ma1uta / ma1sd

Federated Matrix Identity Server (formerly fork of kamax/mxisd)
GNU Affero General Public License v3.0

Docker image / Maven/Gradle dependencies have security vulnerabilities #107

Open ginkel opened 2 years ago

ginkel commented 2 years ago

Hi there,

Prompted by the recent log4shell CVE, I have performed a security scan of the ma1sd Docker image as published on Docker Hub.

AFAICS both have misc vulnerabilities:

$ trivy i --ignore-unfixed ma1uta/ma1sd
2021-12-15T17:11:33.833+0100    INFO    Need to update DB
2021-12-15T17:11:33.834+0100    INFO    Downloading DB...
25.23 MiB / 25.23 MiB [--------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 30.50 MiB p/s 1s
2021-12-15T17:11:36.602+0100    INFO    Detected OS: alpine
2021-12-15T17:11:36.602+0100    INFO    Detecting Alpine vulnerabilities...
2021-12-15T17:11:36.603+0100    INFO    Number of language-specific files: 1
2021-12-15T17:11:36.603+0100    INFO    Detecting jar vulnerabilities...
2021-12-15T17:11:36.605+0100    WARN    This OS version is no longer supported by the distribution: alpine 3.9.4
2021-12-15T17:11:36.605+0100    WARN    The vulnerability detection may be insufficient because security updates are not provided

ma1uta/ma1sd (alpine 3.9.4)
===========================
Total: 216 (UNKNOWN: 0, LOW: 106, MEDIUM: 79, HIGH: 27, CRITICAL: 4)

+-------------------+------------------+----------+-------------------+---------------+------------------------------------------+
|      LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                  TITLE                   |
+-------------------+------------------+----------+-------------------+---------------+------------------------------------------+
| freetype          | CVE-2020-15999   | MEDIUM   | 2.9.1-r2          | 2.9.1-r3      | freetype: Heap-based buffer              |
|                   |                  |          |                   |               | overflow due to integer                  |
|                   |                  |          |                   |               | truncation in Load_SBit_Png              |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-15999    |
+-------------------+------------------+----------+-------------------+---------------+------------------------------------------+
| krb5-libs         | CVE-2020-28196   | HIGH     | 1.15.5-r0         | 1.15.5-r1     | krb5: unbounded recursion via an         |
|                   |                  |          |                   |               | ASN.1-encoded Kerberos message           |
|                   |                  |          |                   |               | in lib/krb5/asn.1/asn1_encode.c          |
|                   |                  |          |                   |               | may lead...                              |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28196    |
+-------------------+------------------+----------+-------------------+---------------+------------------------------------------+
| libbz2            | CVE-2019-12900   | CRITICAL | 1.0.6-r6          | 1.0.6-r7      | bzip2: out-of-bounds write               |
|                   |                  |          |                   |               | in function BZ2_decompress               |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-12900    |
+-------------------+------------------+----------+-------------------+---------------+------------------------------------------+
| libcom_err        | CVE-2019-5094    | MEDIUM   | 1.44.5-r0         | 1.44.5-r1     | e2fsprogs: Crafted ext4 partition        |
|                   |                  |          |                   |               | leads to out-of-bounds write             |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-5094     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2019-5188    |          |                   | 1.44.5-r2     | e2fsprogs: Out-of-bounds                 |
|                   |                  |          |                   |               | write in e2fsck/rehash.c                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-5188     |
+-------------------+------------------+----------+-------------------+---------------+------------------------------------------+
| libcrypto1.1      | CVE-2020-1967    | HIGH     | 1.1.1b-r1         | 1.1.1g-r0     | openssl: Segmentation                    |
|                   |                  |          |                   |               | fault in SSL_check_chain                 |
|                   |                  |          |                   |               | causes denial of service                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1967     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2021-23840   |          |                   | 1.1.1j-r0     | openssl: integer                         |
|                   |                  |          |                   |               | overflow in CipherUpdate                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840    |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2021-3450    |          |                   | 1.1.1k-r0     | openssl: CA certificate check            |
|                   |                  |          |                   |               | bypass with X509_V_FLAG_X509_STRICT      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3450     |
+                   +------------------+----------+                   +---------------+------------------------------------------+
|                   | CVE-2019-1547    | MEDIUM   |                   | 1.1.1d-r0     | openssl: side-channel weak               |
|                   |                  |          |                   |               | encryption vulnerability                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1547     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-1549    |          |                   |               | openssl: information                     |
|                   |                  |          |                   |               | disclosure in fork()                     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1549     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2019-1551    |          |                   | 1.1.1d-r2     | openssl: Integer overflow in RSAZ        |
|                   |                  |          |                   |               | modular exponentiation on x86_64         |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1551     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-1971    |          |                   | 1.1.1i-r0     | openssl: EDIPARTYNAME                    |
|                   |                  |          |                   |               | NULL pointer de-reference                |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1971     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2021-23841   |          |                   | 1.1.1j-r0     | openssl: NULL pointer dereference        |
|                   |                  |          |                   |               | in X509_issuer_and_serial_hash()         |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841    |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2021-3449    |          |                   | 1.1.1k-r0     | openssl: NULL pointer dereference        |
|                   |                  |          |                   |               | in signature_algorithms processing       |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3449     |
+                   +------------------+----------+                   +---------------+------------------------------------------+
|                   | CVE-2019-1563    | LOW      |                   | 1.1.1d-r0     | openssl: information                     |
|                   |                  |          |                   |               | disclosure in PKCS7_dataDecode           |
|                   |                  |          |                   |               | and CMS_decrypt_set1_pkey                |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1563     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2021-23839   |          |                   | 1.1.1j-r0     | openssl: incorrect SSLv2                 |
|                   |                  |          |                   |               | rollback protection                      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839    |
+-------------------+------------------+----------+-------------------+---------------+------------------------------------------+
| libjpeg-turbo     | CVE-2019-2201    | HIGH     | 1.5.3-r4          | 1.5.3-r6      | libjpeg-turbo: several integer           |
|                   |                  |          |                   |               | overflows and subsequent                 |
|                   |                  |          |                   |               | segfaults when attempting to             |
|                   |                  |          |                   |               | compress/decompress gigapixel...         |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2201     |
+                   +------------------+----------+                   +---------------+------------------------------------------+
|                   | CVE-2018-14498   | MEDIUM   |                   | 1.5.3-r5      | libjpeg-turbo: heap-based buffer         |
|                   |                  |          |                   |               | over-read via crafted 8-bit BMP          |
|                   |                  |          |                   |               | in get_8bit_row in rdbmp.c...            |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-14498    |
+-------------------+------------------+----------+-------------------+---------------+------------------------------------------+
| libssl1.1         | CVE-2020-1967    | HIGH     | 1.1.1b-r1         | 1.1.1g-r0     | openssl: Segmentation                    |
|                   |                  |          |                   |               | fault in SSL_check_chain                 |
|                   |                  |          |                   |               | causes denial of service                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1967     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2021-23840   |          |                   | 1.1.1j-r0     | openssl: integer                         |
|                   |                  |          |                   |               | overflow in CipherUpdate                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840    |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2021-3450    |          |                   | 1.1.1k-r0     | openssl: CA certificate check            |
|                   |                  |          |                   |               | bypass with X509_V_FLAG_X509_STRICT      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3450     |
+                   +------------------+----------+                   +---------------+------------------------------------------+
|                   | CVE-2019-1547    | MEDIUM   |                   | 1.1.1d-r0     | openssl: side-channel weak               |
|                   |                  |          |                   |               | encryption vulnerability                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1547     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-1549    |          |                   |               | openssl: information                     |
|                   |                  |          |                   |               | disclosure in fork()                     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1549     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2019-1551    |          |                   | 1.1.1d-r2     | openssl: Integer overflow in RSAZ        |
|                   |                  |          |                   |               | modular exponentiation on x86_64         |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1551     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-1971    |          |                   | 1.1.1i-r0     | openssl: EDIPARTYNAME                    |
|                   |                  |          |                   |               | NULL pointer de-reference                |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-1971     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2021-23841   |          |                   | 1.1.1j-r0     | openssl: NULL pointer dereference        |
|                   |                  |          |                   |               | in X509_issuer_and_serial_hash()         |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841    |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2021-3449    |          |                   | 1.1.1k-r0     | openssl: NULL pointer dereference        |
|                   |                  |          |                   |               | in signature_algorithms processing       |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-3449     |
+                   +------------------+----------+                   +---------------+------------------------------------------+
|                   | CVE-2019-1563    | LOW      |                   | 1.1.1d-r0     | openssl: information                     |
|                   |                  |          |                   |               | disclosure in PKCS7_dataDecode           |
|                   |                  |          |                   |               | and CMS_decrypt_set1_pkey                |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-1563     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2021-23839   |          |                   | 1.1.1j-r0     | openssl: incorrect SSLv2                 |
|                   |                  |          |                   |               | rollback protection                      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839    |
+-------------------+------------------+----------+-------------------+---------------+------------------------------------------+
| libtasn1          | CVE-2018-1000654 | MEDIUM   | 4.13-r0           | 4.14-r0       | libtasn1: Infinite loop in               |
|                   |                  |          |                   |               | _asn1_expand_object_id(ptree)            |
|                   |                  |          |                   |               | leads to memory exhaustion               |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2018-1000654  |
+-------------------+------------------+----------+-------------------+---------------+------------------------------------------+
| libx11            | CVE-2020-14363   | HIGH     | 1.6.7-r0          | 1.6.12-r0     | libX11: integer overflow leads           |
|                   |                  |          |                   |               | to double free in locale handling        |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14363    |
+                   +------------------+----------+                   +---------------+------------------------------------------+
|                   | CVE-2020-14344   | MEDIUM   |                   | 1.6.10-r0     | libX11: Heap overflow in                 |
|                   |                  |          |                   |               | the X input method client                |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14344    |
+-------------------+------------------+----------+-------------------+---------------+------------------------------------------+
| musl              | CVE-2019-14697   | CRITICAL | 1.1.20-r4         | 1.1.20-r5     | musl libc through 1.1.23 has             |
|                   |                  |          |                   |               | an x87 floating-point stack              |
|                   |                  |          |                   |               | adjustment imbalance, related...         |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-14697    |
+                   +------------------+----------+                   +---------------+------------------------------------------+
|                   | CVE-2020-28928   | MEDIUM   |                   | 1.1.20-r6     | In musl libc through 1.2.1,              |
|                   |                  |          |                   |               | wcsnrtombs mishandles particular         |
|                   |                  |          |                   |               | combinations of destination buffer...    |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28928    |
+-------------------+------------------+----------+                   +---------------+------------------------------------------+
| musl-utils        | CVE-2019-14697   | CRITICAL |                   | 1.1.20-r5     | musl libc through 1.1.23 has             |
|                   |                  |          |                   |               | an x87 floating-point stack              |
|                   |                  |          |                   |               | adjustment imbalance, related...         |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-14697    |
+                   +------------------+----------+                   +---------------+------------------------------------------+
|                   | CVE-2020-28928   | MEDIUM   |                   | 1.1.20-r6     | In musl libc through 1.2.1,              |
|                   |                  |          |                   |               | wcsnrtombs mishandles particular         |
|                   |                  |          |                   |               | combinations of destination buffer...    |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-28928    |
+-------------------+------------------+----------+-------------------+---------------+------------------------------------------+
| openjdk8-jre      | CVE-2020-14583   | HIGH     | 8.212.04-r0       | 8.272.10-r0   | OpenJDK: Bypass of boundary checks       |
|                   |                  |          |                   |               | in nio.Buffer via concurrent             |
|                   |                  |          |                   |               | access (Libraries, 8238920)...           |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14583    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14593   |          |                   |               | OpenJDK: Incomplete bounds checks in     |
|                   |                  |          |                   |               | Affine Transformations (2D, 8240119)     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14593    |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-2604    |          |                   | 8.242.08-r0   | OpenJDK: Serialization filter            |
|                   |                  |          |                   |               | changes via jdk.serialFilter             |
|                   |                  |          |                   |               | property modification                    |
|                   |                  |          |                   |               | (Serialization, 8231422)                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2604     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-2803    |          |                   | 8.252.09-r0   | OpenJDK: Incorrect bounds checks         |
|                   |                  |          |                   |               | in NIO Buffers (Libraries, 8234841)      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2803     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2805    |          |                   |               | OpenJDK: Incorrect type checks           |
|                   |                  |          |                   |               | in MethodType.readObject()               |
|                   |                  |          |                   |               | (Libraries, 8235274)                     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2805     |
+                   +------------------+----------+                   +---------------+------------------------------------------+
|                   | CVE-2019-2745    | MEDIUM   |                   | 8.222.10-r0   | OpenJDK: Side-channel attack             |
|                   |                  |          |                   |               | risks in Elliptic Curve (EC)             |
|                   |                  |          |                   |               | cryptography (Security, 8208698)         |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2745     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2762    |          |                   |               | OpenJDK: Insufficient checks             |
|                   |                  |          |                   |               | of suppressed exceptions in              |
|                   |                  |          |                   |               | deserialization (Utilities, 8212328)     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2762     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2769    |          |                   |               | OpenJDK: Unbounded memory                |
|                   |                  |          |                   |               | allocation during deserialization        |
|                   |                  |          |                   |               | in Collections (Utilities, 8213432)      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2769     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2816    |          |                   |               | OpenJDK: Missing URL format              |
|                   |                  |          |                   |               | validation (Networking, 8221518)         |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2816     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2019-2949    |          |                   | 8.232.09-r0   | OpenJDK: Improper handling               |
|                   |                  |          |                   |               | of Kerberos proxy credentials            |
|                   |                  |          |                   |               | (Kerberos, 8220302)                      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2949     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2958    |          |                   |               | OpenJDK: Incorrect                       |
|                   |                  |          |                   |               | escaping of command line                 |
|                   |                  |          |                   |               | arguments in ProcessImpl                 |
|                   |                  |          |                   |               | on Windows (Libraries,...                |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2958     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2975    |          |                   |               | OpenJDK: Unexpected exception thrown     |
|                   |                  |          |                   |               | during regular expression processing     |
|                   |                  |          |                   |               | in Nashorn (Scripting, 8223518)...       |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2975     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2989    |          |                   |               | OpenJDK: Incorrect handling of HTTP      |
|                   |                  |          |                   |               | proxy responses in HttpURLConnection     |
|                   |                  |          |                   |               | (Networking, 8225298)                    |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2989     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2999    |          |                   |               | OpenJDK: Insufficient filtering          |
|                   |                  |          |                   |               | of HTML event attributes in              |
|                   |                  |          |                   |               | Javadoc (Javadoc, 8226765)               |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2999     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2019-7317    |          |                   | 8.222.10-r0   | libpng: use-after-free in                |
|                   |                  |          |                   |               | png_image_free in png.c                  |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-7317     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-14556   |          |                   | 8.272.10-r0   | OpenJDK: Incorrect handling              |
|                   |                  |          |                   |               | of access control context in             |
|                   |                  |          |                   |               | ForkJoinPool (Libraries, 8237117)        |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14556    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14621   |          |                   |               | OpenJDK: XML validation manipulation     |
|                   |                  |          |                   |               | due to incomplete application of         |
|                   |                  |          |                   |               | the use-grammar-pool-only feature...     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14621    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14792   |          |                   |               | OpenJDK: Integer overflow                |
|                   |                  |          |                   |               | leading to out-of-bounds                 |
|                   |                  |          |                   |               | access (Hotspot, 8241114)                |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14792    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14803   |          |                   |               | OpenJDK: Race condition in NIO Buffer    |
|                   |                  |          |                   |               | boundary checks (Libraries, 8244136)     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14803    |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-2593    |          |                   | 8.242.08-r0   | OpenJDK: Incorrect                       |
|                   |                  |          |                   |               | isBuiltinStreamHandler check             |
|                   |                  |          |                   |               | causing URL normalization                |
|                   |                  |          |                   |               | issues (Networking, 8228548)             |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2593     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2601    |          |                   |               | OpenJDK: Use of unsafe                   |
|                   |                  |          |                   |               | RSA-MD5 checksum in Kerberos             |
|                   |                  |          |                   |               | TGS (Security, 8229951)                  |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2601     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-2781    |          |                   | 8.252.09-r0   | OpenJDK: Re-use of single                |
|                   |                  |          |                   |               | TLS session for new                      |
|                   |                  |          |                   |               | connections (JSSE, 8234408)              |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2781     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2800    |          |                   |               | OpenJDK: CRLF injection into HTTP        |
|                   |                  |          |                   |               | headers in HttpServer (Lightweight       |
|                   |                  |          |                   |               | HTTP Server, 8234825)...                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2800     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2830    |          |                   |               | OpenJDK: Regular expression DoS          |
|                   |                  |          |                   |               | in Scanner (Concurrency, 8236201)        |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2830     |
+                   +------------------+----------+                   +---------------+------------------------------------------+
|                   | CVE-2019-2766    | LOW      |                   | 8.222.10-r0   | OpenJDK: Insufficient permission         |
|                   |                  |          |                   |               | checks for file:// URLs on               |
|                   |                  |          |                   |               | Windows (Networking, 8213431)            |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2766     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2786    |          |                   |               | OpenJDK: Insufficient                    |
|                   |                  |          |                   |               | restriction of privileges in             |
|                   |                  |          |                   |               | AccessController (Security, 8216381)     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2786     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2842    |          |                   |               | OpenJDK: Missing array bounds check      |
|                   |                  |          |                   |               | in crypto providers (JCE, 8223511)       |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2842     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2019-2894    |          |                   | 8.232.09-r0   | OpenJDK: Side-channel                    |
|                   |                  |          |                   |               | vulnerability in the ECDSA               |
|                   |                  |          |                   |               | implementation (Security, 8228825)       |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2894     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2933    |          |                   |               | OpenJDK: FilePermission checks           |
|                   |                  |          |                   |               | not preformed correctly on               |
|                   |                  |          |                   |               | Windows (Libraries, 8213429)             |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2933     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2945    |          |                   |               | OpenJDK: Missing restrictions            |
|                   |                  |          |                   |               | on use of custom SocketImpl              |
|                   |                  |          |                   |               | (Networking, 8218573)                    |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2945     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2962    |          |                   |               | OpenJDK: NULL pointer dereference        |
|                   |                  |          |                   |               | in DrawGlyphList (2D, 8222690)           |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2962     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2964    |          |                   |               | OpenJDK: Unexpected exception            |
|                   |                  |          |                   |               | thrown by Pattern processing             |
|                   |                  |          |                   |               | crafted regular expression               |
|                   |                  |          |                   |               | (Concurrency, 8222684)...                |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2964     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2973    |          |                   |               | OpenJDK: Unexpected exception thrown     |
|                   |                  |          |                   |               | by XPathParser processing crafted        |
|                   |                  |          |                   |               | XPath expression (JAXP, 8223505)...      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2973     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2978    |          |                   |               | OpenJDK: Incorrect handling              |
|                   |                  |          |                   |               | of nested jar: URLs in Jar               |
|                   |                  |          |                   |               | URL handler (Networking,...              |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2978     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2981    |          |                   |               | OpenJDK: Unexpected exception            |
|                   |                  |          |                   |               | thrown by XPath processing crafted       |
|                   |                  |          |                   |               | XPath expression (JAXP, 8224532)...      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2981     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2983    |          |                   |               | OpenJDK: Unexpected exception thrown     |
|                   |                  |          |                   |               | during Font object deserialization       |
|                   |                  |          |                   |               | (Serialization, 8224915)                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2983     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2987    |          |                   |               | OpenJDK: Missing glyph bitmap            |
|                   |                  |          |                   |               | image dimension check in                 |
|                   |                  |          |                   |               | FreetypeFontScaler (2D, 8225286)         |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2987     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2988    |          |                   |               | OpenJDK: Integer overflow in bounds      |
|                   |                  |          |                   |               | check in SunGraphics2D (2D, 8225292)     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2988     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2992    |          |                   |               | OpenJDK: Excessive memory                |
|                   |                  |          |                   |               | allocation in CMap when reading          |
|                   |                  |          |                   |               | TrueType font (2D, 8225597)...           |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2992     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-14577   |          |                   | 8.272.10-r0   | OpenJDK: HostnameChecker does            |
|                   |                  |          |                   |               | not ensure X.509 certificate             |
|                   |                  |          |                   |               | names are in normalized form...          |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14577    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14578   |          |                   |               | OpenJDK: Unexpected exception            |
|                   |                  |          |                   |               | raised by DerInputStream                 |
|                   |                  |          |                   |               | (Libraries, 8237731)                     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14578    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14579   |          |                   |               | OpenJDK: Unexpected exception            |
|                   |                  |          |                   |               | raised by DerValue.equals()              |
|                   |                  |          |                   |               | (Libraries, 8237736)                     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14579    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14581   |          |                   |               | OpenJDK: Information disclosure          |
|                   |                  |          |                   |               | in color management (2D, 8238002)        |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14581    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14779   |          |                   |               | OpenJDK: High memory usage               |
|                   |                  |          |                   |               | during deserialization of Proxy          |
|                   |                  |          |                   |               | class with many interfaces...            |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14779    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14781   |          |                   |               | OpenJDK: Credentials sent                |
|                   |                  |          |                   |               | over unencrypted LDAP                    |
|                   |                  |          |                   |               | connection (JNDI, 8237990)               |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14781    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14782   |          |                   |               | OpenJDK: Certificate blacklist           |
|                   |                  |          |                   |               | bypass via alternate certificate         |
|                   |                  |          |                   |               | encodings (Libraries, 8237995)           |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14782    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14796   |          |                   |               | OpenJDK: Missing permission              |
|                   |                  |          |                   |               | check in path to URI                     |
|                   |                  |          |                   |               | conversion (Libraries, 8242680)          |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14796    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14797   |          |                   |               | OpenJDK: Incomplete check for            |
|                   |                  |          |                   |               | invalid characters in URI to             |
|                   |                  |          |                   |               | path conversion (Libraries,...           |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14797    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14798   |          |                   |               | OpenJDK: Missing maximum length check in |
|                   |                  |          |                   |               | WindowsNativeDispatcher.asNativeBuffer() |
|                   |                  |          |                   |               | (Libraries, 8242695)                     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14798    |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-2583    |          |                   | 8.242.08-r0   | OpenJDK: Incorrect exception             |
|                   |                  |          |                   |               | processing during deserialization        |
|                   |                  |          |                   |               | in BeanContextSupport                    |
|                   |                  |          |                   |               | (Serialization, 8224909)                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2583     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2590    |          |                   |               | OpenJDK: Improper checks of              |
|                   |                  |          |                   |               | SASL message properties in               |
|                   |                  |          |                   |               | GssKrb5Base (Security, 8226352)          |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2590     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2654    |          |                   |               | OpenJDK: Excessive memory usage          |
|                   |                  |          |                   |               | in OID processing in X.509               |
|                   |                  |          |                   |               | certificate parsing (Libraries,...       |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2654     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2659    |          |                   |               | OpenJDK: Incomplete enforcement          |
|                   |                  |          |                   |               | of maxDatagramSockets limit              |
|                   |                  |          |                   |               | in DatagramChannelImpl                   |
|                   |                  |          |                   |               | (Networking, 8231795)                    |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2659     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-2754    |          |                   | 8.252.09-r0   | OpenJDK: Misplaced regular               |
|                   |                  |          |                   |               | expression syntax error check in         |
|                   |                  |          |                   |               | RegExpScanner (Scripting, 8223898)       |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2754     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2755    |          |                   |               | OpenJDK: Incorrect handling of           |
|                   |                  |          |                   |               | empty string nodes in regular            |
|                   |                  |          |                   |               | expression Parser (Scripting,...         |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2755     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2756    |          |                   |               | OpenJDK: Incorrect handling              |
|                   |                  |          |                   |               | of references to uninitialized           |
|                   |                  |          |                   |               | class descriptors during                 |
|                   |                  |          |                   |               | deserialization (Serialization,...       |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2756     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2757    |          |                   |               | OpenJDK: Uncaught InstantiationError     |
|                   |                  |          |                   |               | exception in ObjectStreamClass           |
|                   |                  |          |                   |               | (Serialization, 8224549)                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2757     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2773    |          |                   |               | OpenJDK: Unexpected exceptions           |
|                   |                  |          |                   |               | raised by DOMKeyInfoFactory              |
|                   |                  |          |                   |               | and DOMXMLSignatureFactory               |
|                   |                  |          |                   |               | (Security, 8231415)                      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2773     |
+-------------------+------------------+----------+                   +---------------+------------------------------------------+
| openjdk8-jre-base | CVE-2020-14583   | HIGH     |                   | 8.272.10-r0   | OpenJDK: Bypass of boundary checks       |
|                   |                  |          |                   |               | in nio.Buffer via concurrent             |
|                   |                  |          |                   |               | access (Libraries, 8238920)...           |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14583    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14593   |          |                   |               | OpenJDK: Incomplete bounds checks in     |
|                   |                  |          |                   |               | Affine Transformations (2D, 8240119)     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14593    |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-2604    |          |                   | 8.242.08-r0   | OpenJDK: Serialization filter            |
|                   |                  |          |                   |               | changes via jdk.serialFilter             |
|                   |                  |          |                   |               | property modification                    |
|                   |                  |          |                   |               | (Serialization, 8231422)                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2604     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-2803    |          |                   | 8.252.09-r0   | OpenJDK: Incorrect bounds checks         |
|                   |                  |          |                   |               | in NIO Buffers (Libraries, 8234841)      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2803     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2805    |          |                   |               | OpenJDK: Incorrect type checks           |
|                   |                  |          |                   |               | in MethodType.readObject()               |
|                   |                  |          |                   |               | (Libraries, 8235274)                     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2805     |
+                   +------------------+----------+                   +---------------+------------------------------------------+
|                   | CVE-2019-2745    | MEDIUM   |                   | 8.222.10-r0   | OpenJDK: Side-channel attack             |
|                   |                  |          |                   |               | risks in Elliptic Curve (EC)             |
|                   |                  |          |                   |               | cryptography (Security, 8208698)         |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2745     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2762    |          |                   |               | OpenJDK: Insufficient checks             |
|                   |                  |          |                   |               | of suppressed exceptions in              |
|                   |                  |          |                   |               | deserialization (Utilities, 8212328)     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2762     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2769    |          |                   |               | OpenJDK: Unbounded memory                |
|                   |                  |          |                   |               | allocation during deserialization        |
|                   |                  |          |                   |               | in Collections (Utilities, 8213432)      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2769     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2816    |          |                   |               | OpenJDK: Missing URL format              |
|                   |                  |          |                   |               | validation (Networking, 8221518)         |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2816     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2019-2949    |          |                   | 8.232.09-r0   | OpenJDK: Improper handling               |
|                   |                  |          |                   |               | of Kerberos proxy credentials            |
|                   |                  |          |                   |               | (Kerberos, 8220302)                      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2949     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2958    |          |                   |               | OpenJDK: Incorrect                       |
|                   |                  |          |                   |               | escaping of command line                 |
|                   |                  |          |                   |               | arguments in ProcessImpl                 |
|                   |                  |          |                   |               | on Windows (Libraries,...                |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2958     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2975    |          |                   |               | OpenJDK: Unexpected exception thrown     |
|                   |                  |          |                   |               | during regular expression processing     |
|                   |                  |          |                   |               | in Nashorn (Scripting, 8223518)...       |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2975     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2989    |          |                   |               | OpenJDK: Incorrect handling of HTTP      |
|                   |                  |          |                   |               | proxy responses in HttpURLConnection     |
|                   |                  |          |                   |               | (Networking, 8225298)                    |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2989     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2999    |          |                   |               | OpenJDK: Insufficient filtering          |
|                   |                  |          |                   |               | of HTML event attributes in              |
|                   |                  |          |                   |               | Javadoc (Javadoc, 8226765)               |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2999     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2019-7317    |          |                   | 8.222.10-r0   | libpng: use-after-free in                |
|                   |                  |          |                   |               | png_image_free in png.c                  |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-7317     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-14556   |          |                   | 8.272.10-r0   | OpenJDK: Incorrect handling              |
|                   |                  |          |                   |               | of access control context in             |
|                   |                  |          |                   |               | ForkJoinPool (Libraries, 8237117)        |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14556    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14621   |          |                   |               | OpenJDK: XML validation manipulation     |
|                   |                  |          |                   |               | due to incomplete application of         |
|                   |                  |          |                   |               | the use-grammar-pool-only feature...     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14621    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14792   |          |                   |               | OpenJDK: Integer overflow                |
|                   |                  |          |                   |               | leading to out-of-bounds                 |
|                   |                  |          |                   |               | access (Hotspot, 8241114)                |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14792    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14803   |          |                   |               | OpenJDK: Race condition in NIO Buffer    |
|                   |                  |          |                   |               | boundary checks (Libraries, 8244136)     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14803    |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-2593    |          |                   | 8.242.08-r0   | OpenJDK: Incorrect                       |
|                   |                  |          |                   |               | isBuiltinStreamHandler check             |
|                   |                  |          |                   |               | causing URL normalization                |
|                   |                  |          |                   |               | issues (Networking, 8228548)             |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2593     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2601    |          |                   |               | OpenJDK: Use of unsafe                   |
|                   |                  |          |                   |               | RSA-MD5 checksum in Kerberos             |
|                   |                  |          |                   |               | TGS (Security, 8229951)                  |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2601     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-2781    |          |                   | 8.252.09-r0   | OpenJDK: Re-use of single                |
|                   |                  |          |                   |               | TLS session for new                      |
|                   |                  |          |                   |               | connections (JSSE, 8234408)              |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2781     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2800    |          |                   |               | OpenJDK: CRLF injection into HTTP        |
|                   |                  |          |                   |               | headers in HttpServer (Lightweight       |
|                   |                  |          |                   |               | HTTP Server, 8234825)...                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2800     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2830    |          |                   |               | OpenJDK: Regular expression DoS          |
|                   |                  |          |                   |               | in Scanner (Concurrency, 8236201)        |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2830     |
+                   +------------------+----------+                   +---------------+------------------------------------------+
|                   | CVE-2019-2766    | LOW      |                   | 8.222.10-r0   | OpenJDK: Insufficient permission         |
|                   |                  |          |                   |               | checks for file:// URLs on               |
|                   |                  |          |                   |               | Windows (Networking, 8213431)            |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2766     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2786    |          |                   |               | OpenJDK: Insufficient                    |
|                   |                  |          |                   |               | restriction of privileges in             |
|                   |                  |          |                   |               | AccessController (Security, 8216381)     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2786     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2842    |          |                   |               | OpenJDK: Missing array bounds check      |
|                   |                  |          |                   |               | in crypto providers (JCE, 8223511)       |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2842     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2019-2894    |          |                   | 8.232.09-r0   | OpenJDK: Side-channel                    |
|                   |                  |          |                   |               | vulnerability in the ECDSA               |
|                   |                  |          |                   |               | implementation (Security, 8228825)       |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2894     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2933    |          |                   |               | OpenJDK: FilePermission checks           |
|                   |                  |          |                   |               | not preformed correctly on               |
|                   |                  |          |                   |               | Windows (Libraries, 8213429)             |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2933     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2945    |          |                   |               | OpenJDK: Missing restrictions            |
|                   |                  |          |                   |               | on use of custom SocketImpl              |
|                   |                  |          |                   |               | (Networking, 8218573)                    |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2945     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2962    |          |                   |               | OpenJDK: NULL pointer dereference        |
|                   |                  |          |                   |               | in DrawGlyphList (2D, 8222690)           |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2962     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2964    |          |                   |               | OpenJDK: Unexpected exception            |
|                   |                  |          |                   |               | thrown by Pattern processing             |
|                   |                  |          |                   |               | crafted regular expression               |
|                   |                  |          |                   |               | (Concurrency, 8222684)...                |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2964     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2973    |          |                   |               | OpenJDK: Unexpected exception thrown     |
|                   |                  |          |                   |               | by XPathParser processing crafted        |
|                   |                  |          |                   |               | XPath expression (JAXP, 8223505)...      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2973     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2978    |          |                   |               | OpenJDK: Incorrect handling              |
|                   |                  |          |                   |               | of nested jar: URLs in Jar               |
|                   |                  |          |                   |               | URL handler (Networking,...              |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2978     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2981    |          |                   |               | OpenJDK: Unexpected exception            |
|                   |                  |          |                   |               | thrown by XPath processing crafted       |
|                   |                  |          |                   |               | XPath expression (JAXP, 8224532)...      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2981     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2983    |          |                   |               | OpenJDK: Unexpected exception thrown     |
|                   |                  |          |                   |               | during Font object deserialization       |
|                   |                  |          |                   |               | (Serialization, 8224915)                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2983     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2987    |          |                   |               | OpenJDK: Missing glyph bitmap            |
|                   |                  |          |                   |               | image dimension check in                 |
|                   |                  |          |                   |               | FreetypeFontScaler (2D, 8225286)         |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2987     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2988    |          |                   |               | OpenJDK: Integer overflow in bounds      |
|                   |                  |          |                   |               | check in SunGraphics2D (2D, 8225292)     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2988     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2992    |          |                   |               | OpenJDK: Excessive memory                |
|                   |                  |          |                   |               | allocation in CMap when reading          |
|                   |                  |          |                   |               | TrueType font (2D, 8225597)...           |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2992     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-14577   |          |                   | 8.272.10-r0   | OpenJDK: HostnameChecker does            |
|                   |                  |          |                   |               | not ensure X.509 certificate             |
|                   |                  |          |                   |               | names are in normalized form...          |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14577    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14578   |          |                   |               | OpenJDK: Unexpected exception            |
|                   |                  |          |                   |               | raised by DerInputStream                 |
|                   |                  |          |                   |               | (Libraries, 8237731)                     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14578    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14579   |          |                   |               | OpenJDK: Unexpected exception            |
|                   |                  |          |                   |               | raised by DerValue.equals()              |
|                   |                  |          |                   |               | (Libraries, 8237736)                     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14579    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14581   |          |                   |               | OpenJDK: Information disclosure          |
|                   |                  |          |                   |               | in color management (2D, 8238002)        |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14581    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14779   |          |                   |               | OpenJDK: High memory usage               |
|                   |                  |          |                   |               | during deserialization of Proxy          |
|                   |                  |          |                   |               | class with many interfaces...            |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14779    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14781   |          |                   |               | OpenJDK: Credentials sent                |
|                   |                  |          |                   |               | over unencrypted LDAP                    |
|                   |                  |          |                   |               | connection (JNDI, 8237990)               |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14781    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14782   |          |                   |               | OpenJDK: Certificate blacklist           |
|                   |                  |          |                   |               | bypass via alternate certificate         |
|                   |                  |          |                   |               | encodings (Libraries, 8237995)           |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14782    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14796   |          |                   |               | OpenJDK: Missing permission              |
|                   |                  |          |                   |               | check in path to URI                     |
|                   |                  |          |                   |               | conversion (Libraries, 8242680)          |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14796    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14797   |          |                   |               | OpenJDK: Incomplete check for            |
|                   |                  |          |                   |               | invalid characters in URI to             |
|                   |                  |          |                   |               | path conversion (Libraries,...           |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14797    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14798   |          |                   |               | OpenJDK: Missing maximum length check in |
|                   |                  |          |                   |               | WindowsNativeDispatcher.asNativeBuffer() |
|                   |                  |          |                   |               | (Libraries, 8242695)                     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14798    |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-2583    |          |                   | 8.242.08-r0   | OpenJDK: Incorrect exception             |
|                   |                  |          |                   |               | processing during deserialization        |
|                   |                  |          |                   |               | in BeanContextSupport                    |
|                   |                  |          |                   |               | (Serialization, 8224909)                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2583     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2590    |          |                   |               | OpenJDK: Improper checks of              |
|                   |                  |          |                   |               | SASL message properties in               |
|                   |                  |          |                   |               | GssKrb5Base (Security, 8226352)          |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2590     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2654    |          |                   |               | OpenJDK: Excessive memory usage          |
|                   |                  |          |                   |               | in OID processing in X.509               |
|                   |                  |          |                   |               | certificate parsing (Libraries,...       |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2654     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2659    |          |                   |               | OpenJDK: Incomplete enforcement          |
|                   |                  |          |                   |               | of maxDatagramSockets limit              |
|                   |                  |          |                   |               | in DatagramChannelImpl                   |
|                   |                  |          |                   |               | (Networking, 8231795)                    |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2659     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-2754    |          |                   | 8.252.09-r0   | OpenJDK: Misplaced regular               |
|                   |                  |          |                   |               | expression syntax error check in         |
|                   |                  |          |                   |               | RegExpScanner (Scripting, 8223898)       |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2754     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2755    |          |                   |               | OpenJDK: Incorrect handling of           |
|                   |                  |          |                   |               | empty string nodes in regular            |
|                   |                  |          |                   |               | expression Parser (Scripting,...         |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2755     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2756    |          |                   |               | OpenJDK: Incorrect handling              |
|                   |                  |          |                   |               | of references to uninitialized           |
|                   |                  |          |                   |               | class descriptors during                 |
|                   |                  |          |                   |               | deserialization (Serialization,...       |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2756     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2757    |          |                   |               | OpenJDK: Uncaught InstantiationError     |
|                   |                  |          |                   |               | exception in ObjectStreamClass           |
|                   |                  |          |                   |               | (Serialization, 8224549)                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2757     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2773    |          |                   |               | OpenJDK: Unexpected exceptions           |
|                   |                  |          |                   |               | raised by DOMKeyInfoFactory              |
|                   |                  |          |                   |               | and DOMXMLSignatureFactory               |
|                   |                  |          |                   |               | (Security, 8231415)                      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2773     |
+-------------------+------------------+----------+                   +---------------+------------------------------------------+
| openjdk8-jre-lib  | CVE-2020-14583   | HIGH     |                   | 8.272.10-r0   | OpenJDK: Bypass of boundary checks       |
|                   |                  |          |                   |               | in nio.Buffer via concurrent             |
|                   |                  |          |                   |               | access (Libraries, 8238920)...           |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14583    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14593   |          |                   |               | OpenJDK: Incomplete bounds checks in     |
|                   |                  |          |                   |               | Affine Transformations (2D, 8240119)     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14593    |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-2604    |          |                   | 8.242.08-r0   | OpenJDK: Serialization filter            |
|                   |                  |          |                   |               | changes via jdk.serialFilter             |
|                   |                  |          |                   |               | property modification                    |
|                   |                  |          |                   |               | (Serialization, 8231422)                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2604     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-2803    |          |                   | 8.252.09-r0   | OpenJDK: Incorrect bounds checks         |
|                   |                  |          |                   |               | in NIO Buffers (Libraries, 8234841)      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2803     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2805    |          |                   |               | OpenJDK: Incorrect type checks           |
|                   |                  |          |                   |               | in MethodType.readObject()               |
|                   |                  |          |                   |               | (Libraries, 8235274)                     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2805     |
+                   +------------------+----------+                   +---------------+------------------------------------------+
|                   | CVE-2019-2745    | MEDIUM   |                   | 8.222.10-r0   | OpenJDK: Side-channel attack             |
|                   |                  |          |                   |               | risks in Elliptic Curve (EC)             |
|                   |                  |          |                   |               | cryptography (Security, 8208698)         |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2745     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2762    |          |                   |               | OpenJDK: Insufficient checks             |
|                   |                  |          |                   |               | of suppressed exceptions in              |
|                   |                  |          |                   |               | deserialization (Utilities, 8212328)     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2762     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2769    |          |                   |               | OpenJDK: Unbounded memory                |
|                   |                  |          |                   |               | allocation during deserialization        |
|                   |                  |          |                   |               | in Collections (Utilities, 8213432)      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2769     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2816    |          |                   |               | OpenJDK: Missing URL format              |
|                   |                  |          |                   |               | validation (Networking, 8221518)         |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2816     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2019-2949    |          |                   | 8.232.09-r0   | OpenJDK: Improper handling               |
|                   |                  |          |                   |               | of Kerberos proxy credentials            |
|                   |                  |          |                   |               | (Kerberos, 8220302)                      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2949     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2958    |          |                   |               | OpenJDK: Incorrect                       |
|                   |                  |          |                   |               | escaping of command line                 |
|                   |                  |          |                   |               | arguments in ProcessImpl                 |
|                   |                  |          |                   |               | on Windows (Libraries,...                |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2958     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2975    |          |                   |               | OpenJDK: Unexpected exception thrown     |
|                   |                  |          |                   |               | during regular expression processing     |
|                   |                  |          |                   |               | in Nashorn (Scripting, 8223518)...       |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2975     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2989    |          |                   |               | OpenJDK: Incorrect handling of HTTP      |
|                   |                  |          |                   |               | proxy responses in HttpURLConnection     |
|                   |                  |          |                   |               | (Networking, 8225298)                    |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2989     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2999    |          |                   |               | OpenJDK: Insufficient filtering          |
|                   |                  |          |                   |               | of HTML event attributes in              |
|                   |                  |          |                   |               | Javadoc (Javadoc, 8226765)               |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2999     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2019-7317    |          |                   | 8.222.10-r0   | libpng: use-after-free in                |
|                   |                  |          |                   |               | png_image_free in png.c                  |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-7317     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-14556   |          |                   | 8.272.10-r0   | OpenJDK: Incorrect handling              |
|                   |                  |          |                   |               | of access control context in             |
|                   |                  |          |                   |               | ForkJoinPool (Libraries, 8237117)        |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14556    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14621   |          |                   |               | OpenJDK: XML validation manipulation     |
|                   |                  |          |                   |               | due to incomplete application of         |
|                   |                  |          |                   |               | the use-grammar-pool-only feature...     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14621    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14792   |          |                   |               | OpenJDK: Integer overflow                |
|                   |                  |          |                   |               | leading to out-of-bounds                 |
|                   |                  |          |                   |               | access (Hotspot, 8241114)                |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14792    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14803   |          |                   |               | OpenJDK: Race condition in NIO Buffer    |
|                   |                  |          |                   |               | boundary checks (Libraries, 8244136)     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14803    |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-2593    |          |                   | 8.242.08-r0   | OpenJDK: Incorrect                       |
|                   |                  |          |                   |               | isBuiltinStreamHandler check             |
|                   |                  |          |                   |               | causing URL normalization                |
|                   |                  |          |                   |               | issues (Networking, 8228548)             |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2593     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2601    |          |                   |               | OpenJDK: Use of unsafe                   |
|                   |                  |          |                   |               | RSA-MD5 checksum in Kerberos             |
|                   |                  |          |                   |               | TGS (Security, 8229951)                  |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2601     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-2781    |          |                   | 8.252.09-r0   | OpenJDK: Re-use of single                |
|                   |                  |          |                   |               | TLS session for new                      |
|                   |                  |          |                   |               | connections (JSSE, 8234408)              |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2781     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2800    |          |                   |               | OpenJDK: CRLF injection into HTTP        |
|                   |                  |          |                   |               | headers in HttpServer (Lightweight       |
|                   |                  |          |                   |               | HTTP Server, 8234825)...                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2800     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2830    |          |                   |               | OpenJDK: Regular expression DoS          |
|                   |                  |          |                   |               | in Scanner (Concurrency, 8236201)        |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2830     |
+                   +------------------+----------+                   +---------------+------------------------------------------+
|                   | CVE-2019-2766    | LOW      |                   | 8.222.10-r0   | OpenJDK: Insufficient permission         |
|                   |                  |          |                   |               | checks for file:// URLs on               |
|                   |                  |          |                   |               | Windows (Networking, 8213431)            |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2766     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2786    |          |                   |               | OpenJDK: Insufficient                    |
|                   |                  |          |                   |               | restriction of privileges in             |
|                   |                  |          |                   |               | AccessController (Security, 8216381)     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2786     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2842    |          |                   |               | OpenJDK: Missing array bounds check      |
|                   |                  |          |                   |               | in crypto providers (JCE, 8223511)       |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2842     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2019-2894    |          |                   | 8.232.09-r0   | OpenJDK: Side-channel                    |
|                   |                  |          |                   |               | vulnerability in the ECDSA               |
|                   |                  |          |                   |               | implementation (Security, 8228825)       |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2894     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2933    |          |                   |               | OpenJDK: FilePermission checks           |
|                   |                  |          |                   |               | not preformed correctly on               |
|                   |                  |          |                   |               | Windows (Libraries, 8213429)             |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2933     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2945    |          |                   |               | OpenJDK: Missing restrictions            |
|                   |                  |          |                   |               | on use of custom SocketImpl              |
|                   |                  |          |                   |               | (Networking, 8218573)                    |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2945     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2962    |          |                   |               | OpenJDK: NULL pointer dereference        |
|                   |                  |          |                   |               | in DrawGlyphList (2D, 8222690)           |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2962     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2964    |          |                   |               | OpenJDK: Unexpected exception            |
|                   |                  |          |                   |               | thrown by Pattern processing             |
|                   |                  |          |                   |               | crafted regular expression               |
|                   |                  |          |                   |               | (Concurrency, 8222684)...                |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2964     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2973    |          |                   |               | OpenJDK: Unexpected exception thrown     |
|                   |                  |          |                   |               | by XPathParser processing crafted        |
|                   |                  |          |                   |               | XPath expression (JAXP, 8223505)...      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2973     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2978    |          |                   |               | OpenJDK: Incorrect handling              |
|                   |                  |          |                   |               | of nested jar: URLs in Jar               |
|                   |                  |          |                   |               | URL handler (Networking,...              |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2978     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2981    |          |                   |               | OpenJDK: Unexpected exception            |
|                   |                  |          |                   |               | thrown by XPath processing crafted       |
|                   |                  |          |                   |               | XPath expression (JAXP, 8224532)...      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2981     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2983    |          |                   |               | OpenJDK: Unexpected exception thrown     |
|                   |                  |          |                   |               | during Font object deserialization       |
|                   |                  |          |                   |               | (Serialization, 8224915)                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2983     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2987    |          |                   |               | OpenJDK: Missing glyph bitmap            |
|                   |                  |          |                   |               | image dimension check in                 |
|                   |                  |          |                   |               | FreetypeFontScaler (2D, 8225286)         |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2987     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2988    |          |                   |               | OpenJDK: Integer overflow in bounds      |
|                   |                  |          |                   |               | check in SunGraphics2D (2D, 8225292)     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2988     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2019-2992    |          |                   |               | OpenJDK: Excessive memory                |
|                   |                  |          |                   |               | allocation in CMap when reading          |
|                   |                  |          |                   |               | TrueType font (2D, 8225597)...           |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-2992     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-14577   |          |                   | 8.272.10-r0   | OpenJDK: HostnameChecker does            |
|                   |                  |          |                   |               | not ensure X.509 certificate             |
|                   |                  |          |                   |               | names are in normalized form...          |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14577    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14578   |          |                   |               | OpenJDK: Unexpected exception            |
|                   |                  |          |                   |               | raised by DerInputStream                 |
|                   |                  |          |                   |               | (Libraries, 8237731)                     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14578    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14579   |          |                   |               | OpenJDK: Unexpected exception            |
|                   |                  |          |                   |               | raised by DerValue.equals()              |
|                   |                  |          |                   |               | (Libraries, 8237736)                     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14579    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14581   |          |                   |               | OpenJDK: Information disclosure          |
|                   |                  |          |                   |               | in color management (2D, 8238002)        |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14581    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14779   |          |                   |               | OpenJDK: High memory usage               |
|                   |                  |          |                   |               | during deserialization of Proxy          |
|                   |                  |          |                   |               | class with many interfaces...            |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14779    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14781   |          |                   |               | OpenJDK: Credentials sent                |
|                   |                  |          |                   |               | over unencrypted LDAP                    |
|                   |                  |          |                   |               | connection (JNDI, 8237990)               |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14781    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14782   |          |                   |               | OpenJDK: Certificate blacklist           |
|                   |                  |          |                   |               | bypass via alternate certificate         |
|                   |                  |          |                   |               | encodings (Libraries, 8237995)           |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14782    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14796   |          |                   |               | OpenJDK: Missing permission              |
|                   |                  |          |                   |               | check in path to URI                     |
|                   |                  |          |                   |               | conversion (Libraries, 8242680)          |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14796    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14797   |          |                   |               | OpenJDK: Incomplete check for            |
|                   |                  |          |                   |               | invalid characters in URI to             |
|                   |                  |          |                   |               | path conversion (Libraries,...           |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14797    |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-14798   |          |                   |               | OpenJDK: Missing maximum length check in |
|                   |                  |          |                   |               | WindowsNativeDispatcher.asNativeBuffer() |
|                   |                  |          |                   |               | (Libraries, 8242695)                     |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14798    |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-2583    |          |                   | 8.242.08-r0   | OpenJDK: Incorrect exception             |
|                   |                  |          |                   |               | processing during deserialization        |
|                   |                  |          |                   |               | in BeanContextSupport                    |
|                   |                  |          |                   |               | (Serialization, 8224909)                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2583     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2590    |          |                   |               | OpenJDK: Improper checks of              |
|                   |                  |          |                   |               | SASL message properties in               |
|                   |                  |          |                   |               | GssKrb5Base (Security, 8226352)          |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2590     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2654    |          |                   |               | OpenJDK: Excessive memory usage          |
|                   |                  |          |                   |               | in OID processing in X.509               |
|                   |                  |          |                   |               | certificate parsing (Libraries,...       |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2654     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2659    |          |                   |               | OpenJDK: Incomplete enforcement          |
|                   |                  |          |                   |               | of maxDatagramSockets limit              |
|                   |                  |          |                   |               | in DatagramChannelImpl                   |
|                   |                  |          |                   |               | (Networking, 8231795)                    |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2659     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-2754    |          |                   | 8.252.09-r0   | OpenJDK: Misplaced regular               |
|                   |                  |          |                   |               | expression syntax error check in         |
|                   |                  |          |                   |               | RegExpScanner (Scripting, 8223898)       |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2754     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2755    |          |                   |               | OpenJDK: Incorrect handling of           |
|                   |                  |          |                   |               | empty string nodes in regular            |
|                   |                  |          |                   |               | expression Parser (Scripting,...         |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2755     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2756    |          |                   |               | OpenJDK: Incorrect handling              |
|                   |                  |          |                   |               | of references to uninitialized           |
|                   |                  |          |                   |               | class descriptors during                 |
|                   |                  |          |                   |               | deserialization (Serialization,...       |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2756     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2757    |          |                   |               | OpenJDK: Uncaught InstantiationError     |
|                   |                  |          |                   |               | exception in ObjectStreamClass           |
|                   |                  |          |                   |               | (Serialization, 8224549)                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2757     |
+                   +------------------+          +                   +               +------------------------------------------+
|                   | CVE-2020-2773    |          |                   |               | OpenJDK: Unexpected exceptions           |
|                   |                  |          |                   |               | raised by DOMKeyInfoFactory              |
|                   |                  |          |                   |               | and DOMXMLSignatureFactory               |
|                   |                  |          |                   |               | (Security, 8231415)                      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-2773     |
+-------------------+------------------+----------+-------------------+---------------+------------------------------------------+
| sqlite-libs       | CVE-2019-8457    | CRITICAL | 3.26.0-r3         | 3.28.0-r0     | sqlite: heap out-of-bound                |
|                   |                  |          |                   |               | read in function rtreenode()             |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-8457     |
+                   +------------------+----------+                   +---------------+------------------------------------------+
|                   | CVE-2019-19244   | HIGH     |                   | 3.28.0-r2     | sqlite: allows a crash                   |
|                   |                  |          |                   |               | if a sub-select uses both                |
|                   |                  |          |                   |               | DISTINCT and window...                   |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-19244    |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2019-5018    |          |                   | 3.28.0-r0     | sqlite: Use-after-free in                |
|                   |                  |          |                   |               | window function leading                  |
|                   |                  |          |                   |               | to remote code execution                 |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-5018     |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2020-11655   |          |                   | 3.28.0-r3     | sqlite: malformed window-function        |
|                   |                  |          |                   |               | query leads to DoS                       |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-11655    |
+                   +------------------+----------+                   +---------------+------------------------------------------+
|                   | CVE-2019-16168   | MEDIUM   |                   | 3.28.0-r1     | sqlite: Division by zero in              |
|                   |                  |          |                   |               | whereLoopAddBtreeIndex in sqlite3.c      |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-16168    |
+                   +------------------+          +                   +---------------+------------------------------------------+
|                   | CVE-2019-19242   |          |                   | 3.28.0-r2     | sqlite: SQL injection in                 |
|                   |                  |          |                   |               | sqlite3ExprCodeTarget in expr.c          |
|                   |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2019-19242    |
+-------------------+------------------+----------+-------------------+---------------+------------------------------------------+

Java (jar)
==========
Total: 58 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 36, CRITICAL: 15)

+---------------------------------------------+------------------+----------+-------------------+-----------------------------+---------------------------------------------------------------------------------+
|                   LIBRARY                   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |        FIXED VERSION        |                                      TITLE                                      |
+---------------------------------------------+------------------+----------+-------------------+-----------------------------+---------------------------------------------------------------------------------+
| com.fasterxml.jackson.core:jackson-databind | CVE-2019-14379   | CRITICAL | 2.9.9.1           | 2.7.9.6, 2.8.11.4, 2.9.9.2  | jackson-databind: default                                                       |
|                                             |                  |          |                   |                             | typing mishandling leading                                                      |
|                                             |                  |          |                   |                             | to remote code execution                                                        |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2019-14379                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-14540   |          |                   | 2.9.10                      | jackson-databind:                                                               |
|                                             |                  |          |                   |                             | Serialization gadgets in                                                        |
|                                             |                  |          |                   |                             | com.zaxxer.hikari.HikariConfig                                                  |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2019-14540                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-14892   |          |                   | 2.6.7.3, 2.8.11.5, 2.9.10   | jackson-databind: Serialization                                                 |
|                                             |                  |          |                   |                             | gadgets in classes of the                                                       |
|                                             |                  |          |                   |                             | commons-configuration package                                                   |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2019-14892                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-14893   |          |                   | 2.8.11.5, 2.9.10            | jackson-databind:                                                               |
|                                             |                  |          |                   |                             | Serialization gadgets in                                                        |
|                                             |                  |          |                   |                             | classes of the xalan package                                                    |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2019-14893                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-16335   |          |                   | 2.9.10                      | jackson-databind:                                                               |
|                                             |                  |          |                   |                             | Serialization gadgets in                                                        |
|                                             |                  |          |                   |                             | com.zaxxer.hikari.HikariDataSource                                              |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2019-16335                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-16942   |          |                   | 2.9.10.1                    | jackson-databind:                                                               |
|                                             |                  |          |                   |                             | Serialization gadgets in                                                        |
|                                             |                  |          |                   |                             | org.apache.commons.dbcp.datasources.*                                           |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2019-16942                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2019-16943   |          |                   |                             | jackson-databind:                                                               |
|                                             |                  |          |                   |                             | Serialization gadgets in                                                        |
|                                             |                  |          |                   |                             | com.p6spy.engine.spy.P6DataSource                                               |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2019-16943                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-17267   |          |                   | 2.9.10                      | jackson-databind: Serialization                                                 |
|                                             |                  |          |                   |                             | gadgets in classes of                                                           |
|                                             |                  |          |                   |                             | the ehcache package                                                             |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2019-17267                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-17531   |          |                   | 2.9.10.1                    | jackson-databind:                                                               |
|                                             |                  |          |                   |                             | Serialization gadgets in                                                        |
|                                             |                  |          |                   |                             | org.apache.log4j.receivers.db.*                                                 |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2019-17531                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-20330   |          |                   | 2.9.10.2, 2.8.11.5          | jackson-databind: lacks                                                         |
|                                             |                  |          |                   |                             | certain net.sf.ehcache blocking                                                 |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2019-20330                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-8840    |          |                   | 2.7.9.7, 2.8.11.5, 2.9.10.3 | jackson-databind: Lacks certain                                                 |
|                                             |                  |          |                   |                             | xbean-reflect/JNDI blocking                                                     |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-8840                                            |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-9546    |          |                   | 2.7.9.7, 2.8.11.6, 2.9.10.4 | jackson-databind: Serialization                                                 |
|                                             |                  |          |                   |                             | gadgets in shaded-hikari-config                                                 |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-9546                                            |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-9547    |          |                   |                             | jackson-databind: Serialization                                                 |
|                                             |                  |          |                   |                             | gadgets in ibatis-sqlmap                                                        |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-9547                                            |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-9548    |          |                   |                             | jackson-databind: Serialization                                                 |
|                                             |                  |          |                   |                             | gadgets in anteros-core                                                         |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-9548                                            |
+                                             +------------------+----------+                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-14439   | HIGH     |                   | 2.7.9.6, 2.8.11.4, 2.9.9.2  | jackson-databind: Polymorphic                                                   |
|                                             |                  |          |                   |                             | typing issue related to logback/JNDI                                            |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2019-14439                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-10672   |          |                   | 2.9.10.4                    | jackson-databind: mishandles                                                    |
|                                             |                  |          |                   |                             | the interaction between                                                         |
|                                             |                  |          |                   |                             | serialization gadgets and                                                       |
|                                             |                  |          |                   |                             | typing which could result...                                                    |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-10672                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-10673   |          |                   | 2.6.7.4, 2.9.10.4           | jackson-databind: mishandles                                                    |
|                                             |                  |          |                   |                             | the interaction between                                                         |
|                                             |                  |          |                   |                             | serialization gadgets and                                                       |
|                                             |                  |          |                   |                             | typing which could result...                                                    |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-10673                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-10968   |          |                   | 2.9.10.4                    | jackson-databind:                                                               |
|                                             |                  |          |                   |                             | Serialization gadgets in                                                        |
|                                             |                  |          |                   |                             | org.aoju.bus.proxy.provider.*.RmiProvider                                       |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-10968                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-10969   |          |                   | 2.7.9.7, 2.8.11.6, 2.9.10.4 | jackson-databind: Serialization                                                 |
|                                             |                  |          |                   |                             | gadgets in javax.swing.JEditorPane                                              |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-10969                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-11111   |          |                   | 2.9.10.4                    | jackson-databind: Serialization gadgets in                                      |
|                                             |                  |          |                   |                             | org.apache.activemq.jms.pool.XaPooledConnectionFactory                          |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-11111                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-11112   |          |                   |                             | jackson-databind: Serialization gadgets in                                      |
|                                             |                  |          |                   |                             | org.apache.commons.proxy.provider.remoting.RmiProvider                          |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-11112                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-11113   |          |                   |                             | jackson-databind: Serialization gadgets in                                      |
|                                             |                  |          |                   |                             | org.apache.openjpa.ee.WASRegistryManagedRuntime                                 |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-11113                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-11619   |          |                   |                             | jackson-databind:                                                               |
|                                             |                  |          |                   |                             | Serialization gadgets in                                                        |
|                                             |                  |          |                   |                             | org.springframework:spring-aop                                                  |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-11619                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-11620   |          |                   |                             | jackson-databind:                                                               |
|                                             |                  |          |                   |                             | Serialization gadgets in                                                        |
|                                             |                  |          |                   |                             | commons-jelly:commons-jelly                                                     |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-11620                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-14060   |          |                   | 2.9.10.5                    | jackson-databind: serialization in                                              |
|                                             |                  |          |                   |                             | oadd.org.apache.xalan.lib.sql.JNDIConnectionPool                                |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-14060                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-14061   |          |                   |                             | jackson-databind: serialization                                                 |
|                                             |                  |          |                   |                             | in weblogic/oracle-aqjms                                                        |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-14061                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-14062   |          |                   |                             | jackson-databind: serialization in                                              |
|                                             |                  |          |                   |                             | com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool                    |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-14062                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-14195   |          |                   |                             | jackson-databind: serialization in                                              |
|                                             |                  |          |                   |                             | org.jsecurity.realm.jndi.JndiRealmFactory                                       |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-14195                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-24616   |          |                   | 2.9.10.6                    | jackson-databind: mishandles the                                                |
|                                             |                  |          |                   |                             | interaction between serialization                                               |
|                                             |                  |          |                   |                             | gadgets and typing, related to                                                  |
|                                             |                  |          |                   |                             | br.com.anteros.dbcp.AnterosDBCPDataSource...                                    |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-24616                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-24750   |          |                   |                             | jackson-databind: Serialization gadgets in                                      |
|                                             |                  |          |                   |                             | com.pastdev.httpcomponents.configuration.JndiConfiguration                      |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-24750                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-25649   |          |                   | 2.6.7.4, 2.9.10.7, 2.10.5.1 | jackson-databind: FasterXML                                                     |
|                                             |                  |          |                   |                             | DOMDeserializer insecure                                                        |
|                                             |                  |          |                   |                             | entity expansion is vulnerable                                                  |
|                                             |                  |          |                   |                             | to XML external entity...                                                       |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-25649                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-35490   |          |                   | 2.9.10.8                    | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                             | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                             | org.apache.commons.dbcp2.datasources.PerUserPoolDataSource...                   |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-35490                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-35491   |          |                   |                             | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                             | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                             | org.apache.commons.dbcp2.datasources.SharedPoolDataSource...                    |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-35491                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-35728   |          |                   |                             | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                             | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                             | com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool...            |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-35728                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36179   |          |                   |                             | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                             | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                             | oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS...                   |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-36179                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36180   |          |                   |                             | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                             | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                             | org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS...                       |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-36180                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36181   |          |                   |                             | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                             | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                             | org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS...                    |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-36181                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36182   |          |                   |                             | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                             | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                             | org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS...                   |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-36182                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36183   |          |                   |                             | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                             | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                             | org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool...                       |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-36183                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36184   |          |                   |                             | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                             | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                             | org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource...               |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-36184                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36185   |          |                   |                             | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                             | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                             | org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource...                |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-36185                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36186   |          |                   |                             | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                             | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                             | org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource...                |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-36186                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36187   |          |                   |                             | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                             | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                             | org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource...                 |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-36187                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36188   |          |                   |                             | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                             | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                             | com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource...          |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-36188                                           |
+                                             +------------------+          +                   +                             +---------------------------------------------------------------------------------+
|                                             | CVE-2020-36189   |          |                   |                             | jackson-databind: mishandles the interaction                                    |
|                                             |                  |          |                   |                             | between serialization gadgets and typing, related to                            |
|                                             |                  |          |                   |                             | com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource... |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-36189                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2021-20190   |          |                   | 2.9.10.7                    | jackson-databind: mishandles                                                    |
|                                             |                  |          |                   |                             | the interaction between                                                         |
|                                             |                  |          |                   |                             | serialization gadgets and                                                       |
|                                             |                  |          |                   |                             | typing, related to javax.swing...                                               |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-20190                                           |
+---------------------------------------------+------------------+----------+-------------------+-----------------------------+---------------------------------------------------------------------------------+
| com.google.guava:guava                      | CVE-2020-8908    | LOW      | 28.0-android      |                        30.0 | guava: local information                                                        |
|                                             |                  |          |                   |                             | disclosure via temporary directory                                              |
|                                             |                  |          |                   |                             | created with unsafe permissions                                                 |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-8908                                            |
+---------------------------------------------+------------------+----------+-------------------+-----------------------------+---------------------------------------------------------------------------------+
| commons-io:commons-io                       | CVE-2021-29425   | MEDIUM   |               2.6 |                         2.7 | apache-commons-io: Limited                                                      |
|                                             |                  |          |                   |                             | path traversal in Apache                                                        |
|                                             |                  |          |                   |                             | Commons IO 2.2 to 2.6                                                           |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-29425                                           |
+---------------------------------------------+------------------+----------+-------------------+-----------------------------+---------------------------------------------------------------------------------+
| io.undertow:undertow-core                   | CVE-2020-1745    | CRITICAL | 2.0.27.Final      | 2.0.30.Final                | undertow: AJP File                                                              |
|                                             |                  |          |                   |                             | Read/Inclusion Vulnerability                                                    |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-1745                                            |
+                                             +------------------+----------+                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2019-14888   | HIGH     |                   | 2.0.29.Final                | undertow: possible Denial                                                       |
|                                             |                  |          |                   |                             | Of Service (DOS) in Undertow                                                    |
|                                             |                  |          |                   |                             | HTTP server listening on...                                                     |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2019-14888                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-10705   |          |                   | 2.1.1.Final                 | undertow: Memory exhaustion                                                     |
|                                             |                  |          |                   |                             | issue in HttpReadListener via                                                   |
|                                             |                  |          |                   |                             | "Expect: 100-continue" header                                                   |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-10705                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-1757    |          |                   | 2.1.0.Final                 | undertow: servletPath is normalized                                             |
|                                             |                  |          |                   |                             | incorrectly leading to dangerous                                                |
|                                             |                  |          |                   |                             | application mapping which could...                                              |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-1757                                            |
+                                             +------------------+----------+                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-10687   | MEDIUM   |                   | 2.2.0.Final                 | Undertow: Incomplete fix for                                                    |
|                                             |                  |          |                   |                             | CVE-2017-2666 due to permitting                                                 |
|                                             |                  |          |                   |                             | invalid characters in HTTP...                                                   |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-10687                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2020-10719   |          |                   | 2.1.1.Final                 | undertow: invalid HTTP                                                          |
|                                             |                  |          |                   |                             | request with large chunk size                                                   |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-10719                                           |
+                                             +------------------+          +                   +-----------------------------+---------------------------------------------------------------------------------+
|                                             | CVE-2021-20220   |          |                   | 2.0.34.Final, 2.1.6.Final   | undertow: Possible regression                                                   |
|                                             |                  |          |                   |                             | in fix for CVE-2020-10687                                                       |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-20220                                           |
+---------------------------------------------+------------------+          +-------------------+-----------------------------+---------------------------------------------------------------------------------+
| org.apache.httpcomponents:httpclient        | CVE-2020-13956   |          | 4.5.10            | 4.5.13                      | apache-httpclient: incorrect                                                    |
|                                             |                  |          |                   |                             | handling of malformed authority                                                 |
|                                             |                  |          |                   |                             | component in request URIs                                                       |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-13956                                           |
+---------------------------------------------+------------------+          +-------------------+-----------------------------+---------------------------------------------------------------------------------+
| org.apache.mina:mina-core                   | CVE-2021-41973   |          | 2.0.21            | 2.1.5                       | mina-core: infinite                                                             |
|                                             |                  |          |                   |                             | loop may lead to DoS                                                            |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-41973                                           |
+---------------------------------------------+------------------+----------+-------------------+-----------------------------+---------------------------------------------------------------------------------+
| org.yaml:snakeyaml                          | CVE-2017-18640   | HIGH     |              1.25 |                        1.26 | snakeyaml: Billion laughs                                                       |
|                                             |                  |          |                   |                             | attack via alias feature                                                        |
|                                             |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2017-18640                                           |
+---------------------------------------------+------------------+----------+-------------------+-----------------------------+---------------------------------------------------------------------------------+

What do you think about regular dependency and Docker image updates?

Thanks, Thilo

ginkel commented 2 years ago

I've got automatic dependency updates & a CI build running over at https://github.com/tgbyte/ma1sd/tree/feature/ci-dependency-updates. Would you be interested in a PR?

Edit: If anyone is looking for an up-to-date image: I am maintaining the fork at https://github.com/tgbyte/ma1sd with respect to dependency and security updates. A Docker image is published as tgbyte/ma1sd.