Open mend-for-github-com[bot] opened 1 year ago
mend-for-github-com[bot]
commented
1 year ago :heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
mend-for-github-com[bot]
commented
1 year ago :information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.9/spring-security-web-5.4.9.jar
Found in HEAD commit: 314b51cb1b7d33fcceac08ef7ce60aea3f6c3923
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-1597
### Vulnerable Library - postgresql-42.1.4.jarJava JDBC 4.2 (JRE 8+) driver for PostgreSQL database
Library home page: https://jdbc.postgresql.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/postgresql/postgresql/42.1.4/postgresql-42.1.4.jar
Dependency Hierarchy: - seata-server-1.5.0.jar (Root Library) - :x: **postgresql-42.1.4.jar** (Vulnerable Library)
Found in HEAD commit: 314b51cb1b7d33fcceac08ef7ce60aea3f6c3923
Found in base branch: main
### Vulnerability Detailspgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.
Publish Date: 2024-02-19
URL: CVE-2024-1597
### CVSS 3 Score Details (10.0)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-1597
Release Date: 2024-02-19
Fix Resolution (org.postgresql:postgresql): 42.2.7.jre6
Direct dependency fix Resolution (io.seata:seata-server): 1.6.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
WS-2022-0080
### Vulnerable Library - postgresql-42.1.4.jarJava JDBC 4.2 (JRE 8+) driver for PostgreSQL database
Library home page: https://jdbc.postgresql.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/postgresql/postgresql/42.1.4/postgresql-42.1.4.jar
Dependency Hierarchy: - seata-server-1.5.0.jar (Root Library) - :x: **postgresql-42.1.4.jar** (Vulnerable Library)
Found in HEAD commit: 314b51cb1b7d33fcceac08ef7ce60aea3f6c3923
Found in base branch: main
### Vulnerability DetailsIn org.postgresql:postgresql before 42.3.3 the connection properties for configuring a pgjdbc connection are not meant to be exposed to an unauthenticated attacker. While allowing an attacker to specify arbitrary connection properties could lead to a compromise of a system, that's a defect of an application that allows unauthenticated attackers that level of control.
Publish Date: 2024-11-03
URL: WS-2022-0080
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-673j-qm5f-xpv8
Release Date: 2024-11-03
Fix Resolution: org.postgresql:postgresql:42.3.3
CVE-2024-46983
### Vulnerable Library - hessian-3.3.6.jarAn internal improved version of Hessian powered by Ant Financial.
Library home page: http://www.antfin.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/alipay/sofa/hessian/3.3.6/hessian-3.3.6.jar
Dependency Hierarchy: - seata-server-1.5.0.jar (Root Library) - seata-discovery-all-1.5.0.jar - seata-discovery-sofa-1.5.0.jar - registry-client-all-5.2.0.jar - :x: **hessian-3.3.6.jar** (Vulnerable Library)
Found in HEAD commit: 314b51cb1b7d33fcceac08ef7ce60aea3f6c3923
Found in base branch: main
### Vulnerability Detailssofa-hessian is an internal improved version of Hessian3/4 powered by Ant Group CO., Ltd. The SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. This issue is fixed by an update to the blacklist, users can upgrade to sofahessian version 3.5.5 to avoid this issue. Users unable to upgrade may maintain a blacklist themselves in the directory `external/serialize.blacklist`.
