gitimages.expertflow.com/license-mangement/license-manager:4.2 (alpine 3.12.3)
==============================================================================
Total: 76 (UNKNOWN: 0, LOW: 10, MEDIUM: 20, HIGH: 40, CRITICAL: 6)

One row per finding. Details for each ID: avd.aquasec.com/nvd/<id in lower case>. An empty FIXED cell means the advisory data lists no fixed version.

LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED  | FIXED      | TITLE
-------------+------------------+----------+------------+------------+-----------------------------------------------------------------------------------
apk-tools    | CVE-2021-36159   | CRITICAL | 2.10.5-r1  | 2.10.7-r0  | libfetch: an out of boundary read while libfetch uses strtol to parse...
apk-tools    | CVE-2021-30139   | HIGH     | 2.10.5-r1  | 2.10.6-r0  | In Alpine Linux apk-tools before 2.12.5, the tarball parser allows a buffer...
busybox      | CVE-2021-28831   | HIGH     | 1.31.1-r19 | 1.31.1-r20 | busybox: invalid free or segmentation fault via malformed gzip data
busybox      | CVE-2021-42378   | HIGH     | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly...
busybox      | CVE-2021-42379   | HIGH     | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly...
busybox      | CVE-2021-42380   | HIGH     | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly...
busybox      | CVE-2021-42381   | HIGH     | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly...
busybox      | CVE-2021-42382   | HIGH     | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly...
busybox      | CVE-2021-42383   | HIGH     | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly...
busybox      | CVE-2021-42384   | HIGH     | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly...
busybox      | CVE-2021-42385   | HIGH     | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly...
busybox      | CVE-2021-42386   | HIGH     | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly...
busybox      | CVE-2022-28391   | HIGH     | 1.31.1-r19 | 1.31.1-r22 | busybox: remote attackers may execute arbitrary code if netstat is used
busybox      | CVE-2021-42374   | MEDIUM   | 1.31.1-r19 | 1.31.1-r21 | busybox: out-of-bounds read in unlzma applet leads to information leak and denial...
curl         | CVE-2021-22945   | CRITICAL | 7.69.1-r3  | 7.79.0-r0  | curl: use-after-free and double-free in MQTT sending
curl         | CVE-2021-22901   | HIGH     | 7.69.1-r3  | 7.77.0-r0  | curl: Use-after-free in TLS session handling when using OpenSSL TLS backend
curl         | CVE-2021-22946   | HIGH     | 7.69.1-r3  | 7.79.0-r0  | curl: Requirement to use TLS not properly enforced for IMAP, POP3, and...
curl         | CVE-2022-22576   | HIGH     | 7.69.1-r3  | 7.79.1-r1  | curl: OAUTH2 bearer bypass in connection re-use
curl         | CVE-2022-27775   | HIGH     | 7.69.1-r3  | 7.79.1-r1  | curl: bad local IPv6 connection reuse
curl         | CVE-2021-22876   | MEDIUM   | 7.69.1-r3  | 7.76.0-r0  | curl: Leak of authentication credentials in URL via automatic Referer
curl         | CVE-2021-22922   | MEDIUM   | 7.69.1-r3  | 7.78.0-r0  | curl: Content not matching hash in Metalink is not being discarded
curl         | CVE-2021-22923   | MEDIUM   | 7.69.1-r3  | 7.78.0-r0  | curl: Metalink download sends credentials
curl         | CVE-2021-22925   | MEDIUM   | 7.69.1-r3  | 7.78.0-r0  | curl: Incorrect fix for CVE-2021-22898 TELNET stack contents disclosure
curl         | CVE-2021-22947   | MEDIUM   | 7.69.1-r3  | 7.79.0-r0  | curl: Server responses received before STARTTLS processed after TLS handshake
curl         | CVE-2022-27774   | MEDIUM   | 7.69.1-r3  | 7.79.1-r1  | curl: credential leak on redirect
curl         | CVE-2022-27776   | MEDIUM   | 7.69.1-r3  | 7.79.1-r1  | curl: auth/cookie leak on redirect
curl         | CVE-2020-8284    | LOW      | 7.69.1-r3  | 7.74.0-r0  | curl: FTP PASV command response can cause curl to connect to arbitrary...
curl         | CVE-2021-22890   | LOW      | 7.69.1-r3  | 7.76.0-r0  | curl: TLS 1.3 session ticket mix-up with HTTPS proxy host
curl         | CVE-2021-22898   | LOW      | 7.69.1-r3  | 7.77.0-r0  | curl: TELNET stack contents disclosure
curl         | CVE-2021-22924   | LOW      | 7.69.1-r3  | 7.78.0-r0  | curl: Bad connection reuse due to flawed path name checks
libcrypto1.1 | CVE-2021-3711    | CRITICAL | 1.1.1i-r0  | 1.1.1l-r0  | openssl: SM2 Decryption Buffer Overflow
libcrypto1.1 | CVE-2021-23840   | HIGH     | 1.1.1i-r0  | 1.1.1j-r0  | openssl: integer overflow in CipherUpdate
libcrypto1.1 | CVE-2021-3450    | HIGH     | 1.1.1i-r0  | 1.1.1k-r0  | openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT
libcrypto1.1 | CVE-2021-3712    | HIGH     | 1.1.1i-r0  | 1.1.1l-r0  | openssl: Read buffer overruns processing ASN.1 strings
libcrypto1.1 | CVE-2022-0778    | HIGH     | 1.1.1i-r0  | 1.1.1n-r0  | openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
libcrypto1.1 | CVE-2021-23841   | MEDIUM   | 1.1.1i-r0  | 1.1.1j-r0  | openssl: NULL pointer dereference in X509_issuer_and_serial_hash()
libcrypto1.1 | CVE-2021-3449    | MEDIUM   | 1.1.1i-r0  | 1.1.1k-r0  | openssl: NULL pointer dereference in signature_algorithms processing
libcrypto1.1 | CVE-2021-23839   | LOW      | 1.1.1i-r0  | 1.1.1j-r0  | openssl: incorrect SSLv2 rollback protection
libcurl      | CVE-2021-22945   | CRITICAL | 7.69.1-r3  | 7.79.0-r0  | curl: use-after-free and double-free in MQTT sending
libcurl      | CVE-2021-22901   | HIGH     | 7.69.1-r3  | 7.77.0-r0  | curl: Use-after-free in TLS session handling when using OpenSSL TLS backend
libcurl      | CVE-2021-22946   | HIGH     | 7.69.1-r3  | 7.79.0-r0  | curl: Requirement to use TLS not properly enforced for IMAP, POP3, and...
libcurl      | CVE-2022-22576   | HIGH     | 7.69.1-r3  | 7.79.1-r1  | curl: OAUTH2 bearer bypass in connection re-use
libcurl      | CVE-2022-27775   | HIGH     | 7.69.1-r3  | 7.79.1-r1  | curl: bad local IPv6 connection reuse
libcurl      | CVE-2021-22876   | MEDIUM   | 7.69.1-r3  | 7.76.0-r0  | curl: Leak of authentication credentials in URL via automatic Referer
libcurl      | CVE-2021-22922   | MEDIUM   | 7.69.1-r3  | 7.78.0-r0  | curl: Content not matching hash in Metalink is not being discarded
libcurl      | CVE-2021-22923   | MEDIUM   | 7.69.1-r3  | 7.78.0-r0  | curl: Metalink download sends credentials
libcurl      | CVE-2021-22925   | MEDIUM   | 7.69.1-r3  | 7.78.0-r0  | curl: Incorrect fix for CVE-2021-22898 TELNET stack contents disclosure
libcurl      | CVE-2021-22947   | MEDIUM   | 7.69.1-r3  | 7.79.0-r0  | curl: Server responses received before STARTTLS processed after TLS handshake
libcurl      | CVE-2022-27774   | MEDIUM   | 7.69.1-r3  | 7.79.1-r1  | curl: credential leak on redirect
libcurl      | CVE-2022-27776   | MEDIUM   | 7.69.1-r3  | 7.79.1-r1  | curl: auth/cookie leak on redirect
libcurl      | CVE-2020-8284    | LOW      | 7.69.1-r3  | 7.74.0-r0  | curl: FTP PASV command response can cause curl to connect to arbitrary...
libcurl      | CVE-2021-22890   | LOW      | 7.69.1-r3  | 7.76.0-r0  | curl: TLS 1.3 session ticket mix-up with HTTPS proxy host
libcurl      | CVE-2021-22898   | LOW      | 7.69.1-r3  | 7.77.0-r0  | curl: TELNET stack contents disclosure
libcurl      | CVE-2021-22924   | LOW      | 7.69.1-r3  | 7.78.0-r0  | curl: Bad connection reuse due to flawed path name checks
libssl1.1    | CVE-2021-3711    | CRITICAL | 1.1.1i-r0  | 1.1.1l-r0  | openssl: SM2 Decryption Buffer Overflow
libssl1.1    | CVE-2021-23840   | HIGH     | 1.1.1i-r0  | 1.1.1j-r0  | openssl: integer overflow in CipherUpdate
libssl1.1    | CVE-2021-3450    | HIGH     | 1.1.1i-r0  | 1.1.1k-r0  | openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT
libssl1.1    | CVE-2021-3712    | HIGH     | 1.1.1i-r0  | 1.1.1l-r0  | openssl: Read buffer overruns processing ASN.1 strings
libssl1.1    | CVE-2022-0778    | HIGH     | 1.1.1i-r0  | 1.1.1n-r0  | openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates
libssl1.1    | CVE-2021-23841   | MEDIUM   | 1.1.1i-r0  | 1.1.1j-r0  | openssl: NULL pointer dereference in X509_issuer_and_serial_hash()
libssl1.1    | CVE-2021-3449    | MEDIUM   | 1.1.1i-r0  | 1.1.1k-r0  | openssl: NULL pointer dereference in signature_algorithms processing
libssl1.1    | CVE-2021-23839   | LOW      | 1.1.1i-r0  | 1.1.1j-r0  | openssl: incorrect SSLv2 rollback protection
ssl_client   | CVE-2021-28831   | HIGH     | 1.31.1-r19 | 1.31.1-r20 | busybox: invalid free or segmentation fault via malformed gzip data
ssl_client   | CVE-2021-42378   | HIGH     | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly...
ssl_client   | CVE-2021-42379   | HIGH     | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly...
ssl_client   | CVE-2021-42380   | HIGH     | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly...
ssl_client   | CVE-2021-42381   | HIGH     | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly...
ssl_client   | CVE-2021-42382   | HIGH     | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly...
ssl_client   | CVE-2021-42383   | HIGH     | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly...
ssl_client   | CVE-2021-42384   | HIGH     | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly...
ssl_client   | CVE-2021-42385   | HIGH     | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly...
ssl_client   | CVE-2021-42386   | HIGH     | 1.31.1-r19 | 1.31.1-r21 | busybox: use-after-free in awk applet leads to denial of service and possibly...
ssl_client   | CVE-2022-28391   | HIGH     | 1.31.1-r19 | 1.31.1-r22 | busybox: remote attackers may execute arbitrary code if netstat is used
ssl_client   | CVE-2021-42374   | MEDIUM   | 1.31.1-r19 | 1.31.1-r21 | busybox: out-of-bounds read in unlzma applet leads to information leak and denial...
zlib         | CVE-2022-37434   | CRITICAL | 1.2.11-r3  | 1.2.12-r2  | zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a...
zlib         | CVE-2018-25032   | HIGH     | 1.2.11-r3  | 1.2.12-r0  | zlib: A flaw found in zlib when compressing (not decompressing) certain inputs...

Java (jar)
==========
Total: 70 (UNKNOWN: 0, LOW: 1, MEDIUM: 23, HIGH: 33, CRITICAL: 13)

LIBRARY                                        | VULNERABILITY ID | SEVERITY | INSTALLED | FIXED                                | TITLE
-----------------------------------------------+------------------+----------+-----------+--------------------------------------+--------------------------------------------------------------------------------------------------
ch.qos.logback:logback-classic                 | CVE-2023-6378    | HIGH     | 1.2.3     | 1.3.12, 1.4.12, 1.2.13               | logback: serialization vulnerability in logback receiver
ch.qos.logback:logback-core                    | CVE-2023-6378    | HIGH     | 1.2.3     | 1.3.12, 1.4.12, 1.2.13               | logback: serialization vulnerability in logback receiver
ch.qos.logback:logback-core                    | CVE-2021-42550   | MEDIUM   | 1.2.3     | 1.2.9                                | logback: remote code execution through JNDI call from within its configuration file...
