chore(findings): aiml/apache/nifi
Summary
aiml/apache/nifi has 143 new findings discovered during continuous monitoring.
| id | source | severity | package |
|---|---|---|---|
| CVE-2022-25647 | twistlock_cve | High | com.google.code.gson_gson-2.7 |
| CVE-2022-23457 | twistlock_cve | High | org.owasp.esapi_esapi-2.2.0.0 |
| CVE-2022-22970 | twistlock_cve | High | org.springframework_spring-core-5.3.19 |
| CVE-2021-40690 | twistlock_cve | High | org.apache.santuario_xmlsec-1.5.8 |
| CVE-2021-22569 | twistlock_cve | High | com.google.protobuf_protobuf-java-3.19.1 |
| CVE-2022-24891 | twistlock_cve | Medium | org.owasp.esapi_esapi-2.2.0.0 |
| CVE-2022-23437 | twistlock_cve | Medium | xerces_xercesImpl-2.12.0 |
| CVE-2022-22971 | twistlock_cve | Medium | org.springframework_spring-core-5.3.19 |
| CVE-2020-14338 | twistlock_cve | Medium | xerces_xercesImpl-2.12.0 |
| CVE-2022-33140 | anchore_cve | High | nifi-registry-properties-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-registry-flow-diff-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-framework-components-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-toolkit-cli-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-security-utils-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-registry-revision-entity-model-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-xml-processing-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-protection-azure-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-framework-authorization-providers-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-utils-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-toolkit-s2s-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-write-ahead-log-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-runtime-manifest-core-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-web-utils-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-server-api-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-security-utils-api-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-uuid5-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-runtime-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-security-kerberos-api-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-protection-api-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-schema-utils-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-properties-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-user-actions-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-encryptor-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-toolkit-admin-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-bootstrap-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-site-to-site-client-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-stateless-bootstrap-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-utils-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-protection-cipher-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-h2-database-migrator-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-xml-processing-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-security-kms-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-api-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-api-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-framework-api-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-protection-gcp-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-framework-core-api-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-protection-cipher-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-framework-cluster-protocol-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-extension-manifest-model-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-protection-aws-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-h2-database-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-framework-core-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-data-provenance-utils-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-toolkit-tls-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-protection-factory-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-nar-utils-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-repository-models-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-parameter-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-protection-azure-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-bootstrap-utils-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-security-utils-api-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-protection-hashicorp-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-flow-encryptor-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-protection-shared-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-web-security-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-registry-client-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-stateless-api-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-properties-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-extension-manifest-parser-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-rocksdb-utils-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-encryptor-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-single-user-utils-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-protection-api-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-logging-utils-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-properties-loader-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-toolkit-zookeeper-migrator-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-security-utils-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-vault-utils-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-site-to-site-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-protection-factory-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-protection-hashicorp-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-repository-encryption-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-toolkit-encrypt-config-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-protection-shared-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-api-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-expression-language-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-flowfile-repo-serialization-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-framework-authorization-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-protection-aws-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-protection-gcp-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-protection-loader-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-utils-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-authorizer-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-property-protection-loader-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-administration-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-properties-loader-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-registry-data-model-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-framework-api-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-expression-language-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-flow-encryptor-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-socket-utils-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-uuid5-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-client-dto-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-security-kerberos-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-vault-utils-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-utils-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-framework-nar-utils-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-parameter-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-toolkit-flowanalyzer-1.16.1 |
| CVE-2022-33140 | anchore_cve | High | nifi-registry-security-utils-1.16.1 |
| CVE-2022-33980 | twistlock_cve | Critical | org.apache.commons_commons-configuration2-2.7 |
| CVE-2022-2047 | twistlock_cve | Low | org.eclipse.jetty_jetty-http-9.4.46.v20220331 |
| GHSA-cj7v-27pg-wf7q | anchore_cve | Low | jetty-http-9.4.46.v20220331 |
| GHSA-xj57-8qj4-c4m6 | anchore_cve | Critical | commons-configuration2-2.7 |
| CVE-2022-2048 | twistlock_cve | High | org.eclipse.jetty_jetty-io-9.4.46.v20220331 |
| CVE-2022-2048 | anchore_cve | High | jetty-util-9.4.46.v20220331 |
| CVE-2022-2048 | anchore_cve | High | jetty-schemas-5.2 |
| CVE-2022-2048 | anchore_cve | High | jetty-server-9.4.46.v20220331 |
| CVE-2022-2048 | anchore_cve | High | jetty-http-9.4.46.v20220331 |
| CVE-2022-2047 | anchore_cve | Low | jetty-schemas-5.2 |
| CVE-2022-2048 | anchore_cve | High | jetty-io-9.4.46.v20220331 |
| CVE-2022-22971 | anchore_cve | Medium | spring-core-5.3.19 |
| CVE-2022-22971 | anchore_cve | Medium | spring-core-5.3.19 |
| CVE-2022-22970 | anchore_cve | Medium | spring-core-5.3.19 |
| CVE-2022-22970 | anchore_cve | Medium | spring-core-5.3.19 |
| CVE-2016-1000027 | anchore_cve | Critical | spring-core-5.3.19 |
| CVE-2016-1000027 | anchore_cve | Critical | spring-core-5.3.19 |
| CVE-2016-4607 | twistlock_cve | Medium | libxslt-1.1.32-6.el8 |
| CVE-2019-13118 | twistlock_cve | Low | libxslt-1.1.32-6.el8 |
| CVE-2018-1121 | twistlock_cve | Low | procps-ng-3.3.15-6.el8 |
| CVE-2019-13117 | twistlock_cve | Low | libxslt-1.1.32-6.el8 |
| CVE-2022-2946 | twistlock_cve | Low | vim-minimal-8.0.1763-19.el8_6.4 |
| CVE-2022-2923 | twistlock_cve | Low | vim-minimal-8.0.1763-19.el8_6.4 |
| CVE-2022-2182 | anchore_cve | Low | vim-minimal-2:8.0.1763-19.el8_6.4 |
| CVE-2021-28861 | anchore_cve | High | python-3.8.13 |
| CVE-2022-2819 | anchore_cve | Low | vim-minimal-2:8.0.1763-19.el8_6.4 |
| CVE-2022-2862 | twistlock_cve | Low | vim-minimal-8.0.1763-19.el8_6.4 |
| CVE-2022-2849 | twistlock_cve | Low | vim-minimal-8.0.1763-19.el8_6.4 |
| CVE-2020-35538 | twistlock_cve | Low | libjpeg-turbo-1.5.3-12.el8 |
| CVE-2020-35537 | twistlock_cve | Low | libgcc-8.5.0-10.1.el8_6 |
| CVE-2020-35537 | twistlock_cve | Low | libstdc++-8.5.0-10.1.el8_6 |
| CVE-2022-2526 | oscap_comp | Medium |
VAT: https://vat.dso.mil/vat/container/19332?branch=master
More information can be found in the failed pipeline located here: https://repo1.dso.mil/dsop/aiml/apache/nifi/-/jobs/12993217
Tasks
Contributor:
-
Provide justifications for findings in the VAT (docs) -
Apply the ~"Approval" label to this issue and wait for feedback
Iron Bank:
-
Review findings and justifications -
Send approval request to Authorizing Official -
Close issue after approval from Authorizing Official
Note: If the above approval process is rejected for any reason, the
Approvallabel will be removed and the issue will be sent back toOpen. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add theApprovallabel.
Questions?
Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.
Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730EST to answer questions.
Edited by Ghost User