Giter Site home page Giter Site logo

contrast-agent's People

Contributors

firefive4u avatar mend-bolt-for-github[bot] avatar

Watchers

avatar

contrast-agent's Issues

commons-net-1.4.1.jar: 1 vulnerabilities (highest severity is: 6.5)

Vulnerable Library - commons-net-1.4.1.jar

Path to vulnerable library: /commons-net-1.4.1.jar

Found in HEAD commit: f4af44974d9ee719d6895a867a2b0abfd3b8432d

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (commons-net version) Remediation Possible**
CVE-2021-37533 Medium 6.5 commons-net-1.4.1.jar Direct 3.9.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-37533

Vulnerable Library - commons-net-1.4.1.jar

Path to vulnerable library: /commons-net-1.4.1.jar

Dependency Hierarchy:

  • commons-net-1.4.1.jar (Vulnerable Library)

Found in HEAD commit: f4af44974d9ee719d6895a867a2b0abfd3b8432d

Found in base branch: main

Vulnerability Details

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

Publish Date: 2022-12-03

URL: CVE-2021-37533

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2021-37533

Release Date: 2022-12-03

Fix Resolution: 3.9.0

Step up your Open Source Security Game with Mend here

itext-1.3.jar: 1 vulnerabilities (highest severity is: 8.8)

Vulnerable Library - itext-1.3.jar

Path to vulnerable library: /itext-1.3.jar

Found in HEAD commit: f4af44974d9ee719d6895a867a2b0abfd3b8432d

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (itext version) Remediation Possible**
CVE-2017-9096 High 8.8 itext-1.3.jar Direct com.itextpdf:itextpdf:5.5.12

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2017-9096

Vulnerable Library - itext-1.3.jar

Path to vulnerable library: /itext-1.3.jar

Dependency Hierarchy:

  • itext-1.3.jar (Vulnerable Library)

Found in HEAD commit: f4af44974d9ee719d6895a867a2b0abfd3b8432d

Found in base branch: main

Vulnerability Details

The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.

Publish Date: 2017-11-08

URL: CVE-2017-9096

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9096

Release Date: 2017-11-08

Fix Resolution: com.itextpdf:itextpdf:5.5.12

Step up your Open Source Security Game with Mend here

jsoup-1.9.2.jar: 2 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - jsoup-1.9.2.jar

jsoup HTML parser

Path to vulnerable library: /jsoup-1.9.2.jar

Found in HEAD commit: f4af44974d9ee719d6895a867a2b0abfd3b8432d

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (jsoup version) Remediation Possible**
CVE-2021-37714 High 7.5 jsoup-1.9.2.jar Direct 1.14.2
CVE-2022-36033 Medium 6.1 jsoup-1.9.2.jar Direct 1.15.3

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-37714

Vulnerable Library - jsoup-1.9.2.jar

jsoup HTML parser

Path to vulnerable library: /jsoup-1.9.2.jar

Dependency Hierarchy:

  • jsoup-1.9.2.jar (Vulnerable Library)

Found in HEAD commit: f4af44974d9ee719d6895a867a2b0abfd3b8432d

Found in base branch: main

Vulnerability Details

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

Publish Date: 2021-08-18

URL: CVE-2021-37714

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://jsoup.org/news/release-1.14.2

Release Date: 2021-08-18

Fix Resolution: 1.14.2

Step up your Open Source Security Game with Mend here

CVE-2022-36033

Vulnerable Library - jsoup-1.9.2.jar

jsoup HTML parser

Path to vulnerable library: /jsoup-1.9.2.jar

Dependency Hierarchy:

  • jsoup-1.9.2.jar (Vulnerable Library)

Found in HEAD commit: f4af44974d9ee719d6895a867a2b0abfd3b8432d

Found in base branch: main

Vulnerability Details

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default SafeList.preserveRelativeLinks option is enabled, HTML including javascript: URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable SafeList.preserveRelativeLinks, which will rewrite input URLs as absolute URLs - ensure an appropriate Content Security Policy is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)

Publish Date: 2022-08-29

URL: CVE-2022-36033

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gp7f-rwcx-9369

Release Date: 2022-08-29

Fix Resolution: 1.15.3

Step up your Open Source Security Game with Mend here

commons-httpclient-3.1.jar: 1 vulnerabilities (highest severity is: 4.8)

Vulnerable Library - commons-httpclient-3.1.jar

The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

Path to vulnerable library: /commons-httpclient-3.1.jar

Found in HEAD commit: f4af44974d9ee719d6895a867a2b0abfd3b8432d

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (commons-httpclient version) Remediation Possible**
CVE-2012-5783 Medium 4.8 commons-httpclient-3.1.jar Direct 20020423

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2012-5783

Vulnerable Library - commons-httpclient-3.1.jar

The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

Path to vulnerable library: /commons-httpclient-3.1.jar

Dependency Hierarchy:

  • commons-httpclient-3.1.jar (Vulnerable Library)

Found in HEAD commit: f4af44974d9ee719d6895a867a2b0abfd3b8432d

Found in base branch: main

Vulnerability Details

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Publish Date: 2012-11-04

URL: CVE-2012-5783

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-5783

Release Date: 2012-11-04

Fix Resolution: 20020423

Step up your Open Source Security Game with Mend here

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.