Patched Vulnerabilities

This page provides information about the common security vulnerabilities that were patched in Anzo and AnzoGraph releases.

Anzo Releases	AnzoGraph Releases
Anzo 5.4.8 Anzo 5.4.7 Anzo 5.4.6 Anzo 5.4.5 Anzo 5.4.2 Anzo 5.4.1 Anzo 5.3.12 Anzo 5.3.11 Anzo 5.3.10 Anzo 5.3.9 Anzo 5.3.8 Anzo 5.3.6 Anzo 5.3.4 Anzo 5.3.2 Anzo 5.3.0	AnzoGraph 3.1.3 AnzoGraph 3.1.2 AnzoGraph 3.1.1 AnzoGraph 3.1.0 AnzoGraph 2.5.22 AnzoGraph 2.5.21 AnzoGraph 2.5.20 AnzoGraph 2.5.19 AnzoGraph 2.5.17 AnzoGraph 2.5.15 AnzoGraph 2.5.14 AnzoGraph 2.5.12 AnzoGraph 2.5.11 AnzoGraph 2.5.10 AnzoGraph 2.5.8 AnzoGraph 2.5.7 AnzoGraph 2.5.6 AnzoGraph 2.5.5 AnzoGraph 2.5.4 AnzoGraph 2.5.3 AnzoGraph 2.5.2 AnzoGraph 2.5.1

Anzo Releases

Anzo 5.4.8

GHSA-xpw8-rcwv-8f8p: The io.netty:netty-codec-http2 package dependency was upgraded to remediate a potential DDoS attack vulnerability.
CVE-2020-11971: The Apache Camel's JMX dependency was upgraded to remediate this Rebind Flaw vulnerability.
CVE-2024-21634: The ion-java dependency for AnzoGraphDB was updated to remediate this vulnerability.

Anzo 5.4.7

CVE-2024-24790: The golang net/netip package dependency was updated to remediate this vulnerability.
CVE-2024-2961: The glibc library dependency was updated to remediate this vulnerability.

Anzo 5.4.6

CVE-2018-1320: The Apache Thrift Java client library dependency was updated to remediate this vulnerability.
CVE-2023-6378: The logback receiver component of the logback dependency was updated to remediate a possible Denial of Service (DoS) vulnerability.
CVE-2023-34054 and CVE-2023-34062: The Reactor Netty HTTP Server dependency was updated to remediate these vulnerabilities.
CVE-2023-33202: The Bouncy Castle for Java dependency was updated to remediate a possible Denial of Service (DoS) vulnerability.
CVE-2023-46673: The Elasticsearch dependency was updated as it was identified that malformed scripts used in the script processor of a pipeline could cause an Elasticsearch node to crash when calling the Simulate Pipeline API.
GHSA-xpw8-rcwv-8f8p: The io.netty:netty-codec-http2 dependency for Anzo Distributed Unstructured was updated to remediate this possible HTTP/2 Rapid Reset Attack vulnerability.

Anzo 5.4.5

CVE-2023-46604: The Apache ActiveMQ dependency was updated to remediate this possible remote code execution vulnerability.
CVE-2023-39410: The Apache Avro dependency for Anzo Unstructured was updated to remediate this possible out of memory vulnerability.
CVE-2023-41900, CVE-2023-36479, and CVE-2023-40167: The Eclipse Jetty dependency was updated to remediate these vulnerabilities.
CVE-2022-44729 and CVE-2022-44730: The Apache XML Graphics Batik dependency was updated to remediate these possible Server-Side Request Forgery (SSRF) vulnerabilities.
CVE-2023-2976: The Google Guava dependency was updated to remediate this vulnerability.

Anzo 5.4.2

CVE-2023-24998: The Apache Commons FileUpload dependency for Anzo Unstructured was updated to remediate a possible Denial of Service (DoS) vulnerability.
CVE-2022-1471: Modified the SnakeYaml dependency for Anzo Unstructured to use the SafeConstructor when parsing content.
CVE-2023-1370: The json-smart dependency was updated to remediate a possible stack overflow vulnerability.
CVE-2023-1436: The Jettison dependency was updated to remediate this possible StackOverflowError vulnerability.
CVE-2023-26048, CVE-2023-26049: The Jetty dependency was updated to remediate these vulnerabilities.

