[root@ur-test-docker ~]# trivy bytest-harbor.ur.com.cn/api-project/api-esb-test:v1.0.17
2021-11-10T13:56:26.570+0800  INFO  Detected OS: alpine
2021-11-10T13:56:26.570+0800  INFO  Detecting Alpine vulnerabilities...
2021-11-10T13:56:26.879+0800  INFO  Number of language-specific files: 1
2021-11-10T13:56:26.879+0800  INFO  Detecting jar vulnerabilities...
2021-11-10T13:56:28.428+0800  WARN  maven constraint error ([10.5-alpha0,10.5.3.0_1]): failed to new comparer: 2 errors occurred: * improper constraint: [10.5-alpha0,10.5.3.0_1] * improper requirements: []

bytest-harbor.ur.com.cn/api-project/api-esb-test:v1.0.17 (alpine 3.13.5)
========================================================================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 3)

(Trivy merges repeated cells in its table; each finding is shown here on its own row with the merged values filled in. Every row in the original ends with a link of the form avd.aquasec.com/nvd/<cve-id in lower case>.)

LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE
apk-tools    | CVE-2021-36159   | CRITICAL | 2.12.5-r0         | 2.12.6-r0     | libfetch before 2021-07-26, as used in apk-tools, xbps, and other products, mishandles...
libcrypto1.1 | CVE-2021-3711    | CRITICAL | 1.1.1k-r0         | 1.1.1l-r0     | openssl: SM2 Decryption Buffer Overflow
libcrypto1.1 | CVE-2021-3712    | HIGH     | 1.1.1k-r0         | 1.1.1l-r0     | openssl: Read buffer overruns processing ASN.1 strings
libssl1.1    | CVE-2021-3711    | CRITICAL | 1.1.1k-r0         | 1.1.1l-r0     | openssl: SM2 Decryption Buffer Overflow
libssl1.1    | CVE-2021-3712    | HIGH     | 1.1.1k-r0         | 1.1.1l-r0     | openssl: Read buffer overruns processing ASN.1 strings

Java (jar)
==========
Total: 139 (UNKNOWN: 0, LOW: 7, MEDIUM: 41, HIGH: 57, CRITICAL: 34)

LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE
com.fasterxml.jackson.core:jackson-databind | CVE-2020-25649 | HIGH | 2.10.0 | 2.10.5.1, 2.9.10.7, 2.6.7.4 | jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity...
com.fasterxml.jackson.core:jackson-databind | CVE-2017-15095 | CRITICAL | 2.4.0 | 2.9.4, 2.8.11 | jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)...
com.fasterxml.jackson.core:jackson-databind | CVE-2017-17485 | CRITICAL | 2.4.0 | 2.8.11, 2.9.4 | jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)...
com.fasterxml.jackson.core:jackson-databind | CVE-2017-7525 | CRITICAL | 2.4.0 | 2.7.9.1, 2.6.7.1, 2.8.9 | jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper
com.fasterxml.jackson.core:jackson-databind | CVE-2018-11307 | CRITICAL | 2.4.0 | 2.8.11.2, 2.7.9.4, 2.9.6 | jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis
com.fasterxml.jackson.core:jackson-databind | CVE-2018-14718 | CRITICAL | 2.4.0 | 2.7.9.5, 2.8.11.3, 2.9.7 | jackson-databind: arbitrary code execution in slf4j-ext class
com.fasterxml.jackson.core:jackson-databind | CVE-2018-14719 | CRITICAL | 2.4.0 | 2.7.9.5, 2.8.11.3, 2.9.7 | jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes
com.fasterxml.jackson.core:jackson-databind | CVE-2018-7489 | CRITICAL | 2.4.0 | 2.8.11.1, 2.9.5 | jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries
com.fasterxml.jackson.core:jackson-databind | CVE-2019-14379 | CRITICAL | 2.4.0 | 2.9.9.2 | jackson-databind: default typing mishandling leading to remote code execution
com.fasterxml.jackson.core:jackson-databind | CVE-2019-14540 | CRITICAL | 2.4.0 | 2.9.10 | jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig
com.fasterxml.jackson.core:jackson-databind | CVE-2019-14892 | CRITICAL | 2.4.0 | 2.9.10, 2.8.11.5, 2.6.7.3 | jackson-databind: Serialization gadgets in classes of the commons-configuration package
com.fasterxml.jackson.core:jackson-databind | CVE-2019-14893 | CRITICAL | 2.4.0 | 2.8.11.5, 2.9.10 | jackson-databind: Serialization gadgets in classes of the xalan package
com.fasterxml.jackson.core:jackson-databind | CVE-2019-16335 | CRITICAL | 2.4.0 | 2.9.10 | jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource
com.fasterxml.jackson.core:jackson-databind | CVE-2019-16942 | CRITICAL | 2.4.0 | 2.9.10.1 | jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.*
com.fasterxml.jackson.core:jackson-databind | CVE-2019-16943 | CRITICAL | 2.4.0 | 2.9.10.1 | jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource
com.fasterxml.jackson.core:jackson-databind | CVE-2019-17267 | CRITICAL | 2.4.0 | 2.9.10 | jackson-databind: Serialization gadgets in classes of the ehcache package
com.fasterxml.jackson.core:jackson-databind | CVE-2019-17531 | CRITICAL | 2.4.0 | 2.9.10.1 | jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.*
com.fasterxml.jackson.core:jackson-databind | CVE-2019-20330 | CRITICAL | 2.4.0 | 2.9.10.2, 2.8.11.5 | jackson-databind: lacks certain net.sf.ehcache blocking
com.fasterxml.jackson.core:jackson-databind | CVE-2020-8840 | CRITICAL | 2.4.0 | 2.9.10.3, 2.8.11.5 | jackson-databind: Lacks certain xbean-reflect/JNDI blocking
com.fasterxml.jackson.core:jackson-databind | CVE-2020-9547 | CRITICAL | 2.4.0 | 2.9.10.4 | jackson-databind: Serialization gadgets in ibatis-sqlmap
com.fasterxml.jackson.core:jackson-databind | CVE-2020-9548 | CRITICAL | 2.4.0 | 2.9.10.4 | jackson-databind: Serialization gadgets in anteros-core
com.fasterxml.jackson.core:jackson-databind | CVE-2018-12022 | HIGH | 2.4.0 | 2.8.11.2, 2.7.9.4, 2.9.6 | jackson-databind: improper polymorphic deserialization of types from Jodd-db library
com.fasterxml.jackson.core:jackson-databind | CVE-2018-5968 | HIGH | 2.4.0 | 2.9.4, 2.8.11 | jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and...
com.fasterxml.jackson.core:jackson-databind | CVE-2019-12086 | HIGH | 2.4.0 | 2.9.9 | jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on...
com.fasterxml.jackson.core:jackson-databind | CVE-2019-14439 | HIGH | 2.4.0 | 2.9.9.2 | jackson-databind: Polymorphic typing issue related to logback/JNDI
com.fasterxml.jackson.core:jackson-databind | CVE-2020-10673 | HIGH | 2.4.0 | 2.9.10.4 | jackson-databind: mishandles the interaction between serialization gadgets and typing which could result...
com.fasterxml.jackson.core:jackson-databind | CVE-2020-25649 | HIGH | 2.4.0 | 2.10.5.1, 2.9.10.7, 2.6.7.4 | jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity...
com.fasterxml.jackson.core:jackson-databind | CVE-2020-35490 | HIGH | 2.4.0 | 2.9.10.8 | jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource...
com.fasterxml.jackson.core:jackson-databind | CVE-2020-35491 | HIGH | 2.4.0 | 2.9.10.8 | jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource...
com.fasterxml.jackson.core:jackson-databind | CVE-2021-20190 | HIGH | 2.4.0 | 2.9.10.7 | jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing...
com.fasterxml.jackson.core:jackson-databind | CVE-2018-1000873 | MEDIUM | 2.4.0 | 2.9.8 | jackson-modules-java8: DoS due to an Improper Input Validation
com.fasterxml.jackson.core:jackson-databind | CVE-2019-12384 | MEDIUM | 2.4.0 | 2.9.9.1 | jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to...
com.fasterxml.jackson.core:jackson-databind | CVE-2019-12814 | MEDIUM | 2.4.0 | 2.9.9.1 | jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on...
com.google.guava:guava | CVE-2018-10237 | MEDIUM | 19.0 | 24.1.1 | guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers...
com.google.guava:guava | CVE-2020-8908 | LOW | 19.0 | 30.0-jre | guava: local information disclosure via temporary directory created with unsafe permissions
com.google.guava:guava | CVE-2018-10237 | MEDIUM | 22.0 | 24.1.1 | guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers...
com.google.guava:guava | CVE-2020-8908 | LOW | 22.0 | 30.0-jre | guava: local information disclosure via temporary directory created with unsafe permissions
com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer | CVE-2021-42575 | CRITICAL | r239 | 20211018.1 | Policies not properly enforced in OWASP Java HTML Sanitizer
com.mchange:c3p0 | CVE-2018-20433 | CRITICAL | 0.9.5.2 | 0.9.5.3 | c3p0: XML external entity processing in extractXmlConfigFromInputStream
com.mchange:c3p0 | CVE-2019-5427 | HIGH | 0.9.5.2 | 0.9.5.4 | c3p0: loading XML configuration leads to denial of service
com.squareup.okhttp3:okhttp | CVE-2018-20200 | MEDIUM | 3.10.0 | 3.12.1 | okhttp: certificate pinning bypass
com.squareup.okhttp:okhttp | CVE-2016-2402 | MEDIUM | 2.7.5 | 3.1.2 | Improper Certificate Validation
commons-beanutils:commons-beanutils | CVE-2019-10086 | HIGH | 1.9.3 | 1.9.4 | apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default
commons-fileupload:commons-fileupload | CVE-2016-1000031 | CRITICAL | 1.3.1 | 1.3.3 | Apache Commons FileUpload: DiskFileItem file manipulation
commons-fileupload:commons-fileupload | CVE-2016-3092 | HIGH | 1.3.1 | 1.3.2 | tomcat: Usage of vulnerable FileUpload package can result in denial of service...
commons-httpclient:commons-httpclient | CVE-2012-5783 | MEDIUM | 3.1 | (no fixed version) | jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name
commons-io:commons-io | CVE-2021-29425 | MEDIUM | 2.5 | 2.7 | apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6
io.netty:netty | CVE-2019-20444 | CRITICAL | 3.7.0.Final | 4.1.44.Final | netty: HTTP request smuggling
io.netty:netty | CVE-2019-20445 | CRITICAL | 3.7.0.Final | 4.1.44.Final | netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header
io.netty:netty | CVE-2019-16869 | HIGH | 3.7.0.Final | 4.1.42.Final | netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP...
io.netty:netty | CVE-2021-21290 | MEDIUM | 3.7.0.Final | 4.1.59.Final | netty: Information disclosure via the local system temporary directory
io.netty:netty | CVE-2021-21295 | MEDIUM | 3.7.0.Final | 4.1.60.Final | netty: possible request smuggling in HTTP/2 due missing validation
io.netty:netty | CVE-2021-21409 | MEDIUM | 3.7.0.Final | 4.1.61.Final | netty: Request smuggling via content-length header
io.netty:netty-all | CVE-2019-16869 | HIGH | 4.1.17.Final | 4.1.42 | netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP...
io.netty:netty-codec | CVE-2021-37136 | HIGH | 4.1.42.Final | 4.1.68.Final | netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data
io.netty:netty-codec | CVE-2021-37137 | HIGH | 4.1.42.Final | 4.1.68.Final | netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in...
io.netty:netty-codec-http | CVE-2021-21290 | MEDIUM | 4.1.42.Final | 4.1.59.Final | netty: Information disclosure via the local system temporary directory
io.netty:netty-handler | CVE-2019-20444 | CRITICAL | 4.1.42.Final | 4.1.44 | netty: HTTP request smuggling
io.netty:netty-handler | CVE-2019-20445 | CRITICAL | 4.1.42.Final | 4.1.45 | netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header
io.netty:netty-handler | CVE-2020-11612 | HIGH | 4.1.42.Final | 4.1.46 | netty: compression/decompression codecs don't enforce limits on buffer allocation sizes
jline:jline | CVE-2010-1330 | MEDIUM | 0.9.94 | 1.4.1 | jruby: XSS in the regular expression engine when processing invalid UTF-8 byte...
jline:jline | CVE-2013-2035 | MEDIUM | 0.9.94 | 2.11 | HawtJNI: predictable temporary file name leading to local arbitrary code execution
junit:junit | CVE-2020-15250 | MEDIUM | 4.12 | 4.13.1 | junit4: TemporaryFolder is shared between all users across system which could result...
