- Type: Bug
- Status: Open
- Priority: Critical
- Resolution: Unresolved
- Affects Version/s: None
- Fix Version/s: None
- Component/s: Aspera Connector, NEV, Security
- Tags:
- Backlog priority: 900
- Sprint: Connectors update

Below are listed all the vulnerabilities for "nuxeo-arender-document-xxx" images:
Package - com.google.code.gson:gson
Package Version - 2.8.5
Vendor status - fixed in 2.8.9
Package Path - /app/libs/gson-2.8.5.jar
CVE link - https://nvd.nist.gov/vuln/detail/CVE-2022-25647
Package - com.google.guava:guava
Package Version - 30.1-jre (specific to rendition-renderer container)
Package Version - 29.0.0.jre (other containers)
Vendor status - fixed in 32.0.0
Package Path - /app/libs/guava-29.0-jre.jar
CVE link - https://nvd.nist.gov/vuln/detail/CVE-2023-2976
Package - com.google.protobuf:protobuf-java (rendition-broker container)
Package Version - 3.14.0
Vendor status - fixed in 3.19.2| 3.18.2| 3.16.1
Package Path - /app/libs/protobuf-java-3.14.0.jar
CVE link - https://nvd.nist.gov/vuln/detail/CVE-2021-22569
Package - com.thoughtworks.xstream:xstream (rendition-converter container)
Package Version - 1.4.17
Vendor status - fixed in 1.4.18
Package Path - /app/libs/xstream-1.4.17.jar
CVE links:
https://nvd.nist.gov/vuln/detail/CVE-2021-39139
https://nvd.nist.gov/vuln/detail/CVE-2021-39141
https://nvd.nist.gov/vuln/detail/CVE-2021-39144
https://nvd.nist.gov/vuln/detail/CVE-2021-39145
https://nvd.nist.gov/vuln/detail/CVE-2021-39146
https://nvd.nist.gov/vuln/detail/CVE-2021-39147
https://nvd.nist.gov/vuln/detail/CVE-2021-39148
https://nvd.nist.gov/vuln/detail/CVE-2021-39149
https://nvd.nist.gov/vuln/detail/CVE-2021-39150
https://nvd.nist.gov/vuln/detail/CVE-2021-39151
https://nvd.nist.gov/vuln/detail/CVE-2021-39152
https://nvd.nist.gov/vuln/detail/CVE-2021-39153
https://nvd.nist.gov/vuln/detail/CVE-2021-39154
Package - io.netty:netty-codec
Package Version - 4.1.58.Final
Vendor status - fixed in 4.1.68.Final
Package Path - /app/libs/netty-codec-4.1.58.Final.jar
CVE link - https://nvd.nist.gov/vuln/detail/CVE-2021-37137
Package - java
Package Version - 11.0.11
Vendor status - fixed in 18.0.1| 17.0.3| 11.0.15|...
Package Path - /opt/java/openjdk/bin/java
CVE link - https://nvd.nist.gov/vuln/detail/CVE-2022-21476
Package - org.apache.commons:commons-text (rendition-converter container)
Package Version - 1.8
Vendor status - fixed in 1.10.0
Package Path - /app/libs/commons-text-1.8.jar
CVE link - https://nvd.nist.gov/vuln/detail/CVE-2022-42889
Package - org.jsoup:jsoup (rendition-converter container)
Package Version - 1.12.2
Vendor status - fixed in 1.14.2
Package Path - /app/libs/jsoup-1.12.2.jar
CVE link - https://nvd.nist.gov/vuln/detail/CVE-2021-37714
Package - spring-core (rendition-renderer and rendition-converter containers)
Package Version - 5.2.12.RELEASE
Vendor status - fixed in 5.3.18| 5.2.20
Package Path - /app/libs/spring-core-5.2.12.RELEASE.jar
CVE link - https://nvd.nist.gov/vuln/detail/CVE-2022-22965
Package - spring-webmvc (rendition-broker and rendition-handler containers)
Package Version - 5.2.12.RELEASE
Vendor status - fixed in 5.3.18| 5.2.20.RELEASE
Package Path - /app/libs/spring-webmvc-5.2.12.RELEASE.jar
CVE link - https://nvd.nist.gov/vuln/detail/CVE-2022-22965
Package - tomcat-embed-core
Package Version - 9.0.41
Vendor status - fixed in 10.0.12| 9.0.54| 8.5.72
Package Path - /app/libs/tomcat-embed-core-9.0.41.jar
CVE links:
https://nvd.nist.gov/vuln/detail/CVE-2020-9484
https://nvd.nist.gov/vuln/detail/CVE-2022-23181
https://nvd.nist.gov/vuln/detail/CVE-2021-42340