[DERBY-7135] Does derby 10.14.2.0 contain the CVE-2020-13949 vulnerability? - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Not A Problem
Affects Version/s: 10.14.2.0
Fix Version/s: None
Component/s: None
Labels:
None

Urgency:
Blocker
Language:
- Java

Description

Use a security tool to scan the derby 10.14.2.0 installation package. The result shows that derbynet.jar contains the CVE-2020-13949 vulnerability. The vulnerability is related to Hive and Thrift, but no reference is found in the derby 10.14.2.0 source code.

Is it a false positive? Which of the following application scenarios will be affected if the vulnerability is involved?

For details about the scanning result, see the attachment.

Vulnerability Details:

https://nvd.nist.gov/vuln/detail/CVE-2020-13949

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

Snipaste_2022-03-22_00-43-37.png
21/Mar/22 16:44
52 kB
JenickLee
Snipaste_2022-03-22_00-51-12.png
21/Mar/22 16:52
82 kB
JenickLee

Activity

People

Assignee:: Unassigned

Reporter:: JenickLee

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 21/Mar/22 16:49

Updated:: 22/Mar/22 13:42

Resolved:: 22/Mar/22 13:42