nextgenhealthcare / connect-docker

Official Dockerfiles for Connect https://hub.docker.com/r/nextgenhealthcare/connect
Mozilla Public License 2.0

Security Vulnerabilities: Total: 208 (UNKNOWN: 2, LOW: 113, MEDIUM: 50, HIGH: 20, CRITICAL: 23) #16

Closed MichaelLeeHobbs closed 2 years ago

MichaelLeeHobbs commented 2 years ago

Scan was completed with https://github.com/aquasecurity/trivy

Scanned

All returned the same result on the Java scan and varying results for the OS.

Java (jar)

Total: 89 (UNKNOWN: 1, LOW: 4, MEDIUM: 38, HIGH: 42, CRITICAL: 4)

+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
|                         LIBRARY                          | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION          |                           TITLE                           |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| com.fasterxml.jackson.dataformat:jackson-dataformat-cbor | CVE-2020-28491   | HIGH     | 2.11.3            | 2.11.4, 2.12.1                 | jackson-dataformat-cbor:  Unchecked                       |
|                                                          |                  |          |                   |                                | allocation of byte buffer can                             |
|                                                          |                  |          |                   |                                | cause a java.lang.OutOfMemoryError                        |
|                                                          |                  |          |                   |                                | exception...                                              |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-28491                     |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| com.google.guava:guava                                   | CVE-2020-8908    | LOW      | 28.2-jre          |                           30.0 | guava: local information                                  |
|                                                          |                  |          |                   |                                | disclosure via temporary directory                        |
|                                                          |                  |          |                   |                                | created with unsafe permissions                           |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-8908                      |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| com.thoughtworks.xstream:xstream                         | CVE-2020-26217   | HIGH     | 1.4.12            | 1.4.14                         | XStream: remote code                                      |
|                                                          |                  |          |                   |                                | execution due to insecure XML                             |
|                                                          |                  |          |                   |                                | deserialization when relying on...                        |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-26217                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2020-26258   |          |                   | 1.4.15                         | XStream: Server-Side Forgery                              |
|                                                          |                  |          |                   |                                | Request vulnerability can be                              |
|                                                          |                  |          |                   |                                | activated when unmarshalling                              |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-26258                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-21341   |          |                   | 1.4.16                         | XStream: allow a remote attacker to                       |
|                                                          |                  |          |                   |                                | cause DoS only by manipulating the...                     |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21341                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-29505   |          |                   | 1.4.17                         | XStream: remote command                                   |
|                                                          |                  |          |                   |                                | execution attack by manipulating                          |
|                                                          |                  |          |                   |                                | the processed input stream                                |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-29505                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-39139   |          |                   | 1.4.18                         | xstream: Arbitrary code execution                         |
|                                                          |                  |          |                   |                                | via unsafe deserialization of                             |
|                                                          |                  |          |                   |                                | Xalan xsltc.trax.TemplatesImpl                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39139                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39141   |          |                   |                                | xstream: Arbitrary code execution                         |
|                                                          |                  |          |                   |                                | via unsafe deserialization of                             |
|                                                          |                  |          |                   |                                | com.sun.xml.internal.ws.client.sei.*                      |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39141                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39144   |          |                   |                                | xstream: Arbitrary code                                   |
|                                                          |                  |          |                   |                                | execution via unsafe                                      |
|                                                          |                  |          |                   |                                | deserialization of sun.tracing.*                          |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39144                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39145   |          |                   |                                | xstream: Arbitrary code execution                         |
|                                                          |                  |          |                   |                                | via unsafe deserialization of                             |
|                                                          |                  |          |                   |                                | com.sun.jndi.ldap.LdapBindingEnumeration                  |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39145                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39146   |          |                   |                                | xstream: Arbitrary code execution                         |
|                                                          |                  |          |                   |                                | via unsafe deserialization of                             |
|                                                          |                  |          |                   |                                | javax.swing.UIDefaults$ProxyLazyValue                     |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39146                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39147   |          |                   |                                | xstream: Arbitrary code execution                         |
|                                                          |                  |          |                   |                                | via unsafe deserialization of                             |
|                                                          |                  |          |                   |                                | com.sun.jndi.ldap.LdapSearchEnumeration                   |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39147                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39148   |          |                   |                                | xstream: Arbitrary code execution                         |
|                                                          |                  |          |                   |                                | via unsafe deserialization of                             |
|                                                          |                  |          |                   |                                | com.sun.jndi.toolkit.dir.ContextEnumerator                |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39148                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39149   |          |                   |                                | xstream: Arbitrary code                                   |
|                                                          |                  |          |                   |                                | execution via unsafe                                      |
|                                                          |                  |          |                   |                                | deserialization of com.sun.corba.*                        |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39149                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39150   |          |                   |                                | xstream: Server-side request forgery                      |
|                                                          |                  |          |                   |                                | (SSRF) via unsafe deserialization of                      |
|                                                          |                  |          |                   |                                | com.sun.xml.internal.ws.client.sei.*                      |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39150                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39151   |          |                   |                                | xstream: Arbitrary code execution                         |
|                                                          |                  |          |                   |                                | via unsafe deserialization of                             |
|                                                          |                  |          |                   |                                | com.sun.jndi.ldap.LdapBindingEnumeration                  |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39151                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39152   |          |                   |                                | xstream: Server-side request forgery                      |
|                                                          |                  |          |                   |                                | (SSRF) via unsafe deserialization of                      |
|                                                          |                  |          |                   |                                | jdk.nashorn.internal.runtime.Source$URLData               |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39152                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39153   |          |                   |                                | xstream: Arbitrary code execution                         |
|                                                          |                  |          |                   |                                | via unsafe deserialization of                             |
|                                                          |                  |          |                   |                                | Xalan xsltc.trax.TemplatesImpl                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39153                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-39154   |          |                   |                                | xstream: Arbitrary code execution                         |
|                                                          |                  |          |                   |                                | via unsafe deserialization of                             |
|                                                          |                  |          |                   |                                | javax.swing.UIDefaults$ProxyLazyValue                     |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39154                     |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2020-26259   | MEDIUM   |                   | 1.4.15                         | XStream: arbitrary file deletion on                       |
|                                                          |                  |          |                   |                                | the local host when unmarshalling                         |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-26259                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-21342   |          |                   | 1.4.16                         | XStream: SSRF via                                         |
|                                                          |                  |          |                   |                                | crafted input stream                                      |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21342                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-21343   |          |                   |                                | XStream: arbitrary file                                   |
|                                                          |                  |          |                   |                                | deletion on the local host                                |
|                                                          |                  |          |                   |                                | via crafted input stream...                               |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21343                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-21344   |          |                   |                                | XStream: Unsafe deserizaliation                           |
|                                                          |                  |          |                   |                                | of javax.sql.rowset.BaseRowSet                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21344                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-21345   |          |                   |                                | XStream: Unsafe deserizaliation of                        |
|                                                          |                  |          |                   |                                | com.sun.corba.se.impl.activation.ServerTableEntry         |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21345                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-21346   |          |                   |                                | XStream: Unsafe deserizaliation                           |
|                                                          |                  |          |                   |                                | of sun.swing.SwingLazyValue                               |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21346                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-21347   |          |                   |                                | XStream: Unsafe deserizaliation of                        |
|                                                          |                  |          |                   |                                | com.sun.tools.javac.processing.JavacProcessingEnvironment |
|                                                          |                  |          |                   |                                | NameProcessIterator -->avd.aquasec.com/nvd/cve-2021-21347 |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-21348   |          |                   |                                | XStream: ReDoS vulnerability                              |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21348                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-21349   |          |                   |                                | XStream: SSRF can be activated                            |
|                                                          |                  |          |                   |                                | unmarshalling with XStream                                |
|                                                          |                  |          |                   |                                | to access data streams...                                 |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21349                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-21350   |          |                   |                                | XStream: Unsafe deserizaliation of                        |
|                                                          |                  |          |                   |                                | com.sun.org.apache.bcel.internal.util.ClassLoader         |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21350                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-21351   |          |                   |                                | XStream: allow a remote                                   |
|                                                          |                  |          |                   |                                | attacker to load and execute                              |
|                                                          |                  |          |                   |                                | arbitrary code from...                                    |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21351                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-39140   |          |                   | 1.4.18                         | xstream: Infinite loop DoS                                |
