[#QB-4083] CVE/GHSA vulnerability alerts

QuickBuild

CVE/GHSA vulnerability alerts

Created: 01/Apr/24 06:58 PM Updated: 09/Apr/24 11:40 PM

Component/s:

None

Affects Version/s:

14.0.7

Fix Version/s:

None

Original Estimate:	Unknown	Remaining Estimate:	Unknown	Time Spent:	Unknown
Environment:	Linux

Description

« Hide

Our security experts have flagged our usage of QuickBuild for having several Critical and High security alerts and are urging them to be fixed or stop using QuickBuild.

Could you take a look and fix them if possible, please?

Doing a simple scan with the grype tool (https://github.com/anchore/grype) of the quickbuild install directory yields the following security alerts for version 14.0.7:

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
ant 1.9.3 1.10.9 java-archive GHSA-f62v-xpxf-3v68 High
ant 1.9.3 1.9.16 java-archive GHSA-q5r4-cfpx-h6fh Medium
ant 1.9.3 1.9.16 java-archive GHSA-5v34-g2px-j4fw Medium
ant 1.9.3 1.9.15 java-archive GHSA-4p6w-m9wc-c9c9 Medium
aws-java-sdk-s3 1.11.1034 1.12.261 java-archive GHSA-c28r-hw5m-5gv3 High
axis 1.4 java-archive GHSA-rmqp-9w4c-gc7w Critical
axis 1.4 java-archive GHSA-h9gj-rqrw-x4fq High
axis 1.4 java-archive GHSA-r53v-vm87-f72c Medium
axis 1.4 java-archive GHSA-96jq-75wh-2658 Medium
axis 1.4 java-archive GHSA-55w9-c3g2-4rrh Medium
c3p0 0.9.2.1 0.9.5.3 java-archive GHSA-q485-j897-qc27 Critical
c3p0 0.9.2.1 0.9.5.4 java-archive GHSA-84p2-vf58-xhxv High
commons-beanutils 1.8.2 1.9.2 java-archive GHSA-p66x-2cv9-qq3v High
commons-beanutils 1.8.2 1.9.4 java-archive GHSA-6phf-73q6-gh87 High
commons-compress 1.4.1 1.21 java-archive GHSA-xqfj-vm6h-2x34 High
commons-compress 1.4.1 1.21 java-archive GHSA-mc84-pj99-q6hh High
commons-compress 1.4.1 1.21 java-archive GHSA-crv7-7245-f45f High
commons-compress 1.4.1 1.21 java-archive GHSA-7hfm-57qf-j43q High
commons-compress 1.4.1 1.26.0 java-archive GHSA-4g9r-vxhx-9pgx High
commons-compress 1.4.1 1.18 java-archive GHSA-hrmr-f5m6-m9pq Medium
commons-email 1.3.3 1.5 java-archive GHSA-v7cm-w955-pj6g High
commons-email 1.3.3 1.5 java-archive GHSA-p7vm-phxx-g722 High
commons-io 1.4 2.7 java-archive GHSA-gwrp-pvrq-jmwv Medium
commons-net 3.2 3.9.0 java-archive GHSA-cgp8-4m63-fhh5 Medium
google-oauth-client 1.31.5 1.33.3 java-archive GHSA-xh97-72ww-2w58 High
gson 2.8.0 2.8.9 java-archive GHSA-4jrv-ppp4-jm57 High
guava 13.0.1 24.1.1-android java-archive GHSA-mvr2-9pj6-7w5j Medium
guava 13.0.1 32.0.0-android java-archive GHSA-7g45-4rm6-3mm3 Medium
guava 13.0.1 32.0.0-android java-archive GHSA-5mg8-w23w-74h3 Low
guava 20.0 24.1.1-android java-archive GHSA-mvr2-9pj6-7w5j Medium
guava 20.0 32.0.0-android java-archive GHSA-7g45-4rm6-3mm3 Medium
guava 20.0 32.0.0-android java-archive GHSA-5mg8-w23w-74h3 Low
hibernate-core 4.3.11.Final 5.3.20.Final java-archive GHSA-j8jw-g6fq-mp7h High
hibernate-validator 5.2.2.Final 5.2.5.Final java-archive GHSA-xxgp-pcfc-3vgc High
jackson-databind 2.10.2 2.12.7.1 java-archive GHSA-rgv9-q543-rqg4 High