Publish Date: 2024-09-19
URL: CVE-2024-46983
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/sofastack/sofa-hessian/security/advisories/GHSA-c459-2m73-67hj
Release Date: 2024-09-19
Fix Resolution: com.alipay.sofa:hessian:3.5.5
CVE-2022-23305
### Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy: - seata-server-1.5.0.jar (Root Library) - seata-config-all-1.5.0.jar - seata-config-zk-1.5.0.jar - zkclient-0.11.jar - zookeeper-3.4.13.jar - :x: **log4j-1.2.17.jar** (Vulnerable Library)
Found in HEAD commit: 314b51cb1b7d33fcceac08ef7ce60aea3f6c3923
Found in base branch: main
### Vulnerability DetailsBy design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23305
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2
CVE-2022-23221
### Vulnerable Library - h2-1.4.181.jarH2 Database Engine
Library home page: http://www.h2database.com
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/h2database/h2/1.4.181/h2-1.4.181.jar
Dependency Hierarchy: - seata-server-1.5.0.jar (Root Library) - :x: **h2-1.4.181.jar** (Vulnerable Library)
Found in HEAD commit: 314b51cb1b7d33fcceac08ef7ce60aea3f6c3923
Found in base branch: main
### Vulnerability DetailsH2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
Publish Date: 2022-01-19
URL: CVE-2022-23221
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-01-19
Fix Resolution: com.h2database:h2:2.1.210
CVE-2022-22978
### Vulnerable Library - spring-security-web-5.4.9.jarspring-security-web
Library home page: https://spring.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.9/spring-security-web-5.4.9.jar
Dependency Hierarchy: - seata-server-1.5.0.jar (Root Library) - seata-console-1.5.0.jar - spring-boot-starter-security-2.4.13.jar - :x: **spring-security-web-5.4.9.jar** (Vulnerable Library)
Found in HEAD commit: 314b51cb1b7d33fcceac08ef7ce60aea3f6c3923
Found in base branch: main
### Vulnerability DetailsIn spring security versions prior to 5.4.11+, 5.5.7+ , 5.6.4+ and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Publish Date: 2022-05-19
URL: CVE-2022-22978
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://spring.io/security/cve-2022-22978/
Release Date: 2022-05-19
Fix Resolution (org.springframework.security:spring-security-web): 5.4.11
Direct dependency fix Resolution (io.seata:seata-server): 1.6.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-22965
### Vulnerable Library - spring-beans-5.3.13.jarSpring Beans
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.13/spring-beans-5.3.13.jar
Dependency Hierarchy: - seata-server-1.5.0.jar (Root Library) - spring-boot-starter-web-2.4.13.jar - spring-boot-starter-2.4.13.jar - spring-boot-2.4.13.jar - spring-context-5.3.13.jar - spring-aop-5.3.13.jar - :x: **spring-beans-5.3.13.jar** (Vulnerable Library)
Found in HEAD commit: 314b51cb1b7d33fcceac08ef7ce60aea3f6c3923
Found in base branch: main
### Vulnerability DetailsA Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. Mend Note: Converted from WS-2022-0107, on 2022-11-07.
Publish Date: 2022-04-01
URL: CVE-2022-22965
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Release Date: 2022-04-01
Fix Resolution (org.springframework:spring-beans): 5.3.18
Direct dependency fix Resolution (io.seata:seata-server): 1.6.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-42392
### Vulnerable Library - h2-1.4.181.jarH2 Database Engine
Library home page: http://www.h2database.com
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/h2database/h2/1.4.181/h2-1.4.181.jar
Dependency Hierarchy: - seata-server-1.5.0.jar (Root Library) - :x: **h2-1.4.181.jar** (Vulnerable Library)
