Spring Vulnerabilities


Greg Luck

Nov 6, 2018, 6:32:59 PM
to jsr107, Vassilis Bekiaris
Guys

We might want to upgrade to avoid this even though it is the RI. Could do without the project getting flagged.

Regards

Greg Luck

skype: gregrluck

Begin forwarded message:

From: GitHub <nor...@github.com>
Subject: Your GitHub security alerts for the week of Oct 30 - Nov 6
Date: 7 November 2018 at 5:48:12 am AEST
To: Greg Luck <gl...@gregluck.com>

GitHub security alerts

GitHub security alert digest

gregrluck’s repository security updates from the week of Oct 30 - Nov 6

JSR107 - Java Caching organization

jsr107 / RI

Known security vulnerabilities detected

Dependency: org.springframework:spring-core (version < 3.2.14; upgrade to ~> 3.2.14), defined in pom.xml
Vulnerabilities:
  CVE-2018-1270 High severity
  CVE-2018-1275 High severity
  CVE-2015-3192 Moderate severity
  CVE-2016-5007 Moderate severity
  CVE-2018-1257 Moderate severity
  (3 more not shown)

Cloud Foundry Community organization

cloudfoundry-community / java-nats

Known security vulnerabilities detected

Dependency: com.fasterxml.jackson.core:jackson-databind (version < 2.6.7.1; upgrade to ~> 2.6.7.1), defined in pom.xml
Vulnerabilities:
  CVE-2017-7525 High severity
  CVE-2018-7489 High severity
  CVE-2017-17485 High severity

cloudfoundry-community / cf-java-component

Known security vulnerabilities detected

Dependency: com.fasterxml.jackson.core:jackson-databind (version < 2.6.7.1; upgrade to ~> 2.6.7.1), defined in pom.xml
Vulnerabilities:
  CVE-2017-7525 High severity
  CVE-2018-7489 High severity
  CVE-2017-17485 High severity

Dependency: org.apache.httpcomponents:httpclient (version < 4.3.6; upgrade to ~> 4.3.6), defined in pom.xml
Vulnerabilities:
  CVE-2015-5262 Moderate severity

cloudfoundry-community / cf-docs-contrib

Known security vulnerabilities detected

Dependency: activesupport (version >= 3.2.0, < 3.2.13; upgrade to ~> 3.2.13), defined in Gemfile.lock
Vulnerabilities:
  CVE-2013-1856 Moderate severity
  CVE-2015-3226 Moderate severity
  CVE-2015-3227 Moderate severity

Dependency: rack (version < 1.5.4; upgrade to ~> 1.5.4), defined in Gemfile.lock
Vulnerabilities:
  CVE-2015-3225 Moderate severity

Dependency: sprockets (version >= 2.4.0, < 2.4.6; upgrade to ~> 2.4.6), defined in Gemfile.lock
Vulnerabilities:
  CVE-2018-3760 High severity
  CVE-2014-7819 Moderate severity

Dependency: i18n (version < 0.6.6; upgrade to ~> 0.6.6), defined in Gemfile.lock
Vulnerabilities:
  CVE-2013-4492 Moderate severity

Dependency: yajl-ruby (version < 1.3.1; upgrade to ~> 1.3.1), defined in Gemfile.lock
Vulnerabilities:
  CVE-2017-16516 High severity

Dependency: rack-protection (version < 1.5.5; upgrade to ~> 1.5.5), defined in Gemfile.lock
Vulnerabilities:
  CVE-2018-1000119 Moderate severity

Dependency: ffi (version < 1.9.24; upgrade to ~> 1.9.24), defined in Gemfile.lock
Vulnerabilities:
  CVE-2018-1000201 Moderate severity

cloudfoundry-community / cf_demoapp_ruby_rack

Known security vulnerabilities detected

Dependency: rack (version < 1.5.4; upgrade to ~> 1.5.4), defined in Gemfile.lock
Vulnerabilities:
  CVE-2015-3225 Moderate severity

cloudfoundry-community / trybosh-web

Known security vulnerabilities detected

Dependency: activesupport (version >= 3.0.0, < 3.2.22.4; upgrade to ~> 3.2.22.5), defined in Gemfile.lock
Vulnerabilities:
  CVE-2015-3226 Moderate severity
  CVE-2015-3227 Moderate severity

Dependency: sprockets (version >= 2.2.0, < 2.2.3; upgrade to ~> 2.2.3), defined in Gemfile.lock
Vulnerabilities:
  CVE-2018-3760 High severity
  CVE-2014-7819 Moderate severity

Dependency: activerecord (version >= 2.0.0, < 3.2.19; upgrade to ~> 3.2.19), defined in Gemfile.lock
Vulnerabilities:
  CVE-2014-3482 High severity
  CVE-2015-7577 Moderate severity

Dependency: rack (version < 1.5.4; upgrade to ~> 1.5.4), defined in Gemfile.lock
Vulnerabilities:
  CVE-2015-3225 Moderate severity

Dependency: actionpack (version >= 3.1.0, < 3.2.22.1; upgrade to ~> 3.2.22.1), defined in Gemfile.lock
Vulnerabilities:
  CVE-2016-2098 High severity
  CVE-2015-7576 Moderate severity
  CVE-2016-0751 Moderate severity
  CVE-2014-7818 Moderate severity
  CVE-2014-0130 Moderate severity
  (6 more not shown)

Dependency: rack-ssl (version < 1.4.0; upgrade to ~> 1.4.0), defined in Gemfile.lock
Vulnerabilities:
  CVE-2014-2538 Moderate severity

Dependency: rails (version >= 3.0.0, < 3.2.17; upgrade to ~> 3.2.17), defined in Gemfile.lock
Vulnerabilities:
  CVE-2014-0081 Moderate severity

Dependency: i18n (version < 0.6.6; upgrade to ~> 0.6.6), defined in Gemfile.lock
Vulnerabilities:
  CVE-2013-4492 Moderate severity

Dependency: actionmailer (version >= 3.0.0, < 3.2.15; upgrade to ~> 3.2.15), defined in Gemfile.lock
Vulnerabilities:
  CVE-2013-4389 Moderate severity

Dependency: jquery-rails (version < 3.1.3; upgrade to ~> 3.1.3), defined in Gemfile.lock
Vulnerabilities:
  CVE-2015-1840 Moderate severity

Dependency: mail (version < 2.5.5; upgrade to ~> 2.5.5), defined in Gemfile.lock
Vulnerabilities:
  CVE-2015-9097 Moderate severity

Dependency: nokogiri (version < 1.8.1; upgrade to ~> 1.8.1), defined in Gemfile.lock
Vulnerabilities:
  CVE-2017-9050 Critical severity
  CVE-2015-5312 High severity
  CVE-2016-4658 High severity
  CVE-2017-5029 Low severity
  CVE-2017-18258 Moderate severity
  (2 more not shown)

Dependency: rack-protection (version < 1.5.5; upgrade to ~> 1.5.5), defined in Gemfile.lock
Vulnerabilities:
  CVE-2018-1000119 Moderate severity

cloudfoundry-community / share-my-cloudfoundry

Known security vulnerabilities detected

Dependency: omniauth-oauth2 (version < 1.1.2; upgrade to ~> 1.1.2), defined in Gemfile.lock
Vulnerabilities:
  CVE-2012-6134 Moderate severity

Dependency: rubyzip (version < 1.2.1; upgrade to ~> 1.2.1), defined in Gemfile.lock
Vulnerabilities:
  CVE-2017-5946 High severity
  CVE-2018-1000544 Moderate severity

Dependency: activesupport (version >= 3.0.0, < 3.2.22.4; upgrade to ~> 3.2.22.5), defined in Gemfile.lock
Vulnerabilities:
  CVE-2015-3226 Moderate severity
  CVE-2015-3227 Moderate severity

Dependency: actionpack (version >= 3.1.0, < 3.2.22.1; upgrade to ~> 3.2.22.1), defined in Gemfile.lock
Vulnerabilities:
  CVE-2016-2098 High severity
  CVE-2015-7576 Moderate severity
  CVE-2016-0751 Moderate severity
  CVE-2014-7829 Moderate severity
  CVE-2014-7818 Moderate severity
  (6 more not shown)

Dependency: activerecord (version >= 2.0.0, < 3.2.19; upgrade to ~> 3.2.19), defined in Gemfile.lock
Vulnerabilities:
  CVE-2014-3482 High severity
  CVE-2015-7577 Moderate severity

Dependency: rack (version < 1.5.4; upgrade to ~> 1.5.4), defined in Gemfile.lock
Vulnerabilities:
  CVE-2015-3225 Moderate severity

Dependency: jquery-rails (version < 3.1.3; upgrade to ~> 3.1.3), defined in Gemfile.lock
Vulnerabilities:
  CVE-2015-1840 Moderate severity

Dependency: rack-ssl (version < 1.4.0; upgrade to ~> 1.4.0), defined in Gemfile.lock
Vulnerabilities:
  CVE-2014-2538 Moderate severity

Dependency: omniauth-facebook (version >= 1.4.1, < 1.5.0; upgrade to ~> 1.5.0), defined in Gemfile.lock
Vulnerabilities:
  CVE-2013-4562 Moderate severity

Dependency: rails (version >= 3.0.0, < 3.2.17; upgrade to ~> 3.2.17), defined in Gemfile.lock
Vulnerabilities:
  CVE-2014-0081 Moderate severity

Dependency: i18n (version < 0.6.6; upgrade to ~> 0.6.6), defined in Gemfile.lock
Vulnerabilities:
  CVE-2013-4492 Moderate severity

Dependency: actionmailer (version >= 3.0.0, < 3.2.15; upgrade to ~> 3.2.15), defined in Gemfile.lock
Vulnerabilities:
  CVE-2013-4389 Moderate severity

Dependency: sprockets (version >= 2.2.0, < 2.2.3; upgrade to ~> 2.2.3), defined in Gemfile.lock
Vulnerabilities:
  CVE-2018-3760 High severity
  CVE-2014-7819 Moderate severity

Dependency: mail (version < 2.5.5; upgrade to ~> 2.5.5), defined in Gemfile.lock
Vulnerabilities:
  CVE-2015-9097 Moderate severity

Dependency: omniauth (version < 1.3.2; upgrade to ~> 1.3.2), defined in Gemfile.lock
Vulnerabilities:
  CVE-2017-18076 Moderate severity

Dependency: rack-protection (version < 1.5.5; upgrade to ~> 1.5.5), defined in Gemfile.lock
Vulnerabilities:
  CVE-2018-1000119 Moderate severity

cloudfoundry-community / cf_cli_install

Known security vulnerabilities detected

Dependency: rack (version < 1.5.4; upgrade to ~> 1.5.4), defined in Gemfile.lock
Vulnerabilities:
  CVE-2015-3225 Moderate severity

Dependency: rack-protection (version < 1.5.5; upgrade to ~> 1.5.5), defined in Gemfile.lock
Vulnerabilities:
  CVE-2018-1000119 Moderate severity

cloudfoundry-community / spiff_cli_install

Known security vulnerabilities detected

Dependency: rack (version < 1.5.4; upgrade to ~> 1.5.4), defined in Gemfile.lock
Vulnerabilities:
  CVE-2015-3225 Moderate severity

Dependency: rack-protection (version < 1.5.5; upgrade to ~> 1.5.5), defined in Gemfile.lock
Vulnerabilities:
  CVE-2018-1000119 Moderate severity

hazelcast organization

hazelcast / hazelcast-code-samples

Known security vulnerabilities detected

Dependency: org.springframework:spring-core (version >= 4.0.0, < 4.1.7; upgrade to ~> 4.1.7), defined in pom.xml
Vulnerabilities:
  CVE-2015-5211 High severity
  CVE-2018-1270 High severity
  CVE-2018-1275 High severity
  CVE-2018-1270 High severity
  CVE-2018-1275 High severity
  (58 more not shown)

Dependency: com.fasterxml.jackson.core:jackson-databind (version < 2.6.7.1; upgrade to ~> 2.6.7.1), defined in pom.xml
Vulnerabilities:
  CVE-2017-7525 High severity
  CVE-2018-7489 High severity
  CVE-2017-15095 High severity
  CVE-2017-17485 High severity

Always verify the validity and compatibility of suggestions with your codebase.


GitHub, Inc.
88 Colin P Kelly Jr St.
San Francisco, CA 94107


Vassilis Bekiaris

Nov 8, 2018, 6:40:13 AM
to jsr107
Thanks Greg, created an issue to track this: https://github.com/jsr107/RI/issues/70

I already have an open PR on the RI repository that touches the RI's pom.xml (it upgrades the maven-javadoc-plugin so the build can work on JDK >= 10). I pushed another commit in this PR to upgrade to the latest available Spring version in the 3.x line: https://github.com/jsr107/RI/pull/69

Vassilis
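A check a maintainer could run before a PR like the one above lands, added here as an example that is not part of this thread or the RI project: it parses the flattened "Dependency ... Version ... Upgrade to" rows exactly as the forwarded digest shows them and reports whether a declared Maven version still falls inside a listed vulnerable range. The declared versions in the tests are constructed samples, not the RI's actual pom.xml values.

```python
import re
from typing import List, Tuple

# Dependency rows copied verbatim from the digest above, in the flattened
# one-line form the page shows (the real digest renders these as a table).
DIGEST_ROWS = [
    "Dependencyorg.springframework:spring-coreVersion< 3.2.14Upgrade to~> 3.2.14",
    "Dependencyorg.springframework:spring-coreVersion>= 4.0.0< 4.1.7Upgrade to~> 4.1.7",
    "Dependencycom.fasterxml.jackson.core:jackson-databindVersion< 2.6.7.1Upgrade to~> 2.6.7.1",
]

ROW_RE = re.compile(r"^Dependency(?P<dep>.+?)Version(?P<range>.+?)Upgrade to~> (?P<fix>\S+)$")
CONSTRAINT_RE = re.compile(r"(>=|<=|<|>)\s*(\d+(?:\.\d+)*)")
OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0, ">=": lambda c: c >= 0}

def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components only; a trailing qualifier such as Spring's
    '.RELEASE' is ignored for range comparison."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare after zero-padding, so 2.6.7 < 2.6.7.1 and 3.2.14 == 3.2.14.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def parse_row(row: str):
    """Split one flattened row into (dependency, [(op, bound), ...], fix version)."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"not a digest row: {row!r}")
    constraints = [(op, version_key(v)) for op, v in CONSTRAINT_RE.findall(m.group("range"))]
    return m.group("dep"), constraints, m.group("fix")

def flagged_by(dep: str, declared: str, rows: List[str] = DIGEST_ROWS) -> List[str]:
    """Fix versions of every row whose vulnerable range covers `declared`;
    an empty list means the declared version would not be flagged."""
    v = version_key(declared)
    hits = []
    for row in rows:
        row_dep, constraints, fix = parse_row(row)
        if row_dep == dep and all(OPS[op](compare(v, bound)) for op, bound in constraints):
            hits.append(fix)
    return hits
```

Every constraint in a row must hold for the row to count, so ">= 4.0.0 < 4.1.7" flags 4.0.5 but not 3.2.18 or 4.1.7 itself.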