Sonatype扫描到了很多CVE
heywiorld opened this issue · 3 comments
heywiorld commented
Bug report
To help us debug your issue please explain:
- 使用openrasp 打包docker 镜像之后,使用sonatype进行了扫描
- 发现了很多CVE
- 希望能有修复计划 或者cve是否需要修复的说明
- 具体cve见如下表格
And please include the following information:
- Operating system type and architecture
- Application server type and version
- For Java based web application servers, provide JDK version
- 1.3.7
| COMPONENT | LICENSE | SECURITY ISSUE | CVSS SCORE |
|---|---|---|---|
| com.fasterxml.jackson.core : jackson-databind : 2.9.5 | Apache-2.0, No Source License | CVE-2018-11307 | 9.8 |
| com.jsoniter : jsoniter : 0.9.23 | MIT, BSD-3-Clause | CVE-2021-23441 | 9.8 |
| log4j : log4j : 1.2.17 | Apache-2.0 | CVE-2019-17571 | 9.8 |
| log4j : log4j : 1.2.17 | Apache-2.0 | CVE-2022-23305 | 9.8 |
| log4j : log4j : 1.2.17 | Apache-2.0 | CVE-2022-23302 | 8.8 |
| log4j : log4j : 1.2.17 | Apache-2.0 | CVE-2022-23307 | 8.8 |
| log4j : log4j : 1.2.17 | Apache-2.0 | sonatype-2010-0053 | 7.8 |
| com.fasterxml.jackson.core : jackson-databind : 2.9.5 | Apache-2.0, No Source License | CVE-2018-12022 | 7.5 |
| com.fasterxml.jackson.core : jackson-databind : 2.9.5 | Apache-2.0, No Source License | CVE-2018-12023 | 7.5 |
| com.fasterxml.jackson.core : jackson-databind : 2.9.5 | Apache-2.0, No Source License | CVE-2020-25649 | 7.5 |
| com.fasterxml.jackson.core : jackson-databind : 2.9.5 | Apache-2.0, No Source License | CVE-2020-36518 | 7.5 |
| com.google.code.gson : gson : 2.8.3 | Apache-2.0 | sonatype-2021-1694 | 7.5 |
| com.google.code.gson : gson : 2.8.5 | Apache-2.0 | sonatype-2021-1694 | 7.5 |
| log4j : log4j : 1.2.17 | Apache-2.0 | CVE-2021-4104 | 7.5 |
Feature Request
Please replace this section with:
- 希望有一个cve的修复计划或者说明
heywiorld commented
sonatype-2021-1694
Explanation The gson package is vulnerable Deserialization of Untrusted Data. The serializable LazilyParsedNumber, LinkedHashTreeMap, and LinkedTreeMap classes permit unsafe deserialization due to use of the default Serializable.readObject() implementation. A remote attacker can exploit this vulnerability by serializing and supplying any of the aforementioned objects to an affected application. This will result in a Denial of Service (DoS) condition or other unexpected behavior when the malicious object is deserialized.CaledoniaProject commented
请参考 #376 (comment)
heywiorld commented
请参考 #376 (comment)
好的 谢谢