gitimages.expertflow.com/cti/hc_smpp_connector:4.4 (oracle 8.7) =============================================================== Total: 76 (UNKNOWN: 0, LOW: 8, MEDIUM: 48, HIGH: 20, CRITICAL: 0) +------------------------+------------------+----------+----------------------+--------------------------+---------------------------------------+ | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | +------------------------+------------------+----------+----------------------+--------------------------+---------------------------------------+ | binutils | CVE-2022-4285 | MEDIUM | 2.30-117.0.3.el8 | 2.30-119.0.2.el8_8.2 | binutils: NULL | | | | | | | pointer dereference in | | | | | | | _bfd_elf_get_symbol_version_string | | | | | | | leads to segfault | | | | | | | -->avd.aquasec.com/nvd/cve-2022-4285 | +------------------------+------------------+ +----------------------+--------------------------+---------------------------------------+ | curl | CVE-2023-23916 | | 7.61.1-25.el8_7.1 | 7.61.1-25.el8_7.3 | curl: HTTP multi-header | | | | | | | compression denial of service | | | | | | | -->avd.aquasec.com/nvd/cve-2023-23916 | + +------------------+ + +--------------------------+---------------------------------------+ | | CVE-2023-27535 | | | 7.61.1-30.el8_8.2 | curl: FTP too eager connection reuse | | | | | | | -->avd.aquasec.com/nvd/cve-2023-27535 | + +------------------+ + +--------------------------+---------------------------------------+ | | CVE-2023-27536 | | | 7.61.1-30.el8_8.3 | curl: GSS delegation too | | | | | | | eager connection re-use | | | | | | | -->avd.aquasec.com/nvd/cve-2023-27536 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-28321 | | | | curl: IDN wildcard match may lead | | | | | | | to Improper Cerificate Validation | | | | | | | -->avd.aquasec.com/nvd/cve-2023-28321 | + +------------------+ + +--------------------------+---------------------------------------+ | | CVE-2023-28322 | | | 7.61.1-33.el8_9.5 | curl: more POST-after-PUT confusion | | | | | | | -->avd.aquasec.com/nvd/cve-2023-28322 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-38546 | | | | curl: cookie injection with none file | | | | | | | -->avd.aquasec.com/nvd/cve-2023-38546 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-46218 | | | | curl: information disclosure | | | | | | | by exploiting a mixed case flaw | | | | | | | -->avd.aquasec.com/nvd/cve-2023-46218 | + +------------------+----------+ +--------------------------+---------------------------------------+ | | CVE-2022-35252 | LOW | | 7.61.1-30.el8 | curl: Incorrect handling of | | | | | | | control code characters in cookies | | | | | | | -->avd.aquasec.com/nvd/cve-2022-35252 | + +------------------+ + + +---------------------------------------+ | | CVE-2022-43552 | | | | curl: Use-after-free triggered | | | | | | | by an HTTP proxy deny response | | | | | | | -->avd.aquasec.com/nvd/cve-2022-43552 | +------------------------+------------------+----------+----------------------+--------------------------+---------------------------------------+ | expat | CVE-2023-52425 | MEDIUM | 2.2.5-10.0.1.el8_7.1 | 2.2.5-11.0.1.el8_9.1 | expat: parsing large tokens | | | | | | | can trigger a denial of service | | | | | | | -->avd.aquasec.com/nvd/cve-2023-52425 | +------------------------+------------------+----------+----------------------+--------------------------+---------------------------------------+ | glibc | CVE-2023-4527 | HIGH | 2.28-211.0.1.el8 | 2.28-225.0.4.el8_8.6 | glibc: Stack read overflow in | | | | | | | getaddrinfo in no-aaaa mode | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4527 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-4806 | | | | glibc: potential | | | | | | | use-after-free in getaddrinfo() | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4806 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-4813 | | | | glibc: potential | | | | | | | use-after-free in gaih_inet() | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4813 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-4911 | | | | glibc: buffer overflow in ld.so | | | | | | | leading to privilege escalation | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4911 | +------------------------+------------------+ + + +---------------------------------------+ | glibc-common | CVE-2023-4527 | | | | glibc: Stack read overflow in | | | | | | | getaddrinfo in no-aaaa mode | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4527 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-4806 | | | | glibc: potential | | | | | | | use-after-free in getaddrinfo() | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4806 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-4813 | | | | glibc: potential | | | | | | | use-after-free in gaih_inet() | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4813 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-4911 | | | | glibc: buffer overflow in ld.so | | | | | | | leading to privilege escalation | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4911 | +------------------------+------------------+ + + +---------------------------------------+ | glibc-minimal-langpack | CVE-2023-4527 | | | | glibc: Stack read overflow in | | | | | | | getaddrinfo in no-aaaa mode | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4527 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-4806 | | | | glibc: potential | | | | | | | use-after-free in getaddrinfo() | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4806 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-4813 | | | | glibc: potential | | | | | | | use-after-free in gaih_inet() | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4813 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-4911 | | | | glibc: buffer overflow in ld.so | | | | | | | leading to privilege escalation | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4911 | +------------------------+------------------+----------+----------------------+--------------------------+---------------------------------------+ | gnutls | CVE-2021-20231 | MEDIUM | 3.6.16-5.el8_6 | 10:3.6.16-4.0.1.el8_fips | gnutls: Use after free in | | | | | | | client key_share extension | | | | | | | -->avd.aquasec.com/nvd/cve-2021-20231 | + +------------------+ + + +---------------------------------------+ | | CVE-2021-20232 | | | | gnutls: Use after free | | | | | | | in client_send_params in | | | | | | | lib/ext/pre_shared_key.c | | | | | | | -->avd.aquasec.com/nvd/cve-2021-20232 | + +------------------+ + + +---------------------------------------+ | | CVE-2021-3580 | | | | nettle: Remote crash | | | | | | | in RSA decryption via | | | | | | | manipulated ciphertext | | | | | | | -->avd.aquasec.com/nvd/cve-2021-3580 | + +------------------+ + +--------------------------+---------------------------------------+ | | CVE-2023-0361 | | | 3.6.16-6.el8_7 | gnutls: timing side-channel in | | | | | | | the TLS RSA key exchange code | | | | | | | -->avd.aquasec.com/nvd/cve-2023-0361 | + +------------------+ + +--------------------------+---------------------------------------+ | | CVE-2023-5981 | | | 3.6.16-8.el8_9 | gnutls: timing side-channel | | | | | | | in the RSA-PSK authentication | | | | | | | -->avd.aquasec.com/nvd/cve-2023-5981 | + +------------------+ + +--------------------------+---------------------------------------+ | | CVE-2024-0553 | | | 10:3.6.16-8.el8_9.1_fips | gnutls: incomplete | | | | | | | fix for CVE-2023-5981 | | | | | | | -->avd.aquasec.com/nvd/cve-2024-0553 | + +------------------+ + +--------------------------+---------------------------------------+ | | CVE-2024-28834 | | | 3.6.16-8.el8_9.3 | gnutls: vulnerable to Minerva | | | | | | | side-channel information leak | | | | | | | -->avd.aquasec.com/nvd/cve-2024-28834 | +------------------------+------------------+----------+----------------------+--------------------------+---------------------------------------+ | libarchive | CVE-2022-36227 | LOW | 3.3.3-4.el8 | 3.3.3-5.el8 | libarchive: NULL pointer | | | | | | | dereference in archive_write.c | | | | | | | -->avd.aquasec.com/nvd/cve-2022-36227 | +------------------------+------------------+----------+----------------------+--------------------------+---------------------------------------+ | libcap | CVE-2023-2602 | MEDIUM | 2.48-4.el8 | 2.48-5.el8_8 | libcap: Memory Leak on | | | | | | | pthread_create() Error | | | | | | | -->avd.aquasec.com/nvd/cve-2023-2602 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-2603 | | | | libcap: Integer Overflow | | | | | | | in _libcap_strdup() | | | | | | | -->avd.aquasec.com/nvd/cve-2023-2603 | +------------------------+------------------+ +----------------------+--------------------------+---------------------------------------+ | libcurl | CVE-2023-23916 | | 7.61.1-25.el8_7.1 | 7.61.1-25.el8_7.3 | curl: HTTP multi-header | | | | | | | compression denial of service | | | | | | | -->avd.aquasec.com/nvd/cve-2023-23916 | + +------------------+ + +--------------------------+---------------------------------------+ | | CVE-2023-27535 | | | 7.61.1-30.el8_8.2 | curl: FTP too eager connection reuse | | | | | | | -->avd.aquasec.com/nvd/cve-2023-27535 | + +------------------+ + +--------------------------+---------------------------------------+ | | CVE-2023-27536 | | | 7.61.1-30.el8_8.3 | curl: GSS delegation too | | | | | | | eager connection re-use | | | | | | | -->avd.aquasec.com/nvd/cve-2023-27536 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-28321 | | | | curl: IDN wildcard match may lead | | | | | | | to Improper Cerificate Validation | | | | | | | -->avd.aquasec.com/nvd/cve-2023-28321 | + +------------------+ + +--------------------------+---------------------------------------+ | | CVE-2023-28322 | | | 7.61.1-33.el8_9.5 | curl: more POST-after-PUT confusion | | | | | | | -->avd.aquasec.com/nvd/cve-2023-28322 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-38546 | | | | curl: cookie injection with none file | | | | | | | -->avd.aquasec.com/nvd/cve-2023-38546 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-46218 | | | | curl: information disclosure | | | | | | | by exploiting a mixed case flaw | | | | | | | -->avd.aquasec.com/nvd/cve-2023-46218 | + +------------------+----------+ +--------------------------+---------------------------------------+ | | CVE-2022-35252 | LOW | | 7.61.1-30.el8 | curl: Incorrect handling of | | | | | | | control code characters in cookies | | | | | | | -->avd.aquasec.com/nvd/cve-2022-35252 | + +------------------+ + + +---------------------------------------+ | | CVE-2022-43552 | | | | curl: Use-after-free triggered | | | | | | | by an HTTP proxy deny response | | | | | | | -->avd.aquasec.com/nvd/cve-2022-43552 | +------------------------+------------------+----------+----------------------+--------------------------+---------------------------------------+ | libgcc | CVE-2022-40982 | HIGH | 8.5.0-16.0.2.el8_7 | 8.5.0-18.0.5.el8 | hw: Intel: Gather Data Sampling | | | | | | | (GDS) side channel vulnerability | | | | | | | -->avd.aquasec.com/nvd/cve-2022-40982 | + +------------------+----------+ + +---------------------------------------+ | | CVE-2023-4039 | LOW | | | gcc: -fstack-protector | | | | | | | fails to guard dynamic | | | | | | | stack allocations on ARM64 | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4039 | +------------------------+------------------+----------+----------------------+--------------------------+---------------------------------------+ | libgcrypt | CVE-2021-40528 | HIGH | 1.8.5-7.el8_6 | 10:1.8.5-7.el8_6_fips | libgcrypt: ElGamal implementation | | | | | | | allows plaintext recovery | | | | | | | -->avd.aquasec.com/nvd/cve-2021-40528 | + +------------------+----------+ +--------------------------+---------------------------------------+ | | CVE-2021-33560 | MEDIUM | | 10:1.8.5-6.el8_fips | libgcrypt: mishandles ElGamal | | | | | | | encryption because it lacks | | | | | | | exponent blinding to address a... | | | | | | | -->avd.aquasec.com/nvd/cve-2021-33560 | +------------------------+------------------+----------+----------------------+--------------------------+---------------------------------------+ | libnghttp2 | CVE-2023-44487 | HIGH | 1.33.0-3.el8_2.1 | 1.33.0-5.el8_8 | HTTP/2: Multiple HTTP/2 | | | | | | | enabled web servers are | | | | | | | vulnerable to a DDoS attack... | | | | | | | -->avd.aquasec.com/nvd/cve-2023-44487 | +------------------------+------------------+----------+----------------------+--------------------------+---------------------------------------+ | libssh | CVE-2023-1667 | MEDIUM | 0.9.6-3.el8 | 0.9.6-10.el8_8 | libssh: NULL pointer | | | | | | | dereference during rekeying | | | | | | | with algorithm guessing | | | | | | | -->avd.aquasec.com/nvd/cve-2023-1667 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-2283 | | | | libssh: authorization bypass | | | | | | | in pki_verify_data_signature | | | | | | | -->avd.aquasec.com/nvd/cve-2023-2283 | + +------------------+ + +--------------------------+---------------------------------------+ | | CVE-2023-48795 | | | 0.9.6-13.el8_9 | ssh: Prefix truncation attack | | | | | | | on Binary Packet Protocol (BPP) | | | | | | | -->avd.aquasec.com/nvd/cve-2023-48795 | +------------------------+------------------+ + +--------------------------+---------------------------------------+ | libssh-config | CVE-2023-1667 | | | 0.9.6-10.el8_8 | libssh: NULL pointer | | | | | | | dereference during rekeying | | | | | | | with algorithm guessing | | | | | | | -->avd.aquasec.com/nvd/cve-2023-1667 