com.fasterxml.jackson.core:jackson-databind    | CVE-2020-36518   | HIGH     | 2.11.2    | 2.13.2.1, 2.12.6.1                   | jackson-databind: denial of service via a large depth of nested objects
com.fasterxml.jackson.core:jackson-databind    | CVE-2021-46877   | HIGH     | 2.11.2    | 2.12.6, 2.13.1                       | jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode
com.fasterxml.jackson.core:jackson-databind    | CVE-2022-42003   | HIGH     | 2.11.2    | 2.12.7.1, 2.13.4.2                   | jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
com.fasterxml.jackson.core:jackson-databind    | CVE-2022-42004   | HIGH     | 2.11.2    | 2.12.7.1, 2.13.4                     | jackson-databind: use of deeply nested arrays
com.google.guava:guava                         | CVE-2020-8908    | LOW      | r08       | 32.0.0-android                       | guava: local information disclosure via temporary directory created with unsafe permissions
com.squareup.okio:okio                         | CVE-2023-3635    | MEDIUM   | 2.8.0     | 3.4.0, 1.17.6                        | okio: GzipSource class improper exception handling
commons-collections:commons-collections        | CVE-2015-7501    | CRITICAL | 3.2.1     | 3.2.2                                | apache-commons-collections: InvokerTransformer code execution during deserialisation
commons-collections:commons-collections        | CVE-2015-6420    | HIGH     | 3.2.1     | 3.2.2                                | Insecure Deserialization in Apache Commons Collection
log4j:log4j                                    | CVE-2019-17571   | CRITICAL | 1.2.17    |                                      | log4j: deserialization of untrusted data in SocketServer
log4j:log4j                                    | CVE-2022-23305   | CRITICAL | 1.2.17    |                                      | log4j: SQL injection in Log4j 1.x when application is configured to use...
log4j:log4j                                    | CVE-2022-23307   | CRITICAL | 1.2.17    |                                      | log4j: Unsafe deserialization flaw in Chainsaw log viewer
log4j:log4j                                    | CVE-2021-4104    | HIGH     | 1.2.17    |                                      | log4j: Remote code execution in Log4j 1.x when application is configured to...
log4j:log4j                                    | CVE-2022-23302   | HIGH     | 1.2.17    |                                      | log4j: Remote code execution in Log4j 1.x when application is configured to...
org.apache.activemq:activemq-client            | CVE-2023-46604   | CRITICAL | 5.15.2    | 5.15.16, 5.16.7, 5.17.6, 5.18.3      | activemq-openwire: OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a...
org.apache.activemq:activemq-client            | CVE-2018-11775   | HIGH     | 5.15.2    | 5.15.6                               | activemq: ActiveMQ Client Missing TLS Hostname Verification
org.apache.activemq:activemq-client            | CVE-2019-0222    | HIGH     | 5.15.2    | 5.15.9                               | activemq: Corrupt MQTT frame can cause broker shutdown
org.apache.activemq:activemq-openwire-legacy   | CVE-2023-46604   | CRITICAL | 5.15.2    | 5.15.16, 5.16.7, 5.17.6, 5.18.3      | activemq-openwire: OpenWire Module: Unbounded deserialization causes ActiveMQ to be vulnerable to a...
org.apache.camel:camel-core                    | CVE-2019-0188    | HIGH     | 2.19.3    | 2.24.0                               | camel-xmljson: XML external entity injection vulnerability in outdated JSON-lib library
org.apache.camel:camel-core                    | CVE-2020-11971   | HIGH     | 2.19.3    | 3.2.0                                | camel: DNS Rebinding in JMX Connector could result in remote command execution...
