katerinaorg / nobasebrach
This project forked from gal-doron/nobasebrach
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.66.Final/netty-codec-4.1.66.Final.jar
Found in HEAD commit: 9d50db869f7d875d8d68163abd32186fdb3e2855
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
WS-2021-0419 | High | 7.7 | gson-2.8.6.jar | Transitive | 2.8.2.3 | ✅ |
CVE-2022-25647 | High | 7.7 | gson-2.8.6.jar | Transitive | 2.8.2.3 | ✅ |
CVE-2020-36518 | High | 7.5 | jackson-databind-2.12.3.jar | Transitive | 2.9.0-candidate-4 | ✅ |
CVE-2021-37136 | High | 7.5 | netty-codec-4.1.66.Final.jar | Transitive | 2.8.1.5 | ✅ |
CVE-2021-37137 | High | 7.5 | netty-codec-4.1.66.Final.jar | Transitive | 2.8.1.5 | ✅ |
WS-2020-0408 | High | 7.4 | netty-handler-4.1.66.Final.jar | Transitive | 2.8.1.30 | ✅ |
WS-2021-0616 | Medium | 5.9 | multiple | Transitive | 2.8.2.4 | ✅ |
Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar
Dependency Hierarchy:
Found in HEAD commit: 9d50db869f7d875d8d68163abd32186fdb3e2855
Found in base branch: main
Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/google/gson/releases/tag/gson-parent-2.8.9
Release Date: 2021-10-11
Fix Resolution (com.google.code.gson:gson): 2.8.9
Direct dependency fix Resolution (io.streamnative:pulsar-common): 2.8.2.3
⛑️ Automatic Remediation is available for this issue
Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar
Dependency Hierarchy:
Found in HEAD commit: 9d50db869f7d875d8d68163abd32186fdb3e2855
Found in base branch: main
The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Publish Date: 2022-05-01
URL: CVE-2022-25647
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647
Release Date: 2022-05-01
Fix Resolution (com.google.code.gson:gson): 2.8.9
Direct dependency fix Resolution (io.streamnative:pulsar-common): 2.8.2.3
⛑️ Automatic Remediation is available for this issue
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar
Dependency Hierarchy:
Found in HEAD commit: 9d50db869f7d875d8d68163abd32186fdb3e2855
Found in base branch: main
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
WhiteSource Note: After conducting further research, WhiteSource has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.
Publish Date: 2022-03-11
URL: CVE-2020-36518
Base Score Metrics:
Type: Upgrade version
Origin: FasterXML/jackson-databind#2816
Release Date: 2022-03-11
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.6.1
Direct dependency fix Resolution (io.streamnative:pulsar-common): 2.9.0-candidate-4
⛑️ Automatic Remediation is available for this issue
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.66.Final/netty-codec-4.1.66.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 9d50db869f7d875d8d68163abd32186fdb3e2855
Found in base branch: main
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack.
Publish Date: 2021-10-19
URL: CVE-2021-37136
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-grg4-wf29-r9vv
Release Date: 2021-10-19
Fix Resolution (io.netty:netty-codec): 4.1.68.Final
Direct dependency fix Resolution (io.streamnative:pulsar-common): 2.8.1.5
⛑️ Automatic Remediation is available for this issue
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.66.Final/netty-codec-4.1.66.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 9d50db869f7d875d8d68163abd32186fdb3e2855
Found in base branch: main
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
Publish Date: 2021-10-19
URL: CVE-2021-37137
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9vjp-v76f-g363
Release Date: 2021-10-19
Fix Resolution (io.netty:netty-codec): 4.1.68.Final
Direct dependency fix Resolution (io.streamnative:pulsar-common): 2.8.1.5
⛑️ Automatic Remediation is available for this issue
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.66.Final/netty-handler-4.1.66.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 9d50db869f7d875d8d68163abd32186fdb3e2855
Found in base branch: main
An issue was found in all versions of io.netty:netty-all. Host verification in Netty is disabled by default. This can lead to a MITM attack in which an attacker can forge valid SSL/TLS certificates for a different hostname in order to intercept traffic that isn't intended for them. This is an issue because the certificate is not matched with the host.
Publish Date: 2020-06-22
URL: WS-2020-0408
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2020-0408
Release Date: 2020-06-22
Fix Resolution (io.netty:netty-handler): 4.1.69.Final
Direct dependency fix Resolution (io.streamnative:pulsar-common): 2.8.1.30
⛑️ Automatic Remediation is available for this issue
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar
Dependency Hierarchy:
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
Library home page: https://github.com/FasterXML/jackson-core
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.12.3/jackson-core-2.12.3.jar
Dependency Hierarchy:
Found in HEAD commit: 9d50db869f7d875d8d68163abd32186fdb3e2855
Found in base branch: main
In FasterXML jackson-databind before 2.12.6 and 2.13.1 there is a DoS when using JDK serialization to serialize JsonNode.
Publish Date: 2021-11-20
URL: WS-2021-0616
Base Score Metrics:
Type: Upgrade version
Origin: FasterXML/jackson-databind#3328
Release Date: 2021-11-20
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.4
Direct dependency fix Resolution (io.streamnative:pulsar-common): 2.8.2.4
⛑️ Automatic Remediation is available for this issue