nimbusgo / prophecy-libs-test Goto Github PK

Vulnerable Library - prophecy-libs_2.12-3.3.0-7.0.12-fixdeps-SNAPSHOT.jar

Path to dependency file: /pipelines/test/code/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.70/bcprov-jdk15on-1.70.jar

Found in HEAD commit: e0cdb027636b0d1d81e365025abf50e4565502d0

CVE-2022-45868

Vulnerable Library - h2-2.1.212.jar

H2 Database Engine

Library home page: https://h2database.com

Path to dependency file: /pipelines/test/code/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/h2database/h2/2.1.212/h2-2.1.212.jar

Dependency Hierarchy:

• prophecy-libs_2.12-3.3.0-7.0.12-fixdeps-SNAPSHOT.jar (Root Library)
  • spark-excel_2.12-3.2.2_0.18.0.jar
    • poi-shared-strings-2.5.3.jar
      • ❌ h2-2.1.212.jar (Vulnerable Library)

Found in HEAD commit: e0cdb027636b0d1d81e365025abf50e4565502d0

Found in base branch: main

Vulnerability Details

The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220.

Publish Date: 2022-11-23

URL: CVE-2022-45868

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-22wj-vf5f-wrvj

Release Date: 2022-11-23

Fix Resolution: com.h2database:h2:2.2.220

Step up your Open Source Security Game with Mend here

CVE-2024-29857

Vulnerable Library - bcprov-jdk15on-1.70.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 and up.

Library home page: https://www.bouncycastle.org/java.html

Path to dependency file: /pipelines/test/code/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.70/bcprov-jdk15on-1.70.jar

Dependency Hierarchy:

• prophecy-libs_2.12-3.3.0-7.0.12-fixdeps-SNAPSHOT.jar (Root Library)
  • sshj-0.35.0.jar
    • ❌ bcprov-jdk15on-1.70.jar (Vulnerable Library)

Found in HEAD commit: e0cdb027636b0d1d81e365025abf50e4565502d0

Found in base branch: main

Vulnerability Details

An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

Publish Date: 2024-05-09

URL: CVE-2024-29857

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-8xfc-gm6g-vgpv

Release Date: 2024-05-09

Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78, BouncyCastle.Cryptography - 2.3.1

Step up your Open Source Security Game with Mend here

CVE-2023-6481

Vulnerable Library - logback-core-1.2.9.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /pipelines/test/code/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.9/logback-core-1.2.9.jar

Dependency Hierarchy:

• prophecy-libs_2.12-3.3.0-7.0.12-fixdeps-SNAPSHOT.jar (Root Library)
  • ❌ logback-core-1.2.9.jar (Vulnerable Library)

Found in HEAD commit: e0cdb027636b0d1d81e365025abf50e4565502d0

Found in base branch: main

Vulnerability Details

A serialization vulnerability in logback receiver component part of
logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.

Publish Date: 2023-12-04

URL: CVE-2023-6481

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-6481

Release Date: 2023-12-04

Fix Resolution: ch.qos.logback:logback-core:1.2.13,1.3.14,1.4.14

Step up your Open Source Security Game with Mend here

CVE-2023-6378

Vulnerable Library - logback-classic-1.2.9.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /pipelines/test/code/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.9/logback-classic-1.2.9.jar

Dependency Hierarchy:

• prophecy-libs_2.12-3.3.0-7.0.12-fixdeps-SNAPSHOT.jar (Root Library)
  • ❌ logback-classic-1.2.9.jar (Vulnerable Library)

Found in HEAD commit: e0cdb027636b0d1d81e365025abf50e4565502d0

Found in base branch: main

Vulnerability Details

A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.

Publish Date: 2023-11-29

URL: CVE-2023-6378

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://logback.qos.ch/news.html#1.3.12

Release Date: 2023-11-29

Fix Resolution: ch.qos.logback:logback-classic:1.3.12,1.4.12

Step up your Open Source Security Game with Mend here

CVE-2024-30172

Vulnerable Library - bcprov-jdk15on-1.70.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 and up.

Library home page: https://www.bouncycastle.org/java.html

Path to dependency file: /pipelines/test/code/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.70/bcprov-jdk15on-1.70.jar

Dependency Hierarchy:

• prophecy-libs_2.12-3.3.0-7.0.12-fixdeps-SNAPSHOT.jar (Root Library)
  • sshj-0.35.0.jar
    • ❌ bcprov-jdk15on-1.70.jar (Vulnerable Library)

Found in HEAD commit: e0cdb027636b0d1d81e365025abf50e4565502d0

Found in base branch: main

Vulnerability Details

In BouncyCastle before 1.78, crafted signature and public key can be used to trigger an infinite loop in the Ed25519 verification code.

Publish Date: 2024-03-24

URL: CVE-2024-30172

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-m44j-cfrm-g8qc

Release Date: 2024-03-24

Fix Resolution: org.bouncycastle:bcprov-jdk18on:1.78,org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk14:1.78, BouncyCastle.Cryptography - 2.3.1

Step up your Open Source Security Game with Mend here

CVE-2023-48795

Vulnerable Library - sshj-0.35.0.jar

SSHv2 library for Java

Library home page: https://github.com/hierynomus/sshj

Path to dependency file: /pipelines/test/code/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/hierynomus/sshj/0.35.0/sshj-0.35.0.jar

Dependency Hierarchy:

• prophecy-libs_2.12-3.3.0-7.0.12-fixdeps-SNAPSHOT.jar (Root Library)
  • ❌ sshj-0.35.0.jar (Vulnerable Library)

Found in HEAD commit: e0cdb027636b0d1d81e365025abf50e4565502d0

Found in base branch: main

Vulnerability Details

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in [email protected] and (if CBC is used) the [email protected] MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

Publish Date: 2023-12-18

URL: CVE-2023-48795

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2023-48795

Release Date: 2023-12-18

Fix Resolution: putty - 0.80, openssh - V_9_6_P1, golang/crypto - v0.17.0, asyncssh - 2.14.2, libssh-0.9.8, libssh-0.10.6, teraterm - v5.1, paramiko - 3.4.0, russh - 0.40.2, com.github.mwiede:jsch:0.2.15, proftpd - v1.3.8b, thrussh - 0.35.1, teraterm - v5.1, org.connectbot:sshlib:2.2.22, mscdex/ssh2 - 1.15.0, jtesta/ssh-audit - v3.1.0, Oryx-Embedded/CycloneSSH - v2.3.4, opnsense/src - 23.7, winscp - 6.2.2, PowerShell/openssh-portable - v9.5.0.0

Step up your Open Source Security Game with Mend here

CVE-2024-26308

Vulnerable Library - commons-compress-1.21.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: /pipelines/test/code/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.21/commons-compress-1.21.jar

Dependency Hierarchy:

• prophecy-libs_2.12-3.3.0-7.0.12-fixdeps-SNAPSHOT.jar (Root Library)
  • spark-excel_2.12-3.2.2_0.18.0.jar
    • ❌ commons-compress-1.21.jar (Vulnerable Library)

Found in HEAD commit: e0cdb027636b0d1d81e365025abf50e4565502d0

Found in base branch: main

Vulnerability Details

Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26.

Users are recommended to upgrade to version 1.26, which fixes the issue.

Publish Date: 2024-02-19

URL: CVE-2024-26308

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-26308

Release Date: 2024-02-19

Fix Resolution: org.apache.commons:commons-compress:1.26.0

Step up your Open Source Security Game with Mend here

CVE-2024-25710

Vulnerable Library - commons-compress-1.21.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: /pipelines/test/code/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.21/commons-compress-1.21.jar

Dependency Hierarchy:

• prophecy-libs_2.12-3.3.0-7.0.12-fixdeps-SNAPSHOT.jar (Root Library)
  • spark-excel_2.12-3.2.2_0.18.0.jar
    • ❌ commons-compress-1.21.jar (Vulnerable Library)

Found in HEAD commit: e0cdb027636b0d1d81e365025abf50e4565502d0

Found in base branch: main

Vulnerability Details

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

Publish Date: 2024-02-19

URL: CVE-2024-25710

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-25710

Release Date: 2024-02-19

Fix Resolution: org.apache.commons:commons-compress:1.26.0

Step up your Open Source Security Game with Mend here

CVE-2023-33251

Vulnerable Library - akka-http_2.12-10.2.7.jar

Akka Http: Modern, fast, asynchronous, streaming-first HTTP server and client.

Library home page: https://akka.io

Path to dependency file: /pipelines/test/code/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/typesafe/akka/akka-http_2.12/10.2.7/akka-http_2.12-10.2.7.jar

Dependency Hierarchy:

• prophecy-libs_2.12-3.3.0-7.0.12-fixdeps-SNAPSHOT.jar (Root Library)
  • ❌ akka-http_2.12-10.2.7.jar (Vulnerable Library)

Found in HEAD commit: e0cdb027636b0d1d81e365025abf50e4565502d0

Found in base branch: main

Vulnerability Details

When Akka HTTP before 10.5.2 accepts file uploads via the FileUploadDirectives.fileUploadAll directive, the temporary file it creates has too weak permissions: it is readable by other users on Linux or UNIX, a similar issue to CVE-2022-41946.

Publish Date: 2023-05-21

URL: CVE-2023-33251

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://akka.io/security/akka-http-cve-2023-05-15.html

Release Date: 2023-05-21

Fix Resolution: com.typesafe.akka:akka-http:10.5.2

Step up your Open Source Security Game with Mend here

CVE-2023-33201

Vulnerable Library - bcprov-jdk15on-1.70.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 and up.

Library home page: https://www.bouncycastle.org/java.html

Path to dependency file: /pipelines/test/code/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.70/bcprov-jdk15on-1.70.jar

Dependency Hierarchy:

• prophecy-libs_2.12-3.3.0-7.0.12-fixdeps-SNAPSHOT.jar (Root Library)
  • sshj-0.35.0.jar
    • ❌ bcprov-jdk15on-1.70.jar (Vulnerable Library)

Found in HEAD commit: e0cdb027636b0d1d81e365025abf50e4565502d0

Found in base branch: main

Vulnerability Details

Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.

Publish Date: 2023-07-05

URL: CVE-2023-33201

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2023-07-05

Fix Resolution: org.bouncycastle:bcprov-ext-jdk18on:1.74, org.bouncycastle:bcprov-jdk18on:1.74, org.bouncycastle:bcprov-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-jdk15to18:1.74, org.bouncycastle:bcprov-jdk15to18:1.74, org.bouncycastle:bcprov-debug-jdk14:1.74, org.bouncycastle:bcprov-debug-jdk15to18:1.74, org.bouncycastle:bcprov-ext-debug-jdk14:1.74, org.bouncycastle:bcprov-ext-debug-jdk15to18:1.74, org.bouncycastle:bcprov-jdk14:1.74

Step up your Open Source Security Game with Mend here