apicurio-registry.advisories.yaml
schema-version: 2.0.2

package:
  name: apicurio-registry

advisories:
  - id: CGA-5hr5-g6v2-4w72
    aliases:
      - CVE-2024-47535
      - GHSA-xq3w-v528-46rv
    events:
      - timestamp: 2024-12-02T09:29:58Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apicurio-registry
            componentID: 5126e31e6af0c797
            componentName: netty-common
            componentVersion: 4.1.111.Final
            componentType: java-archive
            componentLocation: /usr/share/java/apicurio-registry/lib/io.netty.netty-common-4.1.111.Final.jar
            scanner: grype
      - timestamp: 2025-01-17T00:56:02Z
        type: pending-upstream-fix
        data:
          note: |
            netty is a transitive dependency of this project and is affected by this CVE.
            Remediating this CVE would require upgrading a chain of dependencies: (quarkus <-- quarkus-http <-- netty).
            The latest version of quarkus-http (at the time of writing) still depends on an older, affected version of netty.
            In any case, attempting to upgrade netty directly results in build failures. Waiting for upstream to address this in a future release.
            - https://github.com/quarkusio/quarkus/blob/a98a3f91fc06c959672b67ece75516bb59b994cd/bom/application/pom.xml#L38
            - https://github.com/Apicurio/apicurio-registry/blob/779f0994a1de5ebd48f617f476f3e3b7c5a36e48/pom.xml#L147
            - https://github.com/quarkusio/quarkus-http/blob/314574122c3616e96d2e76edb15da2692036edc8/pom.xml#L67
  - id: CGA-6xxq-cf3f-jrfr
    aliases:
      - CVE-2025-24970
      - GHSA-4g8c-wm8x-jfhw
    events:
      - timestamp: 2025-02-11T09:14:59Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apicurio-registry
            componentID: 2dd43f83df045348
            componentName: netty-handler
            componentVersion: 4.1.111.Final
            componentType: java-archive
            componentLocation: /usr/share/java/apicurio-registry/lib/io.netty.netty-handler-4.1.111.Final.jar
            scanner: grype
  - id: CGA-83rw-p5wh-p5v5
    aliases:
      - CVE-2025-25193
      - GHSA-389x-839f-4rhx
    events:
      - timestamp: 2025-02-11T09:14:57Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apicurio-registry
            componentID: 5126e31e6af0c797
            componentName: netty-common
            componentVersion: 4.1.111.Final
            componentType: java-archive
            componentLocation: /usr/share/java/apicurio-registry/lib/io.netty.netty-common-4.1.111.Final.jar
            scanner: grype
      - timestamp: 2025-02-13T19:41:51Z
        type: false-positive-determination
        data:
          type: vulnerable-code-cannot-be-controlled-by-adversary
          note: Vulnerability affects only Windows systems.
  - id: CGA-9vf2-8c9q-q94f
    aliases:
      - CVE-2024-12397
      - GHSA-cxrx-q234-m22m
    events:
      - timestamp: 2024-12-13T07:03:43Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apicurio-registry
            componentID: 103775bab44f729f
            componentName: quarkus-http-core
            componentVersion: 5.3.2
            componentType: java-archive
            componentLocation: /usr/share/java/apicurio-registry/lib/io.quarkus.http.quarkus-http-core-5.3.2.jar
            scanner: grype
      - timestamp: 2025-01-17T00:56:02Z
        type: pending-upstream-fix
        data:
          note: |
            apicurio-registry depends on 'quarkus', which in turn depends on 'quarkus-http', which is affected by this CVE.
            This is addressed in 'quarkus-http' v5.3.4, but the 'quarkus' version used by this project depends on 'quarkus-http' v5.3.2.
            Attempts to upgrade quarkus resulted in build errors. The project has noted caveats when bumping quarkus in the code base.
            Waiting for upstream to address this in a future release.
            - https://github.com/quarkusio/quarkus/blob/a98a3f91fc06c959672b67ece75516bb59b994cd/bom/application/pom.xml#L38
            - https://github.com/Apicurio/apicurio-registry/blob/779f0994a1de5ebd48f617f476f3e3b7c5a36e48/pom.xml#L147
            - https://github.com/quarkusio/quarkus-http
  - id: CGA-fr9m-mrh7-gwv4
    aliases:
      - CVE-2024-57699
      - GHSA-pq2g-wx69-c263
    events:
      - timestamp: 2025-02-07T07:36:46Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apicurio-registry
            componentID: fe5710a8afcf02ab
            componentName: json-smart
            componentVersion: 2.5.0
            componentType: java-archive
            componentLocation: /usr/share/java/apicurio-registry/lib/net.minidev.json-smart-2.5.0.jar
            scanner: grype
  - id: CGA-x2pj-p6gm-xpqp
    aliases:
      - CVE-2012-5783
      - GHSA-3832-9276-x7gf
    events:
      - timestamp: 2024-12-03T09:26:09Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apicurio-registry
            componentID: 3e0a7c38a5aed36d
            componentName: commons-httpclient
            componentVersion: "3.1"
            componentType: java-archive
            componentLocation: /usr/share/java/apicurio-registry/lib/commons-httpclient.commons-httpclient-3.1.jar
            scanner: grype
      - timestamp: 2025-01-27T11:03:07Z
        type: fixed
        data:
          fixed-version: 3.0.6-r0
      - timestamp: 2025-01-29T08:05:40Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apicurio-registry
            componentID: 3e0a7c38a5aed36d
            componentName: commons-httpclient
            componentVersion: "3.1"
            componentType: java-archive
            componentLocation: /usr/share/java/apicurio-registry/lib/commons-httpclient.commons-httpclient-3.1.jar
            scanner: grype
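The file above is an event log, not a status table: each advisory's current state is whatever its latest event says, and the sequence matters. The last advisory (CGA-x2pj-p6gm-xpqp) records a `fixed` event at package version 3.0.6-r0 and then, two days later, another grype `detection` of the same commons-httpclient 3.1 jar, which is exactly the kind of case a consumer of this data should flag rather than silently treat as "fixed". The following is an added example, not code from the apicurio-registry package or from Chainguard's own tooling. It evaluates advisory timelines in the shape `yaml.safe_load()` produces for this schema and embeds a constructed, abbreviated copy of two of the advisories above so that it runs offline without PyYAML installed; the `OPEN_EVENT_TYPES` set and the `detected_after_fix` flag are this example's own conventions, not part of the schema.

```python
"""Evaluate the event timeline of each advisory in a Wolfi/Chainguard
advisories document (schema-version 2.0.x) and report its current state.

Added example, not part of the apicurio-registry advisories file or of
the project's tooling. Input is consumed in the shape that PyYAML's
yaml.safe_load() returns for this format.
"""
from datetime import datetime, timezone

# Example convention (not from the schema): event types after which an
# advisory is still unresolved. The chronologically last event decides.
OPEN_EVENT_TYPES = {"detection", "pending-upstream-fix", "true-positive-determination"}

# Constructed sample: two advisories from the file above, with detection
# payloads trimmed to the fields this example reads.
SAMPLE_DOC = {
    "schema-version": "2.0.2",
    "package": {"name": "apicurio-registry"},
    "advisories": [
        {
            "id": "CGA-83rw-p5wh-p5v5",
            "aliases": ["CVE-2025-25193", "GHSA-389x-839f-4rhx"],
            "events": [
                {"timestamp": "2025-02-11T09:14:57Z", "type": "detection",
                 "data": {"type": "scan/v1", "data": {
                     "componentName": "netty-common",
                     "componentVersion": "4.1.111.Final", "scanner": "grype"}}},
                {"timestamp": "2025-02-13T19:41:51Z", "type": "false-positive-determination",
                 "data": {"type": "vulnerable-code-cannot-be-controlled-by-adversary",
                          "note": "Vulnerability affects only Windows systems."}},
            ],
        },
        {
            "id": "CGA-x2pj-p6gm-xpqp",
            "aliases": ["CVE-2012-5783", "GHSA-3832-9276-x7gf"],
            "events": [
                {"timestamp": "2024-12-03T09:26:09Z", "type": "detection",
                 "data": {"type": "scan/v1", "data": {
                     "componentName": "commons-httpclient",
                     "componentVersion": "3.1", "scanner": "grype"}}},
                {"timestamp": "2025-01-27T11:03:07Z", "type": "fixed",
                 "data": {"fixed-version": "3.0.6-r0"}},
                # The scanner still reported the 3.1 jar after the fix was recorded.
                {"timestamp": "2025-01-29T08:05:40Z", "type": "detection",
                 "data": {"type": "scan/v1", "data": {
                     "componentName": "commons-httpclient",
                     "componentVersion": "3.1", "scanner": "grype"}}},
            ],
        },
    ],
}


def parse_timestamp(value):
    """Return an aware UTC datetime for an event timestamp.

    PyYAML resolves unquoted values such as 2025-01-27T11:03:07Z to datetime
    objects (naive in older releases), so both strings and datetimes are
    accepted, and naive values are treated as UTC.
    """
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def advisory_status(advisory):
    """Summarise one advisory from its events, ordered by timestamp."""
    events = sorted(advisory["events"], key=lambda e: parse_timestamp(e["timestamp"]))
    latest = events[-1]
    status = {
        "id": advisory["id"],
        "aliases": list(advisory.get("aliases", [])),
        "state": latest["type"],
        "open": latest["type"] in OPEN_EVENT_TYPES,
        "fixed_version": None,
        "detected_after_fix": False,   # a scan finding recorded after a fixed event
        "components": set(),
    }
    for event in events:
        if event["type"] == "fixed":
            status["fixed_version"] = event["data"]["fixed-version"]
        elif event["type"] == "detection":
            scan = event["data"]["data"]
            status["components"].add(f"{scan['componentName']}@{scan['componentVersion']}")
            if status["fixed_version"] is not None:
                status["detected_after_fix"] = True
    status["components"] = sorted(status["components"])
    return status


def open_advisories(doc):
    """Advisories whose latest event leaves them unresolved."""
    return [s for s in map(advisory_status, doc["advisories"]) if s["open"]]


if __name__ == "__main__":
    for s in map(advisory_status, SAMPLE_DOC["advisories"]):
        flag = "  <-- detection after fixed event" if s["detected_after_fix"] else ""
        print(f"{s['id']}: {s['state']} {s['components']}{flag}")
```

Run against the full file with `advisory_status` applied to `yaml.safe_load(open(path))["advisories"]`; the `detected_after_fix` flag then singles out CGA-x2pj-p6gm-xpqp, while the false-positive determination on CGA-83rw-p5wh-p5v5 correctly closes it even though grype still reports the jar. The maintained tooling for this format is `wolfictl`; this block only illustrates the timeline semantics.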