Details
- Type: Improvement
- Status: Closed
- Priority: Critical
- Resolution: Fixed
Description
After running Kylin against VersionEye, the system reports that Kylin has "14 known security vulnerabilities". They come from the commons-fileupload, commons-email, xercesImpl, spring-webmvc, spring-jdbc, spring-aop, spring-context-support, spring-test, spring-security-core, tomcat-catalina and spring-core libraries. Upgrading to newer versions will fix the vulnerabilities.
Following is the detailed report:
commons-fileupload : 1.3.1
CVE-2016-3092: Apache Commons Fileupload: Denial of Service
https://bugzilla.redhat.com/show_bug.cgi?id=1349475
http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832@apache.org%3E
http://tomcat.apache.org/security.html
http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/RELEASE-NOTES.txt?r1=1745717&r2=1749637&diff_format=h
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
Affected versions: <=1.3.1,1.3 && <=1.2.2,1.2
CVE-2016-3092
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
Affected versions: 1.3.1
CVE-2016-1000031: Apache Commons FileUpload Deserialization Gadget
https://www.tenable.com/security/research/tra-2016-12
https://issues.apache.org/jira/browse/FILEUPLOAD-279
https://nvd.nist.gov/vuln/detail/CVE-2016-1000031
Affected versions: <=1.3.2
commons-email : 1.4
CVE-2017-9801: SMTP header injection vulnerability
https://commons.apache.org/proper/commons-email/security-reports.html
https://nvd.nist.gov/vuln/detail/CVE-2017-9801
Affected versions: <=1.4
xercesImpl : 2.11.0
CVE-2013-4002: Apache Xerces: XMLScanner resource exhaustion
https://bugzilla.redhat.com/CVE-2013-4002
http://svn.apache.org/viewvc?view=revision&revision=1499506
Affected versions: <=2.11.0
spring-webmvc : 4.2.8.RELEASE
CVE-2016-9878
https://pivotal.io/security/cve-2016-9878
Affected versions: 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.2.15, 3.2.16, 3.2.17, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4
spring-jdbc : 4.2.8.RELEASE
CVE-2016-9878
https://pivotal.io/security/cve-2016-9878
Affected versions: 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.2.15, 3.2.16, 3.2.17, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4
spring-aop : 4.2.8.RELEASE
CVE-2016-9878
https://pivotal.io/security/cve-2016-9878
Affected versions: 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.2.15, 3.2.16, 3.2.17, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4
spring-context-support : 4.2.8.RELEASE
CVE-2016-9878
https://pivotal.io/security/cve-2016-9878
Affected versions: 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.2.15, 3.2.16, 3.2.17, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4
spring-test : 4.2.8.RELEASE
CVE-2016-9878
https://pivotal.io/security/cve-2016-9878
Affected versions: 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.2.15, 3.2.16, 3.2.17, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4
spring-security-core : 4.0.4.RELEASE
CVE-2016-5007: Spring Security / MVC Path Matching Inconsistency
https://pivotal.io/security/cve-2016-5007
Affected versions: <=4.1.0.RELEASE
tomcat-catalina : 7.0.69
CVE-2016-3092: Apache Commons Fileupload: Denial of Service
https://bugzilla.redhat.com/show_bug.cgi?id=1349475
http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832@apache.org%3E
http://tomcat.apache.org/security.html
http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/RELEASE-NOTES.txt?r1=1745717&r2=1749637&diff_format=h
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
Affected versions: <=9.0.0.M7,9 && <=8.5.2,8.5 && <=8.0.35,8.0 && <=7.0.69,7