alfrescoarchive / alfresco-repository Goto Github PK

Metadata and content storage for Alfresco Content Services (Community and Enterprise)

Home Page: https://www.alfresco.com/platform/content-services-ecm/trial/download

License: GNU Lesser General Public License v3.0

FreeMarker 1.38% JavaScript 0.24% HTML 0.22% Java 98.16% XSLT 0.01%

alfresco-repository's Introduction

This project has now been Archived

The alfresco-core, alfresco-data-model, alfresco-repository and alfresco-remote-api projects have been archived with their code incorporated into alfresco-community-repo to simply ongoing development. The same artifacts are still produced by the new project. It also has a branch used as the basis of each of ACS 6 Enterprise release. For more information, set the new project’s README.md file.

Alfresco Repository

Repository is a library packaged as a jar file which is part of Alfresco Content Services Repository. The library contains the following:

DAOs and SQL scripts
Various Service implementations
Utility classes

Building and testing

The project can be built by running Maven command:

mvn clean install

The tests are combined in test classes split by test type or Spring application context used in the test, see classes in src/test/java/org/alfresco. All of these classes as well as individual tests can be run by specifying the test class name and a set of DB connection properties, for example:

mvn clean test -Dtest=SomeRepoTest -Ddb.driver=org.postgresql.Driver -Ddb.name=alfresco -Ddb.url=jdbc:postgresql:alfresco -Ddb.username=alfresco -Ddb.password=alfresco

Artifacts

The artifacts can be obtained by:

downloading from Alfresco repository
getting as Maven dependency by adding the dependency to your pom file:

<dependency>
  <groupId>org.alfresco</groupId>
  <artifactId>alfresco-repository</artifactId>
  <version>version</version>
</dependency>

and Alfresco Maven repository:

<repository>
  <id>alfresco-maven-repo</id>
  <url>https://artifacts.alfresco.com/nexus/content/groups/public</url>
</repository>

The SNAPSHOT version of the artifact is never published.

Contributing guide

Please use this guide to make a contribution to the project.

alfresco-repository's People

Contributors

Stargazers

Watchers

Forkers

sasagolang acosix lucadevelo runwayinfotech alxgomz smith750 zkada siophy afaust kudaz28 binovo alucas nxmatar vzorge vanler seong954t adeeadee38 alabamamike kikou2016 kast0rtr0y yregaieg murshidmac mtanji78 jkluttig sjahangi gagravarr raurelian k3ndr4k ecm4u valerioz yanlilong fredy7777 sonakshi15 thelostworldfree sshyran panstella joelcalebpa quendal imperiuscorp raphalreadytaken alejandroms14 ikaygorodov carlosvv scope-demo acamposloz shaitan1985 hansvanmoer 5l1v3r1 asauvez luca86r mihamimi edilyxin jonadan95 ariel-levy kaynezhang jottley stanop wimcrols asmbit venziait shazada yangqian1992 aagrandaz gsi-eric netwidz gihyunlee hoplex pbateman6 globalquark bolinis asksasasa83 cmartinez18 kangzhenkang dicolar chawwalittee zadislaw plusyoursoftech jod21 shrutibilagi ahmedmohdjamil-cts xsir0 shibin-aot ninasuomi thijslemmens radziu1202 shawnjrose ddiawara jharkins2 fresh-jam rufuslawrence deepak-keswani delfinowilliane cgb-lowcode2023

alfresco-repository's Issues

CVE-2018-19362 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-19362 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

alfresco-heartbeat-data-sender-1.0.9.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: 62ed25becc3b352a9e9ad2f3c703f276d6361d10

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19362

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Step up your Open Source Security Game with WhiteSource here

CVE-2019-0194 (High) detected in camel-core-2.22.1.jar

CVE-2019-0194 - High Severity Vulnerability

Vulnerable Library - camel-core-2.22.1.jar

The Core Camel Java DSL based router

Library home page: http://camel.apache.org/camel-parent/camel-core

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/camel/camel-core/2.22.1/camel-core-2.22.1.jar

Dependency Hierarchy:

camel-spring-2.22.1.jar (Root Library)
- ❌ camel-core-2.22.1.jar (Vulnerable Library)

Found in HEAD commit: 323e5eb523602793eb891ac2bd4f1009c574222f

Vulnerability Details

Apache Camel's File is vulnerable to directory traversal. Camel 2.21.0 to 2.21.3, 2.22.0 to 2.22.2, 2.23.0 and the unsupported Camel 2.x (2.19 and earlier) versions may be also affected.

Publish Date: 2019-04-30

URL: CVE-2019-0194

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://www.openwall.com/lists/oss-security/2019/04/30/2

Release Date: 2019-04-30

Fix Resolution: 2.21.5,2.22.3,2.23.1

Step up your Open Source Security Game with WhiteSource here

Keycloak session filled

I found this bug when using https://github.com/OrderOfTheBee/ootbee-support-tools. For more info see OrderOfTheBee/ootbee-support-tools#152

BUG

I'm using Alfresco 6.2 with ADF and keycloak integration. When a webscript from support tools project is called, a new session in keycloak is opened.
I'm new to keycloak, maybe it's due to a misconsfiguration, or maybe it's an Alfresco issue regarding keycloak integration, because an active session is tracked when I login to share, but when I logout this session reamains in keycloak.

Expected behavior

I don't know, I suppose a new session should not be created in keycloak at every webscript call, and sessions should be closed when I logout from share

Actual behavior

New session created in keycloak for every webscript called. Sessions are not closed when I logout.