log4j:log4j | CVE-2019-17571 | CRITICAL | 1.2.16 | (no fixed version) | log4j: deserialization of untrusted data in SocketServer
log4j:log4j | CVE-2020-9488 | LOW | 1.2.16 | 2.13.2 | log4j: improper validation of certificate with host mismatch in SMTP appender
mysql:mysql-connector-java | CVE-2020-2934 | MEDIUM | 8.0.18 | 5.1.49, 8.0.20 | mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise...
org.apache.activemq:activemq-broker | CVE-2020-13947 | MEDIUM | 5.15.10 | 5.15.14, 5.16.1 | Cross-site Scripting
org.apache.activemq:activemq-client | CVE-2020-13947 | MEDIUM | 5.15.10 | 5.15.14, 5.16.1 | Cross-site Scripting
org.apache.ant:ant | CVE-2020-11979 | HIGH | 1.9.1 | 1.10.9 | ant: insecure temporary file
org.apache.ant:ant | CVE-2020-1945 | MEDIUM | 1.9.1 | 1.10.8, 1.9.15 | ant: insecure temporary file vulnerability
org.apache.ant:ant | CVE-2021-36373 | MEDIUM | 1.9.1 | 1.10.11, 1.9.16 | ant: excessive memory allocation when reading a specially crafted TAR archive
org.apache.ant:ant | CVE-2021-36374 | MEDIUM | 1.9.1 | 1.10.11, 1.9.16 | ant: excessive memory allocation when reading a specially crafted ZIP archive or...
org.apache.commons:commons-compress | CVE-2021-35515 | HIGH | 1.4.1 | 1.21 | apache-commons-compress: infinite loop when reading a specially crafted 7Z archive
org.apache.commons:commons-compress | CVE-2021-35516 | HIGH | 1.4.1 | 1.21 | apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive
org.apache.commons:commons-compress | CVE-2021-35517 | HIGH | 1.4.1 | 1.21 | apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive
org.apache.commons:commons-compress | CVE-2021-36090 | HIGH | 1.4.1 | 1.21 | apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive
org.apache.commons:commons-compress | CVE-2018-11771 | MEDIUM | 1.4.1 | 1.18 | apache-commons-compress: ZipArchiveInputStream.read() fails to identify correct EOF allowing for DoS via crafted...
org.apache.hadoop:hadoop-common | CVE-2018-8009 | HIGH | 2.7.4 | 2.7.7, 2.8.5, 2.9.2, 3.1.1 | hadoop: arbitrary file write vulnerability / arbitrary code execution using a specially...
org.apache.hadoop:hadoop-common | CVE-2018-8029 | HIGH | 2.7.4 | 2.8.5, 2.9.2, 3.1.1 | hadoop: a user who can escalate to yarn user can possibly run...
org.apache.hadoop:hadoop-common | CVE-2017-15713 | MEDIUM | 2.7.4 | 2.8.3, 3.0.1 | Moderate severity vulnerability that affects org.apache.hadoop:hadoop-main
org.apache.hive:hive-jdbc | CVE-2018-1282 | CRITICAL | 1.1.0 | 2.3.3 | hive: Improper input validation in jdbc/HivePreparedStatement.java allows for SQL injection
org.apache.hive:hive-jdbc | CVE-2018-1314 | MEDIUM | 1.1.0 | 3.1.1, 2.3.4 | Py-hiverunner 5.0.0 updates the default supported Hive version to 2.3.4 because version...
org.apache.hive:hive-service | CVE-2015-1772 | HIGH | 1.1.0 | 1.1.1, 1.0.1 | Apache Hive: authentication vulnerability in HiveServer2
org.apache.hive:hive-service | CVE-2015-7521 | HIGH | 1.1.0 | 1.2.2 | High severity vulnerability that affects org.apache.hive:hive, org.apache.hive:hive-exec, and org.apache.hive:hive-service
org.apache.hive:hive-service | CVE-2016-3083 | HIGH | 1.1.0 | 2.0.1, 1.2.2 | Moderate severity vulnerability that affects org.apache.hive:hive, org.apache.hive:hive-exec, and org.apache.hive:hive-service
org.apache.hive:hive-service | CVE-2018-1284 | LOW | 1.1.0 | 2.3.3 | hive: Mishandled input in UDFXPathUtil.java allows users to access arbitrary files via...
org.apache.httpcomponents:httpclient | CVE-2020-13956 | MEDIUM | 4.5.10 | 5.0.3, 4.5.13 | apache-httpclient: incorrect handling of malformed authority component in request URIs
org.apache.logging.log4j:log4j-core | CVE-2020-9488 | LOW | 2.12.1 | 2.13.2 | log4j: improper validation of certificate with host mismatch in SMTP appender
org.apache.poi:poi | CVE-2019-12415 | MEDIUM | 3.17 | 4.1.1 | poi: a specially crafted Microsoft Excel document allows attacker to read files...
org.apache.thrift:libthrift | CVE-2018-1320 | HIGH | 0.9.2 | 0.12.0 | thrift: SASL negotiation isComplete validation bypass in the org.apache.thrift.transport.TSaslTransport class
org.apache.thrift:libthrift | CVE-2019-0205 | HIGH | 0.9.2 | 0.13.0 | thrift: Endless loop when feed with specific input data
org.apache.thrift:libthrift | CVE-2015-3254 | MEDIUM | 0.9.2 | 0.9.3 | thrift: Infinite recursion via vectors involving the skip function
org.apache.thrift:libthrift | CVE-2018-11798 | MEDIUM | 0.9.2 | 0.12.0 | thrift: Improper Access Control grants access to files outside the webservers...
|| | | | | | -->avd.aquasec.com/nvd/cve-2018-11798 |+--------------------------------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------+| org.apache.tomcat.embed:tomcat-embed-core | CVE-2020-1938 | CRITICAL | 9.0.27 | 7.0.100, 8.5.51, 9.0.31 | tomcat: Apache Tomcat AJP File || | | | | | Read/Inclusion Vulnerability || | | | | | -->avd.aquasec.com/nvd/cve-2020-1938 |+ +------------------+----------+ +--------------------------------+---------------------------------------------------------------+| | CVE-2019-12418 | HIGH | | 9.0.29, 8.5.49, 7.0.99 | tomcat: local privilege escalation || | | | | | -->avd.aquasec.com/nvd/cve-2019-12418 |+ +------------------+ + +--------------------------------+---------------------------------------------------------------+| | CVE-2019-17563 | | | 9.0.30, 8.5.50, 7.0.99 | tomcat: Session fixation when || | | | | | using FORM authentication || | | | | | -->avd.aquasec.com/nvd/cve-2019-17563 |+ +------------------+ + +--------------------------------+---------------------------------------------------------------+| | CVE-2020-13934 | | | 8.5.57, 9.0.37 | tomcat: OutOfMemoryException || | | | | | caused by HTTP/2 connection || | | | | | leak could lead to DoS || | | | | | -->avd.aquasec.com/nvd/cve-2020-13934 |+ +------------------+ + +--------------------------------+---------------------------------------------------------------+| | CVE-2020-17527 | | | 8.5.60, 9.0.40, 10.0.2 | tomcat: HTTP/2 request header mix-up || | | | | | -->avd.aquasec.com/nvd/cve-2020-17527 |+ +------------------+ + +--------------------------------+---------------------------------------------------------------+| | CVE-2020-9484 | | | 7.0.104, 8.5.55, 9.0.35, | tomcat: deserialization || | | | | 10.0.0-M5 | flaw in session persistence || | | | | | storage leading to RCE || | | | | | -->avd.aquasec.com/nvd/cve-2020-9484 |+ 
+------------------+ + +--------------------------------+---------------------------------------------------------------+| | CVE-2021-25122 | | | 8.5.63, 9.0.43, 10.0.2 | tomcat: Request mix-up with h2c || | | | | | -->avd.aquasec.com/nvd/cve-2021-25122 |+ +------------------+ + +--------------------------------+---------------------------------------------------------------+| | CVE-2021-25329 | | | 7.0.108, 8.5.61, 9.0.41, | tomcat: Incomplete fix || | | | | 10.0.2 | for CVE-2020-9484 (RCE || | | | | | via session persistence) || | | | | | -->avd.aquasec.com/nvd/cve-2021-25329 |+ +------------------+----------+ +--------------------------------+---------------------------------------------------------------+| | CVE-2020-1935 | MEDIUM | | 9.0.31, 8.5.51, 7.0.100 | tomcat: Mishandling of || | | | | | Transfer-Encoding header allows || | | | | | for HTTP request smuggling || | | | | | -->avd.aquasec.com/nvd/cve-2020-1935 |+ +------------------+ + +--------------------------------+---------------------------------------------------------------+| | CVE-2021-24122 | | | 7.0.107, 8.5.60, 9.0.40, | tomcat: Information disclosure || | | | | 10.0.0-M10 | when using NTFS file system || | | | | | -->avd.aquasec.com/nvd/cve-2021-24122 |+--------------------------------------------------------------------+------------------+----------+ +--------------------------------+---------------------------------------------------------------+| org.apache.tomcat.embed:tomcat-embed-websocket | CVE-2020-13935 | HIGH | | 7.0.105, 8.5.57, 9.0.37, | tomcat: multiple requests || | | | | 10.0.2 | with invalid payload length || | | | | | in a WebSocket frame could... 
|| | | | | | -->avd.aquasec.com/nvd/cve-2020-13935 |+ +------------------+----------+ +--------------------------------+---------------------------------------------------------------+| | CVE-2021-24122 | MEDIUM | | 10.0.0-M10, 9.0.40, 8.5.60, | tomcat: Information disclosure || | | | | 7.0.107 | when using NTFS file system || | | | | | -->avd.aquasec.com/nvd/cve-2021-24122 |+--------------------------------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------+| org.apache.xmlbeans:xmlbeans | CVE-2021-23926 | CRITICAL | 2.6.0 | 3.0.0 | xmlbeans: allowed malicious || | | | | | XML input may lead to XML || | | | | | Entity Expansion attack... || | | | | | -->avd.aquasec.com/nvd/cve-2021-23926 |+--------------------------------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------+| org.apache.zookeeper:zookeeper | CVE-2017-5637 | HIGH | 3.4.6 | 3.4.10, 3.5.3 | zookeeper: Incorrect || | | | | | input validation with || | | | | | wchp/wchc four letter words || | | | | | -->avd.aquasec.com/nvd/cve-2017-5637 |+ +------------------+ + +--------------------------------+---------------------------------------------------------------+| | CVE-2018-8012 | | | 3.4.10, 3.5.4 | zookeeper: No authentication || | | | | | or authorization is enforced || | | | | | when a server joins a... 
|| | | | | | -->avd.aquasec.com/nvd/cve-2018-8012 |+ +------------------+----------+ +--------------------------------+---------------------------------------------------------------+| | CVE-2019-0201 | MEDIUM | | 3.5.5, 3.4.14 | zookeeper: Information || | | | | | disclosure in Apache ZooKeeper || | | | | | -->avd.aquasec.com/nvd/cve-2019-0201 |+--------------------------------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------+| org.codehaus.jackson:jackson-mapper-asl | CVE-2019-10172 | HIGH | 1.9.13 | | jackson-mapper-asl: XML external || | | | | | entity similar to CVE-2016-3720 || | | | | | -->avd.aquasec.com/nvd/cve-2019-10172 |+--------------------------------------------------------------------+------------------+ +-------------------+--------------------------------+---------------------------------------------------------------+| org.eclipse.jetty:jetty-http | CVE-2020-27216 | | 8.1.14.v20131031 | 9.3.29.v20201019, | jetty: local temporary directory || | | | | 9.4.32.v20200930, 11.0.1 | hijacking vulnerability || | | | | | -->avd.aquasec.com/nvd/cve-2020-27216 |+ +------------------+ + +--------------------------------+---------------------------------------------------------------+| | CVE-2021-28165 | | | 9.4.39.v20210325, 10.0.2, | jetty: Resource exhaustion when || | | | | 11.0.2 | receiving an invalid large TLS frame || | | | | | -->avd.aquasec.com/nvd/cve-2021-28165 |+ +------------------+----------+ +--------------------------------+---------------------------------------------------------------+| | CVE-2019-10247 | MEDIUM | | 9.2.28.v20190418, | jetty: error path || | | | | 9.3.27.v20190418, | information disclosure || | | | | 9.4.17.v20190418 | -->avd.aquasec.com/nvd/cve-2019-10247 |+--------------------------------------------------------------------+------------------+----------+ 
+--------------------------------+---------------------------------------------------------------+| org.eclipse.jetty:jetty-io | CVE-2021-28165 | HIGH | | 10.0.2, 9.4.39, 11.0.2 | jetty: Resource exhaustion when || | | | | | receiving an invalid large TLS frame || | | | | | -->avd.aquasec.com/nvd/cve-2021-28165 |+--------------------------------------------------------------------+------------------+----------+ +--------------------------------+---------------------------------------------------------------+| org.eclipse.jetty:jetty-server | CVE-2017-7657 | CRITICAL | | 9.3.24.v20180605, | jetty: HTTP request smuggling || | | | | 9.2.25.v20180606 | -->avd.aquasec.com/nvd/cve-2017-7657 |+ +------------------+ + +--------------------------------+---------------------------------------------------------------+| | CVE-2017-7658 | | | 9.2.26.v20180806, | jetty: Incorrect header handling || | | | | 9.3.24.v20180605, | -->avd.aquasec.com/nvd/cve-2017-7658 || | | | | 9.4.11.v20180605 | |+ +------------------+----------+ +--------------------------------+---------------------------------------------------------------+| | CVE-2015-2080 | HIGH | | 9.2.9.v20150224 | jetty: remote unauthenticated || | | | | | credential exposure || | | | | | -->avd.aquasec.com/nvd/cve-2015-2080 |+ +------------------+ + +--------------------------------+---------------------------------------------------------------+| | CVE-2017-7656 | | | 9.4.11.v20180605, | jetty: HTTP request smuggling || | | | | 9.3.24.v20180605 | using the range header || | | | | | -->avd.aquasec.com/nvd/cve-2017-7656 |+ +------------------+ + +--------------------------------+---------------------------------------------------------------+| | CVE-2020-27216 | | | 9.3.29.v20201019, | jetty: local temporary directory || | | | | 9.4.32.v20200930, 11.0.1 | hijacking vulnerability || | | | | | -->avd.aquasec.com/nvd/cve-2020-27216 |+ +------------------+ + 
+--------------------------------+---------------------------------------------------------------+| | CVE-2021-28165 | | | 9.4.39.v20210325, 10.0.2, | jetty: Resource exhaustion when || | | | | 11.0.2 | receiving an invalid large TLS frame || | | | | | -->avd.aquasec.com/nvd/cve-2021-28165 |+ +------------------+----------+ +--------------------------------+---------------------------------------------------------------+| | CVE-2019-10241 | MEDIUM | | 9.4.16.v20190411, | jetty: using specially formatted || | | | | 9.3.26.v20190403, | URL against DefaultServlet or || | | | | 9.2.27.v20190403 | ResourceHandler leads to XSS... || | | | | | -->avd.aquasec.com/nvd/cve-2019-10241 |+ +------------------+ + +--------------------------------+---------------------------------------------------------------+| | CVE-2019-10247 | | | 9.4.17.v20190418, | jetty: error path || | | | | 9.3.27.v20190418, | information disclosure || | | | | 9.2.28.v20190418 | -->avd.aquasec.com/nvd/cve-2019-10247 |+ +------------------+----------+ +--------------------------------+---------------------------------------------------------------+| | CVE-2021-34428 | LOW | | 11.0.3, 10.0.3, 9.4.41 | jetty: SessionListener can || | | | | | prevent a session from being || | | | | | invalidated breaking logout || | | | | | -->avd.aquasec.com/nvd/cve-2021-34428 |+--------------------------------------------------------------------+------------------+----------+ +--------------------------------+---------------------------------------------------------------+| org.eclipse.jetty:jetty-util | CVE-2017-9735 | HIGH | | 9.4.6.v20170531 | jetty: Timing channel attack || | | | | | in util/security/Password.java || | | | | | -->avd.aquasec.com/nvd/cve-2017-9735 |+ +------------------+ + +--------------------------------+---------------------------------------------------------------+| | CVE-2020-27216 | | | 9.3.29.v20201019, | jetty: local temporary directory || | | | | 9.4.32.v20200930, 11.0.1 | hijacking 
vulnerability || | | | | | -->avd.aquasec.com/nvd/cve-2020-27216 |+ +------------------+ + +--------------------------------+---------------------------------------------------------------+| | CVE-2021-28165 | | | 9.4.39.v20210325, 10.0.2, | jetty: Resource exhaustion when || | | | | 11.0.2 | receiving an invalid large TLS frame || | | | | | -->avd.aquasec.com/nvd/cve-2021-28165 |+--------------------------------------------------------------------+------------------+ +-------------------+--------------------------------+---------------------------------------------------------------+| org.eclipse.paho:org.eclipse.paho.client.mqttv3 | CVE-2019-11777 | | 1.2.0 | 1.2.1 | org.eclipse.paho.client.mqttv3: || | | | | | Improper hostname validation || | | | | | in the MQTT library || | | | | | -->avd.aquasec.com/nvd/cve-2019-11777 |+--------------------------------------------------------------------+------------------+ +-------------------+--------------------------------+---------------------------------------------------------------+| org.elasticsearch:elasticsearch | CVE-2020-7014 | | 6.8.3 | 7.6.2, 6.8.8 | elasticsearch: Incomplete fix || | | | | | for CVE-2020-7009 could result || | | | | | in generating API key with... 