org.apache.cassandra:cassandra-all             | CVE-2021-44521   | CRITICAL | 0.8.1     | 3.0.26, 3.11.12, 4.0.2               | cassandra: RCE for scripted UDFs
org.apache.httpcomponents:httpclient           | CVE-2020-13956   | MEDIUM   | 4.5.12    | 4.5.13, 5.0.3                        | apache-httpclient: incorrect handling of malformed authority component in request URIs
org.apache.thrift:libthrift                    | CVE-2018-1320    | HIGH     | 0.6.1     | 0.9.3-1, 0.12.0                      | thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class
org.apache.thrift:libthrift                    | CVE-2019-0205    | HIGH     | 0.6.1     | 0.13.0                               | thrift: Endless loop when feed with specific input data
org.apache.tomcat.embed:tomcat-embed-core      | CVE-2021-25122   | HIGH     | 9.0.37    | 10.0.2, 9.0.43, 8.5.63               | tomcat: Request mix-up with h2c
org.apache.tomcat.embed:tomcat-embed-core      | CVE-2021-25329   | HIGH     | 9.0.37    | 10.0.2, 9.0.41, 8.5.61, 7.0.108      | tomcat: Incomplete fix for CVE-2020-9484 (RCE via session persistence)
org.apache.tomcat.embed:tomcat-embed-core      | CVE-2022-42252   | HIGH     | 9.0.37    | 8.5.83, 9.0.68, 10.0.27, 10.1.1      | tomcat: request smuggling
org.apache.tomcat.embed:tomcat-embed-core      | CVE-2023-24998   | HIGH     | 9.0.37    | 10.1.5, 11.0.0-M5, 8.5.88, 9.0.71    | Apache Commons FileUpload: FileUpload DoS with excessive parts
org.apache.tomcat.embed:tomcat-embed-core      | CVE-2023-46589   | HIGH     | 9.0.37    | 11.0.0-M11, 10.1.16, 9.0.83, 8.5.96  | tomcat: HTTP request smuggling via malformed trailer headers
org.apache.tomcat.embed:tomcat-embed-core      | CVE-2021-24122   | MEDIUM   | 9.0.37    | 10.0.0-M10, 9.0.40, 8.5.60, 7.0.107  | tomcat: Information disclosure when using NTFS file system
org.apache.tomcat.embed:tomcat-embed-core      | CVE-2023-41080   | MEDIUM   | 9.0.37    | 8.5.93, 9.0.80, 10.1.13, 11.0.0-M11  | tomcat: Open Redirect vulnerability in FORM authentication
org.apache.tomcat.embed:tomcat-embed-core      | CVE-2023-42795   | MEDIUM   | 9.0.37    | 11.0.0-M12, 10.1.14, 9.0.81, 8.5.94  | tomcat: improper cleaning of recycled objects could lead to information leak
org.apache.tomcat.embed:tomcat-embed-core      | CVE-2023-44487   | MEDIUM   | 9.0.37    | 11.0.0-M12, 10.1.14, 9.0.81, 8.5.94  | HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack...
org.apache.tomcat.embed:tomcat-embed-core      | CVE-2023-45648   | MEDIUM   | 9.0.37    | 11.0.0-M12, 10.1.14, 9.0.81, 8.5.94  | tomcat: incorrectly parsed http trailer headers can cause request smuggling
org.apache.tomcat.embed:tomcat-embed-core      | CVE-2024-24549   | MEDIUM   | 9.0.37    | 8.5.99, 9.0.86, 10.1.19, 11.0.0-M17  | Apache Tomcat: HTTP/2 header handling DoS
org.apache.tomcat.embed:tomcat-embed-websocket | CVE-2024-23672   | MEDIUM   | 9.0.37    | 11.0.0-M17, 10.1.19, 9.0.86, 8.5.99  | Apache Tomcat: WebSocket DoS with incomplete closing handshake
org.codehaus.jackson:jackson-mapper-asl        | CVE-2019-10202   | CRITICAL | 1.4.0     |                                      | codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities
org.codehaus.jackson:jackson-mapper-asl        | CVE-2019-10172   | HIGH     | 1.4.0     |                                      | jackson-mapper-asl: XML external entity similar to CVE-2016-3720
org.jetbrains.kotlin:kotlin-stdlib             | CVE-2020-29582   | MEDIUM   | 1.3.72    | 1.4.21                               | kotlin: vulnerable Java API was used for temporary file and folder creation...