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-2283 | | | | libssh: authorization bypass | | | | | | | in pki_verify_data_signature | | | | | | | -->avd.aquasec.com/nvd/cve-2023-2283 | + +------------------+ + +--------------------------+---------------------------------------+ | | CVE-2023-48795 | | | 0.9.6-13.el8_9 | ssh: Prefix truncation attack | | | | | | | on Binary Packet Protocol (BPP) | | | | | | | -->avd.aquasec.com/nvd/cve-2023-48795 | +------------------------+------------------+----------+----------------------+--------------------------+---------------------------------------+ | libstdc++ | CVE-2022-40982 | HIGH | 8.5.0-16.0.2.el8_7 | 8.5.0-18.0.5.el8 | hw: Intel: Gather Data Sampling | | | | | | | (GDS) side channel vulnerability | | | | | | | -->avd.aquasec.com/nvd/cve-2022-40982 | + +------------------+----------+ + +---------------------------------------+ | | CVE-2023-4039 | LOW | | | gcc: -fstack-protector | | | | | | | fails to guard dynamic | | | | | | | stack allocations on ARM64 | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4039 | +------------------------+------------------+----------+----------------------+--------------------------+---------------------------------------+ | libxml2 | CVE-2023-28484 | MEDIUM | 2.9.7-15.el8_7.1 | 2.9.7-16.el8_8.1 | libxml2: NULL dereference | | | | | | | in xmlSchemaFixupComplexType | | | | | | | -->avd.aquasec.com/nvd/cve-2023-28484 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-29469 | | | | libxml2: Hashing of empty dict | | | | | | | strings isn't deterministic | | | | | | | -->avd.aquasec.com/nvd/cve-2023-29469 | + +------------------+ + +--------------------------+---------------------------------------+ | | CVE-2023-39615 | | | 2.9.7-18.el8_9 | libxml2: crafted xml can | | | | | | | cause global buffer overflow | | | | | | | -->avd.aquasec.com/nvd/cve-2023-39615 | +------------------------+------------------+ +----------------------+--------------------------+---------------------------------------+ | ncurses-base | CVE-2023-29491 | | 6.1-9.20180224.el8 | 6.1-9.20180224.el8_8.1 | ncurses: Local users can | | | | | | | trigger security-relevant memory | | | | | | | corruption via malformed data | | | | | | | -->avd.aquasec.com/nvd/cve-2023-29491 | +------------------------+ + + + + + | ncurses-libs | | | | | | | | | | | | | | | | | | | | | | | | | | | +------------------------+------------------+----------+----------------------+--------------------------+---------------------------------------+ | openssl-libs | CVE-2022-4304 | HIGH | 1:1.1.1k-7.el8_6 | 1:1.1.1k-9.el8_7 | openssl: timing attack in | | | | | | | RSA Decryption implementation | | | | | | | -->avd.aquasec.com/nvd/cve-2022-4304 | + +------------------+ + + +---------------------------------------+ | | CVE-2022-4450 | | | | openssl: double free after | | | | | | | calling PEM_read_bio_ex | | | | | | | -->avd.aquasec.com/nvd/cve-2022-4450 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-0215 | | | | openssl: use-after-free | | | | | | | following BIO_new_NDEF | | | | | | | -->avd.aquasec.com/nvd/cve-2023-0215 | + +------------------+ + + +---------------------------------------+ | | CVE-2023-0286 | | | | openssl: X.400 address type | | | | | | | confusion in X.509 GeneralName | | | | | | | -->avd.aquasec.com/nvd/cve-2023-0286 | +------------------------+------------------+----------+----------------------+--------------------------+---------------------------------------+ | rpm | CVE-2021-35937 | MEDIUM | 4.14.3-24.el8_7 | 4.14.3-28.0.2.el8_9 | rpm: TOCTOU race in | | | | | | | checks for unsafe symlinks | | | | | | | -->avd.aquasec.com/nvd/cve-2021-35937 | + +------------------+ + + +---------------------------------------+ | | CVE-2021-35938 | | | | rpm: races with | | | | | | | chown/chmod/capabilities | | | | | | | calls during installation | | | | | | | -->avd.aquasec.com/nvd/cve-2021-35938 | + +------------------+ + + +---------------------------------------+ | | CVE-2021-35939 | | | | rpm: checks for unsafe | | | | | | | symlinks are not performed | | | | | | | for intermediary directories | | | | | | | -->avd.aquasec.com/nvd/cve-2021-35939 | +------------------------+------------------+ + + +---------------------------------------+ | rpm-libs | CVE-2021-35937 | | | | rpm: TOCTOU race in | | | | | | | checks for unsafe symlinks | | | | | | | -->avd.aquasec.com/nvd/cve-2021-35937 | + +------------------+ + + +---------------------------------------+ | | CVE-2021-35938 | | | | rpm: races with | | | | | | | chown/chmod/capabilities | | | | | | | calls during installation | | | | | | | -->avd.aquasec.com/nvd/cve-2021-35938 | + +------------------+ + + +---------------------------------------+ | | CVE-2021-35939 | | | | rpm: checks for unsafe | | | | | | | symlinks are not performed | | | | | | | for intermediary directories | | | | | | | -->avd.aquasec.com/nvd/cve-2021-35939 | +------------------------+------------------+----------+----------------------+--------------------------+---------------------------------------+ | shadow-utils | CVE-2023-4641 | LOW | 2:4.6-17.el8 | 2:4.6-19.el8 | shadow-utils: possible password | | | | | | | leak during passwd(1) change | | | | | | | -->avd.aquasec.com/nvd/cve-2023-4641 | +------------------------+------------------+----------+----------------------+--------------------------+---------------------------------------+ | sqlite-libs | CVE-2020-24736 | MEDIUM | 3.26.0-17.el8_7 | 3.26.0-18.0.1.el8_8 | sqlite: Crash due to | | | | | | | misuse of window functions. | | | | | | | -->avd.aquasec.com/nvd/cve-2020-24736 | + +------------------+ + +--------------------------+---------------------------------------+ | | CVE-2023-7104 | | | 3.26.0-19.0.1.el8_9 | sqlite: heap-buffer-overflow | | | | | | | at sessionfuzz | | | | | | | -->avd.aquasec.com/nvd/cve-2023-7104 | +------------------------+------------------+ +----------------------+--------------------------+---------------------------------------+ | systemd-libs | CVE-2022-4415 | | 239-68.0.2.el8_7.2 | 239-68.0.2.el8_7.4 | systemd: local information leak due | | | | | | | to systemd-coredump not respecting | | | | | | | fs.suid_dumpable kernel setting... | | | | | | | -->avd.aquasec.com/nvd/cve-2022-4415 | + +------------------+ + +--------------------------+---------------------------------------+ | | CVE-2023-26604 | | | 239-74.0.4.el8_8.2 | systemd: privilege | | | | | | | escalation via the less pager | | | | | | | -->avd.aquasec.com/nvd/cve-2023-26604 | +------------------------+------------------+ +----------------------+--------------------------+---------------------------------------+ | tar | CVE-2022-48303 | | 2:1.30-6.el8 | 2:1.30-6.el8_7.1 | tar: heap buffer overflow at | | | | | | | from_header() in list.c via | | | | | | | specially crafted checksum... | | | | | | | -->avd.aquasec.com/nvd/cve-2022-48303 | +------------------------+------------------+----------+----------------------+--------------------------+---------------------------------------+ Java (jar) ========== Total: 52 (UNKNOWN: 0, LOW: 0, MEDIUM: 19, HIGH: 25, CRITICAL: 8) +----------------------------------------------------+------------------+----------+-------------------+--------------------------------+----------------------------------------------------------------+ | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE | +----------------------------------------------------+------------------+----------+-------------------+--------------------------------+----------------------------------------------------------------+ | ch.qos.logback:logback-classic | CVE-2023-6378 | HIGH | 1.2.3 | 1.3.12, 1.4.12, 1.2.13 | logback: serialization | | | | | | | vulnerability in logback receiver | | | | | | | -->avd.aquasec.com/nvd/cve-2023-6378 | +----------------------------------------------------+ + + + + + | ch.qos.logback:logback-core | | | | | | | | | | | | | | | | | | | | + +------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | | CVE-2021-42550 | MEDIUM | | 1.2.9 | logback: remote code execution | | | | | | | through JNDI call from within | | | | | | | its configuration file... | | | | | | | -->avd.aquasec.com/nvd/cve-2021-42550 | +----------------------------------------------------+------------------+----------+-------------------+--------------------------------+----------------------------------------------------------------+ | com.fasterxml.jackson.core:jackson-databind | CVE-2020-36518 | HIGH | 2.11.2 | 2.13.2.1, 2.12.6.1 | jackson-databind: denial of service | | | | | | | via a large depth of nested objects | | | | | | | -->avd.aquasec.com/nvd/cve-2020-36518 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2021-46877 | | | 2.12.6, 2.13.1 | jackson-databind: Possible | | | | | | | DoS if using JDK serialization | | | | | | | to serialize JsonNode | | | | | | | -->avd.aquasec.com/nvd/cve-2021-46877 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2022-42003 | | | 2.12.7.1, 2.13.4.2 | jackson-databind: deep | | | | | | | wrapper array nesting