mend-for-github-com[bot]
commented
3 weeks ago :heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Path to vulnerable library: /nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api-nar/pom.xml,/nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api/pom.xml
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-23221
### Vulnerable Library - h2-1.3.158.jarH2 Database Engine
Library home page: http://www.h2database.com
Path to dependency file: /nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api/pom.xml,/nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api-nar/pom.xml
Dependency Hierarchy: - nifi-druid-controller-service-api-1.15.0-SNAPSHOT.jar (Root Library) - tranquility-core_2.11-0.8.2.jar - scala-util_2.11-1.11.6.jar - :x: **h2-1.3.158.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsH2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
Publish Date: 2022-01-19
URL: CVE-2022-23221
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-01-19
Fix Resolution: com.h2database:h2:2.1.210
CVE-2021-42392
### Vulnerable Library - h2-1.3.158.jarH2 Database Engine
Library home page: http://www.h2database.com
Path to dependency file: /nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api/pom.xml,/nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api-nar/pom.xml
Dependency Hierarchy: - nifi-druid-controller-service-api-1.15.0-SNAPSHOT.jar (Root Library) - tranquility-core_2.11-0.8.2.jar - scala-util_2.11-1.11.6.jar - :x: **h2-1.3.158.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsThe org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.
Publish Date: 2022-01-07
URL: CVE-2021-42392
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/h2database/h2database/security/advisories/GHSA-h376-j262-vhq6
Release Date: 2022-01-07
Fix Resolution: com.h2database:h2:2.0.206
CVE-2023-44981
### Vulnerable Library - zookeeper-3.4.5.jarPath to dependency file: /nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api/pom.xml,/nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api-nar/pom.xml
Dependency Hierarchy: - nifi-druid-controller-service-api-1.15.0-SNAPSHOT.jar (Root Library) - tranquility-core_2.11-0.8.2.jar - scala-util_2.11-1.11.6.jar - :x: **zookeeper-3.4.5.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsAuthorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default. Users are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue. Alternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue. See the documentation for more details on correct cluster administration.
Publish Date: 2023-10-11
URL: CVE-2023-44981
### CVSS 3 Score Details (9.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b
Release Date: 2023-10-11
Fix Resolution: org.apache.zookeeper:zookeeper:3.7.2,3.8.3,3.9.1
CVE-2018-8012
### Vulnerable Library - zookeeper-3.4.5.jarPath to dependency file: /nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api/pom.xml,/nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api-nar/pom.xml
Dependency Hierarchy: - nifi-druid-controller-service-api-1.15.0-SNAPSHOT.jar (Root Library) - tranquility-core_2.11-0.8.2.jar - scala-util_2.11-1.11.6.jar - :x: **zookeeper-3.4.5.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsNo authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.
Publish Date: 2018-05-21
URL: CVE-2018-8012
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8012
Release Date: 2018-05-21
Fix Resolution: 3.4.10,3.5.4-beta
CVE-2017-5637
### Vulnerable Library - zookeeper-3.4.5.jarPath to dependency file: /nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api/pom.xml,/nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api-nar/pom.xml
Dependency Hierarchy: - nifi-druid-controller-service-api-1.15.0-SNAPSHOT.jar (Root Library) - tranquility-core_2.11-0.8.2.jar - scala-util_2.11-1.11.6.jar - :x: **zookeeper-3.4.5.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsTwo four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.
Publish Date: 2017-10-10
URL: CVE-2017-5637
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5637
Release Date: 2017-10-09
Fix Resolution: org.apache.zookeeper:zookeeper - 3.4.10,3.5.3-beta
CVE-2019-0201
### Vulnerable Library - zookeeper-3.4.5.jarPath to dependency file: /nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api/pom.xml,/nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api-nar/pom.xml
Dependency Hierarchy: - nifi-druid-controller-service-api-1.15.0-SNAPSHOT.jar (Root Library) - tranquility-core_2.11-0.8.2.jar - scala-util_2.11-1.11.6.jar - :x: **zookeeper-3.4.5.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsAn issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
Publish Date: 2019-05-23
URL: CVE-2019-0201
### CVSS 3 Score Details (5.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://zookeeper.apache.org/security.html
Release Date: 2019-05-23
Fix Resolution: 3.4.14, 3.5.5
WS-2017-3734
### Vulnerable Library - httpclient-4.3.3.jarHttpComponents Client
Library home page: http://www.apache.org/
Path to dependency file: /nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api-nar/pom.xml,/nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api/pom.xml
Dependency Hierarchy: - nifi-druid-controller-service-api-1.15.0-SNAPSHOT.jar (Root Library) - tranquility-core_2.11-0.8.2.jar - :x: **httpclient-4.3.3.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsApache httpclient before 4.5.3 are vulnerable to Directory Traversal. The user-provided path was able to override the specified host, resulting in giving network access to a sensitive environment.
Publish Date: 2017-01-21
URL: WS-2017-3734
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://issues.apache.org/jira/browse/HTTPCLIENT-1803
Release Date: 2017-01-21
Fix Resolution: org.apache.httpcomponents:httpclient:4.5.3
CVE-2020-13956
### Vulnerable Library - httpclient-4.3.3.jarHttpComponents Client
Library home page: http://www.apache.org/
Path to dependency file: /nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api-nar/pom.xml,/nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api/pom.xml
Dependency Hierarchy: - nifi-druid-controller-service-api-1.15.0-SNAPSHOT.jar (Root Library) - tranquility-core_2.11-0.8.2.jar - :x: **httpclient-4.3.3.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsApache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
Publish Date: 2020-12-02
URL: CVE-2020-13956
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-13956
Release Date: 2020-12-02
Fix Resolution: org.apache.httpcomponents:httpclient:4.5.13;org.apache.httpcomponents:httpclient-osgi:4.5.13;org.apache.httpcomponents.client5:httpclient5:5.0.3;org.apache.httpcomponents.client5:httpclient5-osgi:5.0.3
CVE-2014-3577
### Vulnerable Library - httpclient-4.3.3.jarHttpComponents Client
Library home page: http://www.apache.org/
Path to dependency file: /nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api-nar/pom.xml,/nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api/pom.xml
Dependency Hierarchy: - nifi-druid-controller-service-api-1.15.0-SNAPSHOT.jar (Root Library) - tranquility-core_2.11-0.8.2.jar - :x: **httpclient-4.3.3.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Detailsorg.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
Publish Date: 2014-08-21
URL: CVE-2014-3577
### CVSS 3 Score Details (4.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2014-08-21
Fix Resolution: org.apache.httpcomponents:httpasyncclient:4.0.2, org.apache.httpcomponents:httpclient:4.3.5
CVE-2015-5262
### Vulnerable Library - httpclient-4.3.3.jarHttpComponents Client
Library home page: http://www.apache.org/
Path to dependency file: /nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api-nar/pom.xml,/nifi-nar-bundles/nifi-druid-bundle/nifi-druid-controller-service-api/pom.xml
Dependency Hierarchy: - nifi-druid-controller-service-api-1.15.0-SNAPSHOT.jar (Root Library) - tranquility-core_2.11-0.8.2.jar - :x: **httpclient-4.3.3.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability Detailshttp/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
Publish Date: 2015-10-27
URL: CVE-2015-5262
### CVSS 3 Score Details (3.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5262
Release Date: 2015-10-27
Fix Resolution: org.apache.httpcomponents:httpclient:4.3.6