[Snyk] Security upgrade io.kubernetes:client-java from 7.0.0 to 11.0.3 #8
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-2841508 - https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-2848003
![sonatype-lift[bot]](https://avatars.githubusercontent.com/in/9843?s=60&v=4){kind=small}
| <groupId>org.springframework.boot</groupId> | ||
| <artifactId>spring-boot-starter</artifactId> | ||
| </dependency> | ||
| <dependency> |
There was a problem hiding this comment.
Critical OSS Vulnerability:
pkg:maven/io.kubernetes/client-java@11.0.3
6 Critical, 1 Severe, 2 Moderate, 0 Unknown vulnerabilities have been found across 6 dependencies
Components
pkg:maven/org.apache.commons/commons-compress@1.20
CRITICAL Vulnerabilities (4)
CVE-2021-35515
[CVE-2021-35515] CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-835
CVE-2021-35516
[CVE-2021-35516] CWE-770: Allocation of Resources Without Limits or Throttling
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-770
CVE-2021-35517
[CVE-2021-35517] CWE-770: Allocation of Resources Without Limits or Throttling
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-770
CVE-2021-36090
[CVE-2021-36090] CWE-130: Improper Handling of Length Parameter Inconsistency
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-130
pkg:maven/com.google.protobuf/protobuf-java@3.14.0
SEVERE Vulnerabilities (1)
[CVE-2021-22569] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
CVSS Score: 5.5
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CWE: CWE-400
pkg:maven/org.bouncycastle/bcprov-jdk15on@1.69
MODERATE Vulnerabilities (1)
[sonatype-2019-0673] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
BouncyCastle - Denial of Service (DoS)
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 3.7
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-400
pkg:maven/com.squareup.okhttp3/okhttp@3.14.9
CRITICAL Vulnerabilities (1)
[CVE-2021-0341] CWE-295: Improper Certificate Validation
In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171980069
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-295
pkg:maven/org.bouncycastle/bcprov-ext-jdk15on@1.69
MODERATE Vulnerabilities (1)
[sonatype-2019-0673] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
BouncyCastle - Denial of Service (DoS)
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 3.7
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-400
pkg:maven/com.google.code.gson/gson@2.8.6
CRITICAL Vulnerabilities (1)
[sonatype-2021-1694] CWE-502: Deserialization of Untrusted Data
gson - Deserialization of Untrusted Data
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-502
(at-me in a reply with help or ignore)
Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]
This PR was automatically created by Snyk using the credentials of a real user.
Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.
Changes included in this PR
Vulnerabilities that will be fixed
With an upgrade:
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 4.8
SNYK-JAVA-ORGBOUNCYCASTLE-2841508
io.kubernetes:client-java:7.0.0 -> 11.0.3Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 4.8
SNYK-JAVA-ORGBOUNCYCASTLE-2848003
io.kubernetes:client-java:7.0.0 -> 11.0.3(*) Note that the real score may have changed since the PR was raised.
Check the changes in this PR to ensure they won't cause issues with your project.
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
🛠 Adjust project settings
📚 Read more about Snyk's upgrade and patch logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.