halil-lnr / googlesearch_demo__java Goto Github PK

Vulnerable Library - webdrivermanager-4.2.2.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

WS-2021-0419

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar

Dependency Hierarchy:

• webdrivermanager-4.2.2.jar (Root Library)
  • ❌ gson-2.8.6.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-10-11

Fix Resolution (com.google.code.gson:gson): 2.8.9

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.1.0

Step up your Open Source Security Game with Mend here

CVE-2021-36090

Vulnerable Library - commons-compress-1.20.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.20/commons-compress-1.20.jar

Dependency Hierarchy:

• webdrivermanager-4.2.2.jar (Root Library)
  • jarchivelib-1.1.0.jar
    • ❌ commons-compress-1.20.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2021-07-13

URL: CVE-2021-36090

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution (org.apache.commons:commons-compress): 1.21

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.0.3

Step up your Open Source Security Game with Mend here

CVE-2021-37714

Vulnerable Library - jsoup-1.13.1.jar

jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do.

Library home page: https://jsoup.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jsoup/jsoup/1.13.1/jsoup-1.13.1.jar

Dependency Hierarchy:

• webdrivermanager-4.2.2.jar (Root Library)
  • ❌ jsoup-1.13.1.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

Publish Date: 2021-08-18

URL: CVE-2021-37714

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://jsoup.org/news/release-1.14.2

Release Date: 2021-08-18

Fix Resolution (org.jsoup:jsoup): 1.14.2

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-25647

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar

Dependency Hierarchy:

• webdrivermanager-4.2.2.jar (Root Library)
  • ❌ gson-2.8.6.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Publish Date: 2022-05-01

URL: CVE-2022-25647

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`

Release Date: 2022-05-01

Fix Resolution (com.google.code.gson:gson): 2.8.9

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.1.0

Step up your Open Source Security Game with Mend here

CVE-2021-35517

Vulnerable Library - commons-compress-1.20.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.20/commons-compress-1.20.jar

Dependency Hierarchy:

• webdrivermanager-4.2.2.jar (Root Library)
  • jarchivelib-1.1.0.jar
    • ❌ commons-compress-1.20.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Publish Date: 2021-07-13

URL: CVE-2021-35517

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution (org.apache.commons:commons-compress): 1.21

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.0.3

Step up your Open Source Security Game with Mend here

CVE-2021-35516

Vulnerable Library - commons-compress-1.20.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.20/commons-compress-1.20.jar

Dependency Hierarchy:

• webdrivermanager-4.2.2.jar (Root Library)
  • jarchivelib-1.1.0.jar
    • ❌ commons-compress-1.20.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35516

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution (org.apache.commons:commons-compress): 1.21

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.0.3

Step up your Open Source Security Game with Mend here

CVE-2021-35515

Vulnerable Library - commons-compress-1.20.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.20/commons-compress-1.20.jar

Dependency Hierarchy:

• webdrivermanager-4.2.2.jar (Root Library)
  • jarchivelib-1.1.0.jar
    • ❌ commons-compress-1.20.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35515

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution (org.apache.commons:commons-compress): 1.21

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.0.3

Step up your Open Source Security Game with Mend here

CVE-2022-36033

Vulnerable Library - jsoup-1.13.1.jar

jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do.

Library home page: https://jsoup.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jsoup/jsoup/1.13.1/jsoup-1.13.1.jar

Dependency Hierarchy:

• webdrivermanager-4.2.2.jar (Root Library)
  • ❌ jsoup-1.13.1.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default SafeList.preserveRelativeLinks option is enabled, HTML including javascript: URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable SafeList.preserveRelativeLinks, which will rewrite input URLs as absolute URLs - ensure an appropriate Content Security Policy is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)

Publish Date: 2022-08-29

URL: CVE-2022-36033

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gp7f-rwcx-9369

Release Date: 2022-08-29

Fix Resolution (org.jsoup:jsoup): 1.15.3

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.1.0

Step up your Open Source Security Game with Mend here

CVE-2020-13956

Vulnerable Library - httpclient5-5.0.1.jar

Apache HttpComponents Client

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/httpcomponents/client5/httpclient5/5.0.1/httpclient5-5.0.1.jar

Dependency Hierarchy:

• webdrivermanager-4.2.2.jar (Root Library)
  • ❌ httpclient5-5.0.1.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Publish Date: 2020-12-02

URL: CVE-2020-13956

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-13956

Release Date: 2020-12-02

Fix Resolution (org.apache.httpcomponents.client5:httpclient5): 5.0.3

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 4.3.0

Step up your Open Source Security Game with Mend here

Vulnerable Library - jacoco-maven-plugin-0.8.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

CVE-2022-4244

Vulnerable Library - plexus-utils-3.0.22.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar

Dependency Hierarchy:

• jacoco-maven-plugin-0.8.7.jar (Root Library)
  • ❌ plexus-utils-3.0.22.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.

