Critical and High security vulnerabilities in reaper 3.6.0 #1529

Open
kapilgit123 opened this issue Nov 20, 2024 · 1 comment
kapilgit123 commented Nov 20, 2024

Our security scans for reaper 3.6.0 have identified the following vulnerabilities. Will these be addressed in upcoming versions of reaper, like 3.7.0? If yes, what is the timeline for the new release? Also, is reaper actually vulnerable to these CVEs?

Component name - snappy-java
Component version name - 1.1.1.7
CVE-2023-34453
CVE-2023-34454
CVE-2023-34455
CVE-2023-43642
CVE-2023-34453
CVSS - 7.5 (High)

Component name - google-guava
Component version name - v24.1.1
CVE - CVE-2023-2976 (BDSA-2016-1748)
CVE-2020-8908
CVSS - 7.1 (High)

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.
CVE-2020-13956 BDSA-2020-2701
CVSS - 5.3 (Medium)

The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affects Apache Thrift 0.9.3 and older; fixed in Apache Thrift 0.10.0.
CVE-2016-5397 BDSA-2017-3861
CVE-2018-1320 BDSA-2018-4637
CVE-2019-0205 BDSA-2019-3340
CVE-2015-3254
CVE-2018-11798 BDSA-2018-4640
CVSS - 8.8 (Critical)

cassandra-all-2.2.12.jar
CVE-2021-44521,
CVE-2020-17516 BDSA-2021-0273,
CVE-2019-2684,
CVE-2020-13946 BDSA-2020-2259
CVSS - 9.1 (Critical)

squareokio - 3.0.0
CVE-2023-3635 BDSA-2023-2206

SnakeYAML-1.31
CVE-2022-1471
CVE-2022-41854
CVE-2022-38752

CVE-2023-35116
jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.

Netty Project 4.1.94.Final
CVE-2023-44487 BDSA-2023-2732
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Issue is synchronized with this Jira Story by Unito. Issue Number: REAP-193

kapilgit123 (Author) commented

@adejanovski Could you please clarify if reaper is vulnerable to the above CVEs?