|| | | | | | -->avd.aquasec.com/nvd/cve-2020-7014 |+ +------------------+----------+ +--------------------------------+---------------------------------------------------------------+| | CVE-2021-22135 | MEDIUM | | 6.8.15, 7.11.2 | elasticsearch: Document disclosure || | | | | | flaw in the Elasticsearch suggester || | | | | | -->avd.aquasec.com/nvd/cve-2021-22135 |+ +------------------+ + +--------------------------------+---------------------------------------------------------------+| | CVE-2021-22144 | | | 7.13.3, 6.8.17 | elasticsearch: uncontrolled || | | | | | recursion in Grok parser || | | | | | -->avd.aquasec.com/nvd/cve-2021-22144 |+ +------------------+----------+ +--------------------------------+---------------------------------------------------------------+| | CVE-2020-7020 | LOW | | 7.9.2, 6.8.13 | elasticsearch: not properly || | | | | | preserving security || | | | | | permissions when executing || | | | | | complex queries may lead... || | | | | | -->avd.aquasec.com/nvd/cve-2020-7020 |+--------------------------------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------+| org.hibernate.validator:hibernate-validator | CVE-2019-10219 | MEDIUM | 6.0.17.Final | 6.0.18 | hibernate-validator: || | | | | | safeHTML validator allows XSS || | | | | | -->avd.aquasec.com/nvd/cve-2019-10219 |+ +------------------+ + +--------------------------------+---------------------------------------------------------------+| | CVE-2020-10693 | | | 6.0.20.Final, 6.1.5.Final | hibernate-validator: Improper input || | | | | | validation in the interpolation || | | | | | of constraint error messages || | | | | | -->avd.aquasec.com/nvd/cve-2020-10693 
|+--------------------------------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------+| org.jdom:jdom2 | CVE-2021-33813 | HIGH | 2.0.6 | | jdom: XXE allows attackers to || | | | | | cause a DoS via a crafted HTTP... || | | | | | -->avd.aquasec.com/nvd/cve-2021-33813 |+--------------------------------------------------------------------+------------------+ +-------------------+--------------------------------+---------------------------------------------------------------+| org.mybatis:mybatis | CVE-2020-26945 | | 3.5.0 | 3.5.6 | mybatis: mishandles deserialization || | | | | | of object streams which could || | | | | | result in remote code... || | | | | | -->avd.aquasec.com/nvd/cve-2020-26945 |+--------------------------------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------+| org.quartz-scheduler:quartz | CVE-2019-13990 | CRITICAL | 2.3.1 | 2.3.2 | libquartz: XXE attacks || | | | | | via job description || | | | | | -->avd.aquasec.com/nvd/cve-2019-13990 |+--------------------------------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------+| org.springframework:spring-webmvc | CVE-2020-5398 | HIGH | 5.2.0.RELEASE | 5.0.16, 5.1.13, 5.2.3 | springframework: RFD attack via || | | | | | Content-Disposition Header sourced || | | | | | from request input by Spring... 
|| | | | | | -->avd.aquasec.com/nvd/cve-2020-5398 |+ +------------------+----------+ +--------------------------------+---------------------------------------------------------------+| | CVE-2020-5397 | MEDIUM | | 5.2.3 | springframework: CSRF attack || | | | | | via CORS Preflight Requests || | | | | | with Spring MVC or Spring... || | | | | | -->avd.aquasec.com/nvd/cve-2020-5397 |+--------------------------------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------+| org.yaml:snakeyaml | CVE-2017-18640 | HIGH | 1.25 | 1.26 | snakeyaml: Billion laughs || | | | | | attack via alias feature || | | | | | -->avd.aquasec.com/nvd/cve-2017-18640 |+--------------------------------------------------------------------+------------------+----------+-------------------+--------------------------------+---------------------------------------------------------------+[root@ur-test-docker ~]#