Publish Date: 2023-09-25

URL: CVE-2022-4244

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2023-09-25

Fix Resolution (org.codehaus.plexus:plexus-utils): 3.0.24

Direct dependency fix Resolution (org.jacoco:jacoco-maven-plugin): 0.8.9

Step up your Open Source Security Game with Mend here

WS-2016-7057

Vulnerable Library - plexus-utils-3.0.22.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar

Dependency Hierarchy:

• jacoco-maven-plugin-0.8.7.jar (Root Library)
  • ❌ plexus-utils-3.0.22.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

Plexus-utils before 3.0.24 are vulnerable to Directory Traversal

Publish Date: 2016-05-07

URL: WS-2016-7057

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2016-05-07

Fix Resolution (org.codehaus.plexus:plexus-utils): 3.0.24

Direct dependency fix Resolution (org.jacoco:jacoco-maven-plugin): 0.8.9

Step up your Open Source Security Game with Mend here

WS-2016-7062

Vulnerable Library - plexus-utils-3.0.22.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar

Dependency Hierarchy:

• jacoco-maven-plugin-0.8.7.jar (Root Library)
  • ❌ plexus-utils-3.0.22.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

Security vulnerability found in plexus-utils before 3.0.24. XML injection found in XmlWriterUtil.java.

Publish Date: 2016-05-07

URL: WS-2016-7062

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2016-05-07

Fix Resolution (org.codehaus.plexus:plexus-utils): 3.0.24

Direct dependency fix Resolution (org.jacoco:jacoco-maven-plugin): 0.8.9

Step up your Open Source Security Game with Mend here

CVE-2022-4245

Vulnerable Library - plexus-utils-3.0.22.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar

Dependency Hierarchy:

• jacoco-maven-plugin-0.8.7.jar (Root Library)
  • ❌ plexus-utils-3.0.22.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.

Publish Date: 2023-09-25

URL: CVE-2022-4245

CVSS 3 Score Details (4.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.suse.com/show_bug.cgi?id=1205930

Release Date: 2023-09-25

Fix Resolution (org.codehaus.plexus:plexus-utils): 3.0.24

Direct dependency fix Resolution (org.jacoco:jacoco-maven-plugin): 0.8.9

Step up your Open Source Security Game with Mend here

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /pom.xml

Path to vulnerable library: /g4j/log4j/1.2.17/log4j-1.2.17.jar

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

CVE-2022-23305

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /pom.xml

Path to vulnerable library: /g4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23305

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2

Step up your Open Source Security Game with Mend here

CVE-2019-17571

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /pom.xml

Path to vulnerable library: /g4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Publish Date: 2019-12-20

URL: CVE-2019-17571

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E

Release Date: 2019-12-20

Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16

Step up your Open Source Security Game with Mend here

CVE-2020-9493

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /pom.xml

Path to vulnerable library: /g4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

Publish Date: 2021-06-16

URL: CVE-2020-9493

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1

Release Date: 2021-06-16

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

Step up your Open Source Security Game with Mend here

CVE-2022-23307

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /pom.xml

Path to vulnerable library: /g4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Publish Date: 2022-01-18

URL: CVE-2022-23307

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

Step up your Open Source Security Game with Mend here

CVE-2022-23302

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /pom.xml

Path to vulnerable library: /g4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23302

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

Step up your Open Source Security Game with Mend here

CVE-2021-4104

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /pom.xml

Path to vulnerable library: /g4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2021-12-14

URL: CVE-2021-4104

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Release Date: 2021-12-14

Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module

Step up your Open Source Security Game with Mend here

CVE-2023-26464

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /pom.xml

Path to vulnerable library: /g4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED **

When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested)
hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.

