mule4.3x-v2.1.0: Merge pull request #50 from mulesoft-consulting/mule-4.3.x+

2022-11-17T18:40:47Z

Merge pull request #50 from mulesoft-consulting/mule-4.3.x+

# JSON Logger 2.0.1 Vulnerabilities Fixed in this PR

## Critical Severity

- ✗ XML External Entity (XXE) Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754] in com.fasterxml.woodstox:woodstox-core@5.0.2
introduced by org.mule.services:mule-service-weave:mule-service@2.1.2 > org.mule.weave:runtime@2.1.2 > org.mule.weave:core-modules@2.1.2 > com.fasterxml.woodstox:woodstox-core@5.0.2
This issue was fixed in versions: 5.3.0
- ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGMULERUNTIME-1089453] in org.mule.runtime:mule-core@4.1.1
introduced by org.mule.runtime:mule-core@4.1.1
This issue was fixed in versions: 4.3.0
- ✗ XML External Entity (XXE) Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGMULERUNTIME-1089455] in org.mule.runtime:mule-core@4.1.1
introduced by org.mule.runtime:mule-core@4.1.1
This issue was fixed in versions: 4.3.0
- ✗ Remote Code Execution [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751] in org.springframework:spring-beans@5.1.6.RELEASE
introduced by org.mule.connectors:mule-jms-connector:mule-plugin@1.6.3 > org.mule.connectors:mule-jms-client@1.6.2 > org.springframework:spring-jms@5.1.6.RELEASE > org.springframework:spring-beans@5.1.6.RELEASE
This issue was fixed in versions: 5.2.20, 5.3.18

## High Severity

- ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360] in org.yaml:snakeyaml@1.18
introduced by org.mule.runtime:mule-core@4.1.1 > org.yaml:snakeyaml@1.18
This issue was fixed in versions: 1.31
- ✗ XML External Entity (XXE) Injection [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302] in com.fasterxml.jackson.core:jackson-databind@2.10.3
introduced by com.fasterxml.jackson.core:jackson-databind@2.10.3
- ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244] in com.fasterxml.jackson.core:jackson-databind@2.10.3
introduced by com.fasterxml.jackson.core:jackson-databind@2.10.3
- ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-NETMINIDEV-1078499] in net.minidev:json-smart@2.3
introduced by com.jayway.jsonpath:json-path@2.4.0 > net.minidev:json-smart@2.3
- ✗ XML External Entity (XXE) Injection [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-DOM4J-174153] in dom4j:dom4j@1.6.1
introduced by org.mule.runtime:mule-module-extensions-spring-support@4.1.1 > dom4j:dom4j@1.6.1
No upgrade or patch available
- ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGJSON-2841369] in org.json:json@20160810
introduced by org.mule.runtime:mule-metadata-model-json@1.1.1 > org.everit.json:org.everit.json.schema@1.5.0 > org.json:json@20160810
This issue was fixed in versions: 20180130
- ✗ XML External Entity (XXE) Injection [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-DOM4J-2812975] in dom4j:dom4j@1.6.1
introduced by org.mule.runtime:mule-module-extensions-spring-support@4.1.1 > dom4j:dom4j@1.6.1
No upgrade or patch available
- ✗ XML External Entity (XXE) Injection [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEXMLBEANS-1060048] in org.apache.xmlbeans:xmlbeans@2.6.0
introduced by org.mule.runtime:mule-metadata-model-xml@1.1.1 > org.apache.xmlbeans:xmlbeans@2.6.0
This issue was fixed in versions: 3.0.0

## Medium Severity

- ✗ Denial of Service (DoS) (new) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424] in com.fasterxml.jackson.core:jackson-databind@2.10.3
introduced by com.fasterxml.jackson.core:jackson-databind@2.10.3
- ✗ Denial of Service (DoS) (new) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426] in com.fasterxml.jackson.core:jackson-databind@2.10.3
introduced by com.fasterxml.jackson.core:jackson-databind@2.10.3
- ✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] in com.fasterxml.jackson.core:jackson-databind@2.10.3
introduced by com.fasterxml.jackson.core:jackson-databind@2.10.3
- ✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-NETMINIDEV-1298655] in net.minidev:json-smart@2.3
introduced by com.jayway.jsonpath:json-path@2.4.0 > net.minidev:json-smart@2.3
- ✗ Deserialization of Untrusted Data [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327] in com.google.code.gson:gson@2.8.5
introduced by com.mulesoft.muleesb.modules:anypoint-mq-rest-client@3.1.0 > com.google.code.gson:gson@2.8.5
This issue was fixed in versions: 2.8.9
- ✗ Directory Traversal [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMMONSIO-1277109] in commons-io:commons-io@2.6
introduced by org.mule.connectors:mule-jms-connector:mule-plugin@1.6.3 > commons-io:commons-io@2.6
This issue was fixed in versions: 2.7
- ✗ Server-side Request Forgery (SSRF) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGMULERUNTIME-1089457] in org.mule.runtime:mule-core@4.1.1
introduced by org.mule.runtime:mule-core@4.1.1
This issue was fixed in versions: 4.3.0
- ✗ Improper Output Neutralization for Logs [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097] in org.springframework:spring-core@5.0.4.RELEASE
introduced by com.mulesoft.muleesb.modules:anypoint-mq-rest-client@3.1.0 > org.springframework:spring-core@5.0.4.RELEASE
This issue was fixed in versions: 5.3.12, 5.2.18
- ✗ Improper Input Validation [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878] in org.springframework:spring-core@5.0.4.RELEASE
introduced by com.mulesoft.muleesb.modules:anypoint-mq-rest-client@3.1.0 > org.springframework:spring-core@5.0.4.RELEASE
This issue was fixed in versions: 5.2.19.RELEASE, 5.3.14
- ✗ Multipart Content Pollution [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-460644] in org.springframework:spring-core@5.0.4.RELEASE
introduced by com.mulesoft.muleesb.modules:anypoint-mq-rest-client@3.1.0 > org.springframework:spring-core@5.0.4.RELEASE
This issue was fixed in versions: 4.3.14.RELEASE, 5.0.5.RELEASE
- ✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828] in org.springframework:spring-expression@4.1.9.RELEASE
introduced by org.mule.runtime:mule-module-extensions-spring-support@4.1.1 > org.mule.runtime:mule-module-spring-config@4.1.1 > org.springframework:spring-context@4.1.9.RELEASE > org.springframework:spring-expression@4.1.9.RELEASE
This issue was fixed in versions: 5.2.20.RELEASE, 5.3.17
- ✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313] in org.springframework:spring-beans@5.1.6.RELEASE
introduced by org.mule.connectors:mule-jms-connector:mule-plugin@1.6.3 > org.mule.connectors:mule-jms-client@1.6.2 > org.springframework:spring-jms@5.1.6.RELEASE > org.springframework:spring-beans@5.1.6.RELEASE
This issue was fixed in versions: 5.2.22.RELEASE, 5.3.20
- ✗ Improper Handling of Case Sensitivity [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634] in org.springframework:spring-context@4.1.9.RELEASE
introduced by org.mule.runtime:mule-module-extensions-spring-support@4.1.1 > org.mule.runtime:mule-module-spring-config@4.1.1 > org.springframework:spring-context@4.1.9.RELEASE
This issue was fixed in versions: 5.2.21, 5.3.19
- ✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2823310] in org.springframework:spring-messaging@5.1.6.RELEASE
introduced by org.mule.connectors:mule-jms-connector:mule-plugin@1.6.3 > org.mule.connectors:mule-jms-client@1.6.2 > org.springframework:spring-jms@5.1.6.RELEASE > org.springframework:spring-messaging@5.1.6.RELEASE
This issue was fixed in versions: 5.2.22.RELEASE, 5.3.20
- ✗ Stack-based Buffer Overflow [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-3016891] in org.yaml:snakeyaml@1.18
introduced by org.mule.runtime:mule-core@4.1.1 > org.yaml:snakeyaml@1.18
This issue was fixed in versions: 1.31
- ✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-537645] in org.yaml:snakeyaml@1.18
introduced by org.mule.runtime:mule-core@4.1.1 > org.yaml:snakeyaml@1.18
This issue was fixed in versions: 1.26

## Low Severity

- ✗ Information Disclosure [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415] in com.google.guava:guava@25.1-jre
introduced by org.mule.connectors:mule-jms-connector:mule-plugin@1.6.3 > com.google.guava:guava@25.1-jre
This issue was fixed in versions: 30.0-android, 30.0-jre
- ✗ Stack-based Buffer Overflow [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-3016888] in org.yaml:snakeyaml@1.18
introduced by org.mule.runtime:mule-core@4.1.1 > org.yaml:snakeyaml@1.18
This issue was fixed in versions: 1.32
- ✗ Stack-based Buffer Overflow [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-3016889] in org.yaml:snakeyaml@1.18
introduced by org.mule.runtime:mule-core@4.1.1 > org.yaml:snakeyaml@1.18
This issue was fixed in versions: 1.31

Tags from json-logger

v3.0.2

v3.0.1

v3.0.0

v2.2.3

2.2.2

2.2.1

v2.2.0

mule4.3x-v2.1.0: Merge pull request #50 from mulesoft-consulting/mule-4.3.x+