Fabrizio Fortino created OAK-10548:
--------------------------------------

             Summary: oak-solr-osgi embeds vulnerable Zookeeper 3.4.14
                 Key: OAK-10548
                 URL: https://issues.apache.org/jira/browse/OAK-10548
             Project: Jackrabbit Oak
          Issue Type: Task
          Components: indexing
            Reporter: Fabrizio Fortino
            Assignee: Fabrizio Fortino
             Fix For: 1.58.0

This artifact embeds Apache ZooKeeper 3.4.10, which contains the following vulnerabilities:

* *BDSA-2013-0048* in version 3.4.10 (CVSS 7.5 High): Apache ZooKeeper contains an information disclosure vulnerability due to a missing permission check within the `getACL` command. An attacker could exploit this to obtain hashes for authentication, if Digest Authentication is in use.

* *CVE-2020-10663* in version 3.4.10 (CVSS 7.5 High): The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)