...
| date | CVE | description | versions | Risk for Deltares Open Archive | JIRA | upgrade strategy |
|---|---|---|---|---|---|---|
| October 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | This is triggered by the Netty components bundled with OpenSearch, which are not used in the context of the Delft-FEWS archive service as this uses OpenSearch internally and does not expose OpenSearch as a web service. | ||||
| january 2020 | CVE-2019-20444 | HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold." | up to 202301 | 202301 and higher have a fix which checks that headers have a colon. If not the request is rejected | FEWS-29351 | |
| december 20222 | CVE-2022-3064 | Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory. | up to 202301 | False positive. The only yaml file used is the yaml file for the config. This file is only accessible by admins. | FEWS-29357 |
...