Steps to reproduce the behavior

Install Alfresco 6.2 with keycloak integration. You can follow this to get keycloak to work. You can use this to get a working project to test.

Additional details (analysis so far, log statements, references, etc.)

Changing share endpoints to /wcs as stated by AFaust is now working.

Tell us about your environment

docker-compose local installation
alfresco6.2.0-ga
share6.2.0
Alfresco-content-application, master tag
T-engines, postgres, activemq, etc etc...

CVE-2016-9878 High Severity Vulnerability detected by WhiteSource

CVE-2016-9878 - High Severity Vulnerability

Vulnerable Library - spring-webmvc-3.2.14.RELEASE.jar

Spring Web MVC

path: /root/.m2/repository/org/springframework/spring-webmvc/3.2.14.RELEASE/spring-webmvc-3.2.14.RELEASE.jar

Library home page: https://github.com/SpringSource/spring-framework

Dependency Hierarchy:

spring-webscripts-6.21.jar (Root Library)
- ❌ spring-webmvc-3.2.14.RELEASE.jar (Vulnerable Library)

Vulnerability Details

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Publish Date: 2016-12-29

URL: CVE-2016-9878

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2016-9878

Release Date: 2017-12-31

Fix Resolution: Users of affected versions should apply the following mitigation: 4.3.x users should upgrade to 4.3.5 4.2.x users should upgrade to 4.2.9 3.2.x users should upgrade to 3.2.18 Note that few applications are likely to use the . It has been generally superseded since version 3.0 (circa 2009) by the and related classes that have been in use by default and provide much more advanced capabilities, see “” in the reference documentation. The is now deprecated in 3.2.x and 4.x and is removed altogether starting with version 5.

Step up your Open Source Security Game with WhiteSource here

CVE-2018-5968 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-5968 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

alfresco-heartbeat-data-sender-1.0.9.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: 92474780e3bbd322e2a9efe51c6d5ff335e34289

Vulnerability Details

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Publish Date: 2018-01-22

URL: CVE-2018-5968

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968

Release Date: 2018-01-22

Fix Resolution: 2.8.11.1, 2.9.4

Step up your Open Source Security Game with WhiteSource here

CVE-2018-19361 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-19361 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

alfresco-heartbeat-data-sender-1.0.9.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: 62ed25becc3b352a9e9ad2f3c703f276d6361d10

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19361

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Step up your Open Source Security Game with WhiteSource here

CVE-2018-5968 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-5968 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

alfresco-heartbeat-data-sender-1.0.9.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: 62ed25becc3b352a9e9ad2f3c703f276d6361d10

Vulnerability Details

Publish Date: 2018-01-22

URL: CVE-2018-5968

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968

Release Date: 2018-01-22

Fix Resolution: 2.8.11.1, 2.9.4

Step up your Open Source Security Game with WhiteSource here

CVE-2018-19361 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-19361 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

alfresco-heartbeat-data-sender-1.0.9.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: 92474780e3bbd322e2a9efe51c6d5ff335e34289

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19361

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Step up your Open Source Security Game with WhiteSource here

CVE-2018-11307 (Medium) detected in jackson-databind-2.9.5.jar

CVE-2018-11307 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

alfresco-heartbeat-data-sender-1.0.9.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: 92474780e3bbd322e2a9efe51c6d5ff335e34289

Vulnerability Details

jackson-databind has a Potential information exfiltration with default typing. versions 2.7.9.x < 2.7.9.4, 2.8.x < 2.8.11.2, 2.9.x < 2.9.6

Publish Date: 2018-12-13

URL: CVE-2018-11307

CVSS 2 Score Details (6.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2032

Release Date: 2019-03-17

Fix Resolution: jackson-databind-2.9.6

Step up your Open Source Security Game with WhiteSource here

CVE-2018-19360 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-19360 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

alfresco-heartbeat-data-sender-1.0.9.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: 62ed25becc3b352a9e9ad2f3c703f276d6361d10

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19360

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Step up your Open Source Security Game with WhiteSource here

CVE-2018-14718 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-14718 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

alfresco-heartbeat-data-sender-1.0.9.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: 92474780e3bbd322e2a9efe51c6d5ff335e34289

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14718

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14718

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Step up your Open Source Security Game with WhiteSource here

CVE-2019-12086 (Medium) detected in jackson-databind-2.9.8.jar

CVE-2019-12086 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

alfresco-heartbeat-data-sender-1.0.10.jar (Root Library)
- ❌ jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 44db4f0f27220938b8d5ba66476b01b54c86ad66

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

Publish Date: 2019-05-17

URL: CVE-2019-12086

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

Release Date: 2019-05-17

Fix Resolution: 2.9.9

Step up your Open Source Security Game with WhiteSource here

CVE-2018-14718 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-14718 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

alfresco-heartbeat-data-sender-1.0.9.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: 62ed25becc3b352a9e9ad2f3c703f276d6361d10

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14718

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14718

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Step up your Open Source Security Game with WhiteSource here

CVE-2018-19362 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-19362 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

alfresco-heartbeat-data-sender-1.0.9.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: 92474780e3bbd322e2a9efe51c6d5ff335e34289

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19362

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Step up your Open Source Security Game with WhiteSource here

CVE-2018-10237 Medium Severity Vulnerability detected by WhiteSource

CVE-2018-10237 - Medium Severity Vulnerability

Vulnerable Library - guava-24.0-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava/guava

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: 2/repository/com/google/guava/guava/24.0-jre/guava-24.0-jre.jar

Dependency Hierarchy:

❌ guava-24.0-jre.jar (Vulnerable Library)

Found in HEAD commit: 8772e46910898980b9886bc744b7acb4849cabf8

Vulnerability Details

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Publish Date: 2018-04-26

URL: CVE-2018-10237

CVSS 3 Score Details (5.9)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237

Release Date: 2018-04-26

Fix Resolution: 24.1.1

Step up your Open Source Security Game with WhiteSource here

CVE-2018-14719 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-14719 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

alfresco-heartbeat-data-sender-1.0.9.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: 92474780e3bbd322e2a9efe51c6d5ff335e34289

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14719

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14719

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Step up your Open Source Security Game with WhiteSource here

CVE-2018-15756 High Severity Vulnerability detected by WhiteSource

CVE-2018-15756 - High Severity Vulnerability

Vulnerable Library - spring-web-5.0.4.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: 2/repository/org/springframework/spring-web/5.0.4.RELEASE/spring-web-5.0.4.RELEASE.jar

Dependency Hierarchy:

❌ spring-web-5.0.4.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: a6b33c7b9104af395c59b8805bd5b78bc5e7e3ef

Vulnerability Details

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Publish Date: 2018-10-18

URL: CVE-2018-15756

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2018-15756

Release Date: 2018-10-18

Fix Resolution: 4.3.20,5.0.10,5.1.1

Step up your Open Source Security Game with WhiteSource here

property 'heartbeat.sender.cronExpression' is no longer supported.

When I installed Alfresco Content Services Community 6.2 GA, the following log was output to catalina.out.

2020-01-04 22:20:47,357  WARN  [heartbeat.datasender.HBDataSenderServiceBuilder] [localhost-startStop-1] Setting the Heartbeat sender cron with property 'heartbeat.sender.cronExpression' is no longer supported.

heartbeat.sender.cronExpression appears to be used in the following beans:

https://github.com/Alfresco/alfresco-repository/blob/76ebd2d850802268ecf072e55200f7fffcbb19ff/src/main/resources/alfresco/heartbeat/heartbeat-context.xml#L11

When I open the target source in Intellij IDEA, the following is DEPRECATED.

https://github.com/Alfresco/alfresco-repository/blob/3aa4d1bb14981bc25e8d76fb44e8a73531b63dd0/src/main/java/org/alfresco/heartbeat/HBDataSenderServiceFactory.java#L82

Is it possible to have tags added for Alfresco releases?

There is a branch for 5.2.6. It would be super helpful if there were tags added for releases. In particular I'm trying to understand some changes between 5.2.5 and 5.2.6. Because there is no branch (that I can find) for 5.2.5, I'm left with an odd mixture of using Github to look at 5.2.6 source and exploding jar files in a 5.2.5 deployment and attempting to infer some changes.

CVE-2018-14719 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-14719 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

alfresco-heartbeat-data-sender-1.0.9.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: 62ed25becc3b352a9e9ad2f3c703f276d6361d10

Vulnerability Details

Publish Date: 2019-01-02

URL: CVE-2018-14719

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14719

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Step up your Open Source Security Game with WhiteSource here

CVE-2018-11797 Medium Severity Vulnerability detected by WhiteSource

CVE-2018-11797 - Medium Severity Vulnerability

Vulnerable Library - pdfbox-2.0.8.jar

The Apache PDFBox library is an open source Java tool for working with PDF documents.

Library home page: http://www.apache.org/pdfbox-parent/pdfbox/

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: 2/repository/org/apache/pdfbox/pdfbox/2.0.8/pdfbox-2.0.8.jar

Dependency Hierarchy:

❌ pdfbox-2.0.8.jar (Vulnerable Library)

Found in HEAD commit: a6b33c7b9104af395c59b8805bd5b78bc5e7e3ef

Vulnerability Details

In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.

Publish Date: 2018-10-05

URL: CVE-2018-11797

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11797

Release Date: 2019-04-08

Fix Resolution: 1.8.16,2.0.12

Step up your Open Source Security Game with WhiteSource here

CVE-2018-14721 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-14721 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

alfresco-heartbeat-data-sender-1.0.9.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: 62ed25becc3b352a9e9ad2f3c703f276d6361d10

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14721

CVSS 3 Score Details (10.0)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14721

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Step up your Open Source Security Game with WhiteSource here

CVE-2015-5211 High Severity Vulnerability detected by WhiteSource

CVE-2015-5211 - High Severity Vulnerability

Vulnerable Library - spring-webmvc-3.2.14.RELEASE.jar

Spring Web MVC

path: /root/.m2/repository/org/springframework/spring-webmvc/3.2.14.RELEASE/spring-webmvc-3.2.14.RELEASE.jar

Library home page: https://github.com/SpringSource/spring-framework

Dependency Hierarchy:

spring-webscripts-6.21.jar (Root Library)
- ❌ spring-webmvc-3.2.14.RELEASE.jar (Vulnerable Library)

Vulnerability Details

Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

Publish Date: 2017-05-25

URL: CVE-2015-5211

CVSS 3 Score Details (8.6)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2015-5211

Fix Resolution: Users of affected Spring Framework versions should upgrade as follows: For 3.2.x upgrade to 3.2.15+. For 4.0.x and 4.1.x upgrade to 4.1.8+. For 4.2.x upgrade to 4.2.2+. In the above mentioned versions Spring MVC checks if the URL contains a file extension prior to writing with an HttpMessageConverter, and if the extension is unknown a “Content-Disposition” response header is added to suggest the download filename “f.txt”. The list of “known” extensions by default includes the ones associated with the built-in HttpMessageConverter implementations as well as any additional extensions explicitly registered for content negotiation purposes. For 4.x the fix also includes URL checks for SockJS URLs and validation of the JSONP callback parameter in all areas where JSONP is supported.

Step up your Open Source Security Game with WhiteSource here

CVE-2016-2510 High Severity Vulnerability detected by WhiteSource

CVE-2016-2510 - High Severity Vulnerability

Vulnerable Library - bsh-1.3.0.jar

Lightweight Scripting for Java

Library home page: http://www.beanshell.org/

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: 2/repository/org/beanshell/bsh/1.3.0/bsh-1.3.0.jar

Dependency Hierarchy:

❌ bsh-1.3.0.jar (Vulnerable Library)

Found in HEAD commit: 8772e46910898980b9886bc744b7acb4849cabf8

Vulnerability Details

BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.

Publish Date: 2016-04-07

URL: CVE-2016-2510

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security.gentoo.org/glsa/201607-17

Release Date: 2016-07-30

Fix Resolution: All BeanShell users should upgrade to the latest version >= bsh-2.0_beta6

Step up your Open Source Security Game with WhiteSource here

The display name of the scheduled job is incorrect.

Hi.

When accessing the URL of <Base URL>/alfresco/service/enterprise/admin/admin-scheduledjobs and viewing the list of scheduled jobs, the display name of the job looks like a Java memory address.

The following image is an example. In fact, there are other things that look like this.

Error starting alfresco - relation "alf_server" does not exist

I am migrating the current version that I use from Alfresco to a stack with transform-core-aio.
If I execute this stack without using my current volumes, the system works correctly, but when updating using the current volumes, the error below occurs:

