Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml,/nifi-nar-bundles/nifi-scripting-bundle/nifi-scripting-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-groovyx-bundle/nifi-groovyx-nar/pom.xml,/nifi-toolkit/nifi-toolkit-admin/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-toolkit/nifi-toolkit-encrypt-config/pom.xml
Inclusion of Functionality from Untrusted Control Sphere vulnerability found in jcommander before 1.75: jcommander resolves dependencies over HTTP instead of HTTPS.
Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursion that can be abused by an attacker.
Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3, can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that they would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml
In Apache Thrift, all versions up to and including 0.12.0, a server or client may run into an endless loop when fed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.
Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml
Out-of-bounds Write vulnerability in Apache Commons Configuration. This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.
Users are recommended to upgrade to version 2.10.1, which fixes the issue.
Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Vulnerable Library - nifi-accumulo-services-1.15.0-SNAPSHOT.jar
Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2020-1953
### Vulnerable Library - commons-configuration2-2.5.jar

Tools to assist in the reading of configuration/preferences files in various formats
Library home page: https://www.apache.org/
Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml
Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - accumulo-start-2.0.1.jar
      - :x: **commons-configuration2-2.5.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details

Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. If a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application.
Publish Date: 2020-03-13
URL: CVE-2020-1953
### CVSS 3 Score Details (10.0)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1953
Release Date: 2020-03-13
Fix Resolution: org.apache.commons:commons-configuration2:2.7
CVE-2022-42889
### Vulnerable Library - commons-text-1.6.jar

Apache Commons Text is a library focused on algorithms working on strings.
Library home page: https://www.apache.org/
Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml
Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - accumulo-start-2.0.1.jar
      - commons-configuration2-2.5.jar
        - :x: **commons-text-1.6.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve DNS records
- "url" - load values from URLs, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
Publish Date: 2022-10-13
URL: CVE-2022-42889
### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2022/10/13/4
Release Date: 2022-10-13
Fix Resolution: org.apache.commons:commons-text:1.10.0
CVE-2022-33980
### Vulnerable Library - commons-configuration2-2.5.jar

Tools to assist in the reading of configuration/preferences files in various formats
Library home page: https://www.apache.org/
Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml
Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - accumulo-start-2.0.1.jar
      - :x: **commons-configuration2-2.5.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details

Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve DNS records
- "url" - load values from URLs, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.
Publish Date: 2022-07-06
URL: CVE-2022-33980
### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s
Release Date: 2022-07-06
Fix Resolution: org.apache.commons:commons-configuration2:2.8.0
CVE-2022-25168
### Vulnerable Library - hadoop-client-api-3.1.1.jar

Apache Hadoop Client
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml
Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - accumulo-start-2.0.1.jar
      - :x: **hadoop-client-api-3.1.1.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details

Apache Hadoop's FileUtil.unTar(File, File) API does not escape the input file name before it is passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for YARN localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305, "Check existence of file before untarring/zipping", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands from being executed, regardless of which version of the Hadoop libraries is in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or later (including HADOOP-18136).
Publish Date: 2022-08-04
URL: CVE-2022-25168
### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130
Release Date: 2022-08-04
Fix Resolution: org.apache.hadoop:hadoop-common:2.10.2,3.2.4,3.3.3;org.apache.hadoop:hadoop-core:2.10.2,3.2.4,3.3.3;org.apache.hadoop:hadoop-client-api:2.10.2,3.2.4,3.3.3
CVE-2023-44981
### Vulnerable Library - zookeeper-3.4.14.jar

Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml
Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - :x: **zookeeper-3.4.14.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details

Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in the SASL authentication ID is listed in the zoo.cfg server list. The instance part in the SASL auth ID is optional and if it is missing, as in 'eve@EXAMPLE.COM', the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default.

Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue.

Alternatively, ensure the ensemble election/quorum communication is protected by a firewall, as this will mitigate the issue.

See the documentation for more details on correct cluster administration.
Publish Date: 2023-10-11
URL: CVE-2023-44981
### CVSS 3 Score Details (9.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b
Release Date: 2023-10-11
Fix Resolution: org.apache.zookeeper:zookeeper:3.7.2,3.8.3,3.9.1
CVE-2019-20444
### Vulnerable Library - netty-3.10.6.Final.jar

The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.
Library home page: http://netty.io/
Path to dependency file: /nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/pom.xml
Path to vulnerable library: /nifi-registry/nifi-registry-extensions/nifi-registry-ranger/nifi-registry-ranger-plugin/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml,/nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-processors/pom.xml,/nifi-nar-bundles/nifi-elasticsearch-bundle/nifi-elasticsearch-5-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml
Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - zookeeper-3.4.14.jar
      - :x: **netty-3.10.6.Final.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
Publish Date: 2020-01-29
URL: CVE-2019-20444
### CVSS 3 Score Details (9.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444
Release Date: 2020-01-29
Fix Resolution: io.netty:netty-all:4.1.44.Final
CVE-2020-9492
### Vulnerable Library - hadoop-client-api-3.1.1.jar

