Jackrabbit Oak / OAK-9491

Address vulnerabilities found by dependency checker plugin


Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.40.0, 1.22.7
    • Fix Version/s: 1.58.0
    • Component/s: None
    • Labels: None

    Description

      One or more dependencies were identified with known vulnerabilities in Jackrabbit Oak:

      aggs-matrix-stats-client-7.1.1.jar (pkg:maven/org.elasticsearch.plugin/aggs-matrix-stats-client@7.1.1, cpe:2.3:a:elastic:elasticsearch:7.1.1:*:*:*:*:*:*:*, cpe:2.3:a:elasticsearch:elasticsearch:7.1.1:*:*:*:*:*:*:*) : CVE-2019-7614, CVE-2019-7619, CVE-2020-7009, CVE-2020-7014, CVE-2020-7019, CVE-2020-7020, CVE-2020-7021
      bcprov-jdk15on-1.65.jar (pkg:maven/org.bouncycastle/bcprov-jdk15on@1.65, cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.65:*:*:*:*:*:*:*) : CVE-2020-28052
      commons-io-2.6.jar (pkg:maven/commons-io/commons-io@2.6, cpe:2.3:a:apache:commons_io:2.6:*:*:*:*:*:*:*) : CVE-2021-29425
      cxf-core-3.3.6.jar (pkg:maven/org.apache.cxf/cxf-core@3.3.6, cpe:2.3:a:apache:cxf:3.3.6:*:*:*:*:*:*:*) : CVE-2020-13954, CVE-2021-22696, CVE-2021-30468
      elasticsearch-core-7.1.1.jar (pkg:maven/org.elasticsearch/elasticsearch-core@7.1.1, cpe:2.3:a:elastic:elasticsearch:7.1.1:*:*:*:*:*:*:*, cpe:2.3:a:elasticsearch:elasticsearch:7.1.1:*:*:*:*:*:*:*) : CVE-2019-7614, CVE-2019-7619, CVE-2020-7009, CVE-2020-7014, CVE-2020-7019, CVE-2020-7020, CVE-2020-7021
      fluent-hc-4.5.12.jar (pkg:maven/org.apache.httpcomponents/fluent-hc@4.5.12, cpe:2.3:a:apache:httpclient:4.5.12:*:*:*:*:*:*:*) : CVE-2020-13956
      groovy-2.5.2.jar (pkg:maven/org.codehaus.groovy/groovy@2.5.2, cpe:2.3:a:apache:groovy:2.5.2:*:*:*:*:*:*:*) : CVE-2020-17521
      groovy-all-2.4.17.jar (pkg:maven/org.codehaus.groovy/groovy-all@2.4.17, cpe:2.3:a:apache:groovy:2.4.17:*:*:*:*:*:*:*) : CVE-2020-17521
      guava-15.0.jar (pkg:maven/com.google.guava/guava@15.0, cpe:2.3:a:google:guava:15.0:*:*:*:*:*:*:*) : CVE-2018-10237, CVE-2020-8908
      guava-18.0.jar (pkg:maven/com.google.guava/guava@18.0, cpe:2.3:a:google:guava:18.0:*:*:*:*:*:*:*) : CVE-2018-10237, CVE-2020-8908
      hibernate-validator-5.3.6.Final.jar (pkg:maven/org.hibernate/hibernate-validator@5.3.6.Final, cpe:2.3:a:hibernate:hibernate-validator:5.3.6:*:*:*:*:*:*:*, cpe:2.3:a:redhat:hibernate_validator:5.3.6:*:*:*:*:*:*:*) : CVE-2020-10693
      http2-client-9.4.27.v20200227.jar (pkg:maven/org.eclipse.jetty.http2/http2-client@9.4.27.v20200227, cpe:2.3:a:eclipse:jetty:9.4.27:20200227:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.27:20200227:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.27:20200227:*:*:*:*:*:*) : CVE-2019-17638, CVE-2020-27216, CVE-2020-27218, CVE-2020-27223, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
      httpclient-4.5.12.jar (pkg:maven/org.apache.httpcomponents/httpclient@4.5.12, cpe:2.3:a:apache:httpclient:4.5.12:*:*:*:*:*:*:*) : CVE-2020-13956
      httpclient-osgi-4.5.12.jar/META-INF/maven/org.apache.httpcomponents/httpclient-cache/pom.xml (pkg:maven/org.apache.httpcomponents/httpclient-cache@4.5.12, cpe:2.3:a:apache:httpclient:4.5.12:*:*:*:*:*:*:*) : CVE-2020-13956
      jackson-databind-2.10.3.jar (pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.3, cpe:2.3:a:fasterxml:jackson-databind:2.10.3:*:*:*:*:*:*:*) : CVE-2020-25649
      java-xmlbuilder-1.1.jar (pkg:maven/com.jamesmurty.utils/java-xmlbuilder@1.1) : CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
      javax-websocket-server-impl-9.4.18.v20190429.jar (pkg:maven/org.eclipse.jetty.websocket/javax-websocket-server-impl@9.4.18.v20190429, cpe:2.3:a:eclipse:jetty:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:java-websocket_project:java-websocket:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.18:20190429:*:*:*:*:*:*) : CVE-2020-27216, CVE-2020-27218, CVE-2020-27223, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
      javax.servlet-3.0.0.v201112011016.jar (pkg:maven/org.eclipse.jetty.orbit/javax.servlet@3.0.0.v201112011016, cpe:2.3:a:eclipse:jetty:3.0.0:201112011016:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:3.0.0:201112011016:*:*:*:*:*:*) : CVE-2009-5045, CVE-2009-5046, CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2020-27216, CVE-2021-28169, CVE-2021-34428
      javax.websocket-api-1.0.jar (pkg:maven/javax.websocket/javax.websocket-api@1.0, cpe:2.3:a:java-websocket_project:java-websocket:1.0:*:*:*:*:*:*:*) : CVE-2020-11050
      jdom2-2.0.6.jar (pkg:maven/org.jdom/jdom2@2.0.6, cpe:2.3:a:jdom:jdom:2.0.6:*:*:*:*:*:*:*) : CVE-2021-33813
      jetty-http-9.4.27.v20200227.jar (pkg:maven/org.eclipse.jetty/jetty-http@9.4.27.v20200227, cpe:2.3:a:eclipse:jetty:9.4.27:20200227:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.27:20200227:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.27:20200227:*:*:*:*:*:*) : CVE-2019-17638, CVE-2020-27216, CVE-2020-27218, CVE-2020-27223, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
      jetty-io-8.2.0.v20160908.jar (pkg:maven/org.eclipse.jetty/jetty-io@8.2.0.v20160908, cpe:2.3:a:mortbay_jetty:jetty:8.2.0:20160908:*:*:*:*:*:*) : CVE-2021-28165
      jetty-io-9.4.18.v20190429.jar (pkg:maven/org.eclipse.jetty/jetty-io@9.4.18.v20190429, cpe:2.3:a:mortbay_jetty:jetty:9.4.18:20190429:*:*:*:*:*:*) : CVE-2021-28165
      jetty-io-9.4.27.v20200227.jar (pkg:maven/org.eclipse.jetty/jetty-io@9.4.27.v20200227, cpe:2.3:a:mortbay_jetty:jetty:9.4.27:20200227:*:*:*:*:*:*) : CVE-2021-28165
      jetty-server-8.2.0.v20160908.jar (pkg:maven/org.eclipse.jetty/jetty-server@8.2.0.v20160908, cpe:2.3:a:eclipse:jetty:8.2.0:20160908:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:8.2.0:20160908:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:8.2.0:20160908:*:*:*:*:*:*) : CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2019-10241, CVE-2019-10247, CVE-2020-27216, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
