search

snowdensb / nifi

Apache NiFi
https://nifi.apache.org/
Apache License 2.0
0 stars 0 forks source link

hbc-core-2.2.0.jar: 3 vulnerabilities (highest severity is: 5.3) - autoclosed #639

Closed mend-for-github-com[bot] closed 4 weeks ago

mend-for-github-com[bot] commented 1 month ago
Vulnerable Library - hbc-core-2.2.0.jar

Path to dependency file: /nifi-nar-bundles/nifi-social-media-bundle/nifi-twitter-processors/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive_1_1-nar/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service-nar/pom.xml,/nifi-nar-bundles/nifi-social-media-bundle/nifi-twitter-processors/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive_1_1-processors/pom.xml,/nifi-nar-bundles/nifi-social-media-bundle/nifi-social-media-nar/pom.xml

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (hbc-core version) Remediation Possible** Reachability
WS-2017-3734 Medium 5.3 httpclient-4.2.5.jar Transitive N/A*
CVE-2020-13956 Medium 5.3 httpclient-4.2.5.jar Transitive N/A*
CVE-2014-3577 Medium 4.8 httpclient-4.2.5.jar Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2017-3734 ### Vulnerable Library - httpclient-4.2.5.jar

HttpComponents Client (base module)

Library home page: http://www.apache.org/

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive_1_1-nar/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service-nar/pom.xml,/nifi-nar-bundles/nifi-social-media-bundle/nifi-twitter-processors/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive_1_1-processors/pom.xml,/nifi-nar-bundles/nifi-social-media-bundle/nifi-social-media-nar/pom.xml

Dependency Hierarchy: - hbc-core-2.2.0.jar (Root Library) - :x: **httpclient-4.2.5.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Apache httpclient before 4.5.3 are vulnerable to Directory Traversal. The user-provided path was able to override the specified host, resulting in giving network access to a sensitive environment.

Publish Date: 2017-01-21

URL: WS-2017-3734

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/HTTPCLIENT-1803

Release Date: 2017-01-21

Fix Resolution: org.apache.httpcomponents:httpclient:4.5.3

CVE-2020-13956 ### Vulnerable Library - httpclient-4.2.5.jar

HttpComponents Client (base module)

Library home page: http://www.apache.org/

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive_1_1-nar/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service-nar/pom.xml,/nifi-nar-bundles/nifi-social-media-bundle/nifi-twitter-processors/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive_1_1-processors/pom.xml,/nifi-nar-bundles/nifi-social-media-bundle/nifi-social-media-nar/pom.xml

Dependency Hierarchy: - hbc-core-2.2.0.jar (Root Library) - :x: **httpclient-4.2.5.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Publish Date: 2020-12-02

URL: CVE-2020-13956

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-13956

Release Date: 2020-12-02

Fix Resolution: org.apache.httpcomponents:httpclient:4.5.13;org.apache.httpcomponents:httpclient-osgi:4.5.13;org.apache.httpcomponents.client5:httpclient5:5.0.3;org.apache.httpcomponents.client5:httpclient5-osgi:5.0.3

CVE-2014-3577 ### Vulnerable Library - httpclient-4.2.5.jar

HttpComponents Client (base module)

Library home page: http://www.apache.org/

Path to dependency file: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml

Path to vulnerable library: /nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive_1_1-nar/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-hbase_1_1_2-client-service-bundle/nifi-hbase_1_1_2-client-service-nar/pom.xml,/nifi-nar-bundles/nifi-social-media-bundle/nifi-twitter-processors/pom.xml,/nifi-nar-bundles/nifi-hive-bundle/nifi-hive_1_1-processors/pom.xml,/nifi-nar-bundles/nifi-social-media-bundle/nifi-social-media-nar/pom.xml

Dependency Hierarchy: - hbc-core-2.2.0.jar (Root Library) - :x: **httpclient-4.2.5.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

Publish Date: 2014-08-21

URL: CVE-2014-3577

### CVSS 3 Score Details (4.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2014-08-21

Fix Resolution: org.apache.httpcomponents:httpasyncclient:4.0.2, org.apache.httpcomponents:httpclient:4.3.5

mend-for-github-com[bot] commented 4 weeks ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.