El Alto CLI Security/Vulnerability Report

This table lists the known exploitable and non-exploitable vulnerabilities in third-party packages used in the project.



| Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
|---|---|---|---|---|---|---|
| cli | com.fasterxml.jackson.core | CVE-2018-7489 | Ineffective | No | FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it. Note: This vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, and CVE-2018-5968. The application is vulnerable when it uses this component with default typing enabled and passes untrusted data to be deserialized. | None planned |
| cli | io.netty | CVE-2019-16869 | Ineffective | No | Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. | None planned |
| cli | io.netty | CVE-2019-9512 | Ineffective | No | Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. | None planned |
| cli | io.netty | CVE-2019-9514 | Ineffective | No | Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. | None planned |
| cli | io.netty | CVE-2019-9515 | Ineffective | No | Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. | None planned |
| cli | io.netty | CVE-2019-9518 | Ineffective | No | Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU. | None planned |
| cli | org.apache.httpcomponents | N/A | Ineffective | Yes | The Apache httpcomponents component is vulnerable to Directory Traversal. The normalizePath() function in the URIBuilder class allows directory traversal characters such as ../. An attacker can exploit this vulnerability by sending a specially crafted request containing this sequence in the URL path, allowing the attacker to traverse beyond the allowed directory and retrieve the contents of arbitrary files from the server, leading to information disclosure. | 4.5.3 is available. Planned for F release. |
| cli | org.apache.httpcomponents | CVE-2015-5262 | Ineffective | Yes | http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors. Apache HttpComponents Client is vulnerable to a Denial of Service (DoS) attack. The connectSocket() method in SSLConnectionSocketFactory.java allows an initial HTTPS/SSL handshake without applying the timeout value mentioned in the configuration settings while connecting to the socket. Once the vulnerable HttpComponents Client connection is made, if the server does not properly handle and close the connection, the request will never expire. A remote attacker can exploit this vulnerability by establishing, in short intervals, multiple connections that do not close, which makes the HTTPS calls unresponsive and results in a DoS. An example for reproducing the issue is at: https://issues.apache.org/jira/browse/HTTPCLIENT-1478?focusedCommentId=15152242&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15152242 | 4.5.3 is available. Planned for F release. |
| cli | commons-codec | N/A | Ineffective | No | The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32, Base64, and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings. | None planned |
| cli | jline | CVE-2013-2035 | Ineffective | No | Race condition in hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java in HawtJNI before 1.8, when a custom library path is not specified, allows local users to execute arbitrary Java code by overwriting a temporary JAR file with a predictable name in /tmp. When the custom library path is omitted, HawtJNI Library writes the native libraries as temporary JAR files with predictable file names in /tmp. Taking advantage of the time window between the write and read by HawtJNI, a local attacker could overwrite a temporary JAR file with a malicious version that can result in arbitrary code execution. The application is vulnerable if the custom library path is omitted in the application code. The path is specified by setting a system property or by setting the java.io.tmpdir system property to a private directory. | Plan to migrate to 2.14.3 in the F release. |



CLM Vulnerability report