2020-09-22 07:59:27,012  ERROR [repo.descriptor.RepositoryDescriptorDAOImpl] [localhost-startStop-1] updateDescriptor: 
org.springframework.jdbc.BadSqlGrammarException: 
### Error querying database.  Cause: org.postgresql.util.PSQLException: ERROR: relation "alf_server" does not exist
  Position: 93
### The error may exist in alfresco/ibatis/#resource.dialect#/node-common-SqlMap.xml
### The error may involve alfresco.node.select_ServerByIpAddress-Inline
### The error occurred while setting parameters
### SQL: select             id,             version,             ip_address         from             alf_server         where             ip_address = ?
### Cause: org.postgresql.util.PSQLException: ERROR: relation "alf_server" does not exist
  Position: 93
; bad SQL grammar []; nested exception is org.postgresql.util.PSQLException: ERROR: relation "alf_server" does not exist
  Position: 93
	at org.springframework.jdbc.support.SQLErrorCodeSQLExceptionTranslator.doTranslate(SQLErrorCodeSQLExceptionTranslator.java:235)
	at org.springframework.jdbc.support.AbstractFallbackSQLExceptionTranslator.translate(AbstractFallbackSQLExceptionTranslator.java:72)
	at org.mybatis.spring.MyBatisExceptionTranslator.translateExceptionIfPossible(MyBatisExceptionTranslator.java:74)
	at org.mybatis.spring.SqlSessionTemplate$SqlSessionInterceptor.invoke(SqlSessionTemplate.java:421)
	at com.sun.proxy.$Proxy19.selectList(Unknown Source)
	at org.mybatis.spring.SqlSessionTemplate.selectList(SqlSessionTemplate.java:206)
	at org.alfresco.repo.domain.node.ibatis.NodeDAOImpl.selectServer(NodeDAOImpl.java:233)
	at org.alfresco.repo.domain.node.AbstractNodeDAOImpl$ServerIdCallback.getWithWriteLock(AbstractNodeDAOImpl.java:463)
	at org.alfresco.repo.domain.node.AbstractNodeDAOImpl$ServerIdCallback.getWithWriteLock(AbstractNodeDAOImpl.java:1)
	at org.alfresco.util.ReadWriteLockExecuter.execute(ReadWriteLockExecuter.java:103)
	at org.alfresco.repo.domain.node.AbstractNodeDAOImpl.getServerId(AbstractNodeDAOImpl.java:487)
	at org.alfresco.repo.domain.node.AbstractNodeDAOImpl.getCurrentTransaction(AbstractNodeDAOImpl.java:653)
	at org.alfresco.repo.domain.node.AbstractNodeDAOImpl.updateNodeImpl(AbstractNodeDAOImpl.java:1858)
	at org.alfresco.repo.domain.node.AbstractNodeDAOImpl.touchNode(AbstractNodeDAOImpl.java:1775)
	at org.alfresco.repo.domain.node.AbstractNodeDAOImpl.setNodePropertiesImpl(AbstractNodeDAOImpl.java:2356)
	at org.alfresco.repo.domain.node.AbstractNodeDAOImpl.addNodeProperties(AbstractNodeDAOImpl.java:2463)
	at org.alfresco.repo.node.db.DbNodeServiceImpl.addAspectsAndProperties(DbNodeServiceImpl.java:563)
	at org.alfresco.repo.node.db.DbNodeServiceImpl.addAspectsAndProperties(DbNodeServiceImpl.java:465)
	at org.alfresco.repo.node.db.DbNodeServiceImpl.addProperties_aroundBody64(DbNodeServiceImpl.java:1679)
	at org.alfresco.repo.node.db.DbNodeServiceImpl$AjcClosure65.run(DbNodeServiceImpl.java:1)
	at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:257)
	at org.alfresco.traitextender.AJExtender.localProceed(AJExtender.java:728)
	at org.alfresco.traitextender.AJProxyTrait.invoke(AJProxyTrait.java:86)
	at com.sun.proxy.$Proxy30.addProperties(Unknown Source)
	at org.alfresco.repo.virtual.bundle.VirtualNodeServiceExtension.addProperties(VirtualNodeServiceExtension.java:1118)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.alfresco.traitextender.SingletonExtensionFactory$TraiSingletontHandler.invoke(SingletonExtensionFactory.java:74)
	at com.sun.proxy.$Proxy222.addProperties(Unknown Source)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.alfresco.traitextender.AJExtender.extendAroundAdvice(AJExtender.java:654)
	at org.alfresco.traitextender.RouteExtensions.ajc$inlineAccessMethod$org_alfresco_traitextender_RouteExtensions$org_alfresco_traitextender_AJExtender$extendAroundAdvice(RouteExtensions.java:1)
	at org.alfresco.traitextender.RouteExtensions.intercept(RouteExtensions.java:85)
	at org.alfresco.repo.node.db.DbNodeServiceImpl.addProperties(DbNodeServiceImpl.java:1668)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:343)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
	at org.alfresco.repo.lock.mem.LockableAspectInterceptor.invoke(LockableAspectInterceptor.java:239)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
	at com.sun.proxy.$Proxy33.addProperties(Unknown Source)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:343)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
	at org.alfresco.repo.tenant.MultiTNodeServiceInterceptor.invoke(MultiTNodeServiceInterceptor.java:111)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
	at com.sun.proxy.$Proxy33.addProperties(Unknown Source)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.alfresco.repo.service.StoreRedirectorProxyFactory$RedirectorInvocationHandler.invoke(StoreRedirectorProxyFactory.java:231)
	at com.sun.proxy.$Proxy54.addProperties(Unknown Source)
	at org.alfresco.repo.node.MLPropertyInterceptor.invoke(MLPropertyInterceptor.java:241)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
	at org.alfresco.repo.node.NodeRefPropertyMethodInterceptor.invoke(NodeRefPropertyMethodInterceptor.java:276)
	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
	at com.sun.proxy.$Proxy33.addProperties(Unknown Source)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:343)
	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:205)
	at com.sun.proxy.$Proxy33.addProperties(Unknown Source)
	at org.alfresco.repo.descriptor.RepositoryDescriptorDAOImpl.updateDescriptor(RepositoryDescriptorDAOImpl.java:217)
	at org.alfresco.repo.descriptor.DescriptorServiceImpl$NOOPLicenseService$1.execute(DescriptorServiceImpl.java:472)
	at org.alfresco.repo.descriptor.DescriptorServiceImpl$NOOPLicenseService$1.execute(DescriptorServiceImpl.java:1)
	at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:450)
	at org.alfresco.repo.descriptor.DescriptorServiceImpl$NOOPLicenseService.verifyLicense(DescriptorServiceImpl.java:478)
	at org.alfresco.repo.descriptor.DescriptorServiceImpl.bootstrap(DescriptorServiceImpl.java:382)
	at org.alfresco.repo.descriptor.DescriptorServiceImpl.access$7(DescriptorServiceImpl.java:328)
	at org.alfresco.repo.descriptor.DescriptorServiceImpl$5.doWork(DescriptorServiceImpl.java:318)
	at org.alfresco.repo.descriptor.DescriptorServiceImpl$5.doWork(DescriptorServiceImpl.java:1)
	at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:602)
	at org.alfresco.repo.descriptor.DescriptorServiceImpl.onBootstrap(DescriptorServiceImpl.java:322)
	at org.springframework.extensions.surf.util.AbstractLifecycleBean.onApplicationEvent(AbstractLifecycleBean.java:56)
	at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEventInternal(SafeApplicationEventMulticaster.java:221)
	at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEvent(SafeApplicationEventMulticaster.java:186)
	at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEvent(SafeApplicationEventMulticaster.java:206)
	at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:402)
	at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:359)
	at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:896)
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:552)
	at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:401)
	at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:292)
	at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:103)
	at org.alfresco.web.app.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:70)
	at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4699)
	at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5165)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:743)
	at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
	at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
	at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:717)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:714)
	at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1125)
	at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1859)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.postgresql.util.PSQLException: ERROR: relation "alf_server" does not exist
  Position: 93
	at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2533)
	at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2268)
	at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:313)
	at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:448)
	at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:369)
	at org.postgresql.jdbc.PgPreparedStatement.executeWithFlags(PgPreparedStatement.java:159)
	at org.postgresql.jdbc.PgPreparedStatement.execute(PgPreparedStatement.java:148)
	at org.apache.commons.dbcp.DelegatingPreparedStatement.execute(DelegatingPreparedStatement.java:172)
	at org.apache.commons.dbcp.DelegatingPreparedStatement.execute(DelegatingPreparedStatement.java:172)
	at org.apache.commons.dbcp.DelegatingPreparedStatement.execute(DelegatingPreparedStatement.java:172)
	at org.apache.ibatis.executor.statement.PreparedStatementHandler.query(PreparedStatementHandler.java:62)
	at org.apache.ibatis.executor.statement.RoutingStatementHandler.query(RoutingStatementHandler.java:78)
	at org.apache.ibatis.executor.SimpleExecutor.doQuery(SimpleExecutor.java:62)
	at org.apache.ibatis.executor.BaseExecutor.queryFromDatabase(BaseExecutor.java:303)
	at org.apache.ibatis.executor.BaseExecutor.query(BaseExecutor.java:154)
	at org.apache.ibatis.executor.CachingExecutor.query(CachingExecutor.java:102)
	at org.apache.ibatis.executor.CachingExecutor.query(CachingExecutor.java:82)
	at org.apache.ibatis.session.defaults.DefaultSqlSession.selectList(DefaultSqlSession.java:120)
	at org.apache.ibatis.session.defaults.DefaultSqlSession.selectList(DefaultSqlSession.java:113)
	at org.alfresco.ibatis.SqlSessionMetricsWrapper.selectList(SqlSessionMetricsWrapper.java:131)
	at jdk.internal.reflect.GeneratedMethodAccessor262.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at org.mybatis.spring.SqlSessionTemplate$SqlSessionInterceptor.invoke(SqlSessionTemplate.java:408)
	... 116 more
2020-09-22 07:59:27,158  ERROR [repo.descriptor.RepositoryDescriptorDAOImpl] [localhost-startStop-1] updateDescriptor: 
org.springframework.jdbc.BadSqlGrammarException: 
### Error querying database.  Cause: org.postgresql.util.PSQLException: ERROR: relation "alf_server" does not exist
  Position: 93
### The error may exist in alfresco/ibatis/#resource.dialect#/node-common-SqlMap.xml
### The error may involve alfresco.node.select_ServerByIpAddress-Inline
### The error occurred while setting parameters
### SQL: select             id,             version,             ip_address         from             alf_server         where             ip_address = ?
### Cause: org.postgresql.util.PSQLException: ERROR: relation "alf_server" does not exist
  Position: 93

