Skip to content

[Snyk] Security upgrade io.kubernetes:client-java from 7.0.0 to 11.0.3 #8

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Security upgrade io.kubernetes:client-java from 7.0.0 to 11.0.3 #8

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
<dependency>
Copy link

@sonatype-lift sonatype-lift bot May 28, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical OSS Vulnerability:

pkg:maven/io.kubernetes/client-java@11.0.3

6 Critical, 1 Severe, 2 Moderate, 0 Unknown vulnerabilities have been found across 6 dependencies

Components
    pkg:maven/org.apache.commons/commons-compress@1.20
      CRITICAL Vulnerabilities (4)
        CVE-2021-35515

        [CVE-2021-35515] CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

        When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-835

        CVE-2021-35516

        [CVE-2021-35516] CWE-770: Allocation of Resources Without Limits or Throttling

        When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-770

        CVE-2021-35517

        [CVE-2021-35517] CWE-770: Allocation of Resources Without Limits or Throttling

        When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-770

        CVE-2021-36090

        [CVE-2021-36090] CWE-130: Improper Handling of Length Parameter Inconsistency

        When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-130

    pkg:maven/com.google.protobuf/protobuf-java@3.14.0
      SEVERE Vulnerabilities (1)

        [CVE-2021-22569] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

        An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

        CVSS Score: 5.5

        CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

        CWE: CWE-400

    pkg:maven/org.bouncycastle/bcprov-jdk15on@1.69
      MODERATE Vulnerabilities (1)

        [sonatype-2019-0673] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

        BouncyCastle - Denial of Service (DoS)

        The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

        CVSS Score: 3.7

        CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

        CWE: CWE-400

    pkg:maven/com.squareup.okhttp3/okhttp@3.14.9
      CRITICAL Vulnerabilities (1)

        [CVE-2021-0341] CWE-295: Improper Certificate Validation

        In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171980069

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

        CWE: CWE-295

    pkg:maven/org.bouncycastle/bcprov-ext-jdk15on@1.69
      MODERATE Vulnerabilities (1)

        [sonatype-2019-0673] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

        BouncyCastle - Denial of Service (DoS)

        The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

        CVSS Score: 3.7

        CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

        CWE: CWE-400

    pkg:maven/com.google.code.gson/gson@2.8.6
      CRITICAL Vulnerabilities (1)

        [sonatype-2021-1694] CWE-502: Deserialization of Untrusted Data

        gson - Deserialization of Untrusted Data

        The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-502

(at-me in a reply with help or ignore)

Was this a good recommendation?
[ 🙁 Not relevant ] - [ 😕 Won't fix ] - [ 😑 Not critical, will fix ] - [ 🙂 Critical, will fix ] - [ 😊 Critical, fixing now ]

<groupId>io.kubernetes</groupId>
<artifactId>client-java</artifactId>
<version>7.0.0</version>
<version>11.0.3</version>
</dependency>
</dependencies>

Expand Down