zookeeper-dev mailing list archives

From "Enrico Olivelli (JIRA)" <j...@apache.org>
Subject [jira] [Created] (ZOOKEEPER-3262) Update dependencies flagged by OWASP report
Date Wed, 30 Jan 2019 20:51:00 GMT
Enrico Olivelli created ZOOKEEPER-3262:
------------------------------------------

             Summary: Update dependencies flagged by OWASP report
                 Key: ZOOKEEPER-3262
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3262
             Project: ZooKeeper
          Issue Type: Improvement
          Components: security
    Affects Versions: 3.6.0, 3.5.5, 3.4.14
            Reporter: Enrico Olivelli
            Assignee: Enrico Olivelli
             Fix For: 3.6.0, 3.5.5, 3.4.14


Currently the OWASP plugin is reporting these vulnerabilities:
||CVE||CWE||Severity (CVSS)||Dependency||
|[CVE-2018-14719|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14719]|CWE-502 Deserialization of Untrusted Data|High (7.5)|jackson-databind-2.9.5.jar|
|[CVE-2018-14720|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14720]|CWE-611 Improper Restriction of XML External Entity Reference ('XXE')|High (7.5)|jackson-databind-2.9.5.jar|
|[CVE-2018-14721|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14721]|CWE-918 Server-Side Request Forgery (SSRF)|High (7.5)|jackson-databind-2.9.5.jar|
|[CVE-2018-19360|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19360]|CWE-502 Deserialization of Untrusted Data|High (7.5)|jackson-databind-2.9.5.jar|
|[CVE-2018-19361|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19361]|CWE-502 Deserialization of Untrusted Data|High (7.5)|jackson-databind-2.9.5.jar|
|[CVE-2018-19362|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19362]|CWE-502 Deserialization of Untrusted Data|High (7.5)|jackson-databind-2.9.5.jar|
|[CVE-2017-7657|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7657]|CWE-190 Integer Overflow or Wraparound|High (7.5)|jetty-http-9.4.10.v20180503.jar|
|[CVE-2017-7658|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7658]|CWE-19 Data Processing Errors|High (7.5)|jetty-http-9.4.10.v20180503.jar|
|[CVE-2018-1000873|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000873]|CWE-20 Improper Input Validation|Medium (5.0)|jackson-databind-2.9.5.jar|
|[CVE-2017-7656|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7656]|CWE-284 Improper Access Control|Medium (5.0)|jetty-http-9.4.10.v20180503.jar|
|[CVE-2018-12536|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12536]|CWE-200 Information Exposure|Medium (5.0)|jetty-http-9.4.10.v20180503.jar|
|[CVE-2018-12056|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12056]|CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)|Medium (5.0)|netty-all-4.1.29.Final.jar|

We have to upgrade all of them or add suppressions.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