My current version is: Community - 6.3.0 (r44c1063b-b381) using the separate conversion containers.

I'm upgrading to the latest version published on the dockerhub centralizing conversions with transform-ore-aio

CVE-2018-12023 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-12023 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

alfresco-heartbeat-data-sender-1.0.9.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: 92474780e3bbd322e2a9efe51c6d5ff335e34289

Vulnerability Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-03-21

URL: CVE-2018-12023

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022

Release Date: 2019-03-21

Fix Resolution: 2.7.9.4, 2.8.11.2, 2.9.6

Step up your Open Source Security Game with WhiteSource here

CVE-2018-1324 Medium Severity Vulnerability detected by WhiteSource

CVE-2018-1324 - Medium Severity Vulnerability

Vulnerable Library - commons-compress-1.15.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, LZ4, Brotli and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: http://commons.apache.org/proper/commons-compress/

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: 2/repository/org/apache/commons/commons-compress/1.15/commons-compress-1.15.jar

Dependency Hierarchy:

❌ commons-compress-1.15.jar (Vulnerable Library)

Found in HEAD commit: a6b33c7b9104af395c59b8805bd5b78bc5e7e3ef

Vulnerability Details

A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2018-03-16

URL: CVE-2018-1324

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1324

Release Date: 2018-03-16

Fix Resolution: 1.16

Step up your Open Source Security Game with WhiteSource here

CVE-2018-19360 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-19360 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

alfresco-heartbeat-data-sender-1.0.9.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: 92474780e3bbd322e2a9efe51c6d5ff335e34289

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19360

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Step up your Open Source Security Game with WhiteSource here

WS-2009-0001 Low Severity Vulnerability detected by WhiteSource

WS-2009-0001 - Low Severity Vulnerability

Vulnerable Library - commons-codec-1.11.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Library home page: http://commons.apache.org/proper/commons-codec/

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: 2/repository/commons-codec/commons-codec/1.11/commons-codec-1.11.jar

Dependency Hierarchy:

❌ commons-codec-1.11.jar (Vulnerable Library)

Found in HEAD commit: 8772e46910898980b9886bc744b7acb4849cabf8

Vulnerability Details

Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.

Updated 2018-10-07 - an additional review by WhiteSource research team could not indicate on a clear security vulnerability

Publish Date: 2007-10-07

URL: WS-2009-0001

CVSS 2 Score Details (0.0)

Base Score Metrics not available

Step up your Open Source Security Game with WhiteSource here

CVE-2018-14720 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-14720 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

alfresco-heartbeat-data-sender-1.0.9.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: 92474780e3bbd322e2a9efe51c6d5ff335e34289

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14720

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Step up your Open Source Security Game with WhiteSource here

CVE-2018-12022 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-12022 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

alfresco-heartbeat-data-sender-1.0.9.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: 92474780e3bbd322e2a9efe51c6d5ff335e34289

Vulnerability Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-03-21

URL: CVE-2018-12022

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022

Release Date: 2019-03-21

Fix Resolution: 2.7.9.4, 2.8.11.2, 2.9.6

Step up your Open Source Security Game with WhiteSource here

CVE-2018-11040 Medium Severity Vulnerability detected by WhiteSource

CVE-2018-11040 - Medium Severity Vulnerability

Vulnerable Library - spring-web-5.0.4.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: 2/repository/org/springframework/spring-web/5.0.4.RELEASE/spring-web-5.0.4.RELEASE.jar

Dependency Hierarchy:

❌ spring-web-5.0.4.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: a6b33c7b9104af395c59b8805bd5b78bc5e7e3ef

Vulnerability Details

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

Publish Date: 2018-06-25

URL: CVE-2018-11040

CVSS 3 Score Details (5.9)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11040

Release Date: 2018-06-25

Fix Resolution: 5.0.7,4.3.18

Step up your Open Source Security Game with WhiteSource here

CVE-2018-1272 High Severity Vulnerability detected by WhiteSource

CVE-2018-1272 - High Severity Vulnerability

Vulnerable Library - spring-core-5.0.4.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: 2/repository/org/springframework/spring-core/5.0.4.RELEASE/spring-core-5.0.4.RELEASE.jar

Dependency Hierarchy:

❌ spring-core-5.0.4.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: a6b33c7b9104af395c59b8805bd5b78bc5e7e3ef

Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Publish Date: 2018-04-06

URL: CVE-2018-1272

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1272

Release Date: 2018-04-06

Fix Resolution: v4.3.15.RELEASE,v5.0.5.RELEASE

Step up your Open Source Security Game with WhiteSource here

CVE-2018-11771 Medium Severity Vulnerability detected by WhiteSource

CVE-2018-11771 - Medium Severity Vulnerability

Vulnerable Library - commons-compress-1.15.jar

Library home page: http://commons.apache.org/proper/commons-compress/

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: 2/repository/org/apache/commons/commons-compress/1.15/commons-compress-1.15.jar

Dependency Hierarchy:

❌ commons-compress-1.15.jar (Vulnerable Library)

Found in HEAD commit: a6b33c7b9104af395c59b8805bd5b78bc5e7e3ef

Vulnerability Details

When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2018-08-16

URL: CVE-2018-11771

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11771

Release Date: 2019-04-08

Fix Resolution: 1.18

Step up your Open Source Security Game with WhiteSource here

Unit tests hang: java.sql.SQLException: Data source is closed

fresh checkout of tag alfresco-repository-7.43
empty PostgreSQL database created

$ mvn clean test \
  -Ddb.driver=org.postgresql.Driver \
  -Ddb.name=alfresco-6 \
  -Ddb.url=jdbc:postgresql:alfresco-6 \
  -Ddb.username=lutz \
  -Ddb.password=lutz

Tail on target/surefire-reports/org.alfresco.RepositoryStartStopTest-output.txt:

2019-04-11 11:36:20,802  DEBUG [repo.transaction.RetryingTransactionHelper] [JobLockService1]
Transaction commit failed:
   Thread: JobLockService1
   Txn:    UserTransaction[object=org.alfresco.util.transaction.SpringAwareUserTransaction@3cd249ab, status=6]
   Iteration: 4
   Exception follows:
 org.alfresco.util.transaction.ConnectionPoolException: 03110086 The DB connection pool is depleted.
        at org.alfresco.util.transaction.SpringAwareUserTransaction.begin(SpringAwareUserTransaction.java:418)
        at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:439)
        at org.alfresco.repo.lock.JobLockServiceImpl.releaseLockVerify(JobLockServiceImpl.java:477)
        at org.alfresco.repo.lock.JobLockServiceImpl$2.run(JobLockServiceImpl.java:385)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: org.springframework.transaction.CannotCreateTransactionException: Could not open JDBC Connection for transaction; nested exception is java.sql.SQLException: Data source is closed
        at org.springframework.jdbc.datasource.DataSourceTransactionManager.doBegin(DataSourceTransactionManager.java:305)
        at org.springframework.transaction.support.AbstractPlatformTransactionManager.getTransaction(AbstractPlatformTransactionManager.java:378)
        at org.springframework.transaction.interceptor.TransactionAspectSupport.createTransactionIfNecessary(TransactionAspectSupport.java:474)
        at org.alfresco.util.transaction.SpringAwareUserTransaction.begin(SpringAwareUserTransaction.java:413)
        ... 10 more
Caused by: java.sql.SQLException: Data source is closed
        at org.apache.commons.dbcp.BasicDataSource.createDataSource(BasicDataSource.java:1362)
        at org.apache.commons.dbcp.BasicDataSource.getConnection(BasicDataSource.java:1044)
        at org.springframework.jdbc.datasource.DataSourceTransactionManager.doBegin(DataSourceTransactionManager.java:262)
        ... 13 more

The unit test uses 11 databae connections:

lutz@localhost:alfresco-6> select usename, application_name
 from pg_stat_activity
 where datname = 'alfresco-6';
+-----------+------------------------+
| usename   | application_name       |
|-----------+------------------------|
| lutz      | pgcli                  |
| lutz      | PostgreSQL JDBC Driver |
| lutz      | PostgreSQL JDBC Driver |
| lutz      | PostgreSQL JDBC Driver |
| lutz      | PostgreSQL JDBC Driver |
| lutz      | PostgreSQL JDBC Driver |
| lutz      | PostgreSQL JDBC Driver |
| lutz      | PostgreSQL JDBC Driver |
| lutz      | PostgreSQL JDBC Driver |
| lutz      | PostgreSQL JDBC Driver |
| lutz      | PostgreSQL JDBC Driver |
| lutz      | PostgreSQL JDBC Driver |
+-----------+------------------------+
SELECT 12

What is missing?

CVE-2016-5007 High Severity Vulnerability detected by WhiteSource

CVE-2016-5007 - High Severity Vulnerability

Vulnerable Library - spring-webmvc-3.2.14.RELEASE.jar

Spring Web MVC

path: /root/.m2/repository/org/springframework/spring-webmvc/3.2.14.RELEASE/spring-webmvc-3.2.14.RELEASE.jar

Library home page: https://github.com/SpringSource/spring-framework

Dependency Hierarchy:

spring-webscripts-6.21.jar (Root Library)
- ❌ spring-webmvc-3.2.14.RELEASE.jar (Vulnerable Library)

Vulnerability Details

Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.

