Dependency upgrades 4.0 #240
Conversation
</dependency> | ||
|
||
<!-- https://mvnrepository.com/artifact/log4j/log4j --> | ||
<dependency> |
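Review bot: The dependency opened at the end of this hunk (under the `<!-- https://mvnrepository.com/artifact/log4j/log4j -->` comment) brings in the legacy log4j 1.x line, which the scanner below resolves to pkg:maven/log4j/log4j@1.2.17 and flags for CVE-2019-17571 (SocketServer deserialization, CVSS 9.8) and CVE-2020-9488. Since the later hunk already introduces log4j-api under `${log4j2.version}`, drop this log4j 1.x declaration instead of carrying both, or confirm in the PR description that no remaining code depends on the 1.x API before keeping it.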
Critical OSS Vulnerability:
pkg:maven/log4j/log4j@1.2.17
1 Critical, 0 Severe, 1 Moderate and 0 Unknown vulnerabilities have been found in a direct dependency
CRITICAL Vulnerabilities (1)
CVE-2019-17571
[CVE-2019-17571] Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserializat...
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
CVSS Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
MODERATE Vulnerabilities (1)
CVE-2020-9488
[CVE-2020-9488] Improper validation of certificate with host mismatch in Apache Log4j SMTP appen...
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.
CVSS Score: 3.7
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Updates have been checked in.
Updates made to reflect issues with log4j.
<artifactId>log4j-api</artifactId> | ||
<version>${log4j2.version}</version> | ||
</dependency> | ||
<dependency> |
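Review bot: The value of `${log4j2.version}` is not visible in this hunk, but the scanner's report resolves log4j-core to 2.14.1, whose transitive commons-compress 1.20 carries four critical denial-of-service findings (CVE-2021-36090, CVE-2021-35517, CVE-2021-35515, CVE-2021-35516). Either raise the property to a log4j 2 release that no longer pulls the affected commons-compress, or add a `dependencyManagement` entry for `org.apache.commons:commons-compress` at a version that clears these findings, and state the chosen versions in the PR description so reviewers can verify the scanner result.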
Critical OSS Vulnerability:
pkg:maven/org.apache.commons/commons-compress@1.20
4 Critical, 0 Severe, 0 Moderate and 0 Unknown vulnerabilities have been found in a transitive dependency of pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1
CRITICAL Vulnerabilities (4)
CVE-2021-36090
[CVE-2021-36090] When reading a specially crafted ZIP archive, Compress can be made to allocate l...
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-35517
[CVE-2021-35517] When reading a specially crafted TAR archive, Compress can be made to allocate l...
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-35515
[CVE-2021-35515] When reading a specially crafted 7Z archive, the construction of the list of cod...
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-35516
[CVE-2021-35516] When reading a specially crafted 7Z archive, Compress can be made to allocate la...
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
I have updated the issues in the project, please review.
Raghav, any updates on this?
@rvema Is there an issue pending here? It relies on the new Hygieia core, which is still pending as well.
Referenced PR: hygieia/hygieia-core#329
Affects: <api-version-number>.