Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (17 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
The Netty project is an effort to provide an asynchronous event-driven
network application framework and tools for rapid development of
maintainable high performance and high scalability protocol servers and
clients. In other words, Netty is a NIO client server framework which
enables quick and easy development of network applications such as protocol
servers and clients. It greatly simplifies and streamlines network
programming such as TCP and UDP socket server.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
** UNSUPPORTED WHEN ASSIGNED **
When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested)
hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.
This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
JSON (JavaScript Object Notation) is a lightweight data-interchange format.
It is easy for humans to read and write. It is easy for machines to parse and generate.
It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition
- December 1999. JSON is a text format that is completely language independent but uses
conventions that are familiar to programmers of the C-family of languages, including C, C++, C#,
Java, JavaScript, Perl, Python, and many others.
These properties make JSON an ideal data-interchange language.
Path to vulnerable library: /home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar
[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib.
When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.
It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
The Netty project is an effort to provide an asynchronous event-driven
network application framework and tools for rapid development of
maintainable high performance and high scalability protocol servers and
clients. In other words, Netty is a NIO client server framework which
enables quick and easy development of network applications such as protocol
servers and clients. It greatly simplifies and streamlines network
programming such as TCP and UDP socket server.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar
A serialization vulnerability in logback receiver component part of
logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
Mend Note: Converted from WS-2021-0491, on 2022-11-07.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar
In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar
n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
JSON (JavaScript Object Notation) is a lightweight data-interchange format.
It is easy for humans to read and write. It is easy for machines to parse and generate.
It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition
- December 1999. JSON is a text format that is completely language independent but uses
conventions that are familiar to programmers of the C-family of languages, including C, C++, C#,
Java, JavaScript, Perl, Python, and many others.
These properties make JSON an ideal data-interchange language.
Path to vulnerable library: /home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar
An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.
Guava is a suite of core and expanded libraries that include
utility classes, google's collections, io classes, and much
much more.
Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar,/home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar,/home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar,/home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar,/home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar,/home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar,/home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-23305
### Vulnerable Library - log4j-1.2.16.jarApache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy: - nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library) - nifi-web-security-1.4.0-SNAPSHOT.jar - nifi-framework-core-1.4.0-SNAPSHOT.jar - zookeeper-3.4.6.jar - slf4j-log4j12-1.7.25.jar - :x: **log4j-1.2.16.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability DetailsBy design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23305
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2
CVE-2020-9493
### Vulnerable Library - log4j-1.2.16.jarApache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy: - nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library) - nifi-web-security-1.4.0-SNAPSHOT.jar - nifi-framework-core-1.4.0-SNAPSHOT.jar - zookeeper-3.4.6.jar - slf4j-log4j12-1.7.25.jar - :x: **log4j-1.2.16.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability DetailsA deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
Publish Date: 2021-06-16
URL: CVE-2020-9493
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1
Release Date: 2021-06-16
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
CVE-2019-17571
### Vulnerable Library - log4j-1.2.16.jarApache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy: - nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library) - nifi-web-security-1.4.0-SNAPSHOT.jar - nifi-framework-core-1.4.0-SNAPSHOT.jar - zookeeper-3.4.6.jar - slf4j-log4j12-1.7.25.jar - :x: **log4j-1.2.16.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability DetailsIncluded in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Publish Date: 2019-12-20
URL: CVE-2019-17571
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E
Release Date: 2019-12-20
Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16
CVE-2019-20444
### Vulnerable Library - netty-3.7.0.Final.jarThe Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
Dependency Hierarchy: - nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library) - nifi-web-security-1.4.0-SNAPSHOT.jar - nifi-framework-core-1.4.0-SNAPSHOT.jar - zookeeper-3.4.6.jar - :x: **netty-3.7.0.Final.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability DetailsHttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
Publish Date: 2020-01-29
URL: CVE-2019-20444
### CVSS 3 Score Details (9.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444
Release Date: 2020-01-29
Fix Resolution: io.netty:netty-all:4.1.44.Final
CVE-2022-23307
### Vulnerable Library - log4j-1.2.16.jarApache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy: - nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library) - nifi-web-security-1.4.0-SNAPSHOT.jar - nifi-framework-core-1.4.0-SNAPSHOT.jar - zookeeper-3.4.6.jar - slf4j-log4j12-1.7.25.jar - :x: **log4j-1.2.16.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability DetailsCVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Publish Date: 2022-01-18
URL: CVE-2022-23307
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
CVE-2022-23302
### Vulnerable Library - log4j-1.2.16.jarApache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy: - nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library) - nifi-web-security-1.4.0-SNAPSHOT.jar - nifi-framework-core-1.4.0-SNAPSHOT.jar - zookeeper-3.4.6.jar - slf4j-log4j12-1.7.25.jar - :x: **log4j-1.2.16.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability DetailsJMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23302
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
CVE-2023-26464
### Vulnerable Library - log4j-1.2.16.jarApache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy: - nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library) - nifi-web-security-1.4.0-SNAPSHOT.jar - nifi-framework-core-1.4.0-SNAPSHOT.jar - zookeeper-3.4.6.jar - slf4j-log4j12-1.7.25.jar - :x: **log4j-1.2.16.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability Details** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized. This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-10