Publish Date: 2017-05-25

URL: CVE-2016-5007

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2016-5007

Release Date: 2017-05-25

Fix Resolution: v4.3.0

Step up your Open Source Security Game with WhiteSource here

CVE-2018-1000180 (High) detected in bcprov-jdk15on-1.59.jar

CVE-2018-1000180 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.59.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: 2/repository/org/bouncycastle/bcprov-jdk15on/1.59/bcprov-jdk15on-1.59.jar

Dependency Hierarchy:

❌ bcprov-jdk15on-1.59.jar (Vulnerable Library)

Found in HEAD commit: 92474780e3bbd322e2a9efe51c6d5ff335e34289

Vulnerability Details

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

Publish Date: 2018-06-05

URL: CVE-2018-1000180

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: bcgit/bc-java@73780ac

Release Date: 2018-04-19

Fix Resolution: Replace or update the following file: RSAKeyPairGenerator.java

Step up your Open Source Security Game with WhiteSource here

CVE-2018-1000613 (High) detected in bcprov-jdk15on-1.59.jar

CVE-2018-1000613 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.59.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: 2/repository/org/bouncycastle/bcprov-jdk15on/1.59/bcprov-jdk15on-1.59.jar

Dependency Hierarchy:

❌ bcprov-jdk15on-1.59.jar (Vulnerable Library)

Found in HEAD commit: 92474780e3bbd322e2a9efe51c6d5ff335e34289

Vulnerability Details

Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.

Publish Date: 2018-07-09

URL: CVE-2018-1000613

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1000613

Release Date: 2018-07-09

Fix Resolution: 1.60

Step up your Open Source Security Game with WhiteSource here

CVE-2018-14721 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-14721 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

alfresco-heartbeat-data-sender-1.0.9.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: 92474780e3bbd322e2a9efe51c6d5ff335e34289

Vulnerability Details

Publish Date: 2019-01-02

URL: CVE-2018-14721

CVSS 3 Score Details (10.0)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14721

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Step up your Open Source Security Game with WhiteSource here

CVE-2018-14720 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-14720 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

alfresco-heartbeat-data-sender-1.0.9.jar (Root Library)
- ❌ jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: 62ed25becc3b352a9e9ad2f3c703f276d6361d10

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14720

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Step up your Open Source Security Game with WhiteSource here

CVE-2018-11039 Medium Severity Vulnerability detected by WhiteSource

CVE-2018-11039 - Medium Severity Vulnerability

Vulnerable Library - spring-web-5.0.4.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /alfresco-repository/pom.xml

Path to vulnerable library: 2/repository/org/springframework/spring-web/5.0.4.RELEASE/spring-web-5.0.4.RELEASE.jar

Dependency Hierarchy:

❌ spring-web-5.0.4.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: a6b33c7b9104af395c59b8805bd5b78bc5e7e3ef

Vulnerability Details

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Publish Date: 2018-06-25

URL: CVE-2018-11039

CVSS 3 Score Details (5.9)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11039

Release Date: 2018-06-25

Fix Resolution: 5.0.7,4.3.18

Step up your Open Source Security Game with WhiteSource here

alfrescoarchive / alfresco-repository Goto Github PK

alfresco-repository's Introduction

This project has now been Archived

Alfresco Repository

Building and testing

Artifacts

Contributing guide

alfresco-repository's People

Contributors

Stargazers

Watchers

Forkers

alfresco-repository's Issues

CVE-2018-19362 - High Severity Vulnerability

CVE-2019-0194 - High Severity Vulnerability

BUG

Expected behavior

Actual behavior

Steps to reproduce the behavior

Additional details (analysis so far, log statements, references, etc.)

Tell us about your environment

CVE-2016-9878 - High Severity Vulnerability

CVE-2018-5968 - High Severity Vulnerability

CVE-2018-19361 - High Severity Vulnerability

CVE-2018-5968 - High Severity Vulnerability

CVE-2018-19361 - High Severity Vulnerability

CVE-2018-11307 - Medium Severity Vulnerability

CVE-2018-19360 - High Severity Vulnerability

CVE-2018-14718 - High Severity Vulnerability

CVE-2019-12086 - Medium Severity Vulnerability

CVE-2018-14718 - High Severity Vulnerability

CVE-2018-19362 - High Severity Vulnerability

CVE-2018-10237 - Medium Severity Vulnerability

CVE-2018-14719 - High Severity Vulnerability

CVE-2018-15756 - High Severity Vulnerability

CVE-2018-14719 - High Severity Vulnerability

CVE-2018-11797 - Medium Severity Vulnerability

CVE-2018-14721 - High Severity Vulnerability

CVE-2015-5211 - High Severity Vulnerability

CVE-2016-2510 - High Severity Vulnerability

CVE-2018-12023 - High Severity Vulnerability

CVE-2018-1324 - Medium Severity Vulnerability

CVE-2018-19360 - High Severity Vulnerability

WS-2009-0001 - Low Severity Vulnerability

CVE-2018-14720 - High Severity Vulnerability

CVE-2018-12022 - High Severity Vulnerability

CVE-2018-11040 - Medium Severity Vulnerability

CVE-2018-1272 - High Severity Vulnerability

CVE-2018-11771 - Medium Severity Vulnerability

CVE-2016-5007 - High Severity Vulnerability

CVE-2018-1000180 - High Severity Vulnerability

CVE-2018-1000613 - High Severity Vulnerability

CVE-2018-14721 - High Severity Vulnerability

CVE-2018-14720 - High Severity Vulnerability

CVE-2018-11039 - Medium Severity Vulnerability

Recommend Projects

Recommend Topics

Recommend Org