jackson-databind 2.10.2 2.12.7.1 java-archive GHSA-jjjh-jjxp-wpff High
jackson-databind 2.10.2 2.12.6.1 java-archive GHSA-57j2-w4cx-62h2 High
jackson-databind 2.10.2 2.12.6 java-archive GHSA-3x8x-79m2-3w2w High
jackson-databind 2.10.2 2.10.5.1 java-archive GHSA-288c-cq4h-88gq High
jdom 1.1 java-archive GHSA-2363-cqg2-863c High
jettison 1.1 1.5.2 java-archive GHSA-x27m-9w8j-5vcw High
jettison 1.1 1.5.4 java-archive GHSA-q6g2-g7f3-rr83 High
jettison 1.1 1.5.2 java-archive GHSA-grr4-wv38-f68w High
jettison 1.1 1.5.2 java-archive GHSA-7rf3-mqpx-h7xg High
jettison 1.1 1.5.1 java-archive GHSA-56h3-78gp-v83r Medium
jetty-http 9.4.46.v20220331 9.4.52 java-archive GHSA-hmr7-m48g-48f6 Medium
jetty-http 9.4.46.v20220331 9.4.47 java-archive GHSA-cj7v-27pg-wf7q Low
jetty-server 9.4.46.v20220331 9.4.51.v20230217 java-archive GHSA-qw69-rqj8-6qw8 Medium
jetty-server 9.4.46.v20220331 9.4.51.v20230217 java-archive GHSA-p26g-97m4-6q7c Low
jetty-servlets 9.4.46.v20220331 9.4.52 java-archive GHSA-3gh6-v5v9-6v9j Low
jetty-xml 9.4.46.v20220331 9.4.52 java-archive GHSA-58qw-p7qm-5rvh Low
json-smart 1.3.1 1.3.3 java-archive GHSA-fg2v-w576-w4v3 High
json-smart 1.3.1 2.4.9 java-archive GHSA-493p-pfq6-5258 High
json-smart 1.3.1 1.3.2 java-archive GHSA-v528-7hrm-frqp Medium
json-smart 2.3 2.4.9 java-archive GHSA-493p-pfq6-5258 High
json-smart 2.3 2.3.1 java-archive GHSA-v528-7hrm-frqp Medium
junit 4.10 4.13.1 java-archive GHSA-269g-pwp5-87pp Medium
log4j 1.2.15 java-archive GHSA-f7vh-qwp3-x37m Critical
log4j 1.2.15 java-archive GHSA-65fg-84f6-3jq3 Critical
log4j 1.2.15 java-archive GHSA-2qrg-x229-3v8q Critical
log4j 1.2.15 java-archive GHSA-w9p3-5cr8-m3jj High
log4j 1.2.15 java-archive GHSA-fp5r-v3w9-4333 High
nimbus-jose-jwt 9.5 9.37.2 java-archive GHSA-gvpg-vgmx-xg6w Medium
ognl 2.6.7 3.0.12 java-archive GHSA-383p-xqxx-rrmp Medium
okio 1.15.0 1.17.6 java-archive GHSA-w33c-445m-f8w7 Medium
quartz 1.8.3 2.3.2 java-archive GHSA-9qcf-c26r-x5rf Critical
snakeyaml 1.23 1.26 java-archive GHSA-rvwf-54qp-4r6v High
snakeyaml 1.23 2.0 java-archive GHSA-mjmj-j48q-9wg2 High
snakeyaml 1.23 1.31 java-archive GHSA-3mc7-4q67-w48m High
snakeyaml 1.23 1.32 java-archive GHSA-w37g-rhq8-7m4j Medium
snakeyaml 1.23 1.31 java-archive GHSA-hhhw-99gj-p3c3 Medium
snakeyaml 1.23 1.31 java-archive GHSA-c4r9-r8fh-9vj2 Medium
snakeyaml 1.23 1.32 java-archive GHSA-9w3m-gqgf-c4p9 Medium
snakeyaml 1.23 1.31 java-archive GHSA-98wm-3w3q-mw94 Medium
spring-beans 2.5.6 5.2.20.RELEASE java-archive GHSA-36p3-wjmg-h94x Critical
spring-beans 2.5.6 5.2.22.RELEASE java-archive GHSA-hh26-6xwr-ggv7 High
spring-context 2.5.6 5.2.21 java-archive GHSA-g5mm-vmx4-3rg7 High
spring-core 2.5.6.SEC01 4.3.16 java-archive GHSA-p5hg-3xm3-gcjg Critical
spring-core 2.5.6.SEC01 4.3.16 java-archive GHSA-3rmv-2pg5-xvqj Critical
spring-core 2.5.6.SEC01 2.5.6.SEC03 java-archive GHSA-wv88-pf73-x22p High
spring-core 2.5.6.SEC01 3.2.15 java-archive GHSA-pgf9-h69p-pcgf High
spring-core 2.5.6.SEC01 4.3.20 java-archive GHSA-ffvq-7w96-97p7 High
spring-core 2.5.6.SEC01 4.3.1 java-archive GHSA-8crv-49fr-2h6j High
spring-core 2.5.6.SEC01 4.3.15 java-archive GHSA-4487-x383-qpph High
spring-core 2.5.6.SEC01 4.3.17 java-archive GHSA-rcpf-vj53-7h2m Medium
spring-core 2.5.6.SEC01 4.3.15 java-archive GHSA-g8hw-794c-4j9g Medium
velocity 1.7 java-archive GHSA-59j4-wjwp-mw9m High
velocity-tools 2.0 java-archive GHSA-fh63-4r66-jc7v Medium
wicket-core 1.5.0 1.5.12 java-archive GHSA-q7wx-mhx4-jr8q High
wicket-core 1.5.0 7.18.0 java-archive GHSA-hmhg-95wh-r699 High
wicket-core 1.5.0 7.17.0 java-archive GHSA-64gv-3pqv-299h High
xmlrpc-common 3.1.3 java-archive GHSA-r2pg-w96p-pcpj Medium
xmlsec 2.1.4 2.1.7 java-archive GHSA-j8wc-gxx9-82hx High
xmlsec 2.1.4 2.2.6 java-archive GHSA-xfrj-6vvc-3xm2 Medium
xstream 1.3.1 1.4.11 java-archive GHSA-hf23-9pf7-388p Critical
xstream 1.3.1 1.4.7 java-archive GHSA-f554-x222-wgf7 Critical
xstream 1.3.1 1.4.18 java-archive GHSA-xw4p-crpj-vjx2 High
xstream 1.3.1 1.4.19 java-archive GHSA-rmr5-cpv2-vgjf High
xstream 1.3.1 1.4.9 java-archive GHSA-rgh3-987h-wpmw High
xstream 1.3.1 1.4.18 java-archive GHSA-qrx8-8545-4wg2 High
xstream 1.3.1 1.4.18 java-archive GHSA-p8pq-r894-fm8f High
xstream 1.3.1 1.4.14-jdk7 java-archive GHSA-mw36-7c6c-q4q2 High
xstream 1.3.1 1.4.18 java-archive GHSA-j9h8-phrw-h4fh High
xstream 1.3.1 1.4.20 java-archive GHSA-j563-grx4-pjpv High
xstream 1.3.1 1.4.18 java-archive GHSA-hph2-m3g5-xxv4 High
xstream 1.3.1 1.4.18 java-archive GHSA-h7v4-7xg3-hxcc High
xstream 1.3.1 1.4.18 java-archive GHSA-g5w6-mrj7-75h2 High
xstream 1.3.1 1.4.20 java-archive GHSA-f8cc-g7j8-xxpm High
xstream 1.3.1 1.4.18 java-archive GHSA-cxfm-5m4g-x7xp High
xstream 1.3.1 1.4.18 java-archive GHSA-8jrj-525p-826v High
xstream 1.3.1 1.4.10 java-archive GHSA-7hwc-46rm-65jh High
xstream 1.3.1 1.4.17 java-archive GHSA-7chv-rrw6-w6fc High
xstream 1.3.1 1.4.18 java-archive GHSA-6w62-hx7r-mw68 High
xstream 1.3.1 1.4.18 java-archive GHSA-64xx-cq4q-mf44 High
xstream 1.3.1 1.4.15 java-archive GHSA-4cch-wxpw-8p28 High
xstream 1.3.1 1.4.18 java-archive GHSA-3ccq-5vw3-2p6x High
xstream 1.3.1 1.4.18 java-archive GHSA-2q8x-2p7f-574v High
xstream 1.3.1 1.4.16 java-archive GHSA-2p3x-qw9c-25hh High
xstream 1.3.1 1.4.16 java-archive GHSA-qpfq-ph7r-qv6f Medium
xstream 1.3.1 1.4.15 java-archive GHSA-jfvx-7wrx-43fh Medium
xstream 1.3.1 1.4.16 java-archive GHSA-hwpc-8xqv-jvj4 Medium
xstream 1.3.1 1.4.16 java-archive GHSA-hvv8-336g-rx3m Medium
xstream 1.3.1 1.4.16 java-archive GHSA-hrcp-8f3q-4w2c Medium
xstream 1.3.1 1.4.16 java-archive GHSA-f6hm-88x3-mfjv Medium
xstream 1.3.1 1.4.16 java-archive GHSA-74cv-f58x-f9wf Medium
xstream 1.3.1 1.4.18 java-archive GHSA-6wf9-jmg9-vxcc Medium
xstream 1.3.1 1.4.16 java-archive GHSA-59jw-jqf4-3wq3 Medium
xstream 1.3.1 1.4.16 java-archive GHSA-56p8-3fh9-4cvq Medium
xstream 1.3.1 1.4.16 java-archive GHSA-4hrm-m67v-5cxr Medium
xstream 1.3.1 1.4.16 java-archive GHSA-43gc-mjxg-gvrq Medium

Description

Our security experts have flagged our usage of QuickBuild for having several Critical and High security alerts and are urging them to be fixed or stop using QuickBuild. Could you take a look and fix them if possible, please? Doing a simple scan with the grype tool (https://github.com/anchore/grype) of the quickbuild install directory yields the following security alerts for version 14.0.7: NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY ant 1.9.3 1.10.9 java-archive GHSA-f62v-xpxf-3v68 High ant 1.9.3 1.9.16 java-archive GHSA-q5r4-cfpx-h6fh Medium ant 1.9.3 1.9.16 java-archive GHSA-5v34-g2px-j4fw Medium ant 1.9.3 1.9.15 java-archive GHSA-4p6w-m9wc-c9c9 Medium aws-java-sdk-s3 1.11.1034 1.12.261 java-archive GHSA-c28r-hw5m-5gv3 High axis 1.4 java-archive GHSA-rmqp-9w4c-gc7w Critical axis 1.4 java-archive GHSA-h9gj-rqrw-x4fq High axis 1.4 java-archive GHSA-r53v-vm87-f72c Medium axis 1.4 java-archive GHSA-96jq-75wh-2658 Medium axis 1.4 java-archive GHSA-55w9-c3g2-4rrh Medium c3p0 0.9.2.1 0.9.5.3 java-archive GHSA-q485-j897-qc27 Critical c3p0 0.9.2.1 0.9.5.4 java-archive GHSA-84p2-vf58-xhxv High commons-beanutils 1.8.2 1.9.2 java-archive GHSA-p66x-2cv9-qq3v High commons-beanutils 1.8.2 1.9.4 java-archive GHSA-6phf-73q6-gh87 High commons-compress 1.4.1 1.21 java-archive GHSA-xqfj-vm6h-2x34 High commons-compress 1.4.1 1.21 java-archive GHSA-mc84-pj99-q6hh High commons-compress 1.4.1 1.21 java-archive GHSA-crv7-7245-f45f High commons-compress 1.4.1 1.21 java-archive GHSA-7hfm-57qf-j43q High commons-compress 1.4.1 1.26.0 java-archive GHSA-4g9r-vxhx-9pgx High commons-compress 1.4.1 1.18 java-archive GHSA-hrmr-f5m6-m9pq Medium commons-email 1.3.3 1.5 java-archive GHSA-v7cm-w955-pj6g High commons-email 1.3.3 1.5 java-archive GHSA-p7vm-phxx-g722 High commons-io 1.4 2.7 java-archive GHSA-gwrp-pvrq-jmwv Medium commons-net 3.2 3.9.0 java-archive GHSA-cgp8-4m63-fhh5 Medium google-oauth-client 1.31.5 1.33.3 java-archive GHSA-xh97-72ww-2w58 High gson 2.8.0 2.8.9 java-archive GHSA-4jrv-ppp4-jm57 High guava 13.0.1 24.1.1-android java-archive GHSA-mvr2-9pj6-7w5j Medium guava 13.0.1 32.0.0-android java-archive GHSA-7g45-4rm6-3mm3 Medium guava 13.0.1 32.0.0-android java-archive GHSA-5mg8-w23w-74h3 Low guava 20.0 24.1.1-android java-archive GHSA-mvr2-9pj6-7w5j Medium guava 20.0 32.0.0-android java-archive GHSA-7g45-4rm6-3mm3 Medium guava 20.0 32.0.0-android java-archive GHSA-5mg8-w23w-74h3 Low hibernate-core 4.3.11.Final 5.3.20.Final java-archive GHSA-j8jw-g6fq-mp7h High hibernate-validator 5.2.2.Final 5.2.5.Final java-archive GHSA-xxgp-pcfc-3vgc High jackson-databind 2.10.2 2.12.7.1 java-archive GHSA-rgv9-q543-rqg4 High jackson-databind 2.10.2 2.12.7.1 java-archive GHSA-jjjh-jjxp-wpff High jackson-databind 2.10.2 2.12.6.1 java-archive GHSA-57j2-w4cx-62h2 High jackson-databind 2.10.2 2.12.6 java-archive GHSA-3x8x-79m2-3w2w High jackson-databind 2.10.2 2.10.5.1 java-archive GHSA-288c-cq4h-88gq High jdom 1.1 java-archive GHSA-2363-cqg2-863c High jettison 1.1 1.5.2 java-archive GHSA-x27m-9w8j-5vcw High jettison 1.1 1.5.4 java-archive GHSA-q6g2-g7f3-rr83 High jettison 1.1 1.5.2 java-archive GHSA-grr4-wv38-f68w High jettison 1.1 1.5.2 java-archive GHSA-7rf3-mqpx-h7xg High jettison 1.1 1.5.1 java-archive GHSA-56h3-78gp-v83r Medium jetty-http 9.4.46.v20220331 9.4.52 java-archive GHSA-hmr7-m48g-48f6 Medium jetty-http 9.4.46.v20220331 9.4.47 java-archive GHSA-cj7v-27pg-wf7q Low jetty-server 9.4.46.v20220331 9.4.51.v20230217 java-archive GHSA-qw69-rqj8-6qw8 Medium jetty-server 9.4.46.v20220331 9.4.51.v20230217 java-archive GHSA-p26g-97m4-6q7c Low jetty-servlets 9.4.46.v20220331 9.4.52 java-archive GHSA-3gh6-v5v9-6v9j Low jetty-xml 9.4.46.v20220331 9.4.52 java-archive GHSA-58qw-p7qm-5rvh Low json-smart 1.3.1 1.3.3 java-archive GHSA-fg2v-w576-w4v3 High json-smart 1.3.1 2.4.9 java-archive GHSA-493p-pfq6-5258 High json-smart 1.3.1 1.3.2 java-archive GHSA-v528-7hrm-frqp Medium json-smart 2.3 2.4.9 java-archive GHSA-493p-pfq6-5258 High json-smart 2.3 2.3.1 java-archive GHSA-v528-7hrm-frqp Medium junit 4.10 4.13.1 java-archive GHSA-269g-pwp5-87pp Medium log4j 1.2.15 java-archive GHSA-f7vh-qwp3-x37m Critical log4j 1.2.15 java-archive GHSA-65fg-84f6-3jq3 Critical log4j 1.2.15 java-archive GHSA-2qrg-x229-3v8q Critical log4j 1.2.15 java-archive GHSA-w9p3-5cr8-m3jj High log4j 1.2.15 java-archive GHSA-fp5r-v3w9-4333 High nimbus-jose-jwt 9.5 9.37.2 java-archive GHSA-gvpg-vgmx-xg6w Medium ognl 2.6.7 3.0.12 java-archive GHSA-383p-xqxx-rrmp Medium okio 1.15.0 1.17.6 java-archive GHSA-w33c-445m-f8w7 Medium quartz 1.8.3 2.3.2 java-archive GHSA-9qcf-c26r-x5rf Critical snakeyaml 1.23 1.26 java-archive GHSA-rvwf-54qp-4r6v High snakeyaml 1.23 2.0 java-archive GHSA-mjmj-j48q-9wg2 High snakeyaml 1.23 1.31 java-archive GHSA-3mc7-4q67-w48m High snakeyaml 1.23 1.32 java-archive GHSA-w37g-rhq8-7m4j Medium snakeyaml 1.23 1.31 java-archive GHSA-hhhw-99gj-p3c3 Medium snakeyaml 1.23 1.31 java-archive GHSA-c4r9-r8fh-9vj2 Medium snakeyaml 1.23 1.32 java-archive GHSA-9w3m-gqgf-c4p9 Medium snakeyaml 1.23 1.31 java-archive GHSA-98wm-3w3q-mw94 Medium spring-beans 2.5.6 5.2.20.RELEASE java-archive GHSA-36p3-wjmg-h94x Critical spring-beans 2.5.6 5.2.22.RELEASE java-archive GHSA-hh26-6xwr-ggv7 High spring-context 2.5.6 5.2.21 java-archive GHSA-g5mm-vmx4-3rg7 High spring-core 2.5.6.SEC01 4.3.16 java-archive GHSA-p5hg-3xm3-gcjg Critical spring-core 2.5.6.SEC01 4.3.16 java-archive GHSA-3rmv-2pg5-xvqj Critical spring-core 2.5.6.SEC01 2.5.6.SEC03 java-archive GHSA-wv88-pf73-x22p High spring-core 2.5.6.SEC01 3.2.15 java-archive GHSA-pgf9-h69p-pcgf High spring-core 2.5.6.SEC01 4.3.20 java-archive GHSA-ffvq-7w96-97p7 High spring-core 2.5.6.SEC01 4.3.1 java-archive GHSA-8crv-49fr-2h6j