flume-ng-core-1.6.0.jar: 8 vulnerabilities (highest severity is: 9.8) #7
Description
Vulnerable Library - flume-ng-core-1.6.0.jar
Path to dependency file: /log4j-samples/flume-embedded/pom.xml
Path to vulnerable library: /log4j-samples/flume-embedded/pom.xml,/log4j-flume-ng/pom.xml
Found in HEAD commit: f88f2ff835fc1aeaabbf10b8fc56b6e160acc6a2
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (flume-ng-core version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2024-52046 |  Critical |
9.8 | mina-core-2.0.4.jar | Transitive | N/A* | ❌ |
| WS-2021-0419 |  High |
7.7 | gson-2.2.2.jar | Transitive | N/A* | ❌ |
| CVE-2022-25647 | High |
7.7 | gson-2.2.2.jar | Transitive | N/A* | ❌ |
| CVE-2019-0231 | High |
7.5 | mina-core-2.0.4.jar | Transitive | N/A* | ❌ |
| CVE-2023-2976 |  Medium |
5.5 | guava-11.0.2.jar | Transitive | N/A* | ❌ |
| CVE-2021-29425 | Medium |
4.8 | commons-io-2.5.jar | Transitive | N/A* | ❌ |
| CVE-2024-47554 | Medium |
4.3 | commons-io-2.5.jar | Transitive | N/A* | ❌ |
| CVE-2020-8908 |  Low |
3.3 | guava-11.0.2.jar | Transitive | 1.10.0 | ✅ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-52046
Vulnerable Library - mina-core-2.0.4.jar
Apache MINA is a network application framework which helps users develop high performance and highly scalable network applications easily. It provides an abstract event-driven asynchronous API over various transports such as TCP/IP and UDP/IP via Java NIO.
Library home page: http://mina.apache.org/
Path to dependency file: /log4j-samples/flume-embedded/pom.xml
Path to vulnerable library: /log4j-samples/flume-embedded/pom.xml,/log4j-flume-ng/pom.xml
Dependency Hierarchy:
- flume-ng-core-1.6.0.jar (Root Library)
- ❌ mina-core-2.0.4.jar (Vulnerable Library)
Found in HEAD commit: f88f2ff835fc1aeaabbf10b8fc56b6e160acc6a2
Found in base branch: AutoCloseableLock
Vulnerability Details
The ObjectSerializationDecoder in Apache MINA uses Java’s native deserialization protocol to process
incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows
attackers to exploit the deserialization process by sending specially crafted malicious serialized data,
potentially leading to remote code execution (RCE) attacks.
This issue affects MINA core versions 2.0.X, 2.1.X and 2.2.X, and will be fixed by the releases 2.0.27, 2.1.10 and 2.2.4.
It's also important to note that an application using MINA core library will only be affected if the IoBuffer#getObject() method is called, and this specific method is potentially called when adding a ProtocolCodecFilter instance using the ObjectSerializationCodecFactory class in the filter chain. If your application is specifically using those classes, you have to upgrade to the latest version of MINA core library.
Upgrading will not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, using one of the three new methods:
/**
* Accept class names where the supplied ClassNameMatcher matches for
- deserialization, unless they are otherwise rejected.
- @param classNameMatcher the matcher to use
/
public void accept(ClassNameMatcher classNameMatcher)
/* - Accept class names that match the supplied pattern for
- deserialization, unless they are otherwise rejected.
- @param pattern standard Java regexp
/
public void accept(Pattern pattern)
/* - Accept the wildcard specified classes for deserialization,
- unless they are otherwise rejected.
- @param patterns Wildcard file name patterns as defined by
-
{@link org.apache.commons.io.FilenameUtils#wildcardMatch(String, String) FilenameUtils.wildcardMatch}
*/
public void accept(String... patterns)
By default, the decoder will reject all classes that will be present in the incoming data.
Note: The FtpServer, SSHd and Vysper sub-project are not affected by this issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-12-25
URL: CVE-2024-52046
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2024/q4/177
Release Date: 2024-12-25
Fix Resolution: org.apache.mina:mina-core:2.0.27,2.1.10,2.2.4
WS-2021-0419
Vulnerable Library - gson-2.2.2.jar
Google Gson library
Library home page: http://www.google.com
Path to dependency file: /log4j-flume-ng/pom.xml
Path to vulnerable library: /log4j-flume-ng/pom.xml,/log4j-samples/flume-embedded/pom.xml
Dependency Hierarchy:
- flume-ng-core-1.6.0.jar (Root Library)
- ❌ gson-2.2.2.jar (Vulnerable Library)
Found in HEAD commit: f88f2ff835fc1aeaabbf10b8fc56b6e160acc6a2
Found in base branch: AutoCloseableLock
Vulnerability Details
Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
CVSS 3 Score Details (7.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-10-11
Fix Resolution: com.google.code.gson:gson:2.8.9
CVE-2022-25647
Vulnerable Library - gson-2.2.2.jar
Google Gson library
Library home page: http://www.google.com
Path to dependency file: /log4j-flume-ng/pom.xml
Path to vulnerable library: /log4j-flume-ng/pom.xml,/log4j-samples/flume-embedded/pom.xml
Dependency Hierarchy:
- flume-ng-core-1.6.0.jar (Root Library)
- ❌ gson-2.2.2.jar (Vulnerable Library)
Found in HEAD commit: f88f2ff835fc1aeaabbf10b8fc56b6e160acc6a2
Found in base branch: AutoCloseableLock
Vulnerability Details
The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Publish Date: 2022-05-01
URL: CVE-2022-25647
CVSS 3 Score Details (7.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`
Release Date: 2022-05-01
Fix Resolution: com.google.code.gson:gson:gson-parent-2.8.9
CVE-2019-0231
Vulnerable Library - mina-core-2.0.4.jar
Apache MINA is a network application framework which helps users develop high performance and highly scalable network applications easily. It provides an abstract event-driven asynchronous API over various transports such as TCP/IP and UDP/IP via Java NIO.
