New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Known Security Vulnerabilities to be fixed #4788

Open

dicaeffe opened this issue Dec 11, 2020 · 3 comments

dicaeffe commented Dec 11, 2020

Hello,
version 9.0 (and uppers) of Pentaho has few known CVEs (Common Vulnerabilities and Exposures) due to its dependencies.

Is possible to fix those security issues by updating the versions reported below?

Apache Axis2/Java

CVE - 2 issues: CVE-2010-1632, CVE-2010-0219
Used Version: 1.5
Fix Version: 1.5.2 (last minor: 1.5.6)

Apache Log4j - log4j

CVE - 2 issues: CVE-2020-9488, CVE-2019-17571
Used Version: 1.2.17
Fix Version: 2.13.2

jackson-databind

CVE - 32 issues: CVE-2020-9548, CVE-2020-9547,CVE-2020-9546, CVE-2020-8840, CVE-2020-24750, CVE-2020-24616, CVE-2020-14195, CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620, CVE-2020-11619, CVE-2020-11113, CVE-2020-11112, CVE-2020-11111, CVE-2020-10969, CVE-2020-10968, CVE-2020-10673, CVE-2020-10672, CVE-2019-12384, CVE-2019-12086, CVE-2018-7489, CVE-2018-5968, CVE-2018-19362, CVE-2018-19361, CVE-2018-19360, CVE-2018-14721, CVE-2018-14720, CVE-2018-14719, CVE-2018-14718, CVE-2018-11307, CVE-2018-1000873
Used Version: 2.9.10.2
Fix Version: 2.9.10.6 (last minor: 2.9.10.7)

karaf

CVE - 7 issues: CVE-2020-11980, CVE-2019-0226, CVE-2019-0191, CVE-2018-11788, CVE-2018-11786, CVE-2016-8750, CVE-2014-0219
Used Version: 1.9.1
Fix Version: 4.2.9 (last minor: 4.2.10)

org.apache.xmlgraphics:batik-bridge

CVE - 2 issues: CVE-2019-17566, CVE-2019-17566
Used Version: 1.9.1
Fix Version: 1.13

Author

dicaeffe commented Dec 11, 2020

note: Bootstrap is recommended to be updated to 3.4.1

dicaeffe mentioned this issue

Known Security Vulnerabilities to be fixed pentaho/pentaho-engineering-samples#110

Open

mariusssi commented Jan 12, 2022

Hi.
What about https://nvd.nist.gov/vuln/detail/CVE-2020-11987 ?
Fix: batik 1.14

mariusssi commented Jul 18, 2022

CVE-2022-21724 in postgresql, not fixed in 9.4.0.0-79

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment