CVE Security Report - SICS Search Solr-node
The report contains data retrieved from the National Vulnerability Database: https://nvd.nist.gov, NPM Public Advisories: https://www.npmjs.com/advisories, and the RetireJS community.
| Name | Description | CWE | CVSS v2.0 Severity | CVSS v3.0 Severity | Dependency |
|---|---|---|---|---|---|
| CVE-2020-7676 | angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping '<option>' elements in '<select>' ones changes parsing behavior, leading to possibly unsanitizing code. | CWE-79 | LOW | MEDIUM | angular-cookies.min.js |
| CVE-2020-7676 | angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping '<option>' elements in '<select>' ones changes parsing behavior, leading to possibly unsanitizing code. | CWE-79 | LOW | MEDIUM | angular-resource.min.js |
| CVE-2020-7676 | angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping '<option>' elements in '<select>' ones changes parsing behavior, leading to possibly unsanitizing code. | CWE-79 | LOW | MEDIUM | angular-route.min.js |
| CVE-2020-7676 | angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping '<option>' elements in '<select>' ones changes parsing behavior, leading to possibly unsanitizing code. | CWE-79 | LOW | MEDIUM | angular-sanitize.min.js |
| CVE-2020-7676 | angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping '<option>' elements in '<select>' ones changes parsing behavior, leading to possibly unsanitizing code. | CWE-79 | LOW | MEDIUM | angular.min.js |
| CVE-2020-13955 | HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses internally this method to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, the hostname verification will be performed using the default JVM truststore. | CWE-306 | MEDIUM | MEDIUM | avatica-core-1.13.0.jar |
| CVE-2020-28052 | An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different. | NVD-CWE-Other | MEDIUM | HIGH | bcprov-jdk15on-1.65.jar |
| CVE-2020-13955 | HttpUtils#getURLConnection method disables explicitly hostname verification for HTTPS connections making clients vulnerable to man-in-the-middle attacks. Calcite uses internally this method to connect with Druid and Splunk so information leakage may happen when using the respective Calcite adapters. The method itself is in a utility class so people may use it to create vulnerable HTTPS connections for other applications. From Apache Calcite 1.26 onwards, the hostname verification will be performed using the default JVM truststore. | CWE-306 | MEDIUM | MEDIUM | calcite-core-1.18.0.jar |
| CVE-2018-10237 | Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable. | CWE-770 | MEDIUM | MEDIUM | carrot2-guava-18.0.jar |
| CVE-2020-8908 | A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured. | CWE-732 | LOW | LOW | carrot2-guava-18.0.jar |
| CVE-2018-10237 | Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable. | CWE-770 | MEDIUM | MEDIUM | carrot2-guava-18.0.jar (shaded: com.google.guava:guava:18.0) |
| CVE-2020-8908 | A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured. | CWE-732 | LOW | LOW | carrot2-guava-18.0.jar (shaded: com.google.guava:guava:18.0) |
| CVE-2021-35515 | When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. | CWE-834 | MEDIUM | HIGH | commons-compress-1.20.jar |
| CVE-2021-35516 | When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package. | NVD-CWE-Other | MEDIUM | HIGH | commons-compress-1.20.jar |
| CVE-2021-35517 | When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package. | NVD-CWE-Other | MEDIUM | HIGH | commons-compress-1.20.jar |
| CVE-2021-36090 | When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. | NVD-CWE-Other | MEDIUM | HIGH | commons-compress-1.20.jar |
| CVE-2020-8908 | A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured. | CWE-732 | LOW | LOW | guava-25.1-jre.jar |
| CVE-2020-9492 | In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification. | CWE-269 | MEDIUM | HIGH | hadoop-auth-3.2.0.jar |
| CVE-2020-35490 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource. | HIGH | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | ||
| CVE-2020-35491 | FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource. | HIGH | htrace-core4-4.1.0-incubating.jar (shaded: com.fasterxml.jackson.core:jackson-databind:2.4.0) | ||
| CVE-2020-13956 | Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution. | NVD-CWE-noinfo | MEDIUM | MEDIUM | httpclient-4.5.12.jar |
| CVE-2021-33813 | An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. | CWE-611 | MEDIUM | HIGH | jdom2-2.0.6.jar |
| CVE-2021-21290 | Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method 'File.createTempFile' on unix-like systems creates a random file, but, by default will create this file with the permissions '-rw-r--r--'. Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's 'AbstractDiskHttpData' is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own 'java.io.tmpdir' when you start the JVM or use 'DefaultHttpDataFactory.setBaseDir(...)' to set the directory to something that is only readable by the current user. | CWE-378 | LOW | MEDIUM | netty-transport-4.1.50.Final.jar |
| CVE-2021-21295 | Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`. | CWE-444 | LOW | MEDIUM | netty-transport-4.1.50.Final.jar |
| CVE-2021-21409 | Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final. | CWE-444 | MEDIUM | MEDIUM | netty-transport-4.1.50.Final.jar |
| CVE-2021-27807 | A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions. | CWE-834 | MEDIUM | MEDIUM | pdfbox-2.0.19.jar |
| CVE-2021-27906 | A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions. | NVD-CWE-Other | MEDIUM | MEDIUM | pdfbox-2.0.19.jar |
| CVE-2021-31811 | In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions. | NVD-CWE-Other | MEDIUM | MEDIUM | pdfbox-2.0.19.jar |
| CVE-2021-31812 | In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions. | CWE-834 | MEDIUM | MEDIUM | pdfbox-2.0.19.jar |
| CVE-2017-1000190 | SimpleXML (latest version 2.7.1) is vulnerable to an XXE vulnerability resulting SSRF, information disclosure, DoS and so on. | CWE-611 | MEDIUM | CRITICAL | simple-xml-safe-2.7.1.jar |
| CVE-2021-27905 | The ReplicationHandler (normally registered at '/replication' under a Solr core) in Apache Solr has a 'masterUrl' (also 'leaderUrl' alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the 'shards' parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2. | CWE-918 | HIGH | CRITICAL | solr-core-8.7.0.jar |
| CVE-2021-29262 | When starting Apache Solr versions prior to 8.8.2, configured with the SaslZkACLProvider or VMParamsAllAndReadonlyDigestZkACLProvider and no existing security.json znode, if the optional read-only user is configured then Solr would not treat that node as a sensitive path and would allow it to be readable. Additionally, with any ZkACLProvider, if the security.json is already present, Solr will not automatically update the ACLs. | CWE-522 | MEDIUM | HIGH | solr-core-8.7.0.jar |
| CVE-2021-29943 | When using ConfigurableInternodeAuthHadoopPlugin for authentication, Apache Solr versions prior to 8.8.2 would forward/proxy distributed requests using server credentials instead of original client credentials. This would result in incorrect authorization resolution on the receiving hosts. | CWE-863 | MEDIUM | CRITICAL | solr-core-8.7.0.jar |
| CVE-2020-29242 | dhowden tag before 2020-11-19 allows 'panic: runtime error: index out of range' via readPICFrame. | CWE-129 | MEDIUM | MEDIUM | tagsoup-1.2.1.jar |
| CVE-2020-29243 | dhowden tag before 2020-11-19 allows 'panic: runtime error: index out of range' via readAPICFrame. | CWE-129 | MEDIUM | MEDIUM | tagsoup-1.2.1.jar |
| CVE-2020-29244 | dhowden tag before 2020-11-19 allows 'panic: runtime error: slice bounds out of range' via readTextWithDescrFrame. | CWE-129 | MEDIUM | MEDIUM | tagsoup-1.2.1.jar |
| CVE-2020-29245 | dhowden tag before 2020-11-19 allows 'panic: runtime error: slice bounds out of range' via readAtomData. | CWE-129 | MEDIUM | MEDIUM | tagsoup-1.2.1.jar |
| CVE-2021-28657 | A carefully crafted or corrupt file may trigger an infinite loop in Tika's MP3Parser up to and including Tika 1.25. Apache Tika users should upgrade to 1.26 or later. | CWE-835 | MEDIUM | MEDIUM | tika-core-1.24.1.jar |
| CVE-2018-1000823 | exist version <= 5.0.0-RC4 contains a XML External Entity (XXE) vulnerability in XML Parser for REST Server that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. | CWE-611 | HIGH | CRITICAL | xercesImpl-2.12.0.jar |
This report was generated 22.09.2021, 06:15:32 UTC, using dependency-check version: 6.0.3.