You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Path to vulnerable library: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-optimistic-locking/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
JSON (JavaScript Object Notation) is a lightweight data-interchange format.
It is easy for humans to read and write. It is easy for machines to parse and generate.
It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition
- December 1999. JSON is a text format that is completely language independent but uses
conventions that are familiar to programmers of the C-family of languages, including C, C++, C#,
Java, JavaScript, Perl, Python, and many others.
These properties make JSON an ideal data-interchange language.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core-api/pom.xml,/nifi-mock/pom.xml,/nifi-bootstrap/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml,/nifi-commons/nifi-expression-language/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-optimistic-locking/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-authorizer/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-record-serialization-services-bundle/nifi-record-serialization-services/pom.xml
Json-smart is a performance focused, JSON processor lib.
When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.
It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-optimistic-locking/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-optimistic-locking/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-optimistic-locking/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
JSON (JavaScript Object Notation) is a lightweight data-interchange format.
It is easy for humans to read and write. It is easy for machines to parse and generate.
It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition
- December 1999. JSON is a text format that is completely language independent but uses
conventions that are familiar to programmers of the C-family of languages, including C, C++, C#,
Java, JavaScript, Perl, Python, and many others.
These properties make JSON an ideal data-interchange language.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core-api/pom.xml,/nifi-mock/pom.xml,/nifi-bootstrap/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml,/nifi-commons/nifi-expression-language/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-optimistic-locking/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-authorizer/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-record-serialization-services-bundle/nifi-record-serialization-services/pom.xml
An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml,/nifi-commons/nifi-expression-language/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-lookup-services-bundle/nifi-lookup-services/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/pom.xml,/nifi-mock/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-optimistic-locking/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-record-serialization-services-bundle/nifi-record-serialization-services/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-authorizer/pom.xml,/nifi-bootstrap/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core-api/pom.xml
OutOfMemoryError when writing BigDecimal In Jackson Core before version 2.7.7.
When enabled the WRITE_BIGDECIMAL_AS_PLAIN setting, Jackson will attempt to write out the whole number, no matter how large the exponent.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml,/nifi-commons/nifi-expression-language/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-lookup-services-bundle/nifi-lookup-services/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/pom.xml,/nifi-mock/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-optimistic-locking/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-record-serialization-services-bundle/nifi-record-serialization-services/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-authorizer/pom.xml,/nifi-bootstrap/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core-api/pom.xml
In Jackson Core before version 2.8.6 if the REST endpoint consumes POST requests with JSON or XML data and data are invalid, the first unrecognized token is printed to server.log. If the first token is word of length 10MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-optimistic-locking/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition.
Specifically, an application is vulnerable when the following is true:
The application evaluates user-supplied SpEL expressions.
mend-for-github-combot
changed the title
nifi-administration-1.4.0-SNAPSHOT.jar: 7 vulnerabilities (highest severity is: 7.5)
nifi-administration-1.4.0-SNAPSHOT.jar: 8 vulnerabilities (highest severity is: 7.5)
Aug 15, 2024
Vulnerable Library - nifi-administration-1.4.0-SNAPSHOT.jar
Path to vulnerable library: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-optimistic-locking/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Found in HEAD commit: 2a508ccd928df4b0618ce585803bc393b7d5b8b3
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-1370
Vulnerable Library - json-smart-2.1.1.jar
JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.
Library home page: http://www.minidev.net/
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core-api/pom.xml,/nifi-mock/pom.xml,/nifi-bootstrap/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml,/nifi-commons/nifi-expression-language/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-optimistic-locking/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-authorizer/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-record-serialization-services-bundle/nifi-record-serialization-services/pom.xml
Dependency Hierarchy:
Found in HEAD commit: 2a508ccd928df4b0618ce585803bc393b7d5b8b3
Found in base branch: master
Vulnerability Details
Json-smart is a performance focused, JSON processor lib.
When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.
It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.
Publish Date: 2023-03-13
URL: CVE-2023-1370
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
Release Date: 2023-03-22
Fix Resolution: net.minidev:json-smart:2.4.9
CVE-2023-20863
Vulnerable Library - spring-expression-4.2.4.RELEASE.jar
Spring Expression Language (SpEL)
Library home page: http://projects.spring.io/spring-framework
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-optimistic-locking/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Dependency Hierarchy:
Found in HEAD commit: 2a508ccd928df4b0618ce585803bc393b7d5b8b3
Found in base branch: master
Vulnerability Details
In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Publish Date: 2023-04-13
URL: CVE-2023-20863
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2023-20863
Release Date: 2023-04-13
Fix Resolution: org.springframework:spring-expression - 5.2.24.RELEASE,5.3.27,6.0.8
CVE-2023-20861
Vulnerable Library - spring-expression-4.2.4.RELEASE.jar
Spring Expression Language (SpEL)
Library home page: http://projects.spring.io/spring-framework
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-optimistic-locking/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Dependency Hierarchy:
Found in HEAD commit: 2a508ccd928df4b0618ce585803bc393b7d5b8b3
Found in base branch: master
Vulnerability Details
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Publish Date: 2023-03-23
URL: CVE-2023-20861
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2023-20861
Release Date: 2023-03-23
Fix Resolution: org.springframework:spring-expression:x5.2.23.RELEASE,5.3.26,6.0.7
CVE-2022-22950
Vulnerable Library - spring-expression-4.2.4.RELEASE.jar
Spring Expression Language (SpEL)
Library home page: http://projects.spring.io/spring-framework
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-optimistic-locking/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Dependency Hierarchy:
Found in HEAD commit: 2a508ccd928df4b0618ce585803bc393b7d5b8b3
Found in base branch: master
Vulnerability Details
n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
Publish Date: 2022-04-01
URL: CVE-2022-22950
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2022-22950
Release Date: 2022-04-01
Fix Resolution: org.springframework:spring-expression:5.2.20,5.3.17
CVE-2021-27568
Vulnerable Library - json-smart-2.1.1.jar
JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.