Anzo 5.4.1

CVE-2022-1471: Modified the SnakeYaml dependency to use the SafeConstructor when parsing content.
CVE-2022-40152: The Woodstox dependency was updated to version 6.4.0 to remediate a potential Denial of Service (DoS) vulnerability.
CVE-2021-37533: The Apache Commons Net dependency was updated to version 3.9.0 to remediate this vulnerability.
CVE-2022-40150: The Jettison dependency was updated to version 1.5.3 to remediate a possible Denial of Service (DoS) vulnerability.
SONATYPE-2019-0870, SONATYPE-2021-0887, SONATYPE-2019-0992, and SONATYPE-2014-0257: The freemarker, passay, jcommander, and javaassit dependencies were updated to remediate these vulnerabilities.
CVE-2022-25168: The Apache Hadoop file utility dependency was updated to version 3.3.4 to remediate this vulnerability.
CVE-2022-38900: The decode-uri-component dependency was updated to remediate this possible Denial of Service (DoS) vulnerability.

Anzo 5.3.12

CVE-2022-25168: The Apache Hadoop file utility dependency was updated to version 3.3.4 to remediate this vulnerability.
CVE-2022-38900: The decode-uri-component dependency was updated to remediate a potential Denial of Service (DoS) vulnerability.
CVE-2022-40146, CVE-2022-38398, CVE-2022-38648, CVE-2022-41704, and CVE-2022-42890: The Batik of Apache XML Graphics dependency was updated to version 1.16 to remediate a Server-Side Request Forgery (SSRF) vulnerability as well as a vulnerability that could allow an attacker to run Java code from untrusted SVG via JavaScript.
CVE-2022-1471: Modified the SnakeYaml dependency to use the SafeConstructor when parsing content.
CVE-2022-40152: The Woodstox dependency was updated to version 6.4.0 to remediate a potential Denial of Service (DoS) vulnerability.
CVE-2021-37533: The Apache Commons Net dependency was updated to version 3.9.0 to remediate this vulnerability.
CVE-2022-40150: The Jettison dependency was updated to version 1.5.3 to remediate a possible Denial of Service (DoS) vulnerability.
CVE-2022-45047: The Apache SSHD dependency was updated to version 2.9.2 to remediate this vulnerability.
SONATYPE-2019-0870, SONATYPE-2021-0887, SONATYPE-2019-0992, and SONATYPE-2014-0257: The freemarker, passay, jcommander, and javaassit dependencies were updated to remediate these vulnerabilities.

Anzo 5.3.11

CVE-2022-42003: The FasterXML jackson-databind dependency was updated to remediate a possible resource exhaustion vulnerability.
CVE-2022-40146, CVE-2022-38398, CVE-2022-38648, CVE-2022-41704, and CVE-2022-42890: The Batik of Apache XML Graphics dependency was updated to remediate a Server-Side Request Forgery (SSRF) vulnerability as well as a vulnerability that could allow an attacker to run Java code from untrusted SVG via JavaScript.
CVE-2022-40149 and CVE-2022-40150: The Jettison dependency was updated to remediate a possible Denial of Service (DoS) vulnerability.
CVE-2022-42889: The Apache Commons Text (commons-text) dependency was updated to remediate this vulnerability.
CVE-2022-3171: The protobuf dependency was updated to remediate a possible Denial of Service (DoS) vulnerability.
CVE-2022-36944: The Scala library dependency for Anzo Unstructured was updated to remediate this possible deserialization of untrusted data vulnerability.
CVE-2021-0341: The com.squareup.okhttp dependency for Anzo Unstructured was updated to remediate this possible improper certificate validation vulnerability.
CVE-2022-25857, CVE-2022-38749, CVE-2022-38750, CVE-2022-38751, and CVE-2022-38752: The snakeYAML dependency for Anzo Unstructured was updated to remediate these possible Denial of Service (DoS) vulnerabilities.
CVE-2022-36033: The jsoup dependency for Anzo Unstructured was updated to remediate this possible cross-site scripting (XSS) vulnerability.
CVE-2018-12536: The Eclipse Jetty Server dependency for Anzo Unstructured was updated to remediate this vulnerability.
CVE-2022-33879: The org.apache.tika dependency for Anzo Unstructured was updated to remediate this vulnerability.

Anzo 5.3.10

CVE-2022-36033: The jsoup Java HTML parser dependency was updated to version 1.15.3 to remediate a cross-site scripting (XSS) vulnerability.
CVE-2022-25857: The org.yaml:snakeyaml dependency was updated to version 1.31 to remediate a Denial of Service (DoS) vulnerability.
CVE-2022-34169: The Apache Xalan Java XSLT library was removed to avoid an integer truncation issue that could occur when processing malicious XSLT stylesheets.
Several Anzo Distributed Unstructured dependencies were updated to remediate the following vulnerabilities:
CVE-2019-20444, CVE-2021-37136, CVE-2021-35516, CVE-2018-1000632, CVE-2021-21290, CVE-2021-28657, CVE-2019-20445, CVE-2021-37137, CVE-2021-35517, CVE-2014-0114, CVE-2012-5783, CVE-2022-25169, CVE-2019-17571, CVE-2020-7238, CVE-2021-36090, CVE-2012-0881, CVE-2021-29425, CVE-2022-30126, CVE-2022-23305, CVE-2021-29505, CVE-2020-11988, CVE-2013-4002, CVE-2021-28169, CVE-2022-30973, CVE-2021-27568, CVE-2021-43859, CVE-2018-10936, CVE-2020-13956, CVE-2020-15250, CVE-2021-27807, CVE-2022-21724, CVE-2022-23302, CVE-2020-13692, CVE-2020-15522, CVE-2018-11771, CVE-2021-27906, CVE-2019-13990, CVE-2022-23307, CVE-2022-25647, CVE-2020-0187, CVE-2018-1324, CVE-2021-31811, CVE-2020-10683, CVE-2021-4104, CVE-2020-9492, CVE-2020-26939, CVE-2018-10237, CVE-2021-31812, CVE-2017-18640, CVE-2021-33813, CVE-2019-14262, CVE-2021-22569, CVE-2020-1950, CVE-2022-26336, CVE-2020-28491, CVE-2020-13936, CVE-2022-23596, CVE-2021-43797, CVE-2020-1951, CVE-2019-12415, CVE-2022-25647, CVE-2021-35515, CVE-2022-2048, CVE-2021-21295, CVE-2020-9489, CVE-2022-24613, CVE-2019-17573, CVE-2020-13954, CVE-2019-12406, CVE-2020-1945, CVE-2021-36373, CVE-2022-24614, CVE-2009-2625, CVE-2021-34428, and CVE-2021-36374.

Anzo 5.3.9

CVE-2022-2047: The Eclipse jetty dependency was updated to version 9.4.46 to remediate a vulnerability that could lead to failures in a Proxy scenario.
CVE-2022-33980: The Apache Commons Configuration (commons-configuration) dependency was updated to version 2.8 to remediate this vulnerability.

Anzo 5.3.8

CVE-2022-25169: The Apache Tika dependency was updated to version 1.28.3 to remediate a BPG parser vulnerability.
CVE-2022-31129: The moment JavaScript library dependency was upgraded to remediate this vulnerability.

