...
This page keeps track of known CVE issues in libraries that are distributed with the Deltares Open Archive and the upgrade strategy of these libraries. The Common Vulnerability Scoring System (CVSS) of severity Critical and High are reported here.
THREDDS
| date | CVE | description | versions | Risk for Deltares Open Archive | JIRA | upgrade strategy |
|---|---|---|---|---|---|---|
| October 2021 | CVE-2020-13936 | An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container | up to 202301 | False positive. Users in thredds are not allowed to upload velocity templates. | FEWS-29325 | |
| november 2018 | CVE-2018-1258 | Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. | up to 202301 | False positive. Spring security is not used. |
Apache Tomcat CVE score Critical and High
...