Found in HEAD commit: 314b51cb1b7d33fcceac08ef7ce60aea3f6c3923
Found in base branch: main
### Vulnerability DetailsThe org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.
Publish Date: 2022-01-07
URL: CVE-2021-42392
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6
Release Date: 2022-01-07
Fix Resolution: com.h2database:h2:2.0.206
CVE-2020-9493
### Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy: - seata-server-1.5.0.jar (Root Library) - seata-config-all-1.5.0.jar - seata-config-zk-1.5.0.jar - zkclient-0.11.jar - zookeeper-3.4.13.jar - :x: **log4j-1.2.17.jar** (Vulnerable Library)
Found in HEAD commit: 314b51cb1b7d33fcceac08ef7ce60aea3f6c3923
Found in base branch: main
### Vulnerability DetailsA deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
Publish Date: 2021-06-16
URL: CVE-2020-9493
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1
Release Date: 2021-06-16
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
CVE-2019-17571
### Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy: - seata-server-1.5.0.jar (Root Library) - seata-config-all-1.5.0.jar - seata-config-zk-1.5.0.jar - zkclient-0.11.jar - zookeeper-3.4.13.jar - :x: **log4j-1.2.17.jar** (Vulnerable Library)
Found in HEAD commit: 314b51cb1b7d33fcceac08ef7ce60aea3f6c3923
Found in base branch: main
### Vulnerability DetailsIncluded in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Publish Date: 2019-12-20
URL: CVE-2019-17571
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E
Release Date: 2019-12-20
Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16
CVE-2016-1000027
### Vulnerable Library - spring-web-5.3.13.jarSpring Web
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.13/spring-web-5.3.13.jar
Dependency Hierarchy: - seata-server-1.5.0.jar (Root Library) - spring-boot-starter-web-2.4.13.jar - spring-boot-starter-json-2.4.13.jar - :x: **spring-web-5.3.13.jar** (Vulnerable Library)
Found in HEAD commit: 314b51cb1b7d33fcceac08ef7ce60aea3f6c3923
Found in base branch: main
### Vulnerability DetailsPivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data. Mend Note: After conducting further research, Mend has determined that all versions of spring-web up to version 6.0.0 are vulnerable to CVE-2016-1000027.
Publish Date: 2020-01-02
URL: CVE-2016-1000027
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-4wrc-f8pq-fpqp
Release Date: 2020-01-02
Fix Resolution: org.springframework:spring-web:6.0.0
CVE-2024-38821
### Vulnerable Library - spring-security-web-5.4.9.jarspring-security-web
Library home page: https://spring.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.9/spring-security-web-5.4.9.jar
Dependency Hierarchy: - seata-server-1.5.0.jar (Root Library) - seata-console-1.5.0.jar - spring-boot-starter-security-2.4.13.jar - :x: **spring-security-web-5.4.9.jar** (Vulnerable Library)
Found in HEAD commit: 314b51cb1b7d33fcceac08ef7ce60aea3f6c3923
Found in base branch: main
### Vulnerability DetailsSpring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: It must be a WebFlux application, It must be using Spring's static resources support, and it must have a non-permitAll authorization rule applied to the static resources support.
Publish Date: 2024-10-28
URL: CVE-2024-38821
### CVSS 3 Score Details (9.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://spring.io/security/cve-2024-38821
Release Date: 2024-06-20
Fix Resolution: org.springframework.security:spring-security-web:5.7.13,5.8.15,6.0.13,6.1.11,6.2.7,6.3.4
CVE-2023-44981
### Vulnerable Library - zookeeper-3.4.13.jarPath to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/zookeeper/zookeeper/3.4.13/zookeeper-3.4.13.jar
Dependency Hierarchy: - seata-server-1.5.0.jar (Root Library) - seata-config-all-1.5.0.jar - seata-config-zk-1.5.0.jar - zkclient-0.11.jar - :x: **zookeeper-3.4.13.jar** (Vulnerable Library)
Found in HEAD commit: 314b51cb1b7d33fcceac08ef7ce60aea3f6c3923
Found in base branch: main
### Vulnerability DetailsAuthorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default. Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue. Alternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue. See the documentation for more details on correct cluster administration.
Publish Date: 2023-10-11
URL: CVE-2023-44981
### CVSS 3 Score Details (9.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b
Release Date: 2023-10-11
Fix Resolution: org.apache.zookeeper:zookeeper:3.7.2,3.8.3,3.9.1
CVE-2022-23307
### Vulnerable Library - log4j-1.2.17.jarApache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
Dependency Hierarchy: - seata-server-1.5.0.jar (Root Library) - seata-config-all-1.5.0.jar - seata-config-zk-1.5.0.jar - zkclient-0.11.jar - zookeeper-3.4.13.jar - :x: **log4j-1.2.17.jar** (Vulnerable Library)
Found in HEAD commit: 314b51cb1b7d33fcceac08ef7ce60aea3f6c3923
Found in base branch: main
### Vulnerability DetailsCVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Publish Date: 2022-01-18
URL: CVE-2022-23307
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.