alibaba / nacos

an easy-to-use dynamic service discovery, configuration and service management platform for building cloud native applications.
https://nacos.io
Apache License 2.0
30.28k stars, 12.84k forks

nacos server 2.3.2 does not pass xray vulnerability scanning #12124

Closed HotSince91 closed 4 months ago

HotSince91 commented 5 months ago

CVEs are listed below for the latest Nacos version, 2.3.2. Could we upgrade those jars some time in the next version?


| Severity | Component | CVEs | impact_paths |
| -- | -- | -- | -- |
| High | commons-io:commons-io:2.7 | XRAY-125253 (High), fixVersion: [2.8.0-RC1] | nacos-server.jar/BOOT-INF/lib/commons-io-2.7.jar |
| High | org.springframework.security:spring-security-core:5.7.11 | CVE-2024-22257 (High), fixVersion: [5.7.12]\|[5.8.11]\|[6.1.8]\|[6.2.3] | nacos-server.jar/BOOT-INF/lib/spring-security-core-5.7.11.jar |
| Medium | org.apache.tomcat.embed:tomcat-embed-websocket:9.0.83 | CVE-2024-23672 (Medium), fixVersion: [10.1.19]\|[11.0.0-M17]\|[8.5.99]\|[9.0.86] | nacos-server.jar/BOOT-INF/lib/tomcat-embed-websocket-9.0.83.jar |
| Medium | com.fasterxml.jackson.core:jackson-databind:2.13.5 | CVE-2023-35116 (Medium), no fixVersion listed | nacos-server.jar/BOOT-INF/lib/jackson-databind-2.13.5.jar |
| Critical | org.apache.derby:derby:10.14.2.0 | CVE-2022-46337 (Critical), fixVersion: [10.14.3]\|[10.15.2.1]\|[10.16.1.2]\|[10.17.1.0] | nacos-server.jar/BOOT-INF/lib/derby-10.14.2.0.jar |
| Critical | org.springframework:spring-web:5.3.33 | CVE-2016-1000027 (Critical), fixVersion: [6.0.0]; CVE-2024-22262 (High), fixVersion: [5.3.34]\|[6.0.19]\|[6.1.6] | nacos-server.jar/BOOT-INF/lib/spring-web-5.3.33.jar |
| High | com.mysql:mysql-connector-j:8.0.33 | CVE-2023-22102 (High), no fixVersion listed | nacos-server.jar/BOOT-INF/lib/mysql-connector-j-8.0.33.jar |
| Medium | org.apache.tomcat.embed:tomcat-embed-core:9.0.83 | CVE-2024-24549 (Medium), fixVersion: [10.1.19]\|[11.0.0-M17]\|[8.5.99]\|[9.0.86] | nacos-server.jar/BOOT-INF/lib/tomcat-embed-core-9.0.83.jar |
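The report above gives, per shaded jar under `BOOT-INF/lib`, the fix versions xray knows about. A quick way to re-check any Nacos build against that list (for example a later release) is to open the fat jar, read the `BOOT-INF/lib/*.jar` entry names, and compare each flagged artifact's version with the fix version on its own `major.minor` branch. The script below is an added example written for this page, not Nacos project code or xray output. The advisory table is transcribed from the report; `ADVISORIES`, `audit_fat_jar`, `is_fixed` and `build_sample_jar` are names chosen here, and the stand-in jar it builds is constructed from the report's file names (empty entries, since only the names matter). Its branch-matching rule is a simplification of how a scanner resolves fix lines and is labelled as such in the code.

```python
"""Check a Spring Boot fat jar's BOOT-INF/lib entries against the fix versions
from an xray report. Added example for this issue page, not Nacos project code."""
import io
import re
import sys
import zipfile

# Advisories transcribed from the report: artifact -> [(advisory id, fix versions)].
# An empty fix list means the report listed the CVE without a fixVersion.
ADVISORIES = {
    "commons-io": [("XRAY-125253", ["2.8.0-RC1"])],
    "spring-security-core": [("CVE-2024-22257", ["5.7.12", "5.8.11", "6.1.8", "6.2.3"])],
    "tomcat-embed-websocket": [("CVE-2024-23672", ["8.5.99", "9.0.86", "10.1.19", "11.0.0-M17"])],
    "tomcat-embed-core": [("CVE-2024-24549", ["8.5.99", "9.0.86", "10.1.19", "11.0.0-M17"])],
    "jackson-databind": [("CVE-2023-35116", [])],
    "derby": [("CVE-2022-46337", ["10.14.3", "10.15.2.1", "10.16.1.2", "10.17.1.0"])],
    "spring-web": [("CVE-2016-1000027", ["6.0.0"]),
                   ("CVE-2024-22262", ["5.3.34", "6.0.19", "6.1.6"])],
    "mysql-connector-j": [("CVE-2023-22102", [])],
}

# "spring-security-core-5.7.11.jar" -> artifact "spring-security-core", version "5.7.11"
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


def parse_version(text):
    """Turn '11.0.0-M17' into a sortable key: four numeric parts, then a flag
    that ranks pre-release suffixes (M17, RC1) below the plain release."""
    release, _, suffix = text.partition("-")
    nums = tuple(int(p) for p in release.split(".") if p.isdigit())
    nums = nums + (0,) * (4 - len(nums))
    return nums + ((1, "") if not suffix else (0, suffix))


def is_fixed(version, fix_versions):
    """True if `version` is at or above the fix version for its own major.minor
    branch. Simplification (assumption of this example): when no listed fix
    shares the branch, compare against the lowest fix version instead."""
    v = parse_version(version)
    same_branch = [f for f in fix_versions if parse_version(f)[:2] == v[:2]]
    candidates = same_branch or [min(fix_versions, key=parse_version)]
    return v >= parse_version(min(candidates, key=parse_version))


def audit_fat_jar(data):
    """Scan BOOT-INF/lib/*.jar names inside a fat jar (given as bytes) and return
    sorted (jar name, advisory, status) tuples for every unresolved advisory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as fat:
        for entry in fat.namelist():
            if not entry.startswith("BOOT-INF/lib/") or not entry.endswith(".jar"):
                continue
            jar = entry.rsplit("/", 1)[1]
            m = JAR_NAME.match(jar)
            if not m or m["artifact"] not in ADVISORIES:
                continue
            for advisory, fixes in ADVISORIES[m["artifact"]]:
                if not fixes:
                    status = "review: no fixVersion in report"
                elif is_fixed(m["version"], fixes):
                    continue
                else:
                    status = "vulnerable, fix in " + " | ".join(fixes)
                findings.append((jar, advisory, status))
    return sorted(findings)


def build_sample_jar(lib_jars):
    """Constructed stand-in for nacos-server.jar: a zip whose BOOT-INF/lib holds
    empty entries with the given file names (only the names are inspected)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for jar in lib_jars:
            z.writestr("BOOT-INF/lib/" + jar, b"")
    return buf.getvalue()


# File names taken from the impact_paths column of the report (constructed sample).
REPORTED_LIBS = [
    "commons-io-2.7.jar", "spring-security-core-5.7.11.jar",
    "tomcat-embed-websocket-9.0.83.jar", "jackson-databind-2.13.5.jar",
    "derby-10.14.2.0.jar", "spring-web-5.3.33.jar",
    "mysql-connector-j-8.0.33.jar", "tomcat-embed-core-9.0.83.jar",
]

if __name__ == "__main__":
    # Pass a real fat jar path to audit it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar(REPORTED_LIBS)
    for jar, advisory, status in audit_fat_jar(data):
        print(f"{jar:40} {advisory:18} {status}")
```

Run it with the path to a fat jar as the first argument, or with no argument to see the constructed 2.3.2 sample produce nine findings (spring-web is flagged twice because CVE-2016-1000027 has no fix on the 5.3 branch at all, so bumping to 5.3.34 clears CVE-2024-22262 but not that one). Entries the report listed without a fixVersion are printed for manual review rather than silently passed.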

KomachiSion commented 5 months ago

Some of the dependencies have been upgraded in the develop branch. Please check whether more dependencies need to be upgraded.

webapple commented 5 months ago

My company has asked me to fix the security flaw in spring-security at the end of May, so I am keeping an eye on this problem.

KomachiSion commented 5 months ago

2.4.0-BETA has been released, please try again.