-
Notifications
You must be signed in to change notification settings - Fork 202
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2023-38493 (High) detected in armeria-1.22.1.jar, armeria-1.15.0.jar #3069
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Milestone
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
label
Jul 26, 2023
dlvenable
added a commit
to dlvenable/data-prepper
that referenced
this issue
Sep 18, 2023
…gies which fix some dependencies to specific versions. Instead, use dependency version requirements which allow for using newer versions. Resolves opensearch-project#3069. Signed-off-by: David Venable <dlv@amazon.com>
dlvenable
added a commit
that referenced
this issue
Sep 20, 2023
Updates Armeria to 1.25.2. This also removes a Gradle resolution strategy which fixes some dependencies to specific versions. Instead, use a dependency version requirement which allows for using newer versions. Resolves #3069. Signed-off-by: David Venable <dlv@amazon.com>
github-project-automation
bot
moved this from Unplanned
to Done
in Data Prepper Tracking Board
Sep 20, 2023
opensearch-trigger-bot bot
pushed a commit
that referenced
this issue
Sep 20, 2023
Updates Armeria to 1.25.2. This also removes a Gradle resolution strategy which fixes some dependencies to specific versions. Instead, use a dependency version requirement which allows for using newer versions. Resolves #3069. Signed-off-by: David Venable <dlv@amazon.com> (cherry picked from commit a016b7a)
dlvenable
added a commit
that referenced
this issue
Sep 20, 2023
Updates Armeria to 1.25.2. This also removes a Gradle resolution strategy which fixes some dependencies to specific versions. Instead, use a dependency version requirement which allows for using newer versions. Resolves #3069. Signed-off-by: David Venable <dlv@amazon.com> (cherry picked from commit a016b7a) Co-authored-by: David Venable <dlv@amazon.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2023-38493 - High Severity Vulnerability
Vulnerable Libraries - armeria-1.22.1.jar, armeria-1.15.0.jar
armeria-1.22.1.jar
Asynchronous HTTP/2 RPC/REST client/server library built on top of Java 8, Netty, Thrift and gRPC (armeria)
Library home page: https://armeria.dev/
Path to dependency file: /data-prepper-plugins/otel-logs-source/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar
Dependency Hierarchy:
armeria-1.15.0.jar
Asynchronous HTTP/2 RPC/REST client/server library built on top of Java 8, Netty, Thrift and gRPC (armeria)
Library home page: https://armeria.dev/
Path to dependency file: /data-prepper-plugins/otel-logs-source/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.15.0/6c26d009aa047e14edb8b99926772d441ab75cf0/armeria-1.15.0.jar
Dependency Hierarchy:
Found in HEAD commit: 90bdaa7e7833bdd504c817e49d4434b4d8880f56
Found in base branch: main
Vulnerability Details
Armeria is a microservice framework Spring supports Matrix variables. When Spring integration is used, Armeria calls Spring controllers via
TomcatService
orJettyService
with the path that may contain matrix variables. Prior to version 1.24.3, the Armeria decorators might not invoked because of the matrix variables. If an attacker sends a specially crafted request, the request may bypass the authorizer. Version 1.24.3 contains a patch for this issue.Publish Date: 2023-07-25
URL: CVE-2023-38493
CVSS 3 Score Details (7.5)
Base Score Metrics:
The text was updated successfully, but these errors were encountered: