forked from wolfi-dev/advisories
237 lines (226 loc) · 8.18 KB
apache-nifi-registry.advisories.yaml
schema-version: 2.0.2

package:
  name: apache-nifi-registry

advisories:
  - id: CGA-2f4q-3rwr-m7mc
    aliases:
      - CVE-2025-5115
      - GHSA-mmxm-8w33-wc4h
    events:
      - timestamp: 2025-08-21T07:05:37Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi-registry
            componentID: 4b9d160fff527078
            componentName: jetty-http2-common
            componentVersion: 12.0.23
            componentType: java-archive
            componentLocation: /opt/nifi-registry/nifi-toolkit-registry-2.5.0/nifi-registry-toolkit-2.5.0/lib/jetty-http2-common-12.0.23.jar
            scanner: grype
      - timestamp: 2025-08-21T08:34:56Z
        type: fixed
        data:
          fixed-version: 2.5.0-r2

  - id: CGA-2rhm-pq9f-wfvc
    aliases:
      - CVE-2025-55163
      - GHSA-prj3-ccx8-p6x4
    events:
      - timestamp: 2025-08-14T11:22:03Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi-registry
            componentID: a7ed52c7d7d98f3b
            componentName: netty-codec-http2
            componentVersion: 4.2.2.Final
            componentType: java-archive
            componentLocation: /opt/nifi-registry/nifi-registry-2.5.0/ext/aws/lib/netty-codec-http2-4.2.2.Final.jar
            scanner: grype
      - timestamp: 2025-08-15T01:00:00Z
        type: pending-upstream-fix
        data:
          note: |
            The fix for this CVE requires upgrading netty-codec-http2 to 4.2.4.Final. However, this dependency
            is bundled as part of the AWS extension JAR and cannot be independently updated through dependency
            management. Cherry-picking the upstream fix (commit ccd3c4e2c4fe7f78aa2c214b3f953540e63e7066)
            introduces 2.6.0-SNAPSHOT dependencies that break the build, as this version is not yet released
            and the SNAPSHOT artifacts are not available in Maven repositories.
            We need to wait for Apache NiFi 2.6.0 to be officially released before we can apply this security fix.

  - id: CGA-3xmr-7g5q-24pv
    aliases:
      - CVE-2025-58056
      - GHSA-fghv-69vj-qj49
    events:
      - timestamp: 2025-09-06T07:05:09Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi-registry
            componentID: fe12da413410cbef
            componentName: netty-codec-http
            componentVersion: 4.2.2.Final
            componentType: java-archive
            componentLocation: /opt/nifi-registry/nifi-registry-2.5.0/ext/aws/lib/netty-codec-http-4.2.2.Final.jar
            scanner: grype
      - timestamp: 2025-09-08T02:45:37Z
        type: pending-upstream-fix
        data:
          note: |
            The fix for this CVE requires upgrading netty-codec-http to 4.2.5.Final.
            However, this dependency is bundled as part of the AWS extension JAR and cannot be independently updated through dependency management.
            We need to wait for Apache NiFi 2.6.0 to be officially released before we can apply this security fix.

  - id: CGA-4chp-2v5c-g3c7
    aliases:
      - CVE-2025-58057
      - GHSA-3p8m-j85q-pgmj
    events:
      - timestamp: 2025-09-04T07:09:04Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi-registry
            componentID: f8e96f5921c1ee2e
            componentName: netty-codec-compression
            componentVersion: 4.2.2.Final
            componentType: java-archive
            componentLocation: /opt/nifi-registry/nifi-registry-2.5.0/ext/aws/lib/netty-codec-compression-4.2.2.Final.jar
            scanner: grype
      - timestamp: 2025-09-08T02:48:42Z
        type: pending-upstream-fix
        data:
          note: |
            The fix for this CVE requires upgrading netty-codec-compression to 4.2.5.Final.
            However, this dependency is bundled as part of the AWS extension JAR and cannot be independently updated through dependency management.
            We need to wait for Apache NiFi 2.6.0 to be officially released before we can apply this security fix.

  - id: CGA-4fcv-jq36-r7hx
    aliases:
      - CVE-2025-48924
      - GHSA-j288-q9x7-2f5v
    events:
      - timestamp: 2025-07-12T08:06:04Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi-registry
            componentID: b346ec3119e55f19
            componentName: commons-lang3
            componentVersion: 3.17.0
            componentType: java-archive
            componentLocation: /opt/nifi-registry/nifi-toolkit-registry-2.4.0/nifi-registry-toolkit-2.4.0/lib/commons-lang3-3.17.0.jar
            scanner: grype
      - timestamp: 2025-07-15T07:28:59Z
        type: fixed
        data:
          fixed-version: 2.4.0-r4

  - id: CGA-4m66-858p-cx2p
    aliases:
      - CVE-2025-41234
      - GHSA-6r3c-xf4w-jxjm
    events:
      - timestamp: 2025-06-14T08:49:26Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi-registry
            componentID: aa330053b48f94ea
            componentName: spring-web
            componentVersion: 6.2.6
            componentType: java-archive
            componentLocation: /opt/nifi-registry/nifi-toolkit-registry-2.4.0/nifi-registry-toolkit-2.4.0/lib/spring-web-6.2.6.jar
            scanner: grype
      - timestamp: 2025-06-14T13:22:10Z
        type: fixed
        data:
          fixed-version: 2.4.0-r3

  - id: CGA-84cv-x3rp-2gmp
    aliases:
      - CVE-2025-41242
      - GHSA-r936-gwx5-v52f
    events:
      - timestamp: 2025-08-19T07:09:21Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi-registry
            componentID: a8b5f10e24b961cf
            componentName: spring-webmvc
            componentVersion: 6.2.8
            componentType: java-archive
            componentLocation: /opt/nifi-registry/nifi-registry-2.5.0/lib/nifi-registry-web-api-2.5.0.war
            scanner: grype
      - timestamp: 2025-08-19T08:38:40Z
        type: fixed
        data:
          fixed-version: 2.5.0-r1

  - id: CGA-cwq3-w8fh-cpjm
    aliases:
      - CVE-2025-22233
      - GHSA-4wp7-92pw-q264
    events:
      - timestamp: 2025-06-03T07:46:45Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi-registry
            componentID: 7deace997379f610
            componentName: spring-context
            componentVersion: 6.2.6
            componentType: java-archive
            componentLocation: /opt/nifi-registry/nifi-toolkit-registry-2.4.0/nifi-registry-toolkit-2.4.0/lib/spring-context-6.2.6.jar
            scanner: grype
      - timestamp: 2025-06-03T09:30:48Z
        type: fixed
        data:
          fixed-version: 2.4.0-r2

  - id: CGA-jwwh-vrxx-rwpw
    aliases:
      - CVE-2025-4949
      - GHSA-vrpq-qp53-qv56
    events:
      - timestamp: 2025-05-23T07:38:15Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi-registry
            componentID: 93036eaf2b3e7898
            componentName: org.eclipse.jgit
            componentVersion: 7.2.0.202503040940-r
            componentType: java-archive
            componentLocation: /opt/nifi-registry/nifi-toolkit-registry-2.4.0/nifi-registry-toolkit-2.4.0/lib/org.eclipse.jgit-7.2.0.202503040940-r.jar
            scanner: grype
      - timestamp: 2025-05-24T09:06:58Z
        type: fixed
        data:
          fixed-version: 2.4.0-r1

  - id: CGA-mpwh-pghw-hw5x
    aliases:
      - CVE-2025-53864
      - GHSA-xwmg-2g98-w7v9
    events:
      - timestamp: 2025-07-12T08:06:05Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: apache-nifi-registry
            componentID: c1a16c7a0267b6f9
            componentName: nimbus-jose-jwt
            componentVersion: "9.48"
            componentType: java-archive
            componentLocation: /opt/nifi-registry/nifi-registry-2.4.0/lib/nifi-registry-web-api-2.4.0.war
            scanner: grype
      - timestamp: 2025-07-15T07:29:00Z
        type: fixed
        data:
          fixed-version: 2.4.0-r4
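Each advisory in the file above is an append-only event log: the most recent event gives the advisory's current state, and an advisory without a `fixed` event is still open against the package. The Ruby script below is an added example, not code from wolfi-dev/advisories or from wolfictl. It parses this schema with Ruby's standard YAML library, lists the open CVEs together with the component and path grype flagged, and runs the consistency checks a reviewer would want before merging an edit (every advisory has events, events are in chronological order, every `fixed` event carries a `fixed-version`). It runs against `SAMPLE_ADVISORIES`, a constructed two-advisory excerpt in the same shape as this file.

```ruby
# Added example: triage and lint a wolfi advisory file (schema 2.0.2 as shown
# on this page). Not part of the wolfi-dev/advisories repository or wolfictl.
require 'yaml'

# Constructed excerpt in the shape of the file above: one advisory that was
# fixed in a package rebuild, one still waiting on an upstream release.
SAMPLE_ADVISORIES = <<~YAML
  schema-version: 2.0.2
  package:
    name: apache-nifi-registry
  advisories:
    - id: CGA-2f4q-3rwr-m7mc
      aliases:
        - CVE-2025-5115
        - GHSA-mmxm-8w33-wc4h
      events:
        - timestamp: 2025-08-21T07:05:37Z
          type: detection
          data:
            type: scan/v1
            data:
              subpackageName: apache-nifi-registry
              componentName: jetty-http2-common
              componentVersion: 12.0.23
              componentType: java-archive
              componentLocation: /opt/nifi-registry/nifi-toolkit-registry-2.5.0/nifi-registry-toolkit-2.5.0/lib/jetty-http2-common-12.0.23.jar
              scanner: grype
        - timestamp: 2025-08-21T08:34:56Z
          type: fixed
          data:
            fixed-version: 2.5.0-r2
    - id: CGA-2rhm-pq9f-wfvc
      aliases:
        - CVE-2025-55163
        - GHSA-prj3-ccx8-p6x4
      events:
        - timestamp: 2025-08-14T11:22:03Z
          type: detection
          data:
            type: scan/v1
            data:
              subpackageName: apache-nifi-registry
              componentName: netty-codec-http2
              componentVersion: 4.2.2.Final
              componentType: java-archive
              componentLocation: /opt/nifi-registry/nifi-registry-2.5.0/ext/aws/lib/netty-codec-http2-4.2.2.Final.jar
              scanner: grype
        - timestamp: 2025-08-15T01:00:00Z
          type: pending-upstream-fix
          data:
            note: Waiting for Apache NiFi 2.6.0.
YAML

# Psych turns the ISO-8601 timestamps into Time objects, which safe_load
# rejects unless Time is explicitly permitted.
def load_advisories(yaml_text)
  YAML.safe_load(yaml_text, permitted_classes: [Time])
end

# One triage record per advisory. The latest event is the current state;
# fixed_version is nil while the advisory is still open.
def triage(yaml_text)
  load_advisories(yaml_text).fetch('advisories').map do |adv|
    events    = adv.fetch('events').sort_by { |e| e.fetch('timestamp') }
    detection = events.find { |e| e['type'] == 'detection' }
    fixed     = events.find { |e| e['type'] == 'fixed' }
    component = (detection && detection.dig('data', 'data')) || {}
    {
      id:            adv['id'],
      cve:           (adv['aliases'] || []).find { |a| a.start_with?('CVE-') },
      state:         events.last['type'],
      fixed_version: fixed && fixed.dig('data', 'fixed-version'),
      component:     component['componentName'],
      version:       component['componentVersion'],
      location:      component['componentLocation'],
      note:          events.last.dig('data', 'note')
    }
  end
end

# Advisories with no fixed event: the ones an operator still has to mitigate.
def open_advisories(yaml_text)
  triage(yaml_text).reject { |r| r[:fixed_version] }
end

# Structural checks on the event log; returns a list of problems (empty = ok).
def lint(yaml_text)
  problems = []
  load_advisories(yaml_text).fetch('advisories').each do |adv|
    events = adv['events'] || []
    problems << "#{adv['id']}: no events" if events.empty?
    stamps = events.map { |e| e['timestamp'] }
    problems << "#{adv['id']}: events not in chronological order" unless stamps == stamps.sort
    events.each do |e|
      next unless e['type'] == 'fixed' && e.dig('data', 'fixed-version').nil?
      problems << "#{adv['id']}: fixed event without fixed-version"
    end
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  open_advisories(SAMPLE_ADVISORIES).each do |r|
    puts "#{r[:id]} #{r[:cve]} [#{r[:state]}]: #{r[:component]} #{r[:version]} at #{r[:location]}"
    puts "  note: #{r[:note]}" if r[:note]
  end
  lint(SAMPLE_ADVISORIES).each { |p| warn "lint: #{p}" }
end
```

To run it against the real file, call `open_advisories(File.read('apache-nifi-registry.advisories.yaml'))`; with the file above that yields the three netty advisories under `ext/aws/lib`, each in state `pending-upstream-fix`, which is exactly the set an operator of the 2.5.0 package still has to track. Sorting events by timestamp before picking the last one keeps the state correct even if a hand edit appended events out of order, and `lint` flags that ordering so the file can be repaired.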