Uploaded image for project: 'James Server'
  1. James Server
  2. JAMES-3223

Bump guava and bean-utils to fix vulnerability

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.5.0
    • Fix Version/s: 3.5.0
    • Component/s: None
    • Labels:
      None

      Description

      CVE-2018-10237

      moderate severity
      Vulnerable versions: > 11.0, < 24.1.1
      Patched version: 24.1.1
      Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

      CVE-2019-10086

      high severity
      Vulnerable versions: < 1.9.4
      Patched version: 1.9.4
      In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              remi_kowalski RĂ©mi Kowalski
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: