snowdensb / nifi

Apache NiFi
https://nifi.apache.org/
Apache License 2.0

nifi-accumulo-services-1.15.0-SNAPSHOT.jar: 15 vulnerabilities (highest severity is: 10.0) - autoclosed #579

Closed mend-for-github-com[bot] closed 1 week ago

mend-for-github-com[bot] commented 1 month ago
Vulnerable Library - nifi-accumulo-services-1.15.0-SNAPSHOT.jar

Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (nifi-accumulo-services version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|
| CVE-2020-1953 | Critical | 10.0 | commons-configuration2-2.5.jar | Transitive | N/A* | | |
| CVE-2022-42889 | Critical | 9.8 | commons-text-1.6.jar | Transitive | N/A* | | |
| CVE-2022-33980 | Critical | 9.8 | commons-configuration2-2.5.jar | Transitive | N/A* | | |
| CVE-2022-25168 | Critical | 9.8 | hadoop-client-api-3.1.1.jar | Transitive | N/A* | | |
| CVE-2023-44981 | Critical | 9.1 | zookeeper-3.4.14.jar | Transitive | N/A* | | |
| CVE-2019-20444 | Critical | 9.1 | netty-3.10.6.Final.jar | Transitive | N/A* | | |
| CVE-2020-9492 | High | 8.8 | hadoop-client-api-3.1.1.jar | Transitive | N/A* | | |
| WS-2019-0490 | High | 8.1 | jcommander-1.72.jar | Transitive | N/A* | | |
| CVE-2024-7254 | High | 7.5 | protobuf-java-3.7.1.jar | Transitive | N/A* | | |
| CVE-2022-3509 | High | 7.5 | protobuf-java-3.7.1.jar | Transitive | N/A* | | |
| CVE-2021-22569 | High | 7.5 | protobuf-java-3.7.1.jar | Transitive | N/A* | | |
| CVE-2019-0205 | High | 7.5 | libthrift-0.12.0.jar | Transitive | N/A* | | |
| CVE-2024-29131 | High | 7.3 | commons-configuration2-2.5.jar | Transitive | N/A* | | |
| CVE-2024-29133 | Medium | 4.4 | commons-configuration2-2.5.jar | Transitive | N/A* | | |
| CVE-2022-3171 | Medium | 4.3 | protobuf-java-3.7.1.jar | Transitive | N/A* | | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

**CVE-2020-1953**

### Vulnerable Library - commons-configuration2-2.5.jar

Tools to assist in the reading of configuration/preferences files in various formats

Library home page: https://www.apache.org/

Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml

Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - accumulo-start-2.0.1.jar
      - :x: **commons-configuration2-2.5.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5 and 2.6 did not change the default settings of this library. If a YAML file was loaded from an untrusted source, it could therefore load and execute code outside the control of the host application.

Publish Date: 2020-03-13

URL: CVE-2020-1953

### CVSS 3 Score Details (10.0)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1953

Release Date: 2020-03-13

Fix Resolution: org.apache.commons:commons-configuration2:2.7

**CVE-2022-42889**

### Vulnerable Library - commons-text-1.6.jar

Apache Commons Text is a library focused on algorithms working on strings.

Library home page: https://www.apache.org/

Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml

Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - accumulo-start-2.0.1.jar
      - commons-configuration2-2.5.jar
        - :x: **commons-text-1.6.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve dns records
- "url" - load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

Publish Date: 2022-10-13

URL: CVE-2022-42889

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2022/10/13/4

Release Date: 2022-10-13

Fix Resolution: org.apache.commons:commons-text:1.10.0

**CVE-2022-33980**

### Vulnerable Library - commons-configuration2-2.5.jar

Tools to assist in the reading of configuration/preferences files in various formats

Library home page: https://www.apache.org/

Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml

Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - accumulo-start-2.0.1.jar
      - :x: **commons-configuration2-2.5.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve dns records
- "url" - load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.

