-
Notifications
You must be signed in to change notification settings - Fork 826
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security issues with v76.6.0 (2 Critical, 7 High, 2 Medium) #2213
Comments
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/184582601 The labels on this github issue will be updated when the story is started. |
There are false-positives, because they are related to UAA itself. They may be a result because at this time UAA has a different versioning to uaa-release. Everything inside https://github.com/cloudfoundry/uaa/blob/develop/uaa/slate/Gemfile.lock is not an issue in UAA runtime, because UAA is a java based application, but it is an issue in creating the API documentation https://docs.cloudfoundry.org/api/uaa |
CVE-2017-4960 : An issue was discovered in Cloud Foundry release v247 through v252, UAA stand-alone release v3.9.0 through v3.11.0, and UAA Bosh Release v21 through v26. There is a potential to subject the UAA OAuth clients to a denial of service attack. |
CVE-2017-4973 An issue was discovered in Cloud Foundry Foundation cf-release versions prior to v257; UAA release 2.x versions prior to v2.7.4.14, 3.6.x versions prior to v3.6.8, 3.9.x versions prior to v3.9.10, and other versions prior to v3.15.0; and UAA bosh release (uaa-release) 13.x versions prior to v13.12, 24.x versions prior to v24.7, and other versions prior to v30. A vulnerability has been identified with the groups endpoint in UAA allowing users to elevate their privileges. |
both issues solved with 76.5.0 |
Both are detected with latest version 76.5.0 |
I dont know why but both are false positives , e.g. Fixes were done with - see release notes @bruce-ricard about https://github.com/cloudfoundry/uaa/releases/tag/3.12.0 we may should discuss about format |
For me, the most convincing are the top fix recommendations:
these are very old versions that are already being used. |
all reported issues here should be solved now, last one with #2257 |
close it now, solved with 76.11.0 |
Hi guys,
Our osscan system has detected some critical outdate d libs that coming from https://github.com/cloudfoundry/uaa/blob/develop/uaa/slate/Gemfile.lock
CVE-2020-14001 kramdown-1.13.2.gem
CVE-2014-10077 i18n-0.7.0.gem
WS-2017-0158 haml-4.0.7.gem
CVE-2017-1002201 haml-4.0.7.gem
CVE-2020-8165 activesupport-5.0.1.gem
CVE-2023-22796 activesupport-5.0.1.gem
CVE-2022-44572 rack-2.0.9.1.gem
CVE-2022-44571 rack-2.0.9.1.gem
CVE-2022-44570 rack-2.0.9.1.gem
CVE-2017-4960 uaa-v76.5.0
CVE-2017-4973 uaa-v76.5.0
Any planning on fixing them on your roadmap ?
Appreciate your help on this.
Nguyen
The text was updated successfully, but these errors were encountered: