-
Task
-
Resolution: Done
-
Neutral
-
None
-
None
-
None
-
-
Empty show more show less
-
Empty show more show less
-
Yes
We received a report compiled against Magnolia 6.2.33 with CVEs allegedly affecting the 3rd party Oracle NoSQL Database Server (com.sleepycat:je:18.3.12)
This library would come transitively via
[INFO] +- info.magnolia.solr:magnolia-content-indexer:jar:6.1.4:compile [INFO] | +- edu.uci.ics:crawler4j:jar:4.4.1-magnolia:compile [INFO] | \- com.sleepycat:je:jar:18.3.12:compile
The mismatch happens because com.sleepycat:je:18.3.12 erroneously matches cpe:2.3:a:oracle:nosql_database:::::::: which actually concerns later versions of Oracle NoSQL db (not used by Magnolia).
All the CVEs mentioned in the report actually affect 3rd party libraries/versions, none of which is shipped with Magnolia.
The Oracle NoSQL db version inherited by the Magnolia Solr module has no 3rd party dependencies.
| CVE | Affects | Magnolia 6.2.33 ships with |
|---|---|---|
| https://nvd.nist.gov/vuln/detail/CVE-2018-1000873 | Fasterxml before 2.9.7 | Fasterxml 2.13.5 |
| https://nvd.nist.gov/vuln/detail/CVE-2018-1320 | Apache Thrift | no such library |
| https://nvd.nist.gov/vuln/detail/CVE-2020-11612 | ZlibDecoders | no such library |
| https://nvd.nist.gov/vuln/detail/CVE-2021-22883 https://nvd.nist.gov/vuln/detail/CVE-2021-22884 |
Node.js | no such library |
| https://nvd.nist.gov/vuln/detail/CVE-2021-23840 | OpenSSL | no such library |
| https://nvd.nist.gov/vuln/detail/CVE-2019-10219 | Hibernate-Validator | no such library |
| https://nvd.nist.gov/vuln/detail/CVE-2021-21409 | Netty before 4.1.61 | Netty 4.1.86 |
| https://nvd.nist.gov/vuln/detail/CVE-2021-21290 | Netty before 4.1.59 | Netty 4.1.86 |
| https://nvd.nist.gov/vuln/detail/CVE-2020-13956 | Apache HttpClient before 4.5.13 | HttpClient 4.5.14 |
| https://nvd.nist.gov/vuln/detail/CVE-2020-8908 | Guava before 30.0 | Guava 31.1 |
Acceptance criteria