Anzo 5.3.6

CVE-2021-21409, CVE-2021-21295, CVE-2021-21290, CVE-2021-37137, CVE-2021-37136, and CVE-2021-43797: The Netty gRPC dependency library (grpc-netty-shaded) was updated to version 4.1.72 to remediate the listed vulnerabilities.
CVE-2021-43797, CVE-2022-24823, CVE-2021-37136, and CVE-2021-37137: The Netty IO dependency library (io.netty.*) was updated to version 4.1.77 to remediate the listed vulnerabilities.
CVE-2021-22569: The protobuf-java dependency library was updated to version 3.8.2 to resolve this vulnerability.
CVE-2018-1337: The Apache Directory LDAP API dependency was updated to version 1.0.3 to remediate this vulnerability.
CVE-2021-41973: The Apache MINA dependency was updated to version 2.0.23 to remediate this vulnerability.
CVE-2019-10101 and CVE-2020-29582: The JetBrains Kotlin dependency was updated to version 1.6.21 to remediate these potential man-in-the-middle (MITM) vulnerabilities.
CVE-2019-0809: The Anzo CData JDBC and ODBC drivers were updated to remediate a Visual Studio remote code execution vulnerability.
CVE-2022-25169: The Apache Tika dependency was updated to version 1.28.2 to remediate a BPG parser vulnerability.
CVE-2021-22573: The com.google.oauth-client dependency was updated to version 1.31.3 to remediate an IDToken verifier vulnerability.
CVE-2022-25647: The com.google.code.gson:gson package was updated to version 2.8.9 to remediate a potential Denial of Service (DoS) vulnerability.
CVE-2021-22112, CVE-2019-3795, CVE-2021-22096, CVE-2016-1000027, CVE-2022-22950, and CVE-2022-22965: The Spring Framework dependencies were updated to version 5.3.19_1 to remediate the listed vulnerabilities.
CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-37136, CVE-2021-37137, and CVE-2021-43797: The Netty IO dependency library for the Anzo Unstructured software was updated to remediate the listed vulnerabilities.
CVE-2021-44878: The Pac4j dependency was updated to version 5.3.0 to remediate an OpenID Connect provider vulnerability.
CVE-2022-24721: The CometD dependency was updated to version 5.0.11 to remediate a vulnerability where a remote user could have subscribed to the Oort and Seti channels and watched internal network traffic.
CVE-2021-42550: The logback-core dependency was updated to version 1.2.9 to remediate a potential vulnerability that could have allowed an attacker to craft a malicious configuration.
CVE-2021-42392 and CVE-2022-23221: The H2 database dependency was updated to version 2.1.212 to remediate an unauthenticated remote code execution vulnerability.
CVE-2022-26336: The Apache POI (poi-scratchpad) dependency was updated to version 5.2.2 to remediate an Out of Memory exception vulnerability.
CVE-2022-26612: The Apache Hadoop dependency was updated to version 3.2.3 to remediate a symlink vulnerability.
CVE-2020-36518: The jackson-databind dependency was updated to remediate a Java StackOverflow exception and Denial of Service (DoS) vulnerability.
CVE-2017-7658, CVE-2017-7657, and CVE-2018-7489: The shaded classes were removed from the EHCache dependencies to remediate the listed vulnerabilities.
Fixed CVE-2018-25032, CVE-2022-0778, CVE-2021-23222, CVE-2021-3634, CVE-2021-23177, CVE-2021-31566, CVE-2021-3999, CVE-2022-23218, CVE-2022-23219, and CVE-2022-23308: The Anzo dynamic K8s fluent-bit component was updated to resolve the listed vulnerabilities.
CVE-2021-41184, CVE-2021-41183, and CVE-2021-41182: The JQuery-UI library was updated to remediate the listed vulnerabilities.
CVE-2021-23337, CVE-2020-28500, CVE-2020-8203, CVE-2019-10744, CVE-2019-1010266, CVE-2018-16487, CVE-2018-3721, and CWE-400: The Lodash dependency was updated to remediate the listed vulnerabilities.

Anzo 5.3.4

CVE-2021-22144, CVE-2021-22145, and CVE-2021-22147: The Elasticsearch dependencies were updated to version 7.14.1 to resolve the listed vulnerabilities.
CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, and CVE-2021-36090: The Apache Commons Compress (org.apache.commons.commons-compress) library was updated to version 1.21.0 to remediate Denial of Service (DoS) vulnerabilities.
CVE-2021-34429: The Eclipse Jetty dependency was updated to version 9.4.43.v20210629 to remediate a security constraint vulnerability.
CVE-2021-37714: The jsoup Java library was updated to version 1.14.2 to remediate Denial of Service (DoS) vulnerability.
CVE-2021-41616: The unused Apache DB DdlUtils (org.apache.ddlutils) .jar file was removed from Anzo to remediate this vulnerability.
The netty dependency was updated to version 4.1.70.

Anzo 5.3.2

The following vulnerabilities were remediated in Anzo Unstructured Leader and Worker software dependencies.

The Data Mapper and Data Binding packages for Jackson were upgraded to remediate the following vulnerabilities:
CVE-2017-7525, CVE-2018-14718, CVE-2018-7489, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-1000873, CVE-2019-14893, CVE-2019-14540, CVE-2019-16335, CVE-2019-17267, CVE-2019-20330, CVE-2019-16943, CVE-2019-16942, CVE-2019-17531, CVE-2019-14892, CVE-2020-8840, CVE-2020-9546, CVE-2020-9547, CVE-2020-9548, CVE-2020-35490, CVE-2020-35491, CVE-2020-25649, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-14195, CVE-2020-24616, CVE-2020-24750, CVE-2021-20190, CVE-2020-35728, and CVE-2020-36179 through 36189.
CVE-2016-5007, CVE-2016-9878, CVE-2018-1271, CVE-2018-1272, CVE-2018-1273, and CVE-2018-15756: The Spring Data Commons package was upgraded to remediate the listed vulnerabilities.
CVE-2018-1270: The Spring Framework package was upgraded to remediate a remote code execution vulnerability.
CVE-2019-17195: The Nimbus JOSE + JWT library was upgraded to remediate an issue with uncaught exceptions that had a potential authentication bypass vulnerability.
CVE-2019-20444, CVE-2019-20445, and CVE-2019-16869: The Netty dependency was upgraded to remediate a vulnerability with inconsistent interpretation of HTTP requests (HTTP Request Smuggling).
CVE-2021-27568: The Json-smart dependency was upgraded to remediate an improper check for unusual or exceptional conditions.
CVE-2015-6748 and CVE-2021-37714: The Java HTML Parser library, jsoup, was upgraded to remediate a Cross-Site Scripting (XSS) and possible Denial of Service (DoS) vulnerability.
CVE-2020-26939: The Bouncy Castle dependency was upgraded to remediate observable differences in behavior to error inputs.
CVE-2017-15288: The Scala compilation daemon dependency was upgraded to remediate an incorrect permission assignment for critical resource vulnerability.
CVE-2020-9492: The Apache Hadoop dependency was upgraded to remediate an incorrect authorization vulnerability.
CVE-2019-10086: The Apache Commons Beanutils dependency was upgraded to remediate a deserialization flaw.

Anzo 5.3.0

CVE-2021-22134: The Elasticsearch dependency was upgraded to version 7.12 to remediate a document disclosure flaw when Document or Field Level Security was used.
CVE-2020-28491: The Jackson Dataformat XML dependency was upgraded to version 2.12.1 to remediate an unchecked allocation of byte buffers that could cause a java.lang.OutOfMemoryError exception.
CVE-2021-29425: The Apache Commons IO dependency was upgraded to version 2.8 to remediate an issue where an improper input string to a subdirectory could result in access to the parent directory.
CVE-2021-28657: The Apache Tika dependency was upgraded to version 1.26 to remediate an issue where a corrupt file could trigger an infinite loop in Tika's MP3Parser.
CVE-2020-27223, CVE-2021-28163, and CVE-2021-28165: The Eclipse Jetty dependency was updated to version 9.4.40.v20210413 to remediate a Denial of Service (DoS) vulnerability.
CVE-2020-13947 and CVE-2021-26117: The Apache ActiveMQ dependency was upgraded to version 5.16.2 to remediate a Cross-Site Scripting (XSS) vulnerability as well as a vulnerability that could result in a failure to check passwords.
CVE-2020-8554 and CVE-2020-8570: The Kubernetes API and Java client libraries were upgraded to remediate these vulnerabilities.
The JQuery dependencies were updated to resolve Cross-Site Scripting (XSS) vulnerabilities.

AnzoGraph Releases

AnzoGraph 3.1.3

CVE-2024-2398: The libcurl dependency was updated to remediate this HTTP/2 push headers memory-leak vulnerability.
CVE-2024-6345: The pypa/setuptools dependency was upgraded to remediate this vulnerability.

AnzoGraph 3.1.2

CVE-2024-24790: The golang net/netip package dependency was updated to remediate this vulnerability (Go upgraded to version 1.22.4).
CVE-2023-45288: The golang net/http and x/net/http2 package dependencies were updated to remediate this HTTP/2 CONTINUATION Flood vulnerability.
CVE-2023-6597: The CPython dependency for the frontend user interface was updated to remediate this tempfile.TemporaryDirectory class vulnerability.
CVE-2023-52424: A dependency for the frontend user interface was updated to remediate the SSID Confusion Attack vulnerability.
CVE-2024-24788: A golang dependency was updated to remediate this vulnerability (Go upgraded to version 1.22.4).

AnzoGraph 3.1.1

CVE-2024-21634: The ion-java dependency for AnzoGraphDB was updated to remediate this vulnerability.
CVE-2024-29857 and CVE-2024-30172: The BC Java, BC Java LTS, BC-FJA, and BC C# .Net dependencies for the frontend user interface were updated to remediate these vulnerabilities.
CVE-2024-33601, CVE-2024-33599, CVE-2024-33600, CVE-2024-33602, CVE-2024-2961: The glibc library dependencies for all containers were updated to remediate these vulnerabilities.

AnzoGraph 3.1.0

CVE-2024-22201: The Jetty dependency for the frontend user interface was updated to remediate this vulnerability.
CVE-2023-32200: The Apache Jena dependency for the frontend user interface was updated to remediate this vulnerability.
CVE-2024-25710 and CVE-2024-26308: The Apache Commons dependency for the frontend user interface was updated to remediate these vulnerabilities.
CVE-2023-32067: The c-ares dependency library was updated to remediate a possible Denial of Service (DoS) vulnerability.
CVE-2023-30535: The Snowflake JDBC driver was updated to version 3.13.29 to remediate a possible command injection vulnerability.
CVE-2023-1370: The json-smart dependency for the frontend user interface was updated to remediate a possible stack overflow vulnerability.
CVE-2022-46175: The JSON5 dependency for the frontend user interface was updated to remediate this vulnerability.
CVE-2022-31129: The moment JavaScript library dependency for the frontend user interface was upgraded to remediate this vulnerability.
CVE-2021-0341: The com.squareup.okhttp dependency for the frontend user interface was updated to remediate this possible improper certificate validation vulnerability.
CVE-2020-21469: The PostgreSQL dependency was updated to remediate this possible Denial of Service (DoS) vulnerability.
GHSA-v78c-4p63-2j6c: The moment-timezone dependency for the frontend user interface was updated to remediate this vulnerability.
GHSA-xpw8-rcwv-8f8p: The Netty dependency for the frontend user interface was updated to remediate this possible HTTP/2 Rapid Reset Attack vulnerability.
The Eclipse Jetty dependency for the frontend user interface was updated to remediate the following vulnerabilities:
GHSA-jjjh-jjxp-wpff, GHSA-rgv9-q543-rqg4, GHSA-wgh7-54f2-x98r, GHSA-58qw-p7qm-5rvh, CVE-2022-2191, CVE-2022-25647, CVE-2007-1652, CVE-2022-2048, CVE-2009-5045, CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2022-2048, CVE-2020-27216, CVE-2023-44487, CVE-2023-40167, CVE-2023-36478, CVE-2023-36479, and CVE-2023-41900.
SONATYPE-2022-4402: The Postgres JDBC driver was updated to remediate this possible SQL injection vulnerability.
SONATYPE-2022-6438: The jackson-core and jackon-databind dependencies were updated to version 2.14.1 to remediate this vulnerability.

AnzoGraph 2.5.22

CVE-2022-30187: Azure Storage client library dependencies were updated to remediate the Azure Storage Library Information Disclosure Vulnerability.
CVE-2023-2976: The Google Guava dependency was updated to remediate this vulnerability.
CVE-2024-29025: The io.netty:netty-codec-http dependency was updated to remediate this HttpPostRequestDecoder out-of-memory vulnerability.
CVE-2024-29131 and CVE-2024-29133: The Apache Commons Configuration dependency was updated to remediate this Out-of-bounds Write vulnerability.
CVE-2023-52428: The Connect2id Nimbus JOSE+JWT dependency was updated to remediate a potential Denial of Service (DoS) vulnerability.

AnzoGraph 2.5.21

CVE-2024-24790: The golang net/netip package dependency was updated to remediate this vulnerability.
CVE-2023-45288: The golang net/http and x/net/http2 package dependencies were updated to remediate this HTTP/2 CONTINUATION Flood vulnerability.
CVE-2023-45283: The golang path/filepath package dependency was updated to remediate this vulnerability.
CVE-2024-24791: The golang net/http HTTP/1.1 client dependency for AnzoGraphDB and frontend user interface was updated to remediate a potential Denial of Service (DoS) vulnerability.
GHSA-58qw-p7qm-5rvh: The Eclipse Jetty dependency was updated to remediate this XmlParser XML external entity (XXE) vulnerability.
CVE-2022-36944: The Scala dependency for AnzoGraphDB was upgraded to remediate this vulnerability.

AnzoGraph 2.5.20

CVE-2023-46234: The cryptographic signature verification issue caused by the browserify-sign package dependency for the frontend user interface was remediated.
CVE-2024-21634: The ion-java dependency for AnzoGraphDB was updated to remediate this vulnerability.
CVE-2024-26308 and CVE-2024-25710: The Apache Commons Compress dependencies for AnzoGraphDB were updated to remediate these vulnerabilities.
GHSA-xpw8-rcwv-8f8p: The netty-codec-http2 dependency for AnzoGraphDB and frontend user interface was updated to remediate the HTTP/2 Rapid Reset Attack vulnerability.
CVE-2022-21698, CVE-2023-39325, CVE-2021-44716, CVE-2022-32149, CVE-2022-28948, CVE-2022-27664, and CVE-2022-41723: The golang dependencies for the AnzoGraph operator (client_golang, net/http, golang.org/x/net/http2, Go-Yaml) were updated to remediate these vulnerabilities.
GHSA-m425-mq94-257g: The gRPC-Go dependency for the AnzoGraph (golang) client was updated to remediate the HTTP/2 Rapid Reset Attack vulnerability.
CVE-2023-46233: The configuration of crypto-js JavaScript library for the frontend user interface was updated to remediate this vulnerability.
CVE-2024-22201, CVE-2024-25710, CVE-2024-26308, and CVE-2023-32200: The Eclipse Jetty, Apache Commons Compress, and Apache Jena dependencies for the frontend user interface were updated to remediate these vulnerabilities.
CVE-2024-29857 and CVE-2024-30172: The BC Java, BC Java LTS, BC-FJA, and BC C# .Net dependencies for the frontend user interface were updated to remediate these vulnerabilities.
CVE-2024-33601, CVE-2024-33599, CVE-2024-33600, CVE-2024-33602, CVE-2024-2961, CVE-2023-4813, CVE-2023-4806, CVE-2023-4527, and CVE-2023-4911: The glibc library dependencies for all containers were updated to remediate these vulnerabilities.

