...
| date | CVE | description | versions | Risk for Deltares Open Archive | JIRA | upgrade strategy |
|---|---|---|---|---|---|---|
| january 2020 | CVE-2019-20444 | HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold." | up to 202301 | 202301 and higher have a fix which checks that headers have a colon. If not the request is rejected | FEWS-29351 | |
| december 20222 | CVE-2022-3064 | Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory. | up to 202301 | False positive. The only yaml file used is the yaml file for the config. This file is only accessible by admins. | FEWS-29357 |
Deltares archive server
| date | CVE | description | versions | Risk for Deltares Open Archive | JIRA | upgrade strategy |
|---|---|---|---|---|---|---|
| April 2022 | CVE-2022-24785 | Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js. | up to 202301 | False positive. User provided local strings are not used. | FEWS-29358 |
Apache Tomcat CVE score Critical and High
...