
oak-solr-osgi embeds vulnerable Zookeeper


Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.58.0
    • Component/s: indexing
    • Labels: None

    Description

      This artifact embeds Apache ZooKeeper 3.4.10, which contains the following vulnerabilities:

      • BDSA-2013-0048 in version 3.4.10 (CVSS 7.5 High): Apache ZooKeeper contains an information disclosure vulnerability due to a missing permission check within the `getACL` command. An attacker could exploit this to obtain hashes for authentication, if Digest Authentication is in use.
      • CVE-2020-10663 in version 3.4.10 (CVSS 7.5 High): The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.

    People

      Assignee: Fabrizio Fortino
      Reporter: Fabrizio Fortino
      Votes: 0
      Watchers: 2