Library home page: http://mina.apache.org/
Path to dependency file: /log4j-samples/flume-embedded/pom.xml
Path to vulnerable library: /log4j-samples/flume-embedded/pom.xml,/log4j-flume-ng/pom.xml
Dependency Hierarchy:
- flume-ng-core-1.6.0.jar (Root Library)
- ❌ mina-core-2.0.4.jar (Vulnerable Library)
Found in HEAD commit: f88f2ff835fc1aeaabbf10b8fc56b6e160acc6a2
Found in base branch: AutoCloseableLock
Vulnerability Details
Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.0.21, 2.1.0 users should migrate to 2.1.1. This issue affects: Apache MINA.
Publish Date: 2019-10-01
URL: CVE-2019-0231
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-5h29-qq92-wj7f
Release Date: 2019-10-01
Fix Resolution: org.apache.mina:mina-core:2.0.21,2.1.1
CVE-2023-2976
Vulnerable Library - guava-11.0.2.jar
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
This project is a complete packaging of all the Guava libraries
into a single jar. Individual portions of Guava can be used
by downloading the appropriate module and its dependencies.
Guava (complete) has only one code dependency - javax.annotation,
per the JSR-305 spec.</p>
Library home page: http://code.google.com/p/guava-libraries
Path to dependency file: /log4j-samples/flume-embedded/pom.xml
Path to vulnerable library: /log4j-samples/flume-embedded/pom.xml,/log4j-flume-ng/pom.xml
Dependency Hierarchy:
- flume-ng-core-1.6.0.jar (Root Library)
- flume-ng-configuration-1.6.0.jar
- ❌ guava-11.0.2.jar (Vulnerable Library)
- flume-ng-configuration-1.6.0.jar
Found in HEAD commit: f88f2ff835fc1aeaabbf10b8fc56b6e160acc6a2
Found in base branch: AutoCloseableLock
Vulnerability Details
Use of Java's default temporary directory for file creation in "FileBackedOutputStream" in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows. Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Publish Date: 2023-06-14
URL: CVE-2023-2976
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-7g45-4rm6-3mm3
Release Date: 2023-06-14
Fix Resolution: com.google.guava:guava:32.0.1-android,32.0.1-jre
CVE-2021-29425
Vulnerable Library - commons-io-2.5.jar
The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Library home page: http://www.apache.org/
Dependency Hierarchy:
- flume-ng-core-1.6.0.jar (Root Library)
- ❌ commons-io-2.5.jar (Vulnerable Library)
Found in HEAD commit: f88f2ff835fc1aeaabbf10b8fc56b6e160acc6a2
Found in base branch: AutoCloseableLock
Vulnerability Details
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Publish Date: 2021-04-13
URL: CVE-2021-29425
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Release Date: 2021-04-13
Fix Resolution: commons-io:commons-io:2.7
CVE-2024-47554
Vulnerable Library - commons-io-2.5.jar
The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Library home page: http://www.apache.org/
Dependency Hierarchy:
- flume-ng-core-1.6.0.jar (Root Library)
- ❌ commons-io-2.5.jar (Vulnerable Library)
Found in HEAD commit: f88f2ff835fc1aeaabbf10b8fc56b6e160acc6a2
Found in base branch: AutoCloseableLock
Vulnerability Details
Uncontrolled Resource Consumption vulnerability in Apache Commons IO.
The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.
This issue affects Apache Commons IO: from 2.0 before 2.14.0.
Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-10-03
URL: CVE-2024-47554
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1
Release Date: 2024-10-03
Fix Resolution: commons-io:commons-io:2.14.0
CVE-2020-8908
Vulnerable Library - guava-11.0.2.jar
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
This project is a complete packaging of all the Guava libraries
into a single jar. Individual portions of Guava can be used
by downloading the appropriate module and its dependencies.
Guava (complete) has only one code dependency - javax.annotation,
per the JSR-305 spec.</p>
Library home page: http://code.google.com/p/guava-libraries
Path to dependency file: /log4j-samples/flume-embedded/pom.xml
Path to vulnerable library: /log4j-samples/flume-embedded/pom.xml,/log4j-flume-ng/pom.xml
Dependency Hierarchy:
- flume-ng-core-1.6.0.jar (Root Library)
- flume-ng-configuration-1.6.0.jar
- ❌ guava-11.0.2.jar (Vulnerable Library)
- flume-ng-configuration-1.6.0.jar
Found in HEAD commit: f88f2ff835fc1aeaabbf10b8fc56b6e160acc6a2
Found in base branch: AutoCloseableLock
Vulnerability Details
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2020-12-10
URL: CVE-2020-8908
CVSS 3 Score Details (3.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-5mg8-w23w-74h3
Release Date: 2020-12-10
Fix Resolution (com.google.guava:guava): 32.0.0-android
Direct dependency fix Resolution (org.apache.flume:flume-ng-core): 1.10.0
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules