This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.
| Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
|---|---|---|---|---|---|---|
| logging-analytics | org.springframework | CVE-2018-15756 | effective | yes | Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable. | Tracked by LOG-1159 - Getting issue details... STATUS for Frankfurt. |
| Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
|---|---|---|---|---|---|---|
| logging-analytics-pomba-pomba-aai-context-builder | com.fasterxml.jackson.core | N/A | effective |
| Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160 - Getting issue details... STATUS to investigate further in Frankfurt. | |
| logging-analytics-pomba-pomba-aai-context-builder | com.fasterxml.jackson.core | CVE-2019-12384 | effective | FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. | Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160 - Getting issue details... STATUS to investigate further in Frankfurt. | |
| logging-analytics-pomba-pomba-aai-context-builder | com.fasterxml.jackson.core | CVE-2019-12814 | effective | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. | Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160 - Getting issue details... STATUS to investigate further in Frankfurt. |
| Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
|---|---|---|---|---|---|---|
| logging-analytics-pomba-pomba-context-aggreator | com.fasterxml.jackson.core | N/A | effective |
| Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160 - Getting issue details... STATUS to investigate further in Frankfurt. | |
| logging-analytics-pomba-pomba-context-aggregator | com.fasterxml.jackson.core | CVE-2019-12384 | effective | FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. | Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160 - Getting issue details... STATUS to investigate further in Frankfurt. | |
| logging-analytics-pomba-pomba-context-aggregator | com.fasterxml.jackson.core | CVE-2019-12814 | effective | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. | Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160 - Getting issue details... STATUS to investigate further in Frankfurt. |
| Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
|---|---|---|---|---|---|---|
| logging-analytics-pomba-pomba-network-discovery-context-builder | com.fasterxml.jackson.core | N/A | effective |
| Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160 - Getting issue details... STATUS to investigate further in Frankfurt. | |
| logging-analytics-pomba-pomba-network-discovery-context-builder | com.fasterxml.jackson.core | CVE-2019-12384 | effective | FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. | Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160 - Getting issue details... STATUS to investigate further in Frankfurt. | |
| logging-analytics-pomba-pomba-network-discovery-context-builder | com.fasterxml.jackson.core | CVE-2019-12814 | effective | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. | Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160 - Getting issue details... STATUS to investigate further in Frankfurt. | |
| logging-analytics-pomba-pomba-network-discovery-context-builder | handlebars | N/A | effective - pulled in by swagger | no | The handlebars package is vulnerable to Remote Code Execution (RCE). Several functions in several files, as listed below, contain a “lookup” helper which does not properly verify object types. If a remote attacker is able to influence the object instance, they can execute arbitrary code on the target system. | Pulled in by swagger, no solution yet. LOG-827 - Getting issue details... STATUS |
| logging-analytics-pomba-pomba-network-discovery-context-builder | handlebars | N/A | ineffective - no javascript | no | The handlebars package is vulnerable to Prototype Pollution. The JavaScriptCompiler() function in the javascript-compiler.js file fails to restrict access to the constructor from templates. A remote attacker with the ability to inject templates into the handlebars setup can exploit this vulnerability by supplying a template containing malicious JavaScript. The attacker can leverage this issue to inject malicious JavaScript into the constructor property, resulting in script execution when the application processes the template. | Pulled in by swagger, no solution yet. LOG-827 - Getting issue details... STATUS |
| logging-analytics-pomba-pomba-network-discovery-context-builder | handlebars | N/A | ineffective - no javascript | no | The handlebars package is vulnerable to Cross-Site Scripting (XSS). The file utils.js contains the method escapeExpression() and its helper method escapeChar(). The method escapeExpression(), via escapeChar(), only escapes > < and `, " or ' (back tick, double quote, single quote) characters and not the = equal sign. Cross-Site Scripting attacks with equals characters will be accepted. The escapeExpression() method is invoked in two ways. (1) It can be called directly as a utility method and/or (2) the framework invokes it when double curly braces are used (as opposed to the triple curly which preforms no escaping). A consumer of this library, either through use of double curly brackets or by calling the escapeExpression() method, expects the returned string to be safe for output to a HTML page. If this functionality is used with user controllable data, an attacker can exploit this vulnerability by crafting an input that injects JavaScript into the page leading to an XSS attack. | Pulled in by swagger, no solution yet. LOG-827 - Getting issue details... STATUS |
| logging-analytics-pomba-pomba-network-discovery-context-builder | js-yaml | N/A | pulled in by swagger | No | The js-yaml package is vulnerable to Remote Code Execution (RCE). The storeMappingPair() function in the loader.js file allows for the execution of code contained within a toString property in provided yaml data. A remote attacker can exploit this vulnerability by submitting malicious yaml data with a toString property that contains malicious code. This will result in the execution of the attacker-provided code when the application attempts to process the yaml data. | Track by LOG-1118 - Getting issue details... STATUS |
| logging-analytics-pomba-pomba-network-discovery-context-builder | js-yaml | N/A | pulled in by swagger | No | The js-yaml package is vulnerable to a Denial of Service (DoS) attack. The storeMappingPair() function in the loader.js file fails to disallow nested arrays as map keys. A remote attacker can exploit this vulnerability by submitting malicious yaml containing deeply nested data structures that reference each other. This will result in exponential expansion and ultimately a DoS condition when the application attempts to process the provided yaml. | Track by LOG-1118 - Getting issue details... STATUS |
| logging-analytics-pomba-pomba-network-discovery-context-builder | uikit | N/A | pulled in by swagger | The uikit package is vulnerable to Regular Expression Denial of Service (ReDoS). The htmleditor.html file uses an old version of the marked package that has a ReDoS vulnerability in it. A remote attacker can exploit this vulnerability by crafting a malicious regular expression and sending it to the vulnerable server which can result in the event loop getting blocked for excessive amounts of time and will potentially consume all available CPU resources. | Track by LOG-1117 - Getting issue details... STATUS |
| Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
|---|---|---|---|---|---|---|
| logging-analytics-pomba-pomba-sdc-context-builder | com.fasterxml.jackson.core | N/A | effective |
| Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160 - Getting issue details... STATUS to investigate further in Frankfurt. | |
| logging-analytics-pomba-pomba-sdc-context-builder | com.fasterxml.jackson.core | CVE-2019-12384 | effective | FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. | Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160 - Getting issue details... STATUS to investigate further in Frankfurt. | |
| logging-analytics-pomba-pomba-sdc-context-builder | com.fasterxml.jackson.core | CVE-2019-12814 | effective | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. | Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160 - Getting issue details... STATUS to investigate further in Frankfurt. | |
| logging-analytics-pomba-pomba-sdc-context-builder | jQuery | N/A | effective | yes | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype. An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code. | pulled in by swagger, upgrade to version 3.x LOG-1101 - Getting issue details... STATUS |
| logging-analytics-pomba-pomba-sdc-context-builder | jQuery | N/A | effective | yes | The jQuery package is vulnerable to Cross-Site Scripting (XSS). The parseHTML() function in the parseHTML.js, jquery.js files allow JavaScript to be executed immediately when it's embedded within the event attributes. An attacker can exploit this vulnerability by injecting malicious JavaScript containing events handlers which, when rendered, results in the execution of arbitrary script. | pulled in by swagger, upgrade to version 3.x LOG-1101 - Getting issue details... STATUS |
| logging-analytics-pomba-pomba-sdc-context-builder | commons-codec | N/A | ineffective - only used in JUnit | no | The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32, Base64, and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings. | pulled in by <groupId>org.onap.sdc.sdc-tosca</groupId> Depends on SDC |
| Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
|---|---|---|---|---|---|---|
| logging-analytics-pomba-pomba-sdnc-context-builder | com.fasterxml.jackson.core | N/A | effective |
| Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160 - Getting issue details... STATUS to investigate further in Frankfurt. | |
