This table lists the known exploitable and non-exploitable vulnerabilities in third-party packages used in the project. Each row is one reported vulnerability, so the same repository and group can appear several times.
Repository | Group | Impact Analysis | Action |
---|---|---|---|
sdnc/apps, sdnc/oam | ch.qos.logback | Most likely false positive, since this vulnerability only applies to remote socket connections, which do not apply (since we do not log to remote server). However, should be addressed anyway. | |
sdnc/oam | com.fasterxml | Should be upgraded to jackson-databind version 2.9.8 | |
sdnc/oam | com.fasterxml | Should be upgraded to jackson-databind version 2.9.8 | |
sdnc/apps | com.fasterxml.jackson.core | Fixed in version 2.8.6 | |
sdnc/apps | com.fasterxml.jackson.core | Fixed in version 2.9.8 | |
sdnc/apps | com.fasterxml.jackson.core | Fixed in version 2.9.8 | |
sdnc/apps | com.fasterxml.jackson.core | Fixed in version 2.9.8 | |
sdnc/apps | com.fasterxml.jackson.core | There is no non-vulnerable version, but there is a documented workaround. | |
sdnc/northbound | com.fasterxml.jackson.core | Fixed in version 2.9.8 | |
sdnc/oam | com.fasterxml.jackson.core | There is no non-vulnerable version, but there is a documented workaround. | |
sdnc/apps | com.fasterxml.jackson.core | There is no non-vulnerable version, but there is a documented workaround. | |
sdnc/apps | com.fasterxml.jackson.datatype | Fixed in version 2.9.8 | |
sdnc/northbound | com.fasterxml.jackson.datatype | Fixed in version 2.9.8 | |
sdnc/apps, sdnc/northbound | com.google.guava | Fixed in version 23.6.1 | |
sdnc/oam | dom4j | Fixed in version 2.1.1 | |
sdnc/oam | javax.servlet | Fixed in version 1.2.3 | |
sdnc/northbound | javax.mail | Fixed in version 1.5.3 | |
sdnc/northbound, sdnc/oam | org.apache.karaf.jaas | Inherited from OpenDaylight Fluorine release | Must be fixed in upstream OpenDaylight |
sdnc/northbound, sdnc/oam | org.apache.karaf.jaas | Inherited from OpenDaylight Fluorine release | Must be fixed in upstream OpenDaylight |
sdnc/northbound, sdnc/oam | org.apache.karaf.jaas | Inherited from OpenDaylight Fluorine release | Must be fixed in upstream OpenDaylight |
sdnc/northbound, sdnc/oam | org.apache.karaf.jaas | Inherited from OpenDaylight Fluorine release | Must be fixed in upstream OpenDaylight |
sdnc/northbound, sdnc/oam | org.apache.karaf.shell | Inherited from OpenDaylight Fluorine release | Must be fixed in upstream OpenDaylight |
sdnc/northbound, sdnc/oam | org.apache.karaf.shell | Inherited from OpenDaylight Fluorine release | Must be fixed in upstream OpenDaylight |
sdnc/oam | org.apache.logging.log4j | Fixed in version 2.8.2 | |
sdnc/oam | org.apache.tomcat.embed | Upgrade to version 8.5.32 | |
sdnc/oam | org.apache.tomcat.embed | Upgrade to version 8.5.32 | |
sdnc/oam | org.apache.tomcat.embed | Upgrade to version 8.5.32 | |
sdnc/oam | org.apache.tomcat.embed | Upgrade to version 8.5.32 | |
sdnc/oam | org.apache.tomcat.embed | Upgrade to version 8.5.32 | |
sdnc/oam | org.apache.tomcat.embed | Upgrade to version 8.5.32 | |
sdnc/oam | org.apache.tomcat.embed | Upgrade to version 8.5.32 | |
sdnc/oam | org.apache.tomcat.embed | Upgrade to version 8.5.32 | |
sdnc/oam | org.apache.tomcat.embed | Upgrade to version 8.5.32 | |
sdnc/oam | org.apache.tomcat.embed | Upgrade to version 8.5.32 | |
sdnc/oam | org.codehaus.jackson | There is no non-vulnerable version, but there is a documented workaround. | |
sdnc/oam | org.hibernate | Upgrade to version 5.3.6.Final or above | |
sdnc/apps, sdnc/northbound | org.springframework | Fixed in version 4.3.15.RELEASE | |
sdnc/apps, sdnc/northbound | org.springframework | Fixed in version 4.3.15.RELEASE | |
sdnc/apps, sdnc/northbound | org.springframework | Fixed in version 4.3.15.RELEASE | |
sdnc/apps, sdnc/northbound | org.springframework | Fixed in version 4.3.20.RELEASE | |
sdnc/apps, sdnc/northbound | org.springframework | Fixed in version 4.3.18.RELEASE | |
sdnc/apps, sdnc/northbound | org.springframework | Fixed in version 4.3.18.RELEASE | |
sdnc/oam | org.springframework | Fixed in version 4.3.20.RELEASE | |
sdnc/oam | org.springframework | Fixed in version 4.3.18.RELEASE | |
sdnc/oam | org.springframework | Fixed in version 4.3.18.RELEASE | |
sdnc/oam | org.springframework | Fixed in version 4.3.18.RELEASE | |
sdnc/oam | org.springframework | Fixed in version 4.3.18.RELEASE | |
sdnc/oam | org.springframework.data | Fixed in version 1.13.11 | |
sdnc/oam | org.springframework.data | Fixed in version 1.13.12 | |
sdnc/oam | org.springframework.data | Fixed in version 1.13.10 | |
sdnc/oam | org.webjars | Fixed in version 4.0.0 and above | |
sdnc/oam | org.webjars | Fixed in version 3.4.0 and above | |
sdnc/oam | org.webjars | Fixed in version 3.4.0 and above | |
sdnc/oam | org.webjars | Fixed in version 4.1.2 and above | |
sdnc/oam | org.webjars | Fixed in jQuery version 3.0.0 | |
sdnc/oam | org.webjars | Fixed in jQuery version 3.0.0 | |
sdnc/oam | bootstrap | Fixed in version 4.1.2 | |
sdnc/oam | bootstrap | Fixed in version 4.1.2 | |
sdnc/oam | bootstrap | Fixed in version 4.1.2 | |
sdnc/oam | bootstrap | Fixed in version 4.1.2 | |
sdnc/oam | bootstrap-table | Needs further research. The problem description is poor, as is usual with these: it says to upgrade to a version that does not have the vulnerability without stating what version that might be. | |
sdnc/apps | handlebars | Workaround is to ensure that "handlebars" (double-brace expressions, e.g. {{ hello there }}) are placed inside single quotes (e.g. '{{hello there}}'). | |
sdnc/oam | jquery | Fixed in jQuery version 3.0.0 | |
sdnc/oam | jquery | Fixed in jQuery version 3.0.0 | |
sdnc/oam | jquery | Fixed in jQuery version 3.0.0 | |
sdnc/oam | jquery | Fixed in jQuery version 3.0.0 | |
sdnc/apps | uikit | Appears to have been fixed in 2016, but it is unclear in which version. This is a recurrent theme in Sonatype vulnerability reports: the problem description generally says "upgrade to a version that does not have this vulnerability" without specifying that version, giving only a link to the change in GitHub, which does not tell you which version it applies to. | |