The following is a list of CVEs reported against Distribution's dependencies that either do not impact Distribution or have been resolved in the listed Distribution version. Where the fix version is N/A, the reason column explains why the CVE is not exploitable in Distribution or how it was otherwise addressed.

| CVE | Severity | Distribution Fix Version | Reason |
|---|---|---|---|
| | High | 2.27.2 | Upgraded Spring Framework to a fixed version due to a path traversal vulnerability. |
| | Critical | 2.27.2 | Upgraded observability to a fixed version. |
| | High | 2.26.1 | Upgraded Amazon Ion to a fixed version. |
| | High | 2.25.1 | Upgraded Spring Framework to a fixed version. |
| | Medium | 2.24.0 | Upgraded Bouncy Castle to a fixed version. |
| | Medium | 2.24.0 | Upgraded Netty to a fixed version. |
| | High | 2.24.0 | Upgraded Spring Security to a fixed version. |
| | Medium | 2.21.3 | Upgraded netty-handler to a fixed version. |
| | High | 2.21.3 | Upgraded netty-codec-http2 to a fixed version. |
| | Medium | 2.20.2 | Upgraded Netty to a fixed version. |
| | High | 2.20.1 | Upgraded Google Guava to a fixed version. |
| | High | 2.19.1 | Upgraded fast-xml-parser to a fixed version. |
| | Medium | 2.19.1 | Upgraded Spring Vault Core to a fixed version. |
| | High | 2.18.1 | Upgraded to a fixed version. |
| | Medium | 2.18.1 | Upgraded the SnakeYAML library to a fixed version. |
| | Critical | 2.18.1 | Upgraded Spring Boot to a fixed version. |
| | Medium | 2.18.1 | Upgraded Spring Framework to a fixed version. |
| | Critical | 2.18.1 | Upgraded Spring Security to a fixed version. |
| | High | 2.18.1 | Upgraded to a fixed version. |
| | High | N/A | This dependency is used in the development process only and does not impact the final product. |
| | Medium | N/A | Upgraded to a fixed version. |
| | High | N/A | Distribution does not use the API related to this vulnerability. |
| | High | N/A | Updated the UI common library. |
| | High | N/A | This dependency is used in the development process only and is not included in the final product deployment. |
| | High | N/A | Distribution does not use the vulnerable API. |
| | Medium | N/A | Updating the drivers to 42.5.1 fixed the vulnerability. |
| | Critical | N/A | Upgraded to a fixed version, although Distribution does not use the vulnerable API. |
| | Critical | N/A | Upgraded to a fixed version. |
| | High | N/A | Upgraded to a fixed version. |
| | High | N/A | Upgraded to a fixed version. |
| | Medium | N/A | Upgraded to a fixed version. |
| | Medium | N/A | Upgraded to a fixed version. |
| | Critical | N/A | Does not affect Distribution, since Distribution does not use the potentially harmful constructor. |
| | High | N/A | Does not affect Distribution, since the product uses Tomcat version 9.0.58 and doesn't redefine |
| | Critical | N/A | Does not affect Distribution, since Distribution does not use the vulnerable API. |
| | High | N/A | Upgraded |
| | Medium | N/A | Upgraded |
| | Medium | N/A | Upgraded |
| | Critical | N/A | Does not affect Distribution, since Distribution uses 64-bit Redis and the issue affects only 32-bit systems or a 32-bit Redis executable running on a 64-bit system. |
| | High | 2.12.3 | |
| | Medium | 2.12.0 | |
| | Medium | 2.11.0 | Upgraded the |
| | Medium | N/A | Does not affect Distribution, since the vulnerability only impacts applications running on Java version 6 and lower. |