
nobasebrach's People

Contributors: gal-doron, mend-for-github-com[bot]

nobasebrach's Issues

pulsar-common-2.8.0.9.jar: 7 vulnerabilities (highest severity is: 7.7)

Vulnerable Library - pulsar-common-2.8.0.9.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.66.Final/netty-codec-4.1.66.Final.jar

Found in HEAD commit: 9d50db869f7d875d8d68163abd32186fdb3e2855

Vulnerabilities

CVE              Severity  CVSS  Dependency                      Type        Fixed in (io.streamnative:pulsar-common)  Remediation Available
WS-2021-0419     High      7.7   gson-2.8.6.jar                  Transitive  2.8.2.3                                    yes
CVE-2022-25647   High      7.7   gson-2.8.6.jar                  Transitive  2.8.2.3                                    yes
CVE-2020-36518   High      7.5   jackson-databind-2.12.3.jar     Transitive  2.9.0-candidate-4                          yes
CVE-2021-37136   High      7.5   netty-codec-4.1.66.Final.jar    Transitive  2.8.1.5                                    yes
CVE-2021-37137   High      7.5   netty-codec-4.1.66.Final.jar    Transitive  2.8.1.5                                    yes
WS-2020-0408     High      7.4   netty-handler-4.1.66.Final.jar  Transitive  2.8.1.30                                   yes
WS-2021-0616     Medium    5.9   multiple                        Transitive  2.8.2.4                                    yes
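Added example, not part of the Mend report or of the nobasebrach project: every finding above is transitive through io.streamnative:pulsar-common, so the practical question is the single pulsar-common version that closes all of them, which is the maximum of the per-finding "Fixed in" versions. The script below copies the seven rows from the table and orders versions with a comparator that approximates Maven's ComparableVersion for the shapes that occur here (numeric segments compare numerically, "Final" is a release marker, a qualifier such as "candidate-4" sorts below the bare release). The comparator and the helper names are this example's own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ident: str      # scanner identifier (CVE or WS id)
    library: str    # transitive library the finding is reported against
    fixed_in: str   # io.streamnative:pulsar-common version the scanner says carries the fix


# The seven rows of the scanner's summary table, copied from this report.
FINDINGS = [
    Finding("WS-2021-0419", "gson-2.8.6.jar", "2.8.2.3"),
    Finding("CVE-2022-25647", "gson-2.8.6.jar", "2.8.2.3"),
    Finding("CVE-2020-36518", "jackson-databind-2.12.3.jar", "2.9.0-candidate-4"),
    Finding("CVE-2021-37136", "netty-codec-4.1.66.Final.jar", "2.8.1.5"),
    Finding("CVE-2021-37137", "netty-codec-4.1.66.Final.jar", "2.8.1.5"),
    Finding("WS-2020-0408", "netty-handler-4.1.66.Final.jar", "2.8.1.30"),
    Finding("WS-2021-0616", "jackson-databind-2.12.3.jar", "2.8.2.4"),
]

RELEASE_MARKERS = {"", "final", "ga", "release"}


def version_key(version: str):
    """Sort key approximating Maven's ComparableVersion for the version shapes in
    this report. Dot/dash separated numeric segments compare numerically (so
    2.8.1.30 > 2.8.1.5, unlike a plain string compare); 'Final'/'GA' are release
    markers and ignored; any other qualifier (e.g. 'candidate-4') sorts below the
    bare release with the same numbers, i.e. 2.9.0-candidate-4 < 2.9.0."""
    numeric = []
    qualifier = []
    for tok in re.split(r"[.-]", version):
        low = tok.lower()
        if low in RELEASE_MARKERS:
            continue
        if tok.isdigit() and not qualifier:
            numeric.append(int(tok))
        elif tok.isdigit():
            qualifier.append((0, int(tok)))   # number inside a qualifier: candidate-4 < candidate-10
        else:
            qualifier.append((1, low))
    while numeric and numeric[-1] == 0:       # Maven treats 2.9.0 and 2.9 as equal
        numeric.pop()
    return (tuple(numeric), 0 if qualifier else 1, tuple(qualifier))


def satisfies(current: str, fixed_in: str) -> bool:
    """True if `current` is at or above the version that carries the fix."""
    return version_key(current) >= version_key(fixed_in)


def remaining_findings(target: str, findings=FINDINGS):
    """Identifiers still open if pulsar-common is bumped to `target`."""
    return [f.ident for f in findings if not satisfies(target, f.fixed_in)]


def minimum_upgrade(findings=FINDINGS) -> str:
    """Lowest pulsar-common version that closes every finding: the maximum of the
    per-finding fix versions."""
    return max((f.fixed_in for f in findings), key=version_key)


if __name__ == "__main__":
    print("current 2.8.0.9 leaves open:", remaining_findings("2.8.0.9"))
    print("2.8.2.4 leaves open:", remaining_findings("2.8.2.4"))
    print("smallest version closing everything:", minimum_upgrade())
```

Bumping only to 2.8.2.4 still leaves CVE-2020-36518 open, because its fix is reported in 2.9.0-candidate-4, a pre-release qualifier. Whether to ship a candidate build or wait for the corresponding GA release is a judgement the scanner does not make for you; if you wait, the jackson-databind finding should be tracked as an accepted, time-boxed risk rather than silently closed.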

Details

WS-2021-0419

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar

Dependency Hierarchy:

  • pulsar-common-2.8.0.9.jar (Root Library)
    • gson-2.8.6.jar (Vulnerable Library)

Found in HEAD commit: 9d50db869f7d875d8d68163abd32186fdb3e2855

Found in base branch: main

Vulnerability Details

A denial-of-service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/google/gson/releases/tag/gson-parent-2.8.9

Release Date: 2021-10-11

Fix Resolution (com.google.code.gson:gson): 2.8.9

Direct dependency fix Resolution (io.streamnative:pulsar-common): 2.8.2.3

⛑️ Automatic Remediation is available for this issue

CVE-2022-25647

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar

Dependency Hierarchy:

  • pulsar-common-2.8.0.9.jar (Root Library)
    • gson-2.8.6.jar (Vulnerable Library)

Found in HEAD commit: 9d50db869f7d875d8d68163abd32186fdb3e2855

Found in base branch: main

Vulnerability Details

The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Publish Date: 2022-05-01

URL: CVE-2022-25647

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647

Release Date: 2022-05-01

Fix Resolution (com.google.code.gson:gson): 2.8.9

Direct dependency fix Resolution (io.streamnative:pulsar-common): 2.8.2.3

⛑️ Automatic Remediation is available for this issue

CVE-2020-36518

Vulnerable Library - jackson-databind-2.12.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar

Dependency Hierarchy:

  • pulsar-common-2.8.0.9.jar (Root Library)
    • jackson-databind-2.12.3.jar (Vulnerable Library)

Found in HEAD commit: 9d50db869f7d875d8d68163abd32186fdb3e2855

Found in base branch: main

Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
WhiteSource Note: After conducting further research, WhiteSource has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.

Publish Date: 2022-03-11

URL: CVE-2020-36518

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2816

Release Date: 2022-03-11

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.6.1

Direct dependency fix Resolution (io.streamnative:pulsar-common): 2.9.0-candidate-4

⛑️ Automatic Remediation is available for this issue
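Added example, not code from jackson-databind, Netty or the nobasebrach project: the failure mode of CVE-2020-36518 is a recursive parser whose stack grows with the nesting depth of attacker-controlled JSON. The fixed jackson-databind releases bound that depth inside the parser; the Python below shows the same defence as a pre-parse guard that walks the raw text once, in constant memory, and rejects the document before a recursive parser sees it. The limit of 1000, the helper names and the nesting-bomb payload are this example's own assumptions.

```python
import json

# Depth bound used by this example (an assumption, not a value taken from the report).
MAX_DEPTH = 1000


class NestingTooDeep(ValueError):
    """Raised before any recursive parser is allowed to touch the input."""


def max_nesting_depth(doc: str, limit: int = MAX_DEPTH) -> int:
    """One linear pass over the raw JSON text. Counts [ { and ] } outside of string
    literals (quotes and backslash escapes are tracked so brackets inside strings
    are ignored) and raises as soon as the depth exceeds `limit`. Memory use is
    O(1) regardless of input size, unlike a recursive-descent parser whose stack
    grows with every nested array or object."""
    depth = deepest = 0
    in_string = escaped = False
    for ch in doc:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > limit:
                raise NestingTooDeep(f"nesting depth exceeds {limit}")
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced closing bracket")
    if in_string or depth != 0:
        raise ValueError("unterminated string or unbalanced brackets")
    return deepest


def safe_loads(doc: str, limit: int = MAX_DEPTH):
    """Depth check first, then the regular (recursive) parser."""
    max_nesting_depth(doc, limit)
    return json.loads(doc)


def is_rejected(doc: str, limit: int = MAX_DEPTH) -> bool:
    """True if the guard refuses the document because of its nesting depth."""
    try:
        safe_loads(doc, limit)
    except NestingTooDeep:
        return True
    return False


# Constructed payload of the kind the advisory describes: 100,000 nested arrays.
NESTING_BOMB = "[" * 100_000 + "]" * 100_000

if __name__ == "__main__":
    print("benign doc depth:", max_nesting_depth('{"a":[{"b":"]]]]"}]}'))
    print("bomb rejected:", is_rejected(NESTING_BOMB))
```

The guard is deliberately not a JSON validator; it only answers the one question the parser cannot answer safely on its own. Keep the limit well above anything legitimate clients send so the check never becomes the thing that breaks production.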

CVE-2021-37136

Vulnerable Library - netty-codec-4.1.66.Final.jar

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.66.Final/netty-codec-4.1.66.Final.jar

Dependency Hierarchy:

  • pulsar-common-2.8.0.9.jar (Root Library)
    • netty-handler-4.1.66.Final.jar
      • netty-codec-4.1.66.Final.jar (Vulnerable Library)

Found in HEAD commit: 9d50db869f7d875d8d68163abd32186fdb3e2855

Found in base branch: main

Vulnerability Details

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack.

Publish Date: 2021-10-19

URL: CVE-2021-37136

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-grg4-wf29-r9vv

Release Date: 2021-10-19

Fix Resolution (io.netty:netty-codec): 4.1.68.Final

Direct dependency fix Resolution (io.streamnative:pulsar-common): 2.8.1.5

⛑️ Automatic Remediation is available for this issue

CVE-2021-37137

Vulnerable Library - netty-codec-4.1.66.Final.jar

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.66.Final/netty-codec-4.1.66.Final.jar

Dependency Hierarchy:

  • pulsar-common-2.8.0.9.jar (Root Library)
    • netty-handler-4.1.66.Final.jar
      • netty-codec-4.1.66.Final.jar (Vulnerable Library)

Found in HEAD commit: 9d50db869f7d875d8d68163abd32186fdb3e2855

Found in base branch: main

Vulnerability Details

The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.

Publish Date: 2021-10-19

URL: CVE-2021-37137

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-9vjp-v76f-g363

Release Date: 2021-10-19

Fix Resolution (io.netty:netty-codec): 4.1.68.Final

Direct dependency fix Resolution (io.streamnative:pulsar-common): 2.8.1.5

⛑️ Automatic Remediation is available for this issue
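Added example for both Netty findings above (CVE-2021-37136 on Bzip2Decoder and CVE-2021-37137 on the Snappy frame decoder); it is not Netty's code and not the project's. Both advisories describe the same class of bug: output size is driven by the attacker's compressed input, so a few hundred bytes can expand into an allocation that exhausts the heap. The defence is to inflate in bounded slices and abort once the running total crosses a limit the caller chooses, never trusting the stream's own length fields. Python's standard library has no Snappy codec, so bz2 is used; the limit values, the helper names and the zero-filled bomb are this example's own.

```python
import bz2


class DecompressionLimitExceeded(ValueError):
    """Output would exceed the caller's bound; the rest of the stream is never inflated."""


def bounded_decompress(data: bytes, max_output: int, step: int = 64 * 1024) -> bytes:
    """Inflate a bz2 stream but never hold more than `max_output` bytes of output.
    BZ2Decompressor.decompress(max_length=...) returns output in bounded slices
    and keeps the remainder inside the decompressor; draining with b'' lets us
    count as we go and stop at the first slice that crosses the limit. Raising
    here is what the advisory says Netty's Bzip2Decoder had no way to do."""
    dec = bz2.BZ2Decompressor()
    out = bytearray()
    pending = data
    while not dec.eof:
        piece = dec.decompress(pending, max_length=step)
        pending = b""                       # later calls only drain buffered output
        out += piece
        if len(out) > max_output:
            raise DecompressionLimitExceeded(
                f"decompressed size exceeds {max_output} bytes "
                f"(compressed input was {len(data)} bytes)")
        if not piece and dec.needs_input:   # input exhausted without an end-of-stream marker
            raise ValueError("truncated bz2 stream")
    return bytes(out)


def is_rejected(data: bytes, max_output: int) -> bool:
    """True if the bounded decoder refuses `data` under the given output cap."""
    try:
        bounded_decompress(data, max_output)
    except DecompressionLimitExceeded:
        return True
    return False


def roundtrip(plain: bytes, max_output: int) -> bytes:
    """Compress then inflate under a cap; convenience for exercising the happy path."""
    return bounded_decompress(bz2.compress(plain), max_output)


# Constructed decompression bomb: 8 MiB of zeros shrinks to a handful of bz2 bytes.
BOMB_PLAIN_SIZE = 8 * 1024 * 1024
BOMB = bz2.compress(b"\x00" * BOMB_PLAIN_SIZE)

if __name__ == "__main__":
    print(f"bomb: {len(BOMB)} bytes compressed -> {BOMB_PLAIN_SIZE} bytes plain")
    print("rejected with 1 MiB cap:", is_rejected(BOMB, 1024 * 1024))
    print("accepted with 8 MiB cap:", len(bounded_decompress(BOMB, BOMB_PLAIN_SIZE)))
```

The cap should be sized from what the protocol legitimately needs (a message size limit you already enforce elsewhere is a good anchor), and the rejection should be logged with the compressed-to-claimed ratio, since a tiny input that wants a huge output is a strong detection signal on its own.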

WS-2020-0408

Vulnerable Library - netty-handler-4.1.66.Final.jar

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.66.Final/netty-handler-4.1.66.Final.jar

Dependency Hierarchy:

  • pulsar-common-2.8.0.9.jar (Root Library)
    • netty-handler-4.1.66.Final.jar (Vulnerable Library)

Found in HEAD commit: 9d50db869f7d875d8d68163abd32186fdb3e2855

Found in base branch: main

Vulnerability Details

An issue was found in all versions of io.netty:netty-all. Host verification in Netty is disabled by default. This can lead to a MITM attack in which an attacker can present a valid SSL/TLS certificate issued for a different hostname in order to intercept traffic that is not intended for them. This is an issue because the certificate is not matched against the host.

Publish Date: 2020-06-22

URL: WS-2020-0408

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2020-0408

Release Date: 2020-06-22

Fix Resolution (io.netty:netty-handler): 4.1.69.Final

Direct dependency fix Resolution (io.streamnative:pulsar-common): 2.8.1.30

⛑️ Automatic Remediation is available for this issue
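Added example, not Netty's code and not the project's: the finding above is about the step after chain validation, binding the certificate to the name the client meant to talk to. Without it, any CA-issued certificate (including one the attacker legitimately holds for their own domain) passes. The Python below implements that binding as an RFC 6125-style SubjectAltName match, including the wildcard rules that are easy to get wrong, and shows the accept/reject decision with and without the check. The certificate dictionaries are constructed stand-ins, and the helper names are this example's own; the `ssl` context at the end shows the stdlib's equivalent of the two settings.

```python
import ssl


def hostname_matches(hostname: str, san_dns_names) -> bool:
    """RFC 6125-style identity check: the requested host must equal one of the
    certificate's DNS SubjectAltNames (case-insensitively), or match a wildcard
    pattern whose '*' is the entire leftmost label and stands for exactly one
    label. '*.example.com' matches 'api.example.com' but not 'example.com',
    'a.b.example.com', and patterns like '*.com' are refused outright."""
    host = hostname.lower().rstrip(".")
    hlabels = host.split(".")
    for pattern in san_dns_names:
        pat = pattern.lower().rstrip(".")
        if "*" not in pat:
            if pat == host:
                return True
            continue
        plabels = pat.split(".")
        if plabels[0] != "*" or any("*" in lbl for lbl in plabels[1:]) or len(plabels) < 3:
            continue  # reject '*', 'a*.x', 'x.*.y' and '*.com'-style patterns
        if len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]:
            return True
    return False


def accept_peer(target_host: str, peer_cert: dict, verify_hostname: bool = True) -> bool:
    """The decision a TLS client has to make after the handshake. `peer_cert` is a
    constructed stand-in for a parsed certificate: {'chain_valid': bool,
    'san_dns': [names]}. With verify_hostname=False a CA-issued certificate for
    any name is accepted, which is the MITM the advisory describes."""
    if not peer_cert["chain_valid"]:
        return False
    if not verify_hostname:
        return True
    return hostname_matches(target_host, peer_cert["san_dns"])


def client_context(verify_hostname: bool = True) -> ssl.SSLContext:
    """Python's stdlib equivalent of the two configurations. The default context
    already binds the certificate to the host; turning check_hostname off is the
    state the advisory reports as Netty's default."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = verify_hostname
    return ctx


def context_verifies_identity(ctx: ssl.SSLContext) -> bool:
    """Both halves are needed: a validated chain AND a name bound to that chain."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed scenario: the attacker holds a valid, CA-signed cert for their own name.
ATTACKER_CERT = {"chain_valid": True, "san_dns": ["attacker.example"]}
LEGIT_CERT = {"chain_valid": True, "san_dns": ["bank.example", "*.bank.example"]}

if __name__ == "__main__":
    print("no hostname check, attacker cert accepted:",
          accept_peer("bank.example", ATTACKER_CERT, verify_hostname=False))
    print("with hostname check, attacker cert accepted:",
          accept_peer("bank.example", ATTACKER_CERT, verify_hostname=True))
```

When auditing a Netty client for this finding, the thing to look for is whether the SSLEngine's endpoint identification algorithm is set before the handshake; a validated chain with no name binding is exactly the `verify_hostname=False` branch above.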

WS-2021-0616

Vulnerable Libraries - jackson-databind-2.12.3.jar, jackson-core-2.12.3.jar

jackson-databind-2.12.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.12.3/jackson-databind-2.12.3.jar

Dependency Hierarchy:

  • pulsar-common-2.8.0.9.jar (Root Library)
    • jackson-databind-2.12.3.jar (Vulnerable Library)

jackson-core-2.12.3.jar

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

Library home page: https://github.com/FasterXML/jackson-core

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.12.3/jackson-core-2.12.3.jar

Dependency Hierarchy:

  • pulsar-common-2.8.0.9.jar (Root Library)
    • jackson-databind-2.12.3.jar
      • jackson-core-2.12.3.jar (Vulnerable Library)

Found in HEAD commit: 9d50db869f7d875d8d68163abd32186fdb3e2855

Found in base branch: main

Vulnerability Details

In FasterXML jackson-databind before 2.12.6 and 2.13.1, there is a DoS when using JDK serialization to serialize JsonNode.

Publish Date: 2021-11-20

URL: WS-2021-0616

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#3328

Release Date: 2021-11-20

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.4

Direct dependency fix Resolution (io.streamnative:pulsar-common): 2.8.2.4

⛑️ Automatic Remediation is available for this issue