|                                                          |                  |          |                   |                                | via unsafe deserialization of                             |
|                                                          |                  |          |                   |                                | sun.reflect.annotation.AnnotationInvocationHandler        |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-39140                     |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| commons-beanutils:commons-beanutils                      | CVE-2019-10086   | HIGH     | 1.9.3             | 1.9.4                          | apache-commons-beanutils: does                            |
|                                                          |                  |          |                   |                                | not suppresses the class property                         |
|                                                          |                  |          |                   |                                | in PropertyUtilsBean by default                           |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-10086                     |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| commons-fileupload:commons-fileupload                    | CVE-2016-1000031 | CRITICAL | 1.2.1             | 1.3.3                          | Apache Commons FileUpload:                                |
|                                                          |                  |          |                   |                                | DiskFileItem file manipulation                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2016-1000031                   |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2013-2186    | HIGH     |                   | 1.3.1                          | Apache commons-fileupload: Arbitrary                      |
|                                                          |                  |          |                   |                                | file upload via deserialization                           |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2013-2186                      |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2014-0050    |          |                   |                                | apache-commons-fileupload: denial                         |
|                                                          |                  |          |                   |                                | of service due to too-small buffer                        |
|                                                          |                  |          |                   |                                | size used by MultipartStream...                           |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2014-0050                      |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2016-3092    |          |                   | 1.3.2                          | tomcat: Usage of vulnerable                               |
|                                                          |                  |          |                   |                                | FileUpload package can result                             |
|                                                          |                  |          |                   |                                | in denial of service...                                   |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2016-3092                      |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2013-0248    | LOW      |                   |                            1.3 | jakarta-commons-fileupload,                               |
|                                                          |                  |          |                   |                                | apache-commons-fileupload: /tmp                           |
|                                                          |                  |          |                   |                                | directory used by default for                             |
|                                                          |                  |          |                   |                                | uploaded files (possibility to...                         |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2013-0248                      |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| commons-httpclient:commons-httpclient                    | CVE-2012-5783    | MEDIUM   | 3.0.1             |                                | jakarta-commons-httpclient:                               |
|                                                          |                  |          |                   |                                | missing connection hostname check                         |
|                                                          |                  |          |                   |                                | against X.509 certificate name                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2012-5783                      |
+----------------------------------------------------------+------------------+          +-------------------+--------------------------------+-----------------------------------------------------------+
| commons-io:commons-io                                    | CVE-2021-29425   |          |               2.6 |                            2.7 | apache-commons-io: Limited                                |
|                                                          |                  |          |                   |                                | path traversal in Apache                                  |
|                                                          |                  |          |                   |                                | Commons IO 2.2 to 2.6                                     |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-29425                     |
+----------------------------------------------------------+------------------+          +-------------------+--------------------------------+-----------------------------------------------------------+
| io.netty:netty-codec                                     | CVE-2021-37136   |          | 4.1.53.Final      | 4.1.68.Final                   | netty-codec: Bzip2Decoder                                 |
|                                                          |                  |          |                   |                                | doesn't allow setting size                                |
|                                                          |                  |          |                   |                                | restrictions for decompressed data                        |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-37136                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-37137   |          |                   |                                | netty-codec: SnappyFrameDecoder                           |
|                                                          |                  |          |                   |                                | doesn't restrict chunk length and                         |
|                                                          |                  |          |                   |                                | may buffer skippable chunks in...                         |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-37137                     |
+----------------------------------------------------------+------------------+          +                   +--------------------------------+-----------------------------------------------------------+
| io.netty:netty-codec-http                                | CVE-2021-21290   |          |                   | 4.1.59.Final                   | netty: Information disclosure via                         |
|                                                          |                  |          |                   |                                | the local system temporary directory                      |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21290                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-43797   |          |                   | 4.1.71.Final                   | netty: control chars in header names                      |
|                                                          |                  |          |                   |                                | may lead to HTTP request smuggling...                     |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-43797                     |
+----------------------------------------------------------+------------------+          +                   +--------------------------------+-----------------------------------------------------------+
| io.netty:netty-codec-http2                               | CVE-2021-21295   |          |                   | 4.1.60.Final                   | netty: possible request smuggling                         |
|                                                          |                  |          |                   |                                | in HTTP/2 due missing validation                          |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21295                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-21409   |          |                   | 4.1.61.Final                   | netty: Request smuggling                                  |
|                                                          |                  |          |                   |                                | via content-length header                                 |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-21409                     |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| log4j:log4j                                              | CVE-2019-17571   | CRITICAL | 1.2.16            | 2.0-alpha1                     | log4j: deserialization of                                 |
|                                                          |                  |          |                   |                                | untrusted data in SocketServer                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-17571                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2022-23307   |          |                   |                                | log4j: Unsafe deserialization                             |
|                                                          |                  |          |                   |                                | flaw in Chainsaw log viewer                               |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-23307                     |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-4104    | HIGH     |                   |                                | log4j: Remote code execution                              |
|                                                          |                  |          |                   |                                | in Log4j 1.x when application                             |
|                                                          |                  |          |                   |                                | is configured to...                                       |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-4104                      |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2022-23302   | MEDIUM   |                   |                                | log4j: Remote code execution                              |
|                                                          |                  |          |                   |                                | in Log4j 1.x when application                             |
|                                                          |                  |          |                   |                                | is configured to...                                       |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-23302                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2022-23305   |          |                   |                                | log4j: SQL injection in                                   |
|                                                          |                  |          |                   |                                | Log4j 1.x when application                                |
|                                                          |                  |          |                   |                                | is configured to use...                                   |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-23305                     |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2020-9488    | LOW      |                   | 2.13.2                         | log4j: improper validation                                |
|                                                          |                  |          |                   |                                | of certificate with host                                  |
|                                                          |                  |          |                   |                                | mismatch in SMTP appender                                 |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9488                      |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | GMS-2021-5       | UNKNOWN  |                   | 2.15.0-rc1                     | Improper Neutralization                                   |
|                                                          |                  |          |                   |                                | of Special Elements in                                    |
|                                                          |                  |          |                   |                                | Output Used by a Downstream                               |
|                                                          |                  |          |                   |                                | Component...                                              |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| mysql:mysql-connector-java                               | CVE-2020-2934    | MEDIUM   | 8.0.16            | 5.1.49, 8.0.20                 | mysql-connector-java: allows                              |
|                                                          |                  |          |                   |                                | unauthenticated attacker with                             |
|                                                          |                  |          |                   |                                | network access via multiple                               |
|                                                          |                  |          |                   |                                | protocols to compromise...                                |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-2934                      |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| org.apache.commons:commons-compress                      | CVE-2019-12402   | HIGH     |              1.17 |                           1.19 | apache-commons-compress: Infinite                         |
|                                                          |                  |          |                   |                                | loop in name encoding algorithm                           |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-12402                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-35515   |          |                   |                           1.21 | apache-commons-compress:                                  |
|                                                          |                  |          |                   |                                | infinite loop when reading a                              |
|                                                          |                  |          |                   |                                | specially crafted 7Z archive                              |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-35515                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-35516   |          |                   |                                | apache-commons-compress: excessive                        |
|                                                          |                  |          |                   |                                | memory allocation when reading                            |
|                                                          |                  |          |                   |                                | a specially crafted 7Z archive                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-35516                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-35517   |          |                   |                                | apache-commons-compress: excessive                        |
|                                                          |                  |          |                   |                                | memory allocation when reading                            |
|                                                          |                  |          |                   |                                | a specially crafted TAR archive                           |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-35517                     |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2021-36090   |          |                   |                                | apache-commons-compress: excessive                        |
|                                                          |                  |          |                   |                                | memory allocation when reading                            |
|                                                          |                  |          |                   |                                | a specially crafted ZIP archive                           |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-36090                     |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2018-11771   | MEDIUM   |                   |                           1.18 | apache-commons-compress:                                  |
|                                                          |                  |          |                   |                                | ZipArchiveInputStream.read()                              |
|                                                          |                  |          |                   |                                | fails to identify correct EOF                             |
|                                                          |                  |          |                   |                                | allowing for DoS via crafted...                           |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-11771                     |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| org.apache.commons:commons-email                         | CVE-2017-9801    | HIGH     | 1.3.1             |                            1.5 | SMTP header injection vulnerabilty                        |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2017-9801                      |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2018-1294    |          |                   |                                | Improper Input Validation                                 |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-1294                      |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| org.apache.derby:derby                                   | CVE-2015-1832    | CRITICAL | 10.10.2.0         | 10.12.1.1                      | Apache Derby: XXE attack possible by                      |
|                                                          |                  |          |                   |                                | using XmlVTI and the XML datatype...                      |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2015-1832                      |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2018-1313    | MEDIUM   |                   | 10.14.2.0                      | derby: Externally-controlled                              |
|                                                          |                  |          |                   |                                | input vulnerability allows remote                         |
|                                                          |                  |          |                   |                                | attacker to boot a database under...                      |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2018-1313                      |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| org.apache.velocity:velocity-engine-core                 | CVE-2020-13936   | HIGH     |               2.2 |                            2.3 | velocity: arbitrary code                                  |
|                                                          |                  |          |                   |                                | execution when attacker is                                |
|                                                          |                  |          |                   |                                | able to modify templates                                  |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-13936                     |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| org.bouncycastle:bcprov-ext-jdk15on                      | CVE-2020-15522   | MEDIUM   |              1.57 |                           1.66 | bouncycastle: Timing issue                                |
|                                                          |                  |          |                   |                                | within the EC math library                                |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-15522                     |
+----------------------------------------------------------+                  +          +                   +                                +                                                           +
| org.bouncycastle:bcprov-jdk15on                          |                  |          |                   |                                |                                                           |
|                                                          |                  |          |                   |                                |                                                           |
|                                                          |                  |          |                   |                                |                                                           |
+----------------------------------------------------------+                  +          +-------------------+                                +                                                           +
| org.bouncycastle:bcprov-jdk16                            |                  |          |              1.44 |                                |                                                           |
|                                                          |                  |          |                   |                                |                                                           |
|                                                          |                  |          |                   |                                |                                                           |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2020-26939   |          |                   |                           1.61 | Observable Differences in Behavior                        |
|                                                          |                  |          |                   |                                | to Error Inputs in Bouncy Castle                          |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-26939                     |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| org.eclipse.jetty:jetty-http                             | CVE-2020-27216   | HIGH     | 9.4.21.v20190926  | 9.3.29.v20201019,              | jetty: local temporary directory                          |
|                                                          |                  |          |                   | 9.4.32.v20200930, 11.0.1       | hijacking vulnerability                                   |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-27216                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-28165   |          |                   | 9.4.39.v20210325, 10.0.2,      | jetty: Resource exhaustion when                           |
|                                                          |                  |          |                   | 11.0.2                         | receiving an invalid large TLS frame                      |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-28165                     |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2019-17632   | MEDIUM   |                   | 9.4.24.v20191120               | jetty: generation of default                              |
|                                                          |                  |          |                   |                                | unhandled error response content                          |
|                                                          |                  |          |                   |                                | does not escape exception...                              |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-17632                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2020-27223   |          |                   | 9.4.36.v20210114, 11.0.1       | jetty: request containing                                 |
|                                                          |                  |          |                   |                                | multiple Accept headers with                              |
|                                                          |                  |          |                   |                                | a large number of "quality"...                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-27223                     |
+----------------------------------------------------------+------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
| org.eclipse.jetty:jetty-io                               | CVE-2021-28165   | HIGH     |                   | 9.4.39.v20210325, 10.0.2,      | jetty: Resource exhaustion when                           |
|                                                          |                  |          |                   | 11.0.2                         | receiving an invalid large TLS frame                      |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-28165                     |
+----------------------------------------------------------+------------------+          +                   +--------------------------------+-----------------------------------------------------------+
| org.eclipse.jetty:jetty-server                           | CVE-2020-27216   |          |                   | 9.3.29.v20201019,              | jetty: local temporary directory                          |
|                                                          |                  |          |                   | 9.4.32.v20200930, 11.0.1       | hijacking vulnerability                                   |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-27216                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-28165   |          |                   | 9.4.39.v20210325, 10.0.2,      | jetty: Resource exhaustion when                           |
|                                                          |                  |          |                   | 11.0.2                         | receiving an invalid large TLS frame                      |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-28165                     |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2019-17632   | MEDIUM   |                   | 9.4.24.v20191120               | jetty: generation of default                              |
