False Positive - we are not using the Jackson code in the manner that exposes the vulnerability.
Request exception
Request exception
policy/api
policy/pap
policy/drools-pdp
policy/xacml-pdp
policy/drools-applications
policy/engine
policy/distribution
False Positive - flagged due to inheritance of policy/common above.
Request exception
policy/api
policy/pap
policy/drools-pdp
policy/xacml-pdp
policy/drools-applications
policy/engine
policy/distribution
False Positive - flagged due to inheritance of policy/common above.
Request exception
This is both a security and a license issue due to Drools v6.5.0.Final including and using this dependency.
Upgrading to 7.x version would not clear this issue and would result in multiple other license exceptions that are not clearable.
Request exception
This is a security issue due to Drools v6.5.0.Final including this dependency.
Upgrading to 7.x version would not clear this issue and would result in multiple other new license exceptions that are not clearable.
Request exception
This is a security issue due to Drools v6.5.0.Final including this dependency.
Upgrading to 7.x version would clear this issue, but would then consequently result in multiple other new license exceptions that are not clearable.
Request exception
This dependency is pulled in by org.apache.avro. We are using the latest version of Avro.
We are using Avro to deserialize events. Avro uses jackson-mapper-asl for its Json decoding. The schema for the events we are decoding is controlled in policy models and prevents executable code being specified. Therefore this vulnerability cannot be exploited.
Request exception
This dependency brings in the Jython (Python) interpreter for executing scripts written in Python under the control of Apex.
There are two vulnerabilities, both concerning adding extra modules to the Python libraries on a host running Python scripts under Jython.
- The setup.py and build_py.py files allow extra python packages to be installed on the host during the startup of Jython. This mechanism uses the setuptools mechanism to install those packages. That mechanism does not enforce path traversal restrictions, allowing malicious packages to access protected areas on the host.
- Jython uses packages installed with the python pip utility. Pip is vulnerable to Path Traversal attacks, malicious packages installed with pip can access protected areas on the host
The solution is to warn developers not to install malicious extra Python packages.
Request Exception
The apex-pdp documentation for the Jython plugin is updated to warn developers that they must ensure that extra python packages they add at install time with PIP or using the setup.py/build_py.py mechanisms must be checked and certified by them as not being malicious.
This dependency is pulled in by hibernate-core. We are using the latest release of Hibernate.
The XML schema of incoming events is controlled in Apex and arbitrary code even if it was injected cannot be executed.
Request exception
Liam Fallon - can you take a quick look at the impact?
False positive
The code is not using jackson in the manner described in the vulnerability.
Request exception
- This is a large amount of work to clear Jackson from this repository. It may not be worth the effort as we will be deprecating the repo in the next 2 or 3 releases.
Request exception
Request exception
Request exception
angularjs
angular
angular.min.js
angular-ui-grid.js
angular-sanitize
Request exception
Request exception
Request exception
moment
moment
Request exception
Request exception
Request exception
Request exception
Request exception
Request exception
Request exception
Request exception