datahub-project / datahub

The Metadata Platform for your Data and AI Stack
https://datahubproject.io
Apache License 2.0
9.9k stars 2.94k forks

datahub-ingestion docker image vulnerability due to jackson-databind #4750

Closed Vimpy closed 2 years ago

Vimpy commented 2 years ago

Pulling acryldata/datahub-ingestion:v0.8.32 from docker.io. In this image we have 25 jackson-databind package vulnerabilities, and it has a dependency on the Delphix engine. In the remediation they suggested: Delphix will update the Jackson libraries co-packaged with its libraries using the latest stable release of Jackson.

aditya-radhakrishnan commented 2 years ago

Hey there, would you be able to list out the vulnerabilities that you're seeing so we can take a look? Thanks!

Vimpy commented 2 years ago

https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.4.0 CVE-2020-9546 CVE-2019-17267

Vimpy commented 2 years ago

There are around 30 vulnerabilities that are due to jackson-databind only.
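The jackson-databind CVEs cited in this thread (CVE-2020-9546, CVE-2019-17267 and the later "serialization gadgets" entries) all stem from polymorphic deserialization accepting attacker-chosen class names in the `@class` property. Besides upgrading the jar, the application-side mitigation is to never enable unrestricted default typing and, where polymorphic typing is genuinely required, to restrict it to an explicit allow-list. The snippet below is an added example and is not code from this issue or from the DataHub project; it assumes jackson-databind 2.10 or later (the image's 2.4.0 predates these APIs, so the upgrade is the prerequisite) and uses a hypothetical `com.example.model` package as the allowed base-type prefix.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeMapperFactory {

    // Vulnerable pattern (pre-2.10 style): global default typing with no validator.
    // Any class name found in an "@class" property is resolved and instantiated,
    // which is exactly what the gadget-chain CVEs above rely on.
    //
    //   ObjectMapper mapper = new ObjectMapper();
    //   mapper.enableDefaultTyping();   // deprecated in 2.10, do not use

    // Hardened pattern: default typing is left off unless a validator restricts it.
    public static ObjectMapper buildHardened() {
        // Assumption: application model classes live under com.example.model.
        // Only sub-types in that package may be named in "@class"; everything
        // else (javax.naming, c3p0, HikariConfig, ...) is rejected.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();

        ObjectMapper mapper = new ObjectMapper();
        // Scope polymorphic handling to non-final types and require the allow-list.
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Safest option when no polymorphic typing is needed at all: a plain mapper.
    // With default typing inactive, "@class" is treated as an unknown property.
    public static ObjectMapper buildPlain() {
        return new ObjectMapper();
    }
}
```

Note that the validator only governs what the mapper accepts at runtime; it does not remove the vulnerable code paths from an old jar on the classpath. For a container image such as the one scanned here, the remediation is still to move jackson-databind to a fixed release (the trivy "FIXED VERSION" column), and then to audit whether any code in the image enables default typing.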

Vimpy commented 2 years ago

Hey, in many DataHub images we are getting many critical and high vulnerabilities, so shall I share the full vulnerability list here, or shall I raise a different issue for each image?

JackPott commented 2 years ago

It's quite the laundry list of issues. I'm building an image FROM linkedin/datahub-ingestion:v0.8.36 and then extending it by adding openjdk-11-jdk-headless (to support the Kafka Connect source). That means some of these might be from the JDK and its associated packages.

Nevertheless, this is the full list of issues trivy reports, mainly down to outdated dependencies. Updating from 0.8.35 closed a couple, but many still remain. Hope this helps:

.image/image.tar (debian 11.3)
==============================
Total: 0 (MEDIUM: 0)

Java (jar)
==========
Total: 14 (MEDIUM: 14)

+---------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------+
|                   LIBRARY                   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION          |                  TITLE                  |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------+
| com.fasterxml.jackson.core:jackson-databind | CVE-2018-1000873 | MEDIUM   | 2.4.0             | 2.9.8                          | jackson-modules-java8: DoS due          |
|                                             |                  |          |                   |                                | to an Improper Input Validation         |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-1000873 |
+                                             +------------------+          +                   +--------------------------------+-----------------------------------------+
|                                             | CVE-2019-12384   |          |                   | 2.9.9.1                        | jackson-databind: failure               |
|                                             |                  |          |                   |                                | to block the logback-core               |
|                                             |                  |          |                   |                                | class from polymorphic                  |
|                                             |                  |          |                   |                                | deserialization leading to...           |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-12384   |
+                                             +------------------+          +                   +                                +-----------------------------------------+
|                                             | CVE-2019-12814   |          |                   |                                | jackson-databind: polymorphic           |
|                                             |                  |          |                   |                                | typing issue allows attacker to         |
|                                             |                  |          |                   |                                | read arbitrary local files on...        |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-12814   |
+---------------------------------------------+------------------+          +-------------------+--------------------------------+-----------------------------------------+
| com.google.guava:guava                      | CVE-2018-10237   |          | 11.0.2            | 24.1.1                         | guava: Unbounded memory                 |
|                                             |                  |          |                   |                                | allocation in AtomicDoubleArray         |
|                                             |                  |          |                   |                                | and CompoundOrdering classes            |
|                                             |                  |          |                   |                                | allow remote attackers...               |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-10237   |
+                                             +                  +          +-------------------+                                +                                         +
|                                             |                  |          | 14.0.1            |                                |                                         |
|                                             |                  |          |                   |                                |                                         |
|                                             |                  |          |                   |                                |                                         |
|                                             |                  |          |                   |                                |                                         |
|                                             |                  |          |                   |                                |                                         |
+---------------------------------------------+------------------+          +-------------------+--------------------------------+-----------------------------------------+
| com.google.protobuf:protobuf-java           | CVE-2021-22569   |          | 2.5.0             | 3.19.2, 3.18.2, 3.16.1         | protobuf-java: potential DoS in the     |
|                                             |                  |          |                   |                                | parsing procedure for binary data       |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-22569   |
+                                             +                  +          +-------------------+                                +                                         +
|                                             |                  |          | 3.3.0             |                                |                                         |
|                                             |                  |          |                   |                                |                                         |
|                                             |                  |          |                   |                                |                                         |
+---------------------------------------------+------------------+          +-------------------+--------------------------------+-----------------------------------------+
| com.squareup.okhttp:okhttp                  | CVE-2016-2402    |          | 2.7.5             | 3.1.2                          | Improper Certificate Validation         |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2016-2402    |
+---------------------------------------------+------------------+          +-------------------+--------------------------------+-----------------------------------------+
| commons-io:commons-io                       | CVE-2021-29425   |          |               2.4 |                            2.7 | apache-commons-io: Limited              |
|                                             |                  |          |                   |                                | path traversal in Apache                |
|                                             |                  |          |                   |                                | Commons IO 2.2 to 2.6                   |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-29425   |
+---------------------------------------------+------------------+          +-------------------+--------------------------------+-----------------------------------------+
| org.apache.derby:derby                      | CVE-2018-1313    |          | 10.12.1.1         | 10.14.2.0                      | derby: Externally-controlled            |
|                                             |                  |          |                   |                                | input vulnerability allows remote       |
|                                             |                  |          |                   |                                | attacker to boot a database under...    |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-1313    |
+---------------------------------------------+------------------+          +-------------------+--------------------------------+-----------------------------------------+
| org.apache.httpcomponents:httpclient        | CVE-2020-13956   |          | 4.5.6             | 5.0.3, 4.5.13                  | apache-httpclient: incorrect            |
|                                             |                  |          |                   |                                | handling of malformed authority         |
|                                             |                  |          |                   |                                | component in request URIs               |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-13956   |
+---------------------------------------------+------------------+          +-------------------+--------------------------------+-----------------------------------------+
| org.apache.mesos:mesos                      | CVE-2018-8023    |          | 1.4.0             | 1.6.1, 1.5.2, 1.4.2            | mesos: Exposure of HMAC value           |
|                                             |                  |          |                   |                                | via timing vulnerability                |
|                                             |                  |          |                   |                                | in  JWT validation...                   |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-8023    |
+---------------------------------------------+------------------+          +-------------------+--------------------------------+-----------------------------------------+
| org.eclipse.jetty:jetty-servlets            | CVE-2021-28169   |          | 9.4.40.v20210413  | 9.4.41.v20210516, 10.0.3,      | jetty: requests to the                  |
|                                             |                  |          |                   | 11.0.3                         | ConcatServlet and WelcomeFilter         |
|                                             |                  |          |                   |                                | are able to access protected...         |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-28169   |
+---------------------------------------------+------------------+          +-------------------+--------------------------------+-----------------------------------------+
| org.glassfish.jersey.core:jersey-common     | CVE-2021-28168   |          |              2.30 | 3.0.2, 2.34                    | jersey: Local information disclosure    |
|                                             |                  |          |                   |                                | via system temporary directory          |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-28168   |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------+

Node.js (node-pkg)
==================
Total: 0 (MEDIUM: 0)

Python (python-pkg)
===================
Total: 1 (MEDIUM: 1)

+----------------+------------------+----------+-------------------+---------------+---------------------------------------+
|    LIBRARY     | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+----------------+------------------+----------+-------------------+---------------+---------------------------------------+
| apache-airflow | CVE-2021-23445   | MEDIUM   | 2.2.5             | 2.3.0         | Apache-airflow 2.3.0 updates its      |
|                |                  |          |                   |               | NPM dependency 'datatables.net'       |
|                |                  |          |                   |               | to versions ^1.10.23 to include...    |
|                |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23445 |
+----------------+------------------+----------+-------------------+---------------+---------------------------------------+

.image/image.tar (debian 11.3)
==============================
Total: 0 (HIGH: 0, CRITICAL: 0)

Java (jar)
==========
Total: 63 (HIGH: 40, CRITICAL: 23)

+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+
|                   LIBRARY                   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION          |                                      TITLE                                      |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+
| com.fasterxml.jackson.core:jackson-databind | CVE-2020-25649   | HIGH     | 2.10.0            | 2.10.5.1, 2.9.10.7, 2.6.7.4    | jackson-databind: FasterXML                                                     |
|                                             |                  |          |                   |                                | DOMDeserializer insecure                                                        |
|                                             |                  |          |                   |                                | entity expansion is vulnerable                                                  |
|                                             |                  |          |                   |                                | to XML external entity...                                                       |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-25649                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-36518   |          |                   | 2.12.6.1, 2.13.2.1             | jackson-databind: denial of service                                             |
|                                             |                  |          |                   |                                | via a large depth of nested objects                                             |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-36518                                           |
+                                             +------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2017-15095   | CRITICAL | 2.4.0             | 2.9.4, 2.8.11                  | jackson-databind: Unsafe                                                        |
|                                             |                  |          |                   |                                | deserialization due to                                                          |
|                                             |                  |          |                   |                                | incomplete black list (incomplete                                               |
|                                             |                  |          |                   |                                | fix for CVE-2017-7525)...                                                       |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-15095                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2017-17485   |          |                   | 2.8.11, 2.9.4                  | jackson-databind: Unsafe                                                        |
|                                             |                  |          |                   |                                | deserialization due to                                                          |
|                                             |                  |          |                   |                                | incomplete black list (incomplete                                               |
|                                             |                  |          |                   |                                | fix for CVE-2017-15095)...                                                      |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-17485                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2017-7525    |          |                   | 2.7.9.1, 2.6.7.1, 2.8.9        | jackson-databind: Deserialization                                               |
|                                             |                  |          |                   |                                | vulnerability via readValue                                                     |
|                                             |                  |          |                   |                                | method of ObjectMapper                                                          |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-7525                                            |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2018-11307   |          |                   | 2.8.11.2, 2.7.9.4, 2.9.6       | jackson-databind: Potential                                                     |
|                                             |                  |          |                   |                                | information exfiltration with                                                   |
|                                             |                  |          |                   |                                | default typing, serialization                                                   |
|                                             |                  |          |                   |                                | gadget from MyBatis                                                             |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-11307                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2018-14718   |          |                   | 2.7.9.5, 2.8.11.3, 2.9.7       | jackson-databind: arbitrary code                                                |
|                                             |                  |          |                   |                                | execution in slf4j-ext class                                                    |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-14718                                           |
+                                             +------------------+          +                   +                                +---------------------------------------------------------------------------------+
|                                             | CVE-2018-14719   |          |                   |                                | jackson-databind: arbitrary                                                     |
|                                             |                  |          |                   |                                | code execution in blaze-ds-opt                                                  |
|                                             |                  |          |                   |                                | and blaze-ds-core classes                                                       |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-14719                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2018-7489    |          |                   | 2.8.11.1, 2.9.5                | jackson-databind: incomplete fix                                                |
|                                             |                  |          |                   |                                | for CVE-2017-7525 permits unsafe                                                |
|                                             |                  |          |                   |                                | serialization via c3p0 libraries                                                |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-7489                                            |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-14379   |          |                   | 2.9.9.2                        | jackson-databind: default                                                       |
|                                             |                  |          |                   |                                | typing mishandling leading                                                      |
|                                             |                  |          |                   |                                | to remote code execution                                                        |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-14379                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-14540   |          |                   | 2.9.10                         | jackson-databind:                                                               |
|                                             |                  |          |                   |                                | Serialization gadgets in                                                        |
|                                             |                  |          |                   |                                | com.zaxxer.hikari.HikariConfig                                                  |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-14540                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-14892   |          |                   | 2.9.10, 2.8.11.5, 2.6.7.3      | jackson-databind: Serialization                                                 |
|                                             |                  |          |                   |                                | gadgets in classes of the                                                       |
|                                             |                  |          |                   |                                | commons-configuration package                                                   |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-14892                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-14893   |          |                   | 2.8.11.5, 2.9.10               | jackson-databind:                                                               |
|                                             |                  |          |                   |                                | Serialization gadgets in                                                        |
|                                             |                  |          |                   |                                | classes of the xalan package                                                    |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-14893                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-16335   |          |                   | 2.9.10                         | jackson-databind:                                                               |
|                                             |                  |          |                   |                                | Serialization gadgets in                                                        |
|                                             |                  |          |                   |                                | com.zaxxer.hikari.HikariDataSource                                              |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-16335                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-16942   |          |                   | 2.9.10.1                       | jackson-databind:                                                               |
|                                             |                  |          |                   |                                | Serialization gadgets in                                                        |
|                                             |                  |          |                   |                                | org.apache.commons.dbcp.datasources.*                                           |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-16942                                           |
+                                             +------------------+          +                   +                                +---------------------------------------------------------------------------------+
|                                             | CVE-2019-16943   |          |                   |                                | jackson-databind:                                                               |
|                                             |                  |          |                   |                                | Serialization gadgets in                                                        |
|                                             |                  |          |                   |                                | com.p6spy.engine.spy.P6DataSource                                               |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-16943                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-17267   |          |                   | 2.9.10                         | jackson-databind: Serialization                                                 |
|                                             |                  |          |                   |                                | gadgets in classes of                                                           |
|                                             |                  |          |                   |                                | the ehcache package                                                             |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-17267                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-17531   |          |                   | 2.9.10.1                       | jackson-databind:                                                               |
|                                             |                  |          |                   |                                | Serialization gadgets in                                                        |
|                                             |                  |          |                   |                                | org.apache.log4j.receivers.db.*                                                 |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-17531                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-20330   |          |                   | 2.6.7.4, 2.7.9.7, 2.9.10.2,    | jackson-databind: lacks                                                         |
|                                             |                  |          |                   | 2.8.11.5                       | certain net.sf.ehcache blocking                                                 |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-20330                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-8840    |          |                   | 2.6.7.4, 2.7.9.7, 2.9.10.3,    | jackson-databind: Lacks certain                                                 |
|                                             |                  |          |                   | 2.8.11.5                       | xbean-reflect/JNDI blocking                                                     |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-8840                                            |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-9547    |          |                   | 2.9.10.4                       | jackson-databind: Serialization                                                 |
|                                             |                  |          |                   |                                | gadgets in ibatis-sqlmap                                                        |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9547                                            |
+                                             +------------------+          +                   +                                +---------------------------------------------------------------------------------+
|                                             | CVE-2020-9548    |          |                   |                                | jackson-databind: Serialization                                                 |
|                                             |                  |          |                   |                                | gadgets in anteros-core                                                         |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9548                                            |
+                                             +------------------+----------+                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2018-12022   | HIGH     |                   | 2.8.11.2, 2.7.9.4, 2.9.6       | jackson-databind: improper                                                      |
|                                             |                  |          |                   |                                | polymorphic deserialization                                                     |
|                                             |                  |          |                   |                                | of types from Jodd-db library                                                   |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-12022                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2018-5968    |          |                   | 2.9.4, 2.8.11                  | jackson-databind: unsafe                                                        |
|                                             |                  |          |                   |                                | deserialization due to incomplete                                               |
|                                             |                  |          |                   |                                | blacklist (incomplete fix                                                       |
|                                             |                  |          |                   |                                | for CVE-2017-7525 and...                                                        |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-5968                                            |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-12086   |          |                   | 2.9.9                          | jackson-databind: polymorphic                                                   |
|                                             |                  |          |                   |                                | typing issue allows attacker to                                                 |
|                                             |                  |          |                   |                                | read arbitrary local files on...                                                |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-12086                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-14439   |          |                   | 2.9.9.2                        | jackson-databind: Polymorphic                                                   |
|                                             |                  |          |                   |                                | typing issue related to logback/JNDI                                            |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-14439                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-10673   |          |                   | 2.9.10.4                       | jackson-databind: mishandles                                                    |
|                                             |                  |          |                   |                                | the interaction between                                                         |
|                                             |                  |          |                   |                                | serialization gadgets and                                                       |
|                                             |                  |          |                   |                                | typing which could result...                                                    |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-10673                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-24616   |          |                   | 2.9.10.6                       | jackson-databind: mishandles the                                                |
|                                             |                  |          |                   |                                | interaction between serialization                                               |
|                                             |                  |          |                   |                                | gadgets and typing, related to                                                  |
|                                             |                  |          |                   |                                | br.com.anteros.dbcp.AnterosDBCPDataSource...                                    |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-24616                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-24750   |          |                   | 2.9.10.6, 2.6.7.5              | jackson-databind: Serialization gadgets in                                      |
|                                             |                  |          |                   |                                | com.pastdev.httpcomponents.configuration.JndiConfiguration                      |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-24750                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-25649   |          |                   | 2.10.5.1, 2.9.10.7, 2.6.7.4    | jackson-databind: FasterXML                                                     |
|                                             |                  |          |                   |                                | DOMDeserializer insecure                                                        |
|                                             |                  |          |                   |                                | entity expansion is vulnerable                                                  |
|                                             |                  |          |                   |                                | to XML external entity...                                                       |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-25649                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-35490   |          |                   | 2.9.10.8                       | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                                | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                                | org.apache.commons.dbcp2.datasources.PerUserPoolDataSource...                   |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-35490                                           |
+                                             +------------------+          +                   +                                +---------------------------------------------------------------------------------+
|                                             | CVE-2020-35491   |          |                   |                                | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                                | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                                | org.apache.commons.dbcp2.datasources.SharedPoolDataSource...                    |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-35491                                           |
+                                             +------------------+          +                   +                                +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36179   |          |                   |                                | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                                | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                                | oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS...                   |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-36179                                           |
+                                             +------------------+          +                   +                                +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36180   |          |                   |                                | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                                | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                                | org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS...                       |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-36180                                           |
+                                             +------------------+          +                   +                                +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36181   |          |                   |                                | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                                | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                                | org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS...                    |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-36181                                           |
+                                             +------------------+          +                   +                                +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36182   |          |                   |                                | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                                | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                                | org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS...                   |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-36182                                           |
+                                             +------------------+          +                   +                                +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36183   |          |                   |                                | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                                | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                                | org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool...                       |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-36183                                           |
+                                             +------------------+          +                   +                                +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36184   |          |                   |                                | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                                | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                                | org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource...               |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-36184                                           |
+                                             +------------------+          +                   +                                +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36185   |          |                   |                                | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                                | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                                | org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource...                |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-36185                                           |
+                                             +------------------+          +                   +                                +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36186   |          |                   |                                | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                                | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                                | org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource...                |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-36186                                           |
+                                             +------------------+          +                   +                                +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36187   |          |                   |                                | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                                | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                                | org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource...                 |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-36187                                           |
+                                             +------------------+          +                   +                                +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36188   |          |                   |                                | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                                | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                                | com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource...          |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-36188                                           |
+                                             +------------------+          +                   +                                +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36189   |          |                   |                                | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                                | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                                | com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource... |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-36189                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-36518   |          |                   | 2.12.6.1, 2.13.2.1             | jackson-databind: denial of service                                             |
|                                             |                  |          |                   |                                | via a large depth of nested objects                                             |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-36518                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2021-20190   |          |                   | 2.9.10.7                       | jackson-databind: mishandles                                                    |
|                                             |                  |          |                   |                                | the interaction between                                                         |
|                                             |                  |          |                   |                                | serialization gadgets and                                                       |
|                                             |                  |          |                   |                                | typing, related to javax.swing...                                               |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-20190                                           |
+---------------------------------------------+------------------+          +-------------------+--------------------------------+---------------------------------------------------------------------------------+
| com.google.code.gson:gson                   | CVE-2022-25647   |          | 2.2.4             | 2.8.9                          | com.google.code.gson-gson:                                                      |
|                                             |                  |          |                   |                                | Deserialization of Untrusted                                                    |
|                                             |                  |          |                   |                                | Data in com.google.code.gson-gson                                               |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-25647                                           |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+
| com.nimbusds:nimbus-jose-jwt                | CVE-2019-17195   | CRITICAL | 4.41.1            |                            7.9 | nimbus-jose-jwt: Uncaught                                                       |
|                                             |                  |          |                   |                                | exceptions while parsing a JWT                                                  |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-17195                                           |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+
| io.fabric8:kubernetes-client                | CVE-2021-20218   | HIGH     | 4.9.2             | 4.7.2, 4.11.2, 4.13.2, 5.0.2   | fabric8-kubernetes-client:                                                      |
|                                             |                  |          |                   |                                | vulnerable to a path traversal                                                  |
|                                             |                  |          |                   |                                | leading to integrity and                                                        |
|                                             |                  |          |                   |                                | availability compromise...                                                      |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-20218                                           |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+
| net.minidev:json-smart                      | CVE-2021-27568   | CRITICAL |               2.3 | 2.3.1, 2.4.1, 1.3.2            | json-smart: uncaught                                                            |
|                                             |                  |          |                   |                                | exception may lead to crash                                                     |
|                                             |                  |          |                   |                                | or information disclosure                                                       |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-27568                                           |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+
| org.apache.commons:commons-compress         | CVE-2021-35515   | HIGH     |              1.20 |                           1.21 | apache-commons-compress:                                                        |
|                                             |                  |          |                   |                                | infinite loop when reading a                                                    |
|                                             |                  |          |                   |                                | specially crafted 7Z archive                                                    |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-35515                                           |
+                                             +------------------+          +                   +                                +---------------------------------------------------------------------------------+
|                                             | CVE-2021-35516   |          |                   |                                | apache-commons-compress: excessive                                              |
|                                             |                  |          |                   |                                | memory allocation when reading                                                  |
|                                             |                  |          |                   |                                | a specially crafted 7Z archive                                                  |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-35516                                           |
+                                             +------------------+          +                   +                                +---------------------------------------------------------------------------------+
|                                             | CVE-2021-35517   |          |                   |                                | apache-commons-compress: excessive                                              |
|                                             |                  |          |                   |                                | memory allocation when reading                                                  |
|                                             |                  |          |                   |                                | a specially crafted TAR archive                                                 |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-35517                                           |
+                                             +------------------+          +                   +                                +---------------------------------------------------------------------------------+
|                                             | CVE-2021-36090   |          |                   |                                | apache-commons-compress: excessive                                              |
|                                             |                  |          |                   |                                | memory allocation when reading                                                  |
|                                             |                  |          |                   |                                | a specially crafted ZIP archive                                                 |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-36090                                           |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+
| org.apache.hadoop:hadoop-common             | CVE-2022-26612   | CRITICAL | 3.2.0             | 3.2.3                          | hadoop: Arbitrary file write in                                                 |
|                                             |                  |          |                   |                                | FileUtil#unpackEntries on Windows                                               |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-26612                                           |
+                                             +------------------+----------+                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-9492    | HIGH     |                   | 3.1.4, 3.2.2, 2.10.1           | hadoop: WebHDFS client might                                                    |
|                                             |                  |          |                   |                                | send SPNEGO authorization header                                                |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9492                                            |
+---------------------------------------------+------------------+          +-------------------+--------------------------------+---------------------------------------------------------------------------------+
| org.apache.mesos:mesos                      | CVE-2018-11793   |          | 1.4.0             | 1.7.1, 1.6.2, 1.5.2, 1.4.3     | mesos: stack overflow                                                           |
|                                             |                  |          |                   |                                | vulnerability in parser                                                         |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-11793                                           |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2018-1330    |          |                   | 1.5.2, 1.6.1                   | Improper Input Validation                                                       |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-1330                                            |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-0204    |          |                   | 1.4.3, 1.5.3, 1.6.2, 1.7.2,    | mesos: docker image code execution                                              |
|                                             |                  |          |                   | 1.8.1                          | -->avd.aquasec.com/nvd/cve-2019-0204                                            |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-5736    |          |                   | 1.7.1                          | runc: Execution of malicious                                                    |
|                                             |                  |          |                   |                                | containers allows for container                                                 |
|                                             |                  |          |                   |                                | escape and access to...                                                         |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-5736                                            |
+---------------------------------------------+------------------+          +-------------------+--------------------------------+---------------------------------------------------------------------------------+
| org.apache.thrift:libthrift                 | CVE-2019-0205    |          | 0.12.0            | 0.13.0                         | thrift: Endless loop when                                                       |
|                                             |                  |          |                   |                                | feed with specific input data                                                   |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-0205                                            |
+                                             +------------------+          +                   +                                +---------------------------------------------------------------------------------+
|                                             | CVE-2019-0210    |          |                   |                                | thrift: Out-of-bounds read                                                      |
|                                             |                  |          |                   |                                | related to TJSONProtocol                                                        |
|                                             |                  |          |                   |                                | or TSimpleJSONProtocol                                                          |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-0210                                            |
+                                             +------------------+          +                   +--------------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-13949   |          |                   | 0.14.0                         | libthrift: potential DoS when                                                   |
|                                             |                  |          |                   |                                | processing untrusted payloads                                                   |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-13949                                           |
+---------------------------------------------+------------------+          +-------------------+--------------------------------+---------------------------------------------------------------------------------+
| org.yaml:snakeyaml                          | CVE-2017-18640   |          |              1.24 |                           1.26 | snakeyaml: Billion laughs                                                       |
|                                             |                  |          |                   |                                | attack via alias feature                                                        |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-18640                                           |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------------------------+

Node.js (node-pkg)
==================
Total: 0 (HIGH: 0, CRITICAL: 0)

Python (python-pkg)
===================
Total: 5 (HIGH: 5, CRITICAL: 0)

+----------------+------------------+----------+-------------------+---------------+---------------------------------------+
|    LIBRARY     | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+----------------+------------------+----------+-------------------+---------------+---------------------------------------+
| PyJWT          | CVE-2022-29217   | HIGH     | 1.7.1             | 2.4.0         | python-jwt: Key confusion through     |
|                |                  |          |                   |               | non-blocklisted public key formats    |
|                |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-29217 |
+----------------+------------------+          +-------------------+---------------+---------------------------------------+
| apache-airflow | CVE-2021-37701   |          | 2.2.5             | 2.3.0         | nodejs-tar: Insufficient symlink      |
|                |                  |          |                   |               | protection due to directory cache     |
|                |                  |          |                   |               | poisoning using symbolic links...     |
|                |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-37701 |
+                +------------------+          +                   +               +---------------------------------------+
|                | CVE-2021-37712   |          |                   |               | nodejs-tar: Insufficient symlink      |
|                |                  |          |                   |               | protection due to directory cache     |
|                |                  |          |                   |               | poisoning using symbolic links...     |
|                |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-37712 |
+                +------------------+          +                   +               +---------------------------------------+
|                | CVE-2021-37713   |          |                   |               | nodejs-tar: Arbitrary                 |
|                |                  |          |                   |               | File Creation/Overwrite on            |
|                |                  |          |                   |               | Windows via insufficient              |
|                |                  |          |                   |               | relative path sanitization            |
|                |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-37713 |
+----------------+------------------+          +-------------------+---------------+---------------------------------------+
| pyspark        | CVE-2021-38296   |          | 3.0.3             | 3.1.3         | Authentication Bypass by              |
|                |                  |          |                   |               | Capture-replay in Apache Spark        |
|                |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-38296 |
+----------------+------------------+----------+-------------------+---------------+---------------------------------------+
pedro93 commented 2 years ago

Hello all,

We are aware of some of these vulnerabilities. You might have seen in the past couple of months a few commits precisely to address some of the security vulnerabilities. That said, this is not something the core team is able to address alone. As such I would like to request your help in tackling these issues and opening PRs to address them.

I welcome, encourage and will personally assist anyone that helps out in this endeavour to make DataHub more secure! :) Together I'm sure we can trim a lot of this.

Vimpy commented 2 years ago

Hey, I am facing a jackson-databind package vulnerability. We have Aqua scanner, which shows the installed version of jackson-databind as well as the fixed version, but I don't know how to make the change in the war package or how to build the war again. Can you please help me out? It would be great.

Vimpy commented 2 years ago

We are getting these in many datahub open source images.

github-actions[bot] commented 2 years ago

This issue is stale because it has been open for 30 days with no activity. If you believe this is still an issue on the latest DataHub release please leave a comment with the version that you tested it with. If this is a question/discussion please head to https://slack.datahubproject.io. For feature requests please use https://feature-requests.datahubproject.io

github-actions[bot] commented 2 years ago

This issue was closed because it has been inactive for 30 days since being marked as stale.