bucketfs-document-files-virtual-schema's People

Contributors

ckunki, jakobbraun, kaklakariada, morazow

Forkers

rohankumardubey

bucketfs-document-files-virtual-schema's Issues

๐Ÿ” CVE-2024-29025: io.netty:netty-codec-http:jar:4.1.107.Final:test

Summary

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The HttpPostRequestDecoder can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have; an attacker can send a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field; this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final.

CVE: CVE-2024-29025
CWE: CWE-770

๐Ÿ” CVE-2024-26308: org.apache.commons:commons-compress:jar:1.24.0:compile

Summary

Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26.

Users are recommended to upgrade to version 1.26, which fixes the issue.

CVE: CVE-2024-26308
CWE: CWE-770

Fix vulnerabilities

Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (default-cli) on project bucketfs-document-files-virtual-schema: Detected 3 vulnerable components:

Additionally, check whether the following vulnerability currently still needs to remain excluded:
- 1 vulnerability found (6.2); https://ossindex.sonatype.org/vulnerability/sonatype-2020-0926

๐Ÿ” CVE-2024-25710: org.apache.commons:commons-compress:jar:1.24.0:compile

Summary

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0, which fixes the issue.

CVE: CVE-2024-25710
CWE: CWE-835

๐Ÿ” CVE-2023-52428: com.nimbusds:nimbus-jose-jwt:jar:9.8.1:compile

Summary

In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.

CVE: CVE-2023-52428
CWE: CWE-400

TS(9) support in BucketFS VS

Situation

We introduce nanosecond precision in virtual-schema-common-document.

This needs to be propagated to BucketFS Document Virtual Schema by updating the dependency.

Dependencies

Acceptance Criteria

  • An integration test (coming from VSCD) proves that TS(9) is supported with CSV files
  • An integration test (coming from VSCD) proves that TS(9) is supported with JSON files
  • An integration test (coming from VSCD) proves that TS(9) is supported with Parquet files

๐Ÿ” CVE-2024-29131: org.apache.commons:commons-configuration2:jar:2.8.0:compile

Summary

Out-of-bounds Write vulnerability in Apache Commons Configuration. This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.

Users are recommended to upgrade to version 2.10.1, which fixes the issue.

CVE: CVE-2024-29131
CWE: CWE-787

VSBFS Dependency upgrade

See log messages from build job Dependency Check:

Excluded vulnerabilities:

Fix CVE-2023-42503 and CVE-2023-43642

Error:  Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (default-cli) on project bucketfs-document-files-virtual-schema: Detected 3 vulnerable components:
Error:    org.apache.commons:commons-compress:jar:1.22:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.commons/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2023-42503] CWE-20: Improper Input Validation (5.5); https://ossindex.sonatype.org/vulnerability/CVE-2023-42503?component-type=maven&component-name=org.apache.commons%2Fcommons-compress&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:    io.netty:netty-handler:jar:4.1.94.Final:test; https://ossindex.sonatype.org/component/pkg:maven/io.netty/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2023-4586] CWE-300: Channel Accessible by Non-Endpoint ('Man-in-the-Middle') (6.5); https://ossindex.sonatype.org/vulnerability/CVE-2023-4586?component-type=maven&component-name=io.netty%2Fnetty-handler&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:    org.xerial.snappy:snappy-java:jar:1.1.10.1:compile; https://ossindex.sonatype.org/component/pkg:maven/org.xerial.snappy/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2023-43642] CWE-770: Allocation of Resources Without Limits or Throttling (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2023-43642?component-type=maven&component-name=org.xerial.snappy%2Fsnappy-java&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1

Fix CVE-2023-39410 in org.apache.avro:avro

Error:  Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (default-cli) on project bucketfs-document-files-virtual-schema: Detected 1 vulnerable components:
Error:    org.apache.avro:avro:jar:1.7.7:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.avro/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2023-39410] CWE-502: Deserialization of Untrusted Data (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2023-39410?component-type=maven&component-name=org.apache.avro%2Favro&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1

๐Ÿ” CVE-2024-29133: org.apache.commons:commons-configuration2:jar:2.8.0:compile

Summary

Out-of-bounds Write vulnerability in Apache Commons Configuration. This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.

Users are recommended to upgrade to version 2.10.1, which fixes the issue.

CVE: CVE-2024-29133
CWE: CWE-787

ossindex-maven-plugin fails with vulnerabilities found in dependencies

Error:  Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (default-cli) on project bucketfs-document-files-virtual-schema: Detected 11 vulnerable components:
Error:    com.squareup.okhttp:okhttp:jar:2.7.5:compile; https://ossindex.sonatype.org/component/pkg:maven/com.squareup.okhttp/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2021-0341] CWE-295: Improper Certificate Validation (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2021-0341?component-type=maven&component-name=com.squareup.okhttp%2Fokhttp&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * 1 vulnerability found (5.9); https://ossindex.sonatype.org/vulnerability/sonatype-2018-0035
Error:    com.fasterxml.jackson.core:jackson-databind:jar:2.13.0:compile; https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2020-36518] CWE-787: Out-of-bounds Write (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2020-36518?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * 1 vulnerability found (7.5); https://ossindex.sonatype.org/vulnerability/sonatype-2021-4682
Error:    io.netty:netty-common:jar:4.1.72.Final:runtime; https://ossindex.sonatype.org/component/pkg:maven/io.netty/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2022-24823] CWE-378: Creation of Temporary File With Insecure Permissions (5.5); https://ossindex.sonatype.org/vulnerability/CVE-2022-24823?component-type=maven&component-name=io.netty%2Fnetty-common&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:    org.apache.hadoop:hadoop-common:jar:3.3.1:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.hadoop/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2022-26612] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (9.8); https://ossindex.sonatype.org/vulnerability/CVE-2022-26612?component-type=maven&component-name=org.apache.hadoop%2Fhadoop-common&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:    com.google.guava:guava:jar:31.0.1-jre:compile; https://ossindex.sonatype.org/component/pkg:maven/com.google.guava/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * 1 vulnerability found (6.2); https://ossindex.sonatype.org/vulnerability/sonatype-2020-0926
Error:    io.netty:netty-handler:jar:4.1.72.Final:runtime; https://ossindex.sonatype.org/component/pkg:maven/io.netty/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * 1 vulnerability found (6.5); https://ossindex.sonatype.org/vulnerability/sonatype-2020-0026
Error:    org.apache.xmlrpc:xmlrpc-common:jar:3.1.3:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.xmlrpc/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2016-5003] CWE-502: Deserialization of Untrusted Data (9.8); https://ossindex.sonatype.org/vulnerability/CVE-2016-5003?component-type=maven&component-name=org.apache.xmlrpc%2Fxmlrpc-common&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2016-5002] CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (7.8); https://ossindex.sonatype.org/vulnerability/CVE-2016-5002?component-type=maven&component-name=org.apache.xmlrpc%2Fxmlrpc-common&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:    com.google.protobuf:protobuf-java:jar:2.5.0:compile; https://ossindex.sonatype.org/component/pkg:maven/com.google.protobuf/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2021-22569] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') (5.5); https://ossindex.sonatype.org/vulnerability/CVE-2021-22569?component-type=maven&component-name=com.google.protobuf%2Fprotobuf-java&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:    commons-codec:commons-codec:jar:1.11:compile; https://ossindex.sonatype.org/component/pkg:maven/commons-codec/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * 1 vulnerability found (5.3); https://ossindex.sonatype.org/vulnerability/sonatype-2012-0050
Error:    org.apache.xmlrpc:xmlrpc-client:jar:3.1.3:compile; https://ossindex.sonatype.org/component/pkg:maven/org.apache.xmlrpc/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2016-5004] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') (6.5); https://ossindex.sonatype.org/vulnerability/CVE-2016-5004?component-type=maven&component-name=org.apache.xmlrpc%2Fxmlrpc-client&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:    com.google.code.gson:gson:jar:2.2.4:compile; https://ossindex.sonatype.org/component/pkg:maven/com.google.code.gson/[email protected]?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * 1 vulnerability found (7.5); https://ossindex.sonatype.org/vulnerability/sonatype-2021-1694

Allow configuring base path

In versions before 1.0.0 you could specify a base path in the connection:

CREATE CONNECTION BUCKETFS_CONNECTION
    TO '/bfsdefault/default/'
    USER ''
    IDENTIFIED BY '';

This configuration was lost in version 1.0.0, see #24. That's why we should allow configuring the base path again using the new connection parameter specification, e.g.

CREATE CONNECTION BUCKETFS_CONNECTION
    TO '/bfsdefault/default/'
    USER ''
    IDENTIFIED BY '{"basePath": "/bfsdefault/default/"}';

See old description from the user guide:

The path you define in the CONNECTION is the base path for the file names you define in the mapping definition. The adapter will concatenate the base path and the path defined in the mapping definition. For security reasons you can however not navigate to directories outside of the base path (using ../).
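To illustrate the base-path rule the old user guide describes (base path read from the proposed JSON connection parameter, mapping path concatenated onto it, and any resulting path that leaves the base path rejected), here is an added Python example; it is not the adapter's own Java code, and the function names and the fallback for an empty IDENTIFIED BY are assumptions.

```python
import json

# Constructed connection parameter, mirroring the proposal in this issue:
# IDENTIFIED BY carries a JSON document with a "basePath" key.
CONNECTION_IDENTIFIED_BY = '{"basePath": "/bfsdefault/default/"}'


def read_base_path(identified_by: str, fallback: str = "/") -> str:
    """Return basePath from the JSON in IDENTIFIED BY.
    An empty IDENTIFIED BY (legacy connection) falls back to `fallback`;
    that fallback is an assumption of this example, not adapter behaviour."""
    if not identified_by.strip():
        return fallback
    params = json.loads(identified_by)
    base = params.get("basePath", fallback)
    if not isinstance(base, str) or not base.startswith("/"):
        raise ValueError("basePath must be an absolute BucketFS path")
    return base


def _normalize(path: str) -> str:
    """Collapse '.', '..' and repeated '/' purely lexically (no filesystem access).
    '..' above the root stays at the root; the containment check catches that."""
    parts: list[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def resolve_in_base(base_path: str, mapping_path: str) -> str:
    """Concatenate base path and mapping path as the user guide describes,
    then refuse any result outside the base path (e.g. via '../')."""
    base = _normalize(base_path)
    candidate = _normalize(base + "/" + mapping_path)
    prefix = "/" if base == "/" else base + "/"
    # Compare with a trailing slash so '/bfsdefault/default2' is not
    # mistaken for something inside '/bfsdefault/default'.
    if not (candidate + "/").startswith(prefix):
        raise ValueError(f"{mapping_path!r} escapes base path {base}")
    return candidate


def is_within_base(base_path: str, mapping_path: str) -> bool:
    """Convenience wrapper: True if the mapping path stays under the base path."""
    try:
        resolve_in_base(base_path, mapping_path)
        return True
    except ValueError:
        return False
```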
