forked from wolfi-dev/advisories
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathapicurio-registry.advisories.yaml
97 lines (93 loc) · 4.07 KB
/
apicurio-registry.advisories.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
schema-version: 2.0.2
package:
name: apicurio-registry
advisories:
- id: CGA-5hr5-g6v2-4w72
aliases:
- CVE-2024-47535
- GHSA-xq3w-v528-46rv
events:
- timestamp: 2024-12-02T09:29:58Z
type: detection
data:
type: scan/v1
data:
subpackageName: apicurio-registry
componentID: 5126e31e6af0c797
componentName: netty-common
componentVersion: 4.1.111.Final
componentType: java-archive
componentLocation: /usr/share/java/apicurio-registry/lib/io.netty.netty-common-4.1.111.Final.jar
scanner: grype
- timestamp: 2025-01-17T00:56:02Z
type: pending-upstream-fix
data:
note: |
netty is a transitive dependency of this project, and is affected by this CVE.
Remediating this CVE would require upgrading a chain of dependencies: (quarkus <-- quarkus-http <-- netty).
The latest version of quarkus-http (at the time of writing), still depends on an older, affected version of netty.
Regardless, attempting to upgrade netty results in build failures. Waiting for upstream to address in a future release.
- https://github.com/quarkusio/quarkus/blob/a98a3f91fc06c959672b67ece75516bb59b994cd/bom/application/pom.xml#L38
- https://github.com/Apicurio/apicurio-registry/blob/779f0994a1de5ebd48f617f476f3e3b7c5a36e48/pom.xml#L147
- https://github.com/quarkusio/quarkus-http/blob/314574122c3616e96d2e76edb15da2692036edc8/pom.xml#L67
- id: CGA-9vf2-8c9q-q94f
aliases:
- CVE-2024-12397
- GHSA-cxrx-q234-m22m
events:
- timestamp: 2024-12-13T07:03:43Z
type: detection
data:
type: scan/v1
data:
subpackageName: apicurio-registry
componentID: 103775bab44f729f
componentName: quarkus-http-core
componentVersion: 5.3.2
componentType: java-archive
componentLocation: /usr/share/java/apicurio-registry/lib/io.quarkus.http.quarkus-http-core-5.3.2.jar
scanner: grype
- timestamp: 2025-01-17T00:56:02Z
type: pending-upstream-fix
data:
note: |
apicurio-registry, depends on 'quarkus', which in turn depends on 'quarkus-http', affected by this CVE.
This is addressed in 'quarkus-http' v5.3.4, but the 'quarkus' version used by this project, depends on 'quarkus-http v5.3.2'.
Attempts to upgrade quarkus resulted in build errors. The project has noted caveats when bumping quarkus in the code base.
Waiting for upstream to address in a future release.
- https://github.com/quarkusio/quarkus/blob/a98a3f91fc06c959672b67ece75516bb59b994cd/bom/application/pom.xml#L38
- https://github.com/Apicurio/apicurio-registry/blob/779f0994a1de5ebd48f617f476f3e3b7c5a36e48/pom.xml#L147
- https://github.com/quarkusio/quarkus-http
- id: CGA-x2pj-p6gm-xpqp
aliases:
- CVE-2012-5783
- GHSA-3832-9276-x7gf
events:
- timestamp: 2024-12-03T09:26:09Z
type: detection
data:
type: scan/v1
data:
subpackageName: apicurio-registry
componentID: 3e0a7c38a5aed36d
componentName: commons-httpclient
componentVersion: "3.1"
componentType: java-archive
componentLocation: /usr/share/java/apicurio-registry/lib/commons-httpclient.commons-httpclient-3.1.jar
scanner: grype
- timestamp: 2025-01-27T11:03:07Z
type: fixed
data:
fixed-version: 3.0.6-r0
- timestamp: 2025-01-29T08:05:40Z
type: detection
data:
type: scan/v1
data:
subpackageName: apicurio-registry
componentID: 3e0a7c38a5aed36d
componentName: commons-httpclient
componentVersion: "3.1"
componentType: java-archive
componentLocation: /usr/share/java/apicurio-registry/lib/commons-httpclient.commons-httpclient-3.1.jar
scanner: grype