 "7.2.0.v20101020", 79886 "7.2.1.v20101111", 79887 "7.2.2.v20101205", 79888 "7.3.0.v20110203", 79889 "7.3.1.v20110307", 79890 "7.4.0.RC0", 79891 "7.4.0.v20110414", 79892 "7.4.1.v20110513", 79893 "7.4.2.v20110526", 79894 "7.4.3.v20110701", 79895 "7.4.4.v20110707", 79896 "7.4.5.v20110725", 79897 "7.5.0.RC0", 79898 "7.5.0.RC1", 79899 "7.5.0.RC2", 79900 "7.5.0.v20110901", 79901 "7.5.1.v20110908", 79902 "7.5.2.v20111006", 79903 "7.5.3.v20111011", 79904 "7.5.4.v20111024", 79905 "7.6.0.RC0", 79906 "7.6.0.RC1", 79907 "7.6.0.RC2", 79908 "7.6.0.RC3", 79909 "7.6.0.RC4", 79910 "7.6.0.RC5", 79911 "7.6.0.v20120127", 79912 "7.6.1.v20120215", 79913 "7.6.10.v20130312", 79914 "7.6.11.v20130520", 79915 "7.6.12.v20130726", 79916 "7.6.13.v20130916", 79917 "7.6.14.v20131031", 79918 "7.6.15.v20140411", 79919 "7.6.16.v20140903", 79920 "7.6.17.v20150415", 79921 "7.6.18.v20150929", 79922 "7.6.19.v20160209", 79923 "7.6.2.v20120308", 79924 
"7.6.20.v20160902", 79925 "7.6.21.v20160908", 79926 "7.6.3.v20120416", 79927 "7.6.4.v20120524", 79928 "7.6.5.v20120716", 79929 "7.6.6.v20120903", 79930 "7.6.7.v20120910", 79931 "7.6.8.v20121106", 79932 "7.6.9.v20130131", 79933 "8.0.0.M0", 79934 "8.0.0.M1", 79935 "8.0.0.M2", 79936 "8.0.0.M3", 79937 "8.0.0.RC0", 79938 "8.0.0.v20110901", 79939 "8.0.1.v20110908", 79940 "8.0.2.v20111006", 79941 "8.0.3.v20111011", 79942 "8.0.4.v20111024", 79943 "8.1.0.RC0", 79944 "8.1.0.RC1", 79945 "8.1.0.RC2", 79946 "8.1.0.RC4", 79947 "8.1.0.RC5", 79948 "8.1.0.v20120127", 79949 "8.1.1.v20120215", 79950 "8.1.10.v20130312", 79951 "8.1.11.v20130520", 79952 "8.1.12.v20130726", 79953 "8.1.13.v20130916", 79954 "8.1.14.v20131031", 79955 "8.1.15.v20140411", 79956 "8.1.16.v20140903", 79957 "8.1.17.v20150415", 79958 "8.1.18.v20150929", 79959 "8.1.19.v20160209", 79960 "8.1.2.v20120308", 79961 "8.1.20.v20160902", 79962 "8.1.21.v20160908", 79963 "8.1.22.v20160922", 79964 "8.1.3.v20120416", 79965 "8.1.4.v20120524", 79966 "8.1.5.v20120716", 79967 "8.1.6.v20120903", 79968 "8.1.7.v20120910", 79969 "8.1.8.v20121106", 79970 "8.1.9.v20130131", 79971 "8.2.0.v20160908", 79972 "9.0.0.M0", 79973 "9.0.0.M1", 79974 "9.0.0.M2", 79975 "9.0.0.M3", 79976 "9.0.0.M4", 79977 "9.0.0.M5", 79978 "9.0.0.RC0", 79979 "9.0.0.RC1", 79980 "9.0.0.RC2", 79981 "9.0.0.v20130308", 79982 "9.0.1.v20130408", 79983 "9.0.2.v20130417", 79984 "9.0.3.v20130506", 79985 "9.0.4.v20130625", 79986 "9.0.5.v20130815", 79987 "9.0.6.v20130930", 79988 "9.0.7.v20131107", 79989 "9.1.0.M0", 79990 "9.1.0.RC0", 79991 "9.1.0.RC1", 79992 "9.1.0.RC2", 79993 "9.1.0.v20131115", 79994 "9.1.1.v20140108", 79995 "9.1.2.v20140210", 79996 "9.1.3.v20140225", 79997 "9.1.4.v20140401", 79998 "9.1.5.v20140505", 79999 "9.1.6.v20160112", 80000 "9.2.0.M0", 80001 "9.2.0.M1", 80002 "9.2.0.RC0", 80003 "9.2.0.v20140526", 80004 "9.2.1.v20140609", 80005 "9.2.10.v20150310", 80006 "9.2.11.M0", 80007 "9.2.11.v20150529", 80008 "9.2.12.M0", 80009 "9.2.12.v20150709", 80010 
"9.2.13.v20150730", 80011 "9.2.14.v20151106", 80012 "9.2.15.v20160210", 80013 "9.2.16.v20160414", 80014 "9.2.17.v20160517", 80015 "9.2.18.v20160721", 80016 "9.2.19.v20160908", 80017 "9.2.2.v20140723", 80018 "9.2.20.v20161216", 80019 "9.2.21.v20170120", 80020 "9.2.22.v20170606", 80021 "9.2.23.v20171218", 80022 "9.2.24.v20180105", 80023 "9.2.25.v20180606", 80024 "9.2.26.v20180806", 80025 "9.2.3.v20140905", 80026 "9.2.4.v20141103", 80027 "9.2.5.v20141112", 80028 "9.2.6.v20141205", 80029 "9.2.7.v20150116", 80030 "9.2.8.v20150217", 80031 "9.2.9.v20150224" 80032 ] 80033 }, 80034 { 80035 "database_specific": { 80036 "last_known_affected_version_range": "\u003c= 9.3.25.v20180904", 80037 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-7vx9-xjhr-rw6h/GHSA-7vx9-xjhr-rw6h.json" 80038 }, 80039 "package": { 80040 "ecosystem": "Maven", 80041 "name": "org.eclipse.jetty:jetty-server", 80042 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 80043 }, 80044 "ranges": [ 80045 { 80046 "events": [ 80047 { 80048 "introduced": "9.3.0" 80049 }, 80050 { 80051 "fixed": "9.3.26.v20190403" 80052 } 80053 ], 80054 "type": "ECOSYSTEM" 80055 } 80056 ], 80057 "versions": [ 80058 "9.3.0.v20150612", 80059 "9.3.1.v20150714", 80060 "9.3.10.M0", 80061 "9.3.10.v20160621", 80062 "9.3.11.M0", 80063 "9.3.11.v20160721", 80064 "9.3.12.v20160915", 80065 "9.3.13.M0", 80066 "9.3.13.v20161014", 80067 "9.3.14.v20161028", 80068 "9.3.15.v20161220", 80069 "9.3.16.v20170120", 80070 "9.3.17.RC0", 80071 "9.3.17.v20170317", 80072 "9.3.18.v20170406", 80073 "9.3.19.v20170502", 80074 "9.3.2.v20150730", 80075 "9.3.20.v20170531", 80076 "9.3.21.M0", 80077 "9.3.21.RC0", 80078 "9.3.21.v20170918", 80079 "9.3.22.v20171030", 80080 "9.3.23.v20180228", 80081 "9.3.24.v20180605", 80082 "9.3.25.v20180904", 80083 "9.3.3.v20150827", 80084 "9.3.4.RC0", 80085 "9.3.4.RC1", 80086 "9.3.4.v20151007", 80087 "9.3.5.v20151012", 80088 "9.3.6.v20151106", 80089 "9.3.7.RC0", 80090 "9.3.7.RC1", 
80091 "9.3.7.v20160115", 80092 "9.3.8.RC0", 80093 "9.3.8.v20160314", 80094 "9.3.9.M0", 80095 "9.3.9.M1", 80096 "9.3.9.v20160517" 80097 ] 80098 }, 80099 { 80100 "database_specific": { 80101 "last_known_affected_version_range": "\u003c= 9.4.15.v20190215", 80102 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-7vx9-xjhr-rw6h/GHSA-7vx9-xjhr-rw6h.json" 80103 }, 80104 "package": { 80105 "ecosystem": "Maven", 80106 "name": "org.eclipse.jetty:jetty-server", 80107 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 80108 }, 80109 "ranges": [ 80110 { 80111 "events": [ 80112 { 80113 "introduced": "9.4.0" 80114 }, 80115 { 80116 "fixed": "9.4.16.v20190411" 80117 } 80118 ], 80119 "type": "ECOSYSTEM" 80120 } 80121 ], 80122 "versions": [ 80123 "9.4.0.v20161208", 80124 "9.4.0.v20180619", 80125 "9.4.1.v20170120", 80126 "9.4.1.v20180619", 80127 "9.4.10.RC0", 80128 "9.4.10.RC1", 80129 "9.4.10.v20180503", 80130 "9.4.11.v20180605", 80131 "9.4.12.RC0", 80132 "9.4.12.RC1", 80133 "9.4.12.RC2", 80134 "9.4.12.v20180830", 80135 "9.4.13.v20181111", 80136 "9.4.14.v20181114", 80137 "9.4.15.v20190215", 80138 "9.4.2.v20170220", 80139 "9.4.2.v20180619", 80140 "9.4.3.v20170317", 80141 "9.4.3.v20180619", 80142 "9.4.4.v20170414", 80143 "9.4.4.v20180619", 80144 "9.4.5.v20170502", 80145 "9.4.5.v20180619", 80146 "9.4.6.v20170531", 80147 "9.4.6.v20180619", 80148 "9.4.7.RC0", 80149 "9.4.7.v20170914", 80150 "9.4.7.v20180619", 80151 "9.4.8.v20171121", 80152 "9.4.8.v20180619", 80153 "9.4.9.v20180320" 80154 ] 80155 } 80156 ], 80157 "aliases": [ 80158 "CVE-2019-10241" 80159 ], 80160 "database_specific": { 80161 "cwe_ids": [ 80162 "CWE-79" 80163 ], 80164 "github_reviewed": true, 80165 "github_reviewed_at": "2019-04-23T16:02:04Z", 80166 "nvd_published_at": "2019-04-22T20:29:00Z", 80167 "severity": "MODERATE" 80168 }, 80169 "details": "In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions 
if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.", 80170 "id": "GHSA-7vx9-xjhr-rw6h", 80171 "modified": "2024-02-16T08:16:44.502362Z", 80172 "published": "2019-04-23T16:06:02Z", 80173 "references": [ 80174 { 80175 "type": "ADVISORY", 80176 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10241" 80177 }, 80178 { 80179 "type": "WEB", 80180 "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121" 80181 }, 80182 { 80183 "type": "WEB", 80184 "url": "https://lists.apache.org/thread.html/01e004c3f7c7365863a27e7038b7f32dae56ccf3a496b277c9b7f7b6@%3Cjira.kafka.apache.org%3E" 80185 }, 80186 { 80187 "type": "WEB", 80188 "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" 80189 }, 80190 { 80191 "type": "WEB", 80192 "url": "https://lists.apache.org/thread.html/464892b514c029dfc0c8656a93e1c0de983c473df70fdadbd224e09f@%3Cjira.kafka.apache.org%3E" 80193 }, 80194 { 80195 "type": "WEB", 80196 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 80197 }, 80198 { 80199 "type": "WEB", 80200 "url": "https://lists.apache.org/thread.html/8bff534863c7aaf09bb17c3d0532777258dd3a5c7ddda34198cc2742@%3Cdev.kafka.apache.org%3E" 80201 }, 80202 { 80203 "type": "WEB", 80204 "url": "https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E" 80205 }, 80206 { 80207 "type": "WEB", 80208 "url": "https://lists.apache.org/thread.html/bcfb37bfba7b3d7e9c7808b5e5a38a98d6bb714d52cf5162bdd48e32@%3Cjira.kafka.apache.org%3E" 80209 }, 80210 { 80211 "type": "WEB", 80212 "url": "https://lists.apache.org/thread.html/d7c4a664a34853f57c2163ab562f39802df5cf809523ea40c97289c1@%3Cdev.kafka.apache.org%3E" 80213 }, 80214 { 80215 "type": "WEB", 80216 "url": 
"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 80217 }, 80218 { 80219 "type": "WEB", 80220 "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html" 80221 }, 80222 { 80223 "type": "WEB", 80224 "url": "https://security.netapp.com/advisory/ntap-20190509-0003" 80225 }, 80226 { 80227 "type": "WEB", 80228 "url": "https://www.debian.org/security/2021/dsa-4949" 80229 }, 80230 { 80231 "type": "WEB", 80232 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 80233 }, 80234 { 80235 "type": "WEB", 80236 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 80237 } 80238 ], 80239 "schema_version": "1.6.0", 80240 "severity": [ 80241 { 80242 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 80243 "type": "CVSS_V3" 80244 } 80245 ], 80246 "summary": "Cross-site Scripting in Eclipse Jetty" 80247 }, 80248 { 80249 "affected": [ 80250 { 80251 "database_specific": { 80252 "last_known_affected_version_range": "\u003c= 9.3.23.v20180228", 80253 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-84q7-p226-4x5w/GHSA-84q7-p226-4x5w.json" 80254 }, 80255 "package": { 80256 "ecosystem": "Maven", 80257 "name": "org.eclipse.jetty:jetty-server", 80258 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 80259 }, 80260 "ranges": [ 80261 { 80262 "events": [ 80263 { 80264 "introduced": "0" 80265 }, 80266 { 80267 "fixed": "9.3.24.v20180605" 80268 } 80269 ], 80270 "type": "ECOSYSTEM" 80271 } 80272 ], 80273 "versions": [ 80274 "7.0.0.M0", 80275 "7.0.0.M1", 80276 "7.0.0.M2", 80277 "7.0.0.M3", 80278 "7.0.0.M4", 80279 "7.0.0.RC0", 80280 "7.0.0.RC1", 80281 "7.0.0.RC2", 80282 "7.0.0.RC3", 80283 "7.0.0.RC4", 80284 "7.0.0.RC5", 80285 "7.0.0.RC6", 80286 "7.0.0.v20091005", 80287 "7.0.1.v20091125", 80288 "7.0.2.RC0", 80289 "7.0.2.v20100331", 80290 "7.1.0.RC0", 80291 "7.1.0.RC1", 80292 "7.1.0.v20100505", 80293 
"7.1.1.v20100517", 80294 "7.1.2.v20100523", 80295 "7.1.3.v20100526", 80296 "7.1.4.v20100610", 80297 "7.1.5.v20100705", 80298 "7.1.6.v20100715", 80299 "7.2.0.RC0", 80300 "7.2.0.v20101020", 80301 "7.2.1.v20101111", 80302 "7.2.2.v20101205", 80303 "7.3.0.v20110203", 80304 "7.3.1.v20110307", 80305 "7.4.0.RC0", 80306 "7.4.0.v20110414", 80307 "7.4.1.v20110513", 80308 "7.4.2.v20110526", 80309 "7.4.3.v20110701", 80310 "7.4.4.v20110707", 80311 "7.4.5.v20110725", 80312 "7.5.0.RC0", 80313 "7.5.0.RC1", 80314 "7.5.0.RC2", 80315 "7.5.0.v20110901", 80316 "7.5.1.v20110908", 80317 "7.5.2.v20111006", 80318 "7.5.3.v20111011", 80319 "7.5.4.v20111024", 80320 "7.6.0.RC0", 80321 "7.6.0.RC1", 80322 "7.6.0.RC2", 80323 "7.6.0.RC3", 80324 "7.6.0.RC4", 80325 "7.6.0.RC5", 80326 "7.6.0.v20120127", 80327 "7.6.1.v20120215", 80328 "7.6.10.v20130312", 80329 "7.6.11.v20130520", 80330 "7.6.12.v20130726", 80331 "7.6.13.v20130916", 80332 "7.6.14.v20131031", 80333 "7.6.15.v20140411", 80334 "7.6.16.v20140903", 80335 "7.6.17.v20150415", 80336 "7.6.18.v20150929", 80337 "7.6.19.v20160209", 80338 "7.6.2.v20120308", 80339 "7.6.20.v20160902", 80340 "7.6.21.v20160908", 80341 "7.6.3.v20120416", 80342 "7.6.4.v20120524", 80343 "7.6.5.v20120716", 80344 "7.6.6.v20120903", 80345 "7.6.7.v20120910", 80346 "7.6.8.v20121106", 80347 "7.6.9.v20130131", 80348 "8.0.0.M0", 80349 "8.0.0.M1", 80350 "8.0.0.M2", 80351 "8.0.0.M3", 80352 "8.0.0.RC0", 80353 "8.0.0.v20110901", 80354 "8.0.1.v20110908", 80355 "8.0.2.v20111006", 80356 "8.0.3.v20111011", 80357 "8.0.4.v20111024", 80358 "8.1.0.RC0", 80359 "8.1.0.RC1", 80360 "8.1.0.RC2", 80361 "8.1.0.RC4", 80362 "8.1.0.RC5", 80363 "8.1.0.v20120127", 80364 "8.1.1.v20120215", 80365 "8.1.10.v20130312", 80366 "8.1.11.v20130520", 80367 "8.1.12.v20130726", 80368 "8.1.13.v20130916", 80369 "8.1.14.v20131031", 80370 "8.1.15.v20140411", 80371 "8.1.16.v20140903", 80372 "8.1.17.v20150415", 80373 "8.1.18.v20150929", 80374 "8.1.19.v20160209", 80375 "8.1.2.v20120308", 80376 "8.1.20.v20160902", 80377 
"8.1.21.v20160908", 80378 "8.1.22.v20160922", 80379 "8.1.3.v20120416", 80380 "8.1.4.v20120524", 80381 "8.1.5.v20120716", 80382 "8.1.6.v20120903", 80383 "8.1.7.v20120910", 80384 "8.1.8.v20121106", 80385 "8.1.9.v20130131", 80386 "8.2.0.v20160908", 80387 "9.0.0.M0", 80388 "9.0.0.M1", 80389 "9.0.0.M2", 80390 "9.0.0.M3", 80391 "9.0.0.M4", 80392 "9.0.0.M5", 80393 "9.0.0.RC0", 80394 "9.0.0.RC1", 80395 "9.0.0.RC2", 80396 "9.0.0.v20130308", 80397 "9.0.1.v20130408", 80398 "9.0.2.v20130417", 80399 "9.0.3.v20130506", 80400 "9.0.4.v20130625", 80401 "9.0.5.v20130815", 80402 "9.0.6.v20130930", 80403 "9.0.7.v20131107", 80404 "9.1.0.M0", 80405 "9.1.0.RC0", 80406 "9.1.0.RC1", 80407 "9.1.0.RC2", 80408 "9.1.0.v20131115", 80409 "9.1.1.v20140108", 80410 "9.1.2.v20140210", 80411 "9.1.3.v20140225", 80412 "9.1.4.v20140401", 80413 "9.1.5.v20140505", 80414 "9.1.6.v20160112", 80415 "9.2.0.M0", 80416 "9.2.0.M1", 80417 "9.2.0.RC0", 80418 "9.2.0.v20140526", 80419 "9.2.1.v20140609", 80420 "9.2.10.v20150310", 80421 "9.2.11.M0", 80422 "9.2.11.v20150529", 80423 "9.2.12.M0", 80424 "9.2.12.v20150709", 80425 "9.2.13.v20150730", 80426 "9.2.14.v20151106", 80427 "9.2.15.v20160210", 80428 "9.2.16.v20160414", 80429 "9.2.17.v20160517", 80430 "9.2.18.v20160721", 80431 "9.2.19.v20160908", 80432 "9.2.2.v20140723", 80433 "9.2.20.v20161216", 80434 "9.2.21.v20170120", 80435 "9.2.22.v20170606", 80436 "9.2.23.v20171218", 80437 "9.2.24.v20180105", 80438 "9.2.25.v20180606", 80439 "9.2.26.v20180806", 80440 "9.2.27.v20190403", 80441 "9.2.28.v20190418", 80442 "9.2.29.v20191105", 80443 "9.2.3.v20140905", 80444 "9.2.30.v20200428", 80445 "9.2.4.v20141103", 80446 "9.2.5.v20141112", 80447 "9.2.6.v20141205", 80448 "9.2.7.v20150116", 80449 "9.2.8.v20150217", 80450 "9.2.9.v20150224", 80451 "9.3.0.M0", 80452 "9.3.0.M1", 80453 "9.3.0.M2", 80454 "9.3.0.RC0", 80455 "9.3.0.RC1", 80456 "9.3.0.v20150612", 80457 "9.3.1.v20150714", 80458 "9.3.10.M0", 80459 "9.3.10.v20160621", 80460 "9.3.11.M0", 80461 "9.3.11.v20160721", 80462 
"9.3.12.v20160915", 80463 "9.3.13.M0", 80464 "9.3.13.v20161014", 80465 "9.3.14.v20161028", 80466 "9.3.15.v20161220", 80467 "9.3.16.v20170120", 80468 "9.3.17.RC0", 80469 "9.3.17.v20170317", 80470 "9.3.18.v20170406", 80471 "9.3.19.v20170502", 80472 "9.3.2.v20150730", 80473 "9.3.20.v20170531", 80474 "9.3.21.M0", 80475 "9.3.21.RC0", 80476 "9.3.21.v20170918", 80477 "9.3.22.v20171030", 80478 "9.3.23.v20180228", 80479 "9.3.3.v20150827", 80480 "9.3.4.RC0", 80481 "9.3.4.RC1", 80482 "9.3.4.v20151007", 80483 "9.3.5.v20151012", 80484 "9.3.6.v20151106", 80485 "9.3.7.RC0", 80486 "9.3.7.RC1", 80487 "9.3.7.v20160115", 80488 "9.3.8.RC0", 80489 "9.3.8.v20160314", 80490 "9.3.9.M0", 80491 "9.3.9.M1", 80492 "9.3.9.v20160517" 80493 ] 80494 }, 80495 { 80496 "database_specific": { 80497 "last_known_affected_version_range": "\u003c= 9.4.10.v20180503", 80498 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-84q7-p226-4x5w/GHSA-84q7-p226-4x5w.json" 80499 }, 80500 "package": { 80501 "ecosystem": "Maven", 80502 "name": "org.eclipse.jetty:jetty-server", 80503 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 80504 }, 80505 "ranges": [ 80506 { 80507 "events": [ 80508 { 80509 "introduced": "9.4.0" 80510 }, 80511 { 80512 "fixed": "9.4.11.v20180605" 80513 } 80514 ], 80515 "type": "ECOSYSTEM" 80516 } 80517 ], 80518 "versions": [ 80519 "9.4.0.v20161208", 80520 "9.4.0.v20180619", 80521 "9.4.1.v20170120", 80522 "9.4.1.v20180619", 80523 "9.4.10.RC0", 80524 "9.4.10.RC1", 80525 "9.4.10.v20180503", 80526 "9.4.2.v20170220", 80527 "9.4.2.v20180619", 80528 "9.4.3.v20170317", 80529 "9.4.3.v20180619", 80530 "9.4.4.v20170414", 80531 "9.4.4.v20180619", 80532 "9.4.5.v20170502", 80533 "9.4.5.v20180619", 80534 "9.4.6.v20170531", 80535 "9.4.6.v20180619", 80536 "9.4.7.RC0", 80537 "9.4.7.v20170914", 80538 "9.4.7.v20180619", 80539 "9.4.8.v20171121", 80540 "9.4.8.v20180619", 80541 "9.4.9.v20180320" 80542 ] 80543 } 80544 ], 80545 "aliases": [ 80546 "CVE-2017-7656" 
80547 ], 80548 "database_specific": { 80549 "cwe_ids": [ 80550 "CWE-444" 80551 ], 80552 "github_reviewed": true, 80553 "github_reviewed_at": "2020-06-16T21:24:19Z", 80554 "nvd_published_at": "2018-06-26T15:29:00Z", 80555 "severity": "HIGH" 80556 }, 80557 "details": "Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), contain an HTTP Request Smuggling Vulnerability that can result in cache poisoning.", 80558 "id": "GHSA-84q7-p226-4x5w", 80559 "modified": "2024-02-16T08:17:36.03635Z", 80560 "published": "2018-10-19T16:16:27Z", 80561 "references": [ 80562 { 80563 "type": "ADVISORY", 80564 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7656" 80565 }, 80566 { 80567 "type": "WEB", 80568 "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667" 80569 }, 80570 { 80571 "type": "ADVISORY", 80572 "url": "https://github.com/advisories/GHSA-84q7-p226-4x5w" 80573 }, 80574 { 80575 "type": "WEB", 80576 "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" 80577 }, 80578 { 80579 "type": "WEB", 80580 "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" 80581 }, 80582 { 80583 "type": "WEB", 80584 "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" 80585 }, 80586 { 80587 "type": "WEB", 80588 "url": "https://lists.apache.org/thread.html/rbf4565a0b63f9c8b07fab29352a97bbffe76ecafed8b8555c15b83c6@%3Cissues.maven.apache.org%3E" 80589 }, 80590 { 80591 "type": "WEB", 80592 "url": "https://security.netapp.com/advisory/ntap-20181014-0001" 80593 }, 80594 { 80595 "type": "WEB", 80596 "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03953en_us" 80597 }, 80598 { 80599 "type": "WEB", 80600 "url": 
"https://www.debian.org/security/2018/dsa-4278" 80601 }, 80602 { 80603 "type": "WEB", 80604 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 80605 }, 80606 { 80607 "type": "WEB", 80608 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 80609 }, 80610 { 80611 "type": "WEB", 80612 "url": "http://www.securitytracker.com/id/1041194" 80613 } 80614 ], 80615 "schema_version": "1.6.0", 80616 "severity": [ 80617 { 80618 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 80619 "type": "CVSS_V3" 80620 } 80621 ], 80622 "summary": "Jetty vulnerable to cache poisoning due to inconsistent HTTP request handling (HTTP Request Smuggling)" 80623 }, 80624 { 80625 "affected": [ 80626 { 80627 "database_specific": { 80628 "last_known_affected_version_range": "\u003c= 9.4.34", 80629 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/12/GHSA-86wm-rrjm-8wh8/GHSA-86wm-rrjm-8wh8.json" 80630 }, 80631 "package": { 80632 "ecosystem": "Maven", 80633 "name": "org.eclipse.jetty:jetty-server", 80634 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 80635 }, 80636 "ranges": [ 80637 { 80638 "events": [ 80639 { 80640 "introduced": "9.4.0" 80641 }, 80642 { 80643 "fixed": "9.4.35.v20201120" 80644 } 80645 ], 80646 "type": "ECOSYSTEM" 80647 } 80648 ], 80649 "versions": [ 80650 "9.4.0.v20161208", 80651 "9.4.0.v20180619", 80652 "9.4.1.v20170120", 80653 "9.4.1.v20180619", 80654 "9.4.10.RC0", 80655 "9.4.10.RC1", 80656 "9.4.10.v20180503", 80657 "9.4.11.v20180605", 80658 "9.4.12.RC0", 80659 "9.4.12.RC1", 80660 "9.4.12.RC2", 80661 "9.4.12.v20180830", 80662 "9.4.13.v20181111", 80663 "9.4.14.v20181114", 80664 "9.4.15.v20190215", 80665 "9.4.16.v20190411", 80666 "9.4.17.v20190418", 80667 "9.4.18.v20190429", 80668 "9.4.19.v20190610", 80669 "9.4.2.v20170220", 80670 "9.4.2.v20180619", 80671 "9.4.20.v20190813", 80672 "9.4.21.v20190926", 80673 "9.4.22.v20191022", 80674 "9.4.23.v20191118", 80675 "9.4.24.v20191120", 80676 
"9.4.25.v20191220", 80677 "9.4.26.v20200117", 80678 "9.4.27.v20200227", 80679 "9.4.28.v20200408", 80680 "9.4.29.v20200521", 80681 "9.4.3.v20170317", 80682 "9.4.3.v20180619", 80683 "9.4.30.v20200611", 80684 "9.4.31.v20200723", 80685 "9.4.32.v20200930", 80686 "9.4.33.v20201020", 80687 "9.4.34.v20201102", 80688 "9.4.4.v20170414", 80689 "9.4.4.v20180619", 80690 "9.4.5.v20170502", 80691 "9.4.5.v20180619", 80692 "9.4.6.v20170531", 80693 "9.4.6.v20180619", 80694 "9.4.7.RC0", 80695 "9.4.7.v20170914", 80696 "9.4.7.v20180619", 80697 "9.4.8.v20171121", 80698 "9.4.8.v20180619", 80699 "9.4.9.v20180320" 80700 ] 80701 } 80702 ], 80703 "aliases": [ 80704 "BIT-kafka-2020-27218", 80705 "BIT-spark-2020-27218", 80706 "CVE-2020-27218" 80707 ], 80708 "database_specific": { 80709 "cwe_ids": [ 80710 "CWE-226" 80711 ], 80712 "github_reviewed": true, 80713 "github_reviewed_at": "2020-12-02T02:25:41Z", 80714 "nvd_published_at": "2020-11-28T01:15:00Z", 80715 "severity": "MODERATE" 80716 }, 80717 "details": "### Impact\nIf GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection and if an \nattacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request\non the same connection will see that body prepended to its body.\n\nThe attacker will not see any data, but may inject data into the body of the subsequent request.\n\nCVE score is [4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\u0026version=3.1)\n\n### Workarounds\nThe problem can be worked around by either:\n- Disabling compressed request body inflation by GzipHandler.\n- By always fully consuming the request content before sending a response.\n- By adding a `Connection: close` to any response where the servlet does not fully consume request content.", 80718 "id": "GHSA-86wm-rrjm-8wh8", 80719 "modified": 
"2024-03-10T05:31:38.566956Z", 80720 "published": "2020-12-02T18:28:18Z", 80721 "references": [ 80722 { 80723 "type": "WEB", 80724 "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-86wm-rrjm-8wh8" 80725 }, 80726 { 80727 "type": "ADVISORY", 80728 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27218" 80729 }, 80730 { 80731 "type": "WEB", 80732 "url": "https://lists.apache.org/thread.html/rbbd003149f929b0e2fe58fb315de1658e98377225632e7e4239323fb@%3Ccommits.kafka.apache.org%3E" 80733 }, 80734 { 80735 "type": "WEB", 80736 "url": "https://lists.apache.org/thread.html/rbbd003149f929b0e2fe58fb315de1658e98377225632e7e4239323fb%40%3Ccommits.kafka.apache.org%3E" 80737 }, 80738 { 80739 "type": "WEB", 80740 "url": "https://lists.apache.org/thread.html/rba4bca48d2cdfa8c08afc368a9cc4572ec85a5915ba29b8a194bf505@%3Creviews.spark.apache.org%3E" 80741 }, 80742 { 80743 "type": "WEB", 80744 "url": "https://lists.apache.org/thread.html/rba4bca48d2cdfa8c08afc368a9cc4572ec85a5915ba29b8a194bf505%40%3Creviews.spark.apache.org%3E" 80745 }, 80746 { 80747 "type": "WEB", 80748 "url": "https://lists.apache.org/thread.html/rb8f413dc923070919b09db3ac87d079a2dcc6f0adfbb029e206a7930@%3Cnotifications.zookeeper.apache.org%3E" 80749 }, 80750 { 80751 "type": "WEB", 80752 "url": "https://lists.apache.org/thread.html/rb8f413dc923070919b09db3ac87d079a2dcc6f0adfbb029e206a7930%40%3Cnotifications.zookeeper.apache.org%3E" 80753 }, 80754 { 80755 "type": "WEB", 80756 "url": "https://lists.apache.org/thread.html/rb6a3866c02ac4446451c7d9dceab2373b6d32fb058f9085c6143de30@%3Creviews.spark.apache.org%3E" 80757 }, 80758 { 80759 "type": "WEB", 80760 "url": "https://lists.apache.org/thread.html/rb6a3866c02ac4446451c7d9dceab2373b6d32fb058f9085c6143de30%40%3Creviews.spark.apache.org%3E" 80761 }, 80762 { 80763 "type": "WEB", 80764 "url": "https://lists.apache.org/thread.html/rb4ca79d1af5237108ce8770b7c46ca78095f62ef21331d9d06142388@%3Cjira.kafka.apache.org%3E" 80765 }, 80766 { 80767 "type": 
"WEB", 80768 "url": "https://lists.apache.org/thread.html/rb4ca79d1af5237108ce8770b7c46ca78095f62ef21331d9d06142388%40%3Cjira.kafka.apache.org%3E" 80769 }, 80770 { 80771 "type": "WEB", 80772 "url": "https://lists.apache.org/thread.html/racf9e6ad2482cb9b1e3e1b2c1b443d9d5cf14055fb54dec3d2dcce91@%3Creviews.spark.apache.org%3E" 80773 }, 80774 { 80775 "type": "WEB", 80776 "url": "https://lists.apache.org/thread.html/racf9e6ad2482cb9b1e3e1b2c1b443d9d5cf14055fb54dec3d2dcce91%40%3Creviews.spark.apache.org%3E" 80777 }, 80778 { 80779 "type": "WEB", 80780 "url": "https://lists.apache.org/thread.html/racd55c9b704aa68cfb4436f17739b612b5d4f887155e04ed521a4b67@%3Cdev.kafka.apache.org%3E" 80781 }, 80782 { 80783 "type": "WEB", 80784 "url": "https://lists.apache.org/thread.html/racd55c9b704aa68cfb4436f17739b612b5d4f887155e04ed521a4b67%40%3Cdev.kafka.apache.org%3E" 80785 }, 80786 { 80787 "type": "WEB", 80788 "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=568892" 80789 }, 80790 { 80791 "type": "WEB", 80792 "url": "https://lists.apache.org/thread.html/rbc5a8d7a0a13bc8152d427a7e9097cdeb139c6cfe111b2f00f26d16b%40%3Cissues.zookeeper.apache.org%3E" 80793 }, 80794 { 80795 "type": "WEB", 80796 "url": "https://lists.apache.org/thread.html/rbc5a8d7a0a13bc8152d427a7e9097cdeb139c6cfe111b2f00f26d16b@%3Cissues.zookeeper.apache.org%3E" 80797 }, 80798 { 80799 "type": "WEB", 80800 "url": "https://lists.apache.org/thread.html/rbe3f2e0a3c38ed9cbef81507b7cc6e523341865e30dc15c7503adc76%40%3Cissues.spark.apache.org%3E" 80801 }, 80802 { 80803 "type": "WEB", 80804 "url": "https://lists.apache.org/thread.html/rbe3f2e0a3c38ed9cbef81507b7cc6e523341865e30dc15c7503adc76@%3Cissues.spark.apache.org%3E" 80805 }, 80806 { 80807 "type": "WEB", 80808 "url": "https://lists.apache.org/thread.html/rbea4d456d88b043be86739ab0200ad06ba5a7921064411c098f79831%40%3Cjira.kafka.apache.org%3E" 80809 }, 80810 { 80811 "type": "WEB", 80812 "url": 
"https://lists.apache.org/thread.html/rbea4d456d88b043be86739ab0200ad06ba5a7921064411c098f79831@%3Cjira.kafka.apache.org%3E" 80813 }, 80814 { 80815 "type": "WEB", 80816 "url": "https://lists.apache.org/thread.html/rc0e35f4e8a8a36127e3ae7a67f325a3a6a4dbe05034130fb04b6f3b6%40%3Cnotifications.zookeeper.apache.org%3E" 80817 }, 80818 { 80819 "type": "WEB", 80820 "url": "https://lists.apache.org/thread.html/rc0e35f4e8a8a36127e3ae7a67f325a3a6a4dbe05034130fb04b6f3b6@%3Cnotifications.zookeeper.apache.org%3E" 80821 }, 80822 { 80823 "type": "WEB", 80824 "url": "https://lists.apache.org/thread.html/rc1de630c6ed9a958d9f811e816d6d8efb6ca94aed0869bc5cda9d7f8%40%3Cissues.zookeeper.apache.org%3E" 80825 }, 80826 { 80827 "type": "WEB", 80828 "url": "https://lists.apache.org/thread.html/rc1de630c6ed9a958d9f811e816d6d8efb6ca94aed0869bc5cda9d7f8@%3Cissues.zookeeper.apache.org%3E" 80829 }, 80830 { 80831 "type": "WEB", 80832 "url": "https://lists.apache.org/thread.html/rc2b603b7fa7f8dbfe0b3b59a6140b4d66868db3bf4b29d69a772d72a%40%3Cdev.kafka.apache.org%3E" 80833 }, 80834 { 80835 "type": "WEB", 80836 "url": "https://lists.apache.org/thread.html/rc2b603b7fa7f8dbfe0b3b59a6140b4d66868db3bf4b29d69a772d72a@%3Cdev.kafka.apache.org%3E" 80837 }, 80838 { 80839 "type": "WEB", 80840 "url": "https://lists.apache.org/thread.html/rc91c405c08b529b7292c75d9bd497849db700a1297fe3432990f6774%40%3Cnotifications.zookeeper.apache.org%3E" 80841 }, 80842 { 80843 "type": "WEB", 80844 "url": "https://lists.apache.org/thread.html/rc91c405c08b529b7292c75d9bd497849db700a1297fe3432990f6774@%3Cnotifications.zookeeper.apache.org%3E" 80845 }, 80846 { 80847 "type": "WEB", 80848 "url": "https://lists.apache.org/thread.html/r8ed14a84656fa0bb8df3bf9373c5be80f47ceac1e2ff068ee734fdb3%40%3Creviews.spark.apache.org%3E" 80849 }, 80850 { 80851 "type": "WEB", 80852 "url": "https://lists.apache.org/thread.html/r8ed14a84656fa0bb8df3bf9373c5be80f47ceac1e2ff068ee734fdb3@%3Creviews.spark.apache.org%3E" 80853 }, 80854 { 80855 "type": 
"WEB", 80856 "url": "https://lists.apache.org/thread.html/r8eea4c7797e701f6494c72942dd89f471cda4c2c6e9abbaf05d113d8%40%3Creviews.spark.apache.org%3E" 80857 }, 80858 { 80859 "type": "WEB", 80860 "url": "https://lists.apache.org/thread.html/r8eea4c7797e701f6494c72942dd89f471cda4c2c6e9abbaf05d113d8@%3Creviews.spark.apache.org%3E" 80861 }, 80862 { 80863 "type": "WEB", 80864 "url": "https://lists.apache.org/thread.html/r8f5b144e7a7c2b338f01139d891abbaba12a8173ee01110d21bd0b4d%40%3Cnotifications.zookeeper.apache.org%3E" 80865 }, 80866 { 80867 "type": "WEB", 80868 "url": "https://lists.apache.org/thread.html/r8f5b144e7a7c2b338f01139d891abbaba12a8173ee01110d21bd0b4d@%3Cnotifications.zookeeper.apache.org%3E" 80869 }, 80870 { 80871 "type": "WEB", 80872 "url": "https://lists.apache.org/thread.html/r8fee46fd9f1254150cc55eecf1ea6a448fca1f7cf1d1e7f9c4803fdb%40%3Cnotifications.zookeeper.apache.org%3E" 80873 }, 80874 { 80875 "type": "WEB", 80876 "url": "https://lists.apache.org/thread.html/r8fee46fd9f1254150cc55eecf1ea6a448fca1f7cf1d1e7f9c4803fdb@%3Cnotifications.zookeeper.apache.org%3E" 80877 }, 80878 { 80879 "type": "WEB", 80880 "url": "https://lists.apache.org/thread.html/r94230f46b91c364d39922a8ba0cfe12b8dba1556b14792719a7d921f%40%3Creviews.spark.apache.org%3E" 80881 }, 80882 { 80883 "type": "WEB", 80884 "url": "https://lists.apache.org/thread.html/r94230f46b91c364d39922a8ba0cfe12b8dba1556b14792719a7d921f@%3Creviews.spark.apache.org%3E" 80885 }, 80886 { 80887 "type": "WEB", 80888 "url": "https://lists.apache.org/thread.html/r942e21ee90e2617a00a08b17b0ac2db961959bec969b91df61584d38%40%3Cdev.kafka.apache.org%3E" 80889 }, 80890 { 80891 "type": "WEB", 80892 "url": "https://lists.apache.org/thread.html/r942e21ee90e2617a00a08b17b0ac2db961959bec969b91df61584d38@%3Cdev.kafka.apache.org%3E" 80893 }, 80894 { 80895 "type": "WEB", 80896 "url": "https://lists.apache.org/thread.html/r964d226dd08527fddd7a44410c50daa9d34d398e5c4793f1d7e19da8%40%3Ccommits.zookeeper.apache.org%3E" 80897 }, 
80898 { 80899 "type": "WEB", 80900 "url": "https://lists.apache.org/thread.html/r964d226dd08527fddd7a44410c50daa9d34d398e5c4793f1d7e19da8@%3Ccommits.zookeeper.apache.org%3E" 80901 }, 80902 { 80903 "type": "WEB", 80904 "url": "https://lists.apache.org/thread.html/r96ef6d20c5bd3d42dab500bac56a427e1dce00cf85b083987617643d%40%3Cissues.hbase.apache.org%3E" 80905 }, 80906 { 80907 "type": "WEB", 80908 "url": "https://lists.apache.org/thread.html/r96ef6d20c5bd3d42dab500bac56a427e1dce00cf85b083987617643d@%3Cissues.hbase.apache.org%3E" 80909 }, 80910 { 80911 "type": "WEB", 80912 "url": "https://lists.apache.org/thread.html/r990e0296b188d4530d1053882f687fa4f938f108425db2999a180944%40%3Ccommits.kafka.apache.org%3E" 80913 }, 80914 { 80915 "type": "WEB", 80916 "url": "https://lists.apache.org/thread.html/r990e0296b188d4530d1053882f687fa4f938f108425db2999a180944@%3Ccommits.kafka.apache.org%3E" 80917 }, 80918 { 80919 "type": "WEB", 80920 "url": "https://lists.apache.org/thread.html/r9b46505868794fba04d401956304e63e4d8e39bdc118d30e5e87dcd9%40%3Creviews.spark.apache.org%3E" 80921 }, 80922 { 80923 "type": "WEB", 80924 "url": "https://lists.apache.org/thread.html/r9b46505868794fba04d401956304e63e4d8e39bdc118d30e5e87dcd9@%3Creviews.spark.apache.org%3E" 80925 }, 80926 { 80927 "type": "WEB", 80928 "url": "https://lists.apache.org/thread.html/r9d7a86fb0b45e5b1855d4df83a5820eef813d55eae3edf224f3d5055%40%3Cnotifications.zookeeper.apache.org%3E" 80929 }, 80930 { 80931 "type": "WEB", 80932 "url": "https://lists.apache.org/thread.html/r9d7a86fb0b45e5b1855d4df83a5820eef813d55eae3edf224f3d5055@%3Cnotifications.zookeeper.apache.org%3E" 80933 }, 80934 { 80935 "type": "WEB", 80936 "url": "https://lists.apache.org/thread.html/r9f571b086965b35d4e91e47fb67c27b42b62762248b4900ba723599f%40%3Cnotifications.zookeeper.apache.org%3E" 80937 }, 80938 { 80939 "type": "WEB", 80940 "url": 
"https://lists.apache.org/thread.html/r9f571b086965b35d4e91e47fb67c27b42b62762248b4900ba723599f@%3Cnotifications.zookeeper.apache.org%3E" 80941 }, 80942 { 80943 "type": "WEB", 80944 "url": "https://lists.apache.org/thread.html/ra09a653997cbf10aab8c0deabc0fa49f5a8a8ce4305ce9089b98485f%40%3Creviews.spark.apache.org%3E" 80945 }, 80946 { 80947 "type": "WEB", 80948 "url": "https://lists.apache.org/thread.html/ra09a653997cbf10aab8c0deabc0fa49f5a8a8ce4305ce9089b98485f@%3Creviews.spark.apache.org%3E" 80949 }, 80950 { 80951 "type": "WEB", 80952 "url": "https://lists.apache.org/thread.html/ra1c234f045871827f73e4d68326b067e72d3139e109207345fa57d9e%40%3Cdev.kafka.apache.org%3E" 80953 }, 80954 { 80955 "type": "WEB", 80956 "url": "https://lists.apache.org/thread.html/ra1c234f045871827f73e4d68326b067e72d3139e109207345fa57d9e@%3Cdev.kafka.apache.org%3E" 80957 }, 80958 { 80959 "type": "WEB", 80960 "url": "https://lists.apache.org/thread.html/re4ae7ada52c5ecfe805eb86ddc0af399ec8a57bfb0d8c632b8723b88%40%3Cdev.hbase.apache.org%3E" 80961 }, 80962 { 80963 "type": "WEB", 80964 "url": "https://lists.apache.org/thread.html/re4ae7ada52c5ecfe805eb86ddc0af399ec8a57bfb0d8c632b8723b88@%3Cdev.hbase.apache.org%3E" 80965 }, 80966 { 80967 "type": "WEB", 80968 "url": "https://lists.apache.org/thread.html/re4e67541a0a25a8589e89f52f8cd163c863fe04b59e048f9f1a04958%40%3Ccommits.hbase.apache.org%3E" 80969 }, 80970 { 80971 "type": "WEB", 80972 "url": "https://lists.apache.org/thread.html/re4e67541a0a25a8589e89f52f8cd163c863fe04b59e048f9f1a04958@%3Ccommits.hbase.apache.org%3E" 80973 }, 80974 { 80975 "type": "WEB", 80976 "url": "https://lists.apache.org/thread.html/re86a6ba09dc74e709db843e3561ead923c8fd1cba32343656dd8c44b%40%3Cnotifications.zookeeper.apache.org%3E" 80977 }, 80978 { 80979 "type": "WEB", 80980 "url": "https://lists.apache.org/thread.html/re86a6ba09dc74e709db843e3561ead923c8fd1cba32343656dd8c44b@%3Cnotifications.zookeeper.apache.org%3E" 80981 }, 80982 { 80983 "type": "WEB", 80984 "url": 
"https://lists.apache.org/thread.html/re9214a4232b7ae204288c283bcee4e39f07da6cc34798e9217ba4eb6%40%3Cissues.hbase.apache.org%3E" 80985 }, 80986 { 80987 "type": "WEB", 80988 "url": "https://lists.apache.org/thread.html/re9214a4232b7ae204288c283bcee4e39f07da6cc34798e9217ba4eb6@%3Cissues.hbase.apache.org%3E" 80989 }, 80990 { 80991 "type": "WEB", 80992 "url": "https://lists.apache.org/thread.html/reb75282901d0969ba6582725ce8672070715d0773f6ff54dedd60156%40%3Creviews.spark.apache.org%3E" 80993 }, 80994 { 80995 "type": "WEB", 80996 "url": "https://lists.apache.org/thread.html/reb75282901d0969ba6582725ce8672070715d0773f6ff54dedd60156@%3Creviews.spark.apache.org%3E" 80997 }, 80998 { 80999 "type": "WEB", 81000 "url": "https://lists.apache.org/thread.html/ree677ff289ba9a90850f2e3ba7279555df1a170263ba39c5272db236%40%3Cnotifications.zookeeper.apache.org%3E" 81001 }, 81002 { 81003 "type": "WEB", 81004 "url": "https://lists.apache.org/thread.html/ree677ff289ba9a90850f2e3ba7279555df1a170263ba39c5272db236@%3Cnotifications.zookeeper.apache.org%3E" 81005 }, 81006 { 81007 "type": "WEB", 81008 "url": "https://lists.apache.org/thread.html/rf0181750e321518c8afa8001e0529d50a9447714ef4f58d98af57904%40%3Creviews.spark.apache.org%3E" 81009 }, 81010 { 81011 "type": "WEB", 81012 "url": "https://lists.apache.org/thread.html/rf0181750e321518c8afa8001e0529d50a9447714ef4f58d98af57904@%3Creviews.spark.apache.org%3E" 81013 }, 81014 { 81015 "type": "WEB", 81016 "url": "https://lists.apache.org/thread.html/rf273267fa2e49314643af3141cec239f97d41de8a59be4ef7e10c65a%40%3Creviews.spark.apache.org%3E" 81017 }, 81018 { 81019 "type": "WEB", 81020 "url": "https://lists.apache.org/thread.html/rf273267fa2e49314643af3141cec239f97d41de8a59be4ef7e10c65a@%3Creviews.spark.apache.org%3E" 81021 }, 81022 { 81023 "type": "WEB", 81024 "url": "https://lists.apache.org/thread.html/rf31e24700f725ef81bc5a2e0444a60e1f295ed0a54c0098362a7bdfa%40%3Creviews.spark.apache.org%3E" 81025 }, 81026 { 81027 "type": "WEB", 81028 "url": 
"https://lists.apache.org/thread.html/rf31e24700f725ef81bc5a2e0444a60e1f295ed0a54c0098362a7bdfa@%3Creviews.spark.apache.org%3E" 81029 }, 81030 { 81031 "type": "WEB", 81032 "url": "https://lists.apache.org/thread.html/rfa34d2a3e423421a4a1354cf457edba2ce78cee2d3ebd8aab151a559%40%3Cdev.kafka.apache.org%3E" 81033 }, 81034 { 81035 "type": "WEB", 81036 "url": "https://lists.apache.org/thread.html/rfa34d2a3e423421a4a1354cf457edba2ce78cee2d3ebd8aab151a559@%3Cdev.kafka.apache.org%3E" 81037 }, 81038 { 81039 "type": "WEB", 81040 "url": "https://lists.apache.org/thread.html/rfa8879a713480b206c152334419499e6af0878c36217abcc9ab4f0d1%40%3Cnotifications.zookeeper.apache.org%3E" 81041 }, 81042 { 81043 "type": "WEB", 81044 "url": "https://lists.apache.org/thread.html/rfa8879a713480b206c152334419499e6af0878c36217abcc9ab4f0d1@%3Cnotifications.zookeeper.apache.org%3E" 81045 }, 81046 { 81047 "type": "WEB", 81048 "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html" 81049 }, 81050 { 81051 "type": "WEB", 81052 "url": "https://security.netapp.com/advisory/ntap-20201218-0003" 81053 }, 81054 { 81055 "type": "WEB", 81056 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 81057 }, 81058 { 81059 "type": "WEB", 81060 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 81061 }, 81062 { 81063 "type": "WEB", 81064 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 81065 }, 81066 { 81067 "type": "WEB", 81068 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 81069 }, 81070 { 81071 "type": "WEB", 81072 "url": "https://lists.apache.org/thread.html/rcbc408088ae99dc3167ea293a562a3a9a7295a20e9a1bfc93e43ae1b%40%3Cissues.hbase.apache.org%3E" 81073 }, 81074 { 81075 "type": "WEB", 81076 "url": "https://lists.apache.org/thread.html/rcbc408088ae99dc3167ea293a562a3a9a7295a20e9a1bfc93e43ae1b@%3Cissues.hbase.apache.org%3E" 81077 }, 81078 { 81079 "type": "WEB", 81080 "url": 
"https://lists.apache.org/thread.html/rccc7ba8c51d662e13496df20466d27dbab54d7001e9e7b2f31468a9e%40%3Cissues.hbase.apache.org%3E" 81081 }, 81082 { 81083 "type": "WEB", 81084 "url": "https://lists.apache.org/thread.html/rccc7ba8c51d662e13496df20466d27dbab54d7001e9e7b2f31468a9e@%3Cissues.hbase.apache.org%3E" 81085 }, 81086 { 81087 "type": "WEB", 81088 "url": "https://lists.apache.org/thread.html/rce9e232a663d8405c003fe83d5c86c27d1ed65561f3690e824717bc4%40%3Cissues.hbase.apache.org%3E" 81089 }, 81090 { 81091 "type": "WEB", 81092 "url": "https://lists.apache.org/thread.html/rce9e232a663d8405c003fe83d5c86c27d1ed65561f3690e824717bc4@%3Cissues.hbase.apache.org%3E" 81093 }, 81094 { 81095 "type": "WEB", 81096 "url": "https://lists.apache.org/thread.html/rcf7b5818f71bb97fd695eb0f54f8f4f69e15cc5f9ec761ea8be0d0d3%40%3Creviews.spark.apache.org%3E" 81097 }, 81098 { 81099 "type": "WEB", 81100 "url": "https://lists.apache.org/thread.html/rcf7b5818f71bb97fd695eb0f54f8f4f69e15cc5f9ec761ea8be0d0d3@%3Creviews.spark.apache.org%3E" 81101 }, 81102 { 81103 "type": "WEB", 81104 "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E" 81105 }, 81106 { 81107 "type": "WEB", 81108 "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E" 81109 }, 81110 { 81111 "type": "WEB", 81112 "url": "https://lists.apache.org/thread.html/rd20651e102cb6742a9d9322ea7b5fc3ab60a7ffecb50fa9157cbf176%40%3Cjira.kafka.apache.org%3E" 81113 }, 81114 { 81115 "type": "WEB", 81116 "url": "https://lists.apache.org/thread.html/rd20651e102cb6742a9d9322ea7b5fc3ab60a7ffecb50fa9157cbf176@%3Cjira.kafka.apache.org%3E" 81117 }, 81118 { 81119 "type": "WEB", 81120 "url": "https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc1234e3debb94515796b%40%3Cjira.kafka.apache.org%3E" 81121 }, 81122 { 81123 "type": "WEB", 81124 "url": 
"https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc1234e3debb94515796b@%3Cjira.kafka.apache.org%3E" 81125 }, 81126 { 81127 "type": "WEB", 81128 "url": "https://lists.apache.org/thread.html/rd9a960429741406f6557fa344a13d50a0c9976dac2e4c46bb54b32d7%40%3Creviews.spark.apache.org%3E" 81129 }, 81130 { 81131 "type": "WEB", 81132 "url": "https://lists.apache.org/thread.html/rd9a960429741406f6557fa344a13d50a0c9976dac2e4c46bb54b32d7@%3Creviews.spark.apache.org%3E" 81133 }, 81134 { 81135 "type": "WEB", 81136 "url": "https://lists.apache.org/thread.html/rdbdbb4e51f8857e082b464cd128decd7263cf0fb8557f12993562c56%40%3Creviews.spark.apache.org%3E" 81137 }, 81138 { 81139 "type": "WEB", 81140 "url": "https://lists.apache.org/thread.html/rdbdbb4e51f8857e082b464cd128decd7263cf0fb8557f12993562c56@%3Creviews.spark.apache.org%3E" 81141 }, 81142 { 81143 "type": "WEB", 81144 "url": "https://lists.apache.org/thread.html/rdde0ad0a03eec962c56b46e70e225918ea2368dcc3fd3488741fad53%40%3Cnotifications.zookeeper.apache.org%3E" 81145 }, 81146 { 81147 "type": "WEB", 81148 "url": "https://lists.apache.org/thread.html/rdde0ad0a03eec962c56b46e70e225918ea2368dcc3fd3488741fad53@%3Cnotifications.zookeeper.apache.org%3E" 81149 }, 81150 { 81151 "type": "WEB", 81152 "url": "https://lists.apache.org/thread.html/rde11c433675143d8d27551c3d9e821fe1955f1551a518033d3716553%40%3Cdev.zookeeper.apache.org%3E" 81153 }, 81154 { 81155 "type": "WEB", 81156 "url": "https://lists.apache.org/thread.html/rde11c433675143d8d27551c3d9e821fe1955f1551a518033d3716553@%3Cdev.zookeeper.apache.org%3E" 81157 }, 81158 { 81159 "type": "WEB", 81160 "url": "https://lists.apache.org/thread.html/re014afaa14f4df9d33912ab64dc57249e1c170c7448d7175c6d014ff%40%3Cissues.spark.apache.org%3E" 81161 }, 81162 { 81163 "type": "WEB", 81164 "url": "https://lists.apache.org/thread.html/re014afaa14f4df9d33912ab64dc57249e1c170c7448d7175c6d014ff@%3Cissues.spark.apache.org%3E" 81165 }, 81166 { 81167 "type": "WEB", 81168 "url": 
"https://lists.apache.org/thread.html/re03a566114435a8cc8eb72158242b0f560c5eeccbb4ee98d22de8373%40%3Cnotifications.zookeeper.apache.org%3E" 81169 }, 81170 { 81171 "type": "WEB", 81172 "url": "https://lists.apache.org/thread.html/re03a566114435a8cc8eb72158242b0f560c5eeccbb4ee98d22de8373@%3Cnotifications.zookeeper.apache.org%3E" 81173 }, 81174 { 81175 "type": "WEB", 81176 "url": "https://lists.apache.org/thread.html/re3918edd403b0d3857a13ef2ccf3d2bc0231f3b8758e2a5777ea1cd3%40%3Creviews.spark.apache.org%3E" 81177 }, 81178 { 81179 "type": "WEB", 81180 "url": "https://lists.apache.org/thread.html/re3918edd403b0d3857a13ef2ccf3d2bc0231f3b8758e2a5777ea1cd3@%3Creviews.spark.apache.org%3E" 81181 }, 81182 { 81183 "type": "WEB", 81184 "url": "https://lists.apache.org/thread.html/r2a57c7bbf36afc87f8ad9e1dd2f53a08e85a1b531283fc2efce4fe17@%3Ccommits.zookeeper.apache.org%3E" 81185 }, 81186 { 81187 "type": "WEB", 81188 "url": "https://lists.apache.org/thread.html/r2f168fd22c071bdd95ec696e45d2a01e928b9fcadbe94fbabeb1549d%40%3Cissues.hbase.apache.org%3E" 81189 }, 81190 { 81191 "type": "WEB", 81192 "url": "https://lists.apache.org/thread.html/r2f168fd22c071bdd95ec696e45d2a01e928b9fcadbe94fbabeb1549d@%3Cissues.hbase.apache.org%3E" 81193 }, 81194 { 81195 "type": "WEB", 81196 "url": "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059%40%3Cjira.kafka.apache.org%3E" 81197 }, 81198 { 81199 "type": "WEB", 81200 "url": "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059@%3Cjira.kafka.apache.org%3E" 81201 }, 81202 { 81203 "type": "WEB", 81204 "url": "https://lists.apache.org/thread.html/r2ffe719224cbe5897f2d06dd22fc77fa12377c39efe9de0c3bf3f837%40%3Cissues.hbase.apache.org%3E" 81205 }, 81206 { 81207 "type": "WEB", 81208 "url": "https://lists.apache.org/thread.html/r2ffe719224cbe5897f2d06dd22fc77fa12377c39efe9de0c3bf3f837@%3Cissues.hbase.apache.org%3E" 81209 }, 81210 { 81211 "type": "WEB", 81212 "url": 
"https://lists.apache.org/thread.html/r306c8e5aad1b9afc0c9278430fb571950fbb3ab7dd5d369eb618ffa4%40%3Cissues.spark.apache.org%3E" 81213 }, 81214 { 81215 "type": "WEB", 81216 "url": "https://lists.apache.org/thread.html/r306c8e5aad1b9afc0c9278430fb571950fbb3ab7dd5d369eb618ffa4@%3Cissues.spark.apache.org%3E" 81217 }, 81218 { 81219 "type": "WEB", 81220 "url": "https://lists.apache.org/thread.html/r32a25679d97bf5969d130f8e9b3a3fc54110095397d89952e93dbeb0%40%3Creviews.spark.apache.org%3E" 81221 }, 81222 { 81223 "type": "WEB", 81224 "url": "https://lists.apache.org/thread.html/r32a25679d97bf5969d130f8e9b3a3fc54110095397d89952e93dbeb0@%3Creviews.spark.apache.org%3E" 81225 }, 81226 { 81227 "type": "WEB", 81228 "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E" 81229 }, 81230 { 81231 "type": "WEB", 81232 "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E" 81233 }, 81234 { 81235 "type": "WEB", 81236 "url": "https://lists.apache.org/thread.html/r3554a4f192db6008c03f2c6c3e0f1691a9b0d615ce955ef67a876ff7%40%3Cjira.kafka.apache.org%3E" 81237 }, 81238 { 81239 "type": "WEB", 81240 "url": "https://lists.apache.org/thread.html/r3554a4f192db6008c03f2c6c3e0f1691a9b0d615ce955ef67a876ff7@%3Cjira.kafka.apache.org%3E" 81241 }, 81242 { 81243 "type": "WEB", 81244 "url": "https://lists.apache.org/thread.html/r3807b1c54066797c4870e03bd2376bdcce9c7c4e6143499f53cd9ca2%40%3Cissues.hbase.apache.org%3E" 81245 }, 81246 { 81247 "type": "WEB", 81248 "url": "https://lists.apache.org/thread.html/r3807b1c54066797c4870e03bd2376bdcce9c7c4e6143499f53cd9ca2@%3Cissues.hbase.apache.org%3E" 81249 }, 81250 { 81251 "type": "WEB", 81252 "url": "https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E" 81253 }, 81254 { 81255 "type": "WEB", 81256 "url": 
"https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E" 81257 }, 81258 { 81259 "type": "WEB", 81260 "url": "https://lists.apache.org/thread.html/r391d20ab6ec03d6becc7a9f0c5e0f45a7ad8af6b996ae0a49839f6bd%40%3Cjira.kafka.apache.org%3E" 81261 }, 81262 { 81263 "type": "WEB", 81264 "url": "https://lists.apache.org/thread.html/r391d20ab6ec03d6becc7a9f0c5e0f45a7ad8af6b996ae0a49839f6bd@%3Cjira.kafka.apache.org%3E" 81265 }, 81266 { 81267 "type": "WEB", 81268 "url": "https://lists.apache.org/thread.html/r39f1b1be8e5c0935f7c515eedf907909474bad15185125daacb36d50%40%3Creviews.spark.apache.org%3E" 81269 }, 81270 { 81271 "type": "WEB", 81272 "url": "https://lists.apache.org/thread.html/r39f1b1be8e5c0935f7c515eedf907909474bad15185125daacb36d50@%3Creviews.spark.apache.org%3E" 81273 }, 81274 { 81275 "type": "WEB", 81276 "url": "https://lists.apache.org/thread.html/r3b7c8bc7a1cb8acdcf7753f436564d289d22f2906e934d1b11de3a40%40%3Creviews.spark.apache.org%3E" 81277 }, 81278 { 81279 "type": "WEB", 81280 "url": "https://lists.apache.org/thread.html/r3b7c8bc7a1cb8acdcf7753f436564d289d22f2906e934d1b11de3a40@%3Creviews.spark.apache.org%3E" 81281 }, 81282 { 81283 "type": "WEB", 81284 "url": "https://lists.apache.org/thread.html/r3d43529452c5a16338e8267eb911e8aedc64c3241624302e673961c1%40%3Cdev.hbase.apache.org%3E" 81285 }, 81286 { 81287 "type": "WEB", 81288 "url": "https://lists.apache.org/thread.html/r3d43529452c5a16338e8267eb911e8aedc64c3241624302e673961c1@%3Cdev.hbase.apache.org%3E" 81289 }, 81290 { 81291 "type": "WEB", 81292 "url": "https://lists.apache.org/thread.html/r46589f4228aabd5fb16135ff5bef0f77f06cdef64f9785ac3349fa02%40%3Cnotifications.zookeeper.apache.org%3E" 81293 }, 81294 { 81295 "type": "PACKAGE", 81296 "url": "https://github.com/eclipse/jetty.project" 81297 }, 81298 { 81299 "type": "WEB", 81300 "url": 
"https://lists.apache.org/thread.html/r00858fe27ee35ac8fa0e1549d67e0efb789d63b791b5300390bd8480%40%3Cjira.kafka.apache.org%3E" 81301 }, 81302 { 81303 "type": "WEB", 81304 "url": "https://lists.apache.org/thread.html/r00858fe27ee35ac8fa0e1549d67e0efb789d63b791b5300390bd8480@%3Cjira.kafka.apache.org%3E" 81305 }, 81306 { 81307 "type": "WEB", 81308 "url": "https://lists.apache.org/thread.html/r01806ad8c9cb0590584baf5b1a60237ad92e4ad5bba082ca04d98179%40%3Creviews.spark.apache.org%3E" 81309 }, 81310 { 81311 "type": "WEB", 81312 "url": "https://lists.apache.org/thread.html/r01806ad8c9cb0590584baf5b1a60237ad92e4ad5bba082ca04d98179@%3Creviews.spark.apache.org%3E" 81313 }, 81314 { 81315 "type": "WEB", 81316 "url": "https://lists.apache.org/thread.html/r05b7ffde2b8c180709e14bc9ca036407bea3ed9f09b32c4705d23a4a%40%3Cjira.kafka.apache.org%3E" 81317 }, 81318 { 81319 "type": "WEB", 81320 "url": "https://lists.apache.org/thread.html/r05b7ffde2b8c180709e14bc9ca036407bea3ed9f09b32c4705d23a4a@%3Cjira.kafka.apache.org%3E" 81321 }, 81322 { 81323 "type": "WEB", 81324 "url": "https://lists.apache.org/thread.html/r078c1203e48089b2c934b9f86b61bebe8c049e0ea6273b124f349988%40%3Cissues.hbase.apache.org%3E" 81325 }, 81326 { 81327 "type": "WEB", 81328 "url": "https://lists.apache.org/thread.html/r078c1203e48089b2c934b9f86b61bebe8c049e0ea6273b124f349988@%3Cissues.hbase.apache.org%3E" 81329 }, 81330 { 81331 "type": "WEB", 81332 "url": "https://lists.apache.org/thread.html/r0d2de2ab5558da68b504bd30db74da1d97dc152a857f5b7e462288ab%40%3Cissues.spark.apache.org%3E" 81333 }, 81334 { 81335 "type": "WEB", 81336 "url": "https://lists.apache.org/thread.html/r0d2de2ab5558da68b504bd30db74da1d97dc152a857f5b7e462288ab@%3Cissues.spark.apache.org%3E" 81337 }, 81338 { 81339 "type": "WEB", 81340 "url": "https://lists.apache.org/thread.html/r153fbefc27a1b2033692f32ef728ca909a7c7bcc1d21b6c35b38bdd5%40%3Creviews.spark.apache.org%3E" 81341 }, 81342 { 81343 "type": "WEB", 81344 "url": 
"https://lists.apache.org/thread.html/r153fbefc27a1b2033692f32ef728ca909a7c7bcc1d21b6c35b38bdd5@%3Creviews.spark.apache.org%3E" 81345 }, 81346 { 81347 "type": "WEB", 81348 "url": "https://lists.apache.org/thread.html/r15500b77c52390e2ec048cea4a6b45edf907ea61cd13259193ff8601%40%3Creviews.spark.apache.org%3E" 81349 }, 81350 { 81351 "type": "WEB", 81352 "url": "https://lists.apache.org/thread.html/r15500b77c52390e2ec048cea4a6b45edf907ea61cd13259193ff8601@%3Creviews.spark.apache.org%3E" 81353 }, 81354 { 81355 "type": "WEB", 81356 "url": "https://lists.apache.org/thread.html/r186748e676e5aeb4eb603361e6367555ae4daecbde55cfd69fa68ec6%40%3Cissues.hbase.apache.org%3E" 81357 }, 81358 { 81359 "type": "WEB", 81360 "url": "https://lists.apache.org/thread.html/r186748e676e5aeb4eb603361e6367555ae4daecbde55cfd69fa68ec6@%3Cissues.hbase.apache.org%3E" 81361 }, 81362 { 81363 "type": "WEB", 81364 "url": "https://lists.apache.org/thread.html/r1dd302323c6fe1a542d0371de66a484918fa6c2831ae70d924974bea%40%3Cnotifications.zookeeper.apache.org%3E" 81365 }, 81366 { 81367 "type": "WEB", 81368 "url": "https://lists.apache.org/thread.html/r1dd302323c6fe1a542d0371de66a484918fa6c2831ae70d924974bea@%3Cnotifications.zookeeper.apache.org%3E" 81369 }, 81370 { 81371 "type": "WEB", 81372 "url": "https://lists.apache.org/thread.html/r22776d06582985cca5bd2a92519a2b13b4cae2d8e087318da03c036d%40%3Cnotifications.zookeeper.apache.org%3E" 81373 }, 81374 { 81375 "type": "WEB", 81376 "url": "https://lists.apache.org/thread.html/r22776d06582985cca5bd2a92519a2b13b4cae2d8e087318da03c036d@%3Cnotifications.zookeeper.apache.org%3E" 81377 }, 81378 { 81379 "type": "WEB", 81380 "url": "https://lists.apache.org/thread.html/r23ce6b8965e30808daa77a80fcd69833b1fc632d80465d0419eff619%40%3Cissues.zookeeper.apache.org%3E" 81381 }, 81382 { 81383 "type": "WEB", 81384 "url": "https://lists.apache.org/thread.html/r23ce6b8965e30808daa77a80fcd69833b1fc632d80465d0419eff619@%3Cissues.zookeeper.apache.org%3E" 81385 }, 81386 { 81387 
"type": "WEB", 81388 "url": "https://lists.apache.org/thread.html/r25a47cd06750ebb4b0f23a9b7a57c209702c8566a4c970a41ac088df%40%3Creviews.spark.apache.org%3E" 81389 }, 81390 { 81391 "type": "WEB", 81392 "url": "https://lists.apache.org/thread.html/r25a47cd06750ebb4b0f23a9b7a57c209702c8566a4c970a41ac088df@%3Creviews.spark.apache.org%3E" 81393 }, 81394 { 81395 "type": "WEB", 81396 "url": "https://lists.apache.org/thread.html/r2a541f08bf5f847394297c13a5305c2f76c11e46504ce2a49653890a%40%3Creviews.spark.apache.org%3E" 81397 }, 81398 { 81399 "type": "WEB", 81400 "url": "https://lists.apache.org/thread.html/r2a541f08bf5f847394297c13a5305c2f76c11e46504ce2a49653890a@%3Creviews.spark.apache.org%3E" 81401 }, 81402 { 81403 "type": "WEB", 81404 "url": "https://lists.apache.org/thread.html/r2a57c7bbf36afc87f8ad9e1dd2f53a08e85a1b531283fc2efce4fe17%40%3Ccommits.zookeeper.apache.org%3E" 81405 }, 81406 { 81407 "type": "WEB", 81408 "url": "https://lists.apache.org/thread.html/r46589f4228aabd5fb16135ff5bef0f77f06cdef64f9785ac3349fa02@%3Cnotifications.zookeeper.apache.org%3E" 81409 }, 81410 { 81411 "type": "WEB", 81412 "url": "https://lists.apache.org/thread.html/r706562cbbdda569cc556d8a7983d1f9229606e7b51337b820785af26%40%3Creviews.spark.apache.org%3E" 81413 }, 81414 { 81415 "type": "WEB", 81416 "url": "https://lists.apache.org/thread.html/r706562cbbdda569cc556d8a7983d1f9229606e7b51337b820785af26@%3Creviews.spark.apache.org%3E" 81417 }, 81418 { 81419 "type": "WEB", 81420 "url": "https://lists.apache.org/thread.html/r70940cb30356642f0c49af49259680d6bd866f51c4e8de0f8a498fb0%40%3Cnotifications.zookeeper.apache.org%3E" 81421 }, 81422 { 81423 "type": "WEB", 81424 "url": "https://lists.apache.org/thread.html/r70940cb30356642f0c49af49259680d6bd866f51c4e8de0f8a498fb0@%3Cnotifications.zookeeper.apache.org%3E" 81425 }, 81426 { 81427 "type": "WEB", 81428 "url": "https://lists.apache.org/thread.html/r74ab0f5a5f16ca01eb145403ab753df5b348b8c1656d7c8501d0bfc6%40%3Creviews.spark.apache.org%3E" 81429 
}, 81430 { 81431 "type": "WEB", 81432 "url": "https://lists.apache.org/thread.html/r74ab0f5a5f16ca01eb145403ab753df5b348b8c1656d7c8501d0bfc6@%3Creviews.spark.apache.org%3E" 81433 }, 81434 { 81435 "type": "WEB", 81436 "url": "https://lists.apache.org/thread.html/r7669dab41f2b34d56bb67700d869dc9c025ff72e9468204799f5ac29%40%3Ccommits.spark.apache.org%3E" 81437 }, 81438 { 81439 "type": "WEB", 81440 "url": "https://lists.apache.org/thread.html/r7669dab41f2b34d56bb67700d869dc9c025ff72e9468204799f5ac29@%3Ccommits.spark.apache.org%3E" 81441 }, 81442 { 81443 "type": "WEB", 81444 "url": "https://lists.apache.org/thread.html/r769e1ba36c607772f7403e7ef2a8ae14d9ddcab4a844f9b28bcf7959%40%3Cdev.kafka.apache.org%3E" 81445 }, 81446 { 81447 "type": "WEB", 81448 "url": "https://lists.apache.org/thread.html/r769e1ba36c607772f7403e7ef2a8ae14d9ddcab4a844f9b28bcf7959@%3Cdev.kafka.apache.org%3E" 81449 }, 81450 { 81451 "type": "WEB", 81452 "url": "https://lists.apache.org/thread.html/r7d37d33f2d68912985daf40203182e3d86f3e81266b7a7f350689eeb%40%3Cjira.kafka.apache.org%3E" 81453 }, 81454 { 81455 "type": "WEB", 81456 "url": "https://lists.apache.org/thread.html/r7d37d33f2d68912985daf40203182e3d86f3e81266b7a7f350689eeb@%3Cjira.kafka.apache.org%3E" 81457 }, 81458 { 81459 "type": "WEB", 81460 "url": "https://lists.apache.org/thread.html/r81f82ab8ecb83568bafbecf9ce0e73be73980ac1e2af6baf0f344a59%40%3Creviews.spark.apache.org%3E" 81461 }, 81462 { 81463 "type": "WEB", 81464 "url": "https://lists.apache.org/thread.html/r81f82ab8ecb83568bafbecf9ce0e73be73980ac1e2af6baf0f344a59@%3Creviews.spark.apache.org%3E" 81465 }, 81466 { 81467 "type": "WEB", 81468 "url": "https://lists.apache.org/thread.html/r821bbffb64da0f062b4e72d1aa600b91e26bc82a28298ab159121215%40%3Cnotifications.zookeeper.apache.org%3E" 81469 }, 81470 { 81471 "type": "WEB", 81472 "url": "https://lists.apache.org/thread.html/r821bbffb64da0f062b4e72d1aa600b91e26bc82a28298ab159121215@%3Cnotifications.zookeeper.apache.org%3E" 81473 }, 81474 { 
81475 "type": "WEB", 81476 "url": "https://lists.apache.org/thread.html/r850d1d0413716e8ba6d910cae7b01a0e560636e17d664769b5080ca5%40%3Creviews.spark.apache.org%3E" 81477 }, 81478 { 81479 "type": "WEB", 81480 "url": "https://lists.apache.org/thread.html/r850d1d0413716e8ba6d910cae7b01a0e560636e17d664769b5080ca5@%3Creviews.spark.apache.org%3E" 81481 }, 81482 { 81483 "type": "WEB", 81484 "url": "https://lists.apache.org/thread.html/r870bc5e6e354c3e28ea029cb5726c9e8dd2b88cb0f5f7de1d4e3133d%40%3Creviews.spark.apache.org%3E" 81485 }, 81486 { 81487 "type": "WEB", 81488 "url": "https://lists.apache.org/thread.html/r870bc5e6e354c3e28ea029cb5726c9e8dd2b88cb0f5f7de1d4e3133d@%3Creviews.spark.apache.org%3E" 81489 }, 81490 { 81491 "type": "WEB", 81492 "url": "https://lists.apache.org/thread.html/r8b2271909dabb45f0f1482ef35ffe106ae4b0cf8e877eb514e9cd421%40%3Cissues.hbase.apache.org%3E" 81493 }, 81494 { 81495 "type": "WEB", 81496 "url": "https://lists.apache.org/thread.html/r8b2271909dabb45f0f1482ef35ffe106ae4b0cf8e877eb514e9cd421@%3Cissues.hbase.apache.org%3E" 81497 }, 81498 { 81499 "type": "WEB", 81500 "url": "https://lists.apache.org/thread.html/r8be8c6f0e404a3179d988eb8afed03ede5f2d5ce986d3f709fb82610%40%3Cnotifications.zookeeper.apache.org%3E" 81501 }, 81502 { 81503 "type": "WEB", 81504 "url": "https://lists.apache.org/thread.html/r8be8c6f0e404a3179d988eb8afed03ede5f2d5ce986d3f709fb82610@%3Cnotifications.zookeeper.apache.org%3E" 81505 }, 81506 { 81507 "type": "WEB", 81508 "url": "https://lists.apache.org/thread.html/r8c22aad0711321537183ccddcade7274ebf9dcbdcdacc6c4f90f43de%40%3Creviews.spark.apache.org%3E" 81509 }, 81510 { 81511 "type": "WEB", 81512 "url": "https://lists.apache.org/thread.html/r8c22aad0711321537183ccddcade7274ebf9dcbdcdacc6c4f90f43de@%3Creviews.spark.apache.org%3E" 81513 }, 81514 { 81515 "type": "WEB", 81516 "url": "https://lists.apache.org/thread.html/r8c839a0d88cd6504abbe72c260371094f47014b2ba08d8d2c0232e3c%40%3Cnotifications.zookeeper.apache.org%3E" 81517 
}, 81518 { 81519 "type": "WEB", 81520 "url": "https://lists.apache.org/thread.html/r8c839a0d88cd6504abbe72c260371094f47014b2ba08d8d2c0232e3c@%3Cnotifications.zookeeper.apache.org%3E" 81521 }, 81522 { 81523 "type": "WEB", 81524 "url": "https://lists.apache.org/thread.html/r489dfc3e259ad3837141985dd9291b93e6b40496cdf58808915d67e9%40%3Creviews.spark.apache.org%3E" 81525 }, 81526 { 81527 "type": "WEB", 81528 "url": "https://lists.apache.org/thread.html/r489dfc3e259ad3837141985dd9291b93e6b40496cdf58808915d67e9@%3Creviews.spark.apache.org%3E" 81529 }, 81530 { 81531 "type": "WEB", 81532 "url": "https://lists.apache.org/thread.html/r4981622ba15e8be1657d30b7c85044c7aabe89751fa7324f8604b834%40%3Cnotifications.zookeeper.apache.org%3E" 81533 }, 81534 { 81535 "type": "WEB", 81536 "url": "https://lists.apache.org/thread.html/r4981622ba15e8be1657d30b7c85044c7aabe89751fa7324f8604b834@%3Cnotifications.zookeeper.apache.org%3E" 81537 }, 81538 { 81539 "type": "WEB", 81540 "url": "https://lists.apache.org/thread.html/r4aff5ca6bc94a6f13ff77914fd960185ab70cd6cebe96fffd74543ac%40%3Creviews.spark.apache.org%3E" 81541 }, 81542 { 81543 "type": "WEB", 81544 "url": "https://lists.apache.org/thread.html/r4aff5ca6bc94a6f13ff77914fd960185ab70cd6cebe96fffd74543ac@%3Creviews.spark.apache.org%3E" 81545 }, 81546 { 81547 "type": "WEB", 81548 "url": "https://lists.apache.org/thread.html/r4b2e7417a76e3dd4dc9855c6c138c49484080754a09927454f6d89f0%40%3Cissues.spark.apache.org%3E" 81549 }, 81550 { 81551 "type": "WEB", 81552 "url": "https://lists.apache.org/thread.html/r4b2e7417a76e3dd4dc9855c6c138c49484080754a09927454f6d89f0@%3Cissues.spark.apache.org%3E" 81553 }, 81554 { 81555 "type": "WEB", 81556 "url": "https://lists.apache.org/thread.html/r500e22d0aedba1866d0b5e76429b76652a473a0209fa8bf66c9f7aab%40%3Ccommits.spark.apache.org%3E" 81557 }, 81558 { 81559 "type": "WEB", 81560 "url": 
"https://lists.apache.org/thread.html/r500e22d0aedba1866d0b5e76429b76652a473a0209fa8bf66c9f7aab@%3Ccommits.spark.apache.org%3E" 81561 }, 81562 { 81563 "type": "WEB", 81564 "url": "https://lists.apache.org/thread.html/r51ec0120b6c849d12fb7fef34db87ef0bf79fcfcd3d703a9800afbba%40%3Creviews.spark.apache.org%3E" 81565 }, 81566 { 81567 "type": "WEB", 81568 "url": "https://lists.apache.org/thread.html/r51ec0120b6c849d12fb7fef34db87ef0bf79fcfcd3d703a9800afbba@%3Creviews.spark.apache.org%3E" 81569 }, 81570 { 81571 "type": "WEB", 81572 "url": "https://lists.apache.org/thread.html/r543ea0a861a78d84c22656fb76880d7ab327048cf7ee3ccc7281375d%40%3Creviews.spark.apache.org%3E" 81573 }, 81574 { 81575 "type": "WEB", 81576 "url": "https://lists.apache.org/thread.html/r543ea0a861a78d84c22656fb76880d7ab327048cf7ee3ccc7281375d@%3Creviews.spark.apache.org%3E" 81577 }, 81578 { 81579 "type": "WEB", 81580 "url": "https://lists.apache.org/thread.html/r5464405909eb0e1059d5dd57d10c435b9f19325fdebbadb4f1126997%40%3Creviews.spark.apache.org%3E" 81581 }, 81582 { 81583 "type": "WEB", 81584 "url": "https://lists.apache.org/thread.html/r5464405909eb0e1059d5dd57d10c435b9f19325fdebbadb4f1126997@%3Creviews.spark.apache.org%3E" 81585 }, 81586 { 81587 "type": "WEB", 81588 "url": "https://lists.apache.org/thread.html/r5c64173663c71f222ea40617ab362d7a590935fb75c18817fdec377e%40%3Ccommits.spark.apache.org%3E" 81589 }, 81590 { 81591 "type": "WEB", 81592 "url": "https://lists.apache.org/thread.html/r5c64173663c71f222ea40617ab362d7a590935fb75c18817fdec377e@%3Ccommits.spark.apache.org%3E" 81593 }, 81594 { 81595 "type": "WEB", 81596 "url": "https://lists.apache.org/thread.html/r5e5cb33b545548ec4684d33bd88b05a0ae89c4d7cac93eb63255f58f%40%3Cnotifications.zookeeper.apache.org%3E" 81597 }, 81598 { 81599 "type": "WEB", 81600 "url": "https://lists.apache.org/thread.html/r5e5cb33b545548ec4684d33bd88b05a0ae89c4d7cac93eb63255f58f@%3Cnotifications.zookeeper.apache.org%3E" 81601 }, 81602 { 81603 "type": "WEB", 81604 "url": 
"https://lists.apache.org/thread.html/r602683484f607cd1b9598caf3e549fbb01c43fd46a582a32cc3bb545%40%3Cnotifications.zookeeper.apache.org%3E" 81605 }, 81606 { 81607 "type": "WEB", 81608 "url": "https://lists.apache.org/thread.html/r602683484f607cd1b9598caf3e549fbb01c43fd46a582a32cc3bb545@%3Cnotifications.zookeeper.apache.org%3E" 81609 }, 81610 { 81611 "type": "WEB", 81612 "url": "https://lists.apache.org/thread.html/r6493e43007f41e34cdbbb66622307fa235374dd2ec5bf52c61075a68%40%3Cissues.spark.apache.org%3E" 81613 }, 81614 { 81615 "type": "WEB", 81616 "url": "https://lists.apache.org/thread.html/r6493e43007f41e34cdbbb66622307fa235374dd2ec5bf52c61075a68@%3Cissues.spark.apache.org%3E" 81617 }, 81618 { 81619 "type": "WEB", 81620 "url": "https://lists.apache.org/thread.html/r66456df852de06a0eed2c0a50252a2c8d360b8a5c005f63c0b1e3d25%40%3Ccommits.kafka.apache.org%3E" 81621 }, 81622 { 81623 "type": "WEB", 81624 "url": "https://lists.apache.org/thread.html/r66456df852de06a0eed2c0a50252a2c8d360b8a5c005f63c0b1e3d25@%3Ccommits.kafka.apache.org%3E" 81625 }, 81626 { 81627 "type": "WEB", 81628 "url": "https://lists.apache.org/thread.html/r6d5bb60a13e8b539600f86cb72097967b951de5c7ef1e4005cda74a7%40%3Cnotifications.zookeeper.apache.org%3E" 81629 }, 81630 { 81631 "type": "WEB", 81632 "url": "https://lists.apache.org/thread.html/r6d5bb60a13e8b539600f86cb72097967b951de5c7ef1e4005cda74a7@%3Cnotifications.zookeeper.apache.org%3E" 81633 } 81634 ], 81635 "schema_version": "1.6.0", 81636 "severity": [ 81637 { 81638 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", 81639 "type": "CVSS_V3" 81640 } 81641 ], 81642 "summary": "Buffer not correctly recycled in Gzip Request inflation" 81643 }, 81644 { 81645 "affected": [ 81646 { 81647 "database_specific": { 81648 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-872g-2h8h-362q/GHSA-872g-2h8h-362q.json" 81649 }, 81650 "package": { 81651 "ecosystem": "Maven", 81652 "name": 
"org.eclipse.jetty:jetty-server", 81653 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 81654 }, 81655 "ranges": [ 81656 { 81657 "events": [ 81658 { 81659 "introduced": "9.3.0" 81660 }, 81661 { 81662 "fixed": "9.3.9" 81663 } 81664 ], 81665 "type": "ECOSYSTEM" 81666 } 81667 ], 81668 "versions": [ 81669 "9.3.0.v20150612", 81670 "9.3.1.v20150714", 81671 "9.3.2.v20150730", 81672 "9.3.3.v20150827", 81673 "9.3.4.RC0", 81674 "9.3.4.RC1", 81675 "9.3.4.v20151007", 81676 "9.3.5.v20151012", 81677 "9.3.6.v20151106", 81678 "9.3.7.RC0", 81679 "9.3.7.RC1", 81680 "9.3.7.v20160115", 81681 "9.3.8.RC0", 81682 "9.3.8.v20160314", 81683 "9.3.9.M0", 81684 "9.3.9.M1" 81685 ] 81686 } 81687 ], 81688 "aliases": [ 81689 "CVE-2016-4800" 81690 ], 81691 "database_specific": { 81692 "cwe_ids": [ 81693 "CWE-284" 81694 ], 81695 "github_reviewed": true, 81696 "github_reviewed_at": "2020-06-16T21:24:37Z", 81697 "nvd_published_at": null, 81698 "severity": "CRITICAL" 81699 }, 81700 "details": "The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.", 81701 "id": "GHSA-872g-2h8h-362q", 81702 "modified": "2024-02-16T08:22:06.138962Z", 81703 "published": "2018-10-19T16:16:16Z", 81704 "references": [ 81705 { 81706 "type": "ADVISORY", 81707 "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4800" 81708 }, 81709 { 81710 "type": "ADVISORY", 81711 "url": "https://github.com/advisories/GHSA-872g-2h8h-362q" 81712 }, 81713 { 81714 "type": "WEB", 81715 "url": "https://security.netapp.com/advisory/ntap-20190307-0006" 81716 }, 81717 { 81718 "type": "WEB", 81719 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 81720 }, 81721 { 81722 "type": "WEB", 81723 "url": "http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00092.html" 81724 }, 81725 { 81726 "type": "WEB", 81727 "url": 
"http://www.ocert.org/advisories/ocert-2016-001.html" 81728 }, 81729 { 81730 "type": "WEB", 81731 "url": "http://www.securityfocus.com/bid/90945" 81732 }, 81733 { 81734 "type": "WEB", 81735 "url": "http://www.zerodayinitiative.com/advisories/ZDI-16-362" 81736 } 81737 ], 81738 "schema_version": "1.6.0", 81739 "severity": [ 81740 { 81741 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 81742 "type": "CVSS_V3" 81743 } 81744 ], 81745 "summary": "Jetty contains an alias issue that could allow unauthenticated remote code execution due to specially crafted request" 81746 }, 81747 { 81748 "affected": [ 81749 { 81750 "database_specific": { 81751 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-8mpp-f3f7-xc28/GHSA-8mpp-f3f7-xc28.json" 81752 }, 81753 "package": { 81754 "ecosystem": "Maven", 81755 "name": "org.eclipse.jetty:jetty-server", 81756 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 81757 }, 81758 "ranges": [ 81759 { 81760 "events": [ 81761 { 81762 "introduced": "10.0.0" 81763 }, 81764 { 81765 "fixed": "10.0.10" 81766 } 81767 ], 81768 "type": "ECOSYSTEM" 81769 } 81770 ], 81771 "versions": [ 81772 "10.0.0", 81773 "10.0.1", 81774 "10.0.2", 81775 "10.0.3", 81776 "10.0.4", 81777 "10.0.5", 81778 "10.0.6", 81779 "10.0.7", 81780 "10.0.8", 81781 "10.0.9" 81782 ] 81783 }, 81784 { 81785 "database_specific": { 81786 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-8mpp-f3f7-xc28/GHSA-8mpp-f3f7-xc28.json" 81787 }, 81788 "package": { 81789 "ecosystem": "Maven", 81790 "name": "org.eclipse.jetty:jetty-server", 81791 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 81792 }, 81793 "ranges": [ 81794 { 81795 "events": [ 81796 { 81797 "introduced": "11.0.0" 81798 }, 81799 { 81800 "fixed": "11.0.10" 81801 } 81802 ], 81803 "type": "ECOSYSTEM" 81804 } 81805 ], 81806 "versions": [ 81807 "11.0.0", 81808 "11.0.1", 81809 "11.0.2", 81810 "11.0.3", 81811 "11.0.4", 81812 
"11.0.5", 81813 "11.0.6", 81814 "11.0.7", 81815 "11.0.8", 81816 "11.0.9" 81817 ] 81818 } 81819 ], 81820 "aliases": [ 81821 "CVE-2022-2191" 81822 ], 81823 "database_specific": { 81824 "cwe_ids": [ 81825 "CWE-404" 81826 ], 81827 "github_reviewed": true, 81828 "github_reviewed_at": "2022-07-07T20:55:37Z", 81829 "nvd_published_at": "2022-07-07T21:15:00Z", 81830 "severity": "HIGH" 81831 }, 81832 "details": "### Impact\n`SslConnection` does not release `ByteBuffer`s in case of error code paths.\nFor example, TLS handshakes that require client-auth with clients that send expired certificates will trigger a TLS handshake errors and the `ByteBuffer`s used to process the TLS handshake will be leaked.\n\n### Workarounds\nConfigure explicitly a `RetainableByteBufferPool` with `max[Heap|Direct]Memory` to limit the amount of memory that is leaked.\nEventually the pool will be full of \"active\" entries (the leaked ones) and will provide `ByteBuffer`s that will be GCed normally.\n\n_With embedded-jetty_\n\n``` java\nint maxBucketSize = 1000;\nlong maxHeapMemory = 128 * 1024L * 1024L; // 128 MB\nlong maxDirectMemory = 128 * 1024L * 1024L; // 128 MB\nRetainableByteBufferPool rbbp = new ArrayRetainableByteBufferPool(0, -1, -1, maxBucketSize, maxHeapMemory, maxDirectMemory);\n\nserver.addBean(rbbp); // make sure the ArrayRetainableByteBufferPool is added before the server is started\nserver.start();\n```\n\n_With jetty-home/jetty-base_\n\nCreate a `${jetty.base}/etc/retainable-byte-buffer-config.xml`\n\n``` xml\n\u003c?xml version=\"1.0\"?\u003e\n\u003c!DOCTYPE Configure PUBLIC \"-//Jetty//Configure//EN\" \"https://www.eclipse.org/jetty/configure_10_0.dtd\"\u003e\n\n\u003cConfigure id=\"Server\" class=\"org.eclipse.jetty.server.Server\"\u003e\n \u003cCall name=\"addBean\"\u003e\n \u003cArg\u003e\n \u003cNew class=\"org.eclipse.jetty.io.ArrayRetainableByteBufferPool\"\u003e\n \u003cArg type=\"int\"\u003e\u003cProperty name=\"jetty.byteBufferPool.minCapacity\" 
default=\"0\"/\u003e\u003c/Arg\u003e\n \u003cArg type=\"int\"\u003e\u003cProperty name=\"jetty.byteBufferPool.factor\" default=\"-1\"/\u003e\u003c/Arg\u003e\n \u003cArg type=\"int\"\u003e\u003cProperty name=\"jetty.byteBufferPool.maxCapacity\" default=\"-1\"/\u003e\u003c/Arg\u003e\n \u003cArg type=\"int\"\u003e\u003cProperty name=\"jetty.byteBufferPool.maxBucketSize\" default=\"1000\"/\u003e\u003c/Arg\u003e\n \u003cArg type=\"long\"\u003e\u003cProperty name=\"jetty.byteBufferPool.maxHeapMemory\" default=\"128000000\"/\u003e\u003c/Arg\u003e\n \u003cArg type=\"long\"\u003e\u003cProperty name=\"jetty.byteBufferPool.maxDirectMemory\" default=\"128000000\"/\u003e\u003c/Arg\u003e\n \u003c/New\u003e\n \u003c/Arg\u003e\n \u003c/Call\u003e\n\u003c/Configure\u003e\n```\n\nAnd then reference it in `${jetty.base}/start.d/retainable-byte-buffer-config.ini`\n\n```\netc/retainable-byte-buffer-config.xml\n```\n\n\n### References\nhttps://github.com/eclipse/jetty.project/issues/8161\n\n### For more information\n* Email us at [security@webtide.com](mailto:security@webtide.com)\n", 81833 "id": "GHSA-8mpp-f3f7-xc28", 81834 "modified": "2024-02-22T05:18:31.237834Z", 81835 "published": "2022-07-07T20:55:37Z", 81836 "references": [ 81837 { 81838 "type": "WEB", 81839 "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28" 81840 }, 81841 { 81842 "type": "ADVISORY", 81843 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2191" 81844 }, 81845 { 81846 "type": "WEB", 81847 "url": "https://github.com/eclipse/jetty.project/issues/8161" 81848 }, 81849 { 81850 "type": "WEB", 81851 "url": "https://github.com/eclipse/jetty.project" 81852 }, 81853 { 81854 "type": "WEB", 81855 "url": "https://security.netapp.com/advisory/ntap-20220909-0003" 81856 } 81857 ], 81858 "schema_version": "1.6.0", 81859 "severity": [ 81860 { 81861 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 81862 "type": "CVSS_V3" 81863 } 81864 ], 81865 "summary": "Jetty SslConnection does not 
release pooled ByteBuffers in case of errors" 81866 }, 81867 { 81868 "affected": [ 81869 { 81870 "database_specific": { 81871 "last_known_affected_version_range": "\u003c= 9.4.10.v20180503", 81872 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-9rgv-h7x4-qw8g/GHSA-9rgv-h7x4-qw8g.json" 81873 }, 81874 "package": { 81875 "ecosystem": "Maven", 81876 "name": "org.eclipse.jetty:jetty-server", 81877 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 81878 }, 81879 "ranges": [ 81880 { 81881 "events": [ 81882 { 81883 "introduced": "9.4.0" 81884 }, 81885 { 81886 "fixed": "9.4.11.v20180605" 81887 } 81888 ], 81889 "type": "ECOSYSTEM" 81890 } 81891 ], 81892 "versions": [ 81893 "9.4.0.v20161208", 81894 "9.4.0.v20180619", 81895 "9.4.1.v20170120", 81896 "9.4.1.v20180619", 81897 "9.4.10.RC0", 81898 "9.4.10.RC1", 81899 "9.4.10.v20180503", 81900 "9.4.2.v20170220", 81901 "9.4.2.v20180619", 81902 "9.4.3.v20170317", 81903 "9.4.3.v20180619", 81904 "9.4.4.v20170414", 81905 "9.4.4.v20180619", 81906 "9.4.5.v20170502", 81907 "9.4.5.v20180619", 81908 "9.4.6.v20170531", 81909 "9.4.6.v20180619", 81910 "9.4.7.RC0", 81911 "9.4.7.v20170914", 81912 "9.4.7.v20180619", 81913 "9.4.8.v20171121", 81914 "9.4.8.v20180619", 81915 "9.4.9.v20180320" 81916 ] 81917 }, 81918 { 81919 "database_specific": { 81920 "last_known_affected_version_range": "\u003c= 9.3.23.v20180228", 81921 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-9rgv-h7x4-qw8g/GHSA-9rgv-h7x4-qw8g.json" 81922 }, 81923 "package": { 81924 "ecosystem": "Maven", 81925 "name": "org.eclipse.jetty:jetty-server", 81926 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 81927 }, 81928 "ranges": [ 81929 { 81930 "events": [ 81931 { 81932 "introduced": "9.0.0" 81933 }, 81934 { 81935 "fixed": "9.3.24.v20180605" 81936 } 81937 ], 81938 "type": "ECOSYSTEM" 81939 } 81940 ], 81941 "versions": [ 81942 "9.0.0.v20130308", 81943 "9.0.1.v20130408", 81944 
"9.0.2.v20130417", 81945 "9.0.3.v20130506", 81946 "9.0.4.v20130625", 81947 "9.0.5.v20130815", 81948 "9.0.6.v20130930", 81949 "9.0.7.v20131107", 81950 "9.1.0.M0", 81951 "9.1.0.RC0", 81952 "9.1.0.RC1", 81953 "9.1.0.RC2", 81954 "9.1.0.v20131115", 81955 "9.1.1.v20140108", 81956 "9.1.2.v20140210", 81957 "9.1.3.v20140225", 81958 "9.1.4.v20140401", 81959 "9.1.5.v20140505", 81960 "9.1.6.v20160112", 81961 "9.2.0.M0", 81962 "9.2.0.M1", 81963 "9.2.0.RC0", 81964 "9.2.0.v20140526", 81965 "9.2.1.v20140609", 81966 "9.2.10.v20150310", 81967 "9.2.11.M0", 81968 "9.2.11.v20150529", 81969 "9.2.12.M0", 81970 "9.2.12.v20150709", 81971 "9.2.13.v20150730", 81972 "9.2.14.v20151106", 81973 "9.2.15.v20160210", 81974 "9.2.16.v20160414", 81975 "9.2.17.v20160517", 81976 "9.2.18.v20160721", 81977 "9.2.19.v20160908", 81978 "9.2.2.v20140723", 81979 "9.2.20.v20161216", 81980 "9.2.21.v20170120", 81981 "9.2.22.v20170606", 81982 "9.2.23.v20171218", 81983 "9.2.24.v20180105", 81984 "9.2.25.v20180606", 81985 "9.2.26.v20180806", 81986 "9.2.27.v20190403", 81987 "9.2.28.v20190418", 81988 "9.2.29.v20191105", 81989 "9.2.3.v20140905", 81990 "9.2.30.v20200428", 81991 "9.2.4.v20141103", 81992 "9.2.5.v20141112", 81993 "9.2.6.v20141205", 81994 "9.2.7.v20150116", 81995 "9.2.8.v20150217", 81996 "9.2.9.v20150224", 81997 "9.3.0.M0", 81998 "9.3.0.M1", 81999 "9.3.0.M2", 82000 "9.3.0.RC0", 82001 "9.3.0.RC1", 82002 "9.3.0.v20150612", 82003 "9.3.1.v20150714", 82004 "9.3.10.M0", 82005 "9.3.10.v20160621", 82006 "9.3.11.M0", 82007 "9.3.11.v20160721", 82008 "9.3.12.v20160915", 82009 "9.3.13.M0", 82010 "9.3.13.v20161014", 82011 "9.3.14.v20161028", 82012 "9.3.15.v20161220", 82013 "9.3.16.v20170120", 82014 "9.3.17.RC0", 82015 "9.3.17.v20170317", 82016 "9.3.18.v20170406", 82017 "9.3.19.v20170502", 82018 "9.3.2.v20150730", 82019 "9.3.20.v20170531", 82020 "9.3.21.M0", 82021 "9.3.21.RC0", 82022 "9.3.21.v20170918", 82023 "9.3.22.v20171030", 82024 "9.3.23.v20180228", 82025 "9.3.3.v20150827", 82026 "9.3.4.RC0", 82027 "9.3.4.RC1", 82028 
"9.3.4.v20151007", 82029 "9.3.5.v20151012", 82030 "9.3.6.v20151106", 82031 "9.3.7.RC0", 82032 "9.3.7.RC1", 82033 "9.3.7.v20160115", 82034 "9.3.8.RC0", 82035 "9.3.8.v20160314", 82036 "9.3.9.M0", 82037 "9.3.9.M1", 82038 "9.3.9.v20160517" 82039 ] 82040 } 82041 ], 82042 "aliases": [ 82043 "CVE-2018-12536" 82044 ], 82045 "database_specific": { 82046 "cwe_ids": [ 82047 "CWE-209" 82048 ], 82049 "github_reviewed": true, 82050 "github_reviewed_at": "2020-06-16T21:29:36Z", 82051 "nvd_published_at": "2018-06-27T17:29:00Z", 82052 "severity": "MODERATE" 82053 }, 82054 "details": "In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.", 82055 "id": "GHSA-9rgv-h7x4-qw8g", 82056 "modified": "2024-02-16T08:16:39.738843Z", 82057 "published": "2018-10-19T16:15:56Z", 82058 "references": [ 82059 { 82060 "type": "ADVISORY", 82061 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12536" 82062 }, 82063 { 82064 "type": "WEB", 82065 "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670" 82066 }, 82067 { 82068 "type": "PACKAGE", 82069 "url": "https://github.com/eclipse/jetty.project" 82070 }, 82071 { 82072 "type": "WEB", 82073 "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" 82074 }, 82075 { 82076 "type": "WEB", 82077 "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html" 82078 }, 82079 { 82080 "type": "WEB", 82081 "url": 
"https://security.netapp.com/advisory/ntap-20181014-0001" 82082 }, 82083 { 82084 "type": "WEB", 82085 "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03953en_us" 82086 }, 82087 { 82088 "type": "WEB", 82089 "url": "https://web.archive.org/web/20200516001904/http://www.securitytracker.com/id/1041194" 82090 }, 82091 { 82092 "type": "WEB", 82093 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 82094 }, 82095 { 82096 "type": "WEB", 82097 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 82098 } 82099 ], 82100 "schema_version": "1.6.0", 82101 "severity": [ 82102 { 82103 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 82104 "type": "CVSS_V3" 82105 } 82106 ], 82107 "summary": "Eclipse Jetty Server generates error message containing sensitive information" 82108 }, 82109 { 82110 "affected": [ 82111 { 82112 "database_specific": { 82113 "last_known_affected_version_range": "\u003c= 9.2.8.v20150217", 82114 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-ghgj-3xqr-6jfm/GHSA-ghgj-3xqr-6jfm.json" 82115 }, 82116 "package": { 82117 "ecosystem": "Maven", 82118 "name": "org.eclipse.jetty:jetty-server", 82119 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 82120 }, 82121 "ranges": [ 82122 { 82123 "events": [ 82124 { 82125 "introduced": "0" 82126 }, 82127 { 82128 "fixed": "9.2.9.v20150224" 82129 } 82130 ], 82131 "type": "ECOSYSTEM" 82132 } 82133 ], 82134 "versions": [ 82135 "7.0.0.M0", 82136 "7.0.0.M1", 82137 "7.0.0.M2", 82138 "7.0.0.M3", 82139 "7.0.0.M4", 82140 "7.0.0.RC0", 82141 "7.0.0.RC1", 82142 "7.0.0.RC2", 82143 "7.0.0.RC3", 82144 "7.0.0.RC4", 82145 "7.0.0.RC5", 82146 "7.0.0.RC6", 82147 "7.0.0.v20091005", 82148 "7.0.1.v20091125", 82149 "7.0.2.RC0", 82150 "7.0.2.v20100331", 82151 "7.1.0.RC0", 82152 "7.1.0.RC1", 82153 "7.1.0.v20100505", 82154 "7.1.1.v20100517", 82155 "7.1.2.v20100523", 82156 "7.1.3.v20100526", 82157 
"7.1.4.v20100610", 82158 "7.1.5.v20100705", 82159 "7.1.6.v20100715", 82160 "7.2.0.RC0", 82161 "7.2.0.v20101020", 82162 "7.2.1.v20101111", 82163 "7.2.2.v20101205", 82164 "7.3.0.v20110203", 82165 "7.3.1.v20110307", 82166 "7.4.0.RC0", 82167 "7.4.0.v20110414", 82168 "7.4.1.v20110513", 82169 "7.4.2.v20110526", 82170 "7.4.3.v20110701", 82171 "7.4.4.v20110707", 82172 "7.4.5.v20110725", 82173 "7.5.0.RC0", 82174 "7.5.0.RC1", 82175 "7.5.0.RC2", 82176 "7.5.0.v20110901", 82177 "7.5.1.v20110908", 82178 "7.5.2.v20111006", 82179 "7.5.3.v20111011", 82180 "7.5.4.v20111024", 82181 "7.6.0.RC0", 82182 "7.6.0.RC1", 82183 "7.6.0.RC2", 82184 "7.6.0.RC3", 82185 "7.6.0.RC4", 82186 "7.6.0.RC5", 82187 "7.6.0.v20120127", 82188 "7.6.1.v20120215", 82189 "7.6.10.v20130312", 82190 "7.6.11.v20130520", 82191 "7.6.12.v20130726", 82192 "7.6.13.v20130916", 82193 "7.6.14.v20131031", 82194 "7.6.15.v20140411", 82195 "7.6.16.v20140903", 82196 "7.6.17.v20150415", 82197 "7.6.18.v20150929", 82198 "7.6.19.v20160209", 82199 "7.6.2.v20120308", 82200 "7.6.20.v20160902", 82201 "7.6.21.v20160908", 82202 "7.6.3.v20120416", 82203 "7.6.4.v20120524", 82204 "7.6.5.v20120716", 82205 "7.6.6.v20120903", 82206 "7.6.7.v20120910", 82207 "7.6.8.v20121106", 82208 "7.6.9.v20130131", 82209 "8.0.0.M0", 82210 "8.0.0.M1", 82211 "8.0.0.M2", 82212 "8.0.0.M3", 82213 "8.0.0.RC0", 82214 "8.0.0.v20110901", 82215 "8.0.1.v20110908", 82216 "8.0.2.v20111006", 82217 "8.0.3.v20111011", 82218 "8.0.4.v20111024", 82219 "8.1.0.RC0", 82220 "8.1.0.RC1", 82221 "8.1.0.RC2", 82222 "8.1.0.RC4", 82223 "8.1.0.RC5", 82224 "8.1.0.v20120127", 82225 "8.1.1.v20120215", 82226 "8.1.10.v20130312", 82227 "8.1.11.v20130520", 82228 "8.1.12.v20130726", 82229 "8.1.13.v20130916", 82230 "8.1.14.v20131031", 82231 "8.1.15.v20140411", 82232 "8.1.16.v20140903", 82233 "8.1.17.v20150415", 82234 "8.1.18.v20150929", 82235 "8.1.19.v20160209", 82236 "8.1.2.v20120308", 82237 "8.1.20.v20160902", 82238 "8.1.21.v20160908", 82239 "8.1.22.v20160922", 82240 "8.1.3.v20120416", 82241 
"8.1.4.v20120524", 82242 "8.1.5.v20120716", 82243 "8.1.6.v20120903", 82244 "8.1.7.v20120910", 82245 "8.1.8.v20121106", 82246 "8.1.9.v20130131", 82247 "8.2.0.v20160908", 82248 "9.0.0.M0", 82249 "9.0.0.M1", 82250 "9.0.0.M2", 82251 "9.0.0.M3", 82252 "9.0.0.M4", 82253 "9.0.0.M5", 82254 "9.0.0.RC0", 82255 "9.0.0.RC1", 82256 "9.0.0.RC2", 82257 "9.0.0.v20130308", 82258 "9.0.1.v20130408", 82259 "9.0.2.v20130417", 82260 "9.0.3.v20130506", 82261 "9.0.4.v20130625", 82262 "9.0.5.v20130815", 82263 "9.0.6.v20130930", 82264 "9.0.7.v20131107", 82265 "9.1.0.M0", 82266 "9.1.0.RC0", 82267 "9.1.0.RC1", 82268 "9.1.0.RC2", 82269 "9.1.0.v20131115", 82270 "9.1.1.v20140108", 82271 "9.1.2.v20140210", 82272 "9.1.3.v20140225", 82273 "9.1.4.v20140401", 82274 "9.1.5.v20140505", 82275 "9.1.6.v20160112", 82276 "9.2.0.M0", 82277 "9.2.0.M1", 82278 "9.2.0.RC0", 82279 "9.2.0.v20140526", 82280 "9.2.1.v20140609", 82281 "9.2.2.v20140723", 82282 "9.2.3.v20140905", 82283 "9.2.4.v20141103", 82284 "9.2.5.v20141112", 82285 "9.2.6.v20141205", 82286 "9.2.7.v20150116", 82287 "9.2.8.v20150217" 82288 ] 82289 } 82290 ], 82291 "aliases": [ 82292 "CVE-2015-2080" 82293 ], 82294 "database_specific": { 82295 "cwe_ids": [ 82296 "CWE-200" 82297 ], 82298 "github_reviewed": true, 82299 "github_reviewed_at": "2020-06-16T21:37:23Z", 82300 "nvd_published_at": null, 82301 "severity": "HIGH" 82302 }, 82303 "details": "The exception handling code in Eclipse Jetty prior to 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.", 82304 "id": "GHSA-ghgj-3xqr-6jfm", 82305 "modified": "2024-02-16T08:18:50.53471Z", 82306 "published": "2018-11-09T17:50:00Z", 82307 "references": [ 82308 { 82309 "type": "ADVISORY", 82310 "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2080" 82311 }, 82312 { 82313 "type": "WEB", 82314 "url": "https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html" 82315 }, 
82316 { 82317 "type": "ADVISORY", 82318 "url": "https://github.com/advisories/GHSA-ghgj-3xqr-6jfm" 82319 }, 82320 { 82321 "type": "WEB", 82322 "url": "https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md" 82323 }, 82324 { 82325 "type": "WEB", 82326 "url": "https://security.netapp.com/advisory/ntap-20190307-0005" 82327 }, 82328 { 82329 "type": "WEB", 82330 "url": "http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html" 82331 }, 82332 { 82333 "type": "WEB", 82334 "url": "http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00075.html" 82335 }, 82336 { 82337 "type": "WEB", 82338 "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151804.html" 82339 }, 82340 { 82341 "type": "WEB", 82342 "url": "http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html" 82343 }, 82344 { 82345 "type": "WEB", 82346 "url": "http://seclists.org/fulldisclosure/2015/Mar/12" 82347 }, 82348 { 82349 "type": "WEB", 82350 "url": "http://www.securityfocus.com/archive/1/534755/100/1600/threaded" 82351 }, 82352 { 82353 "type": "WEB", 82354 "url": "http://www.securityfocus.com/bid/72768" 82355 }, 82356 { 82357 "type": "WEB", 82358 "url": "http://www.securitytracker.com/id/1031800" 82359 } 82360 ], 82361 "schema_version": "1.6.0", 82362 "severity": [ 82363 { 82364 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 82365 "type": "CVSS_V3" 82366 } 82367 ], 82368 "summary": "Jetty vulnerable to exposure of sensitive information to unauthenticated remote users" 82369 }, 82370 { 82371 "affected": [ 82372 { 82373 "database_specific": { 82374 "last_known_affected_version_range": "\u003c= 9.4.12.RC2", 82375 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-h2f4-v4c4-6wx4/GHSA-h2f4-v4c4-6wx4.json" 82376 }, 82377 "package": { 82378 "ecosystem": "Maven", 82379 "name": "org.eclipse.jetty:jetty-server", 82380 "purl": 
"pkg:maven/org.eclipse.jetty/jetty-server" 82381 }, 82382 "ranges": [ 82383 { 82384 "events": [ 82385 { 82386 "introduced": "9.4.0" 82387 }, 82388 { 82389 "fixed": "9.4.12.v20180830" 82390 } 82391 ], 82392 "type": "ECOSYSTEM" 82393 } 82394 ], 82395 "versions": [ 82396 "9.4.0.v20161208", 82397 "9.4.0.v20180619", 82398 "9.4.1.v20170120", 82399 "9.4.1.v20180619", 82400 "9.4.10.RC0", 82401 "9.4.10.RC1", 82402 "9.4.10.v20180503", 82403 "9.4.11.v20180605", 82404 "9.4.12.RC0", 82405 "9.4.12.RC1", 82406 "9.4.12.RC2", 82407 "9.4.2.v20170220", 82408 "9.4.2.v20180619", 82409 "9.4.3.v20170317", 82410 "9.4.3.v20180619", 82411 "9.4.4.v20170414", 82412 "9.4.4.v20180619", 82413 "9.4.5.v20170502", 82414 "9.4.5.v20180619", 82415 "9.4.6.v20170531", 82416 "9.4.6.v20180619", 82417 "9.4.7.RC0", 82418 "9.4.7.v20170914", 82419 "9.4.7.v20180619", 82420 "9.4.8.v20171121", 82421 "9.4.8.v20180619", 82422 "9.4.9.v20180320" 82423 ] 82424 }, 82425 { 82426 "database_specific": { 82427 "last_known_affected_version_range": "\u003c= 9.3.24.v20180605", 82428 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-h2f4-v4c4-6wx4/GHSA-h2f4-v4c4-6wx4.json" 82429 }, 82430 "package": { 82431 "ecosystem": "Maven", 82432 "name": "org.eclipse.jetty:jetty-server", 82433 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 82434 }, 82435 "ranges": [ 82436 { 82437 "events": [ 82438 { 82439 "introduced": "9.3.0" 82440 }, 82441 { 82442 "fixed": "9.3.25.v20180904" 82443 } 82444 ], 82445 "type": "ECOSYSTEM" 82446 } 82447 ], 82448 "versions": [ 82449 "9.3.0.v20150612", 82450 "9.3.1.v20150714", 82451 "9.3.10.M0", 82452 "9.3.10.v20160621", 82453 "9.3.11.M0", 82454 "9.3.11.v20160721", 82455 "9.3.12.v20160915", 82456 "9.3.13.M0", 82457 "9.3.13.v20161014", 82458 "9.3.14.v20161028", 82459 "9.3.15.v20161220", 82460 "9.3.16.v20170120", 82461 "9.3.17.RC0", 82462 "9.3.17.v20170317", 82463 "9.3.18.v20170406", 82464 "9.3.19.v20170502", 82465 "9.3.2.v20150730", 82466 
"9.3.20.v20170531", 82467 "9.3.21.M0", 82468 "9.3.21.RC0", 82469 "9.3.21.v20170918", 82470 "9.3.22.v20171030", 82471 "9.3.23.v20180228", 82472 "9.3.24.v20180605", 82473 "9.3.3.v20150827", 82474 "9.3.4.RC0", 82475 "9.3.4.RC1", 82476 "9.3.4.v20151007", 82477 "9.3.5.v20151012", 82478 "9.3.6.v20151106", 82479 "9.3.7.RC0", 82480 "9.3.7.RC1", 82481 "9.3.7.v20160115", 82482 "9.3.8.RC0", 82483 "9.3.8.v20160314", 82484 "9.3.9.M0", 82485 "9.3.9.M1", 82486 "9.3.9.v20160517" 82487 ] 82488 } 82489 ], 82490 "aliases": [ 82491 "CVE-2018-12545" 82492 ], 82493 "database_specific": { 82494 "cwe_ids": [ 82495 "CWE-400" 82496 ], 82497 "github_reviewed": true, 82498 "github_reviewed_at": "2020-06-16T21:38:26Z", 82499 "nvd_published_at": null, 82500 "severity": "HIGH" 82501 }, 82502 "details": "In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. 
The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.", 82503 "id": "GHSA-h2f4-v4c4-6wx4", 82504 "modified": "2024-02-19T05:52:03.950097Z", 82505 "published": "2019-03-28T18:33:38Z", 82506 "references": [ 82507 { 82508 "type": "ADVISORY", 82509 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12545" 82510 }, 82511 { 82512 "type": "WEB", 82513 "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096" 82514 }, 82515 { 82516 "type": "ADVISORY", 82517 "url": "https://github.com/advisories/GHSA-h2f4-v4c4-6wx4" 82518 }, 82519 { 82520 "type": "WEB", 82521 "url": "https://lists.apache.org/thread.html/13f5241048ec0bf966a6ddd306feaf40de5b20e1f09096b9cddeddf2@%3Ccommits.accumulo.apache.org%3E" 82522 }, 82523 { 82524 "type": "WEB", 82525 "url": "https://lists.apache.org/thread.html/70744fe4faba8e2fa7e50a7fc794dd03cb28dad8b21e08ee59bb1606@%3Cdevnull.infra.apache.org%3E" 82526 }, 82527 { 82528 "type": "WEB", 82529 "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" 82530 }, 82531 { 82532 "type": "WEB", 82533 "url": "https://lists.apache.org/thread.html/febc94ffec9275dcda64633e0276a1400cd318e571009e4cda9b7a79@%3Cnotifications.accumulo.apache.org%3E" 82534 }, 82535 { 82536 "type": "WEB", 82537 "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" 82538 }, 82539 { 82540 "type": "WEB", 82541 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CIS4LALKZNLF5X5IGNGRSKERG7FY4QG6" 82542 }, 82543 { 82544 "type": "WEB", 82545 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 82546 }, 82547 { 82548 "type": "WEB", 82549 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 82550 } 82551 ], 82552 "schema_version": "1.6.0", 82553 "severity": [ 82554 { 82555 "score": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 82556 "type": "CVSS_V3" 82557 } 82558 ], 82559 "summary": "Uncontrolled Resource Consumption in org.eclipse.jetty:jetty-server" 82560 }, 82561 { 82562 "affected": [ 82563 { 82564 "database_specific": { 82565 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jg2x-r643-w2ch/GHSA-jg2x-r643-w2ch.json" 82566 }, 82567 "package": { 82568 "ecosystem": "Maven", 82569 "name": "org.eclipse.jetty:jetty-server", 82570 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 82571 }, 82572 "ranges": [ 82573 { 82574 "events": [ 82575 { 82576 "introduced": "0" 82577 }, 82578 { 82579 "fixed": "4.2.27" 82580 } 82581 ], 82582 "type": "ECOSYSTEM" 82583 } 82584 ] 82585 }, 82586 { 82587 "database_specific": { 82588 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jg2x-r643-w2ch/GHSA-jg2x-r643-w2ch.json" 82589 }, 82590 "package": { 82591 "ecosystem": "Maven", 82592 "name": "org.eclipse.jetty:jetty-server", 82593 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 82594 }, 82595 "ranges": [ 82596 { 82597 "events": [ 82598 { 82599 "introduced": "5.1.0" 82600 }, 82601 { 82602 "fixed": "5.1.12" 82603 } 82604 ], 82605 "type": "ECOSYSTEM" 82606 } 82607 ] 82608 }, 82609 { 82610 "database_specific": { 82611 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jg2x-r643-w2ch/GHSA-jg2x-r643-w2ch.json" 82612 }, 82613 "package": { 82614 "ecosystem": "Maven", 82615 "name": "org.eclipse.jetty:jetty-server", 82616 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 82617 }, 82618 "ranges": [ 82619 { 82620 "events": [ 82621 { 82622 "introduced": "6.0.0" 82623 }, 82624 { 82625 "fixed": "6.0.2" 82626 } 82627 ], 82628 "type": "ECOSYSTEM" 82629 } 82630 ] 82631 }, 82632 { 82633 "database_specific": { 82634 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jg2x-r643-w2ch/GHSA-jg2x-r643-w2ch.json" 82635 }, 82636 "package": { 82637 "ecosystem": "Maven", 82638 "name": "org.eclipse.jetty:jetty-server", 82639 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 82640 }, 82641 "ranges": [ 82642 { 82643 "events": [ 82644 { 82645 "introduced": "6.1.0pre1" 82646 }, 82647 { 82648 "fixed": "6.1.0pre3" 82649 } 82650 ], 82651 "type": "ECOSYSTEM" 82652 } 82653 ] 82654 } 82655 ], 82656 "aliases": [ 82657 "CVE-2006-6969" 82658 ], 82659 "database_specific": { 82660 "cwe_ids": [ 82661 "CWE-330" 82662 ], 82663 "github_reviewed": true, 82664 "github_reviewed_at": "2024-02-12T16:20:55Z", 82665 "nvd_published_at": "2007-02-07T11:28:00Z", 82666 "severity": "MODERATE" 82667 }, 82668 "details": "Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.", 82669 "id": "GHSA-jg2x-r643-w2ch", 82670 "modified": "2024-02-12T16:41:58.146447Z", 82671 "published": "2022-05-01T07:43:29Z", 82672 "references": [ 82673 { 82674 "type": "ADVISORY", 82675 "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-6969" 82676 }, 82677 { 82678 "type": "WEB", 82679 "url": "https://github.com/jetty-project/codehaus-jetty6/commit/36f81d2e7058b012f6718bc2f1e2786694a8a4a1" 82680 }, 82681 { 82682 "type": "WEB", 82683 "url": "https://github.com/jetty-project/codehaus-jetty6/commit/b31f606bf8058a38ab6253aa8dc2dfe6a7f83c78" 82684 }, 82685 { 82686 "type": "WEB", 82687 "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/32240" 82688 }, 82689 { 82690 "type": "PACKAGE", 82691 "url": "https://github.com/jetty-project/codehaus-jetty6" 82692 }, 82693 { 82694 "type": "WEB", 82695 "url": 
"https://web.archive.org/web/20070208112816/http://fisheye.codehaus.org/changelog/jetty/?cs=1274" 82696 }, 82697 { 82698 "type": "WEB", 82699 "url": "https://web.archive.org/web/20070602184857/http://archives.neohapsis.com/archives/bugtraq/2007-02/0070.html" 82700 }, 82701 { 82702 "type": "WEB", 82703 "url": "https://web.archive.org/web/20121019131825/http://www.securityfocus.com/archive/1/459164/100/0/threaded" 82704 }, 82705 { 82706 "type": "WEB", 82707 "url": "https://web.archive.org/web/20200228100052/http://www.securityfocus.com/bid/22405" 82708 } 82709 ], 82710 "schema_version": "1.6.0", 82711 "summary": "Jetty Uses Predictable Session Identifiers" 82712 }, 82713 { 82714 "affected": [ 82715 { 82716 "database_specific": { 82717 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-m394-8rww-3jr7/GHSA-m394-8rww-3jr7.json" 82718 }, 82719 "package": { 82720 "ecosystem": "Maven", 82721 "name": "org.eclipse.jetty:jetty-server", 82722 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 82723 }, 82724 "ranges": [ 82725 { 82726 "events": [ 82727 { 82728 "introduced": "9.4.6" 82729 }, 82730 { 82731 "fixed": "9.4.37" 82732 } 82733 ], 82734 "type": "ECOSYSTEM" 82735 } 82736 ], 82737 "versions": [ 82738 "9.4.10.RC0", 82739 "9.4.10.RC1", 82740 "9.4.10.v20180503", 82741 "9.4.11.v20180605", 82742 "9.4.12.RC0", 82743 "9.4.12.RC1", 82744 "9.4.12.RC2", 82745 "9.4.12.v20180830", 82746 "9.4.13.v20181111", 82747 "9.4.14.v20181114", 82748 "9.4.15.v20190215", 82749 "9.4.16.v20190411", 82750 "9.4.17.v20190418", 82751 "9.4.18.v20190429", 82752 "9.4.19.v20190610", 82753 "9.4.20.v20190813", 82754 "9.4.21.v20190926", 82755 "9.4.22.v20191022", 82756 "9.4.23.v20191118", 82757 "9.4.24.v20191120", 82758 "9.4.25.v20191220", 82759 "9.4.26.v20200117", 82760 "9.4.27.v20200227", 82761 "9.4.28.v20200408", 82762 "9.4.29.v20200521", 82763 "9.4.30.v20200611", 82764 "9.4.31.v20200723", 82765 "9.4.32.v20200930", 82766 "9.4.33.v20201020", 82767 
"9.4.34.v20201102", 82768 "9.4.35.v20201120", 82769 "9.4.36.v20210114", 82770 "9.4.6.v20170531", 82771 "9.4.6.v20180619", 82772 "9.4.7.RC0", 82773 "9.4.7.v20170914", 82774 "9.4.7.v20180619", 82775 "9.4.8.v20171121", 82776 "9.4.8.v20180619", 82777 "9.4.9.v20180320" 82778 ] 82779 }, 82780 { 82781 "database_specific": { 82782 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-m394-8rww-3jr7/GHSA-m394-8rww-3jr7.json" 82783 }, 82784 "package": { 82785 "ecosystem": "Maven", 82786 "name": "org.eclipse.jetty:jetty-server", 82787 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 82788 }, 82789 "ranges": [ 82790 { 82791 "events": [ 82792 { 82793 "introduced": "10.0.0" 82794 }, 82795 { 82796 "fixed": "10.0.1" 82797 } 82798 ], 82799 "type": "ECOSYSTEM" 82800 } 82801 ], 82802 "versions": [ 82803 "10.0.0" 82804 ] 82805 }, 82806 { 82807 "database_specific": { 82808 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-m394-8rww-3jr7/GHSA-m394-8rww-3jr7.json" 82809 }, 82810 "package": { 82811 "ecosystem": "Maven", 82812 "name": "org.eclipse.jetty:jetty-server", 82813 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 82814 }, 82815 "ranges": [ 82816 { 82817 "events": [ 82818 { 82819 "introduced": "11.0.0" 82820 }, 82821 { 82822 "fixed": "11.0.1" 82823 } 82824 ], 82825 "type": "ECOSYSTEM" 82826 } 82827 ], 82828 "versions": [ 82829 "11.0.0" 82830 ] 82831 } 82832 ], 82833 "aliases": [ 82834 "BIT-solr-2020-27223", 82835 "BIT-spark-2020-27223", 82836 "CVE-2020-27223" 82837 ], 82838 "database_specific": { 82839 "cwe_ids": [ 82840 "CWE-400" 82841 ], 82842 "github_reviewed": true, 82843 "github_reviewed_at": "2021-03-10T03:46:22Z", 82844 "nvd_published_at": "2021-02-26T22:15:00Z", 82845 "severity": "MODERATE" 82846 }, 82847 "details": "### Impact\nWhen Jetty handles a request containing request headers with a large number of “quality” (i.e. 
q) parameters (such as what are seen on the `Accept`, `Accept-Encoding`, and `Accept-Language` request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application.\n\nThe only features within Jetty that can trigger this behavior are:\n\n- Default Error Handling - the `Accept` request header with the `QuotedQualityCSV` is used to determine what kind of content to send back to the client (html, text, json, xml, etc)\n- `StatisticsServlet` - uses the `Accept` request header with the `QuotedQualityCSV` to determine what kind of content to send back to the client (xml, json, text, html, etc)\n- `HttpServletRequest.getLocale()` - uses the `Accept-Language` request header with the `QuotedQualityCSV` to determine which “preferred” language is returned on this call.\n- `HttpservletRequest.getLocales()` - is similar to the above, but returns an ordered list of locales based on the quality values on the `Accept-Language` request header.\n- `DefaultServlet` - uses the `Accept-Encoding` request header with the `QuotedQualityCSV` to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app)\n\n### Versions\n`QuotedQualityCSV` was introduced to Jetty 9.3.9.v20160517 and the bug that introduced the vulnerability was in 9.4.6.v20170531. 
\n\nCurrently, known vulnerable versions include:\n\n- 9.4.6.v20170531 thru to 9.4.36.v20210114\n- 10.0.0\n- 11.0.0\n\n### Workarounds\n\nQuality ordered values are used infrequently by jetty so they can be avoided by:\n\n * Do not use the default error page/handler.\n * Do not deploy the `StatisticsServlet` exposed to the network\n * Do not call `getLocale` API\n * Do not enable precompressed static content in the `DefaultServlet` \n\n### Patches\n\nAll patches are available for download from the Eclipse Jetty website at [https://www.eclipse.org/jetty/download.php](https://www.eclipse.org/jetty/download.php)\n- 9.4.37.v20210219 and greater\n- 10.0.1 and greater \n- 11.0.1 and greater", 82848 "id": "GHSA-m394-8rww-3jr7", 82849 "modified": "2024-03-15T05:20:16.796889Z", 82850 "published": "2021-03-10T03:46:47Z", 82851 "references": [ 82852 { 82853 "type": "WEB", 82854 "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7" 82855 }, 82856 { 82857 "type": "ADVISORY", 82858 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27223" 82859 }, 82860 { 82861 "type": "WEB", 82862 "url": "https://lists.apache.org/thread.html/rd666e187ebea2fda8624683ab51e2a5ad2108f762d21bf1a383d7502@%3Creviews.spark.apache.org%3E" 82863 }, 82864 { 82865 "type": "WEB", 82866 "url": "https://lists.apache.org/thread.html/rc721fe2910533bffb6bd4d69ea8ff4f36066d260dbcd2d14e041614a@%3Cissues.spark.apache.org%3E" 82867 }, 82868 { 82869 "type": "WEB", 82870 "url": "https://lists.apache.org/thread.html/rc052fd4e9e9c01bead74c0b5680355ea5dc3b72d46f253cb65d03e43@%3Ccommits.druid.apache.org%3E" 82871 }, 82872 { 82873 "type": "WEB", 82874 "url": "https://lists.apache.org/thread.html/rb79b62ac3085e05656e41865f5a7efcbdc7dcd7843abed9c5fe0fef8@%3Cnotifications.zookeeper.apache.org%3E" 82875 }, 82876 { 82877 "type": "WEB", 82878 "url": "https://lists.apache.org/thread.html/raa6d60b00b67c0550672b4f506f0df75b323dcd25cf574e91e2f2dff@%3Cissues.zookeeper.apache.org%3E" 82879 }, 82880 { 
82881 "type": "WEB", 82882 "url": "https://lists.apache.org/thread.html/ra47a26c008487b0a739a368c846e168de06c3cd118d31ecedafa679a@%3Cdev.kafka.apache.org%3E" 82883 }, 82884 { 82885 "type": "WEB", 82886 "url": "https://lists.apache.org/thread.html/ra40a88a2301a3da86e25b501ff4bc88124f2b816c2917d5f3497f8f0@%3Cnotifications.zookeeper.apache.org%3E" 82887 }, 82888 { 82889 "type": "WEB", 82890 "url": "https://lists.apache.org/thread.html/ra384892bab8c03a60613a6a9d5e9cae0a2b800fd882792a55520115e@%3Ccommits.kafka.apache.org%3E" 82891 }, 82892 { 82893 "type": "WEB", 82894 "url": "https://lists.apache.org/thread.html/ra2f529da674f25a7351543544f7d621b5227c49a0745913b1194d11e@%3Creviews.spark.apache.org%3E" 82895 }, 82896 { 82897 "type": "WEB", 82898 "url": "https://lists.apache.org/thread.html/r8dc1b13b80d39fbf4a9d158850e15cd868f0460c2f364f13dca7050b@%3Cnotifications.zookeeper.apache.org%3E" 82899 }, 82900 { 82901 "type": "WEB", 82902 "url": "https://lists.apache.org/thread.html/r8b1963f16d6cb1230ca7ee73b6ec4f5c48f344191dbb1caabd265ee4@%3Cnotifications.zookeeper.apache.org%3E" 82903 }, 82904 { 82905 "type": "WEB", 82906 "url": "https://lists.apache.org/thread.html/r897a6a14d03eab09e89b809d2a650f3765065201da5bc3db9a4dd6e8@%3Ccommits.zookeeper.apache.org%3E" 82907 }, 82908 { 82909 "type": "WEB", 82910 "url": "https://lists.apache.org/thread.html/r857b31ad16c6e76002bc6cca73c83358ed2595477e288286ee82c48d@%3Cnotifications.zookeeper.apache.org%3E" 82911 }, 82912 { 82913 "type": "WEB", 82914 "url": "https://lists.apache.org/thread.html/r855b24a3bde3674256152edfc53fb8c9000f9b59db3fecbbde33b211@%3Cissues.solr.apache.org%3E" 82915 }, 82916 { 82917 "type": "WEB", 82918 "url": "https://lists.apache.org/thread.html/r7ffd050d3bd7c90d95f4933560b5f4f15971ab9a5f5322fdce116243@%3Cdev.lucene.apache.org%3E" 82919 }, 82920 { 82921 "type": "WEB", 82922 "url": "https://lists.apache.org/thread.html/r7fbdb7880be1566f943d80fbbeefde2115c086eba1bef3115350a388@%3Cjira.kafka.apache.org%3E" 82923 }, 82924 
{ 82925 "type": "WEB", 82926 "url": "https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc1234e3debb94515796b@%3Cjira.kafka.apache.org%3E" 82927 }, 82928 { 82929 "type": "WEB", 82930 "url": "https://lists.apache.org/thread.html/rdd6c47321db1bfe12c68a898765bf3b6f97e2afa6a501254ed4feaed@%3Cjira.kafka.apache.org%3E" 82931 }, 82932 { 82933 "type": "WEB", 82934 "url": "https://lists.apache.org/thread.html/re03a4dbc15df6f390a2f8c0a071c31c8324dbef007e59fdc2592091a@%3Ccommits.zookeeper.apache.org%3E" 82935 }, 82936 { 82937 "type": "WEB", 82938 "url": "https://lists.apache.org/thread.html/re0d38cc2b5da28f708fc89de49036f3ace052c47a1202f7d70291614@%3Cdev.kafka.apache.org%3E" 82939 }, 82940 { 82941 "type": "WEB", 82942 "url": "https://lists.apache.org/thread.html/re19fa47ec901cc3cf6d7784027198e8113f8bc2dbfd6c9d6d13f5447@%3Cnotifications.zookeeper.apache.org%3E" 82943 }, 82944 { 82945 "type": "WEB", 82946 "url": "https://lists.apache.org/thread.html/re3bd4f831f9be49871cb6adb997289b5dbcd6fe4bc5cb08223254080@%3Cdev.lucene.apache.org%3E" 82947 }, 82948 { 82949 "type": "WEB", 82950 "url": "https://lists.apache.org/thread.html/re43768896273c0b5f1a03d7f0a9d370852074489d51825fdc0d77f0f@%3Cnotifications.zookeeper.apache.org%3E" 82951 }, 82952 { 82953 "type": "WEB", 82954 "url": "https://lists.apache.org/thread.html/re819198d4732804dc01fca8b5b144689a118ede49f6128968773595c@%3Ccommits.kafka.apache.org%3E" 82955 }, 82956 { 82957 "type": "WEB", 82958 "url": "https://lists.apache.org/thread.html/reb3c6dc050c7ee18ea154cd94dba85d99aa6b02b84c4bb2138a4abf2@%3Creviews.spark.apache.org%3E" 82959 }, 82960 { 82961 "type": "WEB", 82962 "url": "https://lists.apache.org/thread.html/reca91f217f9e1ce607ce6e19a1c0b3db82b5b1b58cf39a84d6434695@%3Cnotifications.zookeeper.apache.org%3E" 82963 }, 82964 { 82965 "type": "WEB", 82966 "url": "https://lists.apache.org/thread.html/rf190d1d28e1367d1664ef6bc2f71227566d7b6b39209817a5364da1f@%3Cissues.solr.apache.org%3E" 82967 }, 82968 { 82969 
"type": "WEB", 82970 "url": "https://lists.apache.org/thread.html/rf6c2efa3137bc8c22707e550a1f9b80f74bca62b9c8a6f768f2c6b86@%3Cnotifications.zookeeper.apache.org%3E" 82971 }, 82972 { 82973 "type": "WEB", 82974 "url": "https://lists.apache.org/thread.html/rf77f4c4583669f1133d58cc4f1964367e253818ed8db986bb2732f7c@%3Cnotifications.zookeeper.apache.org%3E" 82975 }, 82976 { 82977 "type": "WEB", 82978 "url": "https://lists.apache.org/thread.html/rff630ce92a4d1bb494fc1a3f9b57a3d60819b436505bcd8c6ccc713c@%3Ccommits.kafka.apache.org%3E" 82979 }, 82980 { 82981 "type": "WEB", 82982 "url": "https://security.netapp.com/advisory/ntap-20210401-0005" 82983 }, 82984 { 82985 "type": "WEB", 82986 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 82987 }, 82988 { 82989 "type": "WEB", 82990 "url": "https://lists.apache.org/thread.html/r2c947376491a20d1cf143bf3c21ed74113e099d806cfe4c490a45ad8@%3Creviews.spark.apache.org%3E" 82991 }, 82992 { 82993 "type": "WEB", 82994 "url": "https://lists.apache.org/thread.html/r2c2c7b2971360fb946bbf062c58d7245927dd1ce9150fc9987f65409@%3Cjira.kafka.apache.org%3E" 82995 }, 82996 { 82997 "type": "WEB", 82998 "url": "https://lists.apache.org/thread.html/r27ad7843d060762cc942820566eeaa9639f75371afedf8124b943283@%3Cissues.spark.apache.org%3E" 82999 }, 83000 { 83001 "type": "WEB", 83002 "url": "https://lists.apache.org/thread.html/r26d9196f4d2afb9bec2784bcb6fc183aca82e4119bf41bdc613eec01@%3Cnotifications.zookeeper.apache.org%3E" 83003 }, 83004 { 83005 "type": "WEB", 83006 "url": "https://lists.apache.org/thread.html/r1b803e6ebdac5f670708878fb1b27cd7a0ce9d774a60e797e58cee6f@%3Cissues.nifi.apache.org%3E" 83007 }, 83008 { 83009 "type": "WEB", 83010 "url": "https://lists.apache.org/thread.html/r1b7ed296a865e3f1337a96ee9cd51f6d154d881a30da36020ca72a4b@%3Cjira.kafka.apache.org%3E" 83011 }, 83012 { 83013 "type": "WEB", 83014 "url": 
"https://lists.apache.org/thread.html/r1414ab2b3f4bb4c0e736caff6dc8d15f93f6264f0cca5c47710d7bb3@%3Creviews.spark.apache.org%3E" 83015 }, 83016 { 83017 "type": "WEB", 83018 "url": "https://lists.apache.org/thread.html/r105f4e52feb051faeb9141ef78f909aaf5129d6ed1fc52e099c79463@%3Cissues.spark.apache.org%3E" 83019 }, 83020 { 83021 "type": "WEB", 83022 "url": "https://lists.apache.org/thread.html/r0e25cdf3722a24c53049d37396f0da8502cb4b7cdc481650dc601dbc@%3Cgitbox.activemq.apache.org%3E" 83023 }, 83024 { 83025 "type": "WEB", 83026 "url": "https://lists.apache.org/thread.html/r0cdab13815fc419805a332278c8d27e354e78560944fc36db0bdc760@%3Cnotifications.zookeeper.apache.org%3E" 83027 }, 83028 { 83029 "type": "WEB", 83030 "url": "https://lists.apache.org/thread.html/r0c6eced465950743f3041b03767a32b2e98d19731bd72277fc7ea428@%3Ccommits.zookeeper.apache.org%3E" 83031 }, 83032 { 83033 "type": "WEB", 83034 "url": "https://lists.apache.org/thread.html/r0b639bd9bfaea265022125d18acd2fc6456044b76609ec74772c9567@%3Cissues.zookeeper.apache.org%3E" 83035 }, 83036 { 83037 "type": "WEB", 83038 "url": "https://lists.apache.org/thread.html/r07aedcb1ece62969c406cb84c8f0e22cec7e42cdc272f3176e473320@%3Cusers.solr.apache.org%3E" 83039 }, 83040 { 83041 "type": "WEB", 83042 "url": "https://lists.apache.org/thread.html/r068dfd35ce2193f6af28b74ff29ab148c2b2cacb235995576f5bea78@%3Cissues.solr.apache.org%3E" 83043 }, 83044 { 83045 "type": "PACKAGE", 83046 "url": "https://github.com/eclipse/jetty.project" 83047 }, 83048 { 83049 "type": "WEB", 83050 "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128" 83051 }, 83052 { 83053 "type": "WEB", 83054 "url": "https://lists.apache.org/thread.html/r7f4ad5eec0bce2821c308bb23cac53df5c94eb84de1c58de9b95c176@%3Ccommits.zookeeper.apache.org%3E" 83055 }, 83056 { 83057 "type": "WEB", 83058 "url": "https://lists.apache.org/thread.html/r75ee2a529edb892ac59110cb3f6f91844a932c5034e16c8317f5668d@%3Ccommits.zookeeper.apache.org%3E" 83059 }, 83060 { 83061 "type": 
"WEB", 83062 "url": "https://lists.apache.org/thread.html/r734f996149bb9b1796740385fcbdf3e093eb9aabedc0f20a48ea1d68@%3Cissues.zookeeper.apache.org%3E" 83063 }, 83064 { 83065 "type": "WEB", 83066 "url": "https://lists.apache.org/thread.html/r601f15f3de7ae3a7bbcd780c19155075c56443c2cdc1d193c03b4182@%3Cissues.spark.apache.org%3E" 83067 }, 83068 { 83069 "type": "WEB", 83070 "url": "https://lists.apache.org/thread.html/r5b7cc6ac733e0b35816751cf45d152ae246a3f40e0b1e62b101c9522@%3Cdev.zookeeper.apache.org%3E" 83071 }, 83072 { 83073 "type": "WEB", 83074 "url": "https://lists.apache.org/thread.html/r562a0cbc5c8cac4d000a27b2854a8ab1b924aa9dd45f8ffbea98e5ad@%3Cjira.kafka.apache.org%3E" 83075 }, 83076 { 83077 "type": "WEB", 83078 "url": "https://lists.apache.org/thread.html/r5612dc69e1f79c421faf9764ffbc92591e2a69ea417c04cba57f49ea@%3Cuser.karaf.apache.org%3E" 83079 }, 83080 { 83081 "type": "WEB", 83082 "url": "https://lists.apache.org/thread.html/r521a077885ce79c44a799118c878589e81e525cab72d368e5cfb6f61@%3Cissues.spark.apache.org%3E" 83083 }, 83084 { 83085 "type": "WEB", 83086 "url": "https://lists.apache.org/thread.html/r51f8975ef47c12a46fbfd7da9efea7f08e1d307fe1dc3042514659ae@%3Cnotifications.zookeeper.apache.org%3E" 83087 }, 83088 { 83089 "type": "WEB", 83090 "url": "https://lists.apache.org/thread.html/r4c92ea39167c0f7b096ae8268db496b5451d69606f0304b7c8a994c7@%3Cissues.nifi.apache.org%3E" 83091 }, 83092 { 83093 "type": "WEB", 83094 "url": "https://lists.apache.org/thread.html/r4a456d89a83752a012d88a60ff4b21def6c9f650b9e69ea9fa11c9f9@%3Cissues.spark.apache.org%3E" 83095 }, 83096 { 83097 "type": "WEB", 83098 "url": "https://lists.apache.org/thread.html/r492cff8488a7f6eb96700afb5d137b719ddb80a833e77f971d2691c6@%3Cnotifications.zookeeper.apache.org%3E" 83099 }, 83100 { 83101 "type": "WEB", 83102 "url": "https://lists.apache.org/thread.html/r463b12b27264c5e1e3c48c8c2cc5d33813d2f0d981102548fb3102fb@%3Cissues.nifi.apache.org%3E" 83103 }, 83104 { 83105 "type": "WEB", 83106 "url": 
"https://lists.apache.org/thread.html/r409ee2bae66bfff6aa89e6c74aff535e6248260d3afcb42bfb3b316b@%3Cnotifications.zookeeper.apache.org%3E" 83107 }, 83108 { 83109 "type": "WEB", 83110 "url": "https://lists.apache.org/thread.html/r3ce0e31b25ad4ee8f7c42b62cfdc72d1b586f5d6accd23f5295b6dd1@%3Cdev.kafka.apache.org%3E" 83111 }, 83112 { 83113 "type": "WEB", 83114 "url": "https://lists.apache.org/thread.html/r35ab810c0f3016b3fd3a3fa9088a2d2781b354a810780ce74d022b6c@%3Cdev.kafka.apache.org%3E" 83115 } 83116 ], 83117 "schema_version": "1.6.0", 83118 "severity": [ 83119 { 83120 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", 83121 "type": "CVSS_V3" 83122 } 83123 ], 83124 "summary": "DOS vulnerability for Quoted Quality CSV headers" 83125 }, 83126 { 83127 "affected": [ 83128 { 83129 "database_specific": { 83130 "last_known_affected_version_range": "\u003c= 9.4.40", 83131 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-m6cp-vxjx-65j6/GHSA-m6cp-vxjx-65j6.json" 83132 }, 83133 "package": { 83134 "ecosystem": "Maven", 83135 "name": "org.eclipse.jetty:jetty-server", 83136 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 83137 }, 83138 "ranges": [ 83139 { 83140 "events": [ 83141 { 83142 "introduced": "0" 83143 }, 83144 { 83145 "fixed": "9.4.41" 83146 } 83147 ], 83148 "type": "ECOSYSTEM" 83149 } 83150 ], 83151 "versions": [ 83152 "7.0.0.M0", 83153 "7.0.0.M1", 83154 "7.0.0.M2", 83155 "7.0.0.M3", 83156 "7.0.0.M4", 83157 "7.0.0.RC0", 83158 "7.0.0.RC1", 83159 "7.0.0.RC2", 83160 "7.0.0.RC3", 83161 "7.0.0.RC4", 83162 "7.0.0.RC5", 83163 "7.0.0.RC6", 83164 "7.0.0.v20091005", 83165 "7.0.1.v20091125", 83166 "7.0.2.RC0", 83167 "7.0.2.v20100331", 83168 "7.1.0.RC0", 83169 "7.1.0.RC1", 83170 "7.1.0.v20100505", 83171 "7.1.1.v20100517", 83172 "7.1.2.v20100523", 83173 "7.1.3.v20100526", 83174 "7.1.4.v20100610", 83175 "7.1.5.v20100705", 83176 "7.1.6.v20100715", 83177 "7.2.0.RC0", 83178 "7.2.0.v20101020", 83179 "7.2.1.v20101111", 83180 
"7.2.2.v20101205", 83181 "7.3.0.v20110203", 83182 "7.3.1.v20110307", 83183 "7.4.0.RC0", 83184 "7.4.0.v20110414", 83185 "7.4.1.v20110513", 83186 "7.4.2.v20110526", 83187 "7.4.3.v20110701", 83188 "7.4.4.v20110707", 83189 "7.4.5.v20110725", 83190 "7.5.0.RC0", 83191 "7.5.0.RC1", 83192 "7.5.0.RC2", 83193 "7.5.0.v20110901", 83194 "7.5.1.v20110908", 83195 "7.5.2.v20111006", 83196 "7.5.3.v20111011", 83197 "7.5.4.v20111024", 83198 "7.6.0.RC0", 83199 "7.6.0.RC1", 83200 "7.6.0.RC2", 83201 "7.6.0.RC3", 83202 "7.6.0.RC4", 83203 "7.6.0.RC5", 83204 "7.6.0.v20120127", 83205 "7.6.1.v20120215", 83206 "7.6.10.v20130312", 83207 "7.6.11.v20130520", 83208 "7.6.12.v20130726", 83209 "7.6.13.v20130916", 83210 "7.6.14.v20131031", 83211 "7.6.15.v20140411", 83212 "7.6.16.v20140903", 83213 "7.6.17.v20150415", 83214 "7.6.18.v20150929", 83215 "7.6.19.v20160209", 83216 "7.6.2.v20120308", 83217 "7.6.20.v20160902", 83218 "7.6.21.v20160908", 83219 "7.6.3.v20120416", 83220 "7.6.4.v20120524", 83221 "7.6.5.v20120716", 83222 "7.6.6.v20120903", 83223 "7.6.7.v20120910", 83224 "7.6.8.v20121106", 83225 "7.6.9.v20130131", 83226 "8.0.0.M0", 83227 "8.0.0.M1", 83228 "8.0.0.M2", 83229 "8.0.0.M3", 83230 "8.0.0.RC0", 83231 "8.0.0.v20110901", 83232 "8.0.1.v20110908", 83233 "8.0.2.v20111006", 83234 "8.0.3.v20111011", 83235 "8.0.4.v20111024", 83236 "8.1.0.RC0", 83237 "8.1.0.RC1", 83238 "8.1.0.RC2", 83239 "8.1.0.RC4", 83240 "8.1.0.RC5", 83241 "8.1.0.v20120127", 83242 "8.1.1.v20120215", 83243 "8.1.10.v20130312", 83244 "8.1.11.v20130520", 83245 "8.1.12.v20130726", 83246 "8.1.13.v20130916", 83247 "8.1.14.v20131031", 83248 "8.1.15.v20140411", 83249 "8.1.16.v20140903", 83250 "8.1.17.v20150415", 83251 "8.1.18.v20150929", 83252 "8.1.19.v20160209", 83253 "8.1.2.v20120308", 83254 "8.1.20.v20160902", 83255 "8.1.21.v20160908", 83256 "8.1.22.v20160922", 83257 "8.1.3.v20120416", 83258 "8.1.4.v20120524", 83259 "8.1.5.v20120716", 83260 "8.1.6.v20120903", 83261 "8.1.7.v20120910", 83262 "8.1.8.v20121106", 83263 "8.1.9.v20130131", 
83264 "8.2.0.v20160908", 83265 "9.0.0.M0", 83266 "9.0.0.M1", 83267 "9.0.0.M2", 83268 "9.0.0.M3", 83269 "9.0.0.M4", 83270 "9.0.0.M5", 83271 "9.0.0.RC0", 83272 "9.0.0.RC1", 83273 "9.0.0.RC2", 83274 "9.0.0.v20130308", 83275 "9.0.1.v20130408", 83276 "9.0.2.v20130417", 83277 "9.0.3.v20130506", 83278 "9.0.4.v20130625", 83279 "9.0.5.v20130815", 83280 "9.0.6.v20130930", 83281 "9.0.7.v20131107", 83282 "9.1.0.M0", 83283 "9.1.0.RC0", 83284 "9.1.0.RC1", 83285 "9.1.0.RC2", 83286 "9.1.0.v20131115", 83287 "9.1.1.v20140108", 83288 "9.1.2.v20140210", 83289 "9.1.3.v20140225", 83290 "9.1.4.v20140401", 83291 "9.1.5.v20140505", 83292 "9.1.6.v20160112", 83293 "9.2.0.M0", 83294 "9.2.0.M1", 83295 "9.2.0.RC0", 83296 "9.2.0.v20140526", 83297 "9.2.1.v20140609", 83298 "9.2.10.v20150310", 83299 "9.2.11.M0", 83300 "9.2.11.v20150529", 83301 "9.2.12.M0", 83302 "9.2.12.v20150709", 83303 "9.2.13.v20150730", 83304 "9.2.14.v20151106", 83305 "9.2.15.v20160210", 83306 "9.2.16.v20160414", 83307 "9.2.17.v20160517", 83308 "9.2.18.v20160721", 83309 "9.2.19.v20160908", 83310 "9.2.2.v20140723", 83311 "9.2.20.v20161216", 83312 "9.2.21.v20170120", 83313 "9.2.22.v20170606", 83314 "9.2.23.v20171218", 83315 "9.2.24.v20180105", 83316 "9.2.25.v20180606", 83317 "9.2.26.v20180806", 83318 "9.2.27.v20190403", 83319 "9.2.28.v20190418", 83320 "9.2.29.v20191105", 83321 "9.2.3.v20140905", 83322 "9.2.30.v20200428", 83323 "9.2.4.v20141103", 83324 "9.2.5.v20141112", 83325 "9.2.6.v20141205", 83326 "9.2.7.v20150116", 83327 "9.2.8.v20150217", 83328 "9.2.9.v20150224", 83329 "9.3.0.M0", 83330 "9.3.0.M1", 83331 "9.3.0.M2", 83332 "9.3.0.RC0", 83333 "9.3.0.RC1", 83334 "9.3.0.v20150612", 83335 "9.3.1.v20150714", 83336 "9.3.10.M0", 83337 "9.3.10.v20160621", 83338 "9.3.11.M0", 83339 "9.3.11.v20160721", 83340 "9.3.12.v20160915", 83341 "9.3.13.M0", 83342 "9.3.13.v20161014", 83343 "9.3.14.v20161028", 83344 "9.3.15.v20161220", 83345 "9.3.16.v20170120", 83346 "9.3.17.RC0", 83347 "9.3.17.v20170317", 83348 "9.3.18.v20170406", 83349 
"9.3.19.v20170502", 83350 "9.3.2.v20150730", 83351 "9.3.20.v20170531", 83352 "9.3.21.M0", 83353 "9.3.21.RC0", 83354 "9.3.21.v20170918", 83355 "9.3.22.v20171030", 83356 "9.3.23.v20180228", 83357 "9.3.24.v20180605", 83358 "9.3.25.v20180904", 83359 "9.3.26.v20190403", 83360 "9.3.27.v20190418", 83361 "9.3.28.v20191105", 83362 "9.3.29.v20201019", 83363 "9.3.3.v20150827", 83364 "9.3.30.v20211001", 83365 "9.3.4.RC0", 83366 "9.3.4.RC1", 83367 "9.3.4.v20151007", 83368 "9.3.5.v20151012", 83369 "9.3.6.v20151106", 83370 "9.3.7.RC0", 83371 "9.3.7.RC1", 83372 "9.3.7.v20160115", 83373 "9.3.8.RC0", 83374 "9.3.8.v20160314", 83375 "9.3.9.M0", 83376 "9.3.9.M1", 83377 "9.3.9.v20160517", 83378 "9.4.0.M0", 83379 "9.4.0.M1", 83380 "9.4.0.RC0", 83381 "9.4.0.RC1", 83382 "9.4.0.RC2", 83383 "9.4.0.RC3", 83384 "9.4.0.v20161208", 83385 "9.4.0.v20180619", 83386 "9.4.1.v20170120", 83387 "9.4.1.v20180619", 83388 "9.4.10.RC0", 83389 "9.4.10.RC1", 83390 "9.4.10.v20180503", 83391 "9.4.11.v20180605", 83392 "9.4.12.RC0", 83393 "9.4.12.RC1", 83394 "9.4.12.RC2", 83395 "9.4.12.v20180830", 83396 "9.4.13.v20181111", 83397 "9.4.14.v20181114", 83398 "9.4.15.v20190215", 83399 "9.4.16.v20190411", 83400 "9.4.17.v20190418", 83401 "9.4.18.v20190429", 83402 "9.4.19.v20190610", 83403 "9.4.2.v20170220", 83404 "9.4.2.v20180619", 83405 "9.4.20.v20190813", 83406 "9.4.21.v20190926", 83407 "9.4.22.v20191022", 83408 "9.4.23.v20191118", 83409 "9.4.24.v20191120", 83410 "9.4.25.v20191220", 83411 "9.4.26.v20200117", 83412 "9.4.27.v20200227", 83413 "9.4.28.v20200408", 83414 "9.4.29.v20200521", 83415 "9.4.3.v20170317", 83416 "9.4.3.v20180619", 83417 "9.4.30.v20200611", 83418 "9.4.31.v20200723", 83419 "9.4.32.v20200930", 83420 "9.4.33.v20201020", 83421 "9.4.34.v20201102", 83422 "9.4.35.v20201120", 83423 "9.4.36.v20210114", 83424 "9.4.37.v20210219", 83425 "9.4.38.v20210224", 83426 "9.4.39.v20210325", 83427 "9.4.4.v20170414", 83428 "9.4.4.v20180619", 83429 "9.4.40.v20210413", 83430 "9.4.5.v20170502", 83431 "9.4.5.v20180619", 83432 
"9.4.6.v20170531", 83433 "9.4.6.v20180619", 83434 "9.4.7.RC0", 83435 "9.4.7.v20170914", 83436 "9.4.7.v20180619", 83437 "9.4.8.v20171121", 83438 "9.4.8.v20180619", 83439 "9.4.9.v20180320" 83440 ] 83441 }, 83442 { 83443 "database_specific": { 83444 "last_known_affected_version_range": "\u003c= 10.0.2", 83445 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-m6cp-vxjx-65j6/GHSA-m6cp-vxjx-65j6.json" 83446 }, 83447 "package": { 83448 "ecosystem": "Maven", 83449 "name": "org.eclipse.jetty:jetty-server", 83450 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 83451 }, 83452 "ranges": [ 83453 { 83454 "events": [ 83455 { 83456 "introduced": "10.0.0" 83457 }, 83458 { 83459 "fixed": "10.0.3" 83460 } 83461 ], 83462 "type": "ECOSYSTEM" 83463 } 83464 ], 83465 "versions": [ 83466 "10.0.0", 83467 "10.0.1", 83468 "10.0.2" 83469 ] 83470 }, 83471 { 83472 "database_specific": { 83473 "last_known_affected_version_range": "\u003c= 11.0.2", 83474 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-m6cp-vxjx-65j6/GHSA-m6cp-vxjx-65j6.json" 83475 }, 83476 "package": { 83477 "ecosystem": "Maven", 83478 "name": "org.eclipse.jetty:jetty-server", 83479 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 83480 }, 83481 "ranges": [ 83482 { 83483 "events": [ 83484 { 83485 "introduced": "11.0.0" 83486 }, 83487 { 83488 "fixed": "11.0.3" 83489 } 83490 ], 83491 "type": "ECOSYSTEM" 83492 } 83493 ], 83494 "versions": [ 83495 "11.0.0", 83496 "11.0.1", 83497 "11.0.2" 83498 ] 83499 } 83500 ], 83501 "aliases": [ 83502 "CVE-2021-34428" 83503 ], 83504 "database_specific": { 83505 "cwe_ids": [ 83506 "CWE-613" 83507 ], 83508 "github_reviewed": true, 83509 "github_reviewed_at": "2021-06-22T16:41:00Z", 83510 "nvd_published_at": "2021-06-22T15:15:00Z", 83511 "severity": "LOW" 83512 }, 83513 "details": "### Impact\nIf an exception is thrown from the `SessionListener#sessionDestroyed()` method, then the 
session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.\n\nThere is no known path for an attacker to induce such an exception to be thrown, thus they must rely on an application to throw such an exception. The OP has also identified that during the call to `sessionDestroyed`, the `getLastAccessedTime()` throws an `IllegalStateException`, which potentially contrary to the servlet spec, so applications calling this method may always throw and fail to log out. If such an application was only tested on a non clustered test environment, then it may be deployed on a clustered environment with multiple contexts and fail to log out.\n\n### Workarounds\nThe application should catch all Throwables within their `SessionListener#sessionDestroyed()` implementations.\n", 83514 "id": "GHSA-m6cp-vxjx-65j6", 83515 "modified": "2024-02-17T05:34:59.415608Z", 83516 "published": "2021-06-23T20:23:04Z", 83517 "references": [ 83518 { 83519 "type": "WEB", 83520 "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6" 83521 }, 83522 { 83523 "type": "ADVISORY", 83524 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34428" 83525 }, 83526 { 83527 "type": "WEB", 83528 "url": "https://github.com/eclipse/jetty.project" 83529 }, 83530 { 83531 "type": "WEB", 83532 "url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E" 83533 }, 83534 { 83535 "type": "WEB", 83536 "url": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E" 83537 }, 83538 { 83539 "type": "WEB", 83540 "url": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E" 
83541 }, 83542 { 83543 "type": "WEB", 83544 "url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E" 83545 }, 83546 { 83547 "type": "WEB", 83548 "url": "https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695@%3Cjira.kafka.apache.org%3E" 83549 }, 83550 { 83551 "type": "WEB", 83552 "url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E" 83553 }, 83554 { 83555 "type": "WEB", 83556 "url": "https://security.netapp.com/advisory/ntap-20210813-0003" 83557 }, 83558 { 83559 "type": "WEB", 83560 "url": "https://www.debian.org/security/2021/dsa-4949" 83561 }, 83562 { 83563 "type": "WEB", 83564 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 83565 }, 83566 { 83567 "type": "WEB", 83568 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 83569 }, 83570 { 83571 "type": "WEB", 83572 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 83573 } 83574 ], 83575 "schema_version": "1.6.0", 83576 "severity": [ 83577 { 83578 "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", 83579 "type": "CVSS_V3" 83580 } 83581 ], 83582 "summary": "SessionListener can prevent a session from being invalidated breaking logout" 83583 }, 83584 { 83585 "affected": [ 83586 { 83587 "database_specific": { 83588 "last_known_affected_version_range": "\u003c= 9.4.10.v20180503", 83589 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-mwcx-532g-8pq3/GHSA-mwcx-532g-8pq3.json" 83590 }, 83591 "package": { 83592 "ecosystem": "Maven", 83593 "name": "org.eclipse.jetty:jetty-server", 83594 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 83595 }, 83596 "ranges": [ 83597 { 83598 "events": [ 83599 { 83600 "introduced": "9.4.0" 83601 }, 83602 { 83603 "fixed": "9.4.11.v20180605" 83604 } 83605 ], 83606 "type": "ECOSYSTEM" 83607 } 
83608 ], 83609 "versions": [ 83610 "9.4.0.v20161208", 83611 "9.4.0.v20180619", 83612 "9.4.1.v20170120", 83613 "9.4.1.v20180619", 83614 "9.4.10.RC0", 83615 "9.4.10.RC1", 83616 "9.4.10.v20180503", 83617 "9.4.2.v20170220", 83618 "9.4.2.v20180619", 83619 "9.4.3.v20170317", 83620 "9.4.3.v20180619", 83621 "9.4.4.v20170414", 83622 "9.4.4.v20180619", 83623 "9.4.5.v20170502", 83624 "9.4.5.v20180619", 83625 "9.4.6.v20170531", 83626 "9.4.6.v20180619", 83627 "9.4.7.RC0", 83628 "9.4.7.v20170914", 83629 "9.4.7.v20180619", 83630 "9.4.8.v20171121", 83631 "9.4.8.v20180619", 83632 "9.4.9.v20180320" 83633 ] 83634 } 83635 ], 83636 "aliases": [ 83637 "CVE-2018-12538" 83638 ], 83639 "database_specific": { 83640 "cwe_ids": [ 83641 "CWE-384", 83642 "CWE-6" 83643 ], 83644 "github_reviewed": true, 83645 "github_reviewed_at": "2020-06-16T21:47:31Z", 83646 "nvd_published_at": null, 83647 "severity": "HIGH" 83648 }, 83649 "details": "In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.", 83650 "id": "GHSA-mwcx-532g-8pq3", 83651 "modified": "2024-02-17T05:43:52.147542Z", 83652 "published": "2018-10-16T17:44:11Z", 83653 "references": [ 83654 { 83655 "type": "ADVISORY", 83656 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12538" 83657 }, 83658 { 83659 "type": "WEB", 83660 "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=536018" 83661 }, 83662 { 83663 "type": "ADVISORY", 83664 "url": "https://github.com/advisories/GHSA-mwcx-532g-8pq3" 83665 }, 83666 { 83667 "type": "WEB", 83668 "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" 83669 }, 83670 { 83671 "type": "WEB", 83672 "url": 
"https://security.netapp.com/advisory/ntap-20181014-0001" 83673 }, 83674 { 83675 "type": "WEB", 83676 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 83677 }, 83678 { 83679 "type": "WEB", 83680 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 83681 }, 83682 { 83683 "type": "WEB", 83684 "url": "http://www.securitytracker.com/id/1041194" 83685 } 83686 ], 83687 "schema_version": "1.6.0", 83688 "severity": [ 83689 { 83690 "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 83691 "type": "CVSS_V3" 83692 } 83693 ], 83694 "summary": "Access and integrity issue within Eclipse Jetty" 83695 }, 83696 { 83697 "affected": [ 83698 { 83699 "database_specific": { 83700 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-p26g-97m4-6q7c/GHSA-p26g-97m4-6q7c.json" 83701 }, 83702 "package": { 83703 "ecosystem": "Maven", 83704 "name": "org.eclipse.jetty:jetty-server", 83705 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 83706 }, 83707 "ranges": [ 83708 { 83709 "events": [ 83710 { 83711 "introduced": "0" 83712 }, 83713 { 83714 "fixed": "9.4.51.v20230217" 83715 } 83716 ], 83717 "type": "ECOSYSTEM" 83718 } 83719 ], 83720 "versions": [ 83721 "7.0.0.M0", 83722 "7.0.0.M1", 83723 "7.0.0.M2", 83724 "7.0.0.M3", 83725 "7.0.0.M4", 83726 "7.0.0.RC0", 83727 "7.0.0.RC1", 83728 "7.0.0.RC2", 83729 "7.0.0.RC3", 83730 "7.0.0.RC4", 83731 "7.0.0.RC5", 83732 "7.0.0.RC6", 83733 "7.0.0.v20091005", 83734 "7.0.1.v20091125", 83735 "7.0.2.RC0", 83736 "7.0.2.v20100331", 83737 "7.1.0.RC0", 83738 "7.1.0.RC1", 83739 "7.1.0.v20100505", 83740 "7.1.1.v20100517", 83741 "7.1.2.v20100523", 83742 "7.1.3.v20100526", 83743 "7.1.4.v20100610", 83744 "7.1.5.v20100705", 83745 "7.1.6.v20100715", 83746 "7.2.0.RC0", 83747 "7.2.0.v20101020", 83748 "7.2.1.v20101111", 83749 "7.2.2.v20101205", 83750 "7.3.0.v20110203", 83751 "7.3.1.v20110307", 83752 "7.4.0.RC0", 83753 "7.4.0.v20110414", 83754 "7.4.1.v20110513", 83755 
"7.4.2.v20110526", 83756 "7.4.3.v20110701", 83757 "7.4.4.v20110707", 83758 "7.4.5.v20110725", 83759 "7.5.0.RC0", 83760 "7.5.0.RC1", 83761 "7.5.0.RC2", 83762 "7.5.0.v20110901", 83763 "7.5.1.v20110908", 83764 "7.5.2.v20111006", 83765 "7.5.3.v20111011", 83766 "7.5.4.v20111024", 83767 "7.6.0.RC0", 83768 "7.6.0.RC1", 83769 "7.6.0.RC2", 83770 "7.6.0.RC3", 83771 "7.6.0.RC4", 83772 "7.6.0.RC5", 83773 "7.6.0.v20120127", 83774 "7.6.1.v20120215", 83775 "7.6.10.v20130312", 83776 "7.6.11.v20130520", 83777 "7.6.12.v20130726", 83778 "7.6.13.v20130916", 83779 "7.6.14.v20131031", 83780 "7.6.15.v20140411", 83781 "7.6.16.v20140903", 83782 "7.6.17.v20150415", 83783 "7.6.18.v20150929", 83784 "7.6.19.v20160209", 83785 "7.6.2.v20120308", 83786 "7.6.20.v20160902", 83787 "7.6.21.v20160908", 83788 "7.6.3.v20120416", 83789 "7.6.4.v20120524", 83790 "7.6.5.v20120716", 83791 "7.6.6.v20120903", 83792 "7.6.7.v20120910", 83793 "7.6.8.v20121106", 83794 "7.6.9.v20130131", 83795 "8.0.0.M0", 83796 "8.0.0.M1", 83797 "8.0.0.M2", 83798 "8.0.0.M3", 83799 "8.0.0.RC0", 83800 "8.0.0.v20110901", 83801 "8.0.1.v20110908", 83802 "8.0.2.v20111006", 83803 "8.0.3.v20111011", 83804 "8.0.4.v20111024", 83805 "8.1.0.RC0", 83806 "8.1.0.RC1", 83807 "8.1.0.RC2", 83808 "8.1.0.RC4", 83809 "8.1.0.RC5", 83810 "8.1.0.v20120127", 83811 "8.1.1.v20120215", 83812 "8.1.10.v20130312", 83813 "8.1.11.v20130520", 83814 "8.1.12.v20130726", 83815 "8.1.13.v20130916", 83816 "8.1.14.v20131031", 83817 "8.1.15.v20140411", 83818 "8.1.16.v20140903", 83819 "8.1.17.v20150415", 83820 "8.1.18.v20150929", 83821 "8.1.19.v20160209", 83822 "8.1.2.v20120308", 83823 "8.1.20.v20160902", 83824 "8.1.21.v20160908", 83825 "8.1.22.v20160922", 83826 "8.1.3.v20120416", 83827 "8.1.4.v20120524", 83828 "8.1.5.v20120716", 83829 "8.1.6.v20120903", 83830 "8.1.7.v20120910", 83831 "8.1.8.v20121106", 83832 "8.1.9.v20130131", 83833 "8.2.0.v20160908", 83834 "9.0.0.M0", 83835 "9.0.0.M1", 83836 "9.0.0.M2", 83837 "9.0.0.M3", 83838 "9.0.0.M4", 83839 "9.0.0.M5", 83840 
"9.0.0.RC0", 83841 "9.0.0.RC1", 83842 "9.0.0.RC2", 83843 "9.0.0.v20130308", 83844 "9.0.1.v20130408", 83845 "9.0.2.v20130417", 83846 "9.0.3.v20130506", 83847 "9.0.4.v20130625", 83848 "9.0.5.v20130815", 83849 "9.0.6.v20130930", 83850 "9.0.7.v20131107", 83851 "9.1.0.M0", 83852 "9.1.0.RC0", 83853 "9.1.0.RC1", 83854 "9.1.0.RC2", 83855 "9.1.0.v20131115", 83856 "9.1.1.v20140108", 83857 "9.1.2.v20140210", 83858 "9.1.3.v20140225", 83859 "9.1.4.v20140401", 83860 "9.1.5.v20140505", 83861 "9.1.6.v20160112", 83862 "9.2.0.M0", 83863 "9.2.0.M1", 83864 "9.2.0.RC0", 83865 "9.2.0.v20140526", 83866 "9.2.1.v20140609", 83867 "9.2.10.v20150310", 83868 "9.2.11.M0", 83869 "9.2.11.v20150529", 83870 "9.2.12.M0", 83871 "9.2.12.v20150709", 83872 "9.2.13.v20150730", 83873 "9.2.14.v20151106", 83874 "9.2.15.v20160210", 83875 "9.2.16.v20160414", 83876 "9.2.17.v20160517", 83877 "9.2.18.v20160721", 83878 "9.2.19.v20160908", 83879 "9.2.2.v20140723", 83880 "9.2.20.v20161216", 83881 "9.2.21.v20170120", 83882 "9.2.22.v20170606", 83883 "9.2.23.v20171218", 83884 "9.2.24.v20180105", 83885 "9.2.25.v20180606", 83886 "9.2.26.v20180806", 83887 "9.2.27.v20190403", 83888 "9.2.28.v20190418", 83889 "9.2.29.v20191105", 83890 "9.2.3.v20140905", 83891 "9.2.30.v20200428", 83892 "9.2.4.v20141103", 83893 "9.2.5.v20141112", 83894 "9.2.6.v20141205", 83895 "9.2.7.v20150116", 83896 "9.2.8.v20150217", 83897 "9.2.9.v20150224", 83898 "9.3.0.M0", 83899 "9.3.0.M1", 83900 "9.3.0.M2", 83901 "9.3.0.RC0", 83902 "9.3.0.RC1", 83903 "9.3.0.v20150612", 83904 "9.3.1.v20150714", 83905 "9.3.10.M0", 83906 "9.3.10.v20160621", 83907 "9.3.11.M0", 83908 "9.3.11.v20160721", 83909 "9.3.12.v20160915", 83910 "9.3.13.M0", 83911 "9.3.13.v20161014", 83912 "9.3.14.v20161028", 83913 "9.3.15.v20161220", 83914 "9.3.16.v20170120", 83915 "9.3.17.RC0", 83916 "9.3.17.v20170317", 83917 "9.3.18.v20170406", 83918 "9.3.19.v20170502", 83919 "9.3.2.v20150730", 83920 "9.3.20.v20170531", 83921 "9.3.21.M0", 83922 "9.3.21.RC0", 83923 "9.3.21.v20170918", 83924 
"9.3.22.v20171030", 83925 "9.3.23.v20180228", 83926 "9.3.24.v20180605", 83927 "9.3.25.v20180904", 83928 "9.3.26.v20190403", 83929 "9.3.27.v20190418", 83930 "9.3.28.v20191105", 83931 "9.3.29.v20201019", 83932 "9.3.3.v20150827", 83933 "9.3.30.v20211001", 83934 "9.3.4.RC0", 83935 "9.3.4.RC1", 83936 "9.3.4.v20151007", 83937 "9.3.5.v20151012", 83938 "9.3.6.v20151106", 83939 "9.3.7.RC0", 83940 "9.3.7.RC1", 83941 "9.3.7.v20160115", 83942 "9.3.8.RC0", 83943 "9.3.8.v20160314", 83944 "9.3.9.M0", 83945 "9.3.9.M1", 83946 "9.3.9.v20160517", 83947 "9.4.0.M0", 83948 "9.4.0.M1", 83949 "9.4.0.RC0", 83950 "9.4.0.RC1", 83951 "9.4.0.RC2", 83952 "9.4.0.RC3", 83953 "9.4.0.v20161208", 83954 "9.4.0.v20180619", 83955 "9.4.1.v20170120", 83956 "9.4.1.v20180619", 83957 "9.4.10.RC0", 83958 "9.4.10.RC1", 83959 "9.4.10.v20180503", 83960 "9.4.11.v20180605", 83961 "9.4.12.RC0", 83962 "9.4.12.RC1", 83963 "9.4.12.RC2", 83964 "9.4.12.v20180830", 83965 "9.4.13.v20181111", 83966 "9.4.14.v20181114", 83967 "9.4.15.v20190215", 83968 "9.4.16.v20190411", 83969 "9.4.17.v20190418", 83970 "9.4.18.v20190429", 83971 "9.4.19.v20190610", 83972 "9.4.2.v20170220", 83973 "9.4.2.v20180619", 83974 "9.4.20.v20190813", 83975 "9.4.21.v20190926", 83976 "9.4.22.v20191022", 83977 "9.4.23.v20191118", 83978 "9.4.24.v20191120", 83979 "9.4.25.v20191220", 83980 "9.4.26.v20200117", 83981 "9.4.27.v20200227", 83982 "9.4.28.v20200408", 83983 "9.4.29.v20200521", 83984 "9.4.3.v20170317", 83985 "9.4.3.v20180619", 83986 "9.4.30.v20200611", 83987 "9.4.31.v20200723", 83988 "9.4.32.v20200930", 83989 "9.4.33.v20201020", 83990 "9.4.34.v20201102", 83991 "9.4.35.v20201120", 83992 "9.4.36.v20210114", 83993 "9.4.37.v20210219", 83994 "9.4.38.v20210224", 83995 "9.4.39.v20210325", 83996 "9.4.4.v20170414", 83997 "9.4.4.v20180619", 83998 "9.4.40.v20210413", 83999 "9.4.41.v20210516", 84000 "9.4.42.v20210604", 84001 "9.4.43.v20210629", 84002 "9.4.44.v20210927", 84003 "9.4.45.v20220203", 84004 "9.4.46.v20220331", 84005 "9.4.47.v20220610", 84006 
"9.4.48.v20220622", 84007 "9.4.49.v20220914", 84008 "9.4.5.v20170502", 84009 "9.4.5.v20180619", 84010 "9.4.50.v20221201", 84011 "9.4.6.v20170531", 84012 "9.4.6.v20180619", 84013 "9.4.7.RC0", 84014 "9.4.7.v20170914", 84015 "9.4.7.v20180619", 84016 "9.4.8.v20171121", 84017 "9.4.8.v20180619", 84018 "9.4.9.v20180320" 84019 ] 84020 }, 84021 { 84022 "database_specific": { 84023 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-p26g-97m4-6q7c/GHSA-p26g-97m4-6q7c.json" 84024 }, 84025 "package": { 84026 "ecosystem": "Maven", 84027 "name": "org.eclipse.jetty:jetty-server", 84028 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 84029 }, 84030 "ranges": [ 84031 { 84032 "events": [ 84033 { 84034 "introduced": "10.0.0" 84035 }, 84036 { 84037 "fixed": "10.0.14" 84038 } 84039 ], 84040 "type": "ECOSYSTEM" 84041 } 84042 ], 84043 "versions": [ 84044 "10.0.0", 84045 "10.0.1", 84046 "10.0.10", 84047 "10.0.11", 84048 "10.0.12", 84049 "10.0.13", 84050 "10.0.2", 84051 "10.0.3", 84052 "10.0.4", 84053 "10.0.5", 84054 "10.0.6", 84055 "10.0.7", 84056 "10.0.8", 84057 "10.0.9" 84058 ] 84059 }, 84060 { 84061 "database_specific": { 84062 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-p26g-97m4-6q7c/GHSA-p26g-97m4-6q7c.json" 84063 }, 84064 "package": { 84065 "ecosystem": "Maven", 84066 "name": "org.eclipse.jetty:jetty-server", 84067 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 84068 }, 84069 "ranges": [ 84070 { 84071 "events": [ 84072 { 84073 "introduced": "11.0.0" 84074 }, 84075 { 84076 "fixed": "11.0.14" 84077 } 84078 ], 84079 "type": "ECOSYSTEM" 84080 } 84081 ], 84082 "versions": [ 84083 "11.0.0", 84084 "11.0.1", 84085 "11.0.10", 84086 "11.0.11", 84087 "11.0.12", 84088 "11.0.13", 84089 "11.0.2", 84090 "11.0.3", 84091 "11.0.4", 84092 "11.0.5", 84093 "11.0.6", 84094 "11.0.7", 84095 "11.0.8", 84096 "11.0.9" 84097 ] 84098 }, 84099 { 84100 "database_specific": { 84101 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-p26g-97m4-6q7c/GHSA-p26g-97m4-6q7c.json" 84102 }, 84103 "package": { 84104 "ecosystem": "Maven", 84105 "name": "org.eclipse.jetty:jetty-server", 84106 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 84107 }, 84108 "ranges": [ 84109 { 84110 "events": [ 84111 { 84112 "introduced": "12.0.0alpha0" 84113 }, 84114 { 84115 "fixed": "12.0.0.beta0" 84116 } 84117 ], 84118 "type": "ECOSYSTEM" 84119 } 84120 ], 84121 "versions": [ 84122 "12.0.0.alpha0", 84123 "12.0.0.alpha1", 84124 "12.0.0.alpha2", 84125 "12.0.0.alpha3" 84126 ] 84127 } 84128 ], 84129 "aliases": [ 84130 "CVE-2023-26049" 84131 ], 84132 "database_specific": { 84133 "cwe_ids": [ 84134 "CWE-200" 84135 ], 84136 "github_reviewed": true, 84137 "github_reviewed_at": "2023-04-18T22:19:57Z", 84138 "nvd_published_at": "2023-04-18T21:15:09Z", 84139 "severity": "LOW" 84140 }, 84141 "details": "Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism.\n\nIf Jetty sees a cookie VALUE that starts with `\"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered.\n\nSo, a cookie header such as:\n\n`DISPLAY_LANGUAGE=\"b; JSESSIONID=1337; c=d\"` will be parsed as one cookie, with the name `DISPLAY_LANGUAGE` and a value of `b; JSESSIONID=1337; c=d`\n\ninstead of 3 separate cookies.\n\n### Impact\nThis has security implications because if, say, `JSESSIONID` is an `HttpOnly` cookie, and the `DISPLAY_LANGUAGE` cookie value is rendered on the page, an attacker can smuggle the `JSESSIONID` cookie into the `DISPLAY_LANGUAGE` cookie and thereby exfiltrate it. 
This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server.\n\n### Patches\n* 9.4.51.v20230217 - via PR #9352\n* 10.0.15 - via PR #9339\n* 11.0.15 - via PR #9339\n\n### Workarounds\nNo workarounds\n\n### References\n* https://www.rfc-editor.org/rfc/rfc2965\n* https://www.rfc-editor.org/rfc/rfc6265\n", 84142 "id": "GHSA-p26g-97m4-6q7c", 84143 "modified": "2024-02-20T05:30:22.058149Z", 84144 "published": "2023-04-18T22:19:57Z", 84145 "references": [ 84146 { 84147 "type": "WEB", 84148 "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c" 84149 }, 84150 { 84151 "type": "ADVISORY", 84152 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26049" 84153 }, 84154 { 84155 "type": "WEB", 84156 "url": "https://github.com/eclipse/jetty.project/pull/9339" 84157 }, 84158 { 84159 "type": "WEB", 84160 "url": "https://github.com/eclipse/jetty.project/pull/9352" 84161 }, 84162 { 84163 "type": "PACKAGE", 84164 "url": "https://github.com/eclipse/jetty.project" 84165 }, 84166 { 84167 "type": "WEB", 84168 "url": "https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217" 84169 }, 84170 { 84171 "type": "WEB", 84172 "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html" 84173 }, 84174 { 84175 "type": "WEB", 84176 "url": "https://security.netapp.com/advisory/ntap-20230526-0001" 84177 }, 84178 { 84179 "type": "WEB", 84180 "url": "https://www.debian.org/security/2023/dsa-5507" 84181 }, 84182 { 84183 "type": "WEB", 84184 "url": "https://www.rfc-editor.org/rfc/rfc2965" 84185 }, 84186 { 84187 "type": "WEB", 84188 "url": "https://www.rfc-editor.org/rfc/rfc6265" 84189 } 84190 ], 84191 "related": [ 84192 "CGA-6jj8-gqq9-qj3c" 84193 ], 84194 "schema_version": "1.6.0", 84195 "severity": [ 84196 { 84197 "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N", 84198 "type": "CVSS_V3" 84199 } 84200 ], 84201 "summary": "Eclipse 
Jetty's cookie parsing of quoted values can exfiltrate values from other cookies" 84202 }, 84203 { 84204 "affected": [ 84205 { 84206 "database_specific": { 84207 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qw69-rqj8-6qw8/GHSA-qw69-rqj8-6qw8.json" 84208 }, 84209 "package": { 84210 "ecosystem": "Maven", 84211 "name": "org.eclipse.jetty:jetty-server", 84212 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 84213 }, 84214 "ranges": [ 84215 { 84216 "events": [ 84217 { 84218 "introduced": "0" 84219 }, 84220 { 84221 "fixed": "9.4.51.v20230217" 84222 } 84223 ], 84224 "type": "ECOSYSTEM" 84225 } 84226 ], 84227 "versions": [ 84228 "7.0.0.M0", 84229 "7.0.0.M1", 84230 "7.0.0.M2", 84231 "7.0.0.M3", 84232 "7.0.0.M4", 84233 "7.0.0.RC0", 84234 "7.0.0.RC1", 84235 "7.0.0.RC2", 84236 "7.0.0.RC3", 84237 "7.0.0.RC4", 84238 "7.0.0.RC5", 84239 "7.0.0.RC6", 84240 "7.0.0.v20091005", 84241 "7.0.1.v20091125", 84242 "7.0.2.RC0", 84243 "7.0.2.v20100331", 84244 "7.1.0.RC0", 84245 "7.1.0.RC1", 84246 "7.1.0.v20100505", 84247 "7.1.1.v20100517", 84248 "7.1.2.v20100523", 84249 "7.1.3.v20100526", 84250 "7.1.4.v20100610", 84251 "7.1.5.v20100705", 84252 "7.1.6.v20100715", 84253 "7.2.0.RC0", 84254 "7.2.0.v20101020", 84255 "7.2.1.v20101111", 84256 "7.2.2.v20101205", 84257 "7.3.0.v20110203", 84258 "7.3.1.v20110307", 84259 "7.4.0.RC0", 84260 "7.4.0.v20110414", 84261 "7.4.1.v20110513", 84262 "7.4.2.v20110526", 84263 "7.4.3.v20110701", 84264 "7.4.4.v20110707", 84265 "7.4.5.v20110725", 84266 "7.5.0.RC0", 84267 "7.5.0.RC1", 84268 "7.5.0.RC2", 84269 "7.5.0.v20110901", 84270 "7.5.1.v20110908", 84271 "7.5.2.v20111006", 84272 "7.5.3.v20111011", 84273 "7.5.4.v20111024", 84274 "7.6.0.RC0", 84275 "7.6.0.RC1", 84276 "7.6.0.RC2", 84277 "7.6.0.RC3", 84278 "7.6.0.RC4", 84279 "7.6.0.RC5", 84280 "7.6.0.v20120127", 84281 "7.6.1.v20120215", 84282 "7.6.10.v20130312", 84283 "7.6.11.v20130520", 84284 "7.6.12.v20130726", 84285 "7.6.13.v20130916", 84286 
"7.6.14.v20131031", 84287 "7.6.15.v20140411", 84288 "7.6.16.v20140903", 84289 "7.6.17.v20150415", 84290 "7.6.18.v20150929", 84291 "7.6.19.v20160209", 84292 "7.6.2.v20120308", 84293 "7.6.20.v20160902", 84294 "7.6.21.v20160908", 84295 "7.6.3.v20120416", 84296 "7.6.4.v20120524", 84297 "7.6.5.v20120716", 84298 "7.6.6.v20120903", 84299 "7.6.7.v20120910", 84300 "7.6.8.v20121106", 84301 "7.6.9.v20130131", 84302 "8.0.0.M0", 84303 "8.0.0.M1", 84304 "8.0.0.M2", 84305 "8.0.0.M3", 84306 "8.0.0.RC0", 84307 "8.0.0.v20110901", 84308 "8.0.1.v20110908", 84309 "8.0.2.v20111006", 84310 "8.0.3.v20111011", 84311 "8.0.4.v20111024", 84312 "8.1.0.RC0", 84313 "8.1.0.RC1", 84314 "8.1.0.RC2", 84315 "8.1.0.RC4", 84316 "8.1.0.RC5", 84317 "8.1.0.v20120127", 84318 "8.1.1.v20120215", 84319 "8.1.10.v20130312", 84320 "8.1.11.v20130520", 84321 "8.1.12.v20130726", 84322 "8.1.13.v20130916", 84323 "8.1.14.v20131031", 84324 "8.1.15.v20140411", 84325 "8.1.16.v20140903", 84326 "8.1.17.v20150415", 84327 "8.1.18.v20150929", 84328 "8.1.19.v20160209", 84329 "8.1.2.v20120308", 84330 "8.1.20.v20160902", 84331 "8.1.21.v20160908", 84332 "8.1.22.v20160922", 84333 "8.1.3.v20120416", 84334 "8.1.4.v20120524", 84335 "8.1.5.v20120716", 84336 "8.1.6.v20120903", 84337 "8.1.7.v20120910", 84338 "8.1.8.v20121106", 84339 "8.1.9.v20130131", 84340 "8.2.0.v20160908", 84341 "9.0.0.M0", 84342 "9.0.0.M1", 84343 "9.0.0.M2", 84344 "9.0.0.M3", 84345 "9.0.0.M4", 84346 "9.0.0.M5", 84347 "9.0.0.RC0", 84348 "9.0.0.RC1", 84349 "9.0.0.RC2", 84350 "9.0.0.v20130308", 84351 "9.0.1.v20130408", 84352 "9.0.2.v20130417", 84353 "9.0.3.v20130506", 84354 "9.0.4.v20130625", 84355 "9.0.5.v20130815", 84356 "9.0.6.v20130930", 84357 "9.0.7.v20131107", 84358 "9.1.0.M0", 84359 "9.1.0.RC0", 84360 "9.1.0.RC1", 84361 "9.1.0.RC2", 84362 "9.1.0.v20131115", 84363 "9.1.1.v20140108", 84364 "9.1.2.v20140210", 84365 "9.1.3.v20140225", 84366 "9.1.4.v20140401", 84367 "9.1.5.v20140505", 84368 "9.1.6.v20160112", 84369 "9.2.0.M0", 84370 "9.2.0.M1", 84371 "9.2.0.RC0", 
84372 "9.2.0.v20140526", 84373 "9.2.1.v20140609", 84374 "9.2.10.v20150310", 84375 "9.2.11.M0", 84376 "9.2.11.v20150529", 84377 "9.2.12.M0", 84378 "9.2.12.v20150709", 84379 "9.2.13.v20150730", 84380 "9.2.14.v20151106", 84381 "9.2.15.v20160210", 84382 "9.2.16.v20160414", 84383 "9.2.17.v20160517", 84384 "9.2.18.v20160721", 84385 "9.2.19.v20160908", 84386 "9.2.2.v20140723", 84387 "9.2.20.v20161216", 84388 "9.2.21.v20170120", 84389 "9.2.22.v20170606", 84390 "9.2.23.v20171218", 84391 "9.2.24.v20180105", 84392 "9.2.25.v20180606", 84393 "9.2.26.v20180806", 84394 "9.2.27.v20190403", 84395 "9.2.28.v20190418", 84396 "9.2.29.v20191105", 84397 "9.2.3.v20140905", 84398 "9.2.30.v20200428", 84399 "9.2.4.v20141103", 84400 "9.2.5.v20141112", 84401 "9.2.6.v20141205", 84402 "9.2.7.v20150116", 84403 "9.2.8.v20150217", 84404 "9.2.9.v20150224", 84405 "9.3.0.M0", 84406 "9.3.0.M1", 84407 "9.3.0.M2", 84408 "9.3.0.RC0", 84409 "9.3.0.RC1", 84410 "9.3.0.v20150612", 84411 "9.3.1.v20150714", 84412 "9.3.10.M0", 84413 "9.3.10.v20160621", 84414 "9.3.11.M0", 84415 "9.3.11.v20160721", 84416 "9.3.12.v20160915", 84417 "9.3.13.M0", 84418 "9.3.13.v20161014", 84419 "9.3.14.v20161028", 84420 "9.3.15.v20161220", 84421 "9.3.16.v20170120", 84422 "9.3.17.RC0", 84423 "9.3.17.v20170317", 84424 "9.3.18.v20170406", 84425 "9.3.19.v20170502", 84426 "9.3.2.v20150730", 84427 "9.3.20.v20170531", 84428 "9.3.21.M0", 84429 "9.3.21.RC0", 84430 "9.3.21.v20170918", 84431 "9.3.22.v20171030", 84432 "9.3.23.v20180228", 84433 "9.3.24.v20180605", 84434 "9.3.25.v20180904", 84435 "9.3.26.v20190403", 84436 "9.3.27.v20190418", 84437 "9.3.28.v20191105", 84438 "9.3.29.v20201019", 84439 "9.3.3.v20150827", 84440 "9.3.30.v20211001", 84441 "9.3.4.RC0", 84442 "9.3.4.RC1", 84443 "9.3.4.v20151007", 84444 "9.3.5.v20151012", 84445 "9.3.6.v20151106", 84446 "9.3.7.RC0", 84447 "9.3.7.RC1", 84448 "9.3.7.v20160115", 84449 "9.3.8.RC0", 84450 "9.3.8.v20160314", 84451 "9.3.9.M0", 84452 "9.3.9.M1", 84453 "9.3.9.v20160517", 84454 "9.4.0.M0", 84455 
"9.4.0.M1", 84456 "9.4.0.RC0", 84457 "9.4.0.RC1", 84458 "9.4.0.RC2", 84459 "9.4.0.RC3", 84460 "9.4.0.v20161208", 84461 "9.4.0.v20180619", 84462 "9.4.1.v20170120", 84463 "9.4.1.v20180619", 84464 "9.4.10.RC0", 84465 "9.4.10.RC1", 84466 "9.4.10.v20180503", 84467 "9.4.11.v20180605", 84468 "9.4.12.RC0", 84469 "9.4.12.RC1", 84470 "9.4.12.RC2", 84471 "9.4.12.v20180830", 84472 "9.4.13.v20181111", 84473 "9.4.14.v20181114", 84474 "9.4.15.v20190215", 84475 "9.4.16.v20190411", 84476 "9.4.17.v20190418", 84477 "9.4.18.v20190429", 84478 "9.4.19.v20190610", 84479 "9.4.2.v20170220", 84480 "9.4.2.v20180619", 84481 "9.4.20.v20190813", 84482 "9.4.21.v20190926", 84483 "9.4.22.v20191022", 84484 "9.4.23.v20191118", 84485 "9.4.24.v20191120", 84486 "9.4.25.v20191220", 84487 "9.4.26.v20200117", 84488 "9.4.27.v20200227", 84489 "9.4.28.v20200408", 84490 "9.4.29.v20200521", 84491 "9.4.3.v20170317", 84492 "9.4.3.v20180619", 84493 "9.4.30.v20200611", 84494 "9.4.31.v20200723", 84495 "9.4.32.v20200930", 84496 "9.4.33.v20201020", 84497 "9.4.34.v20201102", 84498 "9.4.35.v20201120", 84499 "9.4.36.v20210114", 84500 "9.4.37.v20210219", 84501 "9.4.38.v20210224", 84502 "9.4.39.v20210325", 84503 "9.4.4.v20170414", 84504 "9.4.4.v20180619", 84505 "9.4.40.v20210413", 84506 "9.4.41.v20210516", 84507 "9.4.42.v20210604", 84508 "9.4.43.v20210629", 84509 "9.4.44.v20210927", 84510 "9.4.45.v20220203", 84511 "9.4.46.v20220331", 84512 "9.4.47.v20220610", 84513 "9.4.48.v20220622", 84514 "9.4.49.v20220914", 84515 "9.4.5.v20170502", 84516 "9.4.5.v20180619", 84517 "9.4.50.v20221201", 84518 "9.4.6.v20170531", 84519 "9.4.6.v20180619", 84520 "9.4.7.RC0", 84521 "9.4.7.v20170914", 84522 "9.4.7.v20180619", 84523 "9.4.8.v20171121", 84524 "9.4.8.v20180619", 84525 "9.4.9.v20180320" 84526 ] 84527 }, 84528 { 84529 "database_specific": { 84530 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qw69-rqj8-6qw8/GHSA-qw69-rqj8-6qw8.json" 84531 }, 84532 "package": { 84533 "ecosystem": 
"Maven", 84534 "name": "org.eclipse.jetty:jetty-server", 84535 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 84536 }, 84537 "ranges": [ 84538 { 84539 "events": [ 84540 { 84541 "introduced": "10.0.0" 84542 }, 84543 { 84544 "fixed": "10.0.14" 84545 } 84546 ], 84547 "type": "ECOSYSTEM" 84548 } 84549 ], 84550 "versions": [ 84551 "10.0.0", 84552 "10.0.1", 84553 "10.0.10", 84554 "10.0.11", 84555 "10.0.12", 84556 "10.0.13", 84557 "10.0.2", 84558 "10.0.3", 84559 "10.0.4", 84560 "10.0.5", 84561 "10.0.6", 84562 "10.0.7", 84563 "10.0.8", 84564 "10.0.9" 84565 ] 84566 }, 84567 { 84568 "database_specific": { 84569 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qw69-rqj8-6qw8/GHSA-qw69-rqj8-6qw8.json" 84570 }, 84571 "package": { 84572 "ecosystem": "Maven", 84573 "name": "org.eclipse.jetty:jetty-server", 84574 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 84575 }, 84576 "ranges": [ 84577 { 84578 "events": [ 84579 { 84580 "introduced": "11.0.0" 84581 }, 84582 { 84583 "fixed": "11.0.14" 84584 } 84585 ], 84586 "type": "ECOSYSTEM" 84587 } 84588 ], 84589 "versions": [ 84590 "11.0.0", 84591 "11.0.1", 84592 "11.0.10", 84593 "11.0.11", 84594 "11.0.12", 84595 "11.0.13", 84596 "11.0.2", 84597 "11.0.3", 84598 "11.0.4", 84599 "11.0.5", 84600 "11.0.6", 84601 "11.0.7", 84602 "11.0.8", 84603 "11.0.9" 84604 ] 84605 } 84606 ], 84607 "aliases": [ 84608 "CVE-2023-26048" 84609 ], 84610 "database_specific": { 84611 "cwe_ids": [ 84612 "CWE-400", 84613 "CWE-770" 84614 ], 84615 "github_reviewed": true, 84616 "github_reviewed_at": "2023-04-19T18:15:45Z", 84617 "nvd_published_at": "2023-04-18T21:15:08Z", 84618 "severity": "MODERATE" 84619 }, 84620 "details": "### Impact\nServlets with multipart support (e.g. 
annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and a very large content.\n\nThis happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk.\n\nAn attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`.\nHowever, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time.\n\nA very large number of parts may cause the same problem.\n\n### Patches\nPatched in Jetty versions\n\n* 9.4.51.v20230217 - via PR #9345\n* 10.0.14 - via PR #9344\n* 11.0.14 - via PR #9344\n\n### Workarounds\nMultipart parameter `maxRequestSize` must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).\nLimiting multipart parameter `maxFileSize` won't be enough because an attacker can send a large number of parts that summed up will cause memory issues.\n\n### References\n* https://github.com/eclipse/jetty.project/issues/9076\n* https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload\n", 84621 "id": "GHSA-qw69-rqj8-6qw8", 84622 "modified": "2024-02-20T05:33:41.250857Z", 84623 "published": "2023-04-19T18:15:45Z", 84624 "references": [ 84625 { 84626 "type": "WEB", 84627 "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8" 84628 }, 84629 { 84630 "type": "ADVISORY", 84631 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26048" 84632 }, 84633 { 84634 "type": "WEB", 84635 "url": "https://github.com/eclipse/jetty.project/issues/9076" 84636 }, 84637 { 84638 "type": "WEB", 84639 "url": "https://github.com/eclipse/jetty.project/pull/9344" 84640 }, 84641 { 84642 "type": "WEB", 84643 "url": 
"https://github.com/eclipse/jetty.project/pull/9345" 84644 }, 84645 { 84646 "type": "PACKAGE", 84647 "url": "https://github.com/eclipse/jetty.project" 84648 }, 84649 { 84650 "type": "WEB", 84651 "url": "https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217" 84652 }, 84653 { 84654 "type": "WEB", 84655 "url": "https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload" 84656 }, 84657 { 84658 "type": "WEB", 84659 "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html" 84660 }, 84661 { 84662 "type": "WEB", 84663 "url": "https://security.netapp.com/advisory/ntap-20230526-0001" 84664 }, 84665 { 84666 "type": "WEB", 84667 "url": "https://www.debian.org/security/2023/dsa-5507" 84668 } 84669 ], 84670 "related": [ 84671 "CGA-q672-cgj3-7q4g" 84672 ], 84673 "schema_version": "1.6.0", 84674 "severity": [ 84675 { 84676 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", 84677 "type": "CVSS_V3" 84678 } 84679 ], 84680 "summary": "OutOfMemoryError for large multipart without filename in Eclipse Jetty" 84681 }, 84682 { 84683 "affected": [ 84684 { 84685 "database_specific": { 84686 "last_known_affected_version_range": "\u003c= 8.1.0.RC2", 84687 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qxp4-27vx-xmm3/GHSA-qxp4-27vx-xmm3.json" 84688 }, 84689 "package": { 84690 "ecosystem": "Maven", 84691 "name": "org.eclipse.jetty:jetty-server", 84692 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 84693 }, 84694 "ranges": [ 84695 { 84696 "events": [ 84697 { 84698 "introduced": "0" 84699 }, 84700 { 84701 "fixed": "8.1.0.RC4" 84702 } 84703 ], 84704 "type": "ECOSYSTEM" 84705 } 84706 ], 84707 "versions": [ 84708 "7.0.0.M0", 84709 "7.0.0.M1", 84710 "7.0.0.M2", 84711 "7.0.0.M3", 84712 "7.0.0.M4", 84713 "7.0.0.RC0", 84714 "7.0.0.RC1", 84715 "7.0.0.RC2", 84716 "7.0.0.RC3", 84717 "7.0.0.RC4", 84718 "7.0.0.RC5", 84719 "7.0.0.RC6", 84720 
"7.0.0.v20091005", 84721 "7.0.1.v20091125", 84722 "7.0.2.RC0", 84723 "7.0.2.v20100331", 84724 "7.1.0.RC0", 84725 "7.1.0.RC1", 84726 "7.1.0.v20100505", 84727 "7.1.1.v20100517", 84728 "7.1.2.v20100523", 84729 "7.1.3.v20100526", 84730 "7.1.4.v20100610", 84731 "7.1.5.v20100705", 84732 "7.1.6.v20100715", 84733 "7.2.0.RC0", 84734 "7.2.0.v20101020", 84735 "7.2.1.v20101111", 84736 "7.2.2.v20101205", 84737 "7.3.0.v20110203", 84738 "7.3.1.v20110307", 84739 "7.4.0.RC0", 84740 "7.4.0.v20110414", 84741 "7.4.1.v20110513", 84742 "7.4.2.v20110526", 84743 "7.4.3.v20110701", 84744 "7.4.4.v20110707", 84745 "7.4.5.v20110725", 84746 "7.5.0.RC0", 84747 "7.5.0.RC1", 84748 "7.5.0.RC2", 84749 "7.5.0.v20110901", 84750 "7.5.1.v20110908", 84751 "7.5.2.v20111006", 84752 "7.5.3.v20111011", 84753 "7.5.4.v20111024", 84754 "7.6.0.RC0", 84755 "7.6.0.RC1", 84756 "7.6.0.RC2", 84757 "7.6.0.RC3", 84758 "7.6.0.RC4", 84759 "7.6.0.RC5", 84760 "7.6.0.v20120127", 84761 "7.6.1.v20120215", 84762 "7.6.10.v20130312", 84763 "7.6.11.v20130520", 84764 "7.6.12.v20130726", 84765 "7.6.13.v20130916", 84766 "7.6.14.v20131031", 84767 "7.6.15.v20140411", 84768 "7.6.16.v20140903", 84769 "7.6.17.v20150415", 84770 "7.6.18.v20150929", 84771 "7.6.19.v20160209", 84772 "7.6.2.v20120308", 84773 "7.6.20.v20160902", 84774 "7.6.21.v20160908", 84775 "7.6.3.v20120416", 84776 "7.6.4.v20120524", 84777 "7.6.5.v20120716", 84778 "7.6.6.v20120903", 84779 "7.6.7.v20120910", 84780 "7.6.8.v20121106", 84781 "7.6.9.v20130131", 84782 "8.0.0.M0", 84783 "8.0.0.M1", 84784 "8.0.0.M2", 84785 "8.0.0.M3", 84786 "8.0.0.RC0", 84787 "8.0.0.v20110901", 84788 "8.0.1.v20110908", 84789 "8.0.2.v20111006", 84790 "8.0.3.v20111011", 84791 "8.0.4.v20111024", 84792 "8.1.0.RC0", 84793 "8.1.0.RC1", 84794 "8.1.0.RC2" 84795 ] 84796 } 84797 ], 84798 "aliases": [ 84799 "CVE-2011-4461" 84800 ], 84801 "database_specific": { 84802 "cwe_ids": [ 84803 "CWE-20" 84804 ], 84805 "github_reviewed": true, 84806 "github_reviewed_at": "2022-07-13T18:07:02Z", 84807 "nvd_published_at": 
"2011-12-30T01:55:00Z", 84808 "severity": "MODERATE" 84809 }, 84810 "details": "Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.", 84811 "id": "GHSA-qxp4-27vx-xmm3", 84812 "modified": "2024-04-19T19:16:17.73217Z", 84813 "published": "2022-05-14T01:27:35Z", 84814 "references": [ 84815 { 84816 "type": "ADVISORY", 84817 "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-4461" 84818 }, 84819 { 84820 "type": "WEB", 84821 "url": "https://github.com/eclipse/jetty.project/commit/085c79d7d6cfbccc02821ffdb64968593df3e0bf" 84822 }, 84823 { 84824 "type": "WEB", 84825 "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72017" 84826 }, 84827 { 84828 "type": "PACKAGE", 84829 "url": "https://github.com/eclipse/jetty.project" 84830 }, 84831 { 84832 "type": "WEB", 84833 "url": "https://security.netapp.com/advisory/ntap-20190307-0004" 84834 }, 84835 { 84836 "type": "WEB", 84837 "url": "http://marc.info/?l=bugtraq\u0026m=143387688830075\u0026w=2" 84838 }, 84839 { 84840 "type": "WEB", 84841 "url": "http://www.kb.cert.org/vuls/id/903934" 84842 }, 84843 { 84844 "type": "WEB", 84845 "url": "http://www.ocert.org/advisories/ocert-2011-003.html" 84846 }, 84847 { 84848 "type": "WEB", 84849 "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html" 84850 }, 84851 { 84852 "type": "WEB", 84853 "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" 84854 }, 84855 { 84856 "type": "WEB", 84857 "url": "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html" 84858 }, 84859 { 84860 "type": "WEB", 84861 "url": "http://www.ubuntu.com/usn/USN-1429-1" 84862 } 84863 ], 84864 "schema_version": "1.6.0", 84865 "severity": [ 84866 { 84867 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", 84868 "type": "CVSS_V3" 84869 } 
84870 ], 84871 "summary": "Improper Input Validation in Jetty" 84872 }, 84873 { 84874 "affected": [ 84875 { 84876 "database_specific": { 84877 "last_known_affected_version_range": "\u003c= 9.2.27.v20190403", 84878 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-r28m-g6j9-r2h5/GHSA-r28m-g6j9-r2h5.json" 84879 }, 84880 "package": { 84881 "ecosystem": "Maven", 84882 "name": "org.eclipse.jetty:jetty-server", 84883 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 84884 }, 84885 "ranges": [ 84886 { 84887 "events": [ 84888 { 84889 "introduced": "9.2.0" 84890 }, 84891 { 84892 "fixed": "9.2.28.v20190418" 84893 } 84894 ], 84895 "type": "ECOSYSTEM" 84896 } 84897 ], 84898 "versions": [ 84899 "9.2.0.v20140526", 84900 "9.2.1.v20140609", 84901 "9.2.10.v20150310", 84902 "9.2.11.M0", 84903 "9.2.11.v20150529", 84904 "9.2.12.M0", 84905 "9.2.12.v20150709", 84906 "9.2.13.v20150730", 84907 "9.2.14.v20151106", 84908 "9.2.15.v20160210", 84909 "9.2.16.v20160414", 84910 "9.2.17.v20160517", 84911 "9.2.18.v20160721", 84912 "9.2.19.v20160908", 84913 "9.2.2.v20140723", 84914 "9.2.20.v20161216", 84915 "9.2.21.v20170120", 84916 "9.2.22.v20170606", 84917 "9.2.23.v20171218", 84918 "9.2.24.v20180105", 84919 "9.2.25.v20180606", 84920 "9.2.26.v20180806", 84921 "9.2.27.v20190403", 84922 "9.2.3.v20140905", 84923 "9.2.4.v20141103", 84924 "9.2.5.v20141112", 84925 "9.2.6.v20141205", 84926 "9.2.7.v20150116", 84927 "9.2.8.v20150217", 84928 "9.2.9.v20150224" 84929 ] 84930 }, 84931 { 84932 "database_specific": { 84933 "last_known_affected_version_range": "\u003c= 9.3.26.v20190403", 84934 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-r28m-g6j9-r2h5/GHSA-r28m-g6j9-r2h5.json" 84935 }, 84936 "package": { 84937 "ecosystem": "Maven", 84938 "name": "org.eclipse.jetty:jetty-server", 84939 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 84940 }, 84941 "ranges": [ 84942 { 84943 "events": [ 84944 { 
84945 "introduced": "9.3.0" 84946 }, 84947 { 84948 "fixed": "9.3.27.v20190418" 84949 } 84950 ], 84951 "type": "ECOSYSTEM" 84952 } 84953 ], 84954 "versions": [ 84955 "9.3.0.v20150612", 84956 "9.3.1.v20150714", 84957 "9.3.10.M0", 84958 "9.3.10.v20160621", 84959 "9.3.11.M0", 84960 "9.3.11.v20160721", 84961 "9.3.12.v20160915", 84962 "9.3.13.M0", 84963 "9.3.13.v20161014", 84964 "9.3.14.v20161028", 84965 "9.3.15.v20161220", 84966 "9.3.16.v20170120", 84967 "9.3.17.RC0", 84968 "9.3.17.v20170317", 84969 "9.3.18.v20170406", 84970 "9.3.19.v20170502", 84971 "9.3.2.v20150730", 84972 "9.3.20.v20170531", 84973 "9.3.21.M0", 84974 "9.3.21.RC0", 84975 "9.3.21.v20170918", 84976 "9.3.22.v20171030", 84977 "9.3.23.v20180228", 84978 "9.3.24.v20180605", 84979 "9.3.25.v20180904", 84980 "9.3.26.v20190403", 84981 "9.3.3.v20150827", 84982 "9.3.4.RC0", 84983 "9.3.4.RC1", 84984 "9.3.4.v20151007", 84985 "9.3.5.v20151012", 84986 "9.3.6.v20151106", 84987 "9.3.7.RC0", 84988 "9.3.7.RC1", 84989 "9.3.7.v20160115", 84990 "9.3.8.RC0", 84991 "9.3.8.v20160314", 84992 "9.3.9.M0", 84993 "9.3.9.M1", 84994 "9.3.9.v20160517" 84995 ] 84996 }, 84997 { 84998 "database_specific": { 84999 "last_known_affected_version_range": "\u003c= 9.4.16.v20190411", 85000 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-r28m-g6j9-r2h5/GHSA-r28m-g6j9-r2h5.json" 85001 }, 85002 "package": { 85003 "ecosystem": "Maven", 85004 "name": "org.eclipse.jetty:jetty-server", 85005 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 85006 }, 85007 "ranges": [ 85008 { 85009 "events": [ 85010 { 85011 "introduced": "9.4.0" 85012 }, 85013 { 85014 "fixed": "9.4.17.v20190418" 85015 } 85016 ], 85017 "type": "ECOSYSTEM" 85018 } 85019 ], 85020 "versions": [ 85021 "9.4.0.v20161208", 85022 "9.4.0.v20180619", 85023 "9.4.1.v20170120", 85024 "9.4.1.v20180619", 85025 "9.4.10.RC0", 85026 "9.4.10.RC1", 85027 "9.4.10.v20180503", 85028 "9.4.11.v20180605", 85029 "9.4.12.RC0", 85030 "9.4.12.RC1", 85031 
"9.4.12.RC2", 85032 "9.4.12.v20180830", 85033 "9.4.13.v20181111", 85034 "9.4.14.v20181114", 85035 "9.4.15.v20190215", 85036 "9.4.16.v20190411", 85037 "9.4.2.v20170220", 85038 "9.4.2.v20180619", 85039 "9.4.3.v20170317", 85040 "9.4.3.v20180619", 85041 "9.4.4.v20170414", 85042 "9.4.4.v20180619", 85043 "9.4.5.v20170502", 85044 "9.4.5.v20180619", 85045 "9.4.6.v20170531", 85046 "9.4.6.v20180619", 85047 "9.4.7.RC0", 85048 "9.4.7.v20170914", 85049 "9.4.7.v20180619", 85050 "9.4.8.v20171121", 85051 "9.4.8.v20180619", 85052 "9.4.9.v20180320" 85053 ] 85054 } 85055 ], 85056 "aliases": [ 85057 "CVE-2019-10246" 85058 ], 85059 "database_specific": { 85060 "cwe_ids": [ 85061 "CWE-200", 85062 "CWE-213" 85063 ], 85064 "github_reviewed": true, 85065 "github_reviewed_at": "2019-04-23T16:03:54Z", 85066 "nvd_published_at": "2019-04-22T20:29:00Z", 85067 "severity": "MODERATE" 85068 }, 85069 "details": "In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. 
This information reveal is restricted to only the content in the configured base resource directories.", 85070 "id": "GHSA-r28m-g6j9-r2h5", 85071 "modified": "2024-02-16T08:10:20.837486Z", 85072 "published": "2019-04-23T16:07:18Z", 85073 "references": [ 85074 { 85075 "type": "ADVISORY", 85076 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10246" 85077 }, 85078 { 85079 "type": "WEB", 85080 "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546576" 85081 }, 85082 { 85083 "type": "WEB", 85084 "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" 85085 }, 85086 { 85087 "type": "WEB", 85088 "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" 85089 }, 85090 { 85091 "type": "WEB", 85092 "url": "https://security.netapp.com/advisory/ntap-20190509-0003" 85093 }, 85094 { 85095 "type": "WEB", 85096 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 85097 }, 85098 { 85099 "type": "WEB", 85100 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 85101 }, 85102 { 85103 "type": "WEB", 85104 "url": "https://www.oracle.com/security-alerts/cpujan2020.html" 85105 }, 85106 { 85107 "type": "WEB", 85108 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 85109 }, 85110 { 85111 "type": "WEB", 85112 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 85113 }, 85114 { 85115 "type": "WEB", 85116 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 85117 }, 85118 { 85119 "type": "WEB", 85120 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 85121 } 85122 ], 85123 "schema_version": "1.6.0", 85124 "severity": [ 85125 { 85126 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 85127 "type": "CVSS_V3" 85128 } 85129 ], 85130 "summary": "Information Exposure vulnerability in Eclipse Jetty" 85131 }, 85132 { 85133 "affected": [ 85134 { 
85135 "database_specific": { 85136 "last_known_affected_version_range": "\u003c= 9.2.25.v20180105", 85137 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-vgg8-72f2-qm23/GHSA-vgg8-72f2-qm23.json" 85138 }, 85139 "package": { 85140 "ecosystem": "Maven", 85141 "name": "org.eclipse.jetty:jetty-server", 85142 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 85143 }, 85144 "ranges": [ 85145 { 85146 "events": [ 85147 { 85148 "introduced": "0" 85149 }, 85150 { 85151 "fixed": "9.2.25.v20180606" 85152 } 85153 ], 85154 "type": "ECOSYSTEM" 85155 } 85156 ], 85157 "versions": [ 85158 "7.0.0.M0", 85159 "7.0.0.M1", 85160 "7.0.0.M2", 85161 "7.0.0.M3", 85162 "7.0.0.M4", 85163 "7.0.0.RC0", 85164 "7.0.0.RC1", 85165 "7.0.0.RC2", 85166 "7.0.0.RC3", 85167 "7.0.0.RC4", 85168 "7.0.0.RC5", 85169 "7.0.0.RC6", 85170 "7.0.0.v20091005", 85171 "7.0.1.v20091125", 85172 "7.0.2.RC0", 85173 "7.0.2.v20100331", 85174 "7.1.0.RC0", 85175 "7.1.0.RC1", 85176 "7.1.0.v20100505", 85177 "7.1.1.v20100517", 85178 "7.1.2.v20100523", 85179 "7.1.3.v20100526", 85180 "7.1.4.v20100610", 85181 "7.1.5.v20100705", 85182 "7.1.6.v20100715", 85183 "7.2.0.RC0", 85184 "7.2.0.v20101020", 85185 "7.2.1.v20101111", 85186 "7.2.2.v20101205", 85187 "7.3.0.v20110203", 85188 "7.3.1.v20110307", 85189 "7.4.0.RC0", 85190 "7.4.0.v20110414", 85191 "7.4.1.v20110513", 85192 "7.4.2.v20110526", 85193 "7.4.3.v20110701", 85194 "7.4.4.v20110707", 85195 "7.4.5.v20110725", 85196 "7.5.0.RC0", 85197 "7.5.0.RC1", 85198 "7.5.0.RC2", 85199 "7.5.0.v20110901", 85200 "7.5.1.v20110908", 85201 "7.5.2.v20111006", 85202 "7.5.3.v20111011", 85203 "7.5.4.v20111024", 85204 "7.6.0.RC0", 85205 "7.6.0.RC1", 85206 "7.6.0.RC2", 85207 "7.6.0.RC3", 85208 "7.6.0.RC4", 85209 "7.6.0.RC5", 85210 "7.6.0.v20120127", 85211 "7.6.1.v20120215", 85212 "7.6.10.v20130312", 85213 "7.6.11.v20130520", 85214 "7.6.12.v20130726", 85215 "7.6.13.v20130916", 85216 "7.6.14.v20131031", 85217 "7.6.15.v20140411", 85218 "7.6.16.v20140903", 
85219 "7.6.17.v20150415", 85220 "7.6.18.v20150929", 85221 "7.6.19.v20160209", 85222 "7.6.2.v20120308", 85223 "7.6.20.v20160902", 85224 "7.6.21.v20160908", 85225 "7.6.3.v20120416", 85226 "7.6.4.v20120524", 85227 "7.6.5.v20120716", 85228 "7.6.6.v20120903", 85229 "7.6.7.v20120910", 85230 "7.6.8.v20121106", 85231 "7.6.9.v20130131", 85232 "8.0.0.M0", 85233 "8.0.0.M1", 85234 "8.0.0.M2", 85235 "8.0.0.M3", 85236 "8.0.0.RC0", 85237 "8.0.0.v20110901", 85238 "8.0.1.v20110908", 85239 "8.0.2.v20111006", 85240 "8.0.3.v20111011", 85241 "8.0.4.v20111024", 85242 "8.1.0.RC0", 85243 "8.1.0.RC1", 85244 "8.1.0.RC2", 85245 "8.1.0.RC4", 85246 "8.1.0.RC5", 85247 "8.1.0.v20120127", 85248 "8.1.1.v20120215", 85249 "8.1.10.v20130312", 85250 "8.1.11.v20130520", 85251 "8.1.12.v20130726", 85252 "8.1.13.v20130916", 85253 "8.1.14.v20131031", 85254 "8.1.15.v20140411", 85255 "8.1.16.v20140903", 85256 "8.1.17.v20150415", 85257 "8.1.18.v20150929", 85258 "8.1.19.v20160209", 85259 "8.1.2.v20120308", 85260 "8.1.20.v20160902", 85261 "8.1.21.v20160908", 85262 "8.1.22.v20160922", 85263 "8.1.3.v20120416", 85264 "8.1.4.v20120524", 85265 "8.1.5.v20120716", 85266 "8.1.6.v20120903", 85267 "8.1.7.v20120910", 85268 "8.1.8.v20121106", 85269 "8.1.9.v20130131", 85270 "8.2.0.v20160908", 85271 "9.0.0.M0", 85272 "9.0.0.M1", 85273 "9.0.0.M2", 85274 "9.0.0.M3", 85275 "9.0.0.M4", 85276 "9.0.0.M5", 85277 "9.0.0.RC0", 85278 "9.0.0.RC1", 85279 "9.0.0.RC2", 85280 "9.0.0.v20130308", 85281 "9.0.1.v20130408", 85282 "9.0.2.v20130417", 85283 "9.0.3.v20130506", 85284 "9.0.4.v20130625", 85285 "9.0.5.v20130815", 85286 "9.0.6.v20130930", 85287 "9.0.7.v20131107", 85288 "9.1.0.M0", 85289 "9.1.0.RC0", 85290 "9.1.0.RC1", 85291 "9.1.0.RC2", 85292 "9.1.0.v20131115", 85293 "9.1.1.v20140108", 85294 "9.1.2.v20140210", 85295 "9.1.3.v20140225", 85296 "9.1.4.v20140401", 85297 "9.1.5.v20140505", 85298 "9.1.6.v20160112", 85299 "9.2.0.M0", 85300 "9.2.0.M1", 85301 "9.2.0.RC0", 85302 "9.2.0.v20140526", 85303 "9.2.1.v20140609", 85304 "9.2.10.v20150310", 
85305 "9.2.11.M0", 85306 "9.2.11.v20150529", 85307 "9.2.12.M0", 85308 "9.2.12.v20150709", 85309 "9.2.13.v20150730", 85310 "9.2.14.v20151106", 85311 "9.2.15.v20160210", 85312 "9.2.16.v20160414", 85313 "9.2.17.v20160517", 85314 "9.2.18.v20160721", 85315 "9.2.19.v20160908", 85316 "9.2.2.v20140723", 85317 "9.2.20.v20161216", 85318 "9.2.21.v20170120", 85319 "9.2.22.v20170606", 85320 "9.2.23.v20171218", 85321 "9.2.24.v20180105", 85322 "9.2.3.v20140905", 85323 "9.2.4.v20141103", 85324 "9.2.5.v20141112", 85325 "9.2.6.v20141205", 85326 "9.2.7.v20150116", 85327 "9.2.8.v20150217", 85328 "9.2.9.v20150224" 85329 ] 85330 }, 85331 { 85332 "database_specific": { 85333 "last_known_affected_version_range": "\u003c= 9.3.23.v20180228", 85334 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-vgg8-72f2-qm23/GHSA-vgg8-72f2-qm23.json" 85335 }, 85336 "package": { 85337 "ecosystem": "Maven", 85338 "name": "org.eclipse.jetty:jetty-server", 85339 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 85340 }, 85341 "ranges": [ 85342 { 85343 "events": [ 85344 { 85345 "introduced": "9.3.0" 85346 }, 85347 { 85348 "fixed": "9.3.24.v20180605" 85349 } 85350 ], 85351 "type": "ECOSYSTEM" 85352 } 85353 ], 85354 "versions": [ 85355 "9.3.0.v20150612", 85356 "9.3.1.v20150714", 85357 "9.3.10.M0", 85358 "9.3.10.v20160621", 85359 "9.3.11.M0", 85360 "9.3.11.v20160721", 85361 "9.3.12.v20160915", 85362 "9.3.13.M0", 85363 "9.3.13.v20161014", 85364 "9.3.14.v20161028", 85365 "9.3.15.v20161220", 85366 "9.3.16.v20170120", 85367 "9.3.17.RC0", 85368 "9.3.17.v20170317", 85369 "9.3.18.v20170406", 85370 "9.3.19.v20170502", 85371 "9.3.2.v20150730", 85372 "9.3.20.v20170531", 85373 "9.3.21.M0", 85374 "9.3.21.RC0", 85375 "9.3.21.v20170918", 85376 "9.3.22.v20171030", 85377 "9.3.23.v20180228", 85378 "9.3.3.v20150827", 85379 "9.3.4.RC0", 85380 "9.3.4.RC1", 85381 "9.3.4.v20151007", 85382 "9.3.5.v20151012", 85383 "9.3.6.v20151106", 85384 "9.3.7.RC0", 85385 "9.3.7.RC1", 85386 
"9.3.7.v20160115", 85387 "9.3.8.RC0", 85388 "9.3.8.v20160314", 85389 "9.3.9.M0", 85390 "9.3.9.M1", 85391 "9.3.9.v20160517" 85392 ] 85393 } 85394 ], 85395 "aliases": [ 85396 "CVE-2017-7657" 85397 ], 85398 "database_specific": { 85399 "cwe_ids": [ 85400 "CWE-190", 85401 "CWE-444" 85402 ], 85403 "github_reviewed": true, 85404 "github_reviewed_at": "2020-06-16T21:57:40Z", 85405 "nvd_published_at": "2018-06-26T16:29:00Z", 85406 "severity": "CRITICAL" 85407 }, 85408 "details": "In Eclipse Jetty, versions 9.2.x and older, 9.3.x, transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.", 85409 "id": "GHSA-vgg8-72f2-qm23", 85410 "modified": "2024-02-17T05:36:15.08082Z", 85411 "published": "2018-10-19T16:15:34Z", 85412 "references": [ 85413 { 85414 "type": "ADVISORY", 85415 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7657" 85416 }, 85417 { 85418 "type": "WEB", 85419 "url": "https://access.redhat.com/errata/RHSA-2019:0910" 85420 }, 85421 { 85422 "type": "WEB", 85423 "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668" 85424 }, 85425 { 85426 "type": "ADVISORY", 85427 "url": "https://github.com/advisories/GHSA-vgg8-72f2-qm23" 85428 }, 85429 { 85430 "type": "WEB", 85431 "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" 85432 }, 85433 { 85434 "type": "WEB", 85435 "url": 
"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" 85436 }, 85437 { 85438 "type": "WEB", 85439 "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" 85440 }, 85441 { 85442 "type": "WEB", 85443 "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" 85444 }, 85445 { 85446 "type": "WEB", 85447 "url": "https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8@%3Ccommits.druid.apache.org%3E" 85448 }, 85449 { 85450 "type": "WEB", 85451 "url": "https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae@%3Ccommits.druid.apache.org%3E" 85452 }, 85453 { 85454 "type": "WEB", 85455 "url": "https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574@%3Ccommits.druid.apache.org%3E" 85456 }, 85457 { 85458 "type": "WEB", 85459 "url": "https://security.netapp.com/advisory/ntap-20181014-0001" 85460 }, 85461 { 85462 "type": "WEB", 85463 "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03953en_us" 85464 }, 85465 { 85466 "type": "WEB", 85467 "url": "https://www.debian.org/security/2018/dsa-4278" 85468 }, 85469 { 85470 "type": "WEB", 85471 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 85472 }, 85473 { 85474 "type": "WEB", 85475 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 85476 }, 85477 { 85478 "type": "WEB", 85479 "url": "http://www.securitytracker.com/id/1041194" 85480 } 85481 ], 85482 "schema_version": "1.6.0", 85483 "severity": [ 85484 { 85485 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 85486 "type": "CVSS_V3" 85487 } 85488 ], 85489 "summary": "Critical severity vulnerability that affects org.eclipse.jetty:jetty-server" 
85490 }, 85491 { 85492 "affected": [ 85493 { 85494 "database_specific": { 85495 "last_known_affected_version_range": "\u003c= 9.4.5.v20170502", 85496 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-wfcc-pff6-rgc5/GHSA-wfcc-pff6-rgc5.json" 85497 }, 85498 "package": { 85499 "ecosystem": "Maven", 85500 "name": "org.eclipse.jetty:jetty-server", 85501 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 85502 }, 85503 "ranges": [ 85504 { 85505 "events": [ 85506 { 85507 "introduced": "9.4.0" 85508 }, 85509 { 85510 "fixed": "9.4.6.v20170531" 85511 } 85512 ], 85513 "type": "ECOSYSTEM" 85514 } 85515 ], 85516 "versions": [ 85517 "9.4.0.v20161208", 85518 "9.4.0.v20180619", 85519 "9.4.1.v20170120", 85520 "9.4.1.v20180619", 85521 "9.4.2.v20170220", 85522 "9.4.2.v20180619", 85523 "9.4.3.v20170317", 85524 "9.4.3.v20180619", 85525 "9.4.4.v20170414", 85526 "9.4.4.v20180619", 85527 "9.4.5.v20170502", 85528 "9.4.5.v20180619" 85529 ] 85530 }, 85531 { 85532 "database_specific": { 85533 "last_known_affected_version_range": "\u003c= 9.3.19.v20170502", 85534 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-wfcc-pff6-rgc5/GHSA-wfcc-pff6-rgc5.json" 85535 }, 85536 "package": { 85537 "ecosystem": "Maven", 85538 "name": "org.eclipse.jetty:jetty-server", 85539 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 85540 }, 85541 "ranges": [ 85542 { 85543 "events": [ 85544 { 85545 "introduced": "9.3.0" 85546 }, 85547 { 85548 "fixed": "9.3.20.v20170531" 85549 } 85550 ], 85551 "type": "ECOSYSTEM" 85552 } 85553 ], 85554 "versions": [ 85555 "9.3.0.v20150612", 85556 "9.3.1.v20150714", 85557 "9.3.10.M0", 85558 "9.3.10.v20160621", 85559 "9.3.11.M0", 85560 "9.3.11.v20160721", 85561 "9.3.12.v20160915", 85562 "9.3.13.M0", 85563 "9.3.13.v20161014", 85564 "9.3.14.v20161028", 85565 "9.3.15.v20161220", 85566 "9.3.16.v20170120", 85567 "9.3.17.RC0", 85568 "9.3.17.v20170317", 85569 "9.3.18.v20170406", 85570 
"9.3.19.v20170502", 85571 "9.3.2.v20150730", 85572 "9.3.3.v20150827", 85573 "9.3.4.RC0", 85574 "9.3.4.RC1", 85575 "9.3.4.v20151007", 85576 "9.3.5.v20151012", 85577 "9.3.6.v20151106", 85578 "9.3.7.RC0", 85579 "9.3.7.RC1", 85580 "9.3.7.v20160115", 85581 "9.3.8.RC0", 85582 "9.3.8.v20160314", 85583 "9.3.9.M0", 85584 "9.3.9.M1", 85585 "9.3.9.v20160517" 85586 ] 85587 }, 85588 { 85589 "database_specific": { 85590 "last_known_affected_version_range": "\u003c= 9.2.21.v20170120", 85591 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-wfcc-pff6-rgc5/GHSA-wfcc-pff6-rgc5.json" 85592 }, 85593 "package": { 85594 "ecosystem": "Maven", 85595 "name": "org.eclipse.jetty:jetty-server", 85596 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 85597 }, 85598 "ranges": [ 85599 { 85600 "events": [ 85601 { 85602 "introduced": "0" 85603 }, 85604 { 85605 "fixed": "9.2.22.v20170606" 85606 } 85607 ], 85608 "type": "ECOSYSTEM" 85609 } 85610 ], 85611 "versions": [ 85612 "7.0.0.M0", 85613 "7.0.0.M1", 85614 "7.0.0.M2", 85615 "7.0.0.M3", 85616 "7.0.0.M4", 85617 "7.0.0.RC0", 85618 "7.0.0.RC1", 85619 "7.0.0.RC2", 85620 "7.0.0.RC3", 85621 "7.0.0.RC4", 85622 "7.0.0.RC5", 85623 "7.0.0.RC6", 85624 "7.0.0.v20091005", 85625 "7.0.1.v20091125", 85626 "7.0.2.RC0", 85627 "7.0.2.v20100331", 85628 "7.1.0.RC0", 85629 "7.1.0.RC1", 85630 "7.1.0.v20100505", 85631 "7.1.1.v20100517", 85632 "7.1.2.v20100523", 85633 "7.1.3.v20100526", 85634 "7.1.4.v20100610", 85635 "7.1.5.v20100705", 85636 "7.1.6.v20100715", 85637 "7.2.0.RC0", 85638 "7.2.0.v20101020", 85639 "7.2.1.v20101111", 85640 "7.2.2.v20101205", 85641 "7.3.0.v20110203", 85642 "7.3.1.v20110307", 85643 "7.4.0.RC0", 85644 "7.4.0.v20110414", 85645 "7.4.1.v20110513", 85646 "7.4.2.v20110526", 85647 "7.4.3.v20110701", 85648 "7.4.4.v20110707", 85649 "7.4.5.v20110725", 85650 "7.5.0.RC0", 85651 "7.5.0.RC1", 85652 "7.5.0.RC2", 85653 "7.5.0.v20110901", 85654 "7.5.1.v20110908", 85655 "7.5.2.v20111006", 85656 
"7.5.3.v20111011", 85657 "7.5.4.v20111024", 85658 "7.6.0.RC0", 85659 "7.6.0.RC1", 85660 "7.6.0.RC2", 85661 "7.6.0.RC3", 85662 "7.6.0.RC4", 85663 "7.6.0.RC5", 85664 "7.6.0.v20120127", 85665 "7.6.1.v20120215", 85666 "7.6.10.v20130312", 85667 "7.6.11.v20130520", 85668 "7.6.12.v20130726", 85669 "7.6.13.v20130916", 85670 "7.6.14.v20131031", 85671 "7.6.15.v20140411", 85672 "7.6.16.v20140903", 85673 "7.6.17.v20150415", 85674 "7.6.18.v20150929", 85675 "7.6.19.v20160209", 85676 "7.6.2.v20120308", 85677 "7.6.20.v20160902", 85678 "7.6.21.v20160908", 85679 "7.6.3.v20120416", 85680 "7.6.4.v20120524", 85681 "7.6.5.v20120716", 85682 "7.6.6.v20120903", 85683 "7.6.7.v20120910", 85684 "7.6.8.v20121106", 85685 "7.6.9.v20130131", 85686 "8.0.0.M0", 85687 "8.0.0.M1", 85688 "8.0.0.M2", 85689 "8.0.0.M3", 85690 "8.0.0.RC0", 85691 "8.0.0.v20110901", 85692 "8.0.1.v20110908", 85693 "8.0.2.v20111006", 85694 "8.0.3.v20111011", 85695 "8.0.4.v20111024", 85696 "8.1.0.RC0", 85697 "8.1.0.RC1", 85698 "8.1.0.RC2", 85699 "8.1.0.RC4", 85700 "8.1.0.RC5", 85701 "8.1.0.v20120127", 85702 "8.1.1.v20120215", 85703 "8.1.10.v20130312", 85704 "8.1.11.v20130520", 85705 "8.1.12.v20130726", 85706 "8.1.13.v20130916", 85707 "8.1.14.v20131031", 85708 "8.1.15.v20140411", 85709 "8.1.16.v20140903", 85710 "8.1.17.v20150415", 85711 "8.1.18.v20150929", 85712 "8.1.19.v20160209", 85713 "8.1.2.v20120308", 85714 "8.1.20.v20160902", 85715 "8.1.21.v20160908", 85716 "8.1.22.v20160922", 85717 "8.1.3.v20120416", 85718 "8.1.4.v20120524", 85719 "8.1.5.v20120716", 85720 "8.1.6.v20120903", 85721 "8.1.7.v20120910", 85722 "8.1.8.v20121106", 85723 "8.1.9.v20130131", 85724 "8.2.0.v20160908", 85725 "9.0.0.M0", 85726 "9.0.0.M1", 85727 "9.0.0.M2", 85728 "9.0.0.M3", 85729 "9.0.0.M4", 85730 "9.0.0.M5", 85731 "9.0.0.RC0", 85732 "9.0.0.RC1", 85733 "9.0.0.RC2", 85734 "9.0.0.v20130308", 85735 "9.0.1.v20130408", 85736 "9.0.2.v20130417", 85737 "9.0.3.v20130506", 85738 "9.0.4.v20130625", 85739 "9.0.5.v20130815", 85740 "9.0.6.v20130930", 85741 
"9.0.7.v20131107", 85742 "9.1.0.M0", 85743 "9.1.0.RC0", 85744 "9.1.0.RC1", 85745 "9.1.0.RC2", 85746 "9.1.0.v20131115", 85747 "9.1.1.v20140108", 85748 "9.1.2.v20140210", 85749 "9.1.3.v20140225", 85750 "9.1.4.v20140401", 85751 "9.1.5.v20140505", 85752 "9.1.6.v20160112", 85753 "9.2.0.M0", 85754 "9.2.0.M1", 85755 "9.2.0.RC0", 85756 "9.2.0.v20140526", 85757 "9.2.1.v20140609", 85758 "9.2.10.v20150310", 85759 "9.2.11.M0", 85760 "9.2.11.v20150529", 85761 "9.2.12.M0", 85762 "9.2.12.v20150709", 85763 "9.2.13.v20150730", 85764 "9.2.14.v20151106", 85765 "9.2.15.v20160210", 85766 "9.2.16.v20160414", 85767 "9.2.17.v20160517", 85768 "9.2.18.v20160721", 85769 "9.2.19.v20160908", 85770 "9.2.2.v20140723", 85771 "9.2.20.v20161216", 85772 "9.2.21.v20170120", 85773 "9.2.3.v20140905", 85774 "9.2.4.v20141103", 85775 "9.2.5.v20141112", 85776 "9.2.6.v20141205", 85777 "9.2.7.v20150116", 85778 "9.2.8.v20150217", 85779 "9.2.9.v20150224" 85780 ] 85781 } 85782 ], 85783 "aliases": [ 85784 "CVE-2017-9735" 85785 ], 85786 "database_specific": { 85787 "cwe_ids": [ 85788 "CWE-200", 85789 "CWE-203" 85790 ], 85791 "github_reviewed": true, 85792 "github_reviewed_at": "2020-06-16T22:00:10Z", 85793 "nvd_published_at": "2017-06-16T21:29:00Z", 85794 "severity": "HIGH" 85795 }, 85796 "details": "Jetty through 9.4.x contains a timing channel attack in `util/security/Password.java`, which allows attackers to obtain access by observing elapsed times before rejection of incorrect passwords.", 85797 "id": "GHSA-wfcc-pff6-rgc5", 85798 "modified": "2024-02-16T08:22:10.602897Z", 85799 "published": "2018-10-19T16:15:46Z", 85800 "references": [ 85801 { 85802 "type": "ADVISORY", 85803 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9735" 85804 }, 85805 { 85806 "type": "WEB", 85807 "url": "https://github.com/eclipse/jetty.project/issues/1556" 85808 }, 85809 { 85810 "type": "WEB", 85811 "url": "https://github.com/eclipse/jetty.project/commit/042f325f1cd6e7891d72c7e668f5947b5457dc02" 85812 }, 85813 { 85814 "type": 
"WEB", 85815 "url": "https://bugs.debian.org/864631" 85816 }, 85817 { 85818 "type": "PACKAGE", 85819 "url": "https://github.com/eclipse/jetty.project" 85820 }, 85821 { 85822 "type": "WEB", 85823 "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" 85824 }, 85825 { 85826 "type": "WEB", 85827 "url": "https://lists.apache.org/thread.html/36870f6c51f5bc25e6f7bb1fcace0e57e81f1524019b11f466738559@%3Ccommon-dev.hadoop.apache.org%3E" 85828 }, 85829 { 85830 "type": "WEB", 85831 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 85832 }, 85833 { 85834 "type": "WEB", 85835 "url": "https://lists.apache.org/thread.html/f887a5978f5e4c62b9cfe876336628385cff429e796962649649ec8a@%3Ccommon-issues.hadoop.apache.org%3E" 85836 }, 85837 { 85838 "type": "WEB", 85839 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 85840 }, 85841 { 85842 "type": "WEB", 85843 "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" 85844 }, 85845 { 85846 "type": "WEB", 85847 "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html" 85848 }, 85849 { 85850 "type": "WEB", 85851 "url": "https://web.archive.org/web/20170826163336/http://www.securityfocus.com/bid/99104" 85852 }, 85853 { 85854 "type": "WEB", 85855 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 85856 }, 85857 { 85858 "type": "WEB", 85859 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 85860 }, 85861 { 85862 "type": "WEB", 85863 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 85864 } 85865 ], 85866 "schema_version": "1.6.0", 85867 "severity": [ 85868 { 85869 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 85870 "type": "CVSS_V3" 
85871 } 85872 ], 85873 "summary": "Jetty vulnerable to exposure of sensitive information due to observable discrepancy" 85874 }, 85875 { 85876 "affected": [ 85877 { 85878 "database_specific": { 85879 "last_known_affected_version_range": "\u003c= 9.4.30.v20200610", 85880 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-x3rh-m7vp-35f2/GHSA-x3rh-m7vp-35f2.json" 85881 }, 85882 "package": { 85883 "ecosystem": "Maven", 85884 "name": "org.eclipse.jetty:jetty-server", 85885 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 85886 }, 85887 "ranges": [ 85888 { 85889 "events": [ 85890 { 85891 "introduced": "9.4.27" 85892 }, 85893 { 85894 "fixed": "9.4.30.v20200611" 85895 } 85896 ], 85897 "type": "ECOSYSTEM" 85898 } 85899 ], 85900 "versions": [ 85901 "9.4.27.v20200227", 85902 "9.4.28.v20200408", 85903 "9.4.29.v20200521" 85904 ] 85905 } 85906 ], 85907 "aliases": [ 85908 "CVE-2019-17638" 85909 ], 85910 "database_specific": { 85911 "cwe_ids": [ 85912 "CWE-672", 85913 "CWE-675" 85914 ], 85915 "github_reviewed": true, 85916 "github_reviewed_at": "2020-08-03T20:11:29Z", 85917 "nvd_published_at": "2020-07-09T18:15:00Z", 85918 "severity": "CRITICAL" 85919 }, 85920 "details": "In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with response2 data. Thread1 then proceeds to write the buffer that now contains response2 data. 
This results in client1, which issued request1 and expects responses, to see response2 which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.).", 85921 "id": "GHSA-x3rh-m7vp-35f2", 85922 "modified": "2024-03-14T05:49:04.832402Z", 85923 "published": "2020-08-05T14:52:59Z", 85924 "references": [ 85925 { 85926 "type": "ADVISORY", 85927 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17638" 85928 }, 85929 { 85930 "type": "WEB", 85931 "url": "https://github.com/eclipse/jetty.project/issues/4936" 85932 }, 85933 { 85934 "type": "WEB", 85935 "url": "https://github.com/eclipse/jetty.project/commit/ff8ae56fa939c3477a0cdd1ff56ce3d902f08fba" 85936 }, 85937 { 85938 "type": "WEB", 85939 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 85940 }, 85941 { 85942 "type": "WEB", 85943 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 85944 }, 85945 { 85946 "type": "WEB", 85947 "url": "https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-575561" 85948 }, 85949 { 85950 "type": "WEB", 85951 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XE6US6VPZHOWFMUSFGDS5V2DNQPY5MKB" 85952 }, 85953 { 85954 "type": "WEB", 85955 "url": "https://lists.apache.org/thread.html/rd98cfd012490cb02caa1a11aaa0cc38bff2d43bcce9b20c2f01063dd@%3Ccommits.pulsar.apache.org%3E" 85956 }, 85957 { 85958 "type": "WEB", 85959 "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E" 85960 }, 85961 { 85962 "type": "WEB", 85963 "url": "https://lists.apache.org/thread.html/rbe1f230e87ea947593145d0072d0097ddb0af10fee1161db8ca1546c@%3Ccommits.pulsar.apache.org%3E" 85964 }, 85965 { 85966 "type": "WEB", 85967 "url": "https://lists.apache.org/thread.html/ra8661fc8c69c647cb06153c1485d48484a833d873f75dfe45937e9de@%3Ccommits.pulsar.apache.org%3E" 85968 }, 85969 { 85970 "type": "WEB", 85971 "url": 
"https://lists.apache.org/thread.html/r9a2cfa56d30782a0c17a5deb951a622d1f5c8de48e1c3b578ffc2a84@%3Ccommits.pulsar.apache.org%3E" 85972 }, 85973 { 85974 "type": "WEB", 85975 "url": "https://lists.apache.org/thread.html/r9584c4304c888f651d214341a939bd264ed30c9e3d0d30fe85097ecf@%3Ccommits.pulsar.apache.org%3E" 85976 }, 85977 { 85978 "type": "WEB", 85979 "url": "https://lists.apache.org/thread.html/r81f58591fb4716fb867b36956f30c7c8ad4ab3f23abc952d9d86a2a0@%3Ccommits.pulsar.apache.org%3E" 85980 }, 85981 { 85982 "type": "WEB", 85983 "url": "https://lists.apache.org/thread.html/r7fc5f2ed49641ea91c433e3cd0fc3d31c0278c87b82b15c33b881415@%3Ccommits.pulsar.apache.org%3E" 85984 }, 85985 { 85986 "type": "WEB", 85987 "url": "https://lists.apache.org/thread.html/r521168299e023fb075b57afe33d17ff1d09e8a10e0fd8c775ea0e028@%3Ccommits.pulsar.apache.org%3E" 85988 }, 85989 { 85990 "type": "WEB", 85991 "url": "https://lists.apache.org/thread.html/r4bdd3f7bb6820a79f9416b6667d718a06d269018619a75ce4b759318@%3Ccommits.pulsar.apache.org%3E" 85992 }, 85993 { 85994 "type": "WEB", 85995 "url": "https://lists.apache.org/thread.html/r378e4cdec15e132575aa1dcb6296ffeff2a896745a8991522e266ad4@%3Ccommits.pulsar.apache.org%3E" 85996 }, 85997 { 85998 "type": "WEB", 85999 "url": "https://lists.apache.org/thread.html/r29073905dc9139d0d7a146595694bf57bb9e35e5ec6aa73eb9c8443a@%3Ccommits.pulsar.apache.org%3E" 86000 }, 86001 { 86002 "type": "WEB", 86003 "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984" 86004 }, 86005 { 86006 "type": "WEB", 86007 "url": "http://www.openwall.com/lists/oss-security/2020/08/17/1" 86008 } 86009 ], 86010 "schema_version": "1.6.0", 86011 "severity": [ 86012 { 86013 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", 86014 "type": "CVSS_V3" 86015 } 86016 ], 86017 "summary": "Operation on a Resource after Expiration or Release in Jetty Server" 86018 }, 86019 { 86020 "affected": [ 86021 { 86022 "database_specific": { 86023 "last_known_affected_version_range": "\u003c= 
9.2.27.v20190403", 86024 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-xc67-hjx6-cgg6/GHSA-xc67-hjx6-cgg6.json" 86025 }, 86026 "package": { 86027 "ecosystem": "Maven", 86028 "name": "org.eclipse.jetty:jetty-server", 86029 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 86030 }, 86031 "ranges": [ 86032 { 86033 "events": [ 86034 { 86035 "introduced": "7.0.0" 86036 }, 86037 { 86038 "fixed": "9.2.28.v20190418" 86039 } 86040 ], 86041 "type": "ECOSYSTEM" 86042 } 86043 ], 86044 "versions": [ 86045 "7.0.0.v20091005", 86046 "7.0.1.v20091125", 86047 "7.0.2.RC0", 86048 "7.0.2.v20100331", 86049 "7.1.0.RC0", 86050 "7.1.0.RC1", 86051 "7.1.0.v20100505", 86052 "7.1.1.v20100517", 86053 "7.1.2.v20100523", 86054 "7.1.3.v20100526", 86055 "7.1.4.v20100610", 86056 "7.1.5.v20100705", 86057 "7.1.6.v20100715", 86058 "7.2.0.RC0", 86059 "7.2.0.v20101020", 86060 "7.2.1.v20101111", 86061 "7.2.2.v20101205", 86062 "7.3.0.v20110203", 86063 "7.3.1.v20110307", 86064 "7.4.0.RC0", 86065 "7.4.0.v20110414", 86066 "7.4.1.v20110513", 86067 "7.4.2.v20110526", 86068 "7.4.3.v20110701", 86069 "7.4.4.v20110707", 86070 "7.4.5.v20110725", 86071 "7.5.0.RC0", 86072 "7.5.0.RC1", 86073 "7.5.0.RC2", 86074 "7.5.0.v20110901", 86075 "7.5.1.v20110908", 86076 "7.5.2.v20111006", 86077 "7.5.3.v20111011", 86078 "7.5.4.v20111024", 86079 "7.6.0.RC0", 86080 "7.6.0.RC1", 86081 "7.6.0.RC2", 86082 "7.6.0.RC3", 86083 "7.6.0.RC4", 86084 "7.6.0.RC5", 86085 "7.6.0.v20120127", 86086 "7.6.1.v20120215", 86087 "7.6.10.v20130312", 86088 "7.6.11.v20130520", 86089 "7.6.12.v20130726", 86090 "7.6.13.v20130916", 86091 "7.6.14.v20131031", 86092 "7.6.15.v20140411", 86093 "7.6.16.v20140903", 86094 "7.6.17.v20150415", 86095 "7.6.18.v20150929", 86096 "7.6.19.v20160209", 86097 "7.6.2.v20120308", 86098 "7.6.20.v20160902", 86099 "7.6.21.v20160908", 86100 "7.6.3.v20120416", 86101 "7.6.4.v20120524", 86102 "7.6.5.v20120716", 86103 "7.6.6.v20120903", 86104 "7.6.7.v20120910", 86105 
"7.6.8.v20121106", 86106 "7.6.9.v20130131", 86107 "8.0.0.M0", 86108 "8.0.0.M1", 86109 "8.0.0.M2", 86110 "8.0.0.M3", 86111 "8.0.0.RC0", 86112 "8.0.0.v20110901", 86113 "8.0.1.v20110908", 86114 "8.0.2.v20111006", 86115 "8.0.3.v20111011", 86116 "8.0.4.v20111024", 86117 "8.1.0.RC0", 86118 "8.1.0.RC1", 86119 "8.1.0.RC2", 86120 "8.1.0.RC4", 86121 "8.1.0.RC5", 86122 "8.1.0.v20120127", 86123 "8.1.1.v20120215", 86124 "8.1.10.v20130312", 86125 "8.1.11.v20130520", 86126 "8.1.12.v20130726", 86127 "8.1.13.v20130916", 86128 "8.1.14.v20131031", 86129 "8.1.15.v20140411", 86130 "8.1.16.v20140903", 86131 "8.1.17.v20150415", 86132 "8.1.18.v20150929", 86133 "8.1.19.v20160209", 86134 "8.1.2.v20120308", 86135 "8.1.20.v20160902", 86136 "8.1.21.v20160908", 86137 "8.1.22.v20160922", 86138 "8.1.3.v20120416", 86139 "8.1.4.v20120524", 86140 "8.1.5.v20120716", 86141 "8.1.6.v20120903", 86142 "8.1.7.v20120910", 86143 "8.1.8.v20121106", 86144 "8.1.9.v20130131", 86145 "8.2.0.v20160908", 86146 "9.0.0.M0", 86147 "9.0.0.M1", 86148 "9.0.0.M2", 86149 "9.0.0.M3", 86150 "9.0.0.M4", 86151 "9.0.0.M5", 86152 "9.0.0.RC0", 86153 "9.0.0.RC1", 86154 "9.0.0.RC2", 86155 "9.0.0.v20130308", 86156 "9.0.1.v20130408", 86157 "9.0.2.v20130417", 86158 "9.0.3.v20130506", 86159 "9.0.4.v20130625", 86160 "9.0.5.v20130815", 86161 "9.0.6.v20130930", 86162 "9.0.7.v20131107", 86163 "9.1.0.M0", 86164 "9.1.0.RC0", 86165 "9.1.0.RC1", 86166 "9.1.0.RC2", 86167 "9.1.0.v20131115", 86168 "9.1.1.v20140108", 86169 "9.1.2.v20140210", 86170 "9.1.3.v20140225", 86171 "9.1.4.v20140401", 86172 "9.1.5.v20140505", 86173 "9.1.6.v20160112", 86174 "9.2.0.M0", 86175 "9.2.0.M1", 86176 "9.2.0.RC0", 86177 "9.2.0.v20140526", 86178 "9.2.1.v20140609", 86179 "9.2.10.v20150310", 86180 "9.2.11.M0", 86181 "9.2.11.v20150529", 86182 "9.2.12.M0", 86183 "9.2.12.v20150709", 86184 "9.2.13.v20150730", 86185 "9.2.14.v20151106", 86186 "9.2.15.v20160210", 86187 "9.2.16.v20160414", 86188 "9.2.17.v20160517", 86189 "9.2.18.v20160721", 86190 "9.2.19.v20160908", 86191 
"9.2.2.v20140723", 86192 "9.2.20.v20161216", 86193 "9.2.21.v20170120", 86194 "9.2.22.v20170606", 86195 "9.2.23.v20171218", 86196 "9.2.24.v20180105", 86197 "9.2.25.v20180606", 86198 "9.2.26.v20180806", 86199 "9.2.27.v20190403", 86200 "9.2.3.v20140905", 86201 "9.2.4.v20141103", 86202 "9.2.5.v20141112", 86203 "9.2.6.v20141205", 86204 "9.2.7.v20150116", 86205 "9.2.8.v20150217", 86206 "9.2.9.v20150224" 86207 ] 86208 }, 86209 { 86210 "database_specific": { 86211 "last_known_affected_version_range": "\u003c= 9.3.26.v20190403", 86212 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-xc67-hjx6-cgg6/GHSA-xc67-hjx6-cgg6.json" 86213 }, 86214 "package": { 86215 "ecosystem": "Maven", 86216 "name": "org.eclipse.jetty:jetty-server", 86217 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 86218 }, 86219 "ranges": [ 86220 { 86221 "events": [ 86222 { 86223 "introduced": "9.3.0" 86224 }, 86225 { 86226 "fixed": "9.3.27.v20190418" 86227 } 86228 ], 86229 "type": "ECOSYSTEM" 86230 } 86231 ], 86232 "versions": [ 86233 "9.3.0.v20150612", 86234 "9.3.1.v20150714", 86235 "9.3.10.M0", 86236 "9.3.10.v20160621", 86237 "9.3.11.M0", 86238 "9.3.11.v20160721", 86239 "9.3.12.v20160915", 86240 "9.3.13.M0", 86241 "9.3.13.v20161014", 86242 "9.3.14.v20161028", 86243 "9.3.15.v20161220", 86244 "9.3.16.v20170120", 86245 "9.3.17.RC0", 86246 "9.3.17.v20170317", 86247 "9.3.18.v20170406", 86248 "9.3.19.v20170502", 86249 "9.3.2.v20150730", 86250 "9.3.20.v20170531", 86251 "9.3.21.M0", 86252 "9.3.21.RC0", 86253 "9.3.21.v20170918", 86254 "9.3.22.v20171030", 86255 "9.3.23.v20180228", 86256 "9.3.24.v20180605", 86257 "9.3.25.v20180904", 86258 "9.3.26.v20190403", 86259 "9.3.3.v20150827", 86260 "9.3.4.RC0", 86261 "9.3.4.RC1", 86262 "9.3.4.v20151007", 86263 "9.3.5.v20151012", 86264 "9.3.6.v20151106", 86265 "9.3.7.RC0", 86266 "9.3.7.RC1", 86267 "9.3.7.v20160115", 86268 "9.3.8.RC0", 86269 "9.3.8.v20160314", 86270 "9.3.9.M0", 86271 "9.3.9.M1", 86272 "9.3.9.v20160517" 
86273 ] 86274 }, 86275 { 86276 "database_specific": { 86277 "last_known_affected_version_range": "\u003c= 9.4.16.v20190411", 86278 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-xc67-hjx6-cgg6/GHSA-xc67-hjx6-cgg6.json" 86279 }, 86280 "package": { 86281 "ecosystem": "Maven", 86282 "name": "org.eclipse.jetty:jetty-server", 86283 "purl": "pkg:maven/org.eclipse.jetty/jetty-server" 86284 }, 86285 "ranges": [ 86286 { 86287 "events": [ 86288 { 86289 "introduced": "9.4.0" 86290 }, 86291 { 86292 "fixed": "9.4.17.v20190418" 86293 } 86294 ], 86295 "type": "ECOSYSTEM" 86296 } 86297 ], 86298 "versions": [ 86299 "9.4.0.v20161208", 86300 "9.4.0.v20180619", 86301 "9.4.1.v20170120", 86302 "9.4.1.v20180619", 86303 "9.4.10.RC0", 86304 "9.4.10.RC1", 86305 "9.4.10.v20180503", 86306 "9.4.11.v20180605", 86307 "9.4.12.RC0", 86308 "9.4.12.RC1", 86309 "9.4.12.RC2", 86310 "9.4.12.v20180830", 86311 "9.4.13.v20181111", 86312 "9.4.14.v20181114", 86313 "9.4.15.v20190215", 86314 "9.4.16.v20190411", 86315 "9.4.2.v20170220", 86316 "9.4.2.v20180619", 86317 "9.4.3.v20170317", 86318 "9.4.3.v20180619", 86319 "9.4.4.v20170414", 86320 "9.4.4.v20180619", 86321 "9.4.5.v20170502", 86322 "9.4.5.v20180619", 86323 "9.4.6.v20170531", 86324 "9.4.6.v20180619", 86325 "9.4.7.RC0", 86326 "9.4.7.v20170914", 86327 "9.4.7.v20180619", 86328 "9.4.8.v20171121", 86329 "9.4.8.v20180619", 86330 "9.4.9.v20180320" 86331 ] 86332 } 86333 ], 86334 "aliases": [ 86335 "CVE-2019-10247" 86336 ], 86337 "database_specific": { 86338 "cwe_ids": [ 86339 "CWE-200", 86340 "CWE-213" 86341 ], 86342 "github_reviewed": true, 86343 "github_reviewed_at": "2019-04-23T16:04:31Z", 86344 "nvd_published_at": "2019-04-22T20:29:00Z", 86345 "severity": "MODERATE" 86346 }, 86347 "details": "In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base 
resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.", 86348 "id": "GHSA-xc67-hjx6-cgg6", 86349 "modified": "2024-03-14T05:20:28.01192Z", 86350 "published": "2019-04-23T16:07:12Z", 86351 "references": [ 86352 { 86353 "type": "ADVISORY", 86354 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10247" 86355 }, 86356 { 86357 "type": "WEB", 86358 "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" 86359 }, 86360 { 86361 "type": "WEB", 86362 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 86363 }, 86364 { 86365 "type": "WEB", 86366 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 86367 }, 86368 { 86369 "type": "WEB", 86370 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 86371 }, 86372 { 86373 "type": "WEB", 86374 "url": "https://www.oracle.com/security-alerts/cpujan2020.html" 86375 }, 86376 { 86377 "type": "WEB", 86378 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 86379 }, 86380 { 86381 "type": "WEB", 86382 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 86383 }, 86384 { 86385 "type": "WEB", 86386 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 86387 }, 86388 { 86389 "type": "WEB", 86390 "url": "https://www.debian.org/security/2021/dsa-4949" 86391 }, 86392 { 86393 "type": "WEB", 86394 "url": "https://security.netapp.com/advisory/ntap-20190509-0003" 86395 }, 86396 { 86397 "type": "WEB", 86398 "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html" 86399 }, 86400 { 86401 "type": "WEB", 
86402 "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" 86403 }, 86404 { 86405 "type": "WEB", 86406 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 86407 }, 86408 { 86409 "type": "WEB", 86410 "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" 86411 }, 86412 { 86413 "type": "WEB", 86414 "url": "https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E" 86415 }, 86416 { 86417 "type": "WEB", 86418 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 86419 }, 86420 { 86421 "type": "WEB", 86422 "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" 86423 }, 86424 { 86425 "type": "WEB", 86426 "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577" 86427 } 86428 ], 86429 "schema_version": "1.6.0", 86430 "severity": [ 86431 { 86432 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 86433 "type": "CVSS_V3" 86434 } 86435 ], 86436 "summary": "Installation information leak in Eclipse Jetty" 86437 }, 86438 { 86439 "affected": [ 86440 { 86441 "database_specific": { 86442 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json" 86443 }, 86444 "package": { 86445 "ecosystem": "Maven", 86446 "name": "org.eclipse.jetty:jetty-webapp", 86447 "purl": "pkg:maven/org.eclipse.jetty/jetty-webapp" 86448 }, 86449 "ranges": [ 86450 { 86451 "events": [ 86452 { 86453 "introduced": "0" 86454 }, 86455 { 86456 "fixed": "9.4.33.v20201020" 86457 } 86458 ], 86459 "type": "ECOSYSTEM" 86460 } 86461 ], 86462 "versions": [ 86463 
"7.0.0.M0", 86464 "7.0.0.M1", 86465 "7.0.0.M2", 86466 "7.0.0.M3", 86467 "7.0.0.M4", 86468 "7.0.0.RC0", 86469 "7.0.0.RC1", 86470 "7.0.0.RC2", 86471 "7.0.0.RC3", 86472 "7.0.0.RC4", 86473 "7.0.0.RC5", 86474 "7.0.0.RC6", 86475 "7.0.0.v20091005", 86476 "7.0.1.v20091125", 86477 "7.0.2.RC0", 86478 "7.0.2.v20100331", 86479 "7.1.0.RC0", 86480 "7.1.0.RC1", 86481 "7.1.0.v20100505", 86482 "7.1.1.v20100517", 86483 "7.1.2.v20100523", 86484 "7.1.3.v20100526", 86485 "7.1.4.v20100610", 86486 "7.1.5.v20100705", 86487 "7.1.6.v20100715", 86488 "7.2.0.RC0", 86489 "7.2.0.v20101020", 86490 "7.2.1.v20101111", 86491 "7.2.2.v20101205", 86492 "7.3.0.v20110203", 86493 "7.3.1.v20110307", 86494 "7.4.0.RC0", 86495 "7.4.0.v20110414", 86496 "7.4.1.v20110513", 86497 "7.4.2.v20110526", 86498 "7.4.3.v20110701", 86499 "7.4.4.v20110707", 86500 "7.4.5.v20110725", 86501 "7.5.0.RC0", 86502 "7.5.0.RC1", 86503 "7.5.0.RC2", 86504 "7.5.0.v20110901", 86505 "7.5.1.v20110908", 86506 "7.5.2.v20111006", 86507 "7.5.3.v20111011", 86508 "7.5.4.v20111024", 86509 "7.6.0.RC0", 86510 "7.6.0.RC1", 86511 "7.6.0.RC2", 86512 "7.6.0.RC3", 86513 "7.6.0.RC4", 86514 "7.6.0.RC5", 86515 "7.6.0.v20120127", 86516 "7.6.1.v20120215", 86517 "7.6.10.v20130312", 86518 "7.6.11.v20130520", 86519 "7.6.12.v20130726", 86520 "7.6.13.v20130916", 86521 "7.6.14.v20131031", 86522 "7.6.15.v20140411", 86523 "7.6.16.v20140903", 86524 "7.6.17.v20150415", 86525 "7.6.18.v20150929", 86526 "7.6.19.v20160209", 86527 "7.6.2.v20120308", 86528 "7.6.20.v20160902", 86529 "7.6.21.v20160908", 86530 "7.6.3.v20120416", 86531 "7.6.4.v20120524", 86532 "7.6.5.v20120716", 86533 "7.6.6.v20120903", 86534 "7.6.7.v20120910", 86535 "7.6.8.v20121106", 86536 "7.6.9.v20130131", 86537 "8.0.0.M0", 86538 "8.0.0.M1", 86539 "8.0.0.M2", 86540 "8.0.0.M3", 86541 "8.0.0.RC0", 86542 "8.0.0.v20110901", 86543 "8.0.1.v20110908", 86544 "8.0.2.v20111006", 86545 "8.0.3.v20111011", 86546 "8.0.4.v20111024", 86547 "8.1.0.RC0", 86548 "8.1.0.RC1", 86549 "8.1.0.RC2", 86550 "8.1.0.RC4", 86551 
"8.1.0.RC5", 86552 "8.1.0.v20120127", 86553 "8.1.1.v20120215", 86554 "8.1.10.v20130312", 86555 "8.1.11.v20130520", 86556 "8.1.12.v20130726", 86557 "8.1.13.v20130916", 86558 "8.1.14.v20131031", 86559 "8.1.15.v20140411", 86560 "8.1.16.v20140903", 86561 "8.1.17.v20150415", 86562 "8.1.18.v20150929", 86563 "8.1.19.v20160209", 86564 "8.1.2.v20120308", 86565 "8.1.20.v20160902", 86566 "8.1.21.v20160908", 86567 "8.1.22.v20160922", 86568 "8.1.3.v20120416", 86569 "8.1.4.v20120524", 86570 "8.1.5.v20120716", 86571 "8.1.6.v20120903", 86572 "8.1.7.v20120910", 86573 "8.1.8.v20121106", 86574 "8.1.9.v20130131", 86575 "8.2.0.v20160908", 86576 "9.0.0.M0", 86577 "9.0.0.M1", 86578 "9.0.0.M2", 86579 "9.0.0.M3", 86580 "9.0.0.M4", 86581 "9.0.0.M5", 86582 "9.0.0.RC0", 86583 "9.0.0.RC1", 86584 "9.0.0.RC2", 86585 "9.0.0.v20130308", 86586 "9.0.1.v20130408", 86587 "9.0.2.v20130417", 86588 "9.0.3.v20130506", 86589 "9.0.4.v20130625", 86590 "9.0.5.v20130815", 86591 "9.0.6.v20130930", 86592 "9.0.7.v20131107", 86593 "9.1.0.M0", 86594 "9.1.0.RC0", 86595 "9.1.0.RC1", 86596 "9.1.0.RC2", 86597 "9.1.0.v20131115", 86598 "9.1.1.v20140108", 86599 "9.1.2.v20140210", 86600 "9.1.3.v20140225", 86601 "9.1.4.v20140401", 86602 "9.1.5.v20140505", 86603 "9.1.6.v20160112", 86604 "9.2.0.M0", 86605 "9.2.0.M1", 86606 "9.2.0.RC0", 86607 "9.2.0.v20140526", 86608 "9.2.1.v20140609", 86609 "9.2.10.v20150310", 86610 "9.2.11.M0", 86611 "9.2.11.v20150529", 86612 "9.2.12.M0", 86613 "9.2.12.v20150709", 86614 "9.2.13.v20150730", 86615 "9.2.14.v20151106", 86616 "9.2.15.v20160210", 86617 "9.2.16.v20160414", 86618 "9.2.17.v20160517", 86619 "9.2.18.v20160721", 86620 "9.2.19.v20160908", 86621 "9.2.2.v20140723", 86622 "9.2.20.v20161216", 86623 "9.2.21.v20170120", 86624 "9.2.22.v20170606", 86625 "9.2.23.v20171218", 86626 "9.2.24.v20180105", 86627 "9.2.25.v20180606", 86628 "9.2.26.v20180806", 86629 "9.2.27.v20190403", 86630 "9.2.28.v20190418", 86631 "9.2.29.v20191105", 86632 "9.2.3.v20140905", 86633 "9.2.30.v20200428", 86634 
"9.2.4.v20141103", 86635 "9.2.5.v20141112", 86636 "9.2.6.v20141205", 86637 "9.2.7.v20150116", 86638 "9.2.8.v20150217", 86639 "9.2.9.v20150224", 86640 "9.3.0.M0", 86641 "9.3.0.M1", 86642 "9.3.0.M2", 86643 "9.3.0.RC0", 86644 "9.3.0.RC1", 86645 "9.3.0.v20150612", 86646 "9.3.1.v20150714", 86647 "9.3.10.M0", 86648 "9.3.10.v20160621", 86649 "9.3.11.M0", 86650 "9.3.11.v20160721", 86651 "9.3.12.v20160915", 86652 "9.3.13.M0", 86653 "9.3.13.v20161014", 86654 "9.3.14.v20161028", 86655 "9.3.15.v20161220", 86656 "9.3.16.v20170120", 86657 "9.3.17.RC0", 86658 "9.3.17.v20170317", 86659 "9.3.18.v20170406", 86660 "9.3.19.v20170502", 86661 "9.3.2.v20150730", 86662 "9.3.20.v20170531", 86663 "9.3.21.M0", 86664 "9.3.21.RC0", 86665 "9.3.21.v20170918", 86666 "9.3.22.v20171030", 86667 "9.3.23.v20180228", 86668 "9.3.24.v20180605", 86669 "9.3.25.v20180904", 86670 "9.3.26.v20190403", 86671 "9.3.27.v20190418", 86672 "9.3.28.v20191105", 86673 "9.3.29.v20201019", 86674 "9.3.3.v20150827", 86675 "9.3.30.v20211001", 86676 "9.3.4.RC0", 86677 "9.3.4.RC1", 86678 "9.3.4.v20151007", 86679 "9.3.5.v20151012", 86680 "9.3.6.v20151106", 86681 "9.3.7.RC0", 86682 "9.3.7.RC1", 86683 "9.3.7.v20160115", 86684 "9.3.8.RC0", 86685 "9.3.8.v20160314", 86686 "9.3.9.M0", 86687 "9.3.9.M1", 86688 "9.3.9.v20160517", 86689 "9.4.0.M0", 86690 "9.4.0.M1", 86691 "9.4.0.RC0", 86692 "9.4.0.RC1", 86693 "9.4.0.RC2", 86694 "9.4.0.RC3", 86695 "9.4.0.v20161208", 86696 "9.4.0.v20180619", 86697 "9.4.1.v20170120", 86698 "9.4.1.v20180619", 86699 "9.4.10.RC0", 86700 "9.4.10.RC1", 86701 "9.4.10.v20180503", 86702 "9.4.11.v20180605", 86703 "9.4.12.RC0", 86704 "9.4.12.RC1", 86705 "9.4.12.RC2", 86706 "9.4.12.v20180830", 86707 "9.4.13.v20181111", 86708 "9.4.14.v20181114", 86709 "9.4.15.v20190215", 86710 "9.4.16.v20190411", 86711 "9.4.17.v20190418", 86712 "9.4.18.v20190429", 86713 "9.4.19.v20190610", 86714 "9.4.2.v20170220", 86715 "9.4.2.v20180619", 86716 "9.4.20.v20190813", 86717 "9.4.21.v20190926", 86718 "9.4.22.v20191022", 86719 
"9.4.23.v20191118", 86720 "9.4.24.v20191120", 86721 "9.4.25.v20191220", 86722 "9.4.26.v20200117", 86723 "9.4.27.v20200227", 86724 "9.4.28.v20200408", 86725 "9.4.29.v20200521", 86726 "9.4.3.v20170317", 86727 "9.4.3.v20180619", 86728 "9.4.30.v20200611", 86729 "9.4.31.v20200723", 86730 "9.4.32.v20200930", 86731 "9.4.4.v20170414", 86732 "9.4.4.v20180619", 86733 "9.4.5.v20170502", 86734 "9.4.5.v20180619", 86735 "9.4.6.v20170531", 86736 "9.4.6.v20180619", 86737 "9.4.7.RC0", 86738 "9.4.7.v20170914", 86739 "9.4.7.v20180619", 86740 "9.4.8.v20171121", 86741 "9.4.8.v20180619", 86742 "9.4.9.v20180320" 86743 ] 86744 }, 86745 { 86746 "database_specific": { 86747 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json" 86748 }, 86749 "package": { 86750 "ecosystem": "Maven", 86751 "name": "org.mortbay.jetty:jetty-webapp", 86752 "purl": "pkg:maven/org.mortbay.jetty/jetty-webapp" 86753 }, 86754 "ranges": [ 86755 { 86756 "events": [ 86757 { 86758 "introduced": "0" 86759 }, 86760 { 86761 "fixed": "9.4.33" 86762 } 86763 ], 86764 "type": "ECOSYSTEM" 86765 } 86766 ], 86767 "versions": [ 86768 "7.0.0.pre4", 86769 "7.0.0.pre5" 86770 ] 86771 }, 86772 { 86773 "database_specific": { 86774 "last_known_affected_version_range": "\u003c= 10.0.0.beta2", 86775 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json" 86776 }, 86777 "package": { 86778 "ecosystem": "Maven", 86779 "name": "org.eclipse.jetty:jetty-webapp", 86780 "purl": "pkg:maven/org.eclipse.jetty/jetty-webapp" 86781 }, 86782 "ranges": [ 86783 { 86784 "events": [ 86785 { 86786 "introduced": "10.0.0.beta1" 86787 }, 86788 { 86789 "fixed": "10.0.0.beta3" 86790 } 86791 ], 86792 "type": "ECOSYSTEM" 86793 } 86794 ], 86795 "versions": [ 86796 "10.0.0.beta1", 86797 "10.0.0.beta2" 86798 ] 86799 }, 86800 { 86801 "database_specific": { 86802 
"last_known_affected_version_range": "\u003c= 10.0.0.beta2", 86803 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json" 86804 }, 86805 "package": { 86806 "ecosystem": "Maven", 86807 "name": "org.mortbay.jetty:jetty-webapp", 86808 "purl": "pkg:maven/org.mortbay.jetty/jetty-webapp" 86809 }, 86810 "ranges": [ 86811 { 86812 "events": [ 86813 { 86814 "introduced": "10.0.0.beta1" 86815 }, 86816 { 86817 "fixed": "10.0.0.beta3" 86818 } 86819 ], 86820 "type": "ECOSYSTEM" 86821 } 86822 ] 86823 }, 86824 { 86825 "database_specific": { 86826 "last_known_affected_version_range": "\u003c= 11.0.0.beta2", 86827 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json" 86828 }, 86829 "package": { 86830 "ecosystem": "Maven", 86831 "name": "org.eclipse.jetty:jetty-webapp", 86832 "purl": "pkg:maven/org.eclipse.jetty/jetty-webapp" 86833 }, 86834 "ranges": [ 86835 { 86836 "events": [ 86837 { 86838 "introduced": "11.0.0.beta1" 86839 }, 86840 { 86841 "fixed": "11.0.0.beta3" 86842 } 86843 ], 86844 "type": "ECOSYSTEM" 86845 } 86846 ], 86847 "versions": [ 86848 "11.0.0.beta1", 86849 "11.0.0.beta2" 86850 ] 86851 }, 86852 { 86853 "database_specific": { 86854 "last_known_affected_version_range": "\u003c= 11.0.0.beta2", 86855 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json" 86856 }, 86857 "package": { 86858 "ecosystem": "Maven", 86859 "name": "org.mortbay.jetty:jetty-webapp", 86860 "purl": "pkg:maven/org.mortbay.jetty/jetty-webapp" 86861 }, 86862 "ranges": [ 86863 { 86864 "events": [ 86865 { 86866 "introduced": "11.0.0.beta1" 86867 }, 86868 { 86869 "fixed": "11.0.0.beta3" 86870 } 86871 ], 86872 "type": "ECOSYSTEM" 86873 } 86874 ] 86875 } 86876 ], 86877 "aliases": [ 86878 "CVE-2020-27216" 86879 ], 86880 "database_specific": 
{ 86881 "cwe_ids": [ 86882 "CWE-378", 86883 "CWE-379", 86884 "CWE-552" 86885 ], 86886 "github_reviewed": true, 86887 "github_reviewed_at": "2020-11-04T17:48:31Z", 86888 "nvd_published_at": "2020-10-23T13:15:00Z", 86889 "severity": "HIGH" 86890 }, 86891 "details": "### Impact\nOn Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.\n\nAdditionally, any user code uses of [WebAppContext::getTempDirectory](https://www.eclipse.org/jetty/javadoc/9.4.31.v20200723/org/eclipse/jetty/webapp/WebAppContext.html#getTempDirectory()) would similarly be vulnerable.\n\nAdditionally, any user application code using the `ServletContext` attribute for the tempdir will also be impacted.\nSee: https://javaee.github.io/javaee-spec/javadocs/javax/servlet/ServletContext.html#TEMPDIR\n\nFor example:\n```java\nimport java.io.File;\nimport java.io.IOException;\nimport javax.servlet.ServletContext;\nimport javax.servlet.ServletException;\nimport javax.servlet.http.HttpServlet;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\n\npublic class ExampleServlet extends HttpServlet {\n @Override\n protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {\n File tempDir = (File)getServletContext().getAttribute(ServletContext.TEMPDIR); // Potentially compromised\n // do something with that temp dir\n }\n}\n```\n\nExample: The JSP library itself will use the container temp directory for 
compiling the JSP source into Java classes before executing them.\n\n### CVSSv3.1 Evaluation\n\nThis vulnerability has been calculated to have a [CVSSv3.1 score of 7.8/10 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\u0026version=3.1)\n\n### Patches\nFixes were applied to the 9.4.x branch with:\n- https://github.com/eclipse/jetty.project/commit/53e0e0e9b25a6309bf24ee3b10984f4145701edb\n- https://github.com/eclipse/jetty.project/commit/9ad6beb80543b392c91653f6bfce233fc75b9d5f\n\nThese will be included in releases: 9.4.33, 10.0.0.beta3, 11.0.0.beta3\n\n### Workarounds\n\nA workaround is to set a temporary directory, either for the server or the context, to a directory outside of the shared temporary file system.\nFor recent releases, a temporary directory can be created simply by creating a directory called `work` in the ${jetty.base} directory (the parent directory of the `webapps` directory).\nAlternatively, the Java temporary directory can be set with the System Property `java.io.tmpdir`. A more detailed description of how Jetty selects a temporary directory is below.\n\nThe Jetty search order for finding a temporary directory is as follows:\n\n1. If the [`WebAppContext` has a temp directory specified](https://www.eclipse.org/jetty/javadoc/current/org/eclipse/jetty/webapp/WebAppContext.html#setTempDirectory(java.io.File)), use it.\n2. If the `ServletContext` has the `javax.servlet.context.tempdir` attribute set, and if the directory exists, use it.\n3. If a `${jetty.base}/work` directory exists, use it (since Jetty 9.1)\n4. If a `ServletContext` has the `org.eclipse.jetty.webapp.basetempdir` attribute set, and if the directory exists, use it.\n5. Use `System.getProperty(\"java.io.tmpdir\")` and use it.\n\nJetty will end traversal at the first successful step.\nTo mitigate this vulnerability the directory must be set to one that is not writable by an attacker. 
To avoid information leakage, the directory should also not be readable by an attacker.\n\n#### Setting a Jetty server temporary directory.\n\nChoices 3 and 5 apply to the server level, and will impact all deployed webapps on the server.\n\nFor choice 3 just create that work directory underneath your `${jetty.base}` and restart Jetty.\n\nFor choice 5, just specify your own `java.io.tmpdir` when you start the JVM for Jetty.\n\n``` shell\n[jetty-distribution]$ java -Djava.io.tmpdir=/var/web/work -jar start.jar\n```\n\n#### Setting a Context specific temporary directory.\n\nThe rest of the choices require you to configure the context for that deployed webapp (seen as `${jetty.base}/webapps/\u003ccontext\u003e.xml`)\n\nExample (excluding the DTD which is version specific):\n\n``` xml\n\u003cConfigure class=\"org.eclipse.jetty.webapp.WebAppContext\"\u003e\n \u003cSet name=\"contextPath\"\u003e\u003cProperty name=\"foo\"/\u003e\u003c/Set\u003e\n \u003cSet name=\"war\"\u003e/var/web/webapps/foo.war\u003c/Set\u003e\n \u003cSet name=\"tempDirectory\"\u003e/var/web/work/foo\u003c/Set\u003e\n\u003c/Configure\u003e\n```\n\n### References\n \n - https://github.com/eclipse/jetty.project/issues/5451\n - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\n - [CodeQL Query PR To Detect Similar Vulnerabilities](https://github.com/github/codeql/pull/4473)\n\n### Similar Vulnerabilities\n\nSimilar, but not the same.\n\n - JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\n - Google Guava - https://github.com/google/guava/issues/4011\n - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945\n - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824\n\n### For more information\n\nThe original report of this vulnerability is 
below:\n\n\u003e On Thu, 15 Oct 2020 at 21:14, Jonathan Leitschuh \u003cjonathan.leitschuh@gmail.com\u003e wrote:\n\u003e Hi WebTide Security Team,\n\u003e\n\u003e I'm a security researcher writing some custom CodeQL queries to find Local Temporary Directory Hijacking Vulnerabilities. One of my queries flagged an issue in Jetty.\n\u003e\n\u003e https://lgtm.com/query/5615014766184643449/\n\u003e\n\u003e I've recently been looking into security vulnerabilities involving the temporary directory because on unix-like systems, the system temporary directory is shared between all users.\n\u003e There exists a race condition between the deletion of the temporary file and the creation of the directory.\n\u003e\n\u003e ```java\n\u003e // ensure file will always be unique by appending random digits\n\u003e tmpDir = File.createTempFile(temp, \".dir\", parent); // Attacker knows the full path of the file that will be generated\n\u003e // delete the file that was created\n\u003e tmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Jetty.\n\u003e // and make a directory of the same name\n\u003e // SECURITY VULNERABILITY: Race Condition! - Attacker beats Jetty and now owns this directory\n\u003e tmpDir.mkdirs();\n\u003e ```\n\u003e\n\u003e https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L511-L518\n\u003e\n\u003e In several cases the `parent` parameter will not be the system temporary directory. 
However, there is one case where it will be, as the last fallback.\n\u003e\n\u003e\n\u003e https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L467-L468\n\u003e\n\u003e If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.\n\u003e\n\u003e Would your team be willing to open a GitHub security advisory to continue the discussion and disclosure there? https://github.com/eclipse/jetty.project/security/advisories\n\u003e\n\u003e **This vulnerability disclosure follows Google's [90-day vulnerability disclosure policy](https://www.google.com/about/appsecurity/) (I'm not an employee of Google, I just like their policy). Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first.**\n\u003e\n\u003e Cheers,\n\u003e Jonathan Leitschuh\n\n\n", 86892 "id": "GHSA-g3wg-6mcf-8jj6", 86893 "modified": "2024-03-13T05:33:39.122153Z", 86894 "published": "2020-11-04T17:50:24Z", 86895 "references": [ 86896 { 86897 "type": "WEB", 86898 "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6" 86899 }, 86900 { 86901 "type": "WEB", 86902 "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053" 86903 }, 86904 { 86905 "type": "ADVISORY", 86906 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27216" 86907 }, 86908 { 86909 "type": "WEB", 86910 "url": "https://github.com/eclipse/jetty.project/issues/5451" 86911 }, 86912 { 86913 "type": "WEB", 86914 "url": "https://github.com/github/codeql/pull/4473" 86915 }, 86916 { 86917 "type": "WEB", 86918 "url": "https://lists.apache.org/thread.html/raa9c370ab42d737e93bc1795bb6a2187d7c60210cd5e3b3ce8f3c484@%3Cissues.beam.apache.org%3E" 86919 }, 86920 { 86921 "type": "WEB", 86922 "url": 
"https://lists.apache.org/thread.html/rad255c736fad46135f1339408cb0147d0671e45c376c3be85ceeec1a@%3Cnotifications.zookeeper.apache.org%3E" 86923 }, 86924 { 86925 "type": "WEB", 86926 "url": "https://lists.apache.org/thread.html/rae15d73cabef55bad148e4e6449b05da95646a2a8db3fc938e858dff@%3Cissues.beam.apache.org%3E" 86927 }, 86928 { 86929 "type": "WEB", 86930 "url": "https://lists.apache.org/thread.html/raf9c581b793c30ff8f55f2415c7bd337eb69775aae607bf9ed1b16fb@%3Cdev.zookeeper.apache.org%3E" 86931 }, 86932 { 86933 "type": "WEB", 86934 "url": "https://lists.apache.org/thread.html/rafb023a7c61180a1027819678eb2068b0b60cd5c2559cb8490e26c81@%3Cissues.zookeeper.apache.org%3E" 86935 }, 86936 { 86937 "type": "WEB", 86938 "url": "https://lists.apache.org/thread.html/rb077d35f2940191daeefca0d6449cddb2e9d06bcf8f5af4da2df3ca2@%3Cissues.beam.apache.org%3E" 86939 }, 86940 { 86941 "type": "WEB", 86942 "url": "https://lists.apache.org/thread.html/rb5f2558ea2ac63633dfb04db1e8a6ea6bb1a2b8614899095e16c6233@%3Cissues.beam.apache.org%3E" 86943 }, 86944 { 86945 "type": "WEB", 86946 "url": "https://lists.apache.org/thread.html/rb69b1d7008a4b3de5ce5867e41a455693907026bc70ead06867aa323@%3Cissues.beam.apache.org%3E" 86947 }, 86948 { 86949 "type": "WEB", 86950 "url": "https://lists.apache.org/thread.html/rb7e159636b26156f6ef2b2a1a79b3ec9a026923b5456713e68f7c18e@%3Cissues.beam.apache.org%3E" 86951 }, 86952 { 86953 "type": "WEB", 86954 "url": "https://lists.apache.org/thread.html/rb81a018f83fe02c95a2138a7bb4f1e1677bd7e1fc1e7024280c2292d@%3Cissues.beam.apache.org%3E" 86955 }, 86956 { 86957 "type": "WEB", 86958 "url": "https://lists.apache.org/thread.html/rb8ad3745cb94c60d44cc369aff436eaf03dbc93112cefc86a2ed53ba@%3Cissues.beam.apache.org%3E" 86959 }, 86960 { 86961 "type": "WEB", 86962 "url": "https://lists.apache.org/thread.html/rb8c007f87dc57731a7b9a3b05364530422535b7e0bc6a0c5b68d4d55@%3Cdev.felix.apache.org%3E" 86963 }, 86964 { 86965 "type": "WEB", 86966 "url": 
"https://lists.apache.org/thread.html/rbc5a622401924fadab61e07393235838918228b3d8a1a6704295b032@%3Cissues.beam.apache.org%3E" 86967 }, 86968 { 86969 "type": "WEB", 86970 "url": "https://lists.apache.org/thread.html/rbc5a8d7a0a13bc8152d427a7e9097cdeb139c6cfe111b2f00f26d16b@%3Cissues.zookeeper.apache.org%3E" 86971 }, 86972 { 86973 "type": "WEB", 86974 "url": "https://lists.apache.org/thread.html/rbf99e4495461099cad9aa62e0164f8f25a7f97b791b4ace56e375f8d@%3Cissues.beam.apache.org%3E" 86975 }, 86976 { 86977 "type": "WEB", 86978 "url": "https://lists.apache.org/thread.html/rc1646894341450fdc4f7e96a88f5e2cf18d8004714f98aec6b831b3e@%3Cissues.beam.apache.org%3E" 86979 }, 86980 { 86981 "type": "WEB", 86982 "url": "https://lists.apache.org/thread.html/rc1d9b8e9d17749d4d2b9abaaa72c422d090315bd6bc0ae73a16abc1c@%3Cissues.beam.apache.org%3E" 86983 }, 86984 { 86985 "type": "WEB", 86986 "url": "https://lists.apache.org/thread.html/re08b03cd1754b32f342664eead415af48092c630c8e3e0deba862a26@%3Ccommits.shiro.apache.org%3E" 86987 }, 86988 { 86989 "type": "WEB", 86990 "url": "https://lists.apache.org/thread.html/r1d45051310b11c6d6476f20d71b08ea97cb76846cbf61d196bac1c3f@%3Cdev.zookeeper.apache.org%3E" 86991 }, 86992 { 86993 "type": "WEB", 86994 "url": "https://lists.apache.org/thread.html/r8cacf91ae1b17cc6531d20953c52fa52f6fd3191deb3383446086ab7@%3Cissues.beam.apache.org%3E" 86995 }, 86996 { 86997 "type": "WEB", 86998 "url": "https://lists.apache.org/thread.html/r8dd01541fc49d24ec223365a9974231cbd7378b749247a89b0a52210@%3Cissues.beam.apache.org%3E" 86999 }, 87000 { 87001 "type": "WEB", 87002 "url": "https://lists.apache.org/thread.html/r8fead0144bb84d8714695c43607dca9c5101aa028a431ec695882fe5@%3Cissues.beam.apache.org%3E" 87003 }, 87004 { 87005 "type": "WEB", 87006 "url": "https://lists.apache.org/thread.html/r90b5ac6e2bf190a5297bda58c7ec76d01cd86ff050b2470fcd9f4b35@%3Cissues.beam.apache.org%3E" 87007 }, 87008 { 87009 "type": "WEB", 87010 "url": 
"https://lists.apache.org/thread.html/r911c1879258ebf98bca172c0673350eb7ea6569ca1735888d4cb7adc@%3Cissues.beam.apache.org%3E" 87011 }, 87012 { 87013 "type": "WEB", 87014 "url": "https://lists.apache.org/thread.html/r916b6542bd5b15a8a7ff8fc14a0e0331e8e3e9d682f22768ae71d775@%3Cissues.beam.apache.org%3E" 87015 }, 87016 { 87017 "type": "WEB", 87018 "url": "https://lists.apache.org/thread.html/r93b240be16e642579ed794325bae31b040e1af896ecc12466642e19d@%3Cissues.beam.apache.org%3E" 87019 }, 87020 { 87021 "type": "WEB", 87022 "url": "https://lists.apache.org/thread.html/r93d5e81e879120d8d87925dbdd4045cb3afa9b066f4370f60b626ce3@%3Ccommits.druid.apache.org%3E" 87023 }, 87024 { 87025 "type": "WEB", 87026 "url": "https://lists.apache.org/thread.html/r9b790fe3a93121199f41258474222f15002b2f729495aa7ecbf90718@%3Cissues.beam.apache.org%3E" 87027 }, 87028 { 87029 "type": "WEB", 87030 "url": "https://lists.apache.org/thread.html/r9c010b79140452294292379183e7fe8e3533c5bb4db3f3fb39a6df61@%3Cissues.beam.apache.org%3E" 87031 }, 87032 { 87033 "type": "WEB", 87034 "url": "https://lists.apache.org/thread.html/r9cc76b98f87738791b8ec3736755f92444d3c8cb26bd4e4ffdb5c1cc@%3Cissues.beam.apache.org%3E" 87035 }, 87036 { 87037 "type": "WEB", 87038 "url": "https://lists.apache.org/thread.html/r9cd444f944241dc26d9b8b007fe8971ed7f005b56befef7a4f4fb827@%3Cissues.beam.apache.org%3E" 87039 }, 87040 { 87041 "type": "WEB", 87042 "url": "https://lists.apache.org/thread.html/r9d9b4b93df7f92cdf1147db0fc169be1776c93d1fbc63bc65721fffd@%3Cdev.knox.apache.org%3E" 87043 }, 87044 { 87045 "type": "WEB", 87046 "url": "https://lists.apache.org/thread.html/r9f8c45a2a4540911cd8bd0485f67e8091883c9234d7a3aeb349c46c1@%3Creviews.iotdb.apache.org%3E" 87047 }, 87048 { 87049 "type": "WEB", 87050 "url": "https://lists.apache.org/thread.html/ra1f19625cc67ac1b459c558f2ea5647d71ce51c6fe4f4cb03baec849@%3Cnotifications.zookeeper.apache.org%3E" 87051 }, 87052 { 87053 "type": "WEB", 87054 "url": 
"https://lists.apache.org/thread.html/ra55e04d5a73afcb8383f4386e2b26832c6e3972e53827021ab885943@%3Ccommits.shiro.apache.org%3E" 87055 }, 87056 { 87057 "type": "WEB", 87058 "url": "https://lists.apache.org/thread.html/ra5b7313d8cc9411db6790adfba33f2cf0665cb77adb7b02043c95867@%3Cdev.felix.apache.org%3E" 87059 }, 87060 { 87061 "type": "WEB", 87062 "url": "https://lists.apache.org/thread.html/re5706141ca397587f7ee0f500a39ccc590a41f802fc125fc135cb92f@%3Cnotifications.zookeeper.apache.org%3E" 87063 }, 87064 { 87065 "type": "WEB", 87066 "url": "https://lists.apache.org/thread.html/ree506849c4f04376793b1a3076bc017da60b8a2ef2702dc214ff826f@%3Cissues.beam.apache.org%3E" 87067 }, 87068 { 87069 "type": "WEB", 87070 "url": "https://lists.apache.org/thread.html/refbbb0eb65c185d1fa491cee08ac8ed32708ce3b269133a6da264317@%3Cissues.beam.apache.org%3E" 87071 }, 87072 { 87073 "type": "WEB", 87074 "url": "https://lists.apache.org/thread.html/rf00ea6376f3d0e8b8f62cf6d4a4f28b24e27193acd2c851f618aa41e@%3Cissues.beam.apache.org%3E" 87075 }, 87076 { 87077 "type": "WEB", 87078 "url": "https://lists.apache.org/thread.html/rf3bc023a7cc729aeac72f482e2eeeab9008aa6b1dadbeb3f45320cae@%3Cissues.beam.apache.org%3E" 87079 }, 87080 { 87081 "type": "WEB", 87082 "url": "https://lists.apache.org/thread.html/rfd9f102864a039f7fda64a580dfe1a342d65d7b723ca06dc9fbceb31@%3Cissues.beam.apache.org%3E" 87083 }, 87084 { 87085 "type": "WEB", 87086 "url": "https://lists.apache.org/thread.html/rfe5caef1fd6cf4b8ceac1b63c33195f2908517b665c946c020d3fbd6@%3Cissues.beam.apache.org%3E" 87087 }, 87088 { 87089 "type": "WEB", 87090 "url": "https://lists.apache.org/thread.html/rfe6ba83d14545e982400dea89e68b10113cb5202a3dcb558ce64842d@%3Cissues.zookeeper.apache.org%3E" 87091 }, 87092 { 87093 "type": "WEB", 87094 "url": "https://lists.apache.org/thread.html/rff0ad6a7dac2182421e2db2407e44fbb61a89904adfd91538f21fbf8@%3Cissues.beam.apache.org%3E" 87095 }, 87096 { 87097 "type": "WEB", 87098 "url": 
"https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html" 87099 }, 87100 { 87101 "type": "WEB", 87102 "url": "https://security.netapp.com/advisory/ntap-20201123-0005" 87103 }, 87104 { 87105 "type": "WEB", 87106 "url": "https://www.debian.org/security/2021/dsa-4949" 87107 }, 87108 { 87109 "type": "WEB", 87110 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 87111 }, 87112 { 87113 "type": "WEB", 87114 "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" 87115 }, 87116 { 87117 "type": "WEB", 87118 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 87119 }, 87120 { 87121 "type": "WEB", 87122 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 87123 }, 87124 { 87125 "type": "WEB", 87126 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 87127 }, 87128 { 87129 "type": "WEB", 87130 "url": "https://lists.apache.org/thread.html/rc2e24756d28580eeac811c5c6a12012c9f424b6e5bffb89f98ee3d03@%3Cdev.felix.apache.org%3E" 87131 }, 87132 { 87133 "type": "WEB", 87134 "url": "https://lists.apache.org/thread.html/rc44d1147f78496ec9932a38b28795ff4fd0c4fa6e3b6f5cc33c14d29@%3Cissues.beam.apache.org%3E" 87135 }, 87136 { 87137 "type": "WEB", 87138 "url": "https://lists.apache.org/thread.html/rc4b972ea10c5a65c6a88a6e233778718ab9af7f484affdd5e5de0cff@%3Ccommits.felix.apache.org%3E" 87139 }, 87140 { 87141 "type": "WEB", 87142 "url": "https://lists.apache.org/thread.html/rc77918636d8744d50312e4f67ba2e01f47db3ec5144540df8745cb38@%3Cissues.beam.apache.org%3E" 87143 }, 87144 { 87145 "type": "WEB", 87146 "url": "https://lists.apache.org/thread.html/rc8dd95802be0cca8d7d0929c0c8484ede384ecb966b2a9dc7197b089@%3Creviews.iotdb.apache.org%3E" 87147 }, 87148 { 87149 "type": "WEB", 87150 "url": "https://lists.apache.org/thread.html/rc9d2ab8a6c7835182f20b01104798e67c75db655c869733a0713a590@%3Cissues.beam.apache.org%3E" 87151 }, 87152 { 87153 "type": "WEB", 87154 "url": 
"https://lists.apache.org/thread.html/rccedec4cfd5df6761255b71349e3b7c27ee0745bd33698a71b1775cf@%3Cissues.beam.apache.org%3E" 87155 }, 87156 { 87157 "type": "WEB", 87158 "url": "https://lists.apache.org/thread.html/rcdcf32952397c83a1d617a8c9cd5c15c98b8d0d38a607972956bde7e@%3Cissues.beam.apache.org%3E" 87159 }, 87160 { 87161 "type": "WEB", 87162 "url": "https://lists.apache.org/thread.html/rcdd56ab4255801a0964dcce3285e87f2c6994e6469e189f6836f34e3@%3Cnotifications.iotdb.apache.org%3E" 87163 }, 87164 { 87165 "type": "WEB", 87166 "url": "https://lists.apache.org/thread.html/rcfb95a7c69c4b9c082ea1918e812dfc45aa0d1e120fd47f68251a336@%3Cissues.beam.apache.org%3E" 87167 }, 87168 { 87169 "type": "WEB", 87170 "url": "https://lists.apache.org/thread.html/rcff5caebfd535195276aaabc1b631fd55a4ff6b14e2bdfe33f18ff91@%3Creviews.iotdb.apache.org%3E" 87171 }, 87172 { 87173 "type": "WEB", 87174 "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E" 87175 }, 87176 { 87177 "type": "WEB", 87178 "url": "https://lists.apache.org/thread.html/rd58b60ab2e49ebf21022e59e280feb25899ff785c88f31fe314aa5b9@%3Ccommits.shiro.apache.org%3E" 87179 }, 87180 { 87181 "type": "WEB", 87182 "url": "https://lists.apache.org/thread.html/rd7e62e2972a41c2658f41a824b8bdd15644d80fcadc51fe7b7c855de@%3Cissues.beam.apache.org%3E" 87183 }, 87184 { 87185 "type": "WEB", 87186 "url": "https://lists.apache.org/thread.html/rdbf1cd0ab330c032f3a09b453cb6405dccc905ad53765323bddab957@%3Cissues.zookeeper.apache.org%3E" 87187 }, 87188 { 87189 "type": "WEB", 87190 "url": "https://lists.apache.org/thread.html/rdddb4b06e86fd58a1beda132f22192af2f9b56aae8849cb3767ccd55@%3Cissues.beam.apache.org%3E" 87191 }, 87192 { 87193 "type": "WEB", 87194 "url": "https://lists.apache.org/thread.html/rde11c433675143d8d27551c3d9e821fe1955f1551a518033d3716553@%3Cdev.zookeeper.apache.org%3E" 87195 }, 87196 { 87197 "type": "WEB", 87198 "url": 
"https://lists.apache.org/thread.html/rde782fd8e133f7e04e50c8aaa4774df524367764eb5b85bf60d96747@%3Cnotifications.zookeeper.apache.org%3E" 87199 }, 87200 { 87201 "type": "WEB", 87202 "url": "https://lists.apache.org/thread.html/r1dbb87c9255ecefadd8de514fa1d35c1d493c0527d7672cf40505d04@%3Ccommits.zookeeper.apache.org%3E" 87203 }, 87204 { 87205 "type": "WEB", 87206 "url": "https://lists.apache.org/thread.html/r1ed79516bd6d248ea9f0e704dbfd7de740d5a75b71c7be8699fec824@%3Cnotifications.zookeeper.apache.org%3E" 87207 }, 87208 { 87209 "type": "WEB", 87210 "url": "https://lists.apache.org/thread.html/r1ef28b89ff0281c87ba3a7659058789bf28a99b8074191f1c3678db8@%3Cissues.beam.apache.org%3E" 87211 }, 87212 { 87213 "type": "WEB", 87214 "url": "https://lists.apache.org/thread.html/r1fe31643fc34b4a33ae3d416d92c271aa97663f1782767d25e1d9ff8@%3Cissues.beam.apache.org%3E" 87215 }, 87216 { 87217 "type": "WEB", 87218 "url": "https://lists.apache.org/thread.html/r2122537d3f9beb0ce59f44371a951b226406719919656ed000984bd0@%3Cissues.beam.apache.org%3E" 87219 }, 87220 { 87221 "type": "WEB", 87222 "url": "https://lists.apache.org/thread.html/r279254a1bd6434c943da52000476f307e62b6910755387aeca1ec9a1@%3Cissues.beam.apache.org%3E" 87223 }, 87224 { 87225 "type": "WEB", 87226 "url": "https://lists.apache.org/thread.html/r2aa316d008dab9ae48350b330d15dc1b863ea2a933558fbfc42b91a6@%3Cissues.beam.apache.org%3E" 87227 }, 87228 { 87229 "type": "WEB", 87230 "url": "https://lists.apache.org/thread.html/r2d17b2a4803096ba427f3575599ea29b55f5cf9dbc1f12ba044cae1a@%3Cnotifications.zookeeper.apache.org%3E" 87231 }, 87232 { 87233 "type": "WEB", 87234 "url": "https://lists.apache.org/thread.html/r2e02700f7cfecb213de50be83e066086bea90278cd753db7fdc2ccff@%3Cissues.beam.apache.org%3E" 87235 }, 87236 { 87237 "type": "WEB", 87238 "url": "https://lists.apache.org/thread.html/r2f732ee49d00610683ab5ddb4692ab25136b00bfd132ca3a590218a9@%3Cissues.beam.apache.org%3E" 87239 }, 87240 { 87241 "type": "WEB", 87242 "url": 
"https://lists.apache.org/thread.html/r3042a9dd2973aa229e52d022df7813e4d74b67df73bfa6d97bb0caf8@%3Cissues.beam.apache.org%3E" 87243 }, 87244 { 87245 "type": "WEB", 87246 "url": "https://lists.apache.org/thread.html/r336b1694a01858111e4625fb9ab2b07ad43a64a525cf6402e06aa6bf@%3Cissues.beam.apache.org%3E" 87247 }, 87248 { 87249 "type": "WEB", 87250 "url": "https://lists.apache.org/thread.html/r351298dd39fc1ab63303be94b0c0d08acd72b17448e0346d7386189b@%3Cissues.beam.apache.org%3E" 87251 }, 87252 { 87253 "type": "WEB", 87254 "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E" 87255 }, 87256 { 87257 "type": "WEB", 87258 "url": "https://lists.apache.org/thread.html/r382870d6ccfd60533eb0d980688261723ed8a0704dafa691c4e9aa68@%3Ccommits.iotdb.apache.org%3E" 87259 }, 87260 { 87261 "type": "WEB", 87262 "url": "https://lists.apache.org/thread.html/r3a763de620be72b6d74f46ec4bf39c9f35f8a0b39993212c0ac778ec@%3Ccommits.zookeeper.apache.org%3E" 87263 }, 87264 { 87265 "type": "WEB", 87266 "url": "https://lists.apache.org/thread.html/r3b0ce1549a1ccdd7e51ec66daf8d54d46f1571edbda88ed09c96d7da@%3Cissues.beam.apache.org%3E" 87267 }, 87268 { 87269 "type": "WEB", 87270 "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921" 87271 }, 87272 { 87273 "type": "WEB", 87274 "url": "https://cwe.mitre.org/data/definitions/378.html" 87275 }, 87276 { 87277 "type": "WEB", 87278 "url": "https://cwe.mitre.org/data/definitions/379.html" 87279 }, 87280 { 87281 "type": "PACKAGE", 87282 "url": "https://github.com/eclipse/jetty.project" 87283 }, 87284 { 87285 "type": "WEB", 87286 "url": "https://lists.apache.org/thread.html/r0259b14ae69b87821e27fed1f5333ea86018294fd31aab16b1fac84e@%3Cissues.beam.apache.org%3E" 87287 }, 87288 { 87289 "type": "WEB", 87290 "url": "https://lists.apache.org/thread.html/r07525dc424ed69b3919618599e762f9ac03791490ca9d724f2241442@%3Cdev.felix.apache.org%3E" 87291 }, 87292 { 87293 "type": "WEB", 87294 
"url": "https://lists.apache.org/thread.html/r09b345099b4f88d2bed7f195a96145849243fb4e53661aa3bcf4c176@%3Cissues.zookeeper.apache.org%3E" 87295 }, 87296 { 87297 "type": "WEB", 87298 "url": "https://lists.apache.org/thread.html/r0d7ad4f02c44d5d53a9ffcbca7ff4a8138241322da9c5c35b5429630@%3Cissues.beam.apache.org%3E" 87299 }, 87300 { 87301 "type": "WEB", 87302 "url": "https://lists.apache.org/thread.html/r0d95e01f52667f44835c40f6dea72bb4397f33cd70a564ea74f3836d@%3Cissues.beam.apache.org%3E" 87303 }, 87304 { 87305 "type": "WEB", 87306 "url": "https://lists.apache.org/thread.html/r0df8fe10fc36028cf6d0381ab66510917d0d68bc5ef7042001d03830@%3Cdev.zookeeper.apache.org%3E" 87307 }, 87308 { 87309 "type": "WEB", 87310 "url": "https://lists.apache.org/thread.html/r0e9efe032cc65433251ee6470c66c334d4e7db9101e24cf91a3961f2@%3Ccommits.directory.apache.org%3E" 87311 }, 87312 { 87313 "type": "WEB", 87314 "url": "https://lists.apache.org/thread.html/r0f5e9b93133ef3aaf31484bc3e15cc4b85f8af0fe4de2dacd9379d72@%3Cdev.felix.apache.org%3E" 87315 }, 87316 { 87317 "type": "WEB", 87318 "url": "https://lists.apache.org/thread.html/r100c5c7586a23a19fdb54d8a32e17cd0944bdaa46277b35c397056f6@%3Cnotifications.zookeeper.apache.org%3E" 87319 }, 87320 { 87321 "type": "WEB", 87322 "url": "https://lists.apache.org/thread.html/r171846414347ec5fed38241a9f8a009bd2c89d902154c6102b1fb39a@%3Cissues.beam.apache.org%3E" 87323 }, 87324 { 87325 "type": "WEB", 87326 "url": "https://lists.apache.org/thread.html/r185d10aae8161c08726f3ba9a1f1c47dfb97624ea6212fa217173204@%3Cissues.beam.apache.org%3E" 87327 }, 87328 { 87329 "type": "WEB", 87330 "url": "https://lists.apache.org/thread.html/r18b6f10d9939419bae9c225d5058c97533cb376c9d6d0a0733ddd48d@%3Cnotifications.zookeeper.apache.org%3E" 87331 }, 87332 { 87333 "type": "WEB", 87334 "url": "https://lists.apache.org/thread.html/r19e8b338af511641d211ff45c43646fe1ae19dc9897d69939c09cabe@%3Cissues.beam.apache.org%3E" 87335 }, 87336 { 87337 "type": "WEB", 87338 "url": 
"https://lists.apache.org/thread.html/r1d40368a309f9d835dcdd900249966e4fcbdf98c1cc4c84db2cd9964@%3Cissues.beam.apache.org%3E" 87339 }, 87340 { 87341 "type": "WEB", 87342 "url": "https://lists.apache.org/thread.html/r6b83ca85c8f9a6794b1f85bc70d1385ed7bc1ad07750d0977537154a@%3Cissues.beam.apache.org%3E" 87343 }, 87344 { 87345 "type": "WEB", 87346 "url": "https://lists.apache.org/thread.html/r6dfa64ecc3d67c1a71c08bfa04064549179d499f8e20a8285c57bd51@%3Cissues.beam.apache.org%3E" 87347 }, 87348 { 87349 "type": "WEB", 87350 "url": "https://lists.apache.org/thread.html/r6f51a654ac2e67e3d1c65a8957cbbb127c3f15b64b4fcd626df03633@%3Cissues.beam.apache.org%3E" 87351 }, 87352 { 87353 "type": "WEB", 87354 "url": "https://lists.apache.org/thread.html/r70f8bcccd304bd66c1aca657dbfc2bf11f73add9032571b01f1f733d@%3Cissues.beam.apache.org%3E" 87355 }, 87356 { 87357 "type": "WEB", 87358 "url": "https://lists.apache.org/thread.html/r71da5f51ef04cb95abae560425dce9667740cbd567920f516f76efb7@%3Cissues.beam.apache.org%3E" 87359 }, 87360 { 87361 "type": "WEB", 87362 "url": "https://lists.apache.org/thread.html/r73b5a9b677b707bbb7c1469ea746312c47838b312603bada9e382bba@%3Cissues.beam.apache.org%3E" 87363 }, 87364 { 87365 "type": "WEB", 87366 "url": "https://lists.apache.org/thread.html/r761a52f1e214efec286ee80045d0012e955eebaa72395ad62cccbcfc@%3Cissues.beam.apache.org%3E" 87367 }, 87368 { 87369 "type": "WEB", 87370 "url": "https://lists.apache.org/thread.html/r769411eb43dd9ef77665700deb7fc491fc3ceb532914260c90b56f2f@%3Cissues.beam.apache.org%3E" 87371 }, 87372 { 87373 "type": "WEB", 87374 "url": "https://lists.apache.org/thread.html/r77dd041d8025a869156481d2268c67ad17121f64e31f9b4a1a220145@%3Cissues.beam.apache.org%3E" 87375 }, 87376 { 87377 "type": "WEB", 87378 "url": "https://lists.apache.org/thread.html/r7bdc83513c12db1827b79b8d57a7a0975a25d28bc6c5efe590ec1e02@%3Cissues.beam.apache.org%3E" 87379 }, 87380 { 87381 "type": "WEB", 87382 "url": 
"https://lists.apache.org/thread.html/r7da5ae60d7973e8894cfe92f49ecb5b47417eefab4c77cc87514d3cf@%3Cdev.felix.apache.org%3E" 87383 }, 87384 { 87385 "type": "WEB", 87386 "url": "https://lists.apache.org/thread.html/r8045eedd6bb74efcd8e01130796adbab98ee4a0d1273509fb1f2077a@%3Cissues.beam.apache.org%3E" 87387 }, 87388 { 87389 "type": "WEB", 87390 "url": "https://lists.apache.org/thread.html/r819857361f5a156e90d6d06ccf6c41026bc99030d60d0804be3a9957@%3Cissues.beam.apache.org%3E" 87391 }, 87392 { 87393 "type": "WEB", 87394 "url": "https://lists.apache.org/thread.html/r827d17bf6900eddc686f4b6ee16fc5e52ca0070f8df7612222c40ac5@%3Cissues.beam.apache.org%3E" 87395 }, 87396 { 87397 "type": "WEB", 87398 "url": "https://lists.apache.org/thread.html/r874688141495df766e62be095f1dfb0bf4a24ca0340d8e0215c03fab@%3Cissues.zookeeper.apache.org%3E" 87399 }, 87400 { 87401 "type": "WEB", 87402 "url": "https://lists.apache.org/thread.html/r87b0c69fef09277333a7e1716926d1f237d462e143a335854ddd922f@%3Cissues.beam.apache.org%3E" 87403 }, 87404 { 87405 "type": "WEB", 87406 "url": "https://lists.apache.org/thread.html/r87d8337300a635d66f0bb838bf635cdfcbba6b92c608a7813adbf4f4@%3Cissues.beam.apache.org%3E" 87407 }, 87408 { 87409 "type": "WEB", 87410 "url": "https://lists.apache.org/thread.html/r8866f0cd2a3b319288b7eea20ac137b9f260c813d10ee2db88b65d32@%3Cissues.beam.apache.org%3E" 87411 }, 87412 { 87413 "type": "WEB", 87414 "url": "https://lists.apache.org/thread.html/r3e05ab0922876e74fea975d70af82b98580f4c14ba643c4f8a9e3a94@%3Cissues.beam.apache.org%3E" 87415 }, 87416 { 87417 "type": "WEB", 87418 "url": "https://lists.apache.org/thread.html/r3f32cb4965239399c22497a0aabb015b28b2372d4897185a6ef0ccd7@%3Cissues.beam.apache.org%3E" 87419 }, 87420 { 87421 "type": "WEB", 87422 "url": "https://lists.apache.org/thread.html/r407c316f6113dfc76f7bb3cb1693f08274c521064a92e5214197548e@%3Cissues.beam.apache.org%3E" 87423 }, 87424 { 87425 "type": "WEB", 87426 "url": 
"https://lists.apache.org/thread.html/r4179c71908778cc0598ee8ee1eaed9b88fc5483c65373f45e087f650@%3Cissues.beam.apache.org%3E" 87427 }, 87428 { 87429 "type": "WEB", 87430 "url": "https://lists.apache.org/thread.html/r44115ebfbf3b7d294d7a75f2d30bcc822dab186ebbcc2dce11915ca9@%3Cissues.beam.apache.org%3E" 87431 }, 87432 { 87433 "type": "WEB", 87434 "url": "https://lists.apache.org/thread.html/r4946ffd86ad6eb7cb7863311235c914cb41232380de8d9dcdb3c115c@%3Cissues.beam.apache.org%3E" 87435 }, 87436 { 87437 "type": "WEB", 87438 "url": "https://lists.apache.org/thread.html/r4f29fb24639ebc5d15fc477656ebc2b3aa00fcfbe197000009c26b40@%3Cissues.zookeeper.apache.org%3E" 87439 }, 87440 { 87441 "type": "WEB", 87442 "url": "https://lists.apache.org/thread.html/r503045a75f4419d083cb63ac89e765d6fb8b10c7dacc0c54fce07cff@%3Creviews.iotdb.apache.org%3E" 87443 }, 87444 { 87445 "type": "WEB", 87446 "url": "https://lists.apache.org/thread.html/r547bb14c88c5da2588d853ed3030be0109efa537dd797877dff14afd@%3Cissues.beam.apache.org%3E" 87447 }, 87448 { 87449 "type": "WEB", 87450 "url": "https://lists.apache.org/thread.html/r5494fdaf4a0a42a15c49841ba7ae577d466d09239ee1050458da0f29@%3Cjira.kafka.apache.org%3E" 87451 }, 87452 { 87453 "type": "WEB", 87454 "url": "https://lists.apache.org/thread.html/r556787f1ab14da034d79dfff0c123c05877bbe89ef163fd359b4564c@%3Cissues.beam.apache.org%3E" 87455 }, 87456 { 87457 "type": "WEB", 87458 "url": "https://lists.apache.org/thread.html/r568d354961fa88f206dc345411fb11d245c6dc1a8da3e80187fc6706@%3Cdev.zookeeper.apache.org%3E" 87459 }, 87460 { 87461 "type": "WEB", 87462 "url": "https://lists.apache.org/thread.html/r58f5b14dc5ae43583db3a7e872419aca97ebe47bcd7f7334f4128016@%3Cissues.beam.apache.org%3E" 87463 }, 87464 { 87465 "type": "WEB", 87466 "url": "https://lists.apache.org/thread.html/r59e0878013d329dcc481eeafebdb0ee445b1e2852d0c4827b1ddaff2@%3Cissues.beam.apache.org%3E" 87467 }, 87468 { 87469 "type": "WEB", 87470 "url": 
"https://lists.apache.org/thread.html/r5a07f274f355c914054c7357ad6d3456ffaca064f26cd780acb90a9a@%3Cissues.beam.apache.org%3E" 87471 }, 87472 { 87473 "type": "WEB", 87474 "url": "https://lists.apache.org/thread.html/r5a9462096c71593e771602beb0e69357adb5175d9a5c18d5181e0ab4@%3Cissues.beam.apache.org%3E" 87475 }, 87476 { 87477 "type": "WEB", 87478 "url": "https://lists.apache.org/thread.html/r6236ae4adc401e3b2f2575c22865f2f6c6ea9ff1d7b264b40d9602af@%3Cissues.beam.apache.org%3E" 87479 }, 87480 { 87481 "type": "WEB", 87482 "url": "https://lists.apache.org/thread.html/r66e99d973fd79ddbcb3fbdb24f4767fe9b911f5b0abb05d7b6f65801@%3Ccommits.zookeeper.apache.org%3E" 87483 } 87484 ], 87485 "schema_version": "1.6.0", 87486 "severity": [ 87487 { 87488 "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", 87489 "type": "CVSS_V3" 87490 } 87491 ], 87492 "summary": "Local Temp Directory Hijacking Vulnerability" 87493 }, 87494 { 87495 "affected": [ 87496 { 87497 "database_specific": { 87498 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-v7ff-8wcx-gmc5/GHSA-v7ff-8wcx-gmc5.json" 87499 }, 87500 "package": { 87501 "ecosystem": "Maven", 87502 "name": "org.eclipse.jetty:jetty-webapp", 87503 "purl": "pkg:maven/org.eclipse.jetty/jetty-webapp" 87504 }, 87505 "ranges": [ 87506 { 87507 "events": [ 87508 { 87509 "introduced": "9.4.37" 87510 }, 87511 { 87512 "fixed": "9.4.39" 87513 } 87514 ], 87515 "type": "ECOSYSTEM" 87516 } 87517 ], 87518 "versions": [ 87519 "9.4.37.v20210219", 87520 "9.4.38.v20210224" 87521 ] 87522 } 87523 ], 87524 "aliases": [ 87525 "CVE-2021-28164" 87526 ], 87527 "database_specific": { 87528 "cwe_ids": [ 87529 "CWE-200", 87530 "CWE-551", 87531 "CWE-863" 87532 ], 87533 "github_reviewed": true, 87534 "github_reviewed_at": "2021-04-02T20:28:10Z", 87535 "nvd_published_at": "2021-04-01T15:15:00Z", 87536 "severity": "MODERATE" 87537 }, 87538 "details": "Release 9.4.37 introduced a more precise implementation of 
[RFC3986](https://tools.ietf.org/html/rfc3986#section-3.3) with regards to URI decoding, together with some new compliance modes to optionally allow support of some URI that may have ambiguous interpretation within the Servlet specified API methods behaviours. The default mode allowed % encoded . characters to be excluded for URI normalisation, which is correct by the RFC, but is not assumed by common Servlet implementations. The default compliance mode allows requests with URIs that contain `%2e` or `%2e%2e` segments to access protected resources within the `WEB-INF` directory. For example a request to `/context/%2e/WEB-INF/web.xml` can retrieve the `web.xml` file. This can reveal sensitive information regarding the implementation of a web application. Workarounds found by HttpCompliance mode RFC7230_NO_AMBIGUOUS_URIS can be enabled by updating `start.d/http.ini` to include: jetty.http.compliance=RFC7230_NO_AMBIGUOUS_URIS.", 87539 "id": "GHSA-v7ff-8wcx-gmc5", 87540 "modified": "2024-03-15T05:19:57.447892Z", 87541 "published": "2021-04-06T17:31:01Z", 87542 "references": [ 87543 { 87544 "type": "WEB", 87545 "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5" 87546 }, 87547 { 87548 "type": "ADVISORY", 87549 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28164" 87550 }, 87551 { 87552 "type": "WEB", 87553 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 87554 }, 87555 { 87556 "type": "WEB", 87557 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 87558 }, 87559 { 87560 "type": "WEB", 87561 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 87562 }, 87563 { 87564 "type": "WEB", 87565 "url": "https://security.netapp.com/advisory/ntap-20210611-0006" 87566 }, 87567 { 87568 "type": "WEB", 87569 "url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e@%3Cdev.ignite.apache.org%3E" 87570 }, 87571 { 87572 "type": "WEB", 87573 "url": 
"https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c@%3Cissues.solr.apache.org%3E" 87574 }, 87575 { 87576 "type": "WEB", 87577 "url": "https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b@%3Cissues.zookeeper.apache.org%3E" 87578 }, 87579 { 87580 "type": "WEB", 87581 "url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E" 87582 }, 87583 { 87584 "type": "WEB", 87585 "url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E" 87586 }, 87587 { 87588 "type": "WEB", 87589 "url": "https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab@%3Cissues.zookeeper.apache.org%3E" 87590 }, 87591 { 87592 "type": "WEB", 87593 "url": "https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4@%3Cissues.zookeeper.apache.org%3E" 87594 }, 87595 { 87596 "type": "WEB", 87597 "url": "https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951@%3Cissues.zookeeper.apache.org%3E" 87598 }, 87599 { 87600 "type": "WEB", 87601 "url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@%3Cjira.kafka.apache.org%3E" 87602 }, 87603 { 87604 "type": "WEB", 87605 "url": "https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82@%3Cdev.zookeeper.apache.org%3E" 87606 }, 87607 { 87608 "type": "WEB", 87609 "url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd@%3Cissues.ignite.apache.org%3E" 87610 }, 87611 { 87612 "type": "WEB", 87613 "url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b@%3Cissues.ignite.apache.org%3E" 87614 }, 87615 { 87616 "type": "WEB", 87617 "url": 
"https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46@%3Cissues.ignite.apache.org%3E" 87618 }, 87619 { 87620 "type": "WEB", 87621 "url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f@%3Cissues.ignite.apache.org%3E" 87622 }, 87623 { 87624 "type": "WEB", 87625 "url": "https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36@%3Cissues.zookeeper.apache.org%3E" 87626 }, 87627 { 87628 "type": "WEB", 87629 "url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81@%3Cissues.solr.apache.org%3E" 87630 }, 87631 { 87632 "type": "WEB", 87633 "url": "https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6@%3Cissues.zookeeper.apache.org%3E" 87634 }, 87635 { 87636 "type": "WEB", 87637 "url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E" 87638 }, 87639 { 87640 "type": "WEB", 87641 "url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E" 87642 }, 87643 { 87644 "type": "PACKAGE", 87645 "url": "https://github.com/eclipse/jetty.project" 87646 }, 87647 { 87648 "type": "WEB", 87649 "url": "http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.html" 87650 } 87651 ], 87652 "schema_version": "1.6.0", 87653 "severity": [ 87654 { 87655 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 87656 "type": "CVSS_V3" 87657 } 87658 ], 87659 "summary": "Authorization Before Parsing and Canonicalization in jetty" 87660 }, 87661 { 87662 "affected": [ 87663 { 87664 "database_specific": { 87665 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-vjv5-gp2w-65vm/GHSA-vjv5-gp2w-65vm.json" 87666 }, 87667 "package": { 87668 "ecosystem": "Maven", 87669 
"name": "org.eclipse.jetty:jetty-webapp", 87670 "purl": "pkg:maven/org.eclipse.jetty/jetty-webapp" 87671 }, 87672 "ranges": [ 87673 { 87674 "events": [ 87675 { 87676 "introduced": "9.4.37" 87677 }, 87678 { 87679 "fixed": "9.4.43" 87680 } 87681 ], 87682 "type": "ECOSYSTEM" 87683 } 87684 ], 87685 "versions": [ 87686 "9.4.37.v20210219", 87687 "9.4.38.v20210224", 87688 "9.4.39.v20210325", 87689 "9.4.40.v20210413", 87690 "9.4.41.v20210516", 87691 "9.4.42.v20210604" 87692 ] 87693 }, 87694 { 87695 "database_specific": { 87696 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-vjv5-gp2w-65vm/GHSA-vjv5-gp2w-65vm.json" 87697 }, 87698 "package": { 87699 "ecosystem": "Maven", 87700 "name": "org.eclipse.jetty:jetty-webapp", 87701 "purl": "pkg:maven/org.eclipse.jetty/jetty-webapp" 87702 }, 87703 "ranges": [ 87704 { 87705 "events": [ 87706 { 87707 "introduced": "10.0.1" 87708 }, 87709 { 87710 "fixed": "10.0.6" 87711 } 87712 ], 87713 "type": "ECOSYSTEM" 87714 } 87715 ], 87716 "versions": [ 87717 "10.0.1", 87718 "10.0.2", 87719 "10.0.3", 87720 "10.0.4", 87721 "10.0.5" 87722 ] 87723 }, 87724 { 87725 "database_specific": { 87726 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-vjv5-gp2w-65vm/GHSA-vjv5-gp2w-65vm.json" 87727 }, 87728 "package": { 87729 "ecosystem": "Maven", 87730 "name": "org.eclipse.jetty:jetty-webapp", 87731 "purl": "pkg:maven/org.eclipse.jetty/jetty-webapp" 87732 }, 87733 "ranges": [ 87734 { 87735 "events": [ 87736 { 87737 "introduced": "11.0.1" 87738 }, 87739 { 87740 "fixed": "11.0.6" 87741 } 87742 ], 87743 "type": "ECOSYSTEM" 87744 } 87745 ], 87746 "versions": [ 87747 "11.0.1", 87748 "11.0.2", 87749 "11.0.3", 87750 "11.0.4", 87751 "11.0.5" 87752 ] 87753 } 87754 ], 87755 "aliases": [ 87756 "CVE-2021-34429" 87757 ], 87758 "database_specific": { 87759 "cwe_ids": [ 87760 "CWE-200", 87761 "CWE-551", 87762 "CWE-863" 87763 ], 87764 "github_reviewed": true, 87765 
"github_reviewed_at": "2021-07-15T21:33:21Z", 87766 "nvd_published_at": "2021-07-15T17:15:00Z", 87767 "severity": "MODERATE" 87768 }, 87769 "details": "### Description\nURIs can be crafted using some encoded characters to access the content of the `WEB-INF` directory and/or bypass some security constraints.\nThis is a variation of the vulnerability reported in [CVE-2021-28164](https://nvd.nist.gov/vuln/detail/CVE-2021-28164)/[GHSA-v7ff-8wcx-gmc5](https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5).\n\n### Impact\nThe default compliance mode allows requests with URIs that contain a %u002e segment to access protected resources within the WEB-INF directory. For example, a request to `/%u002e/WEB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. Similarly, an encoded null character can prevent correct normalization so that /.%00/WEB-INF/web.xml cal also retrieve the web.xml file.\n\n### Workarounds\nSome Jetty [rewrite rules](https://www.eclipse.org/jetty/documentation/jetty-9/index.html#rewrite-handler) can be deployed to rewrite any request containing encoded dot segments or null characters in the raw request URI, to a known not found resource:\n```xml\n\u003cCall name=\"addRule\"\u003e\n \u003cArg\u003e\n \u003cNew class=\"org.eclipse.jetty.rewrite.handler.RewriteRegexRule\"\u003e\n \u003cSet name=\"regex\"\u003e.*/(?:\\.+/)+.*\u003c/Set\u003e\n \u003cSet name=\"replacement\"\u003e/WEB-INF/Not-Found\u003c/Set\u003e\n \u003c/New\u003e\n \u003c/Arg\u003e\n\u003c/Call\u003e\n\u003cCall name=\"addRule\"\u003e\n \u003cArg\u003e\n \u003cNew class=\"org.eclipse.jetty.rewrite.handler.ValidUrlRule\"/\u003e\n \u003c/Arg\u003e\n\u003c/Call\u003e\n```\n\n### Analysis\nPrior to 9.4.37, Jetty was protected from this style of attack by two lines of defense:\n + URIs were decoded first and then normalized for `.` and `..` sequences. 
Whilst this is not according to the RFC, it did remove relative segments that were encoded or parameterized and made the resulting URI paths safe from any repeated normalization (often done by URI manipulation and file system mapping).\n + The `FileResource` class treated any difference between absolute path and canonical path of a resource as an alias, and thus the resource would not be served by default.\n\nPrior to 9.4.37, the `FileResource` class was replaced by the `PathResource` class that did not treat normalization differences as aliases. Then release 9.4.37 updated the URI parsing to be compliant with the RFC, in that normalization is done before decoding. This allowed various encodings or adornments to relative path segments that would not be normalized by the pure RFC URI normalization, but were normalized by the file system, thus allowing protected resources to be accessed via an alias. Specifically by decoding URIs after normalization, it left them vulnerable to any subsequent normalization (potentially after checking security constraints) changing the URI significantly. Such extra normalization is often done by URI manipulation code and file systems.\n\nWith Jetty releases 9.4.43, 10.0.6, 11.0.6, we have restored several lines of defense:\n + URIs are first decoded and then normalized which is not strictly according to the current RFC. Since the normalization is done after decoding, the URI paths produced are safe from further normalisation and the referenced resource cannot easily be so changed after passing security constraints.\n + During URI parsing checks are made for some specific segments/characters that are possible to be seen ambiguously by an application (e.g. encoded dot segments, encoded separators, empty segments, parameterized dot segments and/or null characters). 
So even though Jetty code handles these URIs correctly, there is a risk that an application may not do so, thus such requests are rejected with a 400 Bad Request unless a specific compliance mode is set.\n + Once decoded and normalized by initial URI processing, Jetty will not decode or normalize a received URI again within its own resource handling. This avoids the possibility of double decode attacks.\n + The `ContextHandler.getResource(String path)` method always checks that the passed path is normalized, only accepting a non normal path if approved by an AliasChecker. This is the method that is directly used by Jetty resource serving.\n + The API methods like `ServletContext.getResource(String path)` will normalize the path prior to calling `ContextHandler.getResource(String path)`. This allows applications to use non normal paths.\n + The `PathResource` class now considers any difference in normal/canonical name between a request resource name and the found resource name to be an alias, which will only be served if approved by an explicit `AliasChecker`\n\nIn summary, the defense is a front line of detection of specific known URI alias attacks, with the last line of defense of not allowing any aliasing of resources.\n\nMany thanks to @cangqingzhe from @CloverSecLabs for reporting this issue. 
", 87770 "id": "GHSA-vjv5-gp2w-65vm", 87771 "modified": "2024-03-08T05:16:35.196736Z", 87772 "published": "2021-07-19T15:15:24Z", 87773 "references": [ 87774 { 87775 "type": "WEB", 87776 "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm" 87777 }, 87778 { 87779 "type": "ADVISORY", 87780 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34429" 87781 }, 87782 { 87783 "type": "WEB", 87784 "url": "https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82@%3Cdev.zookeeper.apache.org%3E" 87785 }, 87786 { 87787 "type": "WEB", 87788 "url": "https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951@%3Cissues.zookeeper.apache.org%3E" 87789 }, 87790 { 87791 "type": "WEB", 87792 "url": "https://lists.apache.org/thread.html/r833a4c8bdbbfeb8a2cd38238e7b59f83edd5c1a0e508b587fc551a46@%3Cissues.hbase.apache.org%3E" 87793 }, 87794 { 87795 "type": "WEB", 87796 "url": "https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4@%3Cissues.zookeeper.apache.org%3E" 87797 }, 87798 { 87799 "type": "WEB", 87800 "url": "https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab@%3Cissues.zookeeper.apache.org%3E" 87801 }, 87802 { 87803 "type": "WEB", 87804 "url": "https://lists.apache.org/thread.html/r9d245c6c884bbc804a472116d730c1a01676bf24f93206a34923fc64@%3Ccommits.kafka.apache.org%3E" 87805 }, 87806 { 87807 "type": "WEB", 87808 "url": "https://lists.apache.org/thread.html/r9e6158d72ef25077c2dc59fbddade2eacf7d259a2556c97a989f2fe8@%3Ccommits.pulsar.apache.org%3E" 87809 }, 87810 { 87811 "type": "WEB", 87812 "url": "https://lists.apache.org/thread.html/rb33d65c3e5686f2e3b9bb8a032a44163b2f2ad9d31a8727338f213c1@%3Ccommits.pulsar.apache.org%3E" 87813 }, 87814 { 87815 "type": "WEB", 87816 "url": 
"https://lists.apache.org/thread.html/rc26807be68748b3347decdcd03ae183622244b0b4cb09223d4b7e500@%3Ccommits.pulsar.apache.org%3E" 87817 }, 87818 { 87819 "type": "WEB", 87820 "url": "https://lists.apache.org/thread.html/rcb157f55b9ae41b3076801de927c6fca1669c6d8eaf11a9df5dbeb46@%3Cnotifications.zookeeper.apache.org%3E" 87821 }, 87822 { 87823 "type": "WEB", 87824 "url": "https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b@%3Cissues.zookeeper.apache.org%3E" 87825 }, 87826 { 87827 "type": "WEB", 87828 "url": "https://lists.apache.org/thread.html/re01890eef49d4201018f2c97e26536e3e75f441ecdbcf91986c3bc17@%3Cjira.kafka.apache.org%3E" 87829 }, 87830 { 87831 "type": "WEB", 87832 "url": "https://lists.apache.org/thread.html/re3de01414ccf682fe0951205f806dd8e94440798fd64c55a4941de3e@%3Cjira.kafka.apache.org%3E" 87833 }, 87834 { 87835 "type": "WEB", 87836 "url": "https://lists.apache.org/thread.html/re5e9bb535db779506013ef8799dc2a299e77cdad6668aa94c456dba6@%3Cjira.kafka.apache.org%3E" 87837 }, 87838 { 87839 "type": "WEB", 87840 "url": "https://lists.apache.org/thread.html/re850203ef8700cb826534dd4a1cb9f5b07bb8f6f973b39ff7838d3ba@%3Cissues.hbase.apache.org%3E" 87841 }, 87842 { 87843 "type": "WEB", 87844 "url": "https://security.netapp.com/advisory/ntap-20210819-0006" 87845 }, 87846 { 87847 "type": "WEB", 87848 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 87849 }, 87850 { 87851 "type": "WEB", 87852 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 87853 }, 87854 { 87855 "type": "WEB", 87856 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 87857 }, 87858 { 87859 "type": "PACKAGE", 87860 "url": "https://github.com/eclipse/jetty.project" 87861 }, 87862 { 87863 "type": "WEB", 87864 "url": "https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.43.v20210629" 87865 }, 87866 { 87867 "type": "WEB", 87868 "url": 
"https://lists.apache.org/thread.html/r029c0c6833c8bb6acb094733fd7b75029d633f47a92f1c9d14391fc0@%3Cnotifications.zookeeper.apache.org%3E" 87869 }, 87870 { 87871 "type": "WEB", 87872 "url": "https://lists.apache.org/thread.html/r02f940c27e997a277ff14e79e84551382e1081e8978b417e0c2b0857@%3Ccommits.kafka.apache.org%3E" 87873 }, 87874 { 87875 "type": "WEB", 87876 "url": "https://lists.apache.org/thread.html/r0626f279ebf65506110a897e3a57ccd4072803ee5434b2503e070398@%3Ccommits.zookeeper.apache.org%3E" 87877 }, 87878 { 87879 "type": "WEB", 87880 "url": "https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6@%3Cissues.zookeeper.apache.org%3E" 87881 }, 87882 { 87883 "type": "WEB", 87884 "url": "https://lists.apache.org/thread.html/r2e32390cb7aedb39069e5b18aa130ca53e766258518faee63c31d3ea@%3Cnotifications.zookeeper.apache.org%3E" 87885 }, 87886 { 87887 "type": "WEB", 87888 "url": "https://lists.apache.org/thread.html/r3aefe613abce594c71ace50088d2529bbde65d08b8e7ff2c2723aaa1@%3Cdev.santuario.apache.org%3E" 87889 }, 87890 { 87891 "type": "WEB", 87892 "url": "https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36@%3Cissues.zookeeper.apache.org%3E" 87893 }, 87894 { 87895 "type": "WEB", 87896 "url": "https://lists.apache.org/thread.html/r44ea39ca8110de7353bfec88f58aa3aa58a42bb324b8772512ee190c@%3Ccommits.zookeeper.apache.org%3E" 87897 }, 87898 { 87899 "type": "WEB", 87900 "url": "https://lists.apache.org/thread.html/r46900f74dbb7d168aeac43bf0e7f64825376bb7eb74d31a5b33344ce@%3Cjira.kafka.apache.org%3E" 87901 }, 87902 { 87903 "type": "WEB", 87904 "url": "https://lists.apache.org/thread.html/r46f748c1dc9cf9b6c1c18f6b5bfc3a869907f68f72e17666f2f30f24@%3Cnotifications.zookeeper.apache.org%3E" 87905 }, 87906 { 87907 "type": "WEB", 87908 "url": "https://lists.apache.org/thread.html/r4727d282b5c2d951057845a46065d59f6e33132edc0a14f41c26b01e@%3Cdev.kafka.apache.org%3E" 87909 }, 87910 { 87911 "type": "WEB", 87912 
"url": "https://lists.apache.org/thread.html/r48a93f2bc025acd7c7e341ed3864bfdeb75f0c768d41bc247e1a1f63@%3Cnotifications.zookeeper.apache.org%3E" 87913 }, 87914 { 87915 "type": "WEB", 87916 "url": "https://lists.apache.org/thread.html/r5678d994d4dd8e7c838eed3bbc1a83a7f6bc62724b0cce67e8892a45@%3Cnotifications.zookeeper.apache.org%3E" 87917 }, 87918 { 87919 "type": "WEB", 87920 "url": "https://lists.apache.org/thread.html/r679d96f981d4c92724090ed2d5e8565a1d655a72bb315550489f052e@%3Cjira.kafka.apache.org%3E" 87921 }, 87922 { 87923 "type": "WEB", 87924 "url": "https://lists.apache.org/thread.html/r6e6f50c1ce1fb592cb43e913f5be23df104d50751465f8f1952ace0c@%3Cjira.kafka.apache.org%3E" 87925 }, 87926 { 87927 "type": "WEB", 87928 "url": "https://lists.apache.org/thread.html/r721ab6a5fa8d45bec76714b674f5d4caed2ebfeca69ad1d6d4caae6c@%3Cdev.hbase.apache.org%3E" 87929 }, 87930 { 87931 "type": "WEB", 87932 "url": "https://lists.apache.org/thread.html/r74fdc446df551fe89a0a16957a1bfdaad19380e0c1afd30625685a9c@%3Cjira.kafka.apache.org%3E" 87933 }, 87934 { 87935 "type": "WEB", 87936 "url": "https://lists.apache.org/thread.html/r756443e9d50af7e8c3df82e2c45105f452c8e8195ddbc0c00f58d5fe@%3Ccommits.kafka.apache.org%3E" 87937 } 87938 ], 87939 "schema_version": "1.6.0", 87940 "severity": [ 87941 { 87942 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", 87943 "type": "CVSS_V3" 87944 } 87945 ], 87946 "summary": "Encoded URIs can access WEB-INF directory in Eclipse Jetty" 87947 }, 87948 { 87949 "affected": [ 87950 { 87951 "database_specific": { 87952 "last_known_affected_version_range": "\u003c= 10.0.15", 87953 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-58qw-p7qm-5rvh/GHSA-58qw-p7qm-5rvh.json" 87954 }, 87955 "package": { 87956 "ecosystem": "Maven", 87957 "name": "org.eclipse.jetty:jetty-xml", 87958 "purl": "pkg:maven/org.eclipse.jetty/jetty-xml" 87959 }, 87960 "ranges": [ 87961 { 87962 "events": [ 87963 { 87964 "introduced": 
"10.0.0-alpha0" 87965 }, 87966 { 87967 "fixed": "10.0.16" 87968 } 87969 ], 87970 "type": "ECOSYSTEM" 87971 } 87972 ], 87973 "versions": [ 87974 "10.0.0", 87975 "10.0.0-alpha0", 87976 "10.0.0.alpha1", 87977 "10.0.0.alpha2", 87978 "10.0.0.beta0", 87979 "10.0.0.beta1", 87980 "10.0.0.beta2", 87981 "10.0.0.beta3", 87982 "10.0.1", 87983 "10.0.10", 87984 "10.0.11", 87985 "10.0.12", 87986 "10.0.13", 87987 "10.0.14", 87988 "10.0.15", 87989 "10.0.2", 87990 "10.0.3", 87991 "10.0.4", 87992 "10.0.5", 87993 "10.0.6", 87994 "10.0.7", 87995 "10.0.8", 87996 "10.0.9" 87997 ] 87998 }, 87999 { 88000 "database_specific": { 88001 "last_known_affected_version_range": "\u003c= 11.0.15", 88002 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-58qw-p7qm-5rvh/GHSA-58qw-p7qm-5rvh.json" 88003 }, 88004 "package": { 88005 "ecosystem": "Maven", 88006 "name": "org.eclipse.jetty:jetty-xml", 88007 "purl": "pkg:maven/org.eclipse.jetty/jetty-xml" 88008 }, 88009 "ranges": [ 88010 { 88011 "events": [ 88012 { 88013 "introduced": "11.0.0-alpha0" 88014 }, 88015 { 88016 "fixed": "11.0.16" 88017 } 88018 ], 88019 "type": "ECOSYSTEM" 88020 } 88021 ], 88022 "versions": [ 88023 "11.0.0", 88024 "11.0.0-alpha0", 88025 "11.0.0.beta1", 88026 "11.0.0.beta2", 88027 "11.0.0.beta3", 88028 "11.0.1", 88029 "11.0.10", 88030 "11.0.11", 88031 "11.0.12", 88032 "11.0.13", 88033 "11.0.14", 88034 "11.0.15", 88035 "11.0.2", 88036 "11.0.3", 88037 "11.0.4", 88038 "11.0.5", 88039 "11.0.6", 88040 "11.0.7", 88041 "11.0.8", 88042 "11.0.9" 88043 ] 88044 }, 88045 { 88046 "database_specific": { 88047 "last_known_affected_version_range": "\u003c= 12.0.0.beta4", 88048 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-58qw-p7qm-5rvh/GHSA-58qw-p7qm-5rvh.json" 88049 }, 88050 "package": { 88051 "ecosystem": "Maven", 88052 "name": "org.eclipse.jetty:jetty-xml", 88053 "purl": "pkg:maven/org.eclipse.jetty/jetty-xml" 88054 }, 88055 
"ranges": [ 88056 { 88057 "events": [ 88058 { 88059 "introduced": "12.0.0.alpha0" 88060 }, 88061 { 88062 "fixed": "12.0.0" 88063 } 88064 ], 88065 "type": "ECOSYSTEM" 88066 } 88067 ], 88068 "versions": [ 88069 "12.0.0.alpha0", 88070 "12.0.0.alpha1", 88071 "12.0.0.alpha2", 88072 "12.0.0.alpha3", 88073 "12.0.0.beta0", 88074 "12.0.0.beta1", 88075 "12.0.0.beta2", 88076 "12.0.0.beta3", 88077 "12.0.0.beta4" 88078 ] 88079 }, 88080 { 88081 "database_specific": { 88082 "last_known_affected_version_range": "\u003c= 9.4.51", 88083 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-58qw-p7qm-5rvh/GHSA-58qw-p7qm-5rvh.json" 88084 }, 88085 "package": { 88086 "ecosystem": "Maven", 88087 "name": "org.eclipse.jetty:jetty-xml", 88088 "purl": "pkg:maven/org.eclipse.jetty/jetty-xml" 88089 }, 88090 "ranges": [ 88091 { 88092 "events": [ 88093 { 88094 "introduced": "0" 88095 }, 88096 { 88097 "fixed": "9.4.52" 88098 } 88099 ], 88100 "type": "ECOSYSTEM" 88101 } 88102 ], 88103 "versions": [ 88104 "7.0.0.M0", 88105 "7.0.0.M1", 88106 "7.0.0.M2", 88107 "7.0.0.M3", 88108 "7.0.0.M4", 88109 "7.0.0.RC0", 88110 "7.0.0.RC1", 88111 "7.0.0.RC2", 88112 "7.0.0.RC3", 88113 "7.0.0.RC4", 88114 "7.0.0.RC5", 88115 "7.0.0.RC6", 88116 "7.0.0.v20091005", 88117 "7.0.1.v20091125", 88118 "7.0.2.RC0", 88119 "7.0.2.v20100331", 88120 "7.1.0.RC0", 88121 "7.1.0.RC1", 88122 "7.1.0.v20100505", 88123 "7.1.1.v20100517", 88124 "7.1.2.v20100523", 88125 "7.1.3.v20100526", 88126 "7.1.4.v20100610", 88127 "7.1.5.v20100705", 88128 "7.1.6.v20100715", 88129 "7.2.0.RC0", 88130 "7.2.0.v20101020", 88131 "7.2.1.v20101111", 88132 "7.2.2.v20101205", 88133 "7.3.0.v20110203", 88134 "7.3.1.v20110307", 88135 "7.4.0.RC0", 88136 "7.4.0.v20110414", 88137 "7.4.1.v20110513", 88138 "7.4.2.v20110526", 88139 "7.4.3.v20110701", 88140 "7.4.4.v20110707", 88141 "7.4.5.v20110725", 88142 "7.5.0.RC0", 88143 "7.5.0.RC1", 88144 "7.5.0.RC2", 88145 "7.5.0.v20110901", 88146 "7.5.1.v20110908", 88147 
"7.5.2.v20111006", 88148 "7.5.3.v20111011", 88149 "7.5.4.v20111024", 88150 "7.6.0.RC0", 88151 "7.6.0.RC1", 88152 "7.6.0.RC2", 88153 "7.6.0.RC3", 88154 "7.6.0.RC4", 88155 "7.6.0.RC5", 88156 "7.6.0.v20120127", 88157 "7.6.1.v20120215", 88158 "7.6.10.v20130312", 88159 "7.6.11.v20130520", 88160 "7.6.12.v20130726", 88161 "7.6.13.v20130916", 88162 "7.6.14.v20131031", 88163 "7.6.15.v20140411", 88164 "7.6.16.v20140903", 88165 "7.6.17.v20150415", 88166 "7.6.18.v20150929", 88167 "7.6.19.v20160209", 88168 "7.6.2.v20120308", 88169 "7.6.20.v20160902", 88170 "7.6.21.v20160908", 88171 "7.6.3.v20120416", 88172 "7.6.4.v20120524", 88173 "7.6.5.v20120716", 88174 "7.6.6.v20120903", 88175 "7.6.7.v20120910", 88176 "7.6.8.v20121106", 88177 "7.6.9.v20130131", 88178 "8.0.0.M0", 88179 "8.0.0.M1", 88180 "8.0.0.M2", 88181 "8.0.0.M3", 88182 "8.0.0.RC0", 88183 "8.0.0.v20110901", 88184 "8.0.1.v20110908", 88185 "8.0.2.v20111006", 88186 "8.0.3.v20111011", 88187 "8.0.4.v20111024", 88188 "8.1.0.RC0", 88189 "8.1.0.RC1", 88190 "8.1.0.RC2", 88191 "8.1.0.RC4", 88192 "8.1.0.RC5", 88193 "8.1.0.v20120127", 88194 "8.1.1.v20120215", 88195 "8.1.10.v20130312", 88196 "8.1.11.v20130520", 88197 "8.1.12.v20130726", 88198 "8.1.13.v20130916", 88199 "8.1.14.v20131031", 88200 "8.1.15.v20140411", 88201 "8.1.16.v20140903", 88202 "8.1.17.v20150415", 88203 "8.1.18.v20150929", 88204 "8.1.19.v20160209", 88205 "8.1.2.v20120308", 88206 "8.1.20.v20160902", 88207 "8.1.21.v20160908", 88208 "8.1.22.v20160922", 88209 "8.1.3.v20120416", 88210 "8.1.4.v20120524", 88211 "8.1.5.v20120716", 88212 "8.1.6.v20120903", 88213 "8.1.7.v20120910", 88214 "8.1.8.v20121106", 88215 "8.1.9.v20130131", 88216 "8.2.0.v20160908", 88217 "9.0.0.M0", 88218 "9.0.0.M1", 88219 "9.0.0.M2", 88220 "9.0.0.M3", 88221 "9.0.0.M4", 88222 "9.0.0.M5", 88223 "9.0.0.RC0", 88224 "9.0.0.RC1", 88225 "9.0.0.RC2", 88226 "9.0.0.v20130308", 88227 "9.0.1.v20130408", 88228 "9.0.2.v20130417", 88229 "9.0.3.v20130506", 88230 "9.0.4.v20130625", 88231 "9.0.5.v20130815", 88232 
"9.0.6.v20130930", 88233 "9.0.7.v20131107", 88234 "9.1.0.M0", 88235 "9.1.0.RC0", 88236 "9.1.0.RC1", 88237 "9.1.0.RC2", 88238 "9.1.0.v20131115", 88239 "9.1.1.v20140108", 88240 "9.1.2.v20140210", 88241 "9.1.3.v20140225", 88242 "9.1.4.v20140401", 88243 "9.1.5.v20140505", 88244 "9.1.6.v20160112", 88245 "9.2.0.M0", 88246 "9.2.0.M1", 88247 "9.2.0.RC0", 88248 "9.2.0.v20140526", 88249 "9.2.1.v20140609", 88250 "9.2.10.v20150310", 88251 "9.2.11.M0", 88252 "9.2.11.v20150529", 88253 "9.2.12.M0", 88254 "9.2.12.v20150709", 88255 "9.2.13.v20150730", 88256 "9.2.14.v20151106", 88257 "9.2.15.v20160210", 88258 "9.2.16.v20160414", 88259 "9.2.17.v20160517", 88260 "9.2.18.v20160721", 88261 "9.2.19.v20160908", 88262 "9.2.2.v20140723", 88263 "9.2.20.v20161216", 88264 "9.2.21.v20170120", 88265 "9.2.22.v20170606", 88266 "9.2.23.v20171218", 88267 "9.2.24.v20180105", 88268 "9.2.25.v20180606", 88269 "9.2.26.v20180806", 88270 "9.2.27.v20190403", 88271 "9.2.28.v20190418", 88272 "9.2.29.v20191105", 88273 "9.2.3.v20140905", 88274 "9.2.30.v20200428", 88275 "9.2.4.v20141103", 88276 "9.2.5.v20141112", 88277 "9.2.6.v20141205", 88278 "9.2.7.v20150116", 88279 "9.2.8.v20150217", 88280 "9.2.9.v20150224", 88281 "9.3.0.M0", 88282 "9.3.0.M1", 88283 "9.3.0.M2", 88284 "9.3.0.RC0", 88285 "9.3.0.RC1", 88286 "9.3.0.v20150612", 88287 "9.3.1.v20150714", 88288 "9.3.10.M0", 88289 "9.3.10.v20160621", 88290 "9.3.11.M0", 88291 "9.3.11.v20160721", 88292 "9.3.12.v20160915", 88293 "9.3.13.M0", 88294 "9.3.13.v20161014", 88295 "9.3.14.v20161028", 88296 "9.3.15.v20161220", 88297 "9.3.16.v20170120", 88298 "9.3.17.RC0", 88299 "9.3.17.v20170317", 88300 "9.3.18.v20170406", 88301 "9.3.19.v20170502", 88302 "9.3.2.v20150730", 88303 "9.3.20.v20170531", 88304 "9.3.21.M0", 88305 "9.3.21.RC0", 88306 "9.3.21.v20170918", 88307 "9.3.22.v20171030", 88308 "9.3.23.v20180228", 88309 "9.3.24.v20180605", 88310 "9.3.25.v20180904", 88311 "9.3.26.v20190403", 88312 "9.3.27.v20190418", 88313 "9.3.28.v20191105", 88314 "9.3.29.v20201019", 88315 
"9.3.3.v20150827", 88316 "9.3.30.v20211001", 88317 "9.3.4.RC0", 88318 "9.3.4.RC1", 88319 "9.3.4.v20151007", 88320 "9.3.5.v20151012", 88321 "9.3.6.v20151106", 88322 "9.3.7.RC0", 88323 "9.3.7.RC1", 88324 "9.3.7.v20160115", 88325 "9.3.8.RC0", 88326 "9.3.8.v20160314", 88327 "9.3.9.M0", 88328 "9.3.9.M1", 88329 "9.3.9.v20160517", 88330 "9.4.0.M0", 88331 "9.4.0.M1", 88332 "9.4.0.RC0", 88333 "9.4.0.RC1", 88334 "9.4.0.RC2", 88335 "9.4.0.RC3", 88336 "9.4.0.v20161208", 88337 "9.4.0.v20180619", 88338 "9.4.1.v20170120", 88339 "9.4.1.v20180619", 88340 "9.4.10.RC0", 88341 "9.4.10.RC1", 88342 "9.4.10.v20180503", 88343 "9.4.11.v20180605", 88344 "9.4.12.RC0", 88345 "9.4.12.RC1", 88346 "9.4.12.RC2", 88347 "9.4.12.v20180830", 88348 "9.4.13.v20181111", 88349 "9.4.14.v20181114", 88350 "9.4.15.v20190215", 88351 "9.4.16.v20190411", 88352 "9.4.17.v20190418", 88353 "9.4.18.v20190429", 88354 "9.4.19.v20190610", 88355 "9.4.2.v20170220", 88356 "9.4.2.v20180619", 88357 "9.4.20.v20190813", 88358 "9.4.21.v20190926", 88359 "9.4.22.v20191022", 88360 "9.4.23.v20191118", 88361 "9.4.24.v20191120", 88362 "9.4.25.v20191220", 88363 "9.4.26.v20200117", 88364 "9.4.27.v20200227", 88365 "9.4.28.v20200408", 88366 "9.4.29.v20200521", 88367 "9.4.3.v20170317", 88368 "9.4.3.v20180619", 88369 "9.4.30.v20200611", 88370 "9.4.31.v20200723", 88371 "9.4.32.v20200930", 88372 "9.4.33.v20201020", 88373 "9.4.34.v20201102", 88374 "9.4.35.v20201120", 88375 "9.4.36.v20210114", 88376 "9.4.37.v20210219", 88377 "9.4.38.v20210224", 88378 "9.4.39.v20210325", 88379 "9.4.4.v20170414", 88380 "9.4.4.v20180619", 88381 "9.4.40.v20210413", 88382 "9.4.41.v20210516", 88383 "9.4.42.v20210604", 88384 "9.4.43.v20210629", 88385 "9.4.44.v20210927", 88386 "9.4.45.v20220203", 88387 "9.4.46.v20220331", 88388 "9.4.47.v20220610", 88389 "9.4.48.v20220622", 88390 "9.4.49.v20220914", 88391 "9.4.5.v20170502", 88392 "9.4.5.v20180619", 88393 "9.4.50.v20221201", 88394 "9.4.51.v20230217", 88395 "9.4.6.v20170531", 88396 "9.4.6.v20180619", 88397 "9.4.7.RC0", 
88398 "9.4.7.v20170914", 88399 "9.4.7.v20180619", 88400 "9.4.8.v20171121", 88401 "9.4.8.v20180619", 88402 "9.4.9.v20180320" 88403 ] 88404 } 88405 ], 88406 "database_specific": { 88407 "cwe_ids": [ 88408 "CWE-611" 88409 ], 88410 "github_reviewed": true, 88411 "github_reviewed_at": "2023-07-10T21:52:39Z", 88412 "nvd_published_at": null, 88413 "severity": "LOW" 88414 }, 88415 "details": "### From the reporter\n\n\u003e `XmlParser` is vulnerable to XML external entity (XXE) vulnerability.\n\u003e XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit\n\u003e this vulnerability in order to achieve SSRF or cause a denial of service.\n\u003e One possible scenario is importing a (remote) malicious WAR into a Jetty’s server, while the\n\u003e WAR includes a malicious web.xml.\n\n### Impact\nThere are no circumstances in a normally deployed Jetty server where potentially hostile XML is given to the XmlParser class without the attacker already having arbitrary access to the server. I.e. in order to exploit `XmlParser` the attacker would already have the ability to deploy and execute hostile code. Specifically, Jetty has no protection against malicious web application and potentially hostile web applications should only be run on an isolated virtualisation. \n\nThus this is not considered a vulnerability of the Jetty server itself, as any such usage of the jetty XmlParser is equally vulnerable as a direct usage of the JVM supplied SAX parser. No CVE will be allocated to this advisory.\n\nHowever, any direct usage of the `XmlParser` class by an application may be vulnerable. 
The impact would greatly depend on how the application uses `XmlParser`, but it could be a denial of service due to large entity expansion, or possibly revealing local files if the XML results are accessible remotely.\n\n### Patches\nThe ability to configure the SAXParserFactory to fit the needs of your particular XML parser implementation has been merged as part of PR #10067\n\n### Workarounds\nDon't use `XmlParser` to parse data from users.\n\n\n", 88416 "id": "GHSA-58qw-p7qm-5rvh", 88417 "modified": "2024-02-16T08:04:34.090965Z", 88418 "published": "2023-07-10T21:52:39Z", 88419 "references": [ 88420 { 88421 "type": "WEB", 88422 "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-58qw-p7qm-5rvh" 88423 }, 88424 { 88425 "type": "WEB", 88426 "url": "https://github.com/eclipse/jetty.project/pull/10067" 88427 }, 88428 { 88429 "type": "PACKAGE", 88430 "url": "https://github.com/eclipse/jetty.project" 88431 }, 88432 { 88433 "type": "WEB", 88434 "url": "https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.16" 88435 }, 88436 { 88437 "type": "WEB", 88438 "url": "https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.16" 88439 }, 88440 { 88441 "type": "WEB", 88442 "url": "https://github.com/eclipse/jetty.project/releases/tag/jetty-12.0.0" 88443 }, 88444 { 88445 "type": "WEB", 88446 "url": "https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.52.v20230823" 88447 } 88448 ], 88449 "related": [ 88450 "CGA-cvc4-35r3-qcp6" 88451 ], 88452 "schema_version": "1.6.0", 88453 "severity": [ 88454 { 88455 "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L", 88456 "type": "CVSS_V3" 88457 } 88458 ], 88459 "summary": "Eclipse Jetty XmlParser allows arbitrary DOCTYPE declarations" 88460 }, 88461 { 88462 "affected": [ 88463 { 88464 "database_specific": { 88465 "last_known_affected_version_range": "\u003c= 6.6.0.202305301015-r", 88466 "source": 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-3p86-9955-h393/GHSA-3p86-9955-h393.json" 88467 }, 88468 "package": { 88469 "ecosystem": "Maven", 88470 "name": "org.eclipse.jgit:org.eclipse.jgit", 88471 "purl": "pkg:maven/org.eclipse.jgit/org.eclipse.jgit" 88472 }, 88473 "ranges": [ 88474 { 88475 "events": [ 88476 { 88477 "introduced": "6.0.0.202111291000-r" 88478 }, 88479 { 88480 "fixed": "6.6.1.202309021850-r" 88481 } 88482 ], 88483 "type": "ECOSYSTEM" 88484 } 88485 ], 88486 "versions": [ 88487 "6.0.0.202111291000-r", 88488 "6.1.0.202203080745-r", 88489 "6.2.0.202206071550-r", 88490 "6.3.0.202209071007-r", 88491 "6.4.0.202211300538-r", 88492 "6.5.0.202303070854-r", 88493 "6.6.0.202305301015-r" 88494 ] 88495 }, 88496 { 88497 "database_specific": { 88498 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-3p86-9955-h393/GHSA-3p86-9955-h393.json" 88499 }, 88500 "package": { 88501 "ecosystem": "Maven", 88502 "name": "org.eclipse.jgit:org.eclipse.jgit", 88503 "purl": "pkg:maven/org.eclipse.jgit/org.eclipse.jgit" 88504 }, 88505 "ranges": [ 88506 { 88507 "events": [ 88508 { 88509 "introduced": "0" 88510 }, 88511 { 88512 "fixed": "5.13.3.202401111512-r" 88513 } 88514 ], 88515 "type": "ECOSYSTEM" 88516 } 88517 ], 88518 "versions": [ 88519 "1.2.0.201112221803-r", 88520 "1.3.0.201202151440-r", 88521 "2.0.0.201206130900-r", 88522 "2.1.0.201209190230-r", 88523 "2.2.0.201212191850-r", 88524 "2.3.1.201302201838-r", 88525 "3.0.0.201306101825-r", 88526 "3.1.0.201310021548-r", 88527 "3.2.0.201312181205-r", 88528 "3.3.0.201403021825-r", 88529 "3.3.1.201403241930-r", 88530 "3.3.2.201404171909-r", 88531 "3.4.0.201405051725-m7", 88532 "3.4.0.201405211411-rc1", 88533 "3.4.0.201405281120-rc2", 88534 "3.4.0.201406041058-rc3", 88535 "3.4.0.201406110918-r", 88536 "3.4.1.201406201815-r", 88537 "3.4.2.201412180340-r", 88538 "3.5.0.201409071800-rc1", 88539 "3.5.0.201409260305-r", 88540 
"3.5.1.201410131835-r", 88541 "3.5.2.201411120430-r", 88542 "3.5.3.201412180710-r", 88543 "3.6.0.201411121045-m1", 88544 "3.6.0.201412230720-r", 88545 "3.6.1.201501031845-r", 88546 "3.6.2.201501210735-r", 88547 "3.7.0.201502260915-r", 88548 "3.7.1.201504261725-r", 88549 "4.0.0.201505050340-m2", 88550 "4.0.0.201505260635-rc2", 88551 "4.0.0.201506020755-rc3", 88552 "4.0.0.201506090130-r", 88553 "4.0.1.201506240215-r", 88554 "4.0.2.201509141540-r", 88555 "4.0.3.201509231615-r", 88556 "4.1.0.201509280440-r", 88557 "4.1.1.201511131810-r", 88558 "4.1.2.201602141800-r", 88559 "4.10.0.201712302008-r", 88560 "4.11.0.201803080745-r", 88561 "4.11.1.201807311124-r", 88562 "4.11.2.201809100523-r", 88563 "4.11.3.201809181037-r", 88564 "4.11.4.201810060650-r", 88565 "4.11.5.201810191925-r", 88566 "4.11.6.201812241910-r", 88567 "4.11.7.201903122105-r", 88568 "4.11.8.201904181247-r", 88569 "4.11.9.201909030838-r", 88570 "4.2.0.201601211800-r", 88571 "4.3.0.201604071810-r", 88572 "4.3.1.201605051710-r", 88573 "4.4.0.201605250940-rc1", 88574 "4.4.0.201606070830-r", 88575 "4.4.1.201607150455-r", 88576 "4.5.0.201609210915-r", 88577 "4.5.1.201703201650-r", 88578 "4.5.2.201704071617-r", 88579 "4.5.3.201708160445-r", 88580 "4.5.4.201711221230-r", 88581 "4.5.5.201812240535-r", 88582 "4.5.6.201903121547-r", 88583 "4.5.7.201904151645-r", 88584 "4.6.0.201612231935-r", 88585 "4.6.1.201703071140-r", 88586 "4.7.0.201704051617-r", 88587 "4.7.1.201706071930-r", 88588 "4.7.2.201807261330-r", 88589 "4.7.3.201809090215-r", 88590 "4.7.4.201809180905-r", 88591 "4.7.5.201810051826-r", 88592 "4.7.6.201810191618-r", 88593 "4.7.7.201812240805-r", 88594 "4.7.8.201903121755-r", 88595 "4.7.9.201904161809-r", 88596 "4.8.0.201705170830-rc1", 88597 "4.8.0.201706111038-r", 88598 "4.9.0.201710071750-r", 88599 "4.9.1.201712030800-r", 88600 "4.9.10.201904181027-r", 88601 "4.9.2.201712150930-r", 88602 "4.9.3.201807311005-r", 88603 "4.9.4.201809090327-r", 88604 "4.9.5.201809180939-r", 88605 "4.9.6.201810051924-r", 
88606 "4.9.7.201810191756-r", 88607 "4.9.8.201812241815-r", 88608 "4.9.9.201903122025-r", 88609 "5.0.0.201805151920-m7", 88610 "5.0.0.201805221745-rc1", 88611 "5.0.0.201805301535-rc2", 88612 "5.0.0.201806131550-r", 88613 "5.0.1.201806211838-r", 88614 "5.0.2.201807311906-r", 88615 "5.0.3.201809091024-r", 88616 "5.1.0.201809111528-r", 88617 "5.1.1.201809181055-r", 88618 "5.1.10.201908230655-r", 88619 "5.1.11.201909031202-r", 88620 "5.1.12.201910011832-r", 88621 "5.1.13.202002110435-r", 88622 "5.1.14.202011251942-r", 88623 "5.1.15.202012011955-r", 88624 "5.1.16.202106041830-r", 88625 "5.1.2.201810061102-r", 88626 "5.1.3.201810200350-r", 88627 "5.1.5.201812261915-r", 88628 "5.1.6.201903130242-r", 88629 "5.1.7.201904200442-r", 88630 "5.1.8.201906050907-r", 88631 "5.1.9.201908210455-r", 88632 "5.10.0.202012080955-r", 88633 "5.11.0.202103091610-r", 88634 "5.11.1.202105131744-r", 88635 "5.12.0.202106070339-r", 88636 "5.13.0.202109080827-r", 88637 "5.13.1.202206130422-r", 88638 "5.13.2.202306221912-r", 88639 "5.2.0.201812061821-r", 88640 "5.2.1.201812262042-r", 88641 "5.2.2.201904231744-r", 88642 "5.3.0.201903130848-r", 88643 "5.3.1.201904271842-r", 88644 "5.3.2.201906051522-r", 88645 "5.3.4.201908231101-r", 88646 "5.3.5.201909031855-r", 88647 "5.3.6.201910020505-r", 88648 "5.3.7.202002110540-r", 88649 "5.3.8.202011260953-r", 88650 "5.3.9.202012012026-r", 88651 "5.4.0.201906121030-r", 88652 "5.4.2.201908231537-r", 88653 "5.4.3.201909031940-r", 88654 "5.5.0.201909110433-r", 88655 "5.5.1.201910021850-r", 88656 "5.6.0.201912101111-r", 88657 "5.6.1.202002131546-r", 88658 "5.7.0.202003090808-r", 88659 "5.7.0.202003110725-r", 88660 "5.8.0.202006091008-r", 88661 "5.8.1.202007141445-r", 88662 "5.9.0.202009080501-r" 88663 ] 88664 } 88665 ], 88666 "aliases": [ 88667 "CVE-2023-4759" 88668 ], 88669 "database_specific": { 88670 "cwe_ids": [ 88671 "CWE-178" 88672 ], 88673 "github_reviewed": true, 88674 "github_reviewed_at": "2023-09-18T19:17:54Z", 88675 "nvd_published_at": 
"2023-09-12T10:15:29Z", 88676 "severity": "HIGH" 88677 }, 88678 "details": "Arbitrary File Overwrite in Eclipse JGit \u003c= 6.6.0\n\nIn Eclipse JGit, all versions \u003c= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.\n\nThis can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.\n\nThe issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.\n\nSetting git configuration option core.symlinks = false before checking out avoids the problem.\n\nThe issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/ and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . 
A backport is available in 5.13.3 starting from 5.13.3.202401111512-r.\n\nThe JGit maintainers would like to thank RyotaK for finding and reporting this issue.\n\n\n\n", 88679 "id": "GHSA-3p86-9955-h393", 88680 "modified": "2024-04-11T19:46:07.697031Z", 88681 "published": "2023-09-18T15:30:18Z", 88682 "references": [ 88683 { 88684 "type": "ADVISORY", 88685 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4759" 88686 }, 88687 { 88688 "type": "WEB", 88689 "url": "https://github.com/eclipse-jgit/jgit/issues/30" 88690 }, 88691 { 88692 "type": "PACKAGE", 88693 "url": "https://git.eclipse.org/c/jgit/jgit.git" 88694 }, 88695 { 88696 "type": "WEB", 88697 "url": "https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1" 88698 }, 88699 { 88700 "type": "WEB", 88701 "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11" 88702 }, 88703 { 88704 "type": "WEB", 88705 "url": "https://projects.eclipse.org/projects/technology.jgit/releases/5.13.3" 88706 }, 88707 { 88708 "type": "WEB", 88709 "url": "https://projects.eclipse.org/projects/technology.jgit/releases/6.6.1" 88710 } 88711 ], 88712 "related": [ 88713 "CGA-f3hc-jjwc-wwjp" 88714 ], 88715 "schema_version": "1.6.0", 88716 "severity": [ 88717 { 88718 "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 88719 "type": "CVSS_V3" 88720 } 88721 ], 88722 "summary": "Arbitrary File Overwrite in Eclipse JGit " 88723 }, 88724 { 88725 "affected": [ 88726 { 88727 "database_specific": { 88728 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6vvc-c2m3-cjf3/GHSA-6vvc-c2m3-cjf3.json" 88729 }, 88730 "package": { 88731 "ecosystem": "Maven", 88732 "name": "org.eclipse.jgit:org.eclipse.jgit", 88733 "purl": "pkg:maven/org.eclipse.jgit/org.eclipse.jgit" 88734 }, 88735 "ranges": [ 88736 { 88737 "events": [ 88738 { 88739 "introduced": "0" 88740 }, 88741 { 88742 "fixed": "3.5.3" 88743 } 88744 ], 88745 "type": "ECOSYSTEM" 88746 } 88747 
], 88748 "versions": [ 88749 "1.2.0.201112221803-r", 88750 "1.3.0.201202151440-r", 88751 "2.0.0.201206130900-r", 88752 "2.1.0.201209190230-r", 88753 "2.2.0.201212191850-r", 88754 "2.3.1.201302201838-r", 88755 "3.0.0.201306101825-r", 88756 "3.1.0.201310021548-r", 88757 "3.2.0.201312181205-r", 88758 "3.3.0.201403021825-r", 88759 "3.3.1.201403241930-r", 88760 "3.3.2.201404171909-r", 88761 "3.4.0.201405051725-m7", 88762 "3.4.0.201405211411-rc1", 88763 "3.4.0.201405281120-rc2", 88764 "3.4.0.201406041058-rc3", 88765 "3.4.0.201406110918-r", 88766 "3.4.1.201406201815-r", 88767 "3.4.2.201412180340-r", 88768 "3.5.0.201409071800-rc1", 88769 "3.5.0.201409260305-r", 88770 "3.5.1.201410131835-r", 88771 "3.5.2.201411120430-r" 88772 ] 88773 } 88774 ], 88775 "aliases": [ 88776 "CVE-2014-9390", 88777 "PYSEC-2020-217" 88778 ], 88779 "database_specific": { 88780 "cwe_ids": [ 88781 "CWE-20" 88782 ], 88783 "github_reviewed": true, 88784 "github_reviewed_at": "2023-01-26T23:53:52Z", 88785 "nvd_published_at": "2020-02-12T02:15:00Z", 88786 "severity": "CRITICAL" 88787 }, 88788 "details": "Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine; libgit2; Egit; and JGit allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.", 88789 "id": "GHSA-6vvc-c2m3-cjf3", 88790 "modified": "2024-02-16T08:19:13.99228Z", 88791 "published": "2022-05-17T19:57:29Z", 88792 "references": [ 88793 { 88794 "type": "ADVISORY", 88795 "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9390" 88796 }, 88797 { 88798 "type": "WEB", 88799 "url": "https://github.com/libgit2/libgit2/commit/928429c5c96a701bcbcafacb2421a82602b36915" 88800 }, 88801 { 88802 "type": "WEB", 88803 
"url": "https://github.com/blog/1938-git-client-vulnerability-announced" 88804 }, 88805 { 88806 "type": "WEB", 88807 "url": "https://libgit2.org/security" 88808 }, 88809 { 88810 "type": "WEB", 88811 "url": "https://news.ycombinator.com/item?id=8769667" 88812 }, 88813 { 88814 "type": "WEB", 88815 "url": "https://projects.eclipse.org/projects/technology.jgit/releases/3.5.3" 88816 }, 88817 { 88818 "type": "WEB", 88819 "url": "https://web.archive.org/web/20211204220400/https://securitytracker.com/id?1031404" 88820 }, 88821 { 88822 "type": "WEB", 88823 "url": "http://article.gmane.org/gmane.linux.kernel/1853266" 88824 }, 88825 { 88826 "type": "WEB", 88827 "url": "http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html" 88828 }, 88829 { 88830 "type": "WEB", 88831 "url": "http://mercurial.selenic.com/wiki/WhatsNew" 88832 }, 88833 { 88834 "type": "WEB", 88835 "url": "http://support.apple.com/kb/HT204147" 88836 } 88837 ], 88838 "schema_version": "1.6.0", 88839 "severity": [ 88840 { 88841 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 88842 "type": "CVSS_V3" 88843 } 88844 ], 88845 "summary": "JGit Improper Input Validation vulnerability" 88846 }, 88847 { 88848 "affected": [ 88849 { 88850 "database_specific": { 88851 "last_known_affected_version_range": "\u003c= 2.33", 88852 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-c43q-5hpj-4crv/GHSA-c43q-5hpj-4crv.json" 88853 }, 88854 "package": { 88855 "ecosystem": "Maven", 88856 "name": "org.glassfish.jersey.core:jersey-common", 88857 "purl": "pkg:maven/org.glassfish.jersey.core/jersey-common" 88858 }, 88859 "ranges": [ 88860 { 88861 "events": [ 88862 { 88863 "introduced": "2.28" 88864 }, 88865 { 88866 "fixed": "2.34" 88867 } 88868 ], 88869 "type": "ECOSYSTEM" 88870 } 88871 ], 88872 "versions": [ 88873 "2.28", 88874 "2.29", 88875 "2.29.1", 88876 "2.30", 88877 "2.30.1", 88878 "2.31", 88879 "2.32", 88880 "2.33" 88881 ] 88882 }, 88883 { 88884 
"database_specific": { 88885 "last_known_affected_version_range": "\u003c= 3.0.1", 88886 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-c43q-5hpj-4crv/GHSA-c43q-5hpj-4crv.json" 88887 }, 88888 "package": { 88889 "ecosystem": "Maven", 88890 "name": "org.glassfish.jersey.core:jersey-common", 88891 "purl": "pkg:maven/org.glassfish.jersey.core/jersey-common" 88892 }, 88893 "ranges": [ 88894 { 88895 "events": [ 88896 { 88897 "introduced": "3.0.0" 88898 }, 88899 { 88900 "fixed": "3.0.2" 88901 } 88902 ], 88903 "type": "ECOSYSTEM" 88904 } 88905 ], 88906 "versions": [ 88907 "3.0.0", 88908 "3.0.1" 88909 ] 88910 } 88911 ], 88912 "aliases": [ 88913 "CVE-2021-28168" 88914 ], 88915 "database_specific": { 88916 "cwe_ids": [ 88917 "CWE-378", 88918 "CWE-379", 88919 "CWE-668", 88920 "CWE-732" 88921 ], 88922 "github_reviewed": true, 88923 "github_reviewed_at": "2021-04-22T19:22:31Z", 88924 "nvd_published_at": "2021-04-22T18:15:00Z", 88925 "severity": "MODERATE" 88926 }, 88927 "details": "## Impact\nEclipse Jersey 2.28 - 2.33 and Eclipse Jersey 3.0.0 - 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the `File.createTempFile` which creates a file inside of the system temporary directory with the permissions: `-rw-r--r--`. Thus the contents of this file are viewable by all other users locally on the system. 
As such, if the contents written are security sensitive, they can be disclosed to other local users.\n\n## Workaround\n\nThis issue can be mitigated by manually setting the `java.io.tmpdir` system property when launching the JVM.\n\n## Patches\n\nJersey 2.34 and 3.0.2 forward set the correct permissions on the temporary file created by Jersey.\n\n### References\n \n - https://github.com/eclipse-ee4j/jersey/pull/4712\n - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\n - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\n\n## Similar Vulnerabilities\n\nSimilar, but not the same:\n\n - JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\n - Google Guava - https://github.com/google/guava/issues/4011\n - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945\n - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824\n - Eclipse Jetty - https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6\n\n\n---\n\nOriginal Disclosure:\n\n\u003e Hello Jersey Security Team,\n\u003e \n\u003e Utilizing a custom CodeQL query written as a part of the [GitHub Security Lab](https://securitylab.github.com/) [Bug Bounty program](https://securitylab.github.com/bounties), I've unearthed a local temporary file information disclosure vulnerability.\n\u003e \n\u003e You can see the custom CodeQL query utilized here:\n\u003e https://lgtm.com/query/8831016213790320486/\n\u003e \n\u003e This particular vulnerability exists because on unix-like systems (not including modern versions of MacOS) the system temporary directory is shared between all users. 
As such, failure to correctly set file permissions and/or verify exclusive creation of directories can lead to either local information disclosure, or local file hijacking by another user.\n\u003e \n\u003e This vulnerability impacts the following locations in this project's source:\n\u003e \n\u003e - https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/FileProvider.java#L64-L73\n\u003e - https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/media/multipart/src/main/java/org/glassfish/jersey/media/multipart/internal/FormDataParamValueParamProvider.java#L202-L208\n\u003e \n\u003e This vulnerability exists because of the vulnerability in the `Utils.createTempFile`:\n\u003e \n\u003e https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/Utils.java#L42-L53\n\u003e \n\u003e This is because `File.createTempFile` creates a file inside of the system temporary directory with the permissions: `-rw-r--r--`. 
