...
Only CVE issues of severity Critical and High are reported here.
CVE | file | description | risk for Delft-FEWS | JIRA | upgrade strategy
---|---|---|---|---|---
CVE-2021-33813 | jdom.jar | An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. | The risk is limited, since the embedded PI service is not a public-facing web service and the alarm module only uses the library on the client. For most Delft-FEWS users the library is never used. | | Phase out xfire. This is used in:
CVE-2021-33813 | jdom-2.02.jar | An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. | May be used by imports that use OPeNDAP, but since the library is not used in a service component the risk is limited. | | Dependency of the ucar netcdf libraries. JDOM is not actively developed, but there seems to be work on a fix. See: https://github.com/hunterhacker/jdom/issues/189
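Until the affected jars can be replaced, the usual mitigation for this class of issue is to configure SAXBuilder so that it never resolves external entities or accepts a DOCTYPE at all. The following is an added example written for this page against the JDOM 2.x API (the jdom-2.02.jar row); it is not Delft-FEWS code, and the class name, the two sample documents and the `attacker.invalid` host are constructed for illustration. It follows the OWASP XXE-prevention guidance for JDOM2 and shows that a hardened builder still parses ordinary input but rejects a document carrying an external entity before any resolution is attempted.

```java
import java.io.IOException;
import java.io.StringReader;

import org.jdom2.Document;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;
import org.jdom2.input.sax.XMLReaders;

public class JdomXxeHardening {

    // Constructed sample: a DOCTYPE declaring an external entity. With an
    // unhardened SAXBuilder (JDOM <= 2.0.6 defaults) the parser tries to fetch
    // the SYSTEM identifier, which is the XXE / denial-of-service vector
    // described for CVE-2021-33813.
    static final String HOSTILE_XML =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE root [\n"
        + "  <!ENTITY ext SYSTEM \"http://attacker.invalid/slow\">\n"
        + "]>\n"
        + "<root>&ext;</root>\n";

    // Constructed sample of ordinary input without a DOCTYPE.
    static final String BENIGN_XML =
          "<TimeSeries><header><locationId>H-1</locationId></header></TimeSeries>";

    /**
     * SAXBuilder configured to reject DOCTYPE declarations and to leave
     * external entities unresolved. The feature URIs are the standard
     * SAX/Xerces ones honoured by the JDK's built-in parser.
     */
    public static SAXBuilder hardenedBuilder() {
        SAXBuilder builder = new SAXBuilder(XMLReaders.NONVALIDATING);
        // Refuse any DOCTYPE outright; this alone stops internal and external entity tricks.
        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a DOCTYPE ever has to be allowed for some input.
        builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
        builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Keep entity references unexpanded in the resulting tree.
        builder.setExpandEntities(false);
        return builder;
    }

    /** Returns true when the document is accepted by the builder, false when it is rejected. */
    public static boolean parses(SAXBuilder builder, String xml) {
        try {
            Document doc = builder.build(new StringReader(xml));
            return doc.getRootElement() != null;
        } catch (JDOMException | IOException e) {
            // A rejected DOCTYPE surfaces as a JDOMParseException; no network access happens first.
            return false;
        }
    }

    public static void main(String[] args) {
        SAXBuilder hardened = hardenedBuilder();
        System.out.println("benign input accepted:  " + parses(hardened, BENIGN_XML));
        System.out.println("hostile input accepted: " + parses(hardened, HOSTILE_XML));
    }
}
```

Applying this to every SAXBuilder the code base constructs is the check to make while the jars are still present, because the CVE is about the parser's defaults rather than a single call site; whether the input arrives over HTTP (the embedded PI service) or from a file (the OPeNDAP import path) makes no difference to the parser.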