Known Security Vulnerabilities to be fixed - Githubissues

pentaho / pentaho-platform

Pentaho BA Server Core

http://www.pentaho.com

Other

473 stars 724 forks source link

Known Security Vulnerabilities to be fixed #4788

Open dicaeffe opened 3 years ago

dicaeffe commented 3 years ago

Hello, version 9.0 (and uppers) of Pentaho has few known CVEs (Common Vulnerabilities and Exposures) due to its dependencies.

Is possible to fix those security issues by updating the versions reported below?

Apache Axis2/Java

CVE - 2 issues: CVE-2010-1632, CVE-2010-0219
Used Version: 1.5
Fix Version: 1.5.2 (last minor: 1.5.6)

Apache Log4j - log4j

CVE - 2 issues: CVE-2020-9488, CVE-2019-17571
Used Version: 1.2.17
Fix Version: 2.13.2

jackson-databind

CVE - 32 issues: CVE-2020-9548, CVE-2020-9547,CVE-2020-9546, CVE-2020-8840, CVE-2020-24750, CVE-2020-24616, CVE-2020-14195, CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620, CVE-2020-11619, CVE-2020-11113, CVE-2020-11112, CVE-2020-11111, CVE-2020-10969, CVE-2020-10968, CVE-2020-10673, CVE-2020-10672, CVE-2019-12384, CVE-2019-12086, CVE-2018-7489, CVE-2018-5968, CVE-2018-19362, CVE-2018-19361, CVE-2018-19360, CVE-2018-14721, CVE-2018-14720, CVE-2018-14719, CVE-2018-14718, CVE-2018-11307, CVE-2018-1000873
Used Version: 2.9.10.2
Fix Version: 2.9.10.6 (last minor: 2.9.10.7)

karaf

CVE - 7 issues: CVE-2020-11980, CVE-2019-0226, CVE-2019-0191, CVE-2018-11788, CVE-2018-11786, CVE-2016-8750, CVE-2014-0219
Used Version: 1.9.1
Fix Version: 4.2.9 (last minor: 4.2.10)

org.apache.xmlgraphics:batik-bridge

CVE - 2 issues: CVE-2019-17566, CVE-2019-17566
Used Version: 1.9.1
Fix Version: 1.13

dicaeffe commented 3 years ago

note: Bootstrap is recommended to be updated to 3.4.1

mariusssi commented 2 years ago

Hi. What about https://nvd.nist.gov/vuln/detail/CVE-2020-11987 ? Fix: batik 1.14

mariusssi commented 2 years ago

CVE-2022-21724 in postgresql, not fixed in 9.4.0.0-79