Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerability found in che-server image #19650

Closed
jenia90 opened this issue Apr 22, 2021 · 3 comments
Closed

Vulnerability found in che-server image #19650

jenia90 opened this issue Apr 22, 2021 · 3 comments
Labels
area/che-server kind/bug Outline of a bug - must adhere to the bug report template. severity/P1 Has a major impact to usage or development of the system.
Milestone
7.30

Comments

@jenia90
Copy link

jenia90 commented Apr 22, 2021

Describe the bug

In addition to issues #19646 and #19649 there's another vulnerability found in che-server image:
Type: VULNERABILITY
Name: CVE-2016-3720
CVSS Score v3: 9.8
Severity: critical
Description: XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.. Impacted Image File(s): /home/user/eclipse-che/tomcat/webapps/api.war:WEB-INF/lib/swagger-core-1.5.9.jar
@jenia90 jenia90 added the kind/bug Outline of a bug - must adhere to the bug report template. label Apr 22, 2021
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Apr 22, 2021
@skabashnyuk skabashnyuk added severity/P1 Has a major impact to usage or development of the system. area/che-server and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Apr 27, 2021
@skabashnyuk
Copy link
Contributor

Che is not affected because we override com.fasterxml.jackson.dataformat:jackson-dataformat-xml https://github.com/eclipse/che/blob/7035a9d2115054178628db25b2b32c4731eabb5c/pom.xml#L487-L490 to https://github.com/eclipse/che/blob/7035a9d2115054178628db25b2b32c4731eabb5c/pom.xml#L52 2.10.3.
CVE-2016-3720 is about 2.7.4.

@skabashnyuk
Copy link
Contributor

Anyway, I believe it's a good time to get 1.5.x or 1.6.x swagger

@skabashnyuk skabashnyuk mentioned this issue Apr 28, 2021
Merged
9 tasks
@skabashnyuk
Copy link
Contributor

Explained and upgraded.

@skabashnyuk skabashnyuk added this to the 7.30 milestone Apr 28, 2021
@skabashnyuk skabashnyuk mentioned this issue Apr 28, 2021
Closed
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/che-server kind/bug Outline of a bug - must adhere to the bug report template. severity/P1 Has a major impact to usage or development of the system.
Projects
None yet
Milestone
7.30
Development

No branches or pull requests
3 participants
@skabashnyuk @jenia90 @che-bot