High spring-core 2.5.6.SEC01 4.3.15 java-archive GHSA-4487-x383-qpph High spring-core 2.5.6.SEC01 4.3.17 java-archive GHSA-rcpf-vj53-7h2m Medium spring-core 2.5.6.SEC01 4.3.15 java-archive GHSA-g8hw-794c-4j9g Medium velocity 1.7 java-archive GHSA-59j4-wjwp-mw9m High velocity-tools 2.0 java-archive GHSA-fh63-4r66-jc7v Medium wicket-core 1.5.0 1.5.12 java-archive GHSA-q7wx-mhx4-jr8q High wicket-core 1.5.0 7.18.0 java-archive GHSA-hmhg-95wh-r699 High wicket-core 1.5.0 7.17.0 java-archive GHSA-64gv-3pqv-299h High xmlrpc-common 3.1.3 java-archive GHSA-r2pg-w96p-pcpj Medium xmlsec 2.1.4 2.1.7 java-archive GHSA-j8wc-gxx9-82hx High xmlsec 2.1.4 2.2.6 java-archive GHSA-xfrj-6vvc-3xm2 Medium xstream 1.3.1 1.4.11 java-archive GHSA-hf23-9pf7-388p Critical xstream 1.3.1 1.4.7 java-archive GHSA-f554-x222-wgf7 Critical xstream 1.3.1 1.4.18 java-archive GHSA-xw4p-crpj-vjx2 High xstream 1.3.1 1.4.19 java-archive GHSA-rmr5-cpv2-vgjf High xstream 1.3.1 1.4.9 java-archive GHSA-rgh3-987h-wpmw High xstream 1.3.1 1.4.18 java-archive GHSA-qrx8-8545-4wg2 High xstream 1.3.1 1.4.18 java-archive GHSA-p8pq-r894-fm8f High xstream 1.3.1 1.4.14-jdk7 java-archive GHSA-mw36-7c6c-q4q2 High xstream 1.3.1 1.4.18 java-archive GHSA-j9h8-phrw-h4fh High xstream 1.3.1 1.4.20 java-archive GHSA-j563-grx4-pjpv High xstream 1.3.1 1.4.18 java-archive GHSA-hph2-m3g5-xxv4 High xstream 1.3.1 1.4.18 java-archive GHSA-h7v4-7xg3-hxcc High xstream 1.3.1 1.4.18 java-archive GHSA-g5w6-mrj7-75h2 High xstream 1.3.1 1.4.20 java-archive GHSA-f8cc-g7j8-xxpm High xstream 1.3.1 1.4.18 java-archive GHSA-cxfm-5m4g-x7xp High xstream 1.3.1 1.4.18 java-archive GHSA-8jrj-525p-826v High xstream 1.3.1 1.4.10 java-archive GHSA-7hwc-46rm-65jh High xstream 1.3.1 1.4.17 java-archive GHSA-7chv-rrw6-w6fc High xstream 1.3.1 1.4.18 java-archive GHSA-6w62-hx7r-mw68 High xstream 1.3.1 1.4.18 java-archive GHSA-64xx-cq4q-mf44 High xstream 1.3.1 1.4.15 java-archive GHSA-4cch-wxpw-8p28 High xstream 1.3.1 1.4.18 java-archive GHSA-3ccq-5vw3-2p6x High xstream 1.3.1 1.4.18 java-archive GHSA-2q8x-2p7f-574v High xstream 1.3.1 1.4.16 java-archive GHSA-2p3x-qw9c-25hh High xstream 1.3.1 1.4.16 java-archive GHSA-qpfq-ph7r-qv6f Medium xstream 1.3.1 1.4.15 java-archive GHSA-jfvx-7wrx-43fh Medium xstream 1.3.1 1.4.16 java-archive GHSA-hwpc-8xqv-jvj4 Medium xstream 1.3.1 1.4.16 java-archive GHSA-hvv8-336g-rx3m Medium xstream 1.3.1 1.4.16 java-archive GHSA-hrcp-8f3q-4w2c Medium xstream 1.3.1 1.4.16 java-archive GHSA-f6hm-88x3-mfjv Medium xstream 1.3.1 1.4.16 java-archive GHSA-74cv-f58x-f9wf Medium xstream 1.3.1 1.4.18 java-archive GHSA-6wf9-jmg9-vxcc Medium xstream 1.3.1 1.4.16 java-archive GHSA-59jw-jqf4-3wq3 Medium xstream 1.3.1 1.4.16 java-archive GHSA-56p8-3fh9-4cvq Medium xstream 1.3.1 1.4.16 java-archive GHSA-4hrm-m67v-5cxr Medium xstream 1.3.1 1.4.16 java-archive GHSA-43gc-mjxg-gvrq Medium