Apache Hadoop Client
Library home page: http://www.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml
Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - accumulo-start-2.0.1.jar
      - :x: **hadoop-client-api-3.1.1.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details
In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, the WebHDFS client might send the SPNEGO authorization header to a remote URL without proper verification.
Publish Date: 2021-01-26
URL: CVE-2020-9492
### CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E
Release Date: 2024-09-03
Fix Resolution: org.apache.hadoop:hadoop-hdfs-client:2.10.1,org.apache.hadoop:hadoop-hdfs-client:3.1.4,org.apache.hadoop:hadoop-hdfs-client:3.2.2
WS-2019-0490
### Vulnerable Library - jcommander-1.72.jar
Command line parsing
Library home page: http://jcommander.org
Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml,/nifi-nar-bundles/nifi-scripting-bundle/nifi-scripting-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-groovyx-bundle/nifi-groovyx-nar/pom.xml,/nifi-toolkit/nifi-toolkit-admin/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-toolkit/nifi-toolkit-encrypt-config/pom.xml
Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - :x: **jcommander-1.72.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details
Inclusion of Functionality from Untrusted Control Sphere vulnerability found in jcommander before 1.75: jcommander resolves dependencies over HTTP instead of HTTPS.
Publish Date: 2019-02-19
URL: WS-2019-0490
### CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Release Date: 2019-02-19
Fix Resolution: com.beust:jcommander:1.75
CVE-2024-7254
### Vulnerable Library - protobuf-java-3.7.1.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml
Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - :x: **protobuf-java-3.7.1.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit (i.e. a StackOverflow). Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursion that can be abused by an attacker.
Publish Date: 2024-09-19
URL: CVE-2024-7254
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-7254
Release Date: 2024-09-19
Fix Resolution: com.google.protobuf:protobuf-javalite - 3.25.5,4.28.2,4.27.5;com.google.protobuf:protobuf-java - 4.27.5,3.25.5,4.28.2
CVE-2022-3509
### Vulnerable Library - protobuf-java-3.7.1.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml
Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - :x: **protobuf-java-3.7.1.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3, can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Publish Date: 2022-11-01
URL: CVE-2022-3509
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509
Release Date: 2022-11-01
Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7
CVE-2021-22569
### Vulnerable Library - protobuf-java-3.7.1.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml
Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - :x: **protobuf-java-3.7.1.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that they would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
Publish Date: 2022-01-07
URL: CVE-2021-22569
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-wrvw-hg22-4m67
Release Date: 2022-01-07
Fix Resolution: com.google.protobuf:protobuf-java:3.16.1,3.18.2,3.19.2; com.google.protobuf:protobuf-kotlin:3.18.2,3.19.2; google-protobuf - 3.19.2
CVE-2019-0205
### Vulnerable Library - libthrift-0.12.0.jar
Thrift is a software framework for scalable cross-language services development.
Library home page: http://thrift.apache.org
Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml
Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - :x: **libthrift-0.12.0.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details
In Apache Thrift, all versions up to and including 0.12.0, a server or client may run into an endless loop when fed specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.
Publish Date: 2019-10-28
URL: CVE-2019-0205
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0205
Release Date: 2019-10-28
Fix Resolution: org.apache.thrift:libthrift:0.13.0
CVE-2024-29131
### Vulnerable Library - commons-configuration2-2.5.jar
Tools to assist in the reading of configuration/preferences files in various formats
Library home page: https://www.apache.org/
Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml
Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - accumulo-start-2.0.1.jar
      - :x: **commons-configuration2-2.5.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details
Out-of-bounds Write vulnerability in Apache Commons Configuration. This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue.
Publish Date: 2024-03-21
URL: CVE-2024-29131
### CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

### Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/03nzzzjn4oknyw5y0871tw7ltj0t3r37
Release Date: 2024-03-21
Fix Resolution: org.apache.commons:commons-configuration2:2.10.1
CVE-2024-29133
### Vulnerable Library - commons-configuration2-2.5.jar
Tools to assist in the reading of configuration/preferences files in various formats
Library home page: https://www.apache.org/
Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml
Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - accumulo-start-2.0.1.jar
      - :x: **commons-configuration2-2.5.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details
Out-of-bounds Write vulnerability in Apache Commons Configuration. This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue.
Publish Date: 2024-03-21
URL: CVE-2024-29133
### CVSS 3 Score Details (4.4)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: Low

### Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/ccb9w15bscznh6tnp3wsvrrj9crbszh2
Release Date: 2024-03-21
Fix Resolution: org.apache.commons:commons-configuration2:2.10.1
CVE-2022-3171
### Vulnerable Library - protobuf-java-3.7.1.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-api-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services-nar/pom.xml,/nifi-nar-bundles/nifi-accumulo-bundle/nifi-accumulo-services/pom.xml
Dependency Hierarchy:
- nifi-accumulo-services-1.15.0-SNAPSHOT.jar (Root Library)
  - accumulo-core-2.0.1.jar
    - :x: **protobuf-java-3.7.1.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Details
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Publish Date: 2022-10-12
URL: CVE-2022-3171
### CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Adjacent
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

### Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
Release Date: 2022-10-12
Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-javalite:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin:3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin-lite:3.19.6,3.20.3,3.21.7;google-protobuf - 3.19.6,3.20.3,3.21.7