nifi-persistent-provenance-repository-1.15.0-SNAPSHOT.jar: 15 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - nifi-persistent-provenance-repository-1.15.0-SNAPSHOT.jar

Path to dependency file: /nifi-nar-bundles/nifi-provenance-repository-bundle/nifi-provenance-repository-nar/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar,/home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.4.10/kotlin-stdlib-1.4.10.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (nifi-persistent-provenance-repository version)	Remediation Possible**
CVE-2016-1000027	Critical	9.8	spring-web-5.3.9.jar	Transitive	N/A*	❌
CVE-2024-22262	High	8.1	spring-web-5.3.9.jar	Transitive	N/A*	❌
CVE-2024-22259	High	8.1	spring-web-5.3.9.jar	Transitive	N/A*	❌
CVE-2024-22243	High	8.1	spring-web-5.3.9.jar	Transitive	N/A*	❌
CVE-2022-42004	High	7.5	jackson-databind-2.12.2.jar	Transitive	N/A*	❌
CVE-2022-42003	High	7.5	jackson-databind-2.12.2.jar	Transitive	N/A*	❌
CVE-2021-46877	High	7.5	jackson-databind-2.12.2.jar	Transitive	N/A*	❌
CVE-2020-36518	High	7.5	jackson-databind-2.12.2.jar	Transitive	N/A*	❌
WS-2021-0616	Medium	5.9	jackson-databind-2.12.2.jar	Transitive	N/A*	❌
CVE-2023-3635	Medium	5.9	okio-2.8.0.jar	Transitive	N/A*	❌
CVE-2024-38809	Medium	5.3	spring-web-5.3.9.jar	Transitive	N/A*	❌
CVE-2022-24329	Medium	5.3	kotlin-stdlib-1.4.10.jar	Transitive	N/A*	❌
CVE-2020-29582	Medium	5.3	kotlin-stdlib-1.4.10.jar	Transitive	N/A*	❌
CVE-2021-22096	Medium	4.3	spring-web-5.3.9.jar	Transitive	N/A*	❌
CVE-2021-22060	Medium	4.3	spring-web-5.3.9.jar	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (13 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2016-1000027

### Vulnerable Library - spring-web-5.3.9.jar

Spring Web

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-properties/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.9/spring-web-5.3.9.jar

Dependency Hierarchy: - nifi-persistent-provenance-repository-1.15.0-SNAPSHOT.jar (Root Library) - nifi-properties-loader-1.15.0-SNAPSHOT.jar - nifi-sensitive-property-provider-1.15.0-SNAPSHOT.jar - nifi-vault-utils-1.15.0-SNAPSHOT.jar - spring-vault-core-2.3.2.jar - :x: **spring-web-5.3.9.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data. Mend Note: After conducting further research, Mend has determined that all versions of spring-web up to version 6.0.0 are vulnerable to CVE-2016-1000027.

Publish Date: 2020-01-02

URL: CVE-2016-1000027

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-4wrc-f8pq-fpqp

Release Date: 2020-01-02

Fix Resolution: org.springframework:spring-web:6.0.0

CVE-2024-22262

### Vulnerable Library - spring-web-5.3.9.jar

Spring Web

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-properties/pom.xml

Found in base branch: main

### Vulnerability Details

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

Publish Date: 2024-04-16

URL: CVE-2024-22262

### CVSS 3 Score Details (8.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22262

Release Date: 2024-04-16

Fix Resolution: org.springframework:spring-web:5.3.34;6.0.19,6.1.6

CVE-2024-22259

### Vulnerable Library - spring-web-5.3.9.jar

Spring Web

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-properties/pom.xml

Found in base branch: main

### Vulnerability Details

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

Publish Date: 2024-03-16

URL: CVE-2024-22259

### CVSS 3 Score Details (8.1)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22259

Release Date: 2024-03-16

Fix Resolution: org.springframework:spring-web:5.3.33,6.0.18,6.1.5

CVE-2024-22243

### Vulnerable Library - spring-web-5.3.9.jar

Spring Web

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-properties/pom.xml

Found in base branch: main

### Vulnerability Details

Publish Date: 2024-02-23

URL: CVE-2024-22243

### CVSS 3 Score Details (8.1)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22243

Release Date: 2024-02-23

Fix Resolution: org.springframework:spring-web:5.3.32,6.0.17,6.1.4

CVE-2022-42004

### Vulnerable Library - jackson-databind-2.12.2.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nifi-commons/nifi-vault-utils/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.2/jackson-databind-2.12.2.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.2/jackson-databind-2.12.2.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.2/jackson-databind-2.12.2.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.2/jackson-databind-2.12.2.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.2/jackson-databind-2.12.2.jar,/home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.2/jackson-databind-2.12.2.jar

Found in base branch: main

### Vulnerability Details

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Publish Date: 2022-10-02

URL: CVE-2022-42004

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-10-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.13.4

CVE-2022-42003

### Vulnerable Library - jackson-databind-2.12.2.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nifi-commons/nifi-vault-utils/pom.xml

Found in base branch: main

### Vulnerability Details

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Mend Note: For 2.13.4.x, the vulnerability is fixed in 2.13.4.1. A micro-patch was added in 2.13.4.2 to address issues for Gradle users.

Publish Date: 2022-10-02

URL: CVE-2022-42003

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-jjjh-jjxp-wpff

Release Date: 2022-10-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.7.1,2.13.4.2

CVE-2021-46877

### Vulnerable Library - jackson-databind-2.12.2.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nifi-commons/nifi-vault-utils/pom.xml

Found in base branch: main

### Vulnerability Details

jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

Publish Date: 2023-03-18

URL: CVE-2021-46877

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2021-46877

Release Date: 2023-03-18

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.6,2.13.1

CVE-2020-36518

### Vulnerable Library - jackson-databind-2.12.2.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nifi-commons/nifi-vault-utils/pom.xml

Found in base branch: main

### Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. Mend Note: After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.

Publish Date: 2022-03-11

URL: CVE-2020-36518

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-03-11

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.6.1,2.13.2.1

WS-2021-0616

### Vulnerable Library - jackson-databind-2.12.2.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /nifi-commons/nifi-vault-utils/pom.xml

Found in base branch: main

### Vulnerability Details

FasterXML jackson-databind before 2.12.6 and 2.13.1 there is DoS when using JDK serialization to serialize JsonNode.

Publish Date: 2021-11-20

URL: WS-2021-0616

### CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2021-11-20

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.6, 2.13.1; com.fasterxml.jackson.core:jackson-core:2.12.6, 2.13.1

CVE-2023-3635

### Vulnerable Library - okio-2.8.0.jar

A modern I/O API for Java

Library home page: https://github.com/square/okio/

Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-optimistic-locking/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.8.0/okio-2.8.0.jar

Dependency Hierarchy: - nifi-persistent-provenance-repository-1.15.0-SNAPSHOT.jar (Root Library) - nifi-properties-loader-1.15.0-SNAPSHOT.jar - nifi-sensitive-property-provider-1.15.0-SNAPSHOT.jar - nifi-vault-utils-1.15.0-SNAPSHOT.jar - okhttp-4.9.1.jar - :x: **okio-2.8.0.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.

Publish Date: 2023-07-12

URL: CVE-2023-3635

### CVSS 3 Score Details (5.9)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-3635

Release Date: 2023-07-12

Fix Resolution: com.squareup.okio:okio-jvm:3.4.0

CVE-2024-38809

### Vulnerable Library - spring-web-5.3.9.jar

Spring Web

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /nifi-registry/nifi-registry-core/nifi-registry-properties/pom.xml

Found in base branch: main

### Vulnerability Details

Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack. Users of affected versions should upgrade to the corresponding fixed version. Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.

Publish Date: 2024-09-27

URL: CVE-2024-38809

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38809

Release Date: 2024-09-27

Fix Resolution: org.springframework:spring-web:5.3.38,6.0.23,6.1.12

CVE-2022-24329

### Vulnerable Library - kotlin-stdlib-1.4.10.jar

Kotlin Standard Library for JVM

Path to dependency file: /nifi-toolkit/nifi-toolkit-admin/pom.xml

Dependency Hierarchy: - nifi-persistent-provenance-repository-1.15.0-SNAPSHOT.jar (Root Library) - nifi-properties-loader-1.15.0-SNAPSHOT.jar - nifi-sensitive-property-provider-1.15.0-SNAPSHOT.jar - nifi-vault-utils-1.15.0-SNAPSHOT.jar - okhttp-4.9.1.jar - okio-2.8.0.jar - :x: **kotlin-stdlib-1.4.10.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.

Publish Date: 2022-02-25

URL: CVE-2022-24329

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-2qp4-g3q3-f92w

Release Date: 2022-02-25

Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.6.0

CVE-2020-29582

### Vulnerable Library - kotlin-stdlib-1.4.10.jar

Kotlin Standard Library for JVM

Path to dependency file: /nifi-toolkit/nifi-toolkit-admin/pom.xml

Dependency Hierarchy: - nifi-persistent-provenance-repository-1.15.0-SNAPSHOT.jar (Root Library) - nifi-properties-loader-1.15.0-SNAPSHOT.jar - nifi-sensitive-property-provider-1.15.0-SNAPSHOT.jar - nifi-vault-utils-1.15.0-SNAPSHOT.jar - okhttp-4.9.1.jar - okio-2.8.0.jar - :x: **kotlin-stdlib-1.4.10.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.

Publish Date: 2021-02-03

URL: CVE-2020-29582

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-cqj8-47ch-rvvq

Release Date: 2021-02-03

Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.4.21

snowdensb / nifi

nifi-persistent-provenance-repository-1.15.0-SNAPSHOT.jar: 15 vulnerabilities (highest severity is: 9.8) - autoclosed #588

Vulnerabilities

Details