Library home page: http://www.minidev.net/
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core-api/pom.xml,/nifi-mock/pom.xml,/nifi-bootstrap/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml,/nifi-commons/nifi-expression-language/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-optimistic-locking/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-authorizer/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-record-serialization-services-bundle/nifi-record-serialization-services/pom.xml
Dependency Hierarchy:
Found in HEAD commit: 2a508ccd928df4b0618ce585803bc393b7d5b8b3
Found in base branch: master
Vulnerability Details
An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.
Publish Date: 2021-02-23
URL: CVE-2021-27568
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-02-23
Fix Resolution: net.minidev:json-smart-mini:1.3.2;net.minidev:json-smart:1.3.2,2.3.1,2.4.2;net.minidev:json-smart-action:2.3.1,2.4.2
WS-2018-0125
Vulnerable Library - jackson-core-2.6.1.jar
Core Jackson abstractions, basic JSON streaming API implementation
Library home page: http://fasterxml.com/
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml,/nifi-commons/nifi-expression-language/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-lookup-services-bundle/nifi-lookup-services/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/pom.xml,/nifi-mock/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-optimistic-locking/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-record-serialization-services-bundle/nifi-record-serialization-services/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-authorizer/pom.xml,/nifi-bootstrap/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core-api/pom.xml
Dependency Hierarchy:
Found in HEAD commit: 2a508ccd928df4b0618ce585803bc393b7d5b8b3
Found in base branch: master
Vulnerability Details
OutOfMemoryError when writing BigDecimal In Jackson Core before version 2.7.7.
When enabled the WRITE_BIGDECIMAL_AS_PLAIN setting, Jackson will attempt to write out the whole number, no matter how large the exponent.
Publish Date: 2016-08-25
URL: WS-2018-0125
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2016-08-25
Fix Resolution: com.fasterxml.jackson.core:jackson-core:2.7.7
WS-2018-0124
Vulnerable Library - jackson-core-2.6.1.jar
Core Jackson abstractions, basic JSON streaming API implementation
Library home page: http://fasterxml.com/
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml,/nifi-commons/nifi-expression-language/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-authorization/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-lookup-services-bundle/nifi-lookup-services/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/pom.xml,/nifi-mock/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-optimistic-locking/pom.xml,/nifi-nar-bundles/nifi-standard-services/nifi-record-serialization-services-bundle/nifi-record-serialization-services/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-authorizer/pom.xml,/nifi-bootstrap/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core-api/pom.xml
Dependency Hierarchy:
Found in HEAD commit: 2a508ccd928df4b0618ce585803bc393b7d5b8b3
Found in base branch: master
Vulnerability Details
In Jackson Core before version 2.8.6 if the REST endpoint consumes POST requests with JSON or XML data and data are invalid, the first unrecognized token is printed to server.log. If the first token is word of length 10MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.
Publish Date: 2018-06-24
URL: WS-2018-0124
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=WS-2018-0124
Release Date: 2018-01-24
Fix Resolution: 2.8.6
CVE-2024-38808
Vulnerable Library - spring-expression-4.2.4.RELEASE.jar
Spring Expression Language (SpEL)
Library home page: http://projects.spring.io/spring-framework
Path to dependency file: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml
Path to vulnerable library: /nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-security/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-optimistic-locking/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-file-authorizer/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-site-to-site/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-core/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-jetty/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-framework-cluster-protocol/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-administration/pom.xml,/nifi-nar-bundles/nifi-framework-bundle/nifi-framework-nar/pom.xml
Dependency Hierarchy:
Found in HEAD commit: 2a508ccd928df4b0618ce585803bc393b7d5b8b3
Found in base branch: master
Vulnerability Details
In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition.
Specifically, an application is vulnerable when the following is true:
Publish Date: 2024-08-20
URL: CVE-2024-38808
CVSS 3 Score Details (4.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38808
Release Date: 2024-08-20
Fix Resolution: org.springframework:spring-expression:5.3.39
The text was updated successfully, but these errors were encountered: