Ramya Rohidas created ZOOKEEPER-4513:
----------------------------------------

             Summary: ZK 3.6 jar vulnerabilities 
                 Key: ZOOKEEPER-4513
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4513
             Project: ZooKeeper
          Issue Type: Bug
            Reporter: Ramya Rohidas


Java (jar)
==========
Total: 7 (UNKNOWN: 1, LOW: 2, MEDIUM: 0, HIGH: 3, CRITICAL: 1)

+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| LIBRARY                                     | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION                  | TITLE                                 |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| com.fasterxml.jackson.core:jackson-databind | CVE-2020-36518   | HIGH     | 2.10.5.1          | 2.12.6.1, 2.13.2.1             | jackson-databind: denial of service   |
|                                             |                  |          |                   |                                | via a large depth of nested objects   |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-36518 |
+---------------------------------------------+------------------+          +-------------------+--------------------------------+---------------------------------------+
| io.netty:netty-codec                        | CVE-2021-37136   |          | 4.1.63.Final      | 4.1.68.Final                   | netty-codec: Bzip2Decoder             |
|                                             |                  |          |                   |                                | doesn't allow setting size            |
|                                             |                  |          |                   |                                | restrictions for decompressed data    |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-37136 |
+                                             +------------------+          +                   +                                +---------------------------------------+
|                                             | CVE-2021-37137   |          |                   |                                | netty-codec: SnappyFrameDecoder       |
|                                             |                  |          |                   |                                | doesn't restrict chunk length and     |
|                                             |                  |          |                   |                                | may buffer skippable chunks in...     |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-37137 |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| log4j:log4j                                 | CVE-2019-17571   | CRITICAL | 1.2.17            | 2.0-alpha1                     | log4j: deserialization of             |
|                                             |                  |          |                   |                                | untrusted data in SocketServer        |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2019-17571 |
+                                             +------------------+----------+                   +--------------------------------+---------------------------------------+
|                                             | CVE-2020-9488    | LOW      |                   | 2.13.2                         | log4j: improper validation            |
|                                             |                  |          |                   |                                | of certificate with host              |
|                                             |                  |          |                   |                                | mismatch in SMTP appender             |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2020-9488  |
+                                             +------------------+----------+                   +--------------------------------+---------------------------------------+
|                                             | GMS-2021-5       | UNKNOWN  |                   | 2.15.0-rc1                     | Improper Neutralization               |
|                                             |                  |          |                   |                                | of Special Elements in                |
|                                             |                  |          |                   |                                | Output Used by a Downstream           |
|                                             |                  |          |                   |                                | Component...                          |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| org.eclipse.jetty:jetty-server              | CVE-2021-34428   | LOW      | 9.4.39.v20210325  | 9.4.40.v20210413, 10.0.3,      | jetty: SessionListener can            |
|                                             |                  |          |                   | 11.0.3                         | prevent a session from being          |
|                                             |                  |          |                   |                                | invalidated breaking logout           |
|                                             |                  |          |                   |                                | -->avd.aquasec.com/nvd/cve-2021-34428 |
+---------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+


