DX O2 2x Security Vulnerabilities that are False Positive

Article ID: 399116


Products

DX Application Performance Management DX APM SaaS DX SaaS

Issue/Introduction

This page lists security vulnerabilities reported against the 20.x-25.x releases that are false positives.

Environment

DX O2 2*

Resolution

CVE-2019-9193 (HIGH) - postgres 10.16
CVE-2021-3393 (MEDIUM) - postgres 10.16
CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 - commons-compress 1.9
CVE-2021-42340 (BDSA-2021-3085) (HIGH) - Apache Tomcat 9.0.48 in ACC
CVE-2022-42252 (BDSA-2022-3105) (HIGH) - Apache Tomcat 10.1.0-M17 in http-collector
CVE-2017-5645, CVE-2019-17571, CVE-2021-4104, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 (CRITICAL, HIGH, LOW) - custom log4j 1.x in APM agents
CVE-2022-23307, CVE-2020-9488 (CRITICAL) - Apache Log4j 1.2.x
CVE-2022-23302 (HIGH) - Apache Log4j 1.x
CVE-2022-23305 (CRITICAL) - Apache Log4j 1.2.x
CVE-2021-4104 (HIGH) - Apache Log4j 1.2.x
CVE-2019-17571 (CRITICAL) - Apache Log4j 1.2 up to 1.2.17
CVE-2017-5645 (CRITICAL) - Apache Log4j 2.x before 2.8.2
CVE-2022-22965 (CRITICAL) - Spring Framework RCE via Data Binding on JDK 9+
CVE-2022-21449 (HIGH) - Oracle Java - Improper ECDSA signature verification
CVE-2016-1000027 (CRITICAL) - Spring Framework - HTTP invoker
CVE-2022-34169 (CRITICAL) - Apache Xalan Java XSLT library
CVE-2022-42889 (CRITICAL) - Apache Commons Text (<1.10)
APM proprietary libraries mapping with OpenSource Libraries (AsyncHttpClient, Elasticsearch and Spring Boot)
CVE-2023-38545 (HIGH) - curl Vulnerable to Memory Corruption via Heap-Based Buffer Overflow in SOCKS5 Proxy Handshake
CVE-2023-38546 (LOW) - libcurl Vulnerable to Cookie Injection via Duplication of 'none' File Information in 'curl_easy_duphandle' Function
CVE-2023-46604 (CRITICAL) - Apache ActiveMQ Vulnerable to Remote Code Execution (RCE) via Unsafe Deserialization of OpenWire Protocol
CVE-2023-45960 (HIGH) - dom4j allows a remote attacker to obtain sensitive information
CVE-2023-4586 (HIGH) - Infinispan Vulnerable to Adversary-in-the-Middle (AitM) Attacks via 'HotRod Client'
BDSA-2018-4022 (MEDIUM) - Netty Vulnerable to Certificate Forgery via Missing Hostname Verification
CVE-2023-35116 (HIGH) - Jackson-Databind Vulnerable to Denial-of-Service (DoS) via Stack Overflow in 'map' Parameter (Jackson-Databind)
BDSA-2023-1804 (MEDIUM) - Thymeleaf Vulnerable to Sandbox Escape via Reflection Injection
CVE-2023-39017 (HIGH) - quartz-jobs Vulnerable to Remote Code Execution (RCE) via Dangerous URIs in 'JobDataMap' Object Used by 'SendQueueMessageJob.execute' Method
CVE-2024-6763 (HIGH) - Eclipse Jetty Vulnerable to Server-Side Request Forgery (SSRF) or URL Redirection via Insufficient Validation in 'HttpURI'