Data Collection, Analytics, and Events / DCAEGEN2-1224

dcaegen2/services/pm-mapper security vulnerabilities


    • Type: Story
    • Resolution: Done
    • Priority: Medium
    • Dublin Release

      The following vulnerabilities were identified in the CLM scan.

      1. Component: onap-dcaegen2-services-pm-mapper
         Library: io.undertow : undertow-core : 2.0.16.Final
         Description from CVE: Get requests in JBoss Enterprise Application Platform (EAP) 7 disclose internal IP addresses to remote attackers.
         Explanation: The undertow-core package is vulnerable to Information Exposure. The getHostAndPort() method in the HttpServerExchange class exposes an internal IP address via the Location header during a 302 redirect if the host header field is not set. A remote attacker can exploit this issue by submitting a GET request that results in a 302 redirect response. The attacker can leverage this vulnerability to exfiltrate an internal IP address that can potentially be used for further attacks.
         No non-vulnerable version available; to be assessed if the risk noted is valid or if the dependency can be removed.
         Status: Exception Requested

      2. Component: onap-dcaegen2-services-pm-mapper
         Library: io.undertow : undertow-core : 2.0.16.Final
         Description from CVE: An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests.
         Explanation: The undertow package is vulnerable to Denial-of-Service (DoS). The processWrite() method in the HttpResponseConduit Java class file does not restrict the buffer allocation size. An attacker can exploit this vulnerability by crafting a request that consists of a large header size and sending it to the server. The request, once processed, would exceed the allocated buffer size resulting in an application crash or unintended behavior.
         No non-vulnerable version available; to be assessed if the risk noted is valid or if the dependency can be removed.
         Status: Exception Requested

      3. Component: onap-dcaegen2-services-pm-mapper
         Library: org.jboss.gwt.elemento : elemento-testsuite-standalone : 0.9
         Description from CVE: Get requests in JBoss Enterprise Application Platform (EAP) 7 disclose internal IP addresses to remote attackers.
         Explanation: The undertow-core package is vulnerable to Information Exposure. The getHostAndPort() method in the HttpServerExchange class exposes an internal IP address via the Location header during a 302 redirect if the host header field is not set. A remote attacker can exploit this issue by submitting a GET request that results in a 302 redirect response. The attacker can leverage this vulnerability to exfiltrate an internal IP address that can potentially be used for further attacks.
         No non-vulnerable version available; to be assessed if the risk noted is valid or if the dependency can be removed.
         Status: Exception Requested

      4. Component: onap-dcaegen2-services-pm-mapper
         Library: org.jboss.gwt.elemento : elemento-testsuite-standalone : 0.
         Description from CVE: An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests.
         Explanation: The undertow package is vulnerable to Denial-of-Service (DoS). The processWrite() method in the HttpResponseConduit Java class file does not restrict the buffer allocation size. An attacker can exploit this vulnerability by crafting a request that consists of a large header size and sending it to the server. The request, once processed, would exceed the allocated buffer size resulting in an application crash or unintended behavior.
         No non-vulnerable version available; to be assessed if the risk noted is valid or if the dependency can be removed.
         Status: Exception Requested

      Please assess whether the vulnerabilities identified are indeed applicable, or whether the library/version noted can be removed as a dependency of pm-mapper.

            People: dfarrelly, vv770d
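One way to check whether the first finding (an internal IP literal in the Location header when a request carries no Host header) actually applies to a deployed pm-mapper endpoint, as an added example that is not part of this ticket or of the pm-mapper project code. It sends an HTTP/1.0 GET with no Host header, which is the precondition the scan text names, and flags a redirect whose Location names a non-global IP literal. The function names, the target host/port arguments and the sample responses are constructed for illustration; the probe can only show something if the endpoint redirects at all. Whether the elemento-testsuite-standalone entry is even present in the runtime artifact is a separate question, answered from `mvn dependency:tree` on the pm-mapper pom rather than from a network probe.

```python
"""Probe for the Undertow-style Location-header disclosure described in the scan.

Added example, not pm-mapper project code. Hostnames, ports and the SAMPLE_*
responses below are constructed; nothing here was captured from pm-mapper.
"""
import ipaddress
import socket
from urllib.parse import urlsplit


def parse_response_head(raw: bytes):
    """Split a raw HTTP response into (status_code, {lowercase header: value})."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def location_leaks_internal_address(status: int, headers: dict) -> bool:
    """True if a redirect's Location header names a non-global IP literal.

    ipaddress.is_global is False for RFC1918, loopback, link-local and other
    special-purpose ranges, so all of those count as 'internal'. Hostnames are
    not resolved: a symbolic redirect (Location: http://pm-mapper/...) returns
    False, because the finding concerns the IP literal Undertow inserts when
    it has no Host header to echo back.
    """
    if status not in (301, 302, 303, 307, 308):
        return False
    location = headers.get("location")
    if not location:
        return False
    host = urlsplit(location).hostname
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal
    return not addr.is_global


def probe_without_host(host: str, port: int, path: str = "/", timeout: float = 5.0) -> bytes:
    """Send a bare HTTP/1.0 GET (no Host header) and return the raw response.

    HTTP/1.0 is used because HTTP/1.1 makes Host mandatory; this reproduces the
    'host header field is not set' precondition from the finding. Plain TCP
    only: wrap the socket with ssl.create_default_context() for a TLS listener.
    """
    request = f"GET {path} HTTP/1.0\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def assess(raw: bytes) -> bool:
    """Does this raw response exhibit the internal-address disclosure?"""
    return location_leaks_internal_address(*parse_response_head(raw))


# Constructed sample responses for offline use (not captured from pm-mapper).
SAMPLE_LEAKING = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://10.0.0.5:8443/reception/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_CLEAN = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://pm-mapper.example.org/reception/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_NO_REDIRECT = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <host> <port>; with no arguments the leaking sample is used.
    raw = probe_without_host(sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else SAMPLE_LEAKING
    print("internal address disclosed" if assess(raw) else "no disclosure observed")
```

Run it against each HTTP listener pm-mapper exposes, with the path set to something that is known to redirect (for example a directory path without its trailing slash); a 200 or 404 with no Location header tells you nothing either way, and a redirect to a symbolic hostname means the service already had a configured canonical host and the finding is not reachable through that path.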