Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2020-13956 |
CWE-ID | CWE-20 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Anolis OS (Operating systems & Components / Operating system); slf4j, sisu, plexus-utils, plexus-sec-dispatcher, plexus-interpolation, plexus-containers-component-annotations, plexus-classworlds, plexus-cipher, maven-wagon, maven-shared-utils, maven-resolver, maven-openjdk8, maven-openjdk17, maven-openjdk11, maven-lib, maven, jsr-305, jsoup, jcl-over-slf4j, jansi, httpcomponents-core, httpcomponents-client, guava, google-guice, geronimo-annotation, cdi-api, atinject, apache-commons-lang3, apache-commons-io, apache-commons-codec, apache-commons-cli, aopalliance (Operating systems & Components / Operating system package or component) |
Vendor | OpenAnolis |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU47481
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-13956
CWE-ID: CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the affected application.
The vulnerability exists due to insufficient validation of user-supplied input in Apache HttpClient. A remote attacker can pass request URIs to the library as a java.net.URI object and force the application to pick the wrong target host for request execution.
Mitigation
Install updates from vendor's repository.
Vulnerable software versions
Anolis OS: 8
slf4j: before 1.7.28-3
sisu: before 0.3.4-2
plexus-utils: before 3.3.0-3
plexus-sec-dispatcher: before 1.4-29
plexus-interpolation: before 1.26-3
plexus-containers-component-annotations: before 2.1.0-2
plexus-classworlds: before 2.6.0-4
plexus-cipher: before 1.7-17
maven-wagon: before 3.3.4-2
maven-shared-utils: before 3.2.1-0.4
maven-resolver: before 1.4.1-3
maven-openjdk8: before 3.6.2-7
maven-openjdk17: before 3.6.2-7
maven-openjdk11: before 3.6.2-7
maven-lib: before 3.6.2-7
maven: before 3.6.2-7
jsr-305: before 0-0.25.20130910svn
jsoup: before 1.12.1-3
jcl-over-slf4j: before 1.7.28-3
jansi: before 1.18-4
httpcomponents-core: before 4.4.12-3
httpcomponents-client: before 4.5.10-4
guava: before 28.1-3
google-guice: before 4.2.2-4
geronimo-annotation: before 1.0-26
cdi-api: before 2.0.1-3
atinject: before 1-31.20100611svn86
apache-commons-lang3: before 3.9-4
apache-commons-io: before 2.6-6
apache-commons-codec: before 1.13-3
apache-commons-cli: before 1.4-7
aopalliance: before 1.0-20
CPE2.3
https://anas.openanolis.cn/errata/detail/ANSA-2022:0464
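The check implied by the mitigation and version list above, as an added example that is not part of the bulletin or of any vendor tooling: it compares installed package versions against the bulletin's fixed versions using a simplified RPM version comparison. The sample package list and its `.an8` release suffixes are constructed, and only a subset of the bulletin's packages is included.

```python
import re

# Fixed versions copied from the bulletin (a subset of its full package list).
FIXED = {
    "httpcomponents-client": "4.5.10-4",
    "httpcomponents-core": "4.4.12-3",
    "maven": "3.6.2-7",
    "jsoup": "1.12.1-3",
    "guava": "28.1-3",
}
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Compare two RPM version/release strings (-1, 0, 1); no tilde/caret support."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)            # compare numbers, not strings
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_before(installed, fixed):
    """True if the installed VERSION-RELEASE sorts before the fixed one."""
    iv, _, ir = installed.rpartition("-")
    fv, _, fr = fixed.rpartition("-")
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) < 0

def outdated(installed_lines):
    """Names of listed packages still below the bulletin's fixed version."""
    hits = []
    for line in installed_lines.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] in FIXED and is_before(fields[1], FIXED[fields[0]]):
            hits.append(fields[0])
    return hits

# Constructed sample, shaped like: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
SAMPLE = """\
httpcomponents-client 4.5.10-3.an8
httpcomponents-core 4.4.12-3.an8
maven 3.5.4-5.an8
guava 28.1-2.an8
bash 4.4.20-4.an8
"""
print(outdated(SAMPLE))
```

Epochs are not compared because the bulletin lists none; a release with a distribution suffix such as `3.an8` sorts after the bare `3`, so a package at the fixed release is not flagged.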
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.