| logging-analytics-pomba-pomba-sdnc-context-builder | com.fasterxml.jackson.core | CVE-2019-12384 | effective | FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. | Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160 - Getting issue details... STATUS to investigate further in Frankfurt. | |
| logging-analytics-pomba-pomba-sdnc-context-builder | com.fasterxml.jackson.core | CVE-2019-12814 | effective | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. | Currently no good version can be upgraded to. Further investigation is needed. Tracked by LOG-1160 - Getting issue details... STATUS to investigate further in Frankfurt. | |
| logging-analytics-pomba-pomba-sdnc-context-builder | handlebars | N/A | effective - pulled in by swagger | no | The handlebars package is vulnerable to Remote Code Execution (RCE). Several functions in several files, as listed below, contain a “lookup” helper which does not properly verify object types. If a remote attacker is able to influence the object instance, they can execute arbitrary code on the target system. | Pulled in by swagger, no solution yet. LOG-827 - Getting issue details... STATUS |
| logging-analytics-pomba-pomba-sdnc-context-builder | handlebars | N/A | ineffective - no javascript | no | The handlebars package is vulnerable to Prototype Pollution. The JavaScriptCompiler() function in the javascript-compiler.js file fails to restrict access to the constructor from templates. A remote attacker with the ability to inject templates into the handlebars setup can exploit this vulnerability by supplying a template containing malicious JavaScript. The attacker can leverage this issue to inject malicious JavaScript into the constructor property, resulting in script execution when the application processes the template. | Pulled in by swagger, no solution yet. LOG-827 - Getting issue details... STATUS |
| logging-analytics-pomba-pomba-sdnc-context-builder | handlebars | N/A | ineffective - no javascript | no | The handlebars package is vulnerable to Cross-Site Scripting (XSS). The file utils.js contains the method escapeExpression() and its helper method escapeChar(). The method escapeExpression(), via escapeChar(), only escapes > < and `, " or ' (back tick, double quote, single quote) characters and not the = equal sign. Cross-Site Scripting attacks with equals characters will be accepted. The escapeExpression() method is invoked in two ways. (1) It can be called directly as a utility method and/or (2) the framework invokes it when double curly braces are used (as opposed to the triple curly which preforms no escaping). A consumer of this library, either through use of double curly brackets or by calling the escapeExpression() method, expects the returned string to be safe for output to a HTML page. If this functionality is used with user controllable data, an attacker can exploit this vulnerability by crafting an input that injects JavaScript into the page leading to an XSS attack. | Pulled in by swagger, no solution yet. LOG-827 - Getting issue details... STATUS |
| logging-analytics-pomba-pomba-sdnc-context-builder | js-yaml | N/A | pulled in by swagger | The js-yaml package is vulnerable to Remote Code Execution (RCE). The storeMappingPair() function in the loader.js file allows for the execution of code contained within a toString property in provided yaml data. A remote attacker can exploit this vulnerability by submitting malicious yaml data with a toString property that contains malicious code. This will result in the execution of the attacker-provided code when the application attempts to process the yaml data. The application is vulnerable by using the load() function in this component to process user-supplied yaml data. | Track by LOG-1118 - Getting issue details... STATUS | |
| logging-analytics-pomba-pomba-sdnc-context-builder | js-yaml | N/A | pulled in by swagger | The js-yaml package is vulnerable to a Denial of Service (DoS) attack. The storeMappingPair() function in the loader.js file fails to disallow nested arrays as map keys. A remote attacker can exploit this vulnerability by submitting malicious yaml containing deeply nested data structures that reference each other. This will result in exponential expansion and ultimately a DoS condition when the application attempts to process the provided yaml. | Track by LOG-1118 - Getting issue details... STATUS | |
| logging-analytics-pomba-pomba-sdnc-context-builder | uikit | N/A | pulled in by swagger | The uikit package is vulnerable to Regular Expression Denial of Service (ReDoS). The htmleditor.html file uses an old version of the marked package that has a ReDoS vulnerability in it. A remote attacker can exploit this vulnerability by crafting a malicious regular expression and sending it to the vulnerable server which can result in the event loop getting blocked for excessive amounts of time and will potentially consume all available CPU resources.Tr | Track by LOG-1117 - Getting issue details... STATUS |