Which version and edition of Flyway are you using?
flyway/flyway:7.8.2-alpine
If this is not the latest version, can you reproduce the issue with the latest one as well? (Many bugs are fixed in newer releases and upgrading will often resolve the issue)
Using the latest docker tag
Which client are you using? (Command-line, Java API, Maven plugin, Gradle plugin)
command-line
Which database are you using? (Type & version)
PostgreSQL using docker image postgres:10.16-alpine
Which operating system are you using?
Inside the docker container: alpine linux
Externally:
Windows 10
Github Actions, runs-on: ubuntu-latest
Ubuntu linux
What did you do? (Please include the content causing the issue, any relevant configuration settings, the SQL statement(s) that failed (if any), and the command you ran)
Using JFrog Xray to scan the docker image for violations finds a violation.
Details
Summary:
OAuth 2.0 SDK with OpenID Connect extensions saml2/SAML2AssertionValidator.java XML External Entity (XXE) injection issue
Description:
OAuth 2.0 SDK with OpenID Connect extensions contains an XXE (XML External Entity) injection flaw in nimbusds/oauth2/sdk/assertions/saml2/SAML2AssertionValidator.java that is triggered during the parsing of XML data. The issue is due to an incorrectly configured XML parser accepting XML external entities from an untrusted source. With specially crafted XML data, a context-dependent attacker can potentially consume excessive system resources or disclose sensitive information.
Infected Component: com.nimbusds:oauth2-oidc-sdk
Severity: Medium
Fix Version: 9.3.1, 8.36.2
References:
https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/commits/bfd95d5e2679f601b728ee506e1a376dfe5da391
https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/356
https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/src/9.3.1/CHANGELOG.txt
What did you expect to see?
Expected to see zero violations.
What did you see instead?
A violation was found.
Steps to reproduce.
Scan the image using JFrog Xray or a similar tool.
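The scanner finding above boils down to one thing: a JAXP XML parser left at its defaults will honour a DOCTYPE that declares external entities. The following is an added example, not code from this issue, from Flyway, or from the Nimbus OAuth 2.0 SDK; it shows the parser configuration a defender wants (DOCTYPE refused, external entities never resolved) and exercises it against a constructed XML document of the shape an XXE probe takes. It assumes the JDK's built-in Xerces-based JAXP implementation, which supports every feature string used here; the class name HardenedXmlParser and the placeholder entity URL are inventions for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Constructed sample input (not taken from the scanner report): a document whose
    // DOCTYPE declares an external entity and then references it in the body.
    // The SYSTEM URL is a placeholder; a real probe would point it at something
    // the parser's host can read.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///placeholder/untrusted\">]>\n"
      + "<data>&ext;</data>";

    /** A factory configured the way a default JAXP factory is not: DTDs and external entities refused. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE at all. This one feature stops both classic XXE (external
        // entity resolution) and entity-expansion resource exhaustion.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must accept a DTD: never resolve
        // external general or parameter entities, and never fetch an external DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Enables the JAXP entity-expansion and access limits as well.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // XInclude is another way to pull in external content; keep it off.
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses xml with the given factory; returns true if accepted, false if the parser rejected it. */
    static boolean parse(DocumentBuilderFactory factory, String xml) throws ParserConfigurationException {
        try {
            DocumentBuilder builder = factory.newDocumentBuilder();
            Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (SAXException | IOException e) {
            // With disallow-doctype-decl set, the DOCTYPE line itself is the error.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        boolean accepted = parse(hardenedFactory(), UNTRUSTED_XML);
        System.out.println("hardened parser accepted document: " + accepted);
    }
}
```

With the JDK's built-in parser the hardened factory raises a SAXParseException at the DOCTYPE declaration, so the entity is never declared, let alone resolved. The same feature set applies to SAXParserFactory and, via its own property names, to XMLInputFactory; when reviewing a scanner hit like the one above, the fix commit linked in the references is the place to confirm which of these the library chose.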