
Lots of vulnerabilities in dependencies #13000

@markAtAthena


Describe the bug

Scan Results: fe56677a-a9df-4370-bce6-d2cfe71debba

Scan Results for Scan ID: fe56677a-a9df-4370-bce6-d2cfe71debba

CRITICAL Findings: 1

Maven-org.simpleframework:simple-xml-2.7.1
CVE: CVE-2017-1000190
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-identity-1.3.1, Maven-org.linguafranca.pwdb:KeePassJava2-2.1.4, Maven-org.linguafranca.pwdb:KeePassJava2-simple-2.1.4, Maven-org.simpleframework:simple-xml-2.7.1


HIGH Findings: 24

Maven-io.netty:netty-resolver-dns-4.1.63.Final
CVE: CVE-2024-47535
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-http-netty-1.10.1, Maven-io.projectreactor.netty:reactor-netty-1.0.7, Maven-io.projectreactor.netty:reactor-netty-core-1.0.7, Maven-io.netty:netty-resolver-dns-4.1.63.Final


Maven-io.netty:netty-common-4.1.65.Final
CVE: CVE-2024-47535
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-http-netty-1.10.1, Maven-io.netty:netty-handler-4.1.65.Final, Maven-io.netty:netty-common-4.1.65.Final


Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3
CVE: CVE-2020-36518
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-1.18.0, Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3
Maven-com.azure:azure-core-http-netty-1.10.1, Maven-com.azure:azure-core-1.18.0, Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3


Maven-net.minidev:json-smart-2.4.2
CVE: CVE-2021-31684
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-identity-1.3.1, Maven-com.microsoft.azure:msal4j-1.10.0, Maven-com.nimbusds:oauth2-oidc-sdk-9.4, Maven-net.minidev:json-smart-2.4.2


Maven-io.netty:netty-codec-4.1.65.Final
CVE: CVE-2021-37136
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-http-netty-1.10.1, Maven-io.netty:netty-handler-4.1.65.Final, Maven-io.netty:netty-codec-4.1.65.Final


Maven-io.netty:netty-codec-4.1.65.Final
CVE: CVE-2021-37137
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-http-netty-1.10.1, Maven-io.netty:netty-handler-4.1.65.Final, Maven-io.netty:netty-codec-4.1.65.Final


Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3
CVE: CVE-2021-46877
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-1.18.0, Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3
Maven-com.azure:azure-core-http-netty-1.10.1, Maven-com.azure:azure-core-1.18.0, Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3


Maven-com.google.code.gson:gson-2.8.6
CVE: CVE-2022-25647
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-io.opentelemetry:opentelemetry-exporter-jaeger-1.0.0, Maven-com.google.protobuf:protobuf-java-util-3.14.0, Maven-com.google.code.gson:gson-2.8.6


Maven-com.google.protobuf:protobuf-java-3.14.0
CVE: CVE-2022-3171
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-io.opentelemetry:opentelemetry-exporter-jaeger-1.0.0, Maven-com.google.protobuf:protobuf-java-3.14.0


Maven-com.google.protobuf:protobuf-java-3.14.0
CVE: CVE-2022-3509
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-io.opentelemetry:opentelemetry-exporter-jaeger-1.0.0, Maven-com.google.protobuf:protobuf-java-3.14.0


Maven-com.google.protobuf:protobuf-java-3.14.0
CVE: CVE-2022-3510
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-io.opentelemetry:opentelemetry-exporter-jaeger-1.0.0, Maven-com.google.protobuf:protobuf-java-3.14.0


Maven-com.fasterxml.woodstox:woodstox-core-6.2.4
CVE: CVE-2022-40152
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-1.18.0, Maven-com.fasterxml.jackson.dataformat:jackson-dataformat-xml-2.12.3, Maven-com.fasterxml.woodstox:woodstox-core-6.2.4
Maven-com.azure:azure-core-http-netty-1.10.1, Maven-com.azure:azure-core-1.18.0, Maven-com.fasterxml.jackson.dataformat:jackson-dataformat-xml-2.12.3, Maven-com.fasterxml.woodstox:woodstox-core-6.2.4


Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3
CVE: CVE-2022-42003
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-1.18.0, Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3
Maven-com.azure:azure-core-http-netty-1.10.1, Maven-com.azure:azure-core-1.18.0, Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3


Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3
CVE: CVE-2022-42004
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-1.18.0, Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3
Maven-com.azure:azure-core-http-netty-1.10.1, Maven-com.azure:azure-core-1.18.0, Maven-com.fasterxml.jackson.core:jackson-databind-2.12.3


Maven-net.minidev:json-smart-2.4.2
CVE: CVE-2023-1370
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-identity-1.3.1, Maven-com.microsoft.azure:msal4j-1.10.0, Maven-com.nimbusds:oauth2-oidc-sdk-9.4, Maven-net.minidev:json-smart-2.4.2


Maven-io.projectreactor.netty:reactor-netty-core-1.0.7
CVE: CVE-2023-34054
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-http-netty-1.10.1, Maven-io.projectreactor.netty:reactor-netty-1.0.7, Maven-io.projectreactor.netty:reactor-netty-core-1.0.7


Maven-io.projectreactor.netty:reactor-netty-http-1.0.7
CVE: CVE-2023-34062
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-http-netty-1.10.1, Maven-io.projectreactor.netty:reactor-netty-1.0.7, Maven-io.projectreactor.netty:reactor-netty-http-1.0.7


Maven-io.netty:netty-codec-http2-4.1.65.Final
CVE: CVE-2023-44487
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-core-http-netty-1.10.1, Maven-io.netty:netty-codec-http2-4.1.65.Final


Maven-com.nimbusds:nimbus-jose-jwt-9.8.1
CVE: CVE-2023-52428
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-com.azure:azure-identity-1.3.1, Maven-com.microsoft.azure:msal4j-1.10.0, Maven-com.nimbusds:oauth2-oidc-sdk-9.4, Maven-com.nimbusds:nimbus-jose-jwt-9.8.1


Maven-org.springframework:spring-webmvc-6.1.13
CVE: CVE-2024-38819
Locations: pom.xml
Dependency Paths: Maven-org.springframework:spring-webmvc-6.1.13


Maven-com.google.protobuf:protobuf-java-3.14.0
CVE: CVE-2024-7254
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-io.opentelemetry:opentelemetry-exporter-jaeger-1.0.0, Maven-com.google.protobuf:protobuf-java-3.14.0


Maven-commons-collections:commons-collections-3.2.2
CVE: Cx78f40514-81ff
Locations: pom.xml
Dependency Paths: Maven-org.apache.maven.plugins:maven-site-plugin-4.0.0-M15, Maven-org.apache.maven.doxia:doxia-site-renderer-2.0.0-M19, Maven-org.apache.velocity.tools:velocity-tools-generic-3.1, Maven-commons-beanutils:commons-beanutils-1.9.4, Maven-commons-collections:commons-collections-3.2.2


Maven-com.google.guava:guava-31.1-jre
CVE: CVE-2023-2976
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.xml, lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/org.jctools/jctools-core/pom.xml
Dependency Paths: Maven-com.google.guava:guava-testlib-31.1-jre, Maven-com.google.guava:guava-31.1-jre


Maven-com.google.guava:guava-30.0-android
CVE: CVE-2023-2976
Locations: lib/opentelemetry-javaagent-2.11.0/inst/META-INF/maven/com.azure/azure-core-tracing-opentelemetry/pom.xml
Dependency Paths: Maven-io.opentelemetry:opentelemetry-exporter-jaeger-1.0.0, Maven-io.grpc:grpc-api-1.35.0, Maven-com.google.guava:guava-30.0-android


MEDIUM Findings: 11

LOW Findings: 10

Steps to reproduce

Run the vulnerability scanner.

Expected behavior

Ideally, few if any issues.

Actual behavior

A lot of high issues and one critical issue.

Javaagent or library instrumentation version

2.11.0

Environment

JDK:
OS:

Additional context

No response
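Triage note with an added example (this is editor-supplied code, not part of the issue above and not code from the OpenTelemetry project). Apart from the two findings located in the top-level pom.xml, every Location in the scan is a pom.xml embedded in the agent jar under inst/META-INF/maven/, and the Dependency Paths are walked from what those poms declare. Before chasing upgrades, a practitioner would want to know which of those declared coordinates actually correspond to classes shipped inside the jar. The script below performs that cross-check against a constructed in-memory jar: the pom contents, coordinates and class entries are made up for the demonstration, and the groupId-to-package match is a heuristic (groupId and package need not coincide, and bundled code is often relocated), so a miss is a hint for triage, not proof of absence.

```python
"""Cross-check pom.xml-based scanner findings against what an agent jar bundles.

Added triage example; not code from the issue or from the OpenTelemetry project.
The jar is constructed in memory so the script runs offline; to inspect a real
agent, pass open("opentelemetry-javaagent.jar", "rb").read() to triage().
"""
from __future__ import annotations

import io
import zipfile
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample pom, shaped like the files the scanner reported under
# inst/META-INF/maven/<groupId>/<artifactId>/pom.xml. Coordinates are made up.
SAMPLE_POM = b"""<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>example-tracing</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>example-core</artifactId>
      <version>1.18.0</version>
    </dependency>
    <dependency>
      <groupId>io.opentelemetry</groupId>
      <artifactId>opentelemetry-api</artifactId>
      <version>1.0.0</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</project>
"""


def build_sample_jar() -> bytes:
    """Constructed jar: one embedded pom plus a few bundled class entries.

    The javaagent keeps its bundled classes under inst/ with a .classdata
    suffix. Only io.opentelemetry classes are present here, so example-core is
    declared by the pom but no class of that group is actually shipped.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("inst/META-INF/maven/com.example/example-tracing/pom.xml", SAMPLE_POM)
        zf.writestr("inst/io/opentelemetry/api/trace/Tracer.classdata", b"")
        zf.writestr("inst/io/opentelemetry/api/trace/Span.classdata", b"")
    return buf.getvalue()


def embedded_poms(jar_bytes: bytes) -> dict[str, bytes]:
    """Map each pom.xml under META-INF/maven/ to its XML bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {
            name: zf.read(name)
            for name in zf.namelist()
            if "META-INF/maven/" in name and name.endswith("/pom.xml")
        }


def declared_dependencies(pom_xml: bytes) -> list[dict[str, str]]:
    """Read the <dependency> elements a pom declares.

    The version may be blank or a ${property} when a parent manages it; it is
    reported exactly as declared, not resolved.
    """
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.iter(f"{POM_NS}dependency"):
        def text(tag: str) -> str:
            return (dep.findtext(f"{POM_NS}{tag}") or "").strip()
        deps.append({
            "groupId": text("groupId"),
            "artifactId": text("artifactId"),
            "version": text("version"),
            "scope": text("scope") or "compile",
        })
    return deps


def group_has_classes(jar_bytes: bytes, group_id: str) -> bool:
    """Heuristic: is any bundled class under a package path matching groupId?

    Substring match so relocated (shaded) packages still count. A miss is a
    triage hint, not proof that the library is absent.
    """
    needle = "/" + group_id.replace(".", "/") + "/"
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return any(
            needle in "/" + name and name.endswith((".class", ".classdata"))
            for name in zf.namelist()
        )


def triage(jar_bytes: bytes) -> list[dict[str, object]]:
    """One row per declared dependency across all embedded poms."""
    rows = []
    for pom_path, pom_xml in embedded_poms(jar_bytes).items():
        for dep in declared_dependencies(pom_xml):
            rows.append({**dep, "declared_in": pom_path,
                         "classes_found": group_has_classes(jar_bytes, dep["groupId"])})
    return rows


if __name__ == "__main__":
    for row in triage(build_sample_jar()):
        flag = "bundled" if row["classes_found"] else "declared only"
        print(f'{row["groupId"]}:{row["artifactId"]}:{row["version"]} ({row["scope"]}) -> {flag}')
```

Rows marked "declared only" are the ones worth raising with the scanner vendor or the project, since the finding rests on a pom declaration rather than on bytecode present in the jar; rows marked "bundled" still need the version confirmed against the shipped classes, because the pom records the version the upstream library was built against, not necessarily the one the agent repackaged.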