URL: CVE-2023-26464
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-vp98-w2p3-mv35
Release Date: 2023-03-10
Fix Resolution: org.apache.logging.log4j:log4j-core:2.0
CVE-2023-1370
### Vulnerable Library - json-smart-2.1.1.jarJSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.
Library home page: http://www.minidev.net/
Path to dependency file: /nifi-bootstrap/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar
Dependency Hierarchy: - nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library) - nifi-web-security-1.4.0-SNAPSHOT.jar - nifi-administration-1.4.0-SNAPSHOT.jar - nifi-framework-core-api-1.4.0-SNAPSHOT.jar - nifi-framework-authorization-1.4.0-SNAPSHOT.jar - nifi-expression-language-1.4.0-SNAPSHOT.jar - json-path-2.0.0.jar - :x: **json-smart-2.1.1.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability Details[Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
Publish Date: 2023-03-13
URL: CVE-2023-1370
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
Release Date: 2023-03-22
Fix Resolution: net.minidev:json-smart:2.4.9
CVE-2021-4104
### Vulnerable Library - log4j-1.2.16.jarApache Log4j 1.2
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy: - nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library) - nifi-web-security-1.4.0-SNAPSHOT.jar - nifi-framework-core-1.4.0-SNAPSHOT.jar - zookeeper-3.4.6.jar - slf4j-log4j12-1.7.25.jar - :x: **log4j-1.2.16.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability DetailsJMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2021-12-14
URL: CVE-2021-4104
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104
Release Date: 2021-12-14
Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module
CVE-2015-2156
### Vulnerable Library - netty-3.7.0.Final.jarThe Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.
Library home page: http://netty.io/
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty/3.7.0.Final/netty-3.7.0.Final.jar
Dependency Hierarchy: - nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library) - nifi-web-security-1.4.0-SNAPSHOT.jar - nifi-framework-core-1.4.0-SNAPSHOT.jar - zookeeper-3.4.6.jar - :x: **netty-3.7.0.Final.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability DetailsNetty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
Publish Date: 2017-10-18
URL: CVE-2015-2156
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2156
Release Date: 2017-10-18
Fix Resolution: io.netty:netty:3.9.8.Final,io.netty:netty:3.10.3.Final,io.netty:netty-all:4.0.28.Final,io.netty:netty-codec-http:4.0.28.Final,io.netty:netty-codec-http:4.1.0.Beta5
CVE-2023-6481
### Vulnerable Library - logback-core-1.2.3.jarlogback-core module
Library home page: http://www.qos.ch
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar
Dependency Hierarchy: - nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library) - nifi-web-security-1.4.0-SNAPSHOT.jar - nifi-framework-core-1.4.0-SNAPSHOT.jar - nifi-properties-loader-1.4.0-SNAPSHOT.jar - logback-classic-1.2.3.jar - :x: **logback-core-1.2.3.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability DetailsA serialization vulnerability in logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.
Publish Date: 2023-12-04
URL: CVE-2023-6481
### CVSS 3 Score Details (7.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-6481
Release Date: 2023-12-04
Fix Resolution: ch.qos.logback:logback-core:1.2.13,1.3.14,1.4.14
CVE-2021-42550
### Vulnerable Library - logback-core-1.2.3.jarlogback-core module
Library home page: http://www.qos.ch
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar
Dependency Hierarchy: - nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library) - nifi-web-security-1.4.0-SNAPSHOT.jar - nifi-framework-core-1.4.0-SNAPSHOT.jar - nifi-properties-loader-1.4.0-SNAPSHOT.jar - logback-classic-1.2.3.jar - :x: **logback-core-1.2.3.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability DetailsIn logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers. Mend Note: Converted from WS-2021-0491, on 2022-11-07.
Publish Date: 2021-12-16
URL: CVE-2021-42550
### CVSS 3 Score Details (6.6)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=VE-2021-42550
Release Date: 2021-12-16
Fix Resolution: ch.qos.logback:logback-classic:1.2.9;ch.qos.logback:logback-core:1.2.9
CVE-2023-20863
### Vulnerable Library - spring-expression-4.2.4.RELEASE.jarSpring Expression Language (SpEL)
Library home page: http://projects.spring.io/spring-framework
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar
Dependency Hierarchy: - nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library) - nifi-web-security-1.4.0-SNAPSHOT.jar - nifi-administration-1.4.0-SNAPSHOT.jar - spring-context-4.2.4.RELEASE.jar - :x: **spring-expression-4.2.4.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability DetailsIn spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Publish Date: 2023-04-13
URL: CVE-2023-20863
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://spring.io/security/cve-2023-20863
Release Date: 2023-04-13
Fix Resolution: org.springframework:spring-expression - 5.2.24.RELEASE,5.3.27,6.0.8
CVE-2023-20861
### Vulnerable Library - spring-expression-4.2.4.RELEASE.jarSpring Expression Language (SpEL)
Library home page: http://projects.spring.io/spring-framework
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar
Dependency Hierarchy: - nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library) - nifi-web-security-1.4.0-SNAPSHOT.jar - nifi-administration-1.4.0-SNAPSHOT.jar - spring-context-4.2.4.RELEASE.jar - :x: **spring-expression-4.2.4.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability DetailsIn Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Publish Date: 2023-03-23
URL: CVE-2023-20861
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://spring.io/security/cve-2023-20861
Release Date: 2023-03-23
Fix Resolution: org.springframework:spring-expression:x5.2.23.RELEASE,5.3.26,6.0.7
CVE-2022-22950
### Vulnerable Library - spring-expression-4.2.4.RELEASE.jarSpring Expression Language (SpEL)
Library home page: http://projects.spring.io/spring-framework
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.2.4.RELEASE/spring-expression-4.2.4.RELEASE.jar
Dependency Hierarchy: - nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library) - nifi-web-security-1.4.0-SNAPSHOT.jar - nifi-administration-1.4.0-SNAPSHOT.jar - spring-context-4.2.4.RELEASE.jar - :x: **spring-expression-4.2.4.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability Detailsn Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
Publish Date: 2022-04-01
URL: CVE-2022-22950
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2022-22950
Release Date: 2022-04-01
Fix Resolution: org.springframework:spring-expression:5.2.20,5.3.17
CVE-2021-27568
### Vulnerable Library - json-smart-2.1.1.jarJSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.
Library home page: http://www.minidev.net/
Path to dependency file: /nifi-bootstrap/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar,/home/wss-scanner/.m2/repository/net/minidev/json-smart/2.1.1/json-smart-2.1.1.jar
Dependency Hierarchy: - nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library) - nifi-web-security-1.4.0-SNAPSHOT.jar - nifi-administration-1.4.0-SNAPSHOT.jar - nifi-framework-core-api-1.4.0-SNAPSHOT.jar - nifi-framework-authorization-1.4.0-SNAPSHOT.jar - nifi-expression-language-1.4.0-SNAPSHOT.jar - json-path-2.0.0.jar - :x: **json-smart-2.1.1.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability DetailsAn issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.
Publish Date: 2021-02-23
URL: CVE-2021-27568
### CVSS 3 Score Details (5.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2021-02-23
Fix Resolution: net.minidev:json-smart-mini:1.3.2;net.minidev:json-smart:1.3.2,2.3.1,2.4.2;net.minidev:json-smart-action:2.3.1,2.4.2
CVE-2018-10237
### Vulnerable Library - guava-18.0.jarGuava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more. Guava has only one code dependency - javax.annotation, per the JSR-305 spec.
Library home page: http://code.google.com/p/guava-libraries
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar,/home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar,/home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar,/home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar,/home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar,/home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar,/home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar
Dependency Hierarchy: - nifi-jetty-1.4.0-SNAPSHOT.jar (Root Library) - nifi-web-security-1.4.0-SNAPSHOT.jar - nifi-framework-core-1.4.0-SNAPSHOT.jar - curator-framework-2.11.0.jar - curator-client-2.11.0.jar - :x: **guava-18.0.jar** (Vulnerable Library)
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
### Vulnerability DetailsUnbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
Publish Date: 2018-04-26
URL: CVE-2018-10237
### CVSS 3 Score Details (5.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237
Release Date: 2018-04-26
Fix Resolution: 24.1.1-jre, 24.1.1-android