      jetty-server-9.4.18.v20190429.jar (pkg:maven/org.eclipse.jetty/jetty-server@9.4.18.v20190429, cpe:2.3:a:eclipse:jetty:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.18:20190429:*:*:*:*:*:*) : CVE-2020-27216, CVE-2020-27218, CVE-2020-27223, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
      jetty-util-8.2.0.v20160908.jar (pkg:maven/org.eclipse.jetty/jetty-util@8.2.0.v20160908, cpe:2.3:a:eclipse:jetty:8.2.0:20160908:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:8.2.0:20160908:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:8.2.0:20160908:*:*:*:*:*:*) : CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2019-10247, CVE-2020-27216, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
      junit-4.12.jar (pkg:maven/junit/junit@4.12) : CVE-2020-15250
      lang-mustache-client-7.1.1.jar (pkg:maven/org.elasticsearch.plugin/lang-mustache-client@7.1.1, cpe:2.3:a:elastic:elasticsearch:7.1.1:*:*:*:*:*:*:*, cpe:2.3:a:elasticsearch:elasticsearch:7.1.1:*:*:*:*:*:*:*) : CVE-2019-7614, CVE-2019-7619, CVE-2020-7009, CVE-2020-7014, CVE-2020-7019, CVE-2020-7020, CVE-2020-7021
      log4j-1.2.16.jar (pkg:maven/log4j/log4j@1.2.16, cpe:2.3:a:apache:log4j:1.2.16:*:*:*:*:*:*:*) : CVE-2019-17571, CVE-2020-9488
      log4j-1.2.17.jar (pkg:maven/log4j/log4j@1.2.17, cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:*) : CVE-2019-17571, CVE-2020-9488
      log4j-api-2.11.1.jar (pkg:maven/org.apache.logging.log4j/log4j-api@2.11.1, cpe:2.3:a:apache:log4j:2.11.1:*:*:*:*:*:*:*) : CVE-2020-9488
      log4j-over-slf4j-1.7.30.jar (pkg:maven/org.slf4j/log4j-over-slf4j@1.7.30, cpe:2.3:a:apache:log4j:1.7.30:*:*:*:*:*:*:*) : CVE-2020-9488
      mongo-java-driver-3.12.7.jar (pkg:maven/org.mongodb/mongo-java-driver@3.12.7, cpe:2.3:a:mongodb:java_driver:3.12.7:*:*:*:*:*:*:*) : CVE-2021-20328
      netty-3.7.0.Final.jar (pkg:maven/io.netty/netty@3.7.0.Final, cpe:2.3:a:netty:netty:3.7.0:*:*:*:*:*:*:*) : CVE-2014-0193, CVE-2014-3488, CVE-2015-2156, CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, POODLE vulnerability in SSLv3.0 support
      netty-transport-4.1.47.Final.jar (pkg:maven/io.netty/netty-transport@4.1.47.Final, cpe:2.3:a:netty:netty:4.1.47:*:*:*:*:*:*:*) : CVE-2021-21290, CVE-2021-21295, CVE-2021-21409
      netty-transport-4.1.52.Final.jar (pkg:maven/io.netty/netty-transport@4.1.52.Final, cpe:2.3:a:netty:netty:4.1.52:*:*:*:*:*:*:*) : CVE-2021-21290, CVE-2021-21295, CVE-2021-21409
      oak-jackrabbit-api-1.34.0.jar (pkg:maven/org.apache.jackrabbit/oak-jackrabbit-api@1.34.0, cpe:2.3:a:apache:jackrabbit:1.34.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:jackrabbit_oak:1.34.0:*:*:*:*:*:*:*) : CVE-2015-1833
      oak-segment-1.6.0.jar (pkg:maven/org.apache.jackrabbit/oak-segment@1.6.0, cpe:2.3:a:apache:jackrabbit:1.6.0:*:*:*:*:*:*:*, cpe:2.3:a:apache:jackrabbit_oak:1.6.0:*:*:*:*:*:*:*) : CVE-2015-1833, CVE-2020-1940
      org.apache.felix.webconsole-4.2.10-all.jar: jquery-1.8.3.js (pkg:javascript/jquery@1.8.3) : CVE-2012-6708, CVE-2015-9251, CVE-2019-11358, CVE-2020-11022, CVE-2020-11023
      org.apache.felix.webconsole-4.2.10-all.jar: jquery-ui-1.9.2.js (pkg:javascript/jquery-ui-dialog@1.9.2, pkg:javascript/jquery-ui-tooltip@1.9.2) : CVE-2010-5312, CVE-2012-6662, CVE-2016-7103
      pom.xml (pkg:maven/org.apache.jackrabbit/oak-jackrabbit-api@1.22.8-SNAPSHOT, cpe:2.3:a:apache:jackrabbit:1.22.8:snapshot:*:*:*:*:*:*, cpe:2.3:a:apache:jackrabbit_oak:1.22.8:snapshot:*:*:*:*:*:*) : CVE-2015-1833
      pom.xml (pkg:maven/org.apache.jackrabbit/oak-solr-core@1.22.8-SNAPSHOT, cpe:2.3:a:apache:jackrabbit_oak:1.22.8:snapshot:*:*:*:*:*:*, cpe:2.3:a:apache:solr:1.22.8:snapshot:*:*:*:*:*:*) : CVE-2012-6612, CVE-2013-6397, CVE-2013-6407, CVE-2013-6408, CVE-2015-8795, CVE-2015-8796, CVE-2015-8797, CVE-2017-3163, CVE-2017-3164, CVE-2018-11802, CVE-2018-1308, CVE-2019-0193, CVE-2020-13941, CVE-2021-27905, CVE-2021-29262, CVE-2021-29943
      org.apache.servicemix.bundles.dom4j-2.1.1_1.jar (pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.dom4j@2.1.1_1, cpe:2.3:a:dom4j_project:dom4j:2.1.1.1:*:*:*:*:*:*:*) : CVE-2020-10683
      org.apache.sling.commons.logservice-1.0.4.jar (pkg:maven/org.apache.sling/org.apache.sling.commons.logservice@1.0.4, cpe:2.3:a:apache:sling:1.0.4:*:*:*:*:*:*:*) : CVE-2016-5394, CVE-2016-6798
      parent-join-client-7.1.1.jar (pkg:maven/org.elasticsearch.plugin/parent-join-client@7.1.1, cpe:2.3:a:elastic:elasticsearch:7.1.1:*:*:*:*:*:*:*, cpe:2.3:a:elasticsearch:elasticsearch:7.1.1:*:*:*:*:*:*:*) : CVE-2019-7614, CVE-2019-7619, CVE-2020-7009, CVE-2020-7014, CVE-2020-7019, CVE-2020-7020, CVE-2020-7021
      pdfbox-2.0.19.jar (pkg:maven/org.apache.pdfbox/pdfbox@2.0.19, cpe:2.3:a:apache:pdfbox:2.0.19:*:*:*:*:*:*:*) : CVE-2021-27807, CVE-2021-27906, CVE-2021-31811, CVE-2021-31812
      preflight-2.0.19.jar (pkg:maven/org.apache.pdfbox/preflight@2.0.19, cpe:2.3:a:apache:pdfbox:2.0.19:*:*:*:*:*:*:*) : CVE-2021-27807, CVE-2021-27906, CVE-2021-31811, CVE-2021-31812
      rank-eval-client-7.1.1.jar (pkg:maven/org.elasticsearch.plugin/rank-eval-client@7.1.1, cpe:2.3:a:elastic:elasticsearch:7.1.1:*:*:*:*:*:*:*, cpe:2.3:a:elasticsearch:elasticsearch:7.1.1:*:*:*:*:*:*:*) : CVE-2019-7614, CVE-2019-7619, CVE-2020-7009, CVE-2020-7014, CVE-2020-7019, CVE-2020-7020, CVE-2020-7021
      sentiment-analysis-parser-0.1.jar (pkg:maven/edu.usc.ir/sentiment-analysis-parser@0.1, cpe:2.3:a:data_tools_project:data_tools:0.1:*:*:*:*:*:*:*) : CVE-2018-18749
      sis-netcdf-1.0.jar (pkg:maven/org.apache.sis.storage/sis-netcdf@1.0, cpe:2.3:a:storage_project:storage:1.0:*:*:*:*:*:*:*) : CVE-2021-20291
      snakeyaml-1.17.jar (pkg:maven/org.yaml/snakeyaml@1.17, cpe:2.3:a:snakeyaml_project:snakeyaml:1.17:*:*:*:*:*:*:*) : CVE-2017-18640
      solr-solrj-8.6.3.jar (pkg:maven/org.apache.solr/solr-solrj@8.6.3, cpe:2.3:a:apache:solr:8.6.3:*:*:*:*:*:*:*) : CVE-2021-27905, CVE-2021-29262, CVE-2021-29943
      spring-core-4.3.24.RELEASE.jar (pkg:maven/org.springframework/spring-core@4.3.24.RELEASE, cpe:2.3:a:pivotal_software:spring_framework:4.3.24:release:*:*:*:*:*:*, cpe:2.3:a:springsource:spring_framework:4.3.24:release:*:*:*:*:*:*, cpe:2.3:a:vmware:spring_framework:4.3.24:release:*:*:*:*:*:*, cpe:2.3:a:vmware:springsource_spring_framework:4.3.24:release:*:*:*:*:*:*) : CVE-2020-5421
      tagsoup-1.2.1.jar (pkg:maven/org.ccil.cowan.tagsoup/tagsoup@1.2.1, cpe:2.3:a:tag_project:tag:1.2.1:*:*:*:*:*:*:*) : CVE-2020-29242, CVE-2020-29243, CVE-2020-29244, CVE-2020-29245
      tika-core-1.24.1.jar (pkg:maven/org.apache.tika/tika-core@1.24.1, cpe:2.3:a:apache:tika:1.24.1:*:*:*:*:*:*:*) : CVE-2021-28657
      vorbis-java-tika-0.8.jar (pkg:maven/org.gagravarr/vorbis-java-tika@0.8, cpe:2.3:a:flac_project:flac:0.8:*:*:*:*:*:*:*) : CVE-2017-6888
      websocket-common-9.4.18.v20190429.jar (pkg:maven/org.eclipse.jetty.websocket/websocket-common@9.4.18.v20190429, cpe:2.3:a:eclipse:jetty:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:java-websocket_project:java-websocket:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:websocket-extensions_project:websocket-extensions:9.4.18:20190429:*:*:*:*:*:*) : CVE-2020-27216, CVE-2020-27218, CVE-2020-27223, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
      websocket-server-9.4.18.v20190429.jar (pkg:maven/org.eclipse.jetty.websocket/websocket-server@9.4.18.v20190429, cpe:2.3:a:eclipse:jetty:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:java-websocket_project:java-websocket:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:jetty:jetty:9.4.18:20190429:*:*:*:*:*:*, cpe:2.3:a:mortbay_jetty:jetty:9.4.18:20190429:*:*:*:*:*:*) : CVE-2020-27216, CVE-2020-27218, CVE-2020-27223, CVE-2021-28165, CVE-2021-28169, CVE-2021-34428
      xmpbox-2.0.19.jar (pkg:maven/org.apache.pdfbox/xmpbox@2.0.19, cpe:2.3:a:apache:pdfbox:2.0.19:*:*:*:*:*:*:*) : CVE-2021-27807, CVE-2021-27906, CVE-2021-31811, CVE-2021-31812
      zookeeper-3.4.6.jar (pkg:maven/org.apache.zookeeper/zookeeper@3.4.6, cpe:2.3:a:apache:zookeeper:3.4.6:*:*:*:*:*:*:*) : CVE-2016-5017, CVE-2017-5637, CVE-2018-8012, CVE-2019-0201, CVE-2021-21409
      zookeeper-3.5.7.jar (pkg:maven/org.apache.zookeeper/zookeeper@3.5.7, cpe:2.3:a:apache:zookeeper:3.5.7:*:*:*:*:*:*:*) : CVE-2021-21409
People

    Assignee: Julian Reschke (reschke)
    Reporter: Andrei Dulceanu (adulceanu)