wrt | | | | | | | UNWRAP_SINGLE_VALUE_ARRAYS | | | | | | | -->avd.aquasec.com/nvd/cve-2022-42003 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2022-42004 | | | 2.12.7.1, 2.13.4 | jackson-databind: use | | | | | | | of deeply nested arrays | | | | | | | -->avd.aquasec.com/nvd/cve-2022-42004 | +----------------------------------------------------+------------------+----------+-------------------+--------------------------------+----------------------------------------------------------------+ | com.squareup.okio:okio | CVE-2023-3635 | MEDIUM | 1.11.0 | 3.4.0, 1.17.6 | okio: GzipSource class | | | | | | | improper exception handling | | | | | | | -->avd.aquasec.com/nvd/cve-2023-3635 | +----------------------------------------------------+------------------+----------+-------------------+--------------------------------+----------------------------------------------------------------+ | log4j:log4j | CVE-2019-17571 | CRITICAL | 1.2.17 | | log4j: deserialization of | | | | | | | untrusted data in SocketServer | | | | | | | -->avd.aquasec.com/nvd/cve-2019-17571 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2022-23305 | | | | log4j: SQL injection in | | | | | | | Log4j 1.x when application | | | | | | | is configured to use... | | | | | | | -->avd.aquasec.com/nvd/cve-2022-23305 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2022-23307 | | | | log4j: Unsafe deserialization | | | | | | | flaw in Chainsaw log viewer | | | | | | | -->avd.aquasec.com/nvd/cve-2022-23307 | + +------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | | CVE-2021-4104 | HIGH | | | log4j: Remote code execution | | | | | | | in Log4j 1.x when application | | | | | | | is configured to... | | | | | | | -->avd.aquasec.com/nvd/cve-2021-4104 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2022-23302 | | | | log4j: Remote code execution | | | | | | | in Log4j 1.x when application | | | | | | | is configured to... | | | | | | | -->avd.aquasec.com/nvd/cve-2022-23302 | +----------------------------------------------------+------------------+ +-------------------+--------------------------------+----------------------------------------------------------------+ | org.apache.tomcat.embed:tomcat-embed-core | CVE-2021-25122 | | 9.0.37 | 10.0.2, 9.0.43, 8.5.63 | tomcat: Request mix-up with h2c | | | | | | | -->avd.aquasec.com/nvd/cve-2021-25122 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2021-25329 | | | 10.0.2, 9.0.41, 8.5.61, | tomcat: Incomplete fix | | | | | | 7.0.108 | for CVE-2020-9484 (RCE | | | | | | | via session persistence) | | | | | | | -->avd.aquasec.com/nvd/cve-2021-25329 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2022-42252 | | | 8.5.83, 9.0.68, 10.0.27, | tomcat: request smuggling | | | | | | 10.1.1 | -->avd.aquasec.com/nvd/cve-2022-42252 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2023-24998 | | | 10.1.5, 11.0.0-M5, 8.5.88, | Apache Commons FileUpload: | | | | | | 9.0.71 | FileUpload DoS with excessive parts | | | | | | | -->avd.aquasec.com/nvd/cve-2023-24998 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2023-46589 | | | 11.0.0-M11, 10.1.16, 9.0.83, | tomcat: HTTP request smuggling | | | | | | 8.5.96 | via malformed trailer headers | | | | | | | -->avd.aquasec.com/nvd/cve-2023-46589 | + +------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | | CVE-2021-24122 | MEDIUM | | 10.0.0-M10, 9.0.40, 8.5.60, | tomcat: Information disclosure | | | | | | 7.0.107 | when using NTFS file system | | | | | | | -->avd.aquasec.com/nvd/cve-2021-24122 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2023-41080 | | | 8.5.93, 9.0.80, 10.1.13, | tomcat: Open Redirect vulnerability | | | | | | 11.0.0-M11 | in FORM authentication | | | | | | | -->avd.aquasec.com/nvd/cve-2023-41080 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2023-42795 | | | 11.0.0-M12, 10.1.14, 9.0.81, | tomcat: improper cleaning | | | | | | 8.5.94 | of recycled objects could | | | | | | | lead to information leak | | | | | | | -->avd.aquasec.com/nvd/cve-2023-42795 | + +------------------+ + + +----------------------------------------------------------------+ | | CVE-2023-44487 | | | | HTTP/2: Multiple HTTP/2 | | | | | | | enabled web servers are | | | | | | | vulnerable to a DDoS attack... | | | | | | | -->avd.aquasec.com/nvd/cve-2023-44487 | + +------------------+ + + +----------------------------------------------------------------+ | | CVE-2023-45648 | | | | tomcat: incorrectly parsed | | | | | | | http trailer headers can | | | | | | | cause request smuggling | | | | | | | -->avd.aquasec.com/nvd/cve-2023-45648 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2024-24549 | | | 8.5.99, 9.0.86, 10.1.19, | : Apache Tomcat: HTTP/2 | | | | | | 11.0.0-M17 | header handling DoS | | | | | | | -->avd.aquasec.com/nvd/cve-2024-24549 | +----------------------------------------------------+------------------+ + +--------------------------------+----------------------------------------------------------------+ | org.apache.tomcat.embed:tomcat-embed-websocket | CVE-2024-23672 | | | 11.0.0-M17, 10.1.19, 9.0.86, | Apache Tomcat: WebSocket DoS | | | | | | 8.5.99 | with incomplete closing handshake | | | | | | | -->avd.aquasec.com/nvd/cve-2024-23672 | +----------------------------------------------------+------------------+----------+-------------------+--------------------------------+----------------------------------------------------------------+ | org.json:json | CVE-2022-45688 | HIGH | 20190722 | 20230227 | json stack overflow vulnerability | | | | | | | -->avd.aquasec.com/nvd/cve-2022-45688 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2023-5072 | | | 20231013 | JSON-java: parser | | | | | | | confusion leads to OOM | | | | | | | -->avd.aquasec.com/nvd/cve-2023-5072 | +----------------------------------------------------+------------------+----------+-------------------+--------------------------------+----------------------------------------------------------------+ | org.springframework.boot:spring-boot | CVE-2023-34055 | MEDIUM | 2.3.3.RELEASE | 2.7.18, 3.0.13, 3.1.6 | spring-boot: | | | | | | | org.springframework.boot:spring-boot-actuator | | | | | | | class vulnerable to denial of service | | | | | | | -->avd.aquasec.com/nvd/cve-2023-34055 | +----------------------------------------------------+------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | org.springframework.boot:spring-boot-autoconfigure | CVE-2023-20883 | HIGH | | 3.0.7, 2.7.12, 2.6.15, 2.5.15 | spring-boot: Spring Boot | | | | | | | Welcome Page DoS Vulnerability | | | | | | | -->avd.aquasec.com/nvd/cve-2023-20883 | +----------------------------------------------------+------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | org.springframework.boot:spring-boot-starter-web | CVE-2022-22965 | CRITICAL | | 2.5.12, 2.6.6 | spring-framework: RCE via | | | | | | | Data Binding on JDK 9+ | | | | | | | -->avd.aquasec.com/nvd/cve-2022-22965 | +----------------------------------------------------+------------------+ +-------------------+--------------------------------+----------------------------------------------------------------+ | org.springframework.data:spring-data-mongodb | CVE-2022-22980 | | 3.0.3.RELEASE | 3.4.1, 3.3.5 | Spring Data MongoDB: SpEL in | | | | | | | query methods allow code injection | | | | | | | -->avd.aquasec.com/nvd/cve-2022-22980 | +----------------------------------------------------+------------------+ +-------------------+--------------------------------+----------------------------------------------------------------+ | org.springframework:spring-beans | CVE-2022-22965 | | 5.2.8.RELEASE | 5.2.20.RELEASE, 5.3.18 | spring-framework: RCE via | | | | | | | Data Binding on JDK 9+ | | | | | | | -->avd.aquasec.com/nvd/cve-2022-22965 | + +------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | | CVE-2022-22970 | HIGH | | 5.2.22.RELEASE, 5.3.20 | springframework: DoS via data binding | | | | | | | to multipartFile or servlet part | | | | | | | -->avd.aquasec.com/nvd/cve-2022-22970 | +----------------------------------------------------+------------------+ + +--------------------------------+----------------------------------------------------------------+ | org.springframework:spring-context | CVE-2022-22968 | | | 5.3.19, 5.2.21 | Spring Framework: Data | | | | | | | Binding Rules Vulnerability | | | | | | | -->avd.aquasec.com/nvd/cve-2022-22968 | +----------------------------------------------------+------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | org.springframework:spring-core | CVE-2021-22060 | MEDIUM | | 5.3.14, 5.2.19 | springframework: Additional Log | | | | | | | Injection in Spring Framework | | | | | | | (follow-up to CVE-2021-22096) | | | | | | | -->avd.aquasec.com/nvd/cve-2021-22060 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2021-22096 | | | 5.3.11, 5.2.18 | springframework: malicious | | | | | | | input leads to insertion | | | | | | | of additional log entries | | | | | | | -->avd.aquasec.com/nvd/cve-2021-22096 | +----------------------------------------------------+------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | org.springframework:spring-expression | CVE-2023-20863 | HIGH | | 6.0.8, 5.3.27, 5.2.24.RELEASE | springframework: Spring | | | | | | | Expression DoS Vulnerability | | | | | | | -->avd.aquasec.com/nvd/cve-2023-20863 | + +------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | | CVE-2022-22950 | MEDIUM | | 5.3.17, 5.2.20.RELEASE | spring-expression: Denial of service | | | | | | | via specially crafted SpEL expression | | | | | | | -->avd.aquasec.com/nvd/cve-2022-22950 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2023-20861 | | | 6.0.7, 5.3.26, 5.2.23.RELEASE | springframework: Spring | | | | | | | Expression DoS Vulnerability | | | | | | | -->avd.aquasec.com/nvd/cve-2023-20861 | +----------------------------------------------------+------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | org.springframework:spring-web | CVE-2016-1000027 | CRITICAL | | 6.0.0 | spring: HttpInvokerServiceExporter | | | | | | | readRemoteInvocation method | | | | | | | untrusted java deserialization | | | | | | | -->avd.aquasec.com/nvd/cve-2016-1000027 | + +------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | | CVE-2021-22118 | HIGH | | 5.2.15, 5.3.7 | spring-web: (re)creating the | | | | | | | temporary storage directory | | | | | | | could result in a privilege... | | | | | | | -->avd.aquasec.com/nvd/cve-2021-22118 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2024-22243 | | | 6.1.4, 6.0.17, 5.3.32 | springframework: URL | | | | | | | Parsing with Host Validation | | | | | | | -->avd.aquasec.com/nvd/cve-2024-22243 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2024-22259 | | | 6.1.5, 6.0.18, 5.3.33 | springframework: URL | | | | | | | Parsing with Host Validation | | | | | | | -->avd.aquasec.com/nvd/cve-2024-22259 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2024-22262 | | | 5.3.34, 6.0.19, 6.1.6 | springframework: URL | | | | | | | Parsing with Host Validation | | | | | | | -->avd.aquasec.com/nvd/cve-2024-22262 | +----------------------------------------------------+------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | org.springframework:spring-webmvc | CVE-2022-22965 | CRITICAL | | 5.2.20.RELEASE, 5.3.18 | spring-framework: RCE via | | | | | | | Data Binding on JDK 9+ | | | | | | | -->avd.aquasec.com/nvd/cve-2022-22965 | +----------------------------------------------------+------------------+----------+-------------------+--------------------------------+----------------------------------------------------------------+ | org.yaml:snakeyaml | CVE-2022-1471 | HIGH | 1.26 | 2.0 | SnakeYaml: Constructor | | | | | | | Deserialization | | | | | | | Remote Code Execution | | | | | | | -->avd.aquasec.com/nvd/cve-2022-1471 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2022-25857 | | | 1.31 | snakeyaml: Denial of Service | | | | | | | due to missing nested depth | | | | | | | limitation for collections... | | | | | | | -->avd.aquasec.com/nvd/cve-2022-25857 | + +------------------+----------+ + +----------------------------------------------------------------+ | | CVE-2022-38749 | MEDIUM | | | snakeyaml: Uncaught exception in | | | | | | | org.yaml.snakeyaml.composer.Composer.composeSequenceNode | | | | | | | -->avd.aquasec.com/nvd/cve-2022-38749 | + +------------------+ + + +----------------------------------------------------------------+ | | CVE-2022-38750 | | | | snakeyaml: Uncaught exception in | | | | | | | org.yaml.snakeyaml.constructor.BaseConstructor.constructObject | | | | | | | -->avd.aquasec.com/nvd/cve-2022-38750 | + +------------------+ + + +----------------------------------------------------------------+ | | CVE-2022-38751 | | | | snakeyaml: Uncaught exception in | | | | | | | java.base/java.util.regex.Pattern$Ques.match | | | | | | | -->avd.aquasec.com/nvd/cve-2022-38751 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2022-38752 | | | 1.32 | snakeyaml: Uncaught exception in | | | | | | | java.base/java.util.ArrayList.hashCode | | | | | | | -->avd.aquasec.com/nvd/cve-2022-38752 | + +------------------+ + + +----------------------------------------------------------------+ | | CVE-2022-41854 | | | | dev-java/snakeyaml: | | | | | | | DoS via stack overflow | | | | | | | -->avd.aquasec.com/nvd/cve-2022-41854 | +----------------------------------------------------+------------------+----------+-------------------+--------------------------------+----------------------------------------------------------------+