View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0006626 | SymmetricDS | Bug | public | 2024-10-25 20:44 | 2024-10-28 13:49 |
| Reporter | pmarzullo | Assigned To | pmarzullo | ||
| Priority | normal | ||||
| Status | assigned | Resolution | open | ||
| Product Version | 3.14.17 | ||||
| Target Version | 3.14.18 | ||||
| Summary | 0006626: Security vulnerabilities | ||||
| Description | org.springframework/spring-web-5.3.37.jar - CVE-2016-1000027, CVE-2024-38809 org.springframework/spring-webmvc-5.3.37.jar - CVE-2024-38816 org.springframework/spring-expression-5.3.37.jar - CVE-2024-38808 org.springframework/spring-context-5.3.37.jar - CVE-2024-38820 com.nimbusds/nimbus-jose-jwt-9.31.jar - CVE-2023-52428 a-name/moment-2.20.1 (JavaScript) - CVE-2022-24785, CVE-2022-31129 CVE-2016-1000027 - deserialization of untrusted data SymmetricDS does not serialize/deserialize untrusted data. CVE-2024-38809 - Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack SymmetricDS does not parse these request header tags. CVE-2024-38816 - Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks SymmetricDS does not use the Spring to deliver static resources. CVE-2024-38808 - it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition SymmetricDS does not allow users to provide SpEL expressions for evaluation. CVE-2024-38820 - The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected. SymmetricDS does not use the DataBinder functionality from Spring. CVE-2023-52428 - an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component. SymmetricDS does not use the PasswordBasedDecrypter component. CVE-2022-24785 - A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. SymmetricDS does not use the npm server in production. CVE-2022-31129 - Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks SymmetricDS does not allow users to provide strings for parsing when parsing dates. | ||||
| Tags | security | ||||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-10-25 20:44 | pmarzullo | New Issue | |
| 2024-10-25 20:44 | pmarzullo | Tag Attached: security | |
| 2024-10-25 20:44 | pmarzullo | File Added: image.png | |
| 2024-10-25 20:44 | pmarzullo | File Added: image-2.png | |
| 2024-10-25 20:44 | pmarzullo | File Added: image-3.png | |
| 2024-10-25 20:44 | pmarzullo | File Added: image-4.png | |
| 2024-10-25 20:46 | pmarzullo | File Deleted: image.png | |
| 2024-10-25 20:46 | pmarzullo | File Deleted: image-2.png | |
| 2024-10-25 20:46 | pmarzullo | File Deleted: image-3.png | |
| 2024-10-25 20:46 | pmarzullo | File Deleted: image-4.png | |
| 2024-10-25 21:09 | pmarzullo | Description Updated | View Revisions |
| 2024-10-25 21:30 | pmarzullo | Description Updated | View Revisions |
| 2024-10-28 13:48 | pmarzullo | Note Added: 0002515 | |
| 2024-10-28 13:49 | pmarzullo | Assigned To | => pmarzullo |
| 2024-10-28 13:49 | pmarzullo | Status | new => assigned |
| 2024-10-28 13:49 | pmarzullo | Target Version | => 3.14.18 |