selenium-java-tests's Introduction

Selenium Java Tests

Gitpod ready-to-code

About The Project

Template project to run tests with Selenium and Java.

Built with

Getting Started

Get a local copy up and running by following these steps.

Prerequisites

Choose an option below. You can develop in your browser or locally.

Option 1. Development Environment in Browser

Gitpod is an online dev environment based on VS Code/Theia and can launch ready-to-code development environments for GitHub projects with a single click. It is free for open source projects like this one and a nice way to share code with others. You can open https://gitpod.io/#https://github.com/justunsix/selenium-java-tests or click the Gitpod ready-to-code button at the top of this README.

This option right now is only useful for development. To run the program, a local installation is recommended since it requires a Chrome browser installed.

Option 2. Install Locally

  1. Clone this repository to your local computer using git clone https://github.com/justunsix/selenium-java-tests.git.
  2. Install Java Development Kit - Set your JAVA_HOME environment variable to point to Java folder and add the JDK's bin folder to your path environment variable.
  3. Install Maven - add Maven's bin folder to your path environment variable.
  4. Install Chrome in the default location and the Chrome driver, making sure the versions match and add the Chrome driver binary to your path environment variable. Web Driver Manager is an alternative and efficient way to manage this part; however, this repository does not use it as a dependency.
    1. Add the chrome driver folder to your 'path' environment variable.
    2. Open your Chrome browser to check it works. If Chrome opens up as a black screen, disable hardware acceleration using this workaround.

Installation and Run

Confirm the installations and paths are set up in a terminal

# Maven
mvn -v

# Java
java -version

Build and run the project

cd training
mvn package

# Run main method in class AppExample
mvn exec:java -Dexec.mainClass="training.AppExample"

After running it, Chrome will briefly open and visit https://the-internet.herokuapp.com/, a site for test automation, and then close. The terminal will show output like the following, indicating that the driver visited the site and read a link text, which means the run was successful.

[[ChromeDriver: chrome on WINDOWS (d40a87asdas31c6a93304e19e3)] -> partial link text: Testing]
=== Test Driver Complete ===

Usage

Inspect the Java model framework for https://the-internet.herokuapp.com/ and https://formy-project.herokuapp.com/ and see and modify test cases for The-Internet site.

When developing, you may want to download the dependency's source with mvn dependency:sources and/or Javadocs with mvn dependency:resolve -Dclassifier=javadoc

Placeholders:

  • Use this space to show useful examples of how a project can be used. Additional screenshots, code examples and demos work well in this space. You may also link to more resources.
  • For more examples, please refer to the Documentation

Roadmap

Contributing

Contributions are what make the open source community a good place to learn, inspire, and create. Any contributions you make are greatly appreciated.

  1. Fork the Project
  2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
  3. Commit your Changes (git commit -m 'Add some AmazingFeature')
  4. Push to the Branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request

License

Distributed under the MIT License. See LICENSE for more information.

Contact

Justin Tung - @justin_tung

Project Link: https://github.com/justunsix/selenium-java-tests

Acknowledgements

Appendix: How this repository was set up

Initialize project in this repository's folder using a Maven quickstart template

mvn archetype:generate -DgroupId=training -DartifactId=training -DarchetypeArtifactId=maven-archetype-quickstart -DarchetypeVersion=1.4 -DinteractiveMode=false

Add Selenium's dependency to Maven's pom. Added Chrome driver dependency from MVN for testing. Other WebDrivers can be added.

Appendix: Example Windows Setup to Meet Installation Requirements

Appendix: Other Stuff

Download Dependency sources and/or Javadoc

See more options at Maven download sources javadoc

mvn dependency:sources

mvn dependency:sources dependency:resolve -Dclassifier=javadoc

If using VS Code, ctrl+click into a class and then right click to attach the source for the dependency.

Settings.json

    "java.configuration.runtimes": [
        {
            "name": "JavaSE-1.8",
            "path": "C:\\usr\\bin\\JDK64",
            "sources": "C:\\usr\\bin\\JDK64\\lib\\src.zip",
            "javadoc": "https://docs.oracle.com/javase/8/docs/api/",
            "default": true
        },
        {
            // Installed with VS Code Java quickstart
            "name": "JavaSE-11",
            "path": "C:\\Program Files\\AdoptOpenJDK\\jdk-11.0.11.9-hotspot",
            "sources": "C:\\Program Files\\AdoptOpenJDK\\jdk-11.0.11.9-hotspot\\lib\\src.zip",
            "javadoc": "https://docs.oracle.com/en/java/javase/11/docs/api/",
            "default": true
        }
    ],
    // Sonarlint: selenium-java-tests project binding, make sure to configure the connection in your workspace settings or global settings
    "sonarlint.connectedMode.project": {
        "projectKey": "selenium-java-tests"
    }

Other commands

# Run a single class
java -cp target/base-1.0-SNAPSHOT.jar base.BaseTests

# Execute a single method called testSliding in HorizontalSliderTests class in src/test
mvn -Dtest=HorizontalSliderTests#testSliding test

# Run main testing class. -Dexec.cleanupDaemonThreads=false is required;
# otherwise there is a java.lang.IllegalThreadStateException.
# Alternatively, call System.exit(0); at the end of the program
mvn exec:java -Dexec.mainClass="training.AppExample" -Dexec.cleanupDaemonThreads=false

# Build, test and scan code for upload to sonarcloud.io 
# Requires access to the project in Sonar Cloud and 
# connect in environment variable / project settings > Analysis method > Manual
mvn verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar

selenium-java-tests's Issues

CVE-2019-10241 (Medium) detected in jetty-util-9.4.12.v20180830.jar - autoclosed

CVE-2019-10241 - Medium Severity Vulnerability

Vulnerable Library - jetty-util-9.4.12.v20180830.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: selenium-java-tests/training/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-util/9.4.12.v20180830/jetty-util-9.4.12.v20180830.jar

Dependency Hierarchy:

  • htmlunit-driver-2.33.2.jar (Root Library)
    • htmlunit-2.33.jar
      • websocket-client-9.4.12.v20180830.jar
        • jetty-util-9.4.12.v20180830.jar (Vulnerable Library)

Found in HEAD commit: e69773113dc3fe34f7e6cd57086e179915d2f90a

Found in base branch: main

Vulnerability Details

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

Publish Date: 2019-04-22

URL: CVE-2019-10241

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241

Release Date: 2019-04-22

Fix Resolution: org.eclipse.jetty:jetty-server:9.2.27,9.3.26,9.4.16,org.eclipse.jetty:jetty-servlet:9.2.27,9.3.26,9.4.16,org.eclipse.jetty:jetty-util:9.2.27,9.3.26,9.4.16


Step up your Open Source Security Game with WhiteSource here

CVE-2023-26049 (Low) detected in jetty-http-9.4.50.v20221201.jar - autoclosed

CVE-2023-26049 - Low Severity Vulnerability

Vulnerable Library - jetty-http-9.4.50.v20221201.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /training/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.50.v20221201/jetty-http-9.4.50.v20221201.jar

Dependency Hierarchy:

  • htmlunit-driver-4.8.3.jar (Root Library)
    • htmlunit-2.70.0.jar
      • websocket-client-9.4.50.v20221201.jar
        • jetty-client-9.4.50.v20221201.jar
          • jetty-http-9.4.50.v20221201.jar (Vulnerable Library)

Found in HEAD commit: fbf69a3c856f4a7a3bf9897abb0c3c26bdb0f679

Found in base branch: main

Vulnerability Details

Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.

Publish Date: 2023-04-18

URL: CVE-2023-26049

CVSS 3 Score Details (2.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-p26g-97m4-6q7c

Release Date: 2023-04-18

Fix Resolution: org.eclipse.jetty:jetty-http:9.4.51.v20230217,10.0.14,11.0.14;org.eclipse.jetty:jetty-runner:9.4.51.v20230217,10.0.14,11.0.14


Step up your Open Source Security Game with Mend here

CVE-2022-24823 (Medium) detected in netty-common-4.1.76.Final.jar - autoclosed

CVE-2022-24823 - Medium Severity Vulnerability

Vulnerable Library - netty-common-4.1.76.Final.jar

Library home page: https://netty.io/

Path to dependency file: /training/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-common/4.1.76.Final/netty-common-4.1.76.Final.jar

Dependency Hierarchy:

  • selenium-chrome-driver-4.1.4.jar (Root Library)
    • selenium-remote-driver-4.1.4.jar
      • netty-common-4.1.76.Final.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-http prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own java.io.tmpdir when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.

Publish Date: 2022-05-06

URL: CVE-2022-24823

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24823

Release Date: 2022-05-06

Fix Resolution: io.netty:netty-all;io.netty:netty-common - 4.1.77.Final


CVE-2023-26049 (Low) detected in jetty-http-9.4.50.v20221201.jar - autoclosed

CVE-2023-26049 - Low Severity Vulnerability

Vulnerable Library - jetty-http-9.4.50.v20221201.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /training/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.50.v20221201/jetty-http-9.4.50.v20221201.jar

Dependency Hierarchy:

  • htmlunit-driver-4.8.3.jar (Root Library)
    • htmlunit-2.70.0.jar
      • websocket-client-9.4.50.v20221201.jar
        • jetty-client-9.4.50.v20221201.jar
          • jetty-http-9.4.50.v20221201.jar (Vulnerable Library)

Found in HEAD commit: 39fe6b4f09c7ba3e58fb78a7e803523dda17364a

Found in base branch: main

Vulnerability Details

Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.

Publish Date: 2023-04-18

URL: CVE-2023-26049

CVSS 3 Score Details (2.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-p26g-97m4-6q7c

Release Date: 2023-04-18

Fix Resolution: org.eclipse.jetty:jetty-http:9.4.51.v20230217,10.0.14,11.0.14;org.eclipse.jetty:jetty-runner:9.4.51.v20230217,10.0.14,11.0.14


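The parsing difference described in the CVE-2023-26049 advisory text (quoted in this issue and in the earlier issue with the same title), as an added example that is not Jetty's code and not part of the original issues. `parse_strict` and `parse_lenient` are hypothetical, simplified models of a semicolon-splitting intermediary and of the quoted-value behaviour the advisory describes; every sample header except the advisory's own is constructed.

```python
"""Model of the cookie-parsing disagreement behind CVE-2023-26049 (added example)."""

# Header quoted in the advisory text.
ADVISORY_HEADER = 'DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"'

# Constructed sample Cookie header values, e.g. as pulled from proxy logs.
SAMPLE_HEADERS = [
    "theme=dark; JSESSIONID=abc123",
    ADVISORY_HEADER,
    'lang="en"; JSESSIONID=abc123',
]


def parse_strict(header):
    """Split on every ';' first, the way a simple cookie-aware intermediary would."""
    cookies = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if not sep or not name:
            continue
        value = value.strip()
        # Only a fully quoted value has its surrounding quotes removed.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        cookies.append((name.strip(), value))
    return cookies


def parse_lenient(header):
    """Model of the behaviour in the advisory: a value that starts with a
    double quote runs to the closing quote, even across semicolons."""
    cookies = []
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in " ;":
            i += 1
        if i >= n:
            break
        eq = header.find("=", i)
        semi = header.find(";", i)
        if eq == -1 or (semi != -1 and semi < eq):
            # Token without '=': skip it.
            i = n if semi == -1 else semi + 1
            continue
        name = header[i:eq].strip()
        i = eq + 1
        if i < n and header[i] == '"':
            close = header.find('"', i + 1)
            if close != -1:
                cookies.append((name, header[i + 1:close]))
                semi = header.find(";", close + 1)
                i = n if semi == -1 else semi + 1
                continue
            # Assumption of this model: an unterminated quote falls back
            # to semicolon splitting.
        semi = header.find(";", i)
        end = n if semi == -1 else semi
        cookies.append((name, header[i:end].strip()))
        i = end + 1
    return cookies


def swallowed_names(header):
    """Cookie names the strict parser sees but the lenient parser folds
    into another cookie's quoted value."""
    lenient = {name for name, _ in parse_lenient(header)}
    return [name for name, _ in parse_strict(header) if name not in lenient]


def audit(headers):
    """Return (index, swallowed names) for every header on which the two
    parsers disagree; these are the requests worth reviewing."""
    findings = []
    for idx, header in enumerate(headers):
        if parse_strict(header) != parse_lenient(header):
            findings.append((idx, swallowed_names(header)))
    return findings


if __name__ == "__main__":
    for idx, names in audit(SAMPLE_HEADERS):
        print(f"header #{idx}: parsers disagree, swallowed cookies: {names}")
        print("  strict :", parse_strict(SAMPLE_HEADERS[idx]))
        print("  lenient:", parse_lenient(SAMPLE_HEADERS[idx]))
```

Any header reported by `audit` is one where a component enforcing cookie policy and the back end could see different cookies, which is the condition the advisory's fix resolution removes.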

CVE-2023-40167 (Medium) detected in jetty-http-9.4.50.v20221201.jar

CVE-2023-40167 - Medium Severity Vulnerability

Vulnerable Library - jetty-http-9.4.50.v20221201.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /training/pom.xml

Path to vulnerable library: /training/pom.xml

Dependency Hierarchy:

  • htmlunit-driver-4.13.0.jar (Root Library)
    • htmlunit-2.70.0.jar
      • websocket-client-9.4.50.v20221201.jar
        • jetty-client-9.4.50.v20221201.jar
          • jetty-http-9.4.50.v20221201.jar (Vulnerable Library)

Found in HEAD commit: 809489cfcccf8668ff6de2c962c09e4bb0033765

Found in base branch: main

Vulnerability Details

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the + character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.

Publish Date: 2023-09-15

URL: CVE-2023-40167

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-hmr7-m48g-48f6

Release Date: 2023-09-15

Fix Resolution: org.eclipse.jetty:jetty-http:9.4.52.v20230823,10.0.16,11.0.16,12.0.1


CVE-2023-34462 (Medium) detected in netty-handler-4.1.92.Final.jar - autoclosed

CVE-2023-34462 - Medium Severity Vulnerability

Vulnerable Library - netty-handler-4.1.92.Final.jar

Library home page: https://netty.io/

Dependency Hierarchy:

  • selenium-chrome-driver-4.10.0.jar (Root Library)
    • selenium-chromium-driver-4.10.0.jar
      • selenium-remote-driver-4.10.0.jar
        • netty-codec-http-4.1.92.Final.jar
          • netty-handler-4.1.92.Final.jar (Vulnerable Library)

Found in HEAD commit: 809489cfcccf8668ff6de2c962c09e4bb0033765

Found in base branch: main

Vulnerability Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler to allocate 16MB of heap. The SniHandler class is a handler that waits for the TLS handshake to configure a SslHandler according to the indicated server name by the ClientHello record. For this matter it allocates a ByteBuf using the value defined in the ClientHello record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the SslClientHelloHandler. This vulnerability has been fixed in version 4.1.94.Final.

Publish Date: 2023-06-22

URL: CVE-2023-34462

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-6mjq-h674-j845

Release Date: 2023-06-22

Fix Resolution (io.netty:netty-handler): 4.1.94.Final

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-chrome-driver): 4.12.0


CVE-2021-28169 (Medium) detected in jetty-http-9.4.40.v20210413.jar - autoclosed

CVE-2021-28169 - Medium Severity Vulnerability

Vulnerable Library - jetty-http-9.4.40.v20210413.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: selenium-java-tests/training/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.40.v20210413/jetty-http-9.4.40.v20210413.jar

Dependency Hierarchy:

  • htmlunit-driver-2.50.0.jar (Root Library)
    • htmlunit-2.50.0.jar
      • websocket-client-9.4.40.v20210413.jar
        • jetty-client-9.4.40.v20210413.jar
          • jetty-http-9.4.40.v20210413.jar (Vulnerable Library)

Found in HEAD commit: e69773113dc3fe34f7e6cd57086e179915d2f90a

Found in base branch: main

Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Publish Date: 2021-06-09

URL: CVE-2021-28169

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gwcr-j4wh-j3cq

Release Date: 2021-06-09

Fix Resolution: org.eclipse.jetty:jetty-runner:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-http:9.4.41.v20210516, 10.0.3, 11.0.3,org.eclipse.jetty:jetty-servlets:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-server:9.4.41.v20210516, 10.0.3, 11.0.3


CVE-2023-2976 (High) detected in guava-31.1-jre.jar - autoclosed

CVE-2023-2976 - High Severity Vulnerability

Vulnerable Library - guava-31.1-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.

Dependency Hierarchy:

  • selenium-chrome-driver-4.10.0.jar (Root Library)
    • auto-service-1.0.1.jar
      • auto-common-1.2.jar
        • guava-31.1-jre.jar (Vulnerable Library)

Found in HEAD commit: 809489cfcccf8668ff6de2c962c09e4bb0033765

Found in base branch: main

Vulnerability Details

Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Mend Note: Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Publish Date: 2023-06-14

URL: CVE-2023-2976

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-7g45-4rm6-3mm3

Release Date: 2023-06-14

Fix Resolution (com.google.guava:guava): 32.0.1-android

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-chrome-driver): 4.12.0


CVE-2023-26119 (Critical) detected in htmlunit-2.70.0.jar

CVE-2023-26119 - Critical Severity Vulnerability

Vulnerable Library - htmlunit-2.70.0.jar

A headless browser intended for use in testing web-based applications.

Library home page: http://htmlunit.sourceforge.net

Path to dependency file: /training/pom.xml

Path to vulnerable library: /training/pom.xml

Dependency Hierarchy:

  • htmlunit-driver-4.13.0.jar (Root Library)
    • htmlunit-2.70.0.jar (Vulnerable Library)

Found in HEAD commit: 833beab3d098aa20bcd64786808a08c0a662931f

Found in base branch: main

Vulnerability Details

Versions of the package net.sourceforge.htmlunit:htmlunit from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSLT, when browsing the attacker’s webpage.

Publish Date: 2023-04-03

URL: CVE-2023-26119

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26119

Release Date: 2023-04-03

Fix Resolution: net.sourceforge.htmlunit:htmlunit:3.0.0


CVE-2020-8908 (Low) detected in guava-25.0-jre.jar - autoclosed

CVE-2020-8908 - Low Severity Vulnerability

Vulnerable Library - guava-25.0-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava

Path to dependency file: /training/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/guava/guava/25.0-jre/guava-25.0-jre.jar

Dependency Hierarchy:

  • selenium-chrome-driver-3.141.59.jar (Root Library)
    • guava-25.0-jre.jar (Vulnerable Library)

Found in HEAD commit: e69773113dc3fe34f7e6cd57086e179915d2f90a

Found in base branch: main

Vulnerability Details

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

Publish Date: 2020-12-10

URL: CVE-2020-8908

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908

Release Date: 2020-12-10

Fix Resolution: v30.0


CVE-2021-37533 (Medium) detected in commons-net-3.8.0.jar - autoclosed

CVE-2021-37533 - Medium Severity Vulnerability

Vulnerable Library - commons-net-3.8.0.jar

Apache Commons Net library contains a collection of network utilities and protocol implementations. Supported protocols include: Echo, Finger, FTP, NNTP, NTP, POP3(S), SMTP(S), Telnet, Whois

Library home page: https://commons.apache.org/proper/commons-net/

Path to dependency file: /training/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-net/commons-net/3.8.0/commons-net-3.8.0.jar

Dependency Hierarchy:

  • htmlunit-driver-4.7.2.jar (Root Library)
    • htmlunit-2.67.0.jar
      • commons-net-3.8.0.jar (Vulnerable Library)

Found in HEAD commit: a5e17be61c0eea27e14e2cdf0f0964535f98ed2a

Found in base branch: main

Vulnerability Details

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

Publish Date: 2022-12-03

URL: CVE-2021-37533

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2021-37533

Release Date: 2022-12-03

Fix Resolution: commons-net:commons-net:3.9.0


CVE-2022-41915 (Medium) detected in netty-codec-http-4.1.84.Final.jar - autoclosed

CVE-2022-41915 - Medium Severity Vulnerability

Vulnerable Library - netty-codec-http-4.1.84.Final.jar

Library home page: https://netty.io/

Path to dependency file: /training/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.84.Final/netty-codec-http-4.1.84.Final.jar

Dependency Hierarchy:

  • selenium-chrome-driver-4.7.2.jar (Root Library)
    • selenium-remote-driver-4.7.2.jar
      • netty-codec-http-4.1.84.Final.jar (Vulnerable Library)

Found in HEAD commit: a5e17be61c0eea27e14e2cdf0f0964535f98ed2a

Found in base branch: main

Vulnerability Details

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, when calling DefaultHttpHeaders.set with an iterator of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by changing the DefaultHttpHeaders.set(CharSequence, Iterator<?>) call, into a remove() call, and call add() in a loop over the iterator of values.

Publish Date: 2022-12-13

URL: CVE-2022-41915

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2022-12-13

Fix Resolution: io.netty:netty-codec-http:4.1.86.Final


CVE-2022-23437 (Medium) detected in xercesImpl-2.12.0.jar - autoclosed

CVE-2022-23437 - Medium Severity Vulnerability

Vulnerable Library - xercesImpl-2.12.0.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.

Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page.

Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1.

Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.

Library home page: https://xerces.apache.org/xerces2-j/

Path to dependency file: /training/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.12.0/xercesImpl-2.12.0.jar

Dependency Hierarchy:

  • htmlunit-driver-2.52.0.jar (Root Library)
    • htmlunit-2.52.0.jar
      • neko-htmlunit-2.52.0.jar
        • xercesImpl-2.12.0.jar (Vulnerable Library)

Found in HEAD commit: e69773113dc3fe34f7e6cd57086e179915d2f90a

Found in base branch: main

Vulnerability Details

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

Publish Date: 2022-01-24

URL: CVE-2022-23437

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-h65f-jvqw-m9fj

Release Date: 2022-01-24

Fix Resolution: xerces:xercesImpl:2.12.2



CVE-2023-26049 (Medium) detected in jetty-http-9.4.50.v20221201.jar

CVE-2023-26049 - Medium Severity Vulnerability

Vulnerable Library - jetty-http-9.4.50.v20221201.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /training/pom.xml

Path to vulnerable library: /training/pom.xml

Dependency Hierarchy:

  • htmlunit-driver-4.13.0.jar (Root Library)
    • htmlunit-2.70.0.jar
      • websocket-client-9.4.50.v20221201.jar
        • jetty-client-9.4.50.v20221201.jar
          • jetty-http-9.4.50.v20221201.jar (Vulnerable Library)

Found in HEAD commit: 809489cfcccf8668ff6de2c962c09e4bb0033765

Found in base branch: main

Vulnerability Details

Jetty is a Java-based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.

Publish Date: 2023-04-18

URL: CVE-2023-26049

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-p26g-97m4-6q7c

Release Date: 2023-04-18

Fix Resolution: org.eclipse.jetty:jetty-http:9.4.51.v20230217,10.0.14,11.0.14, org.eclipse.jetty:jetty-runner:9.4.51.v20230217,10.0.14,11.0.14, org.eclipse.jetty:jetty-server:9.4.51.v20230217,10.0.14,11.0.14



CVE-2023-2976 (High) detected in guava-31.1-jre.jar - autoclosed

CVE-2023-2976 - High Severity Vulnerability

Vulnerable Library - guava-31.1-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.

Path to dependency file: /training/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/guava/guava/31.1-jre/guava-31.1-jre.jar

Dependency Hierarchy:

  • selenium-chrome-driver-4.10.0.jar (Root Library)
    • auto-service-1.0.1.jar
      • auto-common-1.2.jar
        • guava-31.1-jre.jar (Vulnerable Library)

Found in HEAD commit: 809489cfcccf8668ff6de2c962c09e4bb0033765

Found in base branch: main

Vulnerability Details

Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Publish Date: 2023-06-14

URL: CVE-2023-2976

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-2976

Release Date: 2023-06-14

Fix Resolution: com.google.guava:guava:32.0.1-jre,com.google.guava:guava:32.0.1-android



CVE-2020-13956 (Medium) detected in httpclient-4.5.6.jar - autoclosed

CVE-2020-13956 - Medium Severity Vulnerability

Vulnerable Library - httpclient-4.5.6.jar

Apache HttpComponents Client

Path to dependency file: selenium-java-tests/training/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/httpcomponents/httpclient/4.5.6/httpclient-4.5.6.jar

Dependency Hierarchy:

  • htmlunit-driver-2.33.2.jar (Root Library)
    • htmlunit-2.33.jar
      • httpmime-4.5.6.jar
        • httpclient-4.5.6.jar (Vulnerable Library)

Found in HEAD commit: e69773113dc3fe34f7e6cd57086e179915d2f90a

Found in base branch: main

Vulnerability Details

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Publish Date: 2020-12-02

URL: CVE-2020-13956

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-13956

Release Date: 2020-07-21

Fix Resolution: org.apache.httpcomponents:httpclient:4.5.13;org.apache.httpcomponents:httpclient-osgi:4.5.13;org.apache.httpcomponents.client5:httpclient5:5.0.3;org.apache.httpcomponents.client5:httpclient5-osgi:5.0.3



CVE-2022-42889 (Medium) detected in commons-text-1.9.jar - autoclosed

CVE-2022-42889 - Medium Severity Vulnerability

Vulnerable Library - commons-text-1.9.jar

Apache Commons Text is a library focused on algorithms working on strings.

Library home page: https://commons.apache.org/proper/commons-text

Path to dependency file: /training/pom.xml

Path to vulnerable library: /tmp/ws-ua_20221004175944_ZHZDRB/downloadResource_BNHWMP/20221004180043/commons-text-1.9.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-text/1.9/commons-text-1.9.jar

Dependency Hierarchy:

  • htmlunit-driver-4.5.0.jar (Root Library)
    • htmlunit-2.65.1.jar
      • commons-text-1.9.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

  • "script" - execute expressions using the JVM script execution engine (javax.script)
  • "dns" - resolve dns records
  • "url" - load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

Publish Date: 2022-10-13

URL: CVE-2022-42889

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2022/10/13/4

Release Date: 2022-10-13

Fix Resolution: org.apache.commons:commons-text:1.10.0



CVE-2022-29546 (High) detected in neko-htmlunit-2.52.0.jar - autoclosed

CVE-2022-29546 - High Severity Vulnerability

Vulnerable Library - neko-htmlunit-2.52.0.jar

HtmlUnit adaptation of NekoHtml. It has the same functionality but exposing HTMLElements to be overridden.

Library home page: http://htmlunit.sourceforge.net

Path to dependency file: /training/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/net/sourceforge/htmlunit/neko-htmlunit/2.52.0/neko-htmlunit-2.52.0.jar

Dependency Hierarchy:

  • htmlunit-driver-2.52.0.jar (Root Library)
    • htmlunit-2.52.0.jar
      • neko-htmlunit-2.52.0.jar (Vulnerable Library)

Found in HEAD commit: e69773113dc3fe34f7e6cd57086e179915d2f90a

Found in base branch: main

Vulnerability Details

HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction (PI) data leads to heap memory consumption. This is similar to CVE-2022-28366 but affects a much later version of the product.

Publish Date: 2022-04-25

URL: CVE-2022-29546

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29546

Release Date: 2022-04-25

Fix Resolution: neko-htmlunit - 2.61.0



CVE-2021-28165 (High) detected in jetty-io-9.4.12.v20180830.jar - autoclosed

CVE-2021-28165 - High Severity Vulnerability

Vulnerable Library - jetty-io-9.4.12.v20180830.jar

The Eclipse Jetty Project

Library home page: http://www.eclipse.org/jetty

Path to dependency file: selenium-java-tests/training/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-io/9.4.12.v20180830/jetty-io-9.4.12.v20180830.jar

Dependency Hierarchy:

  • htmlunit-driver-2.33.2.jar (Root Library)
    • htmlunit-2.33.jar
      • websocket-client-9.4.12.v20180830.jar
        • jetty-io-9.4.12.v20180830.jar (Vulnerable Library)

Found in HEAD commit: e69773113dc3fe34f7e6cd57086e179915d2f90a

Found in base branch: main

Vulnerability Details

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

Publish Date: 2021-04-01

URL: CVE-2021-28165

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-26vr-8j45-3r4w

Release Date: 2021-04-01

Fix Resolution: org.eclipse.jetty:jetty-io:9.4.39, org.eclipse.jetty:jetty-io:10.0.2, org.eclipse.jetty:jetty-io:11.0.2



CVE-2020-27223 (Medium) detected in jetty-http-9.4.12.v20180830.jar - autoclosed

CVE-2020-27223 - Medium Severity Vulnerability

Vulnerable Library - jetty-http-9.4.12.v20180830.jar

The Eclipse Jetty Project

Library home page: http://www.eclipse.org/jetty

Path to dependency file: selenium-java-tests/training/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.12.v20180830/jetty-http-9.4.12.v20180830.jar

Dependency Hierarchy:

  • htmlunit-driver-2.33.2.jar (Root Library)
    • htmlunit-2.33.jar
      • websocket-client-9.4.12.v20180830.jar
        • jetty-client-9.4.12.v20180830.jar
          • jetty-http-9.4.12.v20180830.jar (Vulnerable Library)

Found in HEAD commit: e69773113dc3fe34f7e6cd57086e179915d2f90a

Found in base branch: main

Vulnerability Details

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

Publish Date: 2021-02-26

URL: CVE-2020-27223

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-m394-8rww-3jr7

Release Date: 2021-02-26

Fix Resolution: org.eclipse.jetty:jetty-http:9.4.37.v20210219, org.eclipse.jetty:jetty-http:10.0.1, org.eclipse.jetty:jetty-http:11.0.1



CVE-2021-29425 (Medium) detected in commons-io-2.6.jar - autoclosed

CVE-2021-29425 - Medium Severity Vulnerability

Vulnerable Library - commons-io-2.6.jar

The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

Library home page: http://commons.apache.org/proper/commons-io/

Path to dependency file: selenium-java-tests/training/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar

Dependency Hierarchy:

  • htmlunit-driver-2.33.2.jar (Root Library)
    • htmlunit-2.33.jar
      • commons-io-2.6.jar (Vulnerable Library)

Found in HEAD commit: e69773113dc3fe34f7e6cd57086e179915d2f90a

Found in base branch: main

Vulnerability Details

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Publish Date: 2021-04-13

URL: CVE-2021-29425

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425

Release Date: 2021-04-13

Fix Resolution: commons-io:commons-io:2.7



WS-2019-0379 (Medium) detected in commons-codec-1.11.jar - autoclosed

WS-2019-0379 - Medium Severity Vulnerability

Vulnerable Library - commons-codec-1.11.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Path to dependency file: /training/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.11/commons-codec-1.11.jar

Dependency Hierarchy:

  • htmlunit-driver-2.52.0.jar (Root Library)
    • htmlunit-2.52.0.jar
      • httpmime-4.5.13.jar
        • httpclient-4.5.13.jar
          • commons-codec-1.11.jar (Vulnerable Library)

Found in HEAD commit: e69773113dc3fe34f7e6cd57086e179915d2f90a

Found in base branch: main

Vulnerability Details

Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: apache/commons-codec@48b6157

Release Date: 2019-05-20

Fix Resolution: commons-codec:commons-codec:1.13



WS-2019-0490 (High) detected in jcommander-1.72.jar - autoclosed

WS-2019-0490 - High Severity Vulnerability

Vulnerable Library - jcommander-1.72.jar

Command line parsing

Library home page: http://jcommander.org

Path to dependency file: /training/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar

Dependency Hierarchy:

  • selenium-chrome-driver-4.3.0.jar (Root Library)
    • selenium-remote-driver-4.3.0.jar
      • jcommander-1.72.jar (Vulnerable Library)

Found in HEAD commit: 8f2077cfa3f7ea6fbe502901d3f1559d0d8dd18a

Found in base branch: main

Vulnerability Details

Inclusion of Functionality from Untrusted Control Sphere vulnerability found in jcommander before 1.75. jcommander resolves dependencies over HTTP instead of HTTPS.

Publish Date: 2019-02-19

URL: WS-2019-0490

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2019-02-19

Fix Resolution: com.beust:jcommander:1.75



CVE-2020-5529 (High) detected in htmlunit-2.33.jar - autoclosed

CVE-2020-5529 - High Severity Vulnerability

Vulnerable Library - htmlunit-2.33.jar

A headless browser intended for use in testing web-based applications.

Library home page: http://htmlunit.sourceforge.net

Path to dependency file: selenium-java-tests/training/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/net/sourceforge/htmlunit/htmlunit/2.33/htmlunit-2.33.jar

Dependency Hierarchy:

  • htmlunit-driver-2.33.2.jar (Root Library)
    • htmlunit-2.33.jar (Vulnerable Library)

Found in HEAD commit: e69773113dc3fe34f7e6cd57086e179915d2f90a

Found in base branch: main

Vulnerability Details

HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes the Rhino engine improperly, hence malicious JavaScript code can execute arbitrary Java code on the application. Moreover, when embedded in an Android application, Android-specific initialization of the Rhino engine is done in an improper way, hence malicious JavaScript code can execute arbitrary Java code on the application.

Publish Date: 2020-02-11

URL: CVE-2020-5529

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://github.com/HtmlUnit/htmlunit/releases/tag/2.37.0

Release Date: 2020-02-11

Fix Resolution: net.sourceforge.htmlunit:htmlunit:2.37.0



CVE-2023-34462 (Medium) detected in netty-handler-4.1.92.Final.jar - autoclosed

CVE-2023-34462 - Medium Severity Vulnerability

Vulnerable Library - netty-handler-4.1.92.Final.jar

Library home page: https://netty.io/

Path to dependency file: /training/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.92.Final/netty-handler-4.1.92.Final.jar

Dependency Hierarchy:

  • selenium-chrome-driver-4.10.0.jar (Root Library)
    • selenium-chromium-driver-4.10.0.jar
      • selenium-remote-driver-4.10.0.jar
        • netty-codec-http-4.1.92.Final.jar
          • netty-handler-4.1.92.Final.jar (Vulnerable Library)

Found in HEAD commit: 809489cfcccf8668ff6de2c962c09e4bb0033765

Found in base branch: main

Vulnerability Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler allocate 16MB of heap. The SniHandler class is a handler that waits for the TLS handshake to configure a SslHandler according to the indicated server name by the ClientHello record. For this matter it allocates a ByteBuf using the value defined in the ClientHello record. Normally the value of the packet should be smaller than the handshake packet but there are no checks done here and the way the code is written, it is possible to craft a packet that makes the SslClientHelloHandler. This vulnerability has been fixed in version 4.1.94.Final.

Publish Date: 2023-06-22

URL: CVE-2023-34462

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-6mjq-h674-j845

Release Date: 2023-06-22

Fix Resolution: io.netty:netty-handler:4.1.94.Final;io.netty:netty-all:4.1.94.Final



CVE-2023-36478 (High) detected in jetty-http-9.4.50.v20221201.jar

CVE-2023-36478 - High Severity Vulnerability

Vulnerable Library - jetty-http-9.4.50.v20221201.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /training/pom.xml

Path to vulnerable library: /training/pom.xml

Dependency Hierarchy:

  • htmlunit-driver-4.13.0.jar (Root Library)
    • htmlunit-2.70.0.jar
      • websocket-client-9.4.50.v20221201.jar
        • jetty-client-9.4.50.v20221201.jar
          • jetty-http-9.4.50.v20221201.jar (Vulnerable Library)

Found in HEAD commit: 809489cfcccf8668ff6de2c962c09e4bb0033765

Found in base branch: main

Vulnerability Details

Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in MetaDataBuilder.checkSize allows for HTTP/2 HPACK header values to exceed their size limit. MetaDataBuilder.java determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. (_size+length) will now be negative, and the check on line 296 will not be triggered. Furthermore, MetaDataBuilder.checkSize allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.

Publish Date: 2023-10-10

URL: CVE-2023-36478

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-wgh7-54f2-x98r

Release Date: 2023-10-10

Fix Resolution: org.eclipse.jetty.http2:http2-hpack:9.4.53.v20231009,10.0.16,11.0.16;org.eclipse.jetty.http3:http3-qpack:10.0.16,11.0.16;org.eclipse.jetty:jetty-http:9.4.53.v20231009,10.0.16,11.0.16



CVE-2022-34169 (High) detected in xalan-2.7.2.jar - autoclosed

CVE-2022-34169 - High Severity Vulnerability

Vulnerable Library - xalan-2.7.2.jar

Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in another program.

Library home page: http://xml.apache.org/xalan-j/

Path to dependency file: /training/pom.xml

Path to vulnerable library: /tmp/ws-ua_20221004175944_ZHZDRB/downloadResource_BNHWMP/20221004180042/xalan-2.7.2.jar

Dependency Hierarchy:

  • htmlunit-driver-3.64.0.jar (Root Library)
    • htmlunit-2.64.0.jar
      • xalan-2.7.2.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

Publish Date: 2022-07-19

URL: CVE-2022-34169

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


CVE-2022-2047 (Low) detected in jetty-client-9.4.46.v20220331.jar, jetty-http-9.4.46.v20220331.jar - autoclosed

CVE-2022-2047 - Low Severity Vulnerability

Vulnerable Libraries - jetty-client-9.4.46.v20220331.jar, jetty-http-9.4.46.v20220331.jar

jetty-client-9.4.46.v20220331.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /training/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-client/9.4.46.v20220331/jetty-client-9.4.46.v20220331.jar

Dependency Hierarchy:

  • htmlunit-driver-3.62.0.jar (Root Library)
    • htmlunit-2.62.0.jar
      • websocket-client-9.4.46.v20220331.jar
        • jetty-client-9.4.46.v20220331.jar (Vulnerable Library)

jetty-http-9.4.46.v20220331.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /training/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.46.v20220331/jetty-http-9.4.46.v20220331.jar

Dependency Hierarchy:

  • htmlunit-driver-3.62.0.jar (Root Library)
    • htmlunit-2.62.0.jar
      • websocket-client-9.4.46.v20220331.jar
        • jetty-client-9.4.46.v20220331.jar
          • jetty-http-9.4.46.v20220331.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.

Publish Date: 2022-07-07

URL: CVE-2022-2047

CVSS 3 Score Details (2.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-cj7v-27pg-wf7q

Release Date: 2022-07-07

Fix Resolution: org.eclipse.jetty:jetty-http:10.0.10,11.0.10;org.eclipse.jetty:jetty-runner:9.4.47,10.10,11.0.10;org.eclipse.jetty:jetty-client:9.4.47,10.10,11.0.10;org.eclipse.jetty:jetty-server;9.4.47,10.10,11.0.10;org.eclipse.jetty:jetty-proxy:9.4.47,10.10,11.0.10

