Type: Bug
Status: Open
Priority: Critical
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: Aspera Connector, NEV, Security
Tags:
Backlog priority: 900
Sprint: Connectors update

All the vulnerabilities for the "nuxeo-arender-ui" image are listed below:
Package - com.google.code.gson:gson : upgrade from 2.8.5 to 2.8.9
Package Version - 2.8.5
Vendor status - fixed in 2.8.9
Package Path - /usr/local/tomcat/webapps/ROOT/WEB-INF/lib/gson-2.8.5.jar
CVE link - https://nvd.nist.gov/vuln/detail/CVE-2022-25647
Package - hazelcast-all
hazelcast-all 4.2 includes com.google.guava:guava 30.1-jre => it must be upgraded to a version which includes com.google.guava:guava 32.0.0
Package Version - 30.1-jre
Vendor status - fixed in 32.0.0
Package Path - /usr/local/tomcat/webapps/ROOT/WEB-INF/lib/hazelcast-all-4.2.jar
CVE link - https://nvd.nist.gov/vuln/detail/CVE-2023-2976
Package - gwt-servlet
gwt-servlet 2.9.0 includes com.google.protobuf_protobuf-java 2.5.0 => it must be upgraded to a version which includes com.google.protobuf_protobuf-java 3.19.2| 3.18.2| 3.16.1
Package Version - 2.5.0
Vendor status - fixed in 3.19.2| 3.18.2| 3.16.1
Package Path - /usr/local/tomcat/webapps/ROOT/WEB-INF/lib/gwt-servlet-2.9.0.jar
CVE link - https://nvd.nist.gov/vuln/detail/CVE-2021-22569
Package - com.thoughtworks.xstream:xstream
Package Version - 1.4.17
Vendor status - fixed in 1.4.18
Package Path - /usr/local/tomcat/webapps/ROOT/WEB-INF/lib/xstream-1.4.17.jar
CVE links:
https://nvd.nist.gov/vuln/detail/CVE-2021-39139
https://nvd.nist.gov/vuln/detail/CVE-2021-39141
https://nvd.nist.gov/vuln/detail/CVE-2021-39144
https://nvd.nist.gov/vuln/detail/CVE-2021-39145
https://nvd.nist.gov/vuln/detail/CVE-2021-39146
https://nvd.nist.gov/vuln/detail/CVE-2021-39147
https://nvd.nist.gov/vuln/detail/CVE-2021-39148
https://nvd.nist.gov/vuln/detail/CVE-2021-39149
https://nvd.nist.gov/vuln/detail/CVE-2021-39150
https://nvd.nist.gov/vuln/detail/CVE-2021-39151
https://nvd.nist.gov/vuln/detail/CVE-2021-39152
https://nvd.nist.gov/vuln/detail/CVE-2021-39153
https://nvd.nist.gov/vuln/detail/CVE-2021-39154
Package - io.netty:netty-codec
Package Version - 4.1.58.Final
Vendor status - fixed in 4.1.68.Final
Package Path - /usr/local/tomcat/webapps/ROOT/WEB-INF/lib/netty-codec-4.1.45.Final.jar
CVE link - https://nvd.nist.gov/vuln/detail/CVE-2021-37137
Package - java
Package Version - 11.0.11
Vendor status - fixed in 18.0.1| 17.0.3| 11.0.15|...
Package Path - /opt/java/openjdk/bin/java
CVE link - https://nvd.nist.gov/vuln/detail/CVE-2022-21476
Package - org.apache.commons:commons-text
Package Version - 1.6
Vendor status - fixed in 1.10.0
Package Path - /usr/local/tomcat/webapps/ROOT/WEB-INF/lib/commons-text-1.6.jar
CVE link - https://nvd.nist.gov/vuln/detail/CVE-2022-42889
Package - tomcat-util
Package Version - 9.0.43
Vendor status - fixed in 10.1.0-M10| 10.0.16| 9.0.58| 8.5.75
Package Path - /usr/local/tomcat/lib/tomcat-util.jar
CVE links:
https://nvd.nist.gov/vuln/detail/CVE-2022-23181
https://nvd.nist.gov/vuln/detail/CVE-2021-42340