|                                                          |                  |          |                   |                                | unhandled error response content                          |
|                                                          |                  |          |                   |                                | does not escape exception...                              |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-17632                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2020-27218   |          |                   | 9.4.35.v20201120, 11.0.1       | jetty: buffer not correctly                               |
|                                                          |                  |          |                   |                                | recycled in Gzip Request inflation                        |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-27218                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2020-27223   |          |                   | 9.4.36.v20210114, 11.0.1       | jetty: request containing                                 |
|                                                          |                  |          |                   |                                | multiple Accept headers with                              |
|                                                          |                  |          |                   |                                | a large number of "quality"...                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-27223                     |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-34428   | LOW      |                   | 9.4.40.v20210413, 10.0.3,      | jetty: SessionListener can                                |
|                                                          |                  |          |                   | 11.0.3                         | prevent a session from being                              |
|                                                          |                  |          |                   |                                | invalidated breaking logout                               |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-34428                     |
+----------------------------------------------------------+------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
| org.eclipse.jetty:jetty-util                             | CVE-2020-27216   | HIGH     |                   | 9.3.29.v20201019,              | jetty: local temporary directory                          |
|                                                          |                  |          |                   | 9.4.32.v20200930, 11.0.1       | hijacking vulnerability                                   |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-27216                     |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2021-28165   |          |                   | 9.4.39.v20210325, 10.0.2,      | jetty: Resource exhaustion when                           |
|                                                          |                  |          |                   | 11.0.2                         | receiving an invalid large TLS frame                      |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-28165                     |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2020-27223   | MEDIUM   |                   | 9.4.36.v20210114, 10.0.1,      | jetty: request containing                                 |
|                                                          |                  |          |                   | 11.0.1                         | multiple Accept headers with                              |
|                                                          |                  |          |                   |                                | a large number of "quality"...                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-27223                     |
+----------------------------------------------------------+------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
| org.eclipse.jetty:jetty-webapp                           | CVE-2020-27216   | HIGH     |                   | 9.3.29, 9.4.33, 11.0.1         | jetty: local temporary directory                          |
|                                                          |                  |          |                   |                                | hijacking vulnerability                                   |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-27216                     |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2020-27218   | MEDIUM   |                   | 9.4.35.v20201120, 11.0.1       | jetty: buffer not correctly                               |
|                                                          |                  |          |                   |                                | recycled in Gzip Request inflation                        |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-27218                     |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
| org.mybatis:mybatis                                      | CVE-2020-26945   | HIGH     | 3.1.1             | 3.5.6                          | mybatis: mishandles deserialization                       |
|                                                          |                  |          |                   |                                | of object streams which could                             |
|                                                          |                  |          |                   |                                | result in remote code...                                  |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-26945                     |
+----------------------------------------------------------+------------------+          +-------------------+--------------------------------+-----------------------------------------------------------+
| xerces:xercesImpl                                        | CVE-2012-0881    |          | 2.9.1             | 2.12.0                         | xml: xerces-j2 hash table collisions                      |
|                                                          |                  |          |                   |                                | CPU usage DoS (oCERT-2011-003)                            |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2012-0881                      |
+                                                          +------------------+          +                   +                                +-----------------------------------------------------------+
|                                                          | CVE-2013-4002    |          |                   |                                | Xerces-J2 OpenJDK: XML parsing                            |
|                                                          |                  |          |                   |                                | Denial of Service (JAXP, 8017298)                         |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2013-4002                      |
+                                                          +------------------+----------+                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2009-2625    | MEDIUM   |                   | 2.10.0                         | xerces-j2, JDK: XML parsing                               |
|                                                          |                  |          |                   |                                | Denial-Of-Service (6845701)                               |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2009-2625                      |
+                                                          +------------------+          +                   +--------------------------------+-----------------------------------------------------------+
|                                                          | CVE-2022-23437   |          |                   | 2.12.2                         | xerces-j2: infinite loop                                  |
|                                                          |                  |          |                   |                                | when handling specially                                   |
|                                                          |                  |          |                   |                                | crafted XML document payloads                             |
|                                                          |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2022-23437                     |
+----------------------------------------------------------+------------------+----------+-------------------+--------------------------------+-----------------------------------------------------------+
cturczynskyj commented 2 years ago

First, thanks for the info. These don't seem specific to the Dockerized Connect images, as the scan is run on Connect's included libraries, so it seems like a better place may be the Connect open source GitHub repo. Second, there's no way we will address every CVE in this ticket, so if there are specific CVEs or libraries you are concerned about, please open an issue or discussion in the Connect GitHub repo for each separately.