org.jetbrains.kotlin:kotlin-stdlib             | CVE-2022-24329   | MEDIUM   | 1.3.72    | 1.6.0                                | kotlin: Not possible to lock dependencies for Multiplatform Gradle Projects
org.mortbay.jetty:jetty                        | CVE-2009-4611    | HIGH     | 6.1.22    | 6.1.23, 7.0.2                        | jetty: escape sequence injection to stack traces
org.postgresql:postgresql                      | CVE-2024-1597    | CRITICAL | 42.3.6    | 42.2.28, 42.3.9, 42.4.4, 42.5.5, 42.6.1, 42.7.2 | pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE...
| | | | | | | -->avd.aquasec.com/nvd/cve-2024-1597 | + +------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | | CVE-2022-31197 | HIGH | | 42.2.26, 42.4.1, 42.3.7 | postgresql: SQL Injection | | | | | | | in ResultSet.refreshRow() | | | | | | | with malicious column names | | | | | | | -->avd.aquasec.com/nvd/cve-2022-31197 | + +------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | | CVE-2022-41946 | MEDIUM | | 42.2.27, 42.3.8, 42.4.3, | postgresql-jdbc: Information leak | | | | | | 42.5.1 | of prepared statement data due | | | | | | | to insecure temporary file... | | | | | | | -->avd.aquasec.com/nvd/cve-2022-41946 | +----------------------------------------------------+------------------+ +-------------------+--------------------------------+----------------------------------------------------------------+ | org.springframework.boot:spring-boot | CVE-2023-34055 | | 2.3.3.RELEASE | 2.7.18, 3.0.13, 3.1.6 | spring-boot: | | | | | | | org.springframework.boot:spring-boot-actuator | | | | | | | class vulnerable to denial of service | | | | | | | -->avd.aquasec.com/nvd/cve-2023-34055 | +----------------------------------------------------+------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | org.springframework.boot:spring-boot-autoconfigure | CVE-2023-20883 | HIGH | | 3.0.7, 2.7.12, 2.6.15, 2.5.15 | spring-boot: Spring Boot | | | | | | | Welcome Page DoS Vulnerability | | | | | | | -->avd.aquasec.com/nvd/cve-2023-20883 | +----------------------------------------------------+------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | org.springframework.boot:spring-boot-starter-web | CVE-2022-22965 | CRITICAL | | 2.5.12, 2.6.6 | spring-framework: RCE via | | | | | | 
| Data Binding on JDK 9+ | | | | | | | -->avd.aquasec.com/nvd/cve-2022-22965 | +----------------------------------------------------+ + +-------------------+--------------------------------+ + | org.springframework:spring-beans | | | 5.2.8.RELEASE | 5.2.20.RELEASE, 5.3.18 | | | | | | | | | | | | | | | | + +------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | | CVE-2022-22970 | HIGH | | 5.2.22.RELEASE, 5.3.20 | springframework: DoS via data binding | | | | | | | to multipartFile or servlet part | | | | | | | -->avd.aquasec.com/nvd/cve-2022-22970 | +----------------------------------------------------+------------------+ + +--------------------------------+----------------------------------------------------------------+ | org.springframework:spring-context | CVE-2022-22968 | | | 5.3.19, 5.2.21 | Spring Framework: Data | | | | | | | Binding Rules Vulnerability | | | | | | | -->avd.aquasec.com/nvd/cve-2022-22968 | +----------------------------------------------------+------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | org.springframework:spring-core | CVE-2021-22060 | MEDIUM | | 5.3.14, 5.2.19 | springframework: Additional Log | | | | | | | Injection in Spring Framework | | | | | | | (follow-up to CVE-2021-22096) | | | | | | | -->avd.aquasec.com/nvd/cve-2021-22060 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2021-22096 | | | 5.3.11, 5.2.18 | springframework: malicious | | | | | | | input leads to insertion | | | | | | | of additional log entries | | | | | | | -->avd.aquasec.com/nvd/cve-2021-22096 | +----------------------------------------------------+------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | org.springframework:spring-expression | 
CVE-2023-20863 | HIGH | | 6.0.8, 5.3.27, 5.2.24.RELEASE | springframework: Spring | | | | | | | Expression DoS Vulnerability | | | | | | | -->avd.aquasec.com/nvd/cve-2023-20863 | + +------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | | CVE-2022-22950 | MEDIUM | | 5.3.17, 5.2.20.RELEASE | spring-expression: Denial of service | | | | | | | via specially crafted SpEL expression | | | | | | | -->avd.aquasec.com/nvd/cve-2022-22950 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2023-20861 | | | 6.0.7, 5.3.26, 5.2.23.RELEASE | springframework: Spring | | | | | | | Expression DoS Vulnerability | | | | | | | -->avd.aquasec.com/nvd/cve-2023-20861 | +----------------------------------------------------+------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | org.springframework:spring-web | CVE-2016-1000027 | CRITICAL | | 6.0.0 | spring: HttpInvokerServiceExporter | | | | | | | readRemoteInvocation method | | | | | | | untrusted java deserialization | | | | | | | -->avd.aquasec.com/nvd/cve-2016-1000027 | + +------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | | CVE-2021-22118 | HIGH | | 5.2.15, 5.3.7 | spring-web: (re)creating the | | | | | | | temporary storage directory | | | | | | | could result in a privilege... 