Show »

All

Comments

Work Log

Change History

Sort Order:

[ Permlink | « Hide ]

Robin Shen [02/Apr/24 12:04 AM]

Most of the high and critical issues are related to read input from untrusted input which is not possible in QB. For instance, "https://github.com/advisories/GHSA-hf23-9pf7-388p" is about deseriazing from user supplied XML, and in QB only adminsitrator can do that when restore database from XML. Some other high severity issues are related to XSS attack, which is tolerable in QB as it should be used behind firewall in a trusted environment, with trusted users. For instance, QB users can commit code to get arbitrary logic being executed and this is evitable for every CI system running shell builds. Also QB users can run arbitrary scripts via scripting support, etc.

[ Permlink | « Hide ]

U. Artie Eoff [02/Apr/24 03:14 AM]

I see. So does that mean the flagged "java-archive" packages included in Quickbuild cannot be updated to the "Fixed-in" versions specified in the scan results?

[ Permlink | « Hide ]

U. Artie Eoff [02/Apr/24 03:17 AM]

... that is, if updated to "fixed-in" versions, would it break the functionality that you described?

[ Permlink | « Hide ]

Robin Shen [02/Apr/24 03:28 AM]

Yes, it may break QB functionalities (some code base is nearly 20 years). We'd rather not to upgrade unless absolutely necessary.

[ Permlink | « Hide ]

U. Artie Eoff [08/Apr/24 02:59 PM]

Unfortunately, our security team is going to force us to stop using QB if the following packages aren't patched to fix some critical vulnerabilities, citing that QB would be too insecure to use on a daily basis even in our secure environment. It would be unfortunate for us to have to stop using such a powerful, good CI platform such as QB... we have invested ~10 years using it already.

- c3p0
- commons-beanutils
- commons-compress
- commons-email
- gson 2.8.0
- hibernate-validator 5.2.2.Final
- jackson-databind 2.10.2
- jettison 1.1
- json-smart 2.3
- quartz 1.8.3
- snakeyaml 1.23
- spring_framework 2.5.6.SEC01
- wicket 1.5.0
- xmlsec-java 2.1.4
- xstream 1.3.1

[ Permlink | « Hide ]

Robin Shen [08/Apr/24 11:37 PM]

Sorry to hear this... I do understand your security team's concerns. We will try to upgrade these libraries. Since the change is big and may cause backward incompatiblities, we need to do that in the yearly big release which is planned early next year.

[ Permlink | « Hide ]

U. Artie Eoff [09/Apr/24 02:20 PM]

Thank you for your support. It is greatly appreciated! Looking forward to the next big release. In the meantime, we will discuss your commitment with our security team to try and work something out ;)

[ Permlink | « Hide ]

Robin Shen [09/Apr/24 11:40 PM]

We will try our best to upgrade outdated libraries, but it is not a commitment... due to long history of QB code base. Just hope that you can postpone the decision to next big release...