[
https://issues.apache.org/jira/browse/GEODE-10415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17602560#comment-17602560
]
Kirk Lund commented on GEODE-10415:
-----------------------------------
All of these issues should be resolvable by bumping dependencies.
* JGroups
[GHSA-rc7h-x6cq-988q|https://deps.dev/advisory/ghsa/GHSA-rc7h-x6cq-988q] aka
[CVE-2016-2141|https://nvd.nist.gov/vuln/detail/CVE-2016-2141] refers to
“Improper Input Validation in JGroups”
* Jetty [CVE-2022-2048|https://nvd.nist.gov/vuln/detail/CVE-2022-2048] refers
to “An invalid HTTP/2 request that can be used for Denial of Service”
* Shiro [CVE-2022-32532|https://nvd.nist.gov/vuln/detail/CVE-2022-32532] refers
to “RegexRequestMatcher misconfigured resulting in bypassing authorization”
* Spring [CVE-2016-1000027|https://nvd.nist.gov/vuln/detail/CVE-2016-1000027]
refers to “Potential RCE for Java deserialization of untrusted data” (sound
familiar?)
> CVEs detected in latest geode
> -----------------------------
>
> Key: GEODE-10415
> URL: https://issues.apache.org/jira/browse/GEODE-10415
> Project: Geode
> Issue Type: Bug
> Affects Versions: 1.15.0
> Reporter: Shruti
> Assignee: Weijie Xu
> Priority: Blocker
> Labels: needsTriage
>
> We are detecting the following CVEs with geode
> 💥 High or critical vulnerabilities: 21
> The spring-core is likely Not Affected. But we would like to know about the
> rest of these listed CVEs. Any info is appreciated
> {{ }}
> {{NAME INSTALLED FIXED-IN TYPE
> VULNERABILITY SEVERITY}}
> {{jetty-security 9.4.46.v20220331
> java-archive CVE-2022-2048 High}}
> {{jetty-server 9.4.46.v20220331
> java-archive CVE-2022-2048 High}}
> {{jetty-servlet 9.4.46.v20220331
> java-archive CVE-2022-2048 High}}
> {{jetty-util 9.4.46.v20220331
> java-archive CVE-2022-2048 High}}
> {{jetty-util-ajax 9.4.46.v20220331
> java-archive CVE-2022-2048 High}}
> {{jetty-webapp 9.4.46.v20220331
> java-archive CVE-2022-2048 High}}
> {{jetty-xml 9.4.46.v20220331
> java-archive CVE-2022-2048 High}}
> {{jgroups 3.6.14.Final 4.0.0
> java-archive GHSA-rc7h-x6cq-988q Critical}}
> {{shiro-cache 1.9.0
> java-archive CVE-2022-32532 Critical}}
> {{shiro-config-core 1.9.0
> java-archive CVE-2022-32532 Critical}}
> {{shiro-config-ogdl 1.9.0
> java-archive CVE-2022-32532 Critical}}
> {{shiro-core 1.9.0 1.9.1
> java-archive GHSA-4cf5-xmhp-3xj7 Critical}}
> {{shiro-core 1.9.0
> java-archive CVE-2022-32532 Critical}}
> {{shiro-crypto-cipher 1.9.0
> java-archive CVE-2022-32532 Critical}}
> {{shiro-crypto-core 1.9.0
> java-archive CVE-2022-32532 Critical}}
> {{shiro-crypto-hash 1.9.0
> java-archive CVE-2022-32532 Critical}}
> {{shiro-event 1.9.0
> java-archive CVE-2022-32532 Critical}}
> {{shiro-lang 1.9.0
> java-archive CVE-2022-32532 Critical}}
> {{spring-core 5.3.20
> java-archive CVE-2016-1000027 Critical}}
> {{jetty-http 9.4.46.v20220331
> java-archive CVE-2022-2048 High}}
> {{jetty-io 9.4.46.v20220331
> java-archive CVE-2022-2048 High}}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
