Closed ryanhamilton closed 6 months ago
Component origin id | Component origin version name | Vulnerability id | Description |
---|---|---|---|
com.h2database:h2:1.4.200 | 1.4.200 | BDSA-2018-2507 | H2 Database's backup function contains an arbitrary file read flaw due to insecure file permissions. This could be exploited by an attacker supplying a specially crafted database file which triggers a symlink attack. If successfully exploited, the user could read protected files on the system without valid permissions. |
com.h2database:h2:1.4.200 | 1.4.200 | CVE-2021-23463 (BDSA-2021-3744) | The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability. |
com.h2database:h2:1.4.200 | 1.4.200 | CVE-2021-42392 (BDSA-2022-0048) | The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution. |
com.h2database:h2:1.4.200 | 1.4.200 | CVE-2022-23221 (BDSA-2022-0186) | H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392. |
com.h2database:h2:1.4.200 | 1.4.200 | CVE-2022-45868 (BDSA-2022-3649) | The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220. |
org.json:json:20211205 | 20211205 | CVE-2022-45688 (BDSA-2022-4165) | A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data. |
org.json:json:20211205 | 20211205 | CVE-2023-5072 (BDSA-2023-2760) | Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. |
ch.qos.logback:logback-classic:1.3.13 | 1.3.13 | BDSA-2023-3307 | Logback contains a denial-of-service (DoS) vulnerability. An attacker could exploit this issue by connecting to a receiver and sending maliciously crafted data, which could in turn allow them to slow the logging of events or crash the application. Successful exploitation of this vulnerability requires that logback-receiver component is enabled and also reachable by the attacker. |
ch.qos.logback:logback-classic:1.3.13 | 1.3.13 | CVE-2023-6481 (BDSA-2023-3341) | A serialization vulnerability in logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. |
com.mysql:mysql-connector-j:8.0.31 | 8.0.31 | CVE-2023-21971 (BDSA-2023-0906) | Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors as well as unauthorized update, insert or delete access to some of MySQL Connectors accessible data and unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H). |
com.mysql:mysql-connector-j:8.0.31 | 8.0.31 | CVE-2023-22102 | Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). |
com.mysql:mysql-connector-j:8.0.31 | 8.0.31 | BDSA-2024-4581 | Oracle MySQL Connectors contains a vulnerability within the Connector/Python component. A low privileged remote attacker could exploit this vulnerability via MySQL protocol in order to disclose sensitive information, damage the application's integrity, or cause a denial-of-service (DoS) condition. |
io.netty:netty-common:4.1.107.Final | 4.1.107.Final | BDSA-2024-0720 | Netty is vulnerable to denial-of-service (DoS) due to insufficient restrictions on the amount of memory that is allocated in the HttpPostRequestDecoder component. An attacker could exploit this by sending maliciously crafted data in order to cause an out-of-memory (OOM) error and a denial-of-service (DoS). Note: The vendor has mentioned that any Netty based HTTP server that uses the HttpPostRequestDecoder to decode a form is impacted. |
io.netty:netty-common:4.1.107.Final | 4.1.107.Final | BDSA-2024-8565 | Netty when in use in a Windows application is vulnerable to a denial-of-service (DoS) issue due to a lack of sufficient validation of environment files that are read during the Netty startup sequence. During the startup sequence, Netty has not yet verified what operating system is in use and attempts to access directories that are not normally present on Windows. An attacker with access to the system on which Netty is running could place large crafted files in the directories that Netty attempts to load and trigger a Java out-of-memory error that results in a crash of the Java based application using Netty. |
org.postgresql:postgresql:42.5.0 | 42.5.0 | CVE-2022-41946 (BDSA-2022-3347) | pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either PreparedStatement.setText(int, InputStream) or PreparedStatement.setBytea(int, InputStream) will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability. |
org.postgresql:postgresql:42.5.0 | 42.5.0 | CVE-2024-1597 (BDSA-2024-0368) | pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected. |
Babel JSON unaffected:
Scan passed 18th December 2024.
user-sit user-rd Would like blackduck scan to pass.
282 Upgrade MySQL
283 Upgrade postgres
Examining the details, many of the vulnerabilities are not real, but upgrading may be the easiest way to resolve them.