AnzoGraph 2.5.19

The Jetty dependency for the frontend user interface was updated to remediate the following vulnerabilities:

GHSA-jjjh-jjxp-wpff, GHSA-rgv9-q543-rqg4, GHSA-wgh7-54f2-x98r, GHSA-58qw-p7qm-5rvh, CVE-2022-25647, CVE-2007-1652, CVE-2022-2048, CVE-2009-5045, CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2022-2048, CVE-2020-27216, CVE-2023-44487, CVE-2023-40167, CVE-2023-36478, CVE-2023-36479, and CVE-2023-41900.

AnzoGraph 2.5.17

CVE-2023-30535: The Snowflake JDBC driver was updated to version 3.13.29 to remediate a possible command injection vulnerability.

AnzoGraph 2.5.15

CVE-2023-1370: The json-smart dependency for the frontend user interface was updated to remediate a possible stack overflow vulnerability.

AnzoGraph 2.5.14

CVE-2022-2191: The Eclipse Jetty dependency for the frontend user interface was updated to version 11.0.14 to remediate this vulnerability.

AnzoGraph 2.5.12

SONATYPE-2022-6438: The jackson-core and jackon-databind dependencies were updated to version 2.14.1 to remediate this vulnerability.
GHSA-h4h5-3hr4-j3g2: The com.google.protobuf and woodstox-core dependencies were updated to remediate this vulnerability.

AnzoGraph 2.5.11

CVE-2022-42889: The Apache Commons Text (commons-text) dependency was updated to remediate this vulnerability.
CVE-2022-42003 and CVE-2022-42004: The FasterXML jackson-databind dependencies were updated to remediate these vulnerabilities.
CVE-2022-41853: To mitigate this vulnerability, the HyperSQL DataBase driver was removed from the product.
CVE-2022-36944: The Scala library was updated to version 2.13.9 to remediate this vulnerability.
CVE-2020-15250: The JUnit dependency was updated to version 4.13.1 to remediate this vulnerability.

AnzoGraph 2.5.10

CVE-2015-6420: The Apache Commons Collections (ACC) library (commons-collections) dependency was updated to remediate this vulnerability.
CVE-2022-25168: The Apache Hadoop file utility (hadoop-common) dependency was updated to remediate this vulnerability.
CVE-2022-2309: The python2-lxml dependency was updated to remediate this vulnerability.

AnzoGraph 2.5.8

CVE-2022-31129: The moment JavaScript library dependency in the AnzoGraph user interface was upgraded to remediate this vulnerability.

AnzoGraph 2.5.7

CVE-2021-0341: The unused Java component OkHostnameVerifier.java was removed from the AnzoGraph user interface to remediate this vulnerability.

AnzoGraph 2.5.6

CVE-2020-8908: Updated the GDI Guava dependency to remediate a temp directory creation vulnerability.
CVE-2021-22573: Updated the GDI com.google.oauth-client:google-oauth-client dependency to version 1.33.3 to remediate a vulnerability where the IDToken verifier did not verify if a token was properly signed.
CVE-2022-24823: Updated the GDI Netty IO dependency to version 4.1.77.Final to remediate this vulnerability.

AnzoGraph 2.5.5

CVE-2020-36518: The jackson-databind dependency for AnzoGraph extensions and the frontend user interface was updated to remediate a Java StackOverflow exception and Denial of Service (DoS) vulnerability.

AnzoGraph 2.5.4

CVE-2021-3807: The ansi-regex dependency in the frontend user interface was updated to remediate an Inefficient Regular Expression Complexity vulnerability.
CVE-2022-0778: The MySQL driver was updated to remediate a Denial of Service (DoS) vulnerability related to certificate parsing.
CVE-2022-29078: The Embedded JavaScript templates package for Node.js, which is used in the frontend user interface, was updated to remediate a vulnerability that could allow server-side template injection.

AnzoGraph 2.5.3

CVE-2022-24785: The Moment.js JavaScript date library frontend user interface dependency was updated to remediate a path traversal vulnerability.
CVE-2020-15366, CVE-2021-3757, CVE-2021-3918, CVE-2021-23807: The Another JSON Schema Validator (AJV), json-schema, jsonpointer, and immer frontend user interface dependencies were updated to remediate "prototype pollution" vulnerabilities.
CVE-2021-23364, CVE-2021-27290, and CVE-2021-23382: The package browserslist, ssri, and postcss frontend user interface dependencies were updated to remediate a Regular Expression Denial of Service (ReDoS) vulnerability.
CVE-2021-3803: The nth-check frontend user interface dependency was updated to remediate an Inefficient Regular Expression Complexity vulnerability.

AnzoGraph 2.5.2

CVE-2020-36518: The jackson-databind dependency in the GDI and Neptune and Geospatial extensions was updated to remediate a Java StackOverflow exception and Denial of Service (DoS) vulnerability.
CVE-2021-3807 and CVE-2021-44906: The ansi-regex and Minimist dependencies in the AnzoGraph frontend container were updated to remediate vulnerabilities.
CVE-2022-25315: The Expat library for Red Hat Enterprise Linux and CentOS 7 was updated to remediate the integer overflow flaw in libexpat.

AnzoGraph 2.5.1

Updated 2.5.1 Docker Images

The following Docker images were re-released to resolve the vulnerabilities listed below:

docker.io/cambridgesemantics/anzograph-frontend:latest
docker.io/cambridgesemantics/anzograph-frontend:2.5.1-i202202151912-b202202242300
docker.io/cambridgesemantics/anzograph-frontend:2.5.1-i202202151912
docker.io/cambridgesemantics/anzograph-frontend:2.5.1
docker.io/cambridgesemantics/anzograph-db:latest
docker.io/cambridgesemantics/anzograph-db:2.5.1-r202202161817-b202202242300
docker.io/cambridgesemantics/anzograph-db:2.5.1-r202202161817
docker.io/cambridgesemantics/anzograph-db:2.5.1
docker.io/cambridgesemantics/anzograph:latest
docker.io/cambridgesemantics/anzograph:2.5.1-r202202161817-b202202242300
docker.io/cambridgesemantics/anzograph:2.5.1-r202202161817
docker.io/cambridgesemantics/anzograph:2.5.1
docker.io/cambridgesemantics/anzograph-devel:latest
docker.io/cambridgesemantics/anzograph-devel:2.5.1-r202202161817-b202202242300
docker.io/cambridgesemantics/anzograph-devel:2.5.1-r202202161817
docker.io/cambridgesemantics/anzograph-devel:2.5.1

CVE-2022-24407: The Cyrus SASL dependency was upgraded to remediate a flaw found in the SQL plugin.
CVE-2020-25709: The OpenLDAP dependency was upgraded to remediate a vulnerability that could allow an attacker to send a malicious packet to be processed by OpenLDAP’s slapd server.

Released 2.5.1 Red Hat Marketplace Images

The following release of Red Hat Marketplace images resolve the vulnerabilities listed below:

cambridgesemantics/anzograph-frontend:2.5.1-i202202151912
cambridgesemantics/anzograph-db:2.5.1-r202202161817-b202202282115
cambridgesemantics/anzograph:2.5.1-r202202161817-b202202282115

CVE-2022-24407: The Cyrus SASL dependency was upgraded to remediate a flaw found in the SQL plugin.
CVE-2020-25709: The OpenLDAP dependency was upgraded to remediate a vulnerability that could allow an attacker to send a malicious packet to be processed by OpenLDAP’s slapd server.

Initial 2.5.1 Release of all Deployment Methods Except Red Hat Marketplace

CVE-2021-21290, CVE-2021-37137, CVE-2021-21409, CVE-2021-37136, CVE-2021-21295, and CVE-2021-43797: The Netty dependencies were upgraded to remediate the listed vulnerabilities.
CVE-2021-44832: The Apache Log4j 2 Java library was upgraded to version 2.17.1 to remediate a vulnerability related to a remote code execution (RCE) attack.
CVE-2021-22569: The protobuf-java dependency was upgraded to remediate a potential Denial of Service (DoS) vulnerability.
CVE-2021-3712: The OpenSSL library dependencies were updated to remediate a potential Denial of Service (DoS) vulnerability.
CVE-2020-25704, CVE-2020-36322, and CVE-2021-42739: The Linux kernel headers dependency was upgraded to remediate a heap-based buffer overflow flaw related to kernel drivers.