Our security scans for reaper 3.6.0 had figured out the following vulnerabilities. Will these be addressed in upcoming versions of reaper like 3.7.0? If yes, what is the timeline for the new release? Also, is reaper actually vulnerable to these CVEs?

Component name - snappy-java
Component version name - 1.1.1.7
CVE-2023-34453
CVE-2023-34454
CVE-2023-34455
CVE-2023-43642
CVSS - 7.5 (High)

Component name - google-guava
Component version name - v24.1.1
CVE - CVE-2023-2976 (BDSA-2016-1748)
CVE-2020-8908
CVSS - 7.1 (High)

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.
CVE-2020-13956 BDSA-2020-2701
CVSS - 5.3 (Medium)

The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older; fixed in Apache Thrift 0.10.0.
CVE-2016-5397 BDSA-2017-3861
CVE-2018-1320 BDSA-2018-4637
CVE-2019-0205 BDSA-2019-3340
CVE-2015-3254
CVE-2018-11798 BDSA-2018-4640
CVSS - 8.8 (Critical)

cassandra-all-2.2.12.jar
CVE-2021-44521
CVE-2020-17516 BDSA-2021-0273
CVE-2019-2684
CVE-2020-13946 BDSA-2020-2259
CVSS - 9.1 (Critical)

squareokio - 3.0.0
CVE-2023-3635 BDSA-2023-2206

SnakeYAML-1.31
CVE-2022-1471
CVE-2022-41854
CVE-2022-38752

CVE-2023-35116
jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.

Netty Project 4.1.94.Final
CVE-2023-44487 BDSA-2023-2732
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
┆Issue is synchronized with this Jira Story by Unito
┆Issue Number: REAP-193
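As an added example (not code from this issue or from the Reaper project): the script below triages scanner findings of the kind listed above. It parses Maven-style version strings such as `v24.1.1`, `4.1.94.Final` and `1.1.10.4`, compares each reported version with the first release that contains the fix, separates findings the vendor disputes, and records what the application must do with the library for the bug to be reachable, which is the question "is reaper actually vulnerable" really asks. The component/version/CVE triples are copied from the issue text; the "fixed in" versions and the reachability notes are taken from the upstream advisories and are assumptions that should be re-checked against NVD/GHSA before acting on them.

```python
"""
Triage helper for SCA scanner findings of the kind listed in this issue.

Added example, not Reaper project code. The component/version/CVE triples are
copied from the issue text; the "fixed in" versions and reachability notes are
taken from the upstream advisories and are an assumption: re-check them against
NVD/GHSA before acting on them.
"""
import re
from dataclasses import dataclass
from typing import Optional

# (component, version as reported by the scanner, CVE) -- from the issue text
FINDINGS = [
    ("snappy-java", "1.1.1.7", "CVE-2023-34453"),
    ("snappy-java", "1.1.1.7", "CVE-2023-43642"),
    ("google-guava", "v24.1.1", "CVE-2020-8908"),
    ("google-guava", "v24.1.1", "CVE-2023-2976"),
    ("snakeyaml", "1.31", "CVE-2022-1471"),
    ("okio", "3.0.0", "CVE-2023-3635"),
    ("jackson-databind", "2.15.2", "CVE-2023-35116"),
    ("netty", "4.1.94.Final", "CVE-2023-44487"),
]

# First release containing the fix (assumption: from the advisories, verify upstream).
# None means the vendor disputes the report and no fixed release exists.
FIXED_IN: dict[str, Optional[str]] = {
    "CVE-2023-34453": "1.1.10.1",
    "CVE-2023-43642": "1.1.10.4",
    "CVE-2020-8908": "30.0",
    "CVE-2023-2976": "32.0.0",
    "CVE-2022-1471": "2.0",
    "CVE-2023-3635": "3.4.0",
    "CVE-2023-35116": None,
    "CVE-2023-44487": "4.1.100.Final",
}

# What has to be true of the *application* for the bug to be reachable (assumption, see above).
REACHABILITY = {
    "CVE-2020-8908": "calls Files.createTempDir()",
    "CVE-2023-2976": "uses FileBackedOutputStream",
    "CVE-2022-1471": "parses untrusted YAML with the default Constructor",
    "CVE-2023-44487": "serves HTTP/2 via netty",
    "CVE-2023-35116": "none: vendor-disputed, needs a cyclic object the attacker cannot construct",
}

_RELEASE_QUALIFIERS = {"final", "release", "ga"}


def version_key(version: str):
    """Sortable key for Maven-style versions ('v24.1.1', '4.1.94.Final', '1.0-rc1').
    Numeric parts compare as integers, release markers like 'Final' are dropped, and a
    pre-release qualifier (rc1, SNAPSHOT) sorts below the plain release of the same number."""
    numbers, qualifiers = [], []
    for part in re.split(r"[.\-]", version.lstrip("vV")):
        if part.isdigit():
            numbers.append(int(part))
        elif part.lower() not in _RELEASE_QUALIFIERS:
            qualifiers.append(part.lower())
    return (tuple(numbers), 0 if qualifiers else 1, "-".join(qualifiers))


def is_fixed(installed: str, fixed_in: Optional[str]) -> bool:
    """True when the installed version is at or beyond the first fixed release."""
    return fixed_in is not None and version_key(installed) >= version_key(fixed_in)


@dataclass
class Triage:
    cve: str
    component: str
    version: str
    status: str                 # "upgrade", "already-fixed", "disputed" or "unknown"
    upgrade_to: Optional[str]
    reachable_if: str


def triage(findings, fixed_in=FIXED_IN, reachability=REACHABILITY) -> list[Triage]:
    out = []
    for component, version, cve in findings:
        fix = fixed_in.get(cve)
        if cve not in fixed_in:
            status = "unknown"          # not in our table: needs a manual look-up
        elif fix is None:
            status = "disputed"         # vendor rejects the report; nothing to upgrade to
        elif is_fixed(version, fix):
            status = "already-fixed"    # scanner matched on name only; version is past the fix
        else:
            status = "upgrade"
        out.append(Triage(cve, component, version, status,
                          fix if status == "upgrade" else None,
                          reachability.get(cve, "check the code for use of the affected API")))
    return out


def upgrade_plan(results: list[Triage]) -> dict[str, str]:
    """Per component, the highest 'fixed in' version among its open findings,
    i.e. the single version bump that closes all of them."""
    plan: dict[str, str] = {}
    for r in results:
        if r.status == "upgrade":
            cur = plan.get(r.component)
            if cur is None or version_key(r.upgrade_to) > version_key(cur):
                plan[r.component] = r.upgrade_to
    return plan


if __name__ == "__main__":
    results = triage(FINDINGS)
    for r in results:
        print(f"{r.cve:15} {r.component:17} {r.version:13} {r.status:14} reachable if: {r.reachable_if}")
    print("upgrade plan:", upgrade_plan(results))
```

The version parser deliberately treats `Final` as a plain release and any other qualifier as pre-release; that matches the libraries in this list but is simpler than Maven's full `ComparableVersion` ordering, so for anything exotic use that class directly.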