pentaho-platform
pentaho-platform copied to clipboard

Published 20 hours ago •

Reame
Issues

Known Security Vulnerabilities to be fixed

Open dicaeffe opened this issue 4 years ago • 3 comments

Hello, version 9.0 (and uppers) of Pentaho has few known CVEs (Common Vulnerabilities and Exposures) due to its dependencies.

Is possible to fix those security issues by updating the versions reported below?

Apache Axis2/Java

CVE - 2 issues: CVE-2010-1632, CVE-2010-0219
Used Version: 1.5
Fix Version: 1.5.2 (last minor: 1.5.6)

Apache Log4j - log4j

CVE - 2 issues: CVE-2020-9488, CVE-2019-17571
Used Version: 1.2.17
Fix Version: 2.13.2

jackson-databind

CVE - 32 issues: CVE-2020-9548, CVE-2020-9547,CVE-2020-9546, CVE-2020-8840, CVE-2020-24750, CVE-2020-24616, CVE-2020-14195, CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620, CVE-2020-11619, CVE-2020-11113, CVE-2020-11112, CVE-2020-11111, CVE-2020-10969, CVE-2020-10968, CVE-2020-10673, CVE-2020-10672, CVE-2019-12384, CVE-2019-12086, CVE-2018-7489, CVE-2018-5968, CVE-2018-19362, CVE-2018-19361, CVE-2018-19360, CVE-2018-14721, CVE-2018-14720, CVE-2018-14719, CVE-2018-14718, CVE-2018-11307, CVE-2018-1000873
Used Version: 2.9.10.2
Fix Version: 2.9.10.6 (last minor: 2.9.10.7)

karaf

CVE - 7 issues: CVE-2020-11980, CVE-2019-0226, CVE-2019-0191, CVE-2018-11788, CVE-2018-11786, CVE-2016-8750, CVE-2014-0219
Used Version: 1.9.1
Fix Version: 4.2.9 (last minor: 4.2.10)

org.apache.xmlgraphics:batik-bridge

CVE - 2 issues: CVE-2019-17566, CVE-2019-17566
Used Version: 1.9.1
Fix Version: 1.13

Dec 11 '20 10:12 dicaeffe

note: Bootstrap is recommended to be updated to 3.4.1

Dec 11 '20 10:12 dicaeffe

Hi. What about https://nvd.nist.gov/vuln/detail/CVE-2020-11987 ? Fix: batik 1.14

Jan 12 '22 11:01 mariusssi

CVE-2022-21724 in postgresql, not fixed in 9.4.0.0-79

Jul 18 '22 05:07 mariusssi