| | | | | | | -->avd.aquasec.com/nvd/cve-2021-22118 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2024-22243 | | | 6.1.4, 6.0.17, 5.3.32 | springframework: URL | | | | | | | Parsing with Host Validation | | | | | | | -->avd.aquasec.com/nvd/cve-2024-22243 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2024-22259 | | | 6.1.5, 6.0.18, 5.3.33 | springframework: URL | | | | | | | Parsing with Host Validation | | | | | | | -->avd.aquasec.com/nvd/cve-2024-22259 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2024-22262 | | | 5.3.34, 6.0.19, 6.1.6 | springframework: URL | | | | | | | Parsing with Host Validation | | | | | | | -->avd.aquasec.com/nvd/cve-2024-22262 | +----------------------------------------------------+------------------+----------+ +--------------------------------+----------------------------------------------------------------+ | org.springframework:spring-webmvc | CVE-2022-22965 | CRITICAL | | 5.2.20.RELEASE, 5.3.18 | spring-framework: RCE via | | | | | | | Data Binding on JDK 9+ | | | | | | | -->avd.aquasec.com/nvd/cve-2022-22965 | +----------------------------------------------------+------------------+----------+-------------------+--------------------------------+----------------------------------------------------------------+ | org.yaml:snakeyaml | CVE-2022-1471 | HIGH | 1.26 | 2.0 | SnakeYaml: Constructor | | | | | | | Deserialization | | | | | | | Remote Code Execution | | | | | | | -->avd.aquasec.com/nvd/cve-2022-1471 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2022-25857 | | | 1.31 | snakeyaml: Denial of Service | | | | | | | due to missing nested depth | | | | | | | limitation for 
collections... | | | | | | | -->avd.aquasec.com/nvd/cve-2022-25857 | + +------------------+----------+ + +----------------------------------------------------------------+ | | CVE-2022-38749 | MEDIUM | | | snakeyaml: Uncaught exception in | | | | | | | org.yaml.snakeyaml.composer.Composer.composeSequenceNode | | | | | | | -->avd.aquasec.com/nvd/cve-2022-38749 | + +------------------+ + + +----------------------------------------------------------------+ | | CVE-2022-38750 | | | | snakeyaml: Uncaught exception in | | | | | | | org.yaml.snakeyaml.constructor.BaseConstructor.constructObject | | | | | | | -->avd.aquasec.com/nvd/cve-2022-38750 | + +------------------+ + + +----------------------------------------------------------------+ | | CVE-2022-38751 | | | | snakeyaml: Uncaught exception in | | | | | | | java.base/java.util.regex.Pattern$Ques.match | | | | | | | -->avd.aquasec.com/nvd/cve-2022-38751 | + +------------------+ + +--------------------------------+----------------------------------------------------------------+ | | CVE-2022-38752 | | | 1.32 | snakeyaml: Uncaught exception in | | | | | | | java.base/java.util.ArrayList.hashCode | | | | | | | -->avd.aquasec.com/nvd/cve-2022-38752 | + +------------------+ + + +----------------------------------------------------------------+ | | CVE-2022-41854 | | | | dev-java/snakeyaml: | | | | | | | DoS via stack overflow | | | | | | | -->avd.aquasec.com/nvd/cve-2022-41854 | +----------------------------------------------------+------------------+----------+-------------------+--------------------------------+----------------------------------------------------------------+