Publish Date: 2022-07-06

URL: CVE-2022-33980

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s

Release Date: 2022-07-06

Fix Resolution: org.apache.commons:commons-configuration2:2.8.0

**CVE-2022-25168**

### Vulnerable Library - hadoop-client-api-3.1.1.jar

Apache Hadoop Client

Library home page: http://www.apache.org

Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml

Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - accumulo-start-2.0.1.jar
      - :x: **hadoop-client-api-3.1.1.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before it is passed to the shell, so an attacker can inject arbitrary commands. In Hadoop 3.3 this is only used in InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for YARN localization, which does enable remote code execution. It is also used in Apache Spark, from the SQL command ADD ARCHIVE; as the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305, "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4 and 3.2.2, prevents shell commands from being executed regardless of which version of the Hadoop libraries is in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or later (including HADOOP-18136).

Publish Date: 2022-08-04

URL: CVE-2022-25168

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130

Release Date: 2022-08-04

Fix Resolution: org.apache.hadoop:hadoop-common:2.10.2,3.2.4,3.3.3;org.apache.hadoop:hadoop-core:2.10.2,3.2.4,3.3.3;org.apache.hadoop:hadoop-client-api:2.10.2,3.2.4,3.3.3

**CVE-2023-44981**

### Vulnerable Library - zookeeper-3.4.14.jar

Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml

Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - :x: **zookeeper-3.4.14.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), authorization is done by verifying that the instance part of the SASL authentication ID is listed in the zoo.cfg server list. The instance part of the SASL auth ID is optional, and if it is missing, as in 'eve@EXAMPLE.COM', the authorization check is skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default. Users are recommended to upgrade to version 3.9.1, 3.8.3 or 3.7.2, which fix the issue. Alternatively, ensure the ensemble election/quorum communication is protected by a firewall, as this mitigates the issue. See the documentation for more details on correct cluster administration.

Publish Date: 2023-10-11

URL: CVE-2023-44981

### CVSS 3 Score Details (9.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b

Release Date: 2023-10-11

Fix Resolution: org.apache.zookeeper:zookeeper:3.7.2,3.8.3,3.9.1

**CVE-2019-20444**

### Vulnerable Library - netty-3.10.6.Final.jar

The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable, high-performance and highly scalable protocol servers and clients. In other words, Netty is a NIO client-server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket servers.

Library home page: http://netty.io/

Path to dependency file: /nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/pom.xml

Path to vulnerable library: /nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml,/nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-processors/pom.xml,/nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml

Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - zookeeper-3.4.14.jar
      - :x: **netty-3.10.6.Final.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."

Publish Date: 2020-01-29

URL: CVE-2019-20444

### CVSS 3 Score Details (9.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444

Release Date: 2020-01-29

Fix Resolution: io.netty:netty-all:4.1.44.Final

**CVE-2020-9492**

### Vulnerable Library - hadoop-client-api-3.1.1.jar

Apache Hadoop Client

Library home page: http://www.apache.org

Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml

Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - accumulo-start-2.0.1.jar
      - :x: **hadoop-client-api-3.1.1.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, the WebHDFS client might send a SPNEGO authorization header to a remote URL without proper verification.

Publish Date: 2021-01-26

URL: CVE-2020-9492

### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E

Release Date: 2024-09-03

Fix Resolution: org.apache.hadoop:hadoop-hdfs-client:2.10.1,org.apache.hadoop:hadoop-hdfs-client:3.1.4,org.apache.hadoop:hadoop-hdfs-client:3.2.2

**WS-2019-0490**

### Vulnerable Library - jcommander-1.72.jar

Command line parsing

Library home page: http://jcommander.org

Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml,/nifi-nar-bundles/nifi-scripting-bundle/nifi-scripting-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-groovyx-bundle/nifi-groovyx-nar/pom.xml,/nifi-toolkit/nifi-toolkit-admin/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-toolkit/nifi-toolkit-encrypt-config/pom.xml

Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - :x: **jcommander-1.72.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Inclusion of Functionality from Untrusted Control Sphere vulnerability found in jcommander before 1.75: jcommander resolves dependencies over HTTP instead of HTTPS.

Publish Date: 2019-02-19

URL: WS-2019-0490

### CVSS 3 Score Details (8.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Release Date: 2019-02-19

Fix Resolution: com.beust:jcommander:1.75

**CVE-2024-7254**

### Vulnerable Library - protobuf-java-3.7.1.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml

Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - :x: **protobuf-java-3.7.1.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be crashed by exceeding the stack limit, i.e. a StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursion that can be abused by an attacker.

Publish Date: 2024-09-19

URL: CVE-2024-7254

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-7254

Release Date: 2024-09-19

Fix Resolution: com.google.protobuf:protobuf-javalite - 3.25.5,4.28.2,4.27.5;com.google.protobuf:protobuf-java - 4.27.5,3.25.5,4.28.2

**CVE-2022-3509**

### Vulnerable Library - protobuf-java-3.7.1.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml

Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - :x: **protobuf-java-3.7.1.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3, can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-11-01

URL: CVE-2022-3509

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509

Release Date: 2022-11-01

Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7

**CVE-2021-22569**

### Vulnerable Library - protobuf-java-3.7.1.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml

Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - :x: **protobuf-java-3.7.1.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that they would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Publish Date: 2022-01-07

URL: CVE-2021-22569

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-wrvw-hg22-4m67

Release Date: 2022-01-07

Fix Resolution: com.google.protobuf:protobuf-java:3.16.1,3.18.2,3.19.2; com.google.protobuf:protobuf-kotlin:3.18.2,3.19.2; google-protobuf - 3.19.2

**CVE-2019-0205**

### Vulnerable Library - libthrift-0.12.0.jar

Thrift is a software framework for scalable cross-language services development.

Library home page: http://thrift.apache.org

Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml

Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - :x: **libthrift-0.12.0.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

In Apache Thrift, all versions up to and including 0.12.0, a server or client may run into an endless loop when fed specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.

Publish Date: 2019-10-28

URL: CVE-2019-0205

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0205

Release Date: 2019-10-28

Fix Resolution: org.apache.thrift:libthrift:0.13.0

**CVE-2024-29131**

### Vulnerable Library - commons-configuration2-2.5.jar

Tools to assist in the reading of configuration/preferences files in various formats

Library home page: https://www.apache.org/

Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml

Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - accumulo-start-2.0.1.jar
      - :x: **commons-configuration2-2.5.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Out-of-bounds Write vulnerability in Apache Commons Configuration. This issue affects Apache Commons Configuration from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue.

Publish Date: 2024-03-21

URL: CVE-2024-29131

### CVSS 3 Score Details (7.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low


### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/03nzzzjn4oknyw5y0871tw7ltj0t3r37

Release Date: 2024-03-21

Fix Resolution: org.apache.commons:commons-configuration2:2.10.1

**CVE-2024-29133**

### Vulnerable Library - commons-configuration2-2.5.jar

Tools to assist in the reading of configuration/preferences files in various formats

Library home page: https://www.apache.org/

Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml

Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - accumulo-start-2.0.1.jar
      - :x: **commons-configuration2-2.5.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Out-of-bounds Write vulnerability in Apache Commons Configuration. This issue affects Apache Commons Configuration from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue.

Publish Date: 2024-03-21

URL: CVE-2024-29133

### CVSS 3 Score Details (4.4)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: Low


### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/ccb9w15bscznh6tnp3wsvrrj9crbszh2

Release Date: 2024-03-21

Fix Resolution: org.apache.commons:commons-configuration2:2.10.1

**CVE-2022-3171**

### Vulnerable Library - protobuf-java-3.7.1.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml

Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - :x: **protobuf-java-3.7.1.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-10-12

URL: CVE-2022-3171

### CVSS 3 Score Details (4.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Adjacent
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-h4h5-3hr4-j3g2

Release Date: 2022-10-12

Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-javalite:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin:3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin-lite:3.19.6,3.20.3,3.21.7;google-protobuf - 3.19.6,3.20.3,3.21.7

mend-for-github-com[bot] commented 1 week ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.