GHSA-HWVM-VFW8-93MW

Vulnerability from github – Published: 2021-12-16 18:53 – Updated: 2021-12-16 18:40
VLAI?
Summary
Vulnerable dependency in XTDB connector
Details

Impact

The impacted portion of the XTDB connector is its connectivity to S3 as a backing store: this is the only portion of the connector that uses this vulnerable httpclient dependency. Per the description, the vulnerability regards URIs that may be misinterpreted, which given the area of impact within the connector we understand to be any URI used to configure connectivity to S3. Note therefore that if you do not use or configure S3 as a backing store in your use of the connector, you should not be exposed to any vulnerability from this component.

Patches

The problem has been addressed in version 4.5.13 of the httpclient library, which is included as a replacement dependency version for the build of the XTDB connector from release 3.5 onwards. Therefore, using release 3.5 (or newer) of the connector will include the fixes to address this CVE.

Workarounds

We have not investigated specific workarounds, but per the description of the issue it seems likely that ensuring the proper URIs are used for any S3 connectivity used by the connector (and ensuring there are appropriate controls around modifying such URIs in the connector's configuration) would be the first point of investigation.

References

https://nvd.nist.gov/vuln/detail/CVE-2020-13956

Severity ?
5.3 (Medium)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.odpi.egeria:egeria-connector-xtdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2021-12-16T18:40:26Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe impacted portion of the XTDB connector is its connectivity to S3 as a backing store: this is the only portion of the connector that uses this vulnerable `httpclient` dependency. Per the description, the vulnerability regards URIs that may be misinterpreted, which given the area of impact within the connector we understand to be any URI used to configure connectivity to S3. Note therefore that if you do not use or configure S3 as a backing store in your use of the connector, you should not be exposed to any vulnerability from this component.\n\n### Patches\n\nThe problem has been addressed in version 4.5.13 of the httpclient library, which is included as a replacement dependency version for the build of the XTDB connector from release 3.5 onwards. Therefore, using release 3.5 (or newer) of the connector will include the fixes to address this CVE.\n\n### Workarounds\n\nWe have not investigated specific workarounds, but per the description of the issue it seems likely that ensuring the proper URIs are used for any S3 connectivity used by the connector (and ensuring there are appropriate controls around modifying such URIs in the connector\u0027s configuration) would be the first point of investigation.\n\n### References\n\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-13956",
  "id": "GHSA-hwvm-vfw8-93mw",
  "modified": "2021-12-16T18:40:26Z",
  "published": "2021-12-16T18:53:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/odpi/egeria-connector-xtdb/security/advisories/GHSA-hwvm-vfw8-93mw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13956"
    },
    {
      "type": "WEB",
      "url": "https://github.com/odpi/egeria-connector-xtdb/commit/7b2dcc9fc6c5ce509cf72a275a2f2b8b1870dc15"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/odpi/egeria-connector-xtdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Vulnerable dependency in XTDB connector"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.