Benjamin Kenner created an issue

Issue Type: Bug
Affects Versions: 2.21.2
Assignee: Unassigned
Created: 17/Nov/22 11:34 AM
Priority: Medium
Reporter:
Hi all, we are running GeoServer 2.21.2 on top of the kartoza container image. As we run regular vulnerability scans within our container environment with Aqua, we discovered a few vulnerabilities related to the GeoServer source code, especially the jar libraries included in the GeoServer code base.
The following vulnerabilities (only those rated high or critical) were identified by the mentioned solution. Some of the findings include a recommendation for remediation.
| Vulnerability Name | Severity | Resource | Resource Path | Solution |
|---|---|---|---|---|
| CVE-2022-41853 | critical | hsqldb | …/geoserver/WEB-INF/lib/hsqldb-2.4.1.jar | Upgrade package hsqldb to version 2.7.1 or above. |
| CVE-2022-41852 | critical | commons-jxpath | …/geoserver/WEB-INF/lib/commons-jxpath-1.3.jar | No Vendor fix available |
| CVE-2020-8441 | critical | jyaml | …/geoserver/WEB-INF/lib/jyaml-1.3.jar | No Vendor fix available |
| CVE-2022-22978 | critical | spring-security-core | …/geoserver/WEB-INF/lib/spring-security-core-5.1.13.RELEASE.jar | Upgrade package spring-security-core to version 5.5.7 or above. |
| CVE-2020-15232 | critical | print-lib | …/geoserver/WEB-INF/lib/print-lib-2.1.5.jar | Upgrade package print-lib to version 3.24 or above. |
| CVE-2022-25647 | high | gson | …/geoserver/WEB-INF/lib/gson-2.3.1.jar | Upgrade package gson to version 2.8.9 or above. |
| CVE-2022-40149 | high | jettison | …/geoserver/WEB-INF/lib/jettison-1.4.1.jar | Upgrade package jettison to version 1.5.1 or above. |
| CVE-2022-40150 | high | jettison | …/geoserver/WEB-INF/lib/jettison-1.4.1.jar | No Vendor fix available |
| CVE-2022-40151 | high | xstream | …/geoserver/WEB-INF/lib/xstream-1.4.19.jar | No Vendor fix available |
| CVE-2022-40152 | high | xstream | …/geoserver/WEB-INF/lib/xstream-1.4.19.jar | No Vendor fix available |
| CVE-2022-40153 | high | xstream | …/geoserver/WEB-INF/lib/xstream-1.4.19.jar | No Vendor fix available |
| CVE-2022-40154 | high | xstream | …/geoserver/WEB-INF/lib/xstream-1.4.19.jar | No Vendor fix available |
| CVE-2022-40155 | high | xstream | …/geoserver/WEB-INF/lib/xstream-1.4.19.jar | No Vendor fix available |
| CVE-2022-40156 | high | xstream | …/geoserver/WEB-INF/lib/xstream-1.4.19.jar | No Vendor fix available |
| CVE-2021-22112 | high | spring-security-web | …/geoserver/WEB-INF/lib/spring-security-web-5.1.13.RELEASE.jar | Upgrade package spring-security-web to version 5.2.9 or above. |
| CVE-2022-3171 | high | protobuf-java | …/geoserver/WEB-INF/lib/protobuf-java-3.9.1.jar | Upgrade package protobuf-java to version 3.16.3 or above. |
| CVE-2022-22950 | high | spring-core | …/geoserver/WEB-INF/lib/spring-core-5.2.22.RELEASE.jar | Upgrade package spring-core to version 5.3.17 or above. |
Would you be able to mitigate the vulnerabilities by following the recommendations and updating the corresponding packages within your code base?
Are these vulnerabilities already known, and is remediation on the roadmap for future releases? Are there any dependencies that make it impossible to address these vulnerabilities?
Many thanks for your support and great work!
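A small re-check script for the findings above, added here as an example (it is not GeoServer's code, nor part of the Aqua scanner). It transcribes the remediation data from the issue's table, parses Maven-style jar names from a `WEB-INF/lib` listing, and reports which jars are still below the recommended fixed version and which carry findings that no version bump can clear. The `SAMPLE_JARS` listing is constructed sample input (the jar names from the table plus one untracked jar), and the version ordering is a simple numeric-component comparison that ignores qualifiers such as `RELEASE`; both are assumptions of this example, not something the issue states.

```python
"""Re-check a GeoServer WEB-INF/lib listing against the issue's findings table.

Added example, not GeoServer's or Aqua's code. The remediation data below is
transcribed from the table in the issue; the jar listing is constructed input.
"""
import re
from typing import NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    artifact: str
    version: str
    status: str                 # "upgrade", "no vendor fix" or "ok"
    cves: Tuple[str, ...]       # CVEs still open for this jar
    min_fixed: Optional[str]    # recommended minimum version, if the scanner gave one


# Rows of the issue's table that carry a recommended fixed version.
UPGRADE_TO = {
    "hsqldb": ("2.7.1", ("CVE-2022-41853",)),
    "spring-security-core": ("5.5.7", ("CVE-2022-22978",)),
    "print-lib": ("3.24", ("CVE-2020-15232",)),
    "gson": ("2.8.9", ("CVE-2022-25647",)),
    "jettison": ("1.5.1", ("CVE-2022-40149",)),
    "spring-security-web": ("5.2.9", ("CVE-2021-22112",)),
    "protobuf-java": ("3.16.3", ("CVE-2022-3171",)),
    "spring-core": ("5.3.17", ("CVE-2022-22950",)),
}

# Rows the scanner marked "No Vendor fix available". A version bump alone
# cannot clear these, so they stay open as long as the jar is shipped at all.
NO_VENDOR_FIX = {
    "commons-jxpath": ("CVE-2022-41852",),
    "jyaml": ("CVE-2020-8441",),
    "jettison": ("CVE-2022-40150",),
    "xstream": tuple("CVE-2022-4015%d" % n for n in range(1, 7)),
}

# Maven-style jar name: <artifact>-<version>.jar, with the version starting at
# the first '-' that is followed by a digit.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


def parse_jar(name: str) -> Optional[Tuple[str, str]]:
    """Split 'spring-core-5.2.22.RELEASE.jar' into ('spring-core', '5.2.22.RELEASE')."""
    m = JAR_RE.match(name)
    return (m.group("artifact"), m.group("version")) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Comparable key: numeric components only; qualifiers like RELEASE are dropped."""
    return tuple(int(p) for p in re.split(r"[.\-]", version) if p.isdigit())


def audit(jar_names) -> list:
    """Return one Finding per distinct jar name, ordered by name."""
    findings = []
    for name in sorted(set(jar_names)):
        parsed = parse_jar(name)
        if parsed is None:
            continue  # not a versioned jar name; nothing to compare
        artifact, version = parsed
        status, cves, min_fixed = "ok", (), None
        if artifact in UPGRADE_TO:
            min_fixed, fixed_cves = UPGRADE_TO[artifact]
            if version_key(version) < version_key(min_fixed):
                status, cves = "upgrade", fixed_cves
        if artifact in NO_VENDOR_FIX:
            cves += NO_VENDOR_FIX[artifact]
            if status == "ok":
                status = "no vendor fix"
        findings.append(Finding(artifact, version, status, cves, min_fixed))
    return findings


# Constructed sample listing: the jar names from the issue's table plus one
# untracked jar (commons-lang3) to show the clean path. Not a real directory.
SAMPLE_JARS = [
    "hsqldb-2.4.1.jar", "commons-jxpath-1.3.jar", "jyaml-1.3.jar",
    "spring-security-core-5.1.13.RELEASE.jar", "print-lib-2.1.5.jar",
    "gson-2.3.1.jar", "jettison-1.4.1.jar", "xstream-1.4.19.jar",
    "spring-security-web-5.1.13.RELEASE.jar", "protobuf-java-3.9.1.jar",
    "spring-core-5.2.22.RELEASE.jar", "commons-lang3-3.12.0.jar",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_JARS):
        if f.status == "ok":
            continue
        target = " -> upgrade to >= %s" % f.min_fixed if f.status == "upgrade" else ""
        print("%s-%s: %s%s  [%s]" % (f.artifact, f.version, f.status, target, ", ".join(f.cves)))
```

To run it against a real deployment, replace `SAMPLE_JARS` with `os.listdir(".../geoserver/WEB-INF/lib")`. Jettison is the case worth noticing: it appears in both tables, so moving to 1.5.1 clears CVE-2022-40149 but the script still lists CVE-2022-40150 as open, which matches the scanner's "No Vendor fix available" verdict rather than silently marking the jar clean.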
This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100210-sha1:9b34d7c)