Description
The following libraries have vulnerabilities that will fail Nexus security scans. They are rated as threats of level 7 and higher on the Sonatype/Nexus scale. Many of them can be fixed by upgrading the dependencies, as the issues are fixed in subsequent releases.
[Update - still present] com.fasterxml.woodstox : woodstox-core : 5.0.3
- https://github.com/FasterXML/woodstox/issues/50

[Update - still present] com.nimbusds : nimbus-jose-jwt : 4.41.1
- https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt

[Update - still present] log4j : log4j : 1.2.17
SocketServer class that is vulnerable to deserialization of untrusted data:
- https://issues.apache.org/jira/browse/LOG4J2-1863
- https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E
- https://bugzilla.redhat.com/show_bug.cgi?id=1785616
Dynamic-link Library (DLL) Preloading:

[Fixed] apache-xerces : xercesImpl : 2.9.1 (hash table collisions)
- https://issues.apache.org/jira/browse/XERCESJ-1685
- https://mail-archives.apache.org/mod_mbox/xerces-j-dev/201410.mbox/%3COF3B40F5F7.E6552A8B-ON85257D73.00699ED7-85257D73.006A999B@ca.ibm.com%3E
- https://bugzilla.redhat.com/show_bug.cgi?id=1019176

[Update - still present] com.fasterxml.jackson.core : jackson-databind : 2.10.0
- https://github.com/FasterXML/jackson-databind/issues/2589

[Update - still present] commons-beanutils : commons-beanutils : 1.9.3
- http://www.rapid7.com/db/modules/exploit/multi/http/struts_code_exec_classloader

[Update - still present] commons-io : commons-io : 2.5
- https://github.com/apache/commons-io/pull/52

[Upgraded to 4.1.51.Final, still with vulnerabilities, see "New" below] io.netty : netty-all : 4.1.47.Final
- https://github.com/netty/netty/issues/10351
- https://github.com/netty/netty/pull/10560

[Update - still present] org.apache.commons : commons-compress : 1.18
- https://commons.apache.org/proper/commons-compress/security-reports.html#Apache_Commons_Compress_Security_Vulnerabilities

[Update - changed to org.apache.hadoop : hadoop-hdfs-client : 3.2.0, see "New" below] org.apache.hadoop : hadoop-hdfs : 2.7.4
- https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/caacbbba2dcc1105163f76f3dfee5fbd22e0417e0783212787086378@%3Cgeneral.hadoop.apache.org%3E
- https://hadoop.apache.org/cve_list.html
- https://www.openwall.com/lists/oss-security/2019/01/24/3

org.apache.hadoop : hadoop-mapreduce-client-core : 2.7.4
- https://bugzilla.redhat.com/show_bug.cgi?id=1516399
- https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f@%3Cgeneral.hadoop.apache.org%3E

[Update - still present] org.codehaus.jackson : jackson-mapper-asl : 1.9.13
- https://github.com/FasterXML/jackson-databind/issues/1599
- https://blog.sonatype.com/jackson-databind-remote-code-execution
- https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7525
- https://access.redhat.com/security/cve/cve-2019-10172
- https://bugzilla.redhat.com/show_bug.cgi?id=1715075
- https://nvd.nist.gov/vuln/detail/CVE-2019-10172

[Update - still present] org.eclipse.jetty : jetty-http : 9.3.24.v20180605
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096

[Update - still present] org.eclipse.jetty : jetty-webapp : 9.3.24.v20180605
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921
- https://github.com/eclipse/jetty.project/issues/5451
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6
New:

datatables 1.10.7

jquery 3.3.1
- https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
- https://github.com/cbeust/testng/issues/2150

net.minidev : json-smart : 2.3
- https://github.com/netplex/json-smart-v1/issues/7

org.apache.hadoop : hadoop-yarn-common : 3.2.0
- https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
- https://github.com/cbeust/testng/issues/2150
- https://github.com/DataTables/Dist-DataTables/commit/e2e19eac7e5a6f140d7eefca5c7deba165b357eb#diff-e7d8309f017dd2ef6385fa8cdc1539a2R2765

com.squareup.okhttp : okhttp : 2.7.5
- https://source.android.com/security/bulletin/2021-02-01#android-runtime

io.netty : netty-all : 4.1.51.Final
- https://github.com/netty/netty/issues/10351

org.apache.hadoop : hadoop-hdfs-client : 3.2.0