Vulnerabilities in readonlyrest-1.40.0_es7.16.3

Hi,

As per NVD, the Bouncy Castle 1.0.1 and elasticsearch-rest-high-level-client-7.16.3 present in readonlyrest-1.40.0_es7.16.3.zip are vulnerable.

CVE numbers are as follows:

  1. CVE-2007-6721
  2. CVE-2020-26939
  3. CVE-2016-1000338
  4. CVE-2016-1000343
  5. CVE-2016-1000341
  6. CVE-2017-13098
  7. CVE-2020-15522
  8. CVE-2016-1000342
  9. CVE-2016-1000345
  10. CVE-2016-1000352
  11. CVE-2016-1000339
  12. CVE-2016-1000344
  13. CVE-2018-5382
  14. CVE-2016-1000346
  15. CVE-2018-1000180
  16. CVE-2013-1624
  17. CVE-2022-23710
  18. CVE-2022-23708

Please have a look into this.


We are currently looking into this, thanks for the post. @coutoPL please update this thread when you have news.

I cannot confirm it.
We use:
https://mvnrepository.com/artifact/org.bouncycastle/bctls-fips/1.0.12.3 (no CVE)
https://mvnrepository.com/artifact/org.elasticsearch.client/elasticsearch-rest-client/7.16.3 but with https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient/4.5.13 (fixes CVE-2020-13956)

We have a CVE-check in our pipeline and it doesn’t detect anything in ROR 1.40.0 (any ES version).

@Sagarika How did you check this?