Thus the contents of this file are viewable by all other users locally on the system.\n\u003e \n\u003e If there is sensitive information written to these files, it is disclosed to other local users on this system.\n\u003e \n\u003e The fix for this vulnerability is to use the `Files` API (instead of the `File` API) to create temporary files/directories as this new API correctly sets the posix file permissions.", 88928 "id": "GHSA-c43q-5hpj-4crv", 88929 "modified": "2024-03-08T05:18:14.836767Z", 88930 "published": "2021-04-23T16:55:01Z", 88931 "references": [ 88932 { 88933 "type": "WEB", 88934 "url": "https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv" 88935 }, 88936 { 88937 "type": "ADVISORY", 88938 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28168" 88939 }, 88940 { 88941 "type": "WEB", 88942 "url": "https://github.com/eclipse-ee4j/jersey/pull/4712" 88943 }, 88944 { 88945 "type": "WEB", 88946 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 88947 }, 88948 { 88949 "type": "WEB", 88950 "url": "https://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd@%3Cjira.kafka.apache.org%3E" 88951 }, 88952 { 88953 "type": "WEB", 88954 "url": "https://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c@%3Cjira.kafka.apache.org%3E" 88955 }, 88956 { 88957 "type": "WEB", 88958 "url": "https://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e@%3Cjira.kafka.apache.org%3E" 88959 }, 88960 { 88961 "type": "WEB", 88962 "url": "https://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0@%3Cjira.kafka.apache.org%3E" 88963 }, 88964 { 88965 "type": "WEB", 88966 "url": "https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b@%3Cjira.kafka.apache.org%3E" 88967 }, 88968 { 88969 "type": "WEB", 88970 "url": 
"https://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc@%3Cdev.kafka.apache.org%3E" 88971 }, 88972 { 88973 "type": "WEB", 88974 "url": "https://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4@%3Cjira.kafka.apache.org%3E" 88975 }, 88976 { 88977 "type": "WEB", 88978 "url": "https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a@%3Cjira.kafka.apache.org%3E" 88979 }, 88980 { 88981 "type": "WEB", 88982 "url": "https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f@%3Cjira.kafka.apache.org%3E" 88983 }, 88984 { 88985 "type": "WEB", 88986 "url": "https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1@%3Ccommits.kafka.apache.org%3E" 88987 }, 88988 { 88989 "type": "WEB", 88990 "url": "https://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972@%3Cjira.kafka.apache.org%3E" 88991 }, 88992 { 88993 "type": "WEB", 88994 "url": "https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4@%3Cjira.kafka.apache.org%3E" 88995 }, 88996 { 88997 "type": "WEB", 88998 "url": "https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a@%3Cjira.kafka.apache.org%3E" 88999 }, 89000 { 89001 "type": "WEB", 89002 "url": "https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359@%3Cdev.kafka.apache.org%3E" 89003 }, 89004 { 89005 "type": "WEB", 89006 "url": "https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa@%3Ccommits.kafka.apache.org%3E" 89007 }, 89008 { 89009 "type": "WEB", 89010 "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E" 89011 } 89012 ], 89013 "schema_version": "1.6.0", 89014 "severity": [ 89015 { 89016 "score": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 89017 "type": "CVSS_V3" 89018 } 89019 ], 89020 "summary": "Local information disclosure via system temporary directory" 89021 }, 89022 { 89023 "affected": [ 89024 { 89025 "database_specific": { 89026 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-2268-98wh-qfhf/GHSA-2268-98wh-qfhf.json" 89027 }, 89028 "package": { 89029 "ecosystem": "Maven", 89030 "name": "org.jline:jline-parent", 89031 "purl": "pkg:maven/org.jline/jline-parent" 89032 }, 89033 "ranges": [ 89034 { 89035 "events": [ 89036 { 89037 "introduced": "0" 89038 }, 89039 { 89040 "fixed": "3.25.0" 89041 } 89042 ], 89043 "type": "ECOSYSTEM" 89044 } 89045 ], 89046 "versions": [ 89047 "3.10.0", 89048 "3.11.0", 89049 "3.12.0", 89050 "3.12.1", 89051 "3.13.0", 89052 "3.13.1", 89053 "3.13.2", 89054 "3.13.3", 89055 "3.14.0", 89056 "3.14.1", 89057 "3.15.0", 89058 "3.16.0", 89059 "3.17.0", 89060 "3.17.1", 89061 "3.18.0", 89062 "3.19.0", 89063 "3.2.0", 89064 "3.20.0", 89065 "3.21.0", 89066 "3.22.0", 89067 "3.23.0", 89068 "3.24.0", 89069 "3.24.1", 89070 "3.3.0", 89071 "3.3.1", 89072 "3.4.0", 89073 "3.5.0", 89074 "3.5.1", 89075 "3.5.2", 89076 "3.6.0", 89077 "3.6.1", 89078 "3.6.2", 89079 "3.7.0", 89080 "3.7.1", 89081 "3.8.0", 89082 "3.8.1", 89083 "3.8.2", 89084 "3.9.0" 89085 ] 89086 } 89087 ], 89088 "aliases": [ 89089 "CVE-2023-50572" 89090 ], 89091 "database_specific": { 89092 "cwe_ids": [ 89093 "CWE-122", 89094 "CWE-787" 89095 ], 89096 "github_reviewed": true, 89097 "github_reviewed_at": "2023-12-29T20:08:20Z", 89098 "nvd_published_at": "2023-12-29T15:15:10Z", 89099 "severity": "MODERATE" 89100 }, 89101 "details": "An issue in the component `GroovyEngine.execute` of JLine v3.24.1 allows attackers to cause an out of memory (OOM) error exception.", 89102 "id": "GHSA-2268-98wh-qfhf", 89103 "modified": "2024-02-16T08:07:52.686694Z", 89104 "published": "2023-12-29T15:30:37Z", 89105 "references": [ 89106 { 89107 "type": 
"ADVISORY", 89108 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50572" 89109 }, 89110 { 89111 "type": "WEB", 89112 "url": "https://github.com/jline/jline3/issues/909" 89113 }, 89114 { 89115 "type": "WEB", 89116 "url": "https://github.com/jline/jline3/commit/f3c60a3e6255e8e0c20d5043a4fe248446f292bb" 89117 }, 89118 { 89119 "type": "PACKAGE", 89120 "url": "https://github.com/jline/jline3" 89121 } 89122 ], 89123 "schema_version": "1.6.0", 89124 "severity": [ 89125 { 89126 "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", 89127 "type": "CVSS_V3" 89128 } 89129 ], 89130 "summary": "JLine vulnerable to out of memory error" 89131 }, 89132 { 89133 "affected": [ 89134 { 89135 "database_specific": { 89136 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-3vqj-43w4-2q58/GHSA-3vqj-43w4-2q58.json" 89137 }, 89138 "package": { 89139 "ecosystem": "Maven", 89140 "name": "cn.hutool:hutool-json", 89141 "purl": "pkg:maven/cn.hutool/hutool-json" 89142 }, 89143 "ranges": [ 89144 { 89145 "events": [ 89146 { 89147 "introduced": "0" 89148 }, 89149 { 89150 "fixed": "5.8.25" 89151 } 89152 ], 89153 "type": "ECOSYSTEM" 89154 } 89155 ], 89156 "versions": [ 89157 "4.0.0", 89158 "4.0.1", 89159 "4.0.10", 89160 "4.0.11", 89161 "4.0.12", 89162 "4.0.2", 89163 "4.0.3", 89164 "4.0.4", 89165 "4.0.5", 89166 "4.0.6", 89167 "4.0.7", 89168 "4.0.8", 89169 "4.0.9", 89170 "4.1.0", 89171 "4.1.1", 89172 "4.1.10", 89173 "4.1.11", 89174 "4.1.12", 89175 "4.1.13", 89176 "4.1.14", 89177 "4.1.15", 89178 "4.1.16", 89179 "4.1.17", 89180 "4.1.18", 89181 "4.1.19", 89182 "4.1.2", 89183 "4.1.20", 89184 "4.1.21", 89185 "4.1.3", 89186 "4.1.4", 89187 "4.1.5", 89188 "4.1.6", 89189 "4.1.7", 89190 "4.1.8", 89191 "4.1.9", 89192 "4.2.1", 89193 "4.3.0", 89194 "4.3.1", 89195 "4.3.2", 89196 "4.4.0", 89197 "4.4.1", 89198 "4.4.2", 89199 "4.4.3", 89200 "4.4.4", 89201 "4.4.5", 89202 "4.5.0", 89203 "4.5.1", 89204 "4.5.10", 89205 "4.5.11", 89206 "4.5.12", 89207 "4.5.13", 89208 
"4.5.14", 89209 "4.5.15", 89210 "4.5.16", 89211 "4.5.17", 89212 "4.5.18", 89213 "4.5.2", 89214 "4.5.3", 89215 "4.5.4", 89216 "4.5.5", 89217 "4.5.6", 89218 "4.5.7", 89219 "4.5.8", 89220 "4.5.9", 89221 "4.6.0", 89222 "4.6.1", 89223 "4.6.10", 89224 "4.6.11", 89225 "4.6.12", 89226 "4.6.13", 89227 "4.6.14", 89228 "4.6.15", 89229 "4.6.16", 89230 "4.6.17", 89231 "4.6.2", 89232 "4.6.3", 89233 "4.6.4", 89234 "4.6.5", 89235 "4.6.6", 89236 "4.6.7", 89237 "4.6.8", 89238 "5.0.0", 89239 "5.0.1", 89240 "5.0.2", 89241 "5.0.3", 89242 "5.0.4", 89243 "5.0.5", 89244 "5.0.6", 89245 "5.0.7", 89246 "5.1.0", 89247 "5.1.1", 89248 "5.1.2", 89249 "5.1.3", 89250 "5.1.4", 89251 "5.1.5", 89252 "5.2.0", 89253 "5.2.1", 89254 "5.2.2", 89255 "5.2.3", 89256 "5.2.4", 89257 "5.2.5", 89258 "5.3.0", 89259 "5.3.1", 89260 "5.3.10", 89261 "5.3.2", 89262 "5.3.3", 89263 "5.3.4", 89264 "5.3.5", 89265 "5.3.6", 89266 "5.3.7", 89267 "5.3.8", 89268 "5.3.9", 89269 "5.4.0", 89270 "5.4.1", 89271 "5.4.2", 89272 "5.4.3", 89273 "5.4.4", 89274 "5.4.5", 89275 "5.4.6", 89276 "5.4.7", 89277 "5.5.0", 89278 "5.5.1", 89279 "5.5.2", 89280 "5.5.3", 89281 "5.5.4", 89282 "5.5.5", 89283 "5.5.6", 89284 "5.5.7", 89285 "5.5.8", 89286 "5.5.9", 89287 "5.6.0", 89288 "5.6.1", 89289 "5.6.2", 89290 "5.6.3", 89291 "5.6.4", 89292 "5.6.5", 89293 "5.6.6", 89294 "5.6.7", 89295 "5.7.0", 89296 "5.7.1", 89297 "5.7.10", 89298 "5.7.11", 89299 "5.7.12", 89300 "5.7.13", 89301 "5.7.14", 89302 "5.7.15", 89303 "5.7.16", 89304 "5.7.17", 89305 "5.7.18", 89306 "5.7.19", 89307 "5.7.2", 89308 "5.7.20", 89309 "5.7.21", 89310 "5.7.22", 89311 "5.7.3", 89312 "5.7.4", 89313 "5.7.5", 89314 "5.7.6", 89315 "5.7.7", 89316 "5.7.8", 89317 "5.7.9", 89318 "5.8.0", 89319 "5.8.0.M1", 89320 "5.8.0.M2", 89321 "5.8.0.M3", 89322 "5.8.0.M4", 89323 "5.8.1", 89324 "5.8.10", 89325 "5.8.11", 89326 "5.8.12", 89327 "5.8.13", 89328 "5.8.14", 89329 "5.8.15", 89330 "5.8.16", 89331 "5.8.17", 89332 "5.8.18", 89333 "5.8.19", 89334 "5.8.2", 89335 "5.8.20", 89336 "5.8.21", 89337 "5.8.22", 
89338 "5.8.23", 89339 "5.8.24", 89340 "5.8.3", 89341 "5.8.4", 89342 "5.8.4.M1", 89343 "5.8.5", 89344 "5.8.6", 89345 "5.8.7", 89346 "5.8.8", 89347 "5.8.9" 89348 ] 89349 }, 89350 { 89351 "database_specific": { 89352 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-3vqj-43w4-2q58/GHSA-3vqj-43w4-2q58.json" 89353 }, 89354 "package": { 89355 "ecosystem": "Maven", 89356 "name": "org.json:json", 89357 "purl": "pkg:maven/org.json/json" 89358 }, 89359 "ranges": [ 89360 { 89361 "events": [ 89362 { 89363 "introduced": "0" 89364 }, 89365 { 89366 "fixed": "20230227" 89367 } 89368 ], 89369 "type": "ECOSYSTEM" 89370 } 89371 ], 89372 "versions": [ 89373 "20070829", 89374 "20080701", 89375 "20090211", 89376 "20131018", 89377 "20140107", 89378 "20141113", 89379 "20150729", 89380 "20151123", 89381 "20160212", 89382 "20160807", 89383 "20160810", 89384 "20170516", 89385 "20171018", 89386 "20180130", 89387 "20180813", 89388 "20190722", 89389 "20200518", 89390 "20201115", 89391 "20210307", 89392 "20211205", 89393 "20220320", 89394 "20220924" 89395 ] 89396 } 89397 ], 89398 "aliases": [ 89399 "CVE-2022-45688" 89400 ], 89401 "database_specific": { 89402 "cwe_ids": [ 89403 "CWE-787" 89404 ], 89405 "github_reviewed": true, 89406 "github_reviewed_at": "2022-12-13T19:25:03Z", 89407 "nvd_published_at": "2022-12-13T15:15:00Z", 89408 "severity": "HIGH" 89409 }, 89410 "details": "A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 and org.json:json before version 20230227 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.", 89411 "id": "GHSA-3vqj-43w4-2q58", 89412 "modified": "2024-04-15T20:32:09.9652Z", 89413 "published": "2022-12-13T15:30:26Z", 89414 "references": [ 89415 { 89416 "type": "ADVISORY", 89417 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45688" 89418 }, 89419 { 89420 "type": "WEB", 89421 "url": "https://github.com/dromara/hutool/issues/2748" 89422 }, 89423 { 89424 "type": 
"WEB", 89425 "url": "https://github.com/stleary/JSON-java/issues/708" 89426 }, 89427 { 89428 "type": "WEB", 89429 "url": "https://github.com/dromara/hutool/commit/6a2b585de0a380e8c12016dbaa1620b69be11b8c" 89430 }, 89431 { 89432 "type": "WEB", 89433 "url": "https://github.com/stleary/JSON-java/commit/a6e412bded7a0ad605adfeca029318f184c32102" 89434 }, 89435 { 89436 "type": "WEB", 89437 "url": "https://github.com/dromara/hutool/releases/tag/5.8.25" 89438 } 89439 ], 89440 "schema_version": "1.6.0", 89441 "severity": [ 89442 { 89443 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 89444 "type": "CVSS_V3" 89445 } 89446 ], 89447 "summary": "json stack overflow vulnerability" 89448 }, 89449 { 89450 "affected": [ 89451 { 89452 "database_specific": { 89453 "last_known_affected_version_range": "\u003c= 20230618", 89454 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-4jq9-2xhw-jpx7/GHSA-4jq9-2xhw-jpx7.json" 89455 }, 89456 "package": { 89457 "ecosystem": "Maven", 89458 "name": "org.json:json", 89459 "purl": "pkg:maven/org.json/json" 89460 }, 89461 "ranges": [ 89462 { 89463 "events": [ 89464 { 89465 "introduced": "0" 89466 }, 89467 { 89468 "fixed": "20231013" 89469 } 89470 ], 89471 "type": "ECOSYSTEM" 89472 } 89473 ], 89474 "versions": [ 89475 "20070829", 89476 "20080701", 89477 "20090211", 89478 "20131018", 89479 "20140107", 89480 "20141113", 89481 "20150729", 89482 "20151123", 89483 "20160212", 89484 "20160807", 89485 "20160810", 89486 "20170516", 89487 "20171018", 89488 "20180130", 89489 "20180813", 89490 "20190722", 89491 "20200518", 89492 "20201115", 89493 "20210307", 89494 "20211205", 89495 "20220320", 89496 "20220924", 89497 "20230227", 89498 "20230618" 89499 ] 89500 } 89501 ], 89502 "aliases": [ 89503 "CVE-2023-5072" 89504 ], 89505 "database_specific": { 89506 "cwe_ids": [ 89507 "CWE-358" 89508 ], 89509 "github_reviewed": true, 89510 "github_reviewed_at": "2023-11-14T22:24:08Z", 89511 "nvd_published_at": 
null, 89512 "severity": "HIGH" 89513 }, 89514 "details": "### Summary\nA denial of service vulnerability in JSON-Java was discovered by [ClusterFuzz](https://google.github.io/clusterfuzz/). A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. There are two issues: (1) the parser bug can be used to circumvent a check that is supposed to prevent the key in a JSON object from itself being another JSON object; (2) if a key does end up being a JSON object then it gets converted into a string, using `\\` to escape special characters, including `\\` itself. So by nesting JSON objects, with a key that is a JSON object that has a key that is a JSON object, and so on, we can get an exponential number of `\\` characters in the escaped string.\n\n### Severity\nHigh - Because this is an already-fixed DoS vulnerability, the only remaining impact possible is for existing binaries that have not been updated yet.\n\n### Proof of Concept\n```java\npackage orgjsonbug;\n\nimport org.json.JSONObject;\n\n/**\n * Illustrates a bug in JSON-Java.\n */\npublic class Bug {\n private static String makeNested(int depth) {\n if (depth == 0) {\n return \"{\\\"a\\\":1}\";\n }\n return \"{\\\"a\\\":1;\\t\\0\" + makeNested(depth - 1) + \":1}\";\n }\n\n public static void main(String[] args) {\n String input = makeNested(30);\n System.out.printf(\"Input string has length %d: %s\\n\", input.length(), input);\n JSONObject output = new JSONObject(input);\n System.out.printf(\"Output JSONObject has length %d: %s\\n\", output.toString().length(), output);\n }\n}\n```\nWhen run, this reports that the input string has length 367. 
Then, after a long pause, the program crashes inside new JSONObject with OutOfMemoryError.\n\n### Further Analysis\nThe issue is fixed by [this PR](https://github.com/stleary/JSON-java/pull/759).\n\n### Timeline\n**Date reported**: 07/14/2023\n**Date fixed**: \n**Date disclosed**: 10/12/2023", 89515 "id": "GHSA-4jq9-2xhw-jpx7", 89516 "modified": "2024-02-16T08:22:14.901634Z", 89517 "published": "2023-11-14T22:24:08Z", 89518 "references": [ 89519 { 89520 "type": "WEB", 89521 "url": "https://github.com/google/security-research/security/advisories/GHSA-4jq9-2xhw-jpx7" 89522 }, 89523 { 89524 "type": "ADVISORY", 89525 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5072" 89526 }, 89527 { 89528 "type": "WEB", 89529 "url": "https://github.com/stleary/JSON-java/issues/758" 89530 }, 89531 { 89532 "type": "WEB", 89533 "url": "https://github.com/stleary/JSON-java/issues/771" 89534 }, 89535 { 89536 "type": "WEB", 89537 "url": "https://github.com/stleary/JSON-java/pull/759" 89538 }, 89539 { 89540 "type": "WEB", 89541 "url": "https://github.com/stleary/JSON-java/commit/60662e2f8384d3449822a3a1179bfe8de67b55bb" 89542 }, 89543 { 89544 "type": "PACKAGE", 89545 "url": "https://github.com/stleary/JSON-java" 89546 } 89547 ], 89548 "related": [ 89549 "CGA-7g9h-xgv7-r8j3" 89550 ], 89551 "schema_version": "1.6.0", 89552 "summary": "Java: DoS Vulnerability in JSON-JAVA" 89553 }, 89554 { 89555 "affected": [ 89556 { 89557 "database_specific": { 89558 "last_known_affected_version_range": "\u003c= 1.8.2", 89559 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-48rh-qgjr-xfj6/GHSA-48rh-qgjr-xfj6.json" 89560 }, 89561 "package": { 89562 "ecosystem": "Maven", 89563 "name": "org.jsoup:jsoup", 89564 "purl": "pkg:maven/org.jsoup/jsoup" 89565 }, 89566 "ranges": [ 89567 { 89568 "events": [ 89569 { 89570 "introduced": "1.6.0" 89571 }, 89572 { 89573 "fixed": "1.8.3" 89574 } 89575 ], 89576 "type": "ECOSYSTEM" 89577 } 89578 ], 89579 "versions": [ 
89580 "1.6.0", 89581 "1.6.1", 89582 "1.6.2", 89583 "1.6.3", 89584 "1.7.1", 89585 "1.7.2", 89586 "1.7.3", 89587 "1.8.1", 89588 "1.8.2" 89589 ] 89590 } 89591 ], 89592 "aliases": [ 89593 "CVE-2015-6748" 89594 ], 89595 "database_specific": { 89596 "cwe_ids": [ 89597 "CWE-79" 89598 ], 89599 "github_reviewed": true, 89600 "github_reviewed_at": "2022-07-06T20:10:33Z", 89601 "nvd_published_at": "2017-09-25T17:29:00Z", 89602 "severity": "MODERATE" 89603 }, 89604 "details": "Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3.", 89605 "id": "GHSA-48rh-qgjr-xfj6", 89606 "modified": "2024-05-15T03:18:35.036252Z", 89607 "published": "2022-05-13T01:28:44Z", 89608 "references": [ 89609 { 89610 "type": "ADVISORY", 89611 "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-6748" 89612 }, 89613 { 89614 "type": "WEB", 89615 "url": "https://github.com/jhy/jsoup/pull/582" 89616 }, 89617 { 89618 "type": "WEB", 89619 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1258310" 89620 }, 89621 { 89622 "type": "WEB", 89623 "url": "https://hibernate.atlassian.net/browse/HV-1012" 89624 }, 89625 { 89626 "type": "WEB", 89627 "url": "https://issues.jboss.org/browse/WFLY-5223?_sscc=t" 89628 }, 89629 { 89630 "type": "WEB", 89631 "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00021.html" 89632 }, 89633 { 89634 "type": "WEB", 89635 "url": "http://www.openwall.com/lists/oss-security/2015/08/28/5" 89636 } 89637 ], 89638 "schema_version": "1.6.0", 89639 "severity": [ 89640 { 89641 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 89642 "type": "CVSS_V3" 89643 } 89644 ], 89645 "summary": "Improper Neutralization of Input During Web Page Generation in Jsoup" 89646 }, 89647 { 89648 "affected": [ 89649 { 89650 "database_specific": { 89651 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-gp7f-rwcx-9369/GHSA-gp7f-rwcx-9369.json" 89652 }, 89653 "package": { 89654 "ecosystem": "Maven", 89655 "name": "org.jsoup:jsoup", 89656 
"purl": "pkg:maven/org.jsoup/jsoup" 89657 }, 89658 "ranges": [ 89659 { 89660 "events": [ 89661 { 89662 "introduced": "0" 89663 }, 89664 { 89665 "fixed": "1.15.3" 89666 } 89667 ], 89668 "type": "ECOSYSTEM" 89669 } 89670 ], 89671 "versions": [ 89672 "0.2.1b", 89673 "0.2.2", 89674 "0.3.1", 89675 "1.1.1", 89676 "1.10.1", 89677 "1.10.2", 89678 "1.10.3", 89679 "1.11.1", 89680 "1.11.2", 89681 "1.11.3", 89682 "1.12.1", 89683 "1.12.2", 89684 "1.13.1", 89685 "1.14.1", 89686 "1.14.2", 89687 "1.14.3", 89688 "1.15.1", 89689 "1.15.2", 89690 "1.2.1", 89691 "1.2.2", 89692 "1.2.3", 89693 "1.3.1", 89694 "1.3.2", 89695 "1.3.3", 89696 "1.4.1", 89697 "1.5.1", 89698 "1.5.2", 89699 "1.6.0", 89700 "1.6.1", 89701 "1.6.2", 89702 "1.6.3", 89703 "1.7.1", 89704 "1.7.2", 89705 "1.7.3", 89706 "1.8.1", 89707 "1.8.2", 89708 "1.8.3", 89709 "1.9.1", 89710 "1.9.2" 89711 ] 89712 } 89713 ], 89714 "aliases": [ 89715 "CVE-2022-36033" 89716 ], 89717 "database_specific": { 89718 "cwe_ids": [ 89719 "CWE-79" 89720 ], 89721 "github_reviewed": true, 89722 "github_reviewed_at": "2022-09-01T22:14:57Z", 89723 "nvd_published_at": "2022-08-29T17:15:00Z", 89724 "severity": "MODERATE" 89725 }, 89726 "details": "jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow cross-site scripting (XSS) attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible.\n\n### Impact\nSites that accept input HTML from users and use jsoup to sanitize that HTML, may be vulnerable to cross-site scripting (XSS) attacks, if they have enabled `SafeList.preserveRelativeLinks` and do not set an appropriate Content Security Policy.\n\n### Patches\nThis issue is patched in jsoup 1.15.3.\n\nUsers should upgrade to this version. 
Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version.\n\n### Workarounds\nTo remediate this issue without immediately upgrading:\n\n- disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs\n- ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)\n\n### Background and root cause\njsoup includes a [Cleaner](https://jsoup.org/apidocs/org/jsoup/safety/Cleaner.html) component, which is designed to [sanitize input HTML](https://jsoup.org/cookbook/cleaning-html/safelist-sanitizer) against configurable safe-lists of acceptable tags, attributes, and attribute values.\n\nThis includes removing potentially malicious attributes such as `\u003ca href=\"javascript:...\"\u003e`, which may enable XSS attacks. It does this by validating URL attributes against allowed URL protocols (e.g. `http`, `https`).\n\nHowever, an attacker may be able to bypass this check by embedding control characters into the href attribute value. This causes the Java URL class, which is used to resolve relative URLs to absolute URLs before checking the URL's protocol, to treat the URL as a relative URL. It is then resolved into an absolute URL with the configured base URI.\n\nFor example, `java\\tscript:...` would resolve to `https://example.com/java\\tscript:...`.\n\nBy default, when using a safe-list that allows `a` tags, jsoup will rewrite any relative URLs (e.g. `/foo/`) to an absolute URL (e.g. `https://example.com/foo/`). Therefore, this attack attempt would be successfully mitigated. 
However, if the option [SafeList.preserveRelativeLinks](https://jsoup.org/apidocs/org/jsoup/safety/Safelist.html#preserveRelativeLinks(boolean)) is enabled (which does not rewrite relative links to absolute), the input is left as-is.\n\nWhile Java will treat a path like `java\\tscript:` as a relative path, as it does not match the allowed characters of a URL spec, browsers may normalize out the control characters, and subsequently evaluate it as a `javascript:` spec inline expression. That disparity then leads to an XSS opportunity.\n\nSites defining a Content Security Policy that does not allow javascript expressions in link URLs will not be impacted, as the policy will prevent the script's execution.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [jsoup](https://github.com/jhy/jsoup)\n* Email the author of jsoup at [jonathan@hedley.net](mailto:jonathan@hedley.net)\n\n### Credits\nThanks to Jens Häderer, who reported this issue, and contributed to its resolution.", 89727 "id": "GHSA-gp7f-rwcx-9369", 89728 "modified": "2024-02-19T05:36:10.577248Z", 89729 "published": "2022-09-01T22:14:57Z", 89730 "references": [ 89731 { 89732 "type": "WEB", 89733 "url": "https://github.com/jhy/jsoup/security/advisories/GHSA-gp7f-rwcx-9369" 89734 }, 89735 { 89736 "type": "ADVISORY", 89737 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36033" 89738 }, 89739 { 89740 "type": "PACKAGE", 89741 "url": "https://github.com/jhy/jsoup" 89742 }, 89743 { 89744 "type": "WEB", 89745 "url": "https://github.com/jhy/jsoup/releases/tag/jsoup-1.15.3" 89746 }, 89747 { 89748 "type": "WEB", 89749 "url": "https://jsoup.org/news/release-1.15.3" 89750 }, 89751 { 89752 "type": "WEB", 89753 "url": "https://security.netapp.com/advisory/ntap-20221104-0006" 89754 } 89755 ], 89756 "related": [ 89757 "CGA-whvj-j3x7-6cwh" 89758 ], 89759 "schema_version": "1.6.0", 89760 "severity": [ 89761 { 89762 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 
89763 "type": "CVSS_V3" 89764 } 89765 ], 89766 "summary": "jsoup may not sanitize code injection XSS attempts if SafeList.preserveRelativeLinks is enabled" 89767 }, 89768 { 89769 "affected": [ 89770 { 89771 "database_specific": { 89772 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-m72m-mhq2-9p6c/GHSA-m72m-mhq2-9p6c.json" 89773 }, 89774 "package": { 89775 "ecosystem": "Maven", 89776 "name": "org.jsoup:jsoup", 89777 "purl": "pkg:maven/org.jsoup/jsoup" 89778 }, 89779 "ranges": [ 89780 { 89781 "events": [ 89782 { 89783 "introduced": "0" 89784 }, 89785 { 89786 "fixed": "1.14.2" 89787 } 89788 ], 89789 "type": "ECOSYSTEM" 89790 } 89791 ], 89792 "versions": [ 89793 "0.2.1b", 89794 "0.2.2", 89795 "0.3.1", 89796 "1.1.1", 89797 "1.10.1", 89798 "1.10.2", 89799 "1.10.3", 89800 "1.11.1", 89801 "1.11.2", 89802 "1.11.3", 89803 "1.12.1", 89804 "1.12.2", 89805 "1.13.1", 89806 "1.14.1", 89807 "1.2.1", 89808 "1.2.2", 89809 "1.2.3", 89810 "1.3.1", 89811 "1.3.2", 89812 "1.3.3", 89813 "1.4.1", 89814 "1.5.1", 89815 "1.5.2", 89816 "1.6.0", 89817 "1.6.1", 89818 "1.6.2", 89819 "1.6.3", 89820 "1.7.1", 89821 "1.7.2", 89822 "1.7.3", 89823 "1.8.1", 89824 "1.8.2", 89825 "1.8.3", 89826 "1.9.1", 89827 "1.9.2" 89828 ] 89829 } 89830 ], 89831 "aliases": [ 89832 "CVE-2021-37714" 89833 ], 89834 "database_specific": { 89835 "cwe_ids": [ 89836 "CWE-248", 89837 "CWE-835" 89838 ], 89839 "github_reviewed": true, 89840 "github_reviewed_at": "2021-08-23T17:20:30Z", 89841 "nvd_published_at": "2021-08-18T15:15:00Z", 89842 "severity": "HIGH" 89843 }, 89844 "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\nThose using jsoup to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. 
This effect may support a denial of service attack.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\nUsers should upgrade to jsoup 1.14.2\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\nUsers may rate limit input parsing. Users should limit the size of inputs based on system resources. Users should implement thread watchdogs to cap and timeout parse runtimes.\n", 89845 "id": "GHSA-m72m-mhq2-9p6c", 89846 "modified": "2024-02-19T05:33:24.754681Z", 89847 "published": "2021-08-23T19:42:38Z", 89848 "references": [ 89849 { 89850 "type": "WEB", 89851 "url": "https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c" 89852 }, 89853 { 89854 "type": "ADVISORY", 89855 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37714" 89856 }, 89857 { 89858 "type": "PACKAGE", 89859 "url": "https://github.com/jhy/jsoup" 89860 }, 89861 { 89862 "type": "WEB", 89863 "url": "https://jsoup.org/news/release-1.14.1" 89864 }, 89865 { 89866 "type": "WEB", 89867 "url": "https://jsoup.org/news/release-1.14.2" 89868 }, 89869 { 89870 "type": "WEB", 89871 "url": "https://lists.apache.org/thread.html/r215009dbf7467a9f6506d0c0024cb36cad30071010e62c9352cfaaf0@%3Cissues.maven.apache.org%3E" 89872 }, 89873 { 89874 "type": "WEB", 89875 "url": "https://lists.apache.org/thread.html/r377b93d79817ce649e9e68b3456e6f499747ef1643fa987b342e082e@%3Cissues.maven.apache.org%3E" 89876 }, 89877 { 89878 "type": "WEB", 89879 "url": "https://lists.apache.org/thread.html/r3d71f18adb78e50f626dde689161ca63d3b7491bd9718fcddfaecba7@%3Cissues.maven.apache.org%3E" 89880 }, 89881 { 89882 "type": "WEB", 89883 "url": "https://lists.apache.org/thread.html/r50e9c9466c592ca9d707a5dea549524d19e3287da08d8392f643960e@%3Cissues.maven.apache.org%3E" 89884 }, 89885 { 89886 "type": "WEB", 89887 "url": "https://lists.apache.org/thread.html/r685c5235235ad0c26e86d0ee987fb802c9675de6081dbf0516464e0b@%3Cnotifications.james.apache.org%3E" 
89888 }, 89889 { 89890 "type": "WEB", 89891 "url": "https://lists.apache.org/thread.html/r97404676a5cf591988faedb887d64e278f522adcaa823d89ca69defe@%3Cnotifications.james.apache.org%3E" 89892 }, 89893 { 89894 "type": "WEB", 89895 "url": "https://lists.apache.org/thread.html/rc3354080fc67fb50b45b3c2d12dc4ca2a3c1c78dad3d3ba012c038aa@%3Cnotifications.james.apache.org%3E" 89896 }, 89897 { 89898 "type": "WEB", 89899 "url": "https://security.netapp.com/advisory/ntap-20220210-0022" 89900 }, 89901 { 89902 "type": "WEB", 89903 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 89904 }, 89905 { 89906 "type": "WEB", 89907 "url": "https://www.oracle.com/security-alerts/cpujan2022.html" 89908 }, 89909 { 89910 "type": "WEB", 89911 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 89912 } 89913 ], 89914 "schema_version": "1.6.0", 89915 "severity": [ 89916 { 89917 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 89918 "type": "CVSS_V3" 89919 } 89920 ], 89921 "summary": "Uncaught Exception in jsoup" 89922 }, 89923 { 89924 "affected": [ 89925 { 89926 "database_specific": { 89927 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-x9rg-q5fx-fx66/GHSA-x9rg-q5fx-fx66.json" 89928 }, 89929 "package": { 89930 "ecosystem": "Maven", 89931 "name": "org.kohsuke:libpam4j", 89932 "purl": "pkg:maven/org.kohsuke/libpam4j" 89933 }, 89934 "ranges": [ 89935 { 89936 "events": [ 89937 { 89938 "introduced": "0" 89939 }, 89940 { 89941 "fixed": "1.10" 89942 } 89943 ], 89944 "type": "ECOSYSTEM" 89945 } 89946 ], 89947 "versions": [ 89948 "1.5", 89949 "1.6", 89950 "1.7", 89951 "1.8", 89952 "1.9" 89953 ] 89954 } 89955 ], 89956 "aliases": [ 89957 "CVE-2017-12197" 89958 ], 89959 "database_specific": { 89960 "cwe_ids": [ 89961 "CWE-20" 89962 ], 89963 "github_reviewed": true, 89964 "github_reviewed_at": "2022-07-01T21:27:13Z", 89965 "nvd_published_at": "2018-01-18T21:29:00Z", 89966 "severity": "MODERATE" 89967 }, 89968 
"details": "It was found that libpam4j prior to 1.10 did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.", 89969 "id": "GHSA-x9rg-q5fx-fx66", 89970 "modified": "2023-11-08T03:58:52.089972Z", 89971 "published": "2022-05-13T01:38:10Z", 89972 "references": [ 89973 { 89974 "type": "ADVISORY", 89975 "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12197" 89976 }, 89977 { 89978 "type": "WEB", 89979 "url": "https://github.com/kohsuke/libpam4j/issues/18" 89980 }, 89981 { 89982 "type": "WEB", 89983 "url": "https://github.com/kohsuke/libpam4j/commit/02ffdff218283629ba4a902e7fe2fd44646abc21" 89984 }, 89985 { 89986 "type": "WEB", 89987 "url": "https://access.redhat.com/errata/RHSA-2017:2904" 89988 }, 89989 { 89990 "type": "WEB", 89991 "url": "https://access.redhat.com/errata/RHSA-2017:2905" 89992 }, 89993 { 89994 "type": "WEB", 89995 "url": "https://access.redhat.com/errata/RHSA-2017:2906" 89996 }, 89997 { 89998 "type": "WEB", 89999 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1503103" 90000 }, 90001 { 90002 "type": "PACKAGE", 90003 "url": "https://github.com/kohsuke/libpam4j" 90004 }, 90005 { 90006 "type": "WEB", 90007 "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00008.html" 90008 }, 90009 { 90010 "type": "WEB", 90011 "url": "https://www.debian.org/security/2017/dsa-4025" 90012 } 90013 ], 90014 "schema_version": "1.6.0", 90015 "severity": [ 90016 { 90017 "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", 90018 "type": "CVSS_V3" 90019 } 90020 ], 90021 "summary": "Improper Input Validation in libpam4j" 90022 }, 90023 { 90024 "affected": [ 90025 { 90026 "database_specific": { 90027 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-9qcf-c26r-x5rf/GHSA-9qcf-c26r-x5rf.json" 90028 }, 90029 "package": { 90030 "ecosystem": "Maven", 90031 "name": 
"org.quartz-scheduler:quartz", 90032 "purl": "pkg:maven/org.quartz-scheduler/quartz" 90033 }, 90034 "ranges": [ 90035 { 90036 "events": [ 90037 { 90038 "introduced": "0" 90039 }, 90040 { 90041 "fixed": "2.3.2" 90042 } 90043 ], 90044 "type": "ECOSYSTEM" 90045 } 90046 ], 90047 "versions": [ 90048 "1.7.2", 90049 "1.7.3", 90050 "1.8.0", 90051 "1.8.1", 90052 "1.8.2", 90053 "1.8.3", 90054 "1.8.4", 90055 "1.8.5", 90056 "1.8.6", 90057 "2.0.0", 90058 "2.0.1", 90059 "2.0.2", 90060 "2.1.0", 90061 "2.1.1", 90062 "2.1.2", 90063 "2.1.3", 90064 "2.1.4", 90065 "2.1.5", 90066 "2.1.6", 90067 "2.1.7", 90068 "2.2.0", 90069 "2.2.1", 90070 "2.2.2", 90071 "2.2.3", 90072 "2.3.0", 90073 "2.3.1" 90074 ] 90075 } 90076 ], 90077 "aliases": [ 90078 "CVE-2019-13990" 90079 ], 90080 "database_specific": { 90081 "cwe_ids": [ 90082 "CWE-611" 90083 ], 90084 "github_reviewed": true, 90085 "github_reviewed_at": "2020-07-01T17:54:54Z", 90086 "nvd_published_at": "2019-07-26T19:15:00Z", 90087 "severity": "CRITICAL" 90088 }, 90089 "details": "initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.", 90090 "id": "GHSA-9qcf-c26r-x5rf", 90091 "modified": "2024-03-12T05:34:13.564661Z", 90092 "published": "2020-07-01T17:55:03Z", 90093 "references": [ 90094 { 90095 "type": "ADVISORY", 90096 "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13990" 90097 }, 90098 { 90099 "type": "WEB", 90100 "url": "https://github.com/quartz-scheduler/quartz/issues/467" 90101 }, 90102 { 90103 "type": "WEB", 90104 "url": "https://github.com/quartz-scheduler/quartz/pull/501" 90105 }, 90106 { 90107 "type": "WEB", 90108 "url": "https://github.com/quartz-scheduler/quartz/commit/13c1d45aa1db15d0fa0e4997139c99ba219be551" 90109 }, 90110 { 90111 "type": "WEB", 90112 "url": "https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a@%3Ccommits.tomee.apache.org%3E" 90113 }, 90114 { 90115 "type": "WEB", 90116 "url": 
"https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E" 90117 }, 90118 { 90119 "type": "WEB", 90120 "url": "https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf@%3Ccommits.tomee.apache.org%3E" 90121 }, 90122 { 90123 "type": "WEB", 90124 "url": "https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E" 90125 }, 90126 { 90127 "type": "WEB", 90128 "url": "https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa@%3Ccommits.tomee.apache.org%3E" 90129 }, 90130 { 90131 "type": "WEB", 90132 "url": "https://security.netapp.com/advisory/ntap-20221028-0002" 90133 }, 90134 { 90135 "type": "WEB", 90136 "url": "https://snyk.io/vuln/SNYK-JAVA-ORGQUARTZSCHEDULER-461170" 90137 }, 90138 { 90139 "type": "WEB", 90140 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 90141 }, 90142 { 90143 "type": "WEB", 90144 "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" 90145 }, 90146 { 90147 "type": "WEB", 90148 "url": "https://www.oracle.com/security-alerts/cpujan2021.html" 90149 }, 90150 { 90151 "type": "WEB", 90152 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 90153 }, 90154 { 90155 "type": "WEB", 90156 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 90157 }, 90158 { 90159 "type": "WEB", 90160 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 90161 }, 90162 { 90163 "type": "WEB", 90164 "url": "https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E" 90165 }, 90166 { 90167 "type": "WEB", 90168 "url": "https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf@%3Ccommits.tomee.apache.org%3E" 90169 }, 90170 { 90171 "type": "WEB", 90172 "url": 
"https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E" 90173 }, 90174 { 90175 "type": "WEB", 90176 "url": "https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629@%3Cdev.tomee.apache.org%3E" 90177 }, 90178 { 90179 "type": "WEB", 90180 "url": "https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E" 90181 }, 90182 { 90183 "type": "WEB", 90184 "url": "https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949@%3Cdev.tomee.apache.org%3E" 90185 }, 90186 { 90187 "type": "WEB", 90188 "url": "https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E" 90189 }, 90190 { 90191 "type": "WEB", 90192 "url": "https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3@%3Cdev.tomee.apache.org%3E" 90193 }, 90194 { 90195 "type": "WEB", 90196 "url": "https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E" 90197 }, 90198 { 90199 "type": "WEB", 90200 "url": "https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82@%3Cdev.tomee.apache.org%3E" 90201 }, 90202 { 90203 "type": "WEB", 90204 "url": "https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E" 90205 }, 90206 { 90207 "type": "PACKAGE", 90208 "url": "https://github.com/quartz-scheduler/quartz" 90209 }, 90210 { 90211 "type": "WEB", 90212 "url": "https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html" 90213 } 90214 ], 90215 "schema_version": "1.6.0", 90216 "severity": [ 90217 { 90218 "score": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 90219 "type": "CVSS_V3" 90220 } 90221 ], 90222 "summary": "XML external entity injection in Terracotta Quartz Scheduler" 90223 }, 90224 { 90225 "affected": [ 90226 { 90227 "database_specific": { 90228 "last_known_affected_version_range": "\u003c= 1.7.25", 90229 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w77p-8cfg-2x43/GHSA-w77p-8cfg-2x43.json" 90230 }, 90231 "package": { 90232 "ecosystem": "Maven", 90233 "name": "org.slf4j:slf4j-ext", 90234 "purl": "pkg:maven/org.slf4j/slf4j-ext" 90235 }, 90236 "ranges": [ 90237 { 90238 "events": [ 90239 { 90240 "introduced": "0" 90241 }, 90242 { 90243 "fixed": "1.7.26" 90244 } 90245 ], 90246 "type": "ECOSYSTEM" 90247 } 90248 ], 90249 "versions": [ 90250 "1.0-alpha0", 90251 "1.5.10", 90252 "1.5.11", 90253 "1.5.4", 90254 "1.5.5", 90255 "1.5.6", 90256 "1.5.7", 90257 "1.5.8", 90258 "1.5.9-RC0", 90259 "1.5.9.RC1", 90260 "1.6.0", 90261 "1.6.0-RC0", 90262 "1.6.0-alpha2", 90263 "1.6.1", 90264 "1.6.2", 90265 "1.6.3", 90266 "1.6.4", 90267 "1.6.5", 90268 "1.6.6", 90269 "1.7.0", 90270 "1.7.1", 90271 "1.7.10", 90272 "1.7.11", 90273 "1.7.12", 90274 "1.7.13", 90275 "1.7.14", 90276 "1.7.15", 90277 "1.7.16", 90278 "1.7.18", 90279 "1.7.19", 90280 "1.7.2", 90281 "1.7.20", 90282 "1.7.21", 90283 "1.7.22", 90284 "1.7.23", 90285 "1.7.24", 90286 "1.7.25", 90287 "1.7.3", 90288 "1.7.4", 90289 "1.7.5", 90290 "1.7.6", 90291 "1.7.7", 90292 "1.7.8", 90293 "1.7.9" 90294 ] 90295 }, 90296 { 90297 "database_specific": { 90298 "last_known_affected_version_range": "\u003c= 1.8.0-beta2", 90299 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w77p-8cfg-2x43/GHSA-w77p-8cfg-2x43.json" 90300 }, 90301 "package": { 90302 "ecosystem": "Maven", 90303 "name": "org.slf4j:slf4j-ext", 90304 "purl": "pkg:maven/org.slf4j/slf4j-ext" 90305 }, 90306 "ranges": [ 90307 { 90308 "events": [ 90309 { 90310 "introduced": 
"1.8.0-alpha0" 90311 }, 90312 { 90313 "fixed": "1.8.0-beta4" 90314 } 90315 ], 90316 "type": "ECOSYSTEM" 90317 } 90318 ], 90319 "versions": [ 90320 "1.8.0-alpha0", 90321 "1.8.0-alpha1", 90322 "1.8.0-alpha2", 90323 "1.8.0-beta0", 90324 "1.8.0-beta1", 90325 "1.8.0-beta2" 90326 ] 90327 } 90328 ], 90329 "aliases": [ 90330 "CVE-2018-8088" 90331 ], 90332 "database_specific": { 90333 "cwe_ids": [ 90334 "CWE-284" 90335 ], 90336 "github_reviewed": true, 90337 "github_reviewed_at": "2022-06-29T18:51:39Z", 90338 "nvd_published_at": "2018-03-20T16:29:00Z", 90339 "severity": "CRITICAL" 90340 }, 90341 "details": "org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before `1.8.0-beta4` allows remote attackers to bypass intended access restrictions via crafted data. EventData in the slf4j-ext module in QOS.CH SLF4J, has been fixed in SLF4J version `1.7.26` and later and in the `2.0.x` series.\n\nNote that while the [fix commit](https://github.com/qos-ch/slf4j/commit/d2b27fba88e983f921558da27fc29b5f5d269405) is associated with the tag `1.8.0-beta3`, the versions in [Maven](https://mvnrepository.com/artifact/org.slf4j/slf4j-ext) go directly from `1.8.0-beta2` to `1.8.0-beta4`.", 90342 "id": "GHSA-w77p-8cfg-2x43", 90343 "modified": "2024-03-10T05:18:53.885836Z", 90344 "published": "2022-05-13T01:04:09Z", 90345 "references": [ 90346 { 90347 "type": "ADVISORY", 90348 "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8088" 90349 }, 90350 { 90351 "type": "WEB", 90352 "url": "https://github.com/qos-ch/slf4j/commit/d2b27fba88e983f921558da27fc29b5f5d269405" 90353 }, 90354 { 90355 "type": "WEB", 90356 "url": "https://lists.apache.org/thread.html/rc378b97d52856f9f3c5ced14771fed8357e4187a3a0f9a2f0515931a@%3Cissues.zookeeper.apache.org%3E" 90357 }, 90358 { 90359 "type": "WEB", 90360 "url": "https://lists.apache.org/thread.html/rc378b97d52856f9f3c5ced14771fed8357e4187a3a0f9a2f0515931a%40%3Cissues.zookeeper.apache.org%3E" 90361 }, 90362 { 90363 "type": "WEB", 90364 "url": 
"https://lists.apache.org/thread.html/raabf1a00b2652575fca9fcb44166a828a0cab97a7d1594001eabc991@%3Ccommon-issues.hadoop.apache.org%3E" 90365 }, 90366 { 90367 "type": "WEB", 90368 "url": "https://lists.apache.org/thread.html/raabf1a00b2652575fca9fcb44166a828a0cab97a7d1594001eabc991%40%3Ccommon-issues.hadoop.apache.org%3E" 90369 }, 90370 { 90371 "type": "WEB", 90372 "url": "https://lists.apache.org/thread.html/r9e25496608036573736cee484d8d03dae400f09e443b0000b6adc042@%3Ccommits.iotdb.apache.org%3E" 90373 }, 90374 { 90375 "type": "WEB", 90376 "url": "https://lists.apache.org/thread.html/r9e25496608036573736cee484d8d03dae400f09e443b0000b6adc042%40%3Ccommits.iotdb.apache.org%3E" 90377 }, 90378 { 90379 "type": "WEB", 90380 "url": "https://lists.apache.org/thread.html/r99a6552e45ca6ba1082031421f51799a4a665eda905ab2c2aa9d6ffa@%3Cdev.flink.apache.org%3E" 90381 }, 90382 { 90383 "type": "WEB", 90384 "url": "https://lists.apache.org/thread.html/r99a6552e45ca6ba1082031421f51799a4a665eda905ab2c2aa9d6ffa%40%3Cdev.flink.apache.org%3E" 90385 }, 90386 { 90387 "type": "WEB", 90388 "url": "https://lists.apache.org/thread.html/r9584c4304c888f651d214341a939bd264ed30c9e3d0d30fe85097ecf@%3Ccommits.pulsar.apache.org%3E" 90389 }, 90390 { 90391 "type": "WEB", 90392 "url": "https://lists.apache.org/thread.html/r9584c4304c888f651d214341a939bd264ed30c9e3d0d30fe85097ecf%40%3Ccommits.pulsar.apache.org%3E" 90393 }, 90394 { 90395 "type": "WEB", 90396 "url": "https://lists.apache.org/thread.html/r891761d5014f9ffd79d9737482de832462de538b6c4bdcef21aad729@%3Cissues.flink.apache.org%3E" 90397 }, 90398 { 90399 "type": "WEB", 90400 "url": "https://lists.apache.org/thread.html/r891761d5014f9ffd79d9737482de832462de538b6c4bdcef21aad729%40%3Cissues.flink.apache.org%3E" 90401 }, 90402 { 90403 "type": "WEB", 90404 "url": "https://lists.apache.org/thread.html/r81711cde77c2c5742b7b8533c978e79771b700af0ef4d3149d70df25@%3Cnotifications.logging.apache.org%3E" 90405 }, 90406 { 90407 "type": "WEB", 90408 "url": 
"https://lists.apache.org/thread.html/r81711cde77c2c5742b7b8533c978e79771b700af0ef4d3149d70df25%40%3Cnotifications.logging.apache.org%3E" 90409 }, 90410 { 90411 "type": "WEB", 90412 "url": "https://lists.apache.org/thread.html/r767861f053c15f9e9201b939a0d508dd58475a072e76135eaaca17f0@%3Ccommon-issues.hadoop.apache.org%3E" 90413 }, 90414 { 90415 "type": "WEB", 90416 "url": "https://lists.apache.org/thread.html/r767861f053c15f9e9201b939a0d508dd58475a072e76135eaaca17f0%40%3Ccommon-issues.hadoop.apache.org%3E" 90417 }, 90418 { 90419 "type": "WEB", 90420 "url": "https://lists.apache.org/thread.html/r5cf87a035b297c19f4043a37b73c341576dd92f819bd3e4aa27de541@%3Cissues.flink.apache.org%3E" 90421 }, 90422 { 90423 "type": "WEB", 90424 "url": "https://lists.apache.org/thread.html/r5cf87a035b297c19f4043a37b73c341576dd92f819bd3e4aa27de541%40%3Cissues.flink.apache.org%3E" 90425 }, 90426 { 90427 "type": "WEB", 90428 "url": "https://lists.apache.org/thread.html/r573eb577a67503e72181eee637d9b0ac042197e632bcdfce76af06a3@%3Cissues.flink.apache.org%3E" 90429 }, 90430 { 90431 "type": "WEB", 90432 "url": "https://lists.apache.org/thread.html/r573eb577a67503e72181eee637d9b0ac042197e632bcdfce76af06a3%40%3Cissues.flink.apache.org%3E" 90433 }, 90434 { 90435 "type": "WEB", 90436 "url": "https://lists.apache.org/thread.html/r48247c12cf652e95a01fc94ee5aa8641f3ec481235774790e53eb55e@%3Creviews.iotdb.apache.org%3E" 90437 }, 90438 { 90439 "type": "WEB", 90440 "url": "https://www.slf4j.org/news.html" 90441 }, 90442 { 90443 "type": "WEB", 90444 "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" 90445 }, 90446 { 90447 "type": "WEB", 90448 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 90449 }, 90450 { 90451 "type": "WEB", 90452 "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" 90453 }, 90454 { 90455 "type": "WEB", 90456 "url": "https://www.oracle.com/security-alerts/cpujul2020.html" 90457 }, 90458 { 90459 "type": "WEB", 90460 "url": 
"https://security.netapp.com/advisory/ntap-20231227-0010" 90461 }, 90462 { 90463 "type": "WEB", 90464 "url": "https://lists.apache.org/thread.html/rfe52b7cbba4dcba521e13130e5d28d5818b78d70db0af1b470fa0264@%3Ccommon-issues.hadoop.apache.org%3E" 90465 }, 90466 { 90467 "type": "WEB", 90468 "url": "https://lists.apache.org/thread.html/rfe52b7cbba4dcba521e13130e5d28d5818b78d70db0af1b470fa0264%40%3Ccommon-issues.hadoop.apache.org%3E" 90469 }, 90470 { 90471 "type": "WEB", 90472 "url": "https://lists.apache.org/thread.html/rfb45527bad7220ada9e30957762e1da254ce405e67cc3ddf6f3558d9@%3Creviews.iotdb.apache.org%3E" 90473 }, 90474 { 90475 "type": "WEB", 90476 "url": "https://lists.apache.org/thread.html/rfb45527bad7220ada9e30957762e1da254ce405e67cc3ddf6f3558d9%40%3Creviews.iotdb.apache.org%3E" 90477 }, 90478 { 90479 "type": "WEB", 90480 "url": "https://lists.apache.org/thread.html/rf58e1bee31d66665437dde9acd9abed53f8483034b69fa9ca7cde09c@%3Cdev.zookeeper.apache.org%3E" 90481 }, 90482 { 90483 "type": "WEB", 90484 "url": "https://lists.apache.org/thread.html/rf58e1bee31d66665437dde9acd9abed53f8483034b69fa9ca7cde09c%40%3Cdev.zookeeper.apache.org%3E" 90485 }, 90486 { 90487 "type": "WEB", 90488 "url": "https://lists.apache.org/thread.html/reb3eeb985afdead17fadb7c33d5d472c1015a85ea5c9b038ec77f378@%3Ccommon-dev.hadoop.apache.org%3E" 90489 }, 90490 { 90491 "type": "WEB", 90492 "url": "https://lists.apache.org/thread.html/reb3eeb985afdead17fadb7c33d5d472c1015a85ea5c9b038ec77f378%40%3Ccommon-dev.hadoop.apache.org%3E" 90493 }, 90494 { 90495 "type": "WEB", 90496 "url": "https://lists.apache.org/thread.html/re6fb6b0de9d679310437ff87fc94e39da5a14dce9c73864a41837462@%3Ccommon-commits.hadoop.apache.org%3E" 90497 }, 90498 { 90499 "type": "WEB", 90500 "url": "https://lists.apache.org/thread.html/re6fb6b0de9d679310437ff87fc94e39da5a14dce9c73864a41837462%40%3Ccommon-commits.hadoop.apache.org%3E" 90501 }, 90502 { 90503 "type": "WEB", 90504 "url": 
"https://lists.apache.org/thread.html/rd86db9679150e9297b5c0fcb6f0e80a8b81b54fcf423de5a914bca78@%3Ccommon-commits.hadoop.apache.org%3E" 90505 }, 90506 { 90507 "type": "WEB", 90508 "url": "https://lists.apache.org/thread.html/rd86db9679150e9297b5c0fcb6f0e80a8b81b54fcf423de5a914bca78%40%3Ccommon-commits.hadoop.apache.org%3E" 90509 }, 90510 { 90511 "type": "WEB", 90512 "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E" 90513 }, 90514 { 90515 "type": "WEB", 90516 "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E" 90517 }, 90518 { 90519 "type": "WEB", 90520 "url": "https://lists.apache.org/thread.html/rc7de83170d3402af15bfed3d59f80aea20f250535bdce30e4cad24db@%3Cissues.flink.apache.org%3E" 90521 }, 90522 { 90523 "type": "WEB", 90524 "url": "https://lists.apache.org/thread.html/rc7de83170d3402af15bfed3d59f80aea20f250535bdce30e4cad24db%40%3Cissues.flink.apache.org%3E" 90525 }, 90526 { 90527 "type": "WEB", 90528 "url": "https://access.redhat.com/errata/RHSA-2018:2669" 90529 }, 90530 { 90531 "type": "WEB", 90532 "url": "https://access.redhat.com/errata/RHSA-2018:2420" 90533 }, 90534 { 90535 "type": "WEB", 90536 "url": "https://access.redhat.com/errata/RHSA-2018:2419" 90537 }, 90538 { 90539 "type": "WEB", 90540 "url": "https://access.redhat.com/errata/RHSA-2018:2143" 90541 }, 90542 { 90543 "type": "WEB", 90544 "url": "https://access.redhat.com/errata/RHSA-2018:1575" 90545 }, 90546 { 90547 "type": "WEB", 90548 "url": "https://access.redhat.com/errata/RHSA-2018:1525" 90549 }, 90550 { 90551 "type": "WEB", 90552 "url": "https://access.redhat.com/errata/RHSA-2018:1451" 90553 }, 90554 { 90555 "type": "WEB", 90556 "url": "https://access.redhat.com/errata/RHSA-2018:1450" 90557 }, 90558 { 90559 "type": "WEB", 90560 "url": "https://access.redhat.com/errata/RHSA-2018:1449" 90561 }, 90562 { 90563 "type": "WEB", 90564 
"url": "https://access.redhat.com/errata/RHSA-2018:1448" 90565 }, 90566 { 90567 "type": "WEB", 90568 "url": "https://access.redhat.com/errata/RHSA-2018:1447" 90569 }, 90570 { 90571 "type": "WEB", 90572 "url": "https://access.redhat.com/errata/RHSA-2018:1323" 90573 }, 90574 { 90575 "type": "WEB", 90576 "url": "https://access.redhat.com/errata/RHSA-2018:1251" 90577 }, 90578 { 90579 "type": "WEB", 90580 "url": "https://access.redhat.com/errata/RHSA-2018:1249" 90581 }, 90582 { 90583 "type": "WEB", 90584 "url": "https://access.redhat.com/errata/RHSA-2018:1248" 90585 }, 90586 { 90587 "type": "WEB", 90588 "url": "https://access.redhat.com/errata/RHSA-2018:1247" 90589 }, 90590 { 90591 "type": "WEB", 90592 "url": "https://access.redhat.com/errata/RHSA-2018:0630" 90593 }, 90594 { 90595 "type": "WEB", 90596 "url": "https://access.redhat.com/errata/RHSA-2018:0629" 90597 }, 90598 { 90599 "type": "WEB", 90600 "url": "https://access.redhat.com/errata/RHSA-2018:0628" 90601 }, 90602 { 90603 "type": "WEB", 90604 "url": "https://access.redhat.com/errata/RHSA-2018:0627" 90605 }, 90606 { 90607 "type": "WEB", 90608 "url": "https://access.redhat.com/errata/RHSA-2018:0592" 90609 }, 90610 { 90611 "type": "WEB", 90612 "url": "https://access.redhat.com/errata/RHSA-2018:0582" 90613 }, 90614 { 90615 "type": "WEB", 90616 "url": "https://lists.apache.org/thread.html/r48247c12cf652e95a01fc94ee5aa8641f3ec481235774790e53eb55e%40%3Creviews.iotdb.apache.org%3E" 90617 }, 90618 { 90619 "type": "WEB", 90620 "url": "https://lists.apache.org/thread.html/r37644f0a00aca9fbcbc21c0f9a91f927b63153ec3607be469cd515e5@%3Creviews.iotdb.apache.org%3E" 90621 }, 90622 { 90623 "type": "WEB", 90624 "url": "https://lists.apache.org/thread.html/r37644f0a00aca9fbcbc21c0f9a91f927b63153ec3607be469cd515e5%40%3Creviews.iotdb.apache.org%3E" 90625 }, 90626 { 90627 "type": "WEB", 90628 "url": "https://lists.apache.org/thread.html/r32be21da011479df41468a62bc09d12f0d3b4e3a71679d33cb0e8c56@%3Cissues.zookeeper.apache.org%3E" 90629 
}, 90630 { 90631 "type": "WEB", 90632 "url": "https://lists.apache.org/thread.html/r32be21da011479df41468a62bc09d12f0d3b4e3a71679d33cb0e8c56%40%3Cissues.zookeeper.apache.org%3E" 90633 }, 90634 { 90635 "type": "WEB", 90636 "url": "https://lists.apache.org/thread.html/r2d05924f903403927a2f4e78d9b1249a42f0bd09f69a7c1954d74a42@%3Creviews.iotdb.apache.org%3E" 90637 }, 90638 { 90639 "type": "WEB", 90640 "url": "https://lists.apache.org/thread.html/r2d05924f903403927a2f4e78d9b1249a42f0bd09f69a7c1954d74a42%40%3Creviews.iotdb.apache.org%3E" 90641 }, 90642 { 90643 "type": "WEB", 90644 "url": "https://lists.apache.org/thread.html/r17e7e6abc53d29c0e269153517d36f4bec2755b95900596e6df15cbe@%3Cnotifications.iotdb.apache.org%3E" 90645 }, 90646 { 90647 "type": "WEB", 90648 "url": "https://lists.apache.org/thread.html/r17e7e6abc53d29c0e269153517d36f4bec2755b95900596e6df15cbe%40%3Cnotifications.iotdb.apache.org%3E" 90649 }, 90650 { 90651 "type": "WEB", 90652 "url": "https://lists.apache.org/thread.html/r1660c72a660f0522947ca6ce329dcc74e1ee20c58bbe208472754489@%3Ccommon-issues.hadoop.apache.org%3E" 90653 }, 90654 { 90655 "type": "WEB", 90656 "url": "https://lists.apache.org/thread.html/r1660c72a660f0522947ca6ce329dcc74e1ee20c58bbe208472754489%40%3Ccommon-issues.hadoop.apache.org%3E" 90657 }, 90658 { 90659 "type": "WEB", 90660 "url": "https://lists.apache.org/thread.html/r0f376559fd39cf1a53ac3afbc1fc5d62649dcac9916d4697445a94fa@%3Cissues.zookeeper.apache.org%3E" 90661 }, 90662 { 90663 "type": "WEB", 90664 "url": "https://lists.apache.org/thread.html/r0f376559fd39cf1a53ac3afbc1fc5d62649dcac9916d4697445a94fa%40%3Cissues.zookeeper.apache.org%3E" 90665 }, 90666 { 90667 "type": "WEB", 90668 "url": "https://lists.apache.org/thread.html/95ce76613c869dbccf1d3d29327099ccc71aeec156f76c30853044fa@%3Cdevnull.infra.apache.org%3E" 90669 }, 90670 { 90671 "type": "WEB", 90672 "url": 
"https://lists.apache.org/thread.html/95ce76613c869dbccf1d3d29327099ccc71aeec156f76c30853044fa%40%3Cdevnull.infra.apache.org%3E" 90673 }, 90674 { 90675 "type": "WEB", 90676 "url": "https://lists.apache.org/thread.html/956ba8e76b6793a6670b2eb0129a5e3003ce2124ca3130fd57d48d0f@%3Cdevnull.infra.apache.org%3E" 90677 }, 90678 { 90679 "type": "WEB", 90680 "url": "https://lists.apache.org/thread.html/956ba8e76b6793a6670b2eb0129a5e3003ce2124ca3130fd57d48d0f%40%3Cdevnull.infra.apache.org%3E" 90681 }, 90682 { 90683 "type": "WEB", 90684 "url": "https://jira.qos.ch/browse/SLF4J-431" 90685 }, 90686 { 90687 "type": "WEB", 90688 "url": "https://jira.qos.ch/browse/SLF4J-430" 90689 }, 90690 { 90691 "type": "WEB", 90692 "url": "https://access.redhat.com/errata/RHSA-2019:3140" 90693 }, 90694 { 90695 "type": "WEB", 90696 "url": "https://access.redhat.com/errata/RHSA-2019:2413" 90697 }, 90698 { 90699 "type": "WEB", 90700 "url": "https://access.redhat.com/errata/RHSA-2018:2930" 90701 }, 90702 { 90703 "type": "WEB", 90704 "url": "http://www.securityfocus.com/bid/103737" 90705 }, 90706 { 90707 "type": "WEB", 90708 "url": "http://www.securitytracker.com/id/1040627" 90709 } 90710 ], 90711 "schema_version": "1.6.0", 90712 "severity": [ 90713 { 90714 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 90715 "type": "CVSS_V3" 90716 } 90717 ], 90718 "summary": "Improper Access Control in SLF4J" 90719 }, 90720 { 90721 "affected": [ 90722 { 90723 "database_specific": { 90724 "last_known_affected_version_range": "\u003c= 1.1.10.3", 90725 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-55g7-9cwv-5qfv/GHSA-55g7-9cwv-5qfv.json" 90726 }, 90727 "package": { 90728 "ecosystem": "Maven", 90729 "name": "org.xerial.snappy:snappy-java", 90730 "purl": "pkg:maven/org.xerial.snappy/snappy-java" 90731 }, 90732 "ranges": [ 90733 { 90734 "events": [ 90735 { 90736 "introduced": "0" 90737 }, 90738 { 90739 "fixed": "1.1.10.4" 90740 } 90741 ], 90742 "type": 
"ECOSYSTEM" 90743 } 90744 ], 90745 "versions": [ 90746 "1.0.1-rc1", 90747 "1.0.1-rc2", 90748 "1.0.1-rc3", 90749 "1.0.1-rc4", 90750 "1.0.3", 90751 "1.0.3-rc1", 90752 "1.0.3-rc2", 90753 "1.0.3-rc3", 90754 "1.0.3-rc4", 90755 "1.0.3.1", 90756 "1.0.3.2", 90757 "1.0.3.3", 90758 "1.0.4", 90759 "1.0.4.1", 90760 "1.0.5", 90761 "1.0.5-M1", 90762 "1.0.5-M2", 90763 "1.0.5-M3", 90764 "1.0.5-M4", 90765 "1.0.5.1", 90766 "1.0.5.2", 90767 "1.0.5.3", 90768 "1.0.5.4", 90769 "1.1.0", 90770 "1.1.0-M1", 90771 "1.1.0-M2", 90772 "1.1.0-M3", 90773 "1.1.0-M4", 90774 "1.1.0.1", 90775 "1.1.1", 90776 "1.1.1-M1", 90777 "1.1.1-M2", 90778 "1.1.1-M3", 90779 "1.1.1-M4", 90780 "1.1.1.1", 90781 "1.1.1.2", 90782 "1.1.1.3", 90783 "1.1.1.4", 90784 "1.1.1.5", 90785 "1.1.1.6", 90786 "1.1.1.7", 90787 "1.1.10.0", 90788 "1.1.10.1", 90789 "1.1.10.2", 90790 "1.1.10.3", 90791 "1.1.2", 90792 "1.1.2-M1", 90793 "1.1.2-RC1", 90794 "1.1.2-RC2", 90795 "1.1.2-RC3", 90796 "1.1.2.1", 90797 "1.1.2.2", 90798 "1.1.2.3", 90799 "1.1.2.4", 90800 "1.1.2.5", 90801 "1.1.2.6", 90802 "1.1.3-M1", 90803 "1.1.3-M2", 90804 "1.1.4", 90805 "1.1.4-M1", 90806 "1.1.4-M2", 90807 "1.1.4-M3", 90808 "1.1.7", 90809 "1.1.7.1", 90810 "1.1.7.2", 90811 "1.1.7.3", 90812 "1.1.7.4", 90813 "1.1.7.5", 90814 "1.1.7.6", 90815 "1.1.7.7", 90816 "1.1.7.8", 90817 "1.1.8", 90818 "1.1.8.1", 90819 "1.1.8.2", 90820 "1.1.8.3", 90821 "1.1.8.4", 90822 "1.1.9.0", 90823 "1.1.9.1" 90824 ] 90825 } 90826 ], 90827 "aliases": [ 90828 "CVE-2023-43642" 90829 ], 90830 "database_specific": { 90831 "cwe_ids": [ 90832 "CWE-770" 90833 ], 90834 "github_reviewed": true, 90835 "github_reviewed_at": "2023-09-25T18:30:18Z", 90836 "nvd_published_at": "2023-09-25T20:15:11Z", 90837 "severity": "HIGH" 90838 }, 90839 "details": "### Summary\n\nsnappy-java is a data compression library in Java. Its SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too-large chunk size. 
Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. \n\n### Scope\n\nAll versions of snappy-java including the latest released version 1.1.10.3. A fix is applied in 1.1.10.4\n\n### Details\nWhile performing mitigation efforts related to [CVE-2023-34455](https://nvd.nist.gov/vuln/detail/CVE-2023-34455) in Confluent products, our Application Security team closely analyzed the fix that was accepted and merged into snappy-java version 1.1.10.1 in [this](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea) commit. The check on [line 421](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea#diff-c3e53610267092989965e8c7dd2d4417d355ff7f560f9e8075b365f32569079fR421) only attempts to check if chunkSize is not a negative value. We believe that this is an inadequate fix as it misses an upper-bounds check for overly positive values such as 0x7FFFFFFF (or (2,147,483,647 in decimal) before actually [attempting to allocate](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea#diff-c3e53610267092989965e8c7dd2d4417d355ff7f560f9e8075b365f32569079fR429) the provided unverified number of bytes via the “chunkSize” variable. This missing upper-bounds check can lead to the applications depending upon snappy-java to allocate an inappropriate number of bytes on the heap which can then cause an java.lang.OutOfMemoryError exception. 
Under some specific conditions and contexts, this can lead to a Denial-of-Service (DoS) attack with a direct impact on the availability of the dependent implementations based on the usage of the snappy-java library for compression/decompression needs.\n\n### PoC\nCompile and run the following code:\n```\npackage org.example;\nimport org.xerial.snappy.SnappyInputStream;\n\nimport java.io.*;\n\npublic class Main {\n\n public static void main(String[] args) throws IOException {\n byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};\n SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));\n byte[] out = new byte[50];\n try {\n in.read(out);\n }\n catch (Exception ignored) {\n }\n }\n}\n```\n\n### Impact\nDenial of Service of applications dependent on snappy-java especially if `ExitOnOutOfMemoryError` or `CrashOnOutOfMemoryError` is configured on the JVM.\n\n### Credits\nJan Werner, Mukul Khullar and Bharadwaj Machiraju from Confluent's Application Security team. 
\n\nWe kindly request for a new CVE ID to be assigned once you acknowledge this vulnerability.", 90840 "id": "GHSA-55g7-9cwv-5qfv", 90841 "modified": "2024-02-16T08:07:08.591827Z", 90842 "published": "2023-09-25T18:30:18Z", 90843 "references": [ 90844 { 90845 "type": "WEB", 90846 "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv" 90847 }, 90848 { 90849 "type": "ADVISORY", 90850 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43642" 90851 }, 90852 { 90853 "type": "WEB", 90854 "url": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5" 90855 }, 90856 { 90857 "type": "PACKAGE", 90858 "url": "https://github.com/xerial/snappy-java" 90859 }, 90860 { 90861 "type": "WEB", 90862 "url": "https://github.com/xerial/snappy-java/releases/tag/v1.1.10.4" 90863 } 90864 ], 90865 "related": [ 90866 "CGA-82h8-5945-hf9h", 90867 "CGA-hp96-wjrq-9f66" 90868 ], 90869 "schema_version": "1.6.0", 90870 "severity": [ 90871 { 90872 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 90873 "type": "CVSS_V3" 90874 } 90875 ], 90876 "summary": "snappy-java's missing upper bound check on chunk length can lead to Denial of Service (DoS) impact" 90877 }, 90878 { 90879 "affected": [ 90880 { 90881 "database_specific": { 90882 "last_known_affected_version_range": "\u003c= 1.1.10.0", 90883 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-fjpj-2g6w-x25r/GHSA-fjpj-2g6w-x25r.json" 90884 }, 90885 "package": { 90886 "ecosystem": "Maven", 90887 "name": "org.xerial.snappy:snappy-java", 90888 "purl": "pkg:maven/org.xerial.snappy/snappy-java" 90889 }, 90890 "ranges": [ 90891 { 90892 "events": [ 90893 { 90894 "introduced": "0" 90895 }, 90896 { 90897 "fixed": "1.1.10.1" 90898 } 90899 ], 90900 "type": "ECOSYSTEM" 90901 } 90902 ], 90903 "versions": [ 90904 "1.0.1-rc1", 90905 "1.0.1-rc2", 90906 "1.0.1-rc3", 90907 "1.0.1-rc4", 90908 "1.0.3", 90909 "1.0.3-rc1", 90910 "1.0.3-rc2", 90911 
"1.0.3-rc3", 90912 "1.0.3-rc4", 90913 "1.0.3.1", 90914 "1.0.3.2", 90915 "1.0.3.3", 90916 "1.0.4", 90917 "1.0.4.1", 90918 "1.0.5", 90919 "1.0.5-M1", 90920 "1.0.5-M2", 90921 "1.0.5-M3", 90922 "1.0.5-M4", 90923 "1.0.5.1", 90924 "1.0.5.2", 90925 "1.0.5.3", 90926 "1.0.5.4", 90927 "1.1.0", 90928 "1.1.0-M1", 90929 "1.1.0-M2", 90930 "1.1.0-M3", 90931 "1.1.0-M4", 90932 "1.1.0.1", 90933 "1.1.1", 90934 "1.1.1-M1", 90935 "1.1.1-M2", 90936 "1.1.1-M3", 90937 "1.1.1-M4", 90938 "1.1.1.1", 90939 "1.1.1.2", 90940 "1.1.1.3", 90941 "1.1.1.4", 90942 "1.1.1.5", 90943 "1.1.1.6", 90944 "1.1.1.7", 90945 "1.1.10.0", 90946 "1.1.2", 90947 "1.1.2-M1", 90948 "1.1.2-RC1", 90949 "1.1.2-RC2", 90950 "1.1.2-RC3", 90951 "1.1.2.1", 90952 "1.1.2.2", 90953 "1.1.2.3", 90954 "1.1.2.4", 90955 "1.1.2.5", 90956 "1.1.2.6", 90957 "1.1.3-M1", 90958 "1.1.3-M2", 90959 "1.1.4", 90960 "1.1.4-M1", 90961 "1.1.4-M2", 90962 "1.1.4-M3", 90963 "1.1.7", 90964 "1.1.7.1", 90965 "1.1.7.2", 90966 "1.1.7.3", 90967 "1.1.7.4", 90968 "1.1.7.5", 90969 "1.1.7.6", 90970 "1.1.7.7", 90971 "1.1.7.8", 90972 "1.1.8", 90973 "1.1.8.1", 90974 "1.1.8.2", 90975 "1.1.8.3", 90976 "1.1.8.4", 90977 "1.1.9.0", 90978 "1.1.9.1" 90979 ] 90980 } 90981 ], 90982 "aliases": [ 90983 "CVE-2023-34454" 90984 ], 90985 "database_specific": { 90986 "cwe_ids": [ 90987 "CWE-190" 90988 ], 90989 "github_reviewed": true, 90990 "github_reviewed_at": "2023-06-15T16:28:08Z", 90991 "nvd_published_at": "2023-06-15T17:15:09Z", 90992 "severity": "MODERATE" 90993 }, 90994 "details": "## Summary\nDue to unchecked multiplications, an integer overflow may occur, causing an unrecoverable fatal error.\n## Impact\nDenial of Service\n## Description\nThe function [compress(char[] input)](https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L169) in the file [Snappy.java](https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/Snappy.java) receives an array of characters and 
compresses it. It does so by multiplying the length by 2 and passing it to the [rawCompress](https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L422) function.\n\n```java\npublic static byte[] compress(char[] input)\n throws IOException\n {\n return rawCompress(input, input.length * 2); // char uses 2 bytes\n }\n\n```\n\nSince the length is not tested, the multiplication by two can cause an integer overflow and become negative. The rawCompress function then uses the received length and passes it to the natively compiled maxCompressedLength function, using the returned value to allocate a byte array.\n\n```java\n public static byte[] rawCompress(Object data, int byteSize)\n throws IOException\n {\n byte[] buf = new byte[Snappy.maxCompressedLength(byteSize)];\n int compressedByteSize = impl.rawCompress(data, 0, byteSize, buf, 0);\n byte[] result = new byte[compressedByteSize];\n System.arraycopy(buf, 0, result, 0, compressedByteSize);\n return result;\n }\n\n```\n\nSince the maxCompressedLength function treats the length as an unsigned integer, it doesn’t care that it is negative, and it returns a valid value, which is casted to a signed integer by the Java engine. If the result is negative, a “java.lang.NegativeArraySizeException” exception will be raised while trying to allocate the array “buf”. On the other side, if the result is positive, the “buf” array will successfully be allocated, but its size might be too small to use for the compression, causing a fatal Access Violation error.\nThe same issue exists also when using the “compress” functions that receive double, float, int, long and short, each using a different multiplier that may cause the same issue. 
The issue most likely won’t occur when using a byte array, since creating a byte array of size 0x80000000 (or any other negative value) is impossible in the first place.\n\n\n## Steps To Reproduce\nCompile and run the following code:\n\n```java\npackage org.example;\nimport org.xerial.snappy.Snappy;\n\nimport java.io.*;\n\npublic class Main {\n\n public static void main(String[] args) throws IOException {\n char[] uncompressed = new char[0x40000000];\n byte[] compressed = Snappy.compress(uncompressed);\n }\n}\n\n```\n\nThe program will crash, creating crashdumps and showing the following error (or similar):\n\n```\n#\n# A fatal error has been detected by the Java Runtime Environment:\n#\n# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x0000000063a01c20, pid=21164, tid=508\n#\n.......\n```\n\n\nAlternatively - compile and run the following code:\n\n```java\npackage org.example;\nimport org.xerial.snappy.Snappy;\n\nimport java.io.*;\n\npublic class Main {\n\n public static void main(String[] args) throws IOException {\n char[] uncompressed = new char[0x3fffffff];\n byte[] compressed = Snappy.compress(uncompressed);\n }\n}\n```\n\nThe program will crash with the following error (or similar), since the maxCompressedLength returns a value that is interpreted as negative by java:\n\n```\nException in thread \"main\" java.lang.NegativeArraySizeException: -1789569677\n\tat org.xerial.snappy.Snappy.rawCompress(Snappy.java:425)\n\tat org.xerial.snappy.Snappy.compress(Snappy.java:172)\n\tat org.example.Main.main(Main.java:10)\n\n```", 90995 "id": "GHSA-fjpj-2g6w-x25r", 90996 "modified": "2024-02-16T08:21:07.894811Z", 90997 "published": "2023-06-15T16:28:08Z", 90998 "references": [ 90999 { 91000 "type": "WEB", 91001 "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-fjpj-2g6w-x25r" 91002 }, 91003 { 91004 "type": "ADVISORY", 91005 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34454" 91006 }, 91007 { 91008 "type": "WEB", 91009 "url": 
"https://github.com/xerial/snappy-java/commit/d0042551e4a3509a725038eb9b2ad1f683674d94" 91010 }, 91011 { 91012 "type": "PACKAGE", 91013 "url": "https://github.com/xerial/snappy-java" 91014 }, 91015 { 91016 "type": "WEB", 91017 "url": "https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L169" 91018 }, 91019 { 91020 "type": "WEB", 91021 "url": "https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L422" 91022 }, 91023 { 91024 "type": "WEB", 91025 "url": "https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/Snappy.java" 91026 } 91027 ], 91028 "related": [ 91029 "CGA-4248-v6xc-823x" 91030 ], 91031 "schema_version": "1.6.0", 91032 "severity": [ 91033 { 91034 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", 91035 "type": "CVSS_V3" 91036 } 91037 ], 91038 "summary": "snappy-java's Integer Overflow vulnerability in compress leads to DoS" 91039 }, 91040 { 91041 "affected": [ 91042 { 91043 "database_specific": { 91044 "last_known_affected_version_range": "\u003c= 1.1.10.0", 91045 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-pqr6-cmr2-h8hf/GHSA-pqr6-cmr2-h8hf.json" 91046 }, 91047 "package": { 91048 "ecosystem": "Maven", 91049 "name": "org.xerial.snappy:snappy-java", 91050 "purl": "pkg:maven/org.xerial.snappy/snappy-java" 91051 }, 91052 "ranges": [ 91053 { 91054 "events": [ 91055 { 91056 "introduced": "0" 91057 }, 91058 { 91059 "fixed": "1.1.10.1" 91060 } 91061 ], 91062 "type": "ECOSYSTEM" 91063 } 91064 ], 91065 "versions": [ 91066 "1.0.1-rc1", 91067 "1.0.1-rc2", 91068 "1.0.1-rc3", 91069 "1.0.1-rc4", 91070 "1.0.3", 91071 "1.0.3-rc1", 91072 "1.0.3-rc2", 91073 "1.0.3-rc3", 91074 "1.0.3-rc4", 91075 "1.0.3.1", 91076 "1.0.3.2", 91077 "1.0.3.3", 91078 "1.0.4", 91079 "1.0.4.1", 91080 "1.0.5", 91081 "1.0.5-M1", 91082 "1.0.5-M2", 91083 
"1.0.5-M3", 91084 "1.0.5-M4", 91085 "1.0.5.1", 91086 "1.0.5.2", 91087 "1.0.5.3", 91088 "1.0.5.4", 91089 "1.1.0", 91090 "1.1.0-M1", 91091 "1.1.0-M2", 91092 "1.1.0-M3", 91093 "1.1.0-M4", 91094 "1.1.0.1", 91095 "1.1.1", 91096 "1.1.1-M1", 91097 "1.1.1-M2", 91098 "1.1.1-M3", 91099 "1.1.1-M4", 91100 "1.1.1.1", 91101 "1.1.1.2", 91102 "1.1.1.3", 91103 "1.1.1.4", 91104 "1.1.1.5", 91105 "1.1.1.6", 91106 "1.1.1.7", 91107 "1.1.10.0", 91108 "1.1.2", 91109 "1.1.2-M1", 91110 "1.1.2-RC1", 91111 "1.1.2-RC2", 91112 "1.1.2-RC3", 91113 "1.1.2.1", 91114 "1.1.2.2", 91115 "1.1.2.3", 91116 "1.1.2.4", 91117 "1.1.2.5", 91118 "1.1.2.6", 91119 "1.1.3-M1", 91120 "1.1.3-M2", 91121 "1.1.4", 91122 "1.1.4-M1", 91123 "1.1.4-M2", 91124 "1.1.4-M3", 91125 "1.1.7", 91126 "1.1.7.1", 91127 "1.1.7.2", 91128 "1.1.7.3", 91129 "1.1.7.4", 91130 "1.1.7.5", 91131 "1.1.7.6", 91132 "1.1.7.7", 91133 "1.1.7.8", 91134 "1.1.8", 91135 "1.1.8.1", 91136 "1.1.8.2", 91137 "1.1.8.3", 91138 "1.1.8.4", 91139 "1.1.9.0", 91140 "1.1.9.1" 91141 ] 91142 } 91143 ], 91144 "aliases": [ 91145 "CVE-2023-34453" 91146 ], 91147 "database_specific": { 91148 "cwe_ids": [ 91149 "CWE-190" 91150 ], 91151 "github_reviewed": true, 91152 "github_reviewed_at": "2023-06-15T16:13:20Z", 91153 "nvd_published_at": "2023-06-15T17:15:09Z", 91154 "severity": "MODERATE" 91155 }, 91156 "details": "## Summary\nDue to unchecked multiplications, an integer overflow may occur, causing a fatal error.\n## Impact\nDenial of Service\n## Description\nThe function [shuffle(int[] input)](https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/BitShuffle.java#L107) in the file [BitShuffle.java](https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/BitShuffle.java) receives an array of integers and applies a bit shuffle on it. 
It does so by multiplying the length by 4 and passing it to the natively compiled shuffle function.\n\n```java\npublic static byte[] shuffle(int[] input) throws IOException {\n byte[] output = new byte[input.length * 4];\n int numProcessed = impl.shuffle(input, 0, 4, input.length * 4, output, 0);\n assert(numProcessed == input.length * 4);\n return output;\n }\n\n```\n\nSince the length is not tested, the multiplication by four can cause an integer overflow and become a smaller value than the true size, or even zero or negative. In the case of a negative value, a “java.lang.NegativeArraySizeException” exception will raise, which can crash the program. In a case of a value that is zero or too small, the code that afterwards references the shuffled array will assume a bigger size of the array, which might cause exceptions such as “java.lang.ArrayIndexOutOfBoundsException”.\nThe same issue exists also when using the “shuffle” functions that receive a double, float, long and short, each using a different multiplier that may cause the same issue.\n\n## Steps To Reproduce\nCompile and run the following code:\n\n```java\npackage org.example;\nimport org.xerial.snappy.BitShuffle;\n\nimport java.io.*;\n\n\npublic class Main {\n\n public static void main(String[] args) throws IOException {\n int[] original = new int[0x40000000];\n byte[] shuffled = BitShuffle.shuffle(original);\n System.out.println(shuffled[0]);\n }\n}\n\n```\nThe program will crash, showing the following error (or similar):\n\n```\nException in thread \"main\" java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0\n\tat org.example.Main.main(Main.java:12)\n\nProcess finished with exit code 1\n\n```\n\nAlternatively - compile and run the following code:\n\n```java\npackage org.example;\nimport org.xerial.snappy.BitShuffle;\n\nimport java.io.*;\n\n\npublic class Main {\n\n public static void main(String[] args) throws IOException {\n int[] original = new int[0x20000000];\n byte[] 
shuffled = BitShuffle.shuffle(original);\n }\n}\n\n```\nThe program will crash with the following error (or similar):\n\n```\nException in thread \"main\" java.lang.NegativeArraySizeException: -2147483648\n\tat org.xerial.snappy.BitShuffle.shuffle(BitShuffle.java:108)\n\tat org.example.Main.main(Main.java:11)\n```", 91157 "id": "GHSA-pqr6-cmr2-h8hf", 91158 "modified": "2024-02-16T08:00:57.023897Z", 91159 "published": "2023-06-15T16:13:20Z", 91160 "references": [ 91161 { 91162 "type": "WEB", 91163 "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-pqr6-cmr2-h8hf" 91164 }, 91165 { 91166 "type": "ADVISORY", 91167 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34453" 91168 }, 91169 { 91170 "type": "WEB", 91171 "url": "https://github.com/xerial/snappy-java/commit/820e2e074c58748b41dbd547f4edba9e108ad905" 91172 }, 91173 { 91174 "type": "PACKAGE", 91175 "url": "https://github.com/xerial/snappy-java" 91176 }, 91177 { 91178 "type": "WEB", 91179 "url": "https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/BitShuffle.java#L107" 91180 }, 91181 { 91182 "type": "WEB", 91183 "url": "https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/BitShuffle.java" 91184 } 91185 ], 91186 "related": [ 91187 "CGA-8pqj-995r-975g" 91188 ], 91189 "schema_version": "1.6.0", 91190 "severity": [ 91191 { 91192 "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", 91193 "type": "CVSS_V3" 91194 } 91195 ], 91196 "summary": "snappy-java's Integer Overflow vulnerability in shuffle leads to DoS" 91197 }, 91198 { 91199 "affected": [ 91200 { 91201 "database_specific": { 91202 "last_known_affected_version_range": "\u003c= 1.1.10.0", 91203 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-qcwq-55hx-v3vh/GHSA-qcwq-55hx-v3vh.json" 91204 }, 91205 "package": { 91206 "ecosystem": "Maven", 91207 "name": "org.xerial.snappy:snappy-java", 91208 
"purl": "pkg:maven/org.xerial.snappy/snappy-java" 91209 }, 91210 "ranges": [ 91211 { 91212 "events": [ 91213 { 91214 "introduced": "0" 91215 }, 91216 { 91217 "fixed": "1.1.10.1" 91218 } 91219 ], 91220 "type": "ECOSYSTEM" 91221 } 91222 ], 91223 "versions": [ 91224 "1.0.1-rc1", 91225 "1.0.1-rc2", 91226 "1.0.1-rc3", 91227 "1.0.1-rc4", 91228 "1.0.3", 91229 "1.0.3-rc1", 91230 "1.0.3-rc2", 91231 "1.0.3-rc3", 91232 "1.0.3-rc4", 91233 "1.0.3.1", 91234 "1.0.3.2", 91235 "1.0.3.3", 91236 "1.0.4", 91237 "1.0.4.1", 91238 "1.0.5", 91239 "1.0.5-M1", 91240 "1.0.5-M2", 91241 "1.0.5-M3", 91242 "1.0.5-M4", 91243 "1.0.5.1", 91244 "1.0.5.2", 91245 "1.0.5.3", 91246 "1.0.5.4", 91247 "1.1.0", 91248 "1.1.0-M1", 91249 "1.1.0-M2", 91250 "1.1.0-M3", 91251 "1.1.0-M4", 91252 "1.1.0.1", 91253 "1.1.1", 91254 "1.1.1-M1", 91255 "1.1.1-M2", 91256 "1.1.1-M3", 91257 "1.1.1-M4", 91258 "1.1.1.1", 91259 "1.1.1.2", 91260 "1.1.1.3", 91261 "1.1.1.4", 91262 "1.1.1.5", 91263 "1.1.1.6", 91264 "1.1.1.7", 91265 "1.1.10.0", 91266 "1.1.2", 91267 "1.1.2-M1", 91268 "1.1.2-RC1", 91269 "1.1.2-RC2", 91270 "1.1.2-RC3", 91271 "1.1.2.1", 91272 "1.1.2.2", 91273 "1.1.2.3", 91274 "1.1.2.4", 91275 "1.1.2.5", 91276 "1.1.2.6", 91277 "1.1.3-M1", 91278 "1.1.3-M2", 91279 "1.1.4", 91280 "1.1.4-M1", 91281 "1.1.4-M2", 91282 "1.1.4-M3", 91283 "1.1.7", 91284 "1.1.7.1", 91285 "1.1.7.2", 91286 "1.1.7.3", 91287 "1.1.7.4", 91288 "1.1.7.5", 91289 "1.1.7.6", 91290 "1.1.7.7", 91291 "1.1.7.8", 91292 "1.1.8", 91293 "1.1.8.1", 91294 "1.1.8.2", 91295 "1.1.8.3", 91296 "1.1.8.4", 91297 "1.1.9.0", 91298 "1.1.9.1" 91299 ] 91300 } 91301 ], 91302 "aliases": [ 91303 "CVE-2023-34455" 91304 ], 91305 "database_specific": { 91306 "cwe_ids": [ 91307 "CWE-770" 91308 ], 91309 "github_reviewed": true, 91310 "github_reviewed_at": "2023-06-15T17:15:06Z", 91311 "nvd_published_at": "2023-06-15T18:15:09Z", 91312 "severity": "HIGH" 91313 }, 91314 "details": "## Summary\nDue to use of an unchecked chunk length, an unrecoverable fatal error can occur.\n## 
Impact\nDenial of Service\n## Description\nThe code in the function [hasNextChunk](https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/SnappyInputStream.java#L388) in the file [SnappyInputStream.java](https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/SnappyInputStream.java) checks if a given stream has more chunks to read. It does that by attempting to read 4 bytes. If it wasn’t possible to read the 4 bytes, the function returns false. Otherwise, if 4 bytes were available, the code treats them as the length of the next chunk.\n\n\n\n```java\n int readBytes = readNext(header, 0, 4);\n if (readBytes \u003c 4) {\n return false;\n }\n\n int chunkSize = SnappyOutputStream.readInt(header, 0);\n if (chunkSize == SnappyCodec.MAGIC_HEADER_HEAD) {\n .........\n }\n\n // extend the compressed data buffer size\n if (compressed == null || chunkSize \u003e compressed.length) {\n compressed = new byte[chunkSize];\n }\n\n```\n\nIn the case that the “compressed” variable is null, a byte array is allocated with the size given by the input data. Since the code doesn’t test the legality of the “chunkSize” variable, it is possible to pass a negative number (such as 0xFFFFFFFF which is -1), which will cause the code to raise a “java.lang.NegativeArraySizeException” exception. 
A worse case would happen when passing a huge positive value (such as 0x7FFFFFFF), which would raise the fatal “java.lang.OutOfMemoryError” error.\n\n\n## Steps To Reproduce\nCompile and run the following code:\n\n```java\npackage org.example;\nimport org.xerial.snappy.SnappyInputStream;\n\nimport java.io.*;\n\npublic class Main {\n\n public static void main(String[] args) throws IOException {\n byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};\n SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));\n byte[] out = new byte[50];\n try {\n in.read(out);\n }\n catch (Exception ignored) {\n\n }\n }\n}\n```\n\nThe program will crash with the following error (or similar), even though there is a catch clause, since “OutOfMemoryError” does not get caught by catching the “Exception” class:\n\n```\nException in thread \"main\" java.lang.OutOfMemoryError: Requested array size exceeds VM limit\n\tat org.xerial.snappy.SnappyInputStream.hasNextChunk(SnappyInputStream.java:422)\n\tat org.xerial.snappy.SnappyInputStream.read(SnappyInputStream.java:167)\n\tat java.base/java.io.InputStream.read(InputStream.java:217)\n\tat org.example.Main.main(Main.java:12)\n\n```\n\n\nAlternatively - compile and run the following code:\n\n```java\npackage org.example;\nimport org.xerial.snappy.SnappyInputStream;\n\nimport java.io.*;\n\npublic class Main {\n\n public static void main(String[] args) throws IOException {\n byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff};\n SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));\n byte[] out = new byte[50];\n in.read(out);\n }\n}\n```\n\nThe program will crash with the following error (or similar):\n\n```\nException in thread \"main\" java.lang.NegativeArraySizeException: -1\n\tat 
org.xerial.snappy.SnappyInputStream.hasNextChunk(SnappyInputStream.java:422)\n\tat org.xerial.snappy.SnappyInputStream.read(SnappyInputStream.java:167)\n\tat java.base/java.io.InputStream.read(InputStream.java:217)\n\tat org.example.Main.main(Main.java:12)\n\n```\n\n\nIt is important to note that these examples were written by using a flow that is generally used by developers, and can be seen for example in the Apache project “flume”: https://github.com/apache/flume/blob/f9dbb2de255d59e35e3668a5c6c66a268a055207/flume-ng-channels/flume-file-channel/src/main/java/org/apache/flume/channel/file/Serialization.java#L278. Since they used try-catch, the “NegativeArraySizeException” exception won’t harm their users, but the “OutOfMemoryError” error can.", 91315 "id": "GHSA-qcwq-55hx-v3vh", 91316 "modified": "2024-02-17T05:36:43.827976Z", 91317 "published": "2023-06-15T17:15:06Z", 91318 "references": [ 91319 { 91320 "type": "WEB", 91321 "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-qcwq-55hx-v3vh" 91322 }, 91323 { 91324 "type": "ADVISORY", 91325 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34455" 91326 }, 91327 { 91328 "type": "WEB", 91329 "url": "https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea" 91330 }, 91331 { 91332 "type": "PACKAGE", 91333 "url": "https://github.com/xerial/snappy-java" 91334 }, 91335 { 91336 "type": "WEB", 91337 "url": "https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/SnappyInputStream.java#L388" 91338 }, 91339 { 91340 "type": "WEB", 91341 "url": "https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/SnappyInputStream.java" 91342 }, 91343 { 91344 "type": "WEB", 91345 "url": "https://security.netapp.com/advisory/ntap-20230818-0009" 91346 } 91347 ], 91348 "related": [ 91349 "CGA-644v-gq8j-xww8" 91350 ], 91351 "schema_version": "1.6.0", 91352 "severity": [ 91353 { 91354 "score": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 91355 "type": "CVSS_V3" 91356 } 91357 ], 91358 "summary": "snappy-java's unchecked chunk length leads to DoS" 91359 }, 91360 { 91361 "affected": [ 91362 { 91363 "database_specific": { 91364 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-9339-86wc-4qgf/GHSA-9339-86wc-4qgf.json" 91365 }, 91366 "package": { 91367 "ecosystem": "Maven", 91368 "name": "xalan:xalan", 91369 "purl": "pkg:maven/xalan/xalan" 91370 }, 91371 "ranges": [ 91372 { 91373 "events": [ 91374 { 91375 "introduced": "0" 91376 }, 91377 { 91378 "fixed": "2.7.3" 91379 } 91380 ], 91381 "type": "ECOSYSTEM" 91382 } 91383 ], 91384 "versions": [ 91385 "2.1.0", 91386 "2.3.1", 91387 "2.4.0", 91388 "2.4.1", 91389 "2.5.0", 91390 "2.5.1", 91391 "2.5.D1", 91392 "2.6.0", 91393 "2.7.0", 91394 "2.7.1", 91395 "2.7.2" 91396 ] 91397 } 91398 ], 91399 "aliases": [ 91400 "CVE-2022-34169" 91401 ], 91402 "database_specific": { 91403 "cwe_ids": [ 91404 "CWE-681" 91405 ], 91406 "github_reviewed": true, 91407 "github_reviewed_at": "2022-07-21T22:28:36Z", 91408 "nvd_published_at": "2022-07-19T18:15:00Z", 91409 "severity": "HIGH" 91410 }, 91411 "details": "The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. 
This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.\n\nA fix for this issue was published in September 2022 as part of an anticipated 2.7.3 release.", 91412 "id": "GHSA-9339-86wc-4qgf", 91413 "modified": "2024-06-25T02:34:59.864497Z", 91414 "published": "2022-07-20T00:00:18Z", 91415 "references": [ 91416 { 91417 "type": "ADVISORY", 91418 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34169" 91419 }, 91420 { 91421 "type": "WEB", 91422 "url": "https://xalan.apache.org" 91423 }, 91424 { 91425 "type": "WEB", 91426 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 91427 }, 91428 { 91429 "type": "WEB", 91430 "url": "https://www.debian.org/security/2022/dsa-5256" 91431 }, 91432 { 91433 "type": "WEB", 91434 "url": "https://www.debian.org/security/2022/dsa-5192" 91435 }, 91436 { 91437 "type": "WEB", 91438 "url": "https://www.debian.org/security/2022/dsa-5188" 91439 }, 91440 { 91441 "type": "WEB", 91442 "url": "https://security.netapp.com/advisory/ntap-20240621-0006" 91443 }, 91444 { 91445 "type": "WEB", 91446 "url": "https://security.netapp.com/advisory/ntap-20220729-0009" 91447 }, 91448 { 91449 "type": "WEB", 91450 "url": "https://security.gentoo.org/glsa/202401-25" 91451 }, 91452 { 91453 "type": "WEB", 91454 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB" 91455 }, 91456 { 91457 "type": "WEB", 91458 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ" 91459 }, 91460 { 91461 "type": "WEB", 91462 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO" 91463 }, 91464 { 91465 "type": "WEB", 91466 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2" 91467 }, 
91468 { 91469 "type": "WEB", 91470 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM" 91471 }, 91472 { 91473 "type": "WEB", 91474 "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L" 91475 }, 91476 { 91477 "type": "WEB", 91478 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB" 91479 }, 91480 { 91481 "type": "WEB", 91482 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ" 91483 }, 91484 { 91485 "type": "WEB", 91486 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO" 91487 }, 91488 { 91489 "type": "WEB", 91490 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2" 91491 }, 91492 { 91493 "type": "WEB", 91494 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM" 91495 }, 91496 { 91497 "type": "WEB", 91498 "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L" 91499 }, 91500 { 91501 "type": "WEB", 91502 "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00024.html" 91503 }, 91504 { 91505 "type": "WEB", 91506 "url": "https://lists.apache.org/thread/x3f7xv3p1g32qj2hlg8wd57pwcpld471" 91507 }, 91508 { 91509 "type": "WEB", 91510 "url": "https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8" 91511 }, 91512 { 91513 "type": "WEB", 91514 "url": "https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw" 91515 }, 91516 { 91517 "type": "WEB", 91518 "url": 
"https://gitbox.apache.org/repos/asf?p=xalan-java.git;a=commit;h=da3e0d06b467247643ce04e88d3346739d119f21" 91519 }, 91520 { 91521 "type": "WEB", 91522 "url": "https://gitbox.apache.org/repos/asf?p=xalan-java.git;a=commit;h=ab57211e5d2e97cbed06786f919fa9b749c83573" 91523 }, 91524 { 91525 "type": "WEB", 91526 "url": "https://gitbox.apache.org/repos/asf?p=xalan-java.git;a=commit;h=2e60d0a9a5b822c4abf9051857973b1c6babfe81" 91527 }, 91528 { 91529 "type": "PACKAGE", 91530 "url": "https://gitbox.apache.org/repos/asf?p=xalan-java.git" 91531 }, 91532 { 91533 "type": "WEB", 91534 "url": "http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html" 91535 }, 91536 { 91537 "type": "WEB", 91538 "url": "http://www.openwall.com/lists/oss-security/2022/07/19/5" 91539 }, 91540 { 91541 "type": "WEB", 91542 "url": "http://www.openwall.com/lists/oss-security/2022/07/19/6" 91543 }, 91544 { 91545 "type": "WEB", 91546 "url": "http://www.openwall.com/lists/oss-security/2022/07/20/2" 91547 }, 91548 { 91549 "type": "WEB", 91550 "url": "http://www.openwall.com/lists/oss-security/2022/07/20/3" 91551 }, 91552 { 91553 "type": "WEB", 91554 "url": "http://www.openwall.com/lists/oss-security/2022/10/18/2" 91555 }, 91556 { 91557 "type": "WEB", 91558 "url": "http://www.openwall.com/lists/oss-security/2022/11/04/8" 91559 }, 91560 { 91561 "type": "WEB", 91562 "url": "http://www.openwall.com/lists/oss-security/2022/11/07/2" 91563 } 91564 ], 91565 "schema_version": "1.6.0", 91566 "severity": [ 91567 { 91568 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", 91569 "type": "CVSS_V3" 91570 } 91571 ], 91572 "summary": "Apache Xalan Java XSLT library integer truncation issue when processing malicious XSLT stylesheets" 91573 }, 91574 { 91575 "affected": [ 91576 { 91577 "database_specific": { 91578 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rc2w-r4jq-7pfx/GHSA-rc2w-r4jq-7pfx.json" 91579 }, 91580 "package": { 91581 
"ecosystem": "Maven", 91582 "name": "xalan:xalan", 91583 "purl": "pkg:maven/xalan/xalan" 91584 }, 91585 "ranges": [ 91586 { 91587 "events": [ 91588 { 91589 "introduced": "0" 91590 }, 91591 { 91592 "fixed": "2.7.2" 91593 } 91594 ], 91595 "type": "ECOSYSTEM" 91596 } 91597 ], 91598 "versions": [ 91599 "2.1.0", 91600 "2.3.1", 91601 "2.4.0", 91602 "2.4.1", 91603 "2.5.0", 91604 "2.5.1", 91605 "2.5.D1", 91606 "2.6.0", 91607 "2.7.0", 91608 "2.7.1" 91609 ] 91610 } 91611 ], 91612 "aliases": [ 91613 "CVE-2014-0107" 91614 ], 91615 "database_specific": { 91616 "cwe_ids": [ 91617 "CWE-285" 91618 ], 91619 "github_reviewed": true, 91620 "github_reviewed_at": "2022-07-07T23:02:09Z", 91621 "nvd_published_at": "2014-04-15T23:13:00Z", 91622 "severity": "HIGH" 91623 }, 91624 "details": "The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.", 91625 "id": "GHSA-rc2w-r4jq-7pfx", 91626 "modified": "2023-11-08T03:57:31.444584Z", 91627 "published": "2022-05-13T01:05:38Z", 91628 "references": [ 91629 { 91630 "type": "ADVISORY", 91631 "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0107" 91632 }, 91633 { 91634 "type": "WEB", 91635 "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/92023" 91636 }, 91637 { 91638 "type": "WEB", 91639 "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755" 91640 }, 91641 { 91642 "type": "WEB", 91643 "url": "https://issues.apache.org/jira/browse/XALANJ-2435" 91644 }, 91645 { 91646 "type": "WEB", 91647 "url": 
"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 91648 }, 91649 { 91650 "type": "WEB", 91651 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 91652 }, 91653 { 91654 "type": "WEB", 91655 "url": "https://lists.apache.org/thread.html/r0c00afcab8f238562e27b3ae7b8af1913c62bc60838fb8b34c19e26b@%3Cdev.tomcat.apache.org%3E" 91656 }, 91657 { 91658 "type": "WEB", 91659 "url": "https://lists.apache.org/thread.html/r2900489bc665a2e32d021bb21f6ce2cb8e6bb5973490eebb9a346bca@%3Cdev.tomcat.apache.org%3E" 91660 }, 91661 { 91662 "type": "WEB", 91663 "url": "https://security.gentoo.org/glsa/201604-02" 91664 }, 91665 { 91666 "type": "WEB", 91667 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 91668 }, 91669 { 91670 "type": "WEB", 91671 "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" 91672 }, 91673 { 91674 "type": "WEB", 91675 "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" 91676 }, 91677 { 91678 "type": "WEB", 91679 "url": "https://www.tenable.com/security/tns-2018-15" 91680 }, 91681 { 91682 "type": "WEB", 91683 "url": "http://rhn.redhat.com/errata/RHSA-2014-0348.html" 91684 }, 91685 { 91686 "type": "WEB", 91687 "url": "http://rhn.redhat.com/errata/RHSA-2014-1351.html" 91688 }, 91689 { 91690 "type": "WEB", 91691 "url": "http://rhn.redhat.com/errata/RHSA-2015-1888.html" 91692 }, 91693 { 91694 "type": "WEB", 91695 "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1581058" 91696 }, 91697 { 91698 "type": "WEB", 91699 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21674334" 91700 }, 91701 { 91702 "type": "WEB", 91703 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21676093" 91704 }, 91705 { 91706 "type": "WEB", 91707 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21677145" 91708 }, 91709 { 91710 "type": "WEB", 91711 "url": 
"http://www-01.ibm.com/support/docview.wss?uid=swg21680703" 91712 }, 91713 { 91714 "type": "WEB", 91715 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21681933" 91716 }, 91717 { 91718 "type": "WEB", 91719 "url": "http://www.debian.org/security/2014/dsa-2886" 91720 }, 91721 { 91722 "type": "WEB", 91723 "url": "http://www.ibm.com/support/docview.wss?uid=swg21677967" 91724 }, 91725 { 91726 "type": "WEB", 91727 "url": "http://www.ocert.org/advisories/ocert-2014-002.html" 91728 }, 91729 { 91730 "type": "WEB", 91731 "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" 91732 }, 91733 { 91734 "type": "WEB", 91735 "url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html" 91736 } 91737 ], 91738 "schema_version": "1.6.0", 91739 "summary": "Improper Authorization in Apache Xalan-Java" 91740 }, 91741 { 91742 "affected": [ 91743 { 91744 "database_specific": { 91745 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-334p-wv2m-w3vp/GHSA-334p-wv2m-w3vp.json" 91746 }, 91747 "package": { 91748 "ecosystem": "Maven", 91749 "name": "xerces:xercesImpl", 91750 "purl": "pkg:maven/xerces/xercesImpl" 91751 }, 91752 "ranges": [ 91753 { 91754 "events": [ 91755 { 91756 "introduced": "0" 91757 }, 91758 { 91759 "fixed": "2.10.0" 91760 } 91761 ], 91762 "type": "ECOSYSTEM" 91763 } 91764 ], 91765 "versions": [ 91766 "2.0.0", 91767 "2.0.2", 91768 "2.2.1", 91769 "2.3.0", 91770 "2.4.0", 91771 "2.5.0", 91772 "2.6.0", 91773 "2.6.1", 91774 "2.6.2", 91775 "2.6.2-jaxb-1.0.6", 91776 "2.7.1", 91777 "2.8.0", 91778 "2.8.1", 91779 "2.9.0", 91780 "2.9.1" 91781 ] 91782 } 91783 ], 91784 "aliases": [ 91785 "CVE-2009-2625" 91786 ], 91787 "database_specific": { 91788 "cwe_ids": [], 91789 "github_reviewed": true, 91790 "github_reviewed_at": "2020-06-15T15:55:30Z", 91791 "nvd_published_at": "2009-08-06T15:30:00Z", 91792 "severity": "MODERATE" 91793 }, 91794 "details": "XMLScanner.java in Apache 
Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.", 91795 "id": "GHSA-334p-wv2m-w3vp", 91796 "modified": "2024-02-16T08:16:58.940507Z", 91797 "published": "2020-06-15T18:51:30Z", 91798 "references": [ 91799 { 91800 "type": "ADVISORY", 91801 "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2625" 91802 }, 91803 { 91804 "type": "WEB", 91805 "url": "https://github.com/apache/xerces2-j/commit/0bdf77af1d4fd26ec2e630fb6d12e2dfa77bc12b" 91806 }, 91807 { 91808 "type": "WEB", 91809 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=512921" 91810 }, 91811 { 91812 "type": "WEB", 91813 "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E" 91814 }, 91815 { 91816 "type": "WEB", 91817 "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8520" 91818 }, 91819 { 91820 "type": "WEB", 91821 "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9356" 91822 }, 91823 { 91824 "type": "WEB", 91825 "url": "https://rhn.redhat.com/errata/RHSA-2009-1199.html" 91826 }, 91827 { 91828 "type": "WEB", 91829 "url": "https://rhn.redhat.com/errata/RHSA-2009-1200.html" 91830 }, 91831 { 91832 "type": "WEB", 91833 "url": "https://rhn.redhat.com/errata/RHSA-2009-1201.html" 91834 }, 91835 { 91836 "type": "WEB", 91837 "url": "https://rhn.redhat.com/errata/RHSA-2009-1636.html" 91838 }, 91839 { 91840 "type": "WEB", 91841 "url": "https://rhn.redhat.com/errata/RHSA-2009-1637.html" 91842 }, 91843 { 91844 "type": "WEB", 91845 "url": "https://rhn.redhat.com/errata/RHSA-2009-1649.html" 91846 }, 91847 { 91848 "type": "WEB", 91849 "url": 
"https://rhn.redhat.com/errata/RHSA-2009-1650.html" 91850 }, 91851 { 91852 "type": "WEB", 91853 "url": "https://snyk.io/vuln/SNYK-JAVA-XERCES-32014" 91854 }, 91855 { 91856 "type": "WEB", 91857 "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html" 91858 }, 91859 { 91860 "type": "WEB", 91861 "url": "https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html" 91862 }, 91863 { 91864 "type": "WEB", 91865 "url": "http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html" 91866 }, 91867 { 91868 "type": "WEB", 91869 "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html" 91870 }, 91871 { 91872 "type": "WEB", 91873 "url": "http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html" 91874 }, 91875 { 91876 "type": "WEB", 91877 "url": "http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html" 91878 }, 91879 { 91880 "type": "WEB", 91881 "url": "http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html" 91882 }, 91883 { 91884 "type": "WEB", 91885 "url": "http://marc.info/?l=bugtraq\u0026m=125787273209737\u0026w=2" 91886 }, 91887 { 91888 "type": "WEB", 91889 "url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html" 91890 }, 91891 { 91892 "type": "WEB", 91893 "url": "http://rhn.redhat.com/errata/RHSA-2012-1537.html" 91894 }, 91895 { 91896 "type": "WEB", 91897 "url": "http://secunia.com/advisories/36162" 91898 }, 91899 { 91900 "type": "WEB", 91901 "url": "http://secunia.com/advisories/36176" 91902 }, 91903 { 91904 "type": "WEB", 91905 "url": "http://secunia.com/advisories/36180" 91906 }, 91907 { 91908 "type": "WEB", 91909 "url": "http://secunia.com/advisories/36199" 91910 }, 91911 { 91912 "type": "WEB", 91913 "url": "http://secunia.com/advisories/37300" 91914 }, 91915 { 91916 "type": "WEB", 91917 "url": "http://secunia.com/advisories/37460" 91918 }, 91919 { 91920 "type": "WEB", 91921 "url": "http://secunia.com/advisories/37671" 
91922 }, 91923 { 91924 "type": "WEB", 91925 "url": "http://secunia.com/advisories/37754" 91926 }, 91927 { 91928 "type": "WEB", 91929 "url": "http://secunia.com/advisories/38231" 91930 }, 91931 { 91932 "type": "WEB", 91933 "url": "http://secunia.com/advisories/38342" 91934 }, 91935 { 91936 "type": "WEB", 91937 "url": "http://secunia.com/advisories/43300" 91938 }, 91939 { 91940 "type": "WEB", 91941 "url": "http://secunia.com/advisories/50549" 91942 }, 91943 { 91944 "type": "WEB", 91945 "url": "http://slackware.com/security/viewer.php?l=slackware-security\u0026y=2011\u0026m=slackware-security.486026" 91946 }, 91947 { 91948 "type": "WEB", 91949 "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1" 91950 }, 91951 { 91952 "type": "WEB", 91953 "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1" 91954 }, 91955 { 91956 "type": "WEB", 91957 "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-66-272209-1" 91958 }, 91959 { 91960 "type": "WEB", 91961 "url": "http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021506.1-1" 91962 }, 91963 { 91964 "type": "WEB", 91965 "url": "http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055\u0026r2=787352\u0026pathrev=787353\u0026diff_format=h" 91966 }, 91967 { 91968 "type": "WEB", 91969 "url": "http://www.cert.fi/en/reports/2009/vulnerability2009085.html" 91970 }, 91971 { 91972 "type": "WEB", 91973 "url": "http://www.codenomicon.com/labs/xml" 91974 }, 91975 { 91976 "type": "WEB", 91977 "url": "http://www.debian.org/security/2010/dsa-1984" 91978 }, 91979 { 91980 "type": "WEB", 91981 "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2009:209" 91982 }, 91983 { 91984 "type": "WEB", 91985 "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:108" 91986 }, 91987 { 91988 "type": "WEB", 91989 "url": "http://www.networkworld.com/columnists/2009/080509-xml-flaw.html" 91990 }, 91991 { 91992 "type": "WEB", 91993 "url": 
"http://www.openwall.com/lists/oss-security/2009/09/06/1" 91994 }, 91995 { 91996 "type": "WEB", 91997 "url": "http://www.openwall.com/lists/oss-security/2009/10/22/9" 91998 }, 91999 { 92000 "type": "WEB", 92001 "url": "http://www.openwall.com/lists/oss-security/2009/10/23/6" 92002 }, 92003 { 92004 "type": "WEB", 92005 "url": "http://www.openwall.com/lists/oss-security/2009/10/26/3" 92006 }, 92007 { 92008 "type": "WEB", 92009 "url": "http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html" 92010 }, 92011 { 92012 "type": "WEB", 92013 "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html" 92014 }, 92015 { 92016 "type": "WEB", 92017 "url": "http://www.redhat.com/support/errata/RHSA-2009-1615.html" 92018 }, 92019 { 92020 "type": "WEB", 92021 "url": "http://www.redhat.com/support/errata/RHSA-2011-0858.html" 92022 }, 92023 { 92024 "type": "WEB", 92025 "url": "http://www.securityfocus.com/archive/1/507985/100/0/threaded" 92026 }, 92027 { 92028 "type": "WEB", 92029 "url": "http://www.securityfocus.com/bid/35958" 92030 }, 92031 { 92032 "type": "WEB", 92033 "url": "http://www.securitytracker.com/id?1022680" 92034 }, 92035 { 92036 "type": "WEB", 92037 "url": "http://www.ubuntu.com/usn/USN-890-1" 92038 }, 92039 { 92040 "type": "WEB", 92041 "url": "http://www.us-cert.gov/cas/techalerts/TA09-294A.html" 92042 }, 92043 { 92044 "type": "WEB", 92045 "url": "http://www.us-cert.gov/cas/techalerts/TA10-012A.html" 92046 }, 92047 { 92048 "type": "WEB", 92049 "url": "http://www.vmware.com/security/advisories/VMSA-2009-0016.html" 92050 }, 92051 { 92052 "type": "WEB", 92053 "url": "http://www.vupen.com/english/advisories/2009/2543" 92054 }, 92055 { 92056 "type": "WEB", 92057 "url": "http://www.vupen.com/english/advisories/2009/3316" 92058 }, 92059 { 92060 "type": "WEB", 92061 "url": "http://www.vupen.com/english/advisories/2011/0359" 92062 } 92063 ], 92064 "schema_version": "1.6.0", 92065 "summary": "Denial of service in Apache Xerces2" 92066 }, 
92067 { 92068 "affected": [ 92069 { 92070 "database_specific": { 92071 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7j4h-8wpf-rqfh/GHSA-7j4h-8wpf-rqfh.json" 92072 }, 92073 "package": { 92074 "ecosystem": "Maven", 92075 "name": "xerces:xercesImpl", 92076 "purl": "pkg:maven/xerces/xercesImpl" 92077 }, 92078 "ranges": [ 92079 { 92080 "events": [ 92081 { 92082 "introduced": "0" 92083 }, 92084 { 92085 "fixed": "2.12.0" 92086 } 92087 ], 92088 "type": "ECOSYSTEM" 92089 } 92090 ], 92091 "versions": [ 92092 "2.0.0", 92093 "2.0.2", 92094 "2.10.0", 92095 "2.11.0", 92096 "2.2.1", 92097 "2.3.0", 92098 "2.4.0", 92099 "2.5.0", 92100 "2.6.0", 92101 "2.6.1", 92102 "2.6.2", 92103 "2.6.2-jaxb-1.0.6", 92104 "2.7.1", 92105 "2.8.0", 92106 "2.8.1", 92107 "2.9.0", 92108 "2.9.1" 92109 ] 92110 } 92111 ], 92112 "aliases": [ 92113 "CVE-2013-4002" 92114 ], 92115 "database_specific": { 92116 "cwe_ids": [ 92117 "CWE-112" 92118 ], 92119 "github_reviewed": true, 92120 "github_reviewed_at": "2022-07-08T19:14:49Z", 92121 "nvd_published_at": "2013-07-23T11:03:00Z", 92122 "severity": "HIGH" 92123 }, 92124 "details": "XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.", 92125 "id": "GHSA-7j4h-8wpf-rqfh", 92126 "modified": "2024-03-05T18:00:59.899628Z", 92127 "published": "2022-05-13T01:01:06Z", 92128 "references": [ 92129 { 92130 "type": "ADVISORY", 92131 "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4002" 92132 }, 92133 { 92134 "type": "WEB", 92135 "url": 
"https://github.com/apache/xerces2-j/commit/266e837852e0f0e3c8c1ad572b6fc4dbb4ded17" 92136 }, 92137 { 92138 "type": "WEB", 92139 "url": "https://access.redhat.com/errata/RHSA-2014:0414" 92140 }, 92141 { 92142 "type": "WEB", 92143 "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/85260" 92144 }, 92145 { 92146 "type": "PACKAGE", 92147 "url": "https://github.com/apache/xerces2-j" 92148 }, 92149 { 92150 "type": "WEB", 92151 "url": "https://issues.apache.org/jira/browse/XERCESJ-1679" 92152 }, 92153 { 92154 "type": "WEB", 92155 "url": "https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73@%3Cj-users.xerces.apache.org%3E" 92156 }, 92157 { 92158 "type": "WEB", 92159 "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" 92160 }, 92161 { 92162 "type": "WEB", 92163 "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E" 92164 }, 92165 { 92166 "type": "WEB", 92167 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 92168 }, 92169 { 92170 "type": "WEB", 92171 "url": "https://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html" 92172 }, 92173 { 92174 "type": "WEB", 92175 "url": "http://lists.apple.com/archives/security-announce/2013/Oct/msg00001.html" 92176 }, 92177 { 92178 "type": "WEB", 92179 "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html" 92180 }, 92181 { 92182 "type": "WEB", 92183 "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html" 92184 }, 92185 { 92186 "type": "WEB", 92187 "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html" 92188 }, 92189 { 92190 "type": "WEB", 92191 "url": "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html" 92192 }, 92193 { 92194 "type": "WEB", 92195 "url": 
"http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html" 92196 }, 92197 { 92198 "type": "WEB", 92199 "url": "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html" 92200 }, 92201 { 92202 "type": "WEB", 92203 "url": "http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html" 92204 }, 92205 { 92206 "type": "WEB", 92207 "url": "http://lists.opensuse.org/opensuse-updates/2013-11/msg00023.html" 92208 }, 92209 { 92210 "type": "WEB", 92211 "url": "http://marc.info/?l=bugtraq\u0026m=138674031212883\u0026w=2" 92212 }, 92213 { 92214 "type": "WEB", 92215 "url": "http://marc.info/?l=bugtraq\u0026m=138674073720143\u0026w=2" 92216 }, 92217 { 92218 "type": "WEB", 92219 "url": "http://rhn.redhat.com/errata/RHSA-2013-1059.html" 92220 }, 92221 { 92222 "type": "WEB", 92223 "url": "http://rhn.redhat.com/errata/RHSA-2013-1060.html" 92224 }, 92225 { 92226 "type": "WEB", 92227 "url": "http://rhn.redhat.com/errata/RHSA-2013-1081.html" 92228 }, 92229 { 92230 "type": "WEB", 92231 "url": "http://rhn.redhat.com/errata/RHSA-2013-1440.html" 92232 }, 92233 { 92234 "type": "WEB", 92235 "url": "http://rhn.redhat.com/errata/RHSA-2013-1447.html" 92236 }, 92237 { 92238 "type": "WEB", 92239 "url": "http://rhn.redhat.com/errata/RHSA-2013-1451.html" 92240 }, 92241 { 92242 "type": "WEB", 92243 "url": "http://rhn.redhat.com/errata/RHSA-2013-1505.html" 92244 }, 92245 { 92246 "type": "WEB", 92247 "url": "http://rhn.redhat.com/errata/RHSA-2014-1818.html" 92248 }, 92249 { 92250 "type": "WEB", 92251 "url": "http://rhn.redhat.com/errata/RHSA-2014-1821.html" 92252 }, 92253 { 92254 "type": "WEB", 92255 "url": "http://rhn.redhat.com/errata/RHSA-2014-1822.html" 92256 }, 92257 { 92258 "type": "WEB", 92259 "url": "http://rhn.redhat.com/errata/RHSA-2014-1823.html" 92260 }, 92261 { 92262 "type": "WEB", 92263 "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html" 92264 }, 92265 { 92266 "type": "WEB", 92267 "url": 
"http://rhn.redhat.com/errata/RHSA-2015-0720.html" 92268 }, 92269 { 92270 "type": "WEB", 92271 "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html" 92272 }, 92273 { 92274 "type": "WEB", 92275 "url": "http://rhn.redhat.com/errata/RHSA-2015-0773.html" 92276 }, 92277 { 92278 "type": "WEB", 92279 "url": "http://security.gentoo.org/glsa/glsa-201406-32.xml" 92280 }, 92281 { 92282 "type": "WEB", 92283 "url": "http://support.apple.com/kb/HT5982" 92284 }, 92285 { 92286 "type": "WEB", 92287 "url": "http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250\u0026r2=1499506\u0026view=patch" 92288 }, 92289 { 92290 "type": "WEB", 92291 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IC98015" 92292 }, 92293 { 92294 "type": "WEB", 92295 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21644197" 92296 }, 92297 { 92298 "type": "WEB", 92299 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21653371" 92300 }, 92301 { 92302 "type": "WEB", 92303 "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21657539" 92304 }, 92305 { 92306 "type": "WEB", 92307 "url": "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html" 92308 }, 92309 { 92310 "type": "WEB", 92311 "url": "http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002" 92312 }, 92313 { 92314 "type": "WEB", 92315 "url": "http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013" 92316 }, 92317 { 92318 "type": "WEB", 92319 "url": "http://www.ibm.com/support/docview.wss?uid=swg21648172" 92320 }, 92321 { 92322 "type": "WEB", 92323 "url": "http://www.ubuntu.com/usn/USN-2033-1" 92324 }, 92325 { 92326 "type": "WEB", 92327 "url": "http://www.ubuntu.com/usn/USN-2089-1" 92328 } 92329 ], 92330 "schema_version": "1.6.0", 92331 "summary": "Missing XML Validation in Apache Xerces2" 92332 }, 92333 { 92334 
"affected": [ 92335 { 92336 "database_specific": { 92337 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-h65f-jvqw-m9fj/GHSA-h65f-jvqw-m9fj.json" 92338 }, 92339 "package": { 92340 "ecosystem": "Maven", 92341 "name": "xerces:xercesImpl", 92342 "purl": "pkg:maven/xerces/xercesImpl" 92343 }, 92344 "ranges": [ 92345 { 92346 "events": [ 92347 { 92348 "introduced": "0" 92349 }, 92350 { 92351 "fixed": "2.12.2" 92352 } 92353 ], 92354 "type": "ECOSYSTEM" 92355 } 92356 ], 92357 "versions": [ 92358 "2.0.0", 92359 "2.0.2", 92360 "2.10.0", 92361 "2.11.0", 92362 "2.12.0", 92363 "2.12.1", 92364 "2.2.1", 92365 "2.3.0", 92366 "2.4.0", 92367 "2.5.0", 92368 "2.6.0", 92369 "2.6.1", 92370 "2.6.2", 92371 "2.6.2-jaxb-1.0.6", 92372 "2.7.1", 92373 "2.8.0", 92374 "2.8.1", 92375 "2.9.0", 92376 "2.9.1" 92377 ] 92378 } 92379 ], 92380 "aliases": [ 92381 "CVE-2022-23437" 92382 ], 92383 "database_specific": { 92384 "cwe_ids": [ 92385 "CWE-91" 92386 ], 92387 "github_reviewed": true, 92388 "github_reviewed_at": "2022-01-25T20:46:16Z", 92389 "nvd_published_at": "2022-01-24T15:15:00Z", 92390 "severity": "MODERATE" 92391 }, 92392 "details": "There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. 
This vulnerability is present within XercesJ version 2.12.1 and the previous versions.", 92393 "id": "GHSA-h65f-jvqw-m9fj", 92394 "modified": "2024-02-16T08:21:32.697367Z", 92395 "published": "2022-01-27T16:13:07Z", 92396 "references": [ 92397 { 92398 "type": "ADVISORY", 92399 "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23437" 92400 }, 92401 { 92402 "type": "PACKAGE", 92403 "url": "https://github.com/jboss/xerces" 92404 }, 92405 { 92406 "type": "WEB", 92407 "url": "https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl" 92408 }, 92409 { 92410 "type": "WEB", 92411 "url": "https://security.netapp.com/advisory/ntap-20221028-0005" 92412 }, 92413 { 92414 "type": "WEB", 92415 "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" 92416 }, 92417 { 92418 "type": "WEB", 92419 "url": "https://www.oracle.com/security-alerts/cpujul2022.html" 92420 }, 92421 { 92422 "type": "WEB", 92423 "url": "http://www.openwall.com/lists/oss-security/2022/01/24/3" 92424 } 92425 ], 92426 "schema_version": "1.6.0", 92427 "severity": [ 92428 { 92429 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", 92430 "type": "CVSS_V3" 92431 } 92432 ], 92433 "summary": "Infinite Loop in Apache Xerces Java" 92434 }, 92435 { 92436 "affected": [ 92437 { 92438 "database_specific": { 92439 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-vmqm-g3vh-847m/GHSA-vmqm-g3vh-847m.json" 92440 }, 92441 "package": { 92442 "ecosystem": "Maven", 92443 "name": "xerces:xercesImpl", 92444 "purl": "pkg:maven/xerces/xercesImpl" 92445 }, 92446 "ranges": [ 92447 { 92448 "events": [ 92449 { 92450 "introduced": "0" 92451 }, 92452 { 92453 "fixed": "2.12.0" 92454 } 92455 ], 92456 "type": "ECOSYSTEM" 92457 } 92458 ], 92459 "versions": [ 92460 "2.0.0", 92461 "2.0.2", 92462 "2.10.0", 92463 "2.11.0", 92464 "2.2.1", 92465 "2.3.0", 92466 "2.4.0", 92467 "2.5.0", 92468 "2.6.0", 92469 "2.6.1", 92470 "2.6.2", 92471 "2.6.2-jaxb-1.0.6", 92472 "2.7.1", 92473 
"2.8.0", 92474 "2.8.1", 92475 "2.9.0", 92476 "2.9.1" 92477 ] 92478 } 92479 ], 92480 "aliases": [ 92481 "CVE-2012-0881" 92482 ], 92483 "database_specific": { 92484 "cwe_ids": [ 92485 "CWE-400" 92486 ], 92487 "github_reviewed": true, 92488 "github_reviewed_at": "2020-06-15T15:51:37Z", 92489 "nvd_published_at": "2017-10-30T16:29:00Z", 92490 "severity": "HIGH" 92491 }, 92492 "details": "Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.", 92493 "id": "GHSA-vmqm-g3vh-847m", 92494 "modified": "2024-03-11T05:17:10.70103Z", 92495 "published": "2020-06-15T18:51:38Z", 92496 "references": [ 92497 { 92498 "type": "ADVISORY", 92499 "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0881" 92500 }, 92501 { 92502 "type": "WEB", 92503 "url": "https://github.com/apache/xerces2-j/commit/992b5d9c24102ad20330d36c0a71162753a37449" 92504 }, 92505 { 92506 "type": "WEB", 92507 "url": "https://www.oracle.com//security-alerts/cpujul2021.html" 92508 }, 92509 { 92510 "type": "WEB", 92511 "url": "https://www.openwall.com/lists/oss-security/2014/07/08/11" 92512 }, 92513 { 92514 "type": "WEB", 92515 "url": "https://lists.apache.org/thread.html/rea7b831dceeb2a2fa817be6f63b08722042e3647fb2d47c144370a56@%3Ccommon-issues.hadoop.apache.org%3E" 92516 }, 92517 { 92518 "type": "WEB", 92519 "url": "https://lists.apache.org/thread.html/rea7b831dceeb2a2fa817be6f63b08722042e3647fb2d47c144370a56%40%3Ccommon-issues.hadoop.apache.org%3E" 92520 }, 92521 { 92522 "type": "WEB", 92523 "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E" 92524 }, 92525 { 92526 "type": "WEB", 92527 "url": "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E" 92528 }, 92529 { 92530 "type": "WEB", 92531 "url": 
"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" 92532 }, 92533 { 92534 "type": "WEB", 92535 "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" 92536 }, 92537 { 92538 "type": "WEB", 92539 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" 92540 }, 92541 { 92542 "type": "WEB", 92543 "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" 92544 }, 92545 { 92546 "type": "WEB", 92547 "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E" 92548 }, 92549 { 92550 "type": "WEB", 92551 "url": "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E" 92552 }, 92553 { 92554 "type": "WEB", 92555 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" 92556 }, 92557 { 92558 "type": "WEB", 92559 "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" 92560 }, 92561 { 92562 "type": "WEB", 92563 "url": "https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73@%3Cj-users.xerces.apache.org%3E" 92564 }, 92565 { 92566 "type": "WEB", 92567 "url": "https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73%40%3Cj-users.xerces.apache.org%3E" 92568 }, 92569 { 92570 "type": "WEB", 92571 "url": "https://issues.apache.org/jira/browse/XERCESJ-1685" 92572 }, 92573 { 92574 "type": "WEB", 92575 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=787104" 92576 } 92577 ], 92578 "schema_version": "1.6.0", 92579 
"severity": [ 92580 { 92581 "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 92582 "type": "CVSS_V3" 92583 } 92584 ], 92585 "summary": "Denial of service in Apache Xerces2" 92586 }, 92587 { 92588 "affected": [ 92589 { 92590 "database_specific": { 92591 "last_known_affected_version_range": "\u003c= 2.12.0.sp2", 92592 "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-w4jq-qh47-hvjq/GHSA-w4jq-qh47-hvjq.json" 92593 }, 92594 "package": { 92595 "ecosystem": "Maven", 92596 "name": "xerces:xercesImpl", 92597 "purl": "pkg:maven/xerces/xercesImpl" 92598 }, 92599 "ranges": [ 92600 { 92601 "events": [ 92602 { 92603 "introduced": "0" 92604 }, 92605 { 92606 "fixed": "2.12.0.sp3" 92607 } 92608 ], 92609 "type": "ECOSYSTEM" 92610 } 92611 ], 92612 "versions": [ 92613 "2.0.0", 92614 "2.0.2", 92615 "2.10.0", 92616 "2.11.0", 92617 "2.2.1", 92618 "2.3.0", 92619 "2.4.0", 92620 "2.5.0", 92621 "2.6.0", 92622 "2.6.1", 92623 "2.6.2", 92624 "2.6.2-jaxb-1.0.6", 92625 "2.7.1", 92626 "2.8.0", 92627 "2.8.1", 92628 "2.9.0", 92629 "2.9.1" 92630 ] 92631 } 92632 ], 92633 "aliases": [ 92634 "CVE-2020-14338" 92635 ], 92636 "database_specific": { 92637 "cwe_ids": [ 92638 "CWE-20" 92639 ], 92640 "github_reviewed": true, 92641 "github_reviewed_at": "2022-06-24T01:25:49Z", 92642 "nvd_published_at": "2020-09-17T15:15:00Z", 92643 "severity": "MODERATE" 92644 }, 92645 "details": "A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the \"use-grammar-pool-only\" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a similar code. 
All xerces jboss versions before 2.12.0.SP3.", 92646 "id": "GHSA-w4jq-qh47-hvjq", 92647 "modified": "2023-11-08T04:02:26.293474Z", 92648 "published": "2022-02-15T01:37:41Z", 92649 "references": [ 92650 { 92651 "type": "ADVISORY", 92652 "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14338" 92653 }, 92654 { 92655 "type": "WEB", 92656 "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1860054" 92657 }, 92658 { 92659 "type": "WEB", 92660 "url": "https://lists.apache.org/thread.html/rf96c5afb26b596b4b97883aa90b6c0b0fc4c26aaeea7123c21912103@%3Cj-users.xerces.apache.org%3E" 92661 } 92662 ], 92663 "schema_version": "1.6.0", 92664 "severity": [ 92665 { 92666 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", 92667 "type": "CVSS_V3" 92668 } 92669 ], 92670 "summary": "Improper Input Validation in Xerces" 92671 } 92672 ] 92673 }