This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-10

URL: CVE-2023-26464

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-vp98-w2p3-mv35

Release Date: 2023-03-10

Fix Resolution: org.apache.logging.log4j:log4j-core:2.0

Step up your Open Source Security Game with Mend here

CVE-2020-9488

Vulnerable Library - log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /pom.xml

Path to vulnerable library: /g4j/log4j/1.2.17/log4j-1.2.17.jar

Dependency Hierarchy:

• ❌ log4j-1.2.17.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

Publish Date: 2020-04-27

URL: CVE-2020-9488

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2020-04-27

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3

Step up your Open Source Security Game with Mend here

Vulnerable Library - selenium-java-4.0.0-beta-1.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.58.Final/netty-codec-4.1.58.Final.jar

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

CVE-2021-37136

Vulnerable Library - netty-codec-4.1.58.Final.jar

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.58.Final/netty-codec-4.1.58.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-beta-1.jar (Root Library)
  • selenium-remote-driver-4.0.0-beta-1.jar
    • netty-codec-http-4.1.58.Final.jar
      • ❌ netty-codec-4.1.58.Final.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack

Publish Date: 2021-10-19

URL: CVE-2021-37136

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-grg4-wf29-r9vv

Release Date: 2021-10-19

Fix Resolution (io.netty:netty-codec): 4.1.68.Final

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0

Step up your Open Source Security Game with Mend here

CVE-2021-37137

Vulnerable Library - netty-codec-4.1.58.Final.jar

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.58.Final/netty-codec-4.1.58.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-beta-1.jar (Root Library)
  • selenium-remote-driver-4.0.0-beta-1.jar
    • netty-codec-http-4.1.58.Final.jar
      • ❌ netty-codec-4.1.58.Final.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.

Publish Date: 2021-10-19

URL: CVE-2021-37137

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-9vjp-v76f-g363

Release Date: 2021-10-19

Fix Resolution (io.netty:netty-codec): 4.1.68.Final

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0

Step up your Open Source Security Game with Mend here

WS-2020-0408

Vulnerable Library - netty-handler-4.1.58.Final.jar

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.58.Final/netty-handler-4.1.58.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-beta-1.jar (Root Library)
  • selenium-remote-driver-4.0.0-beta-1.jar
    • netty-codec-http-4.1.58.Final.jar
      • ❌ netty-handler-4.1.58.Final.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

An issue was found in all versions of io.netty:netty-all. Host verification in Netty is disabled by default. This can lead to MITM attack in which an attacker can forge valid SSL/TLS certificates for a different hostname in order to intercept traffic that doesn’t intend for him. This is an issue because the certificate is not matched with the host.

Publish Date: 2020-06-22

URL: WS-2020-0408

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2020-0408

Release Date: 2020-06-22

Fix Resolution (io.netty:netty-handler): 4.1.69.Final

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0

Step up your Open Source Security Game with Mend here

CVE-2023-2976

Vulnerable Library - guava-30.1-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.

Library home page: https://github.com/google/guava

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/guava/guava/30.1-jre/guava-30.1-jre.jar

Dependency Hierarchy:

• selenium-java-4.0.0-beta-1.jar (Root Library)
  • selenium-chrome-driver-4.0.0-beta-1.jar
    • ❌ guava-30.1-jre.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Mend Note: Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Publish Date: 2023-06-14

URL: CVE-2023-2976

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-7g45-4rm6-3mm3

Release Date: 2023-06-14

Fix Resolution (com.google.guava:guava): 32.0.1-android

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.12.0

Step up your Open Source Security Game with Mend here

CVE-2023-34462

Vulnerable Library - netty-handler-4.1.58.Final.jar

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.58.Final/netty-handler-4.1.58.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-beta-1.jar (Root Library)
  • selenium-remote-driver-4.0.0-beta-1.jar
    • netty-codec-http-4.1.58.Final.jar
      • ❌ netty-handler-4.1.58.Final.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler to allocate 16MB of heap. The SniHandler class is a handler that waits for the TLS handshake to configure a SslHandler according to the indicated server name by the ClientHello record. For this matter it allocates a ByteBuf using the value defined in the ClientHello record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the SslClientHelloHandler. This vulnerability has been fixed in version 4.1.94.Final.

Publish Date: 2023-06-22

URL: CVE-2023-34462

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-6mjq-h674-j845

Release Date: 2023-06-22

Fix Resolution (io.netty:netty-handler): 4.1.94.Final

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0

Step up your Open Source Security Game with Mend here

CVE-2021-43797

Vulnerable Library - netty-codec-http-4.1.58.Final.jar

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.58.Final/netty-codec-http-4.1.58.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-beta-1.jar (Root Library)
  • selenium-remote-driver-4.0.0-beta-1.jar
    • ❌ netty-codec-http-4.1.58.Final.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
Mend Note: After conducting further research, Mend has determined that all versions of netty up to version 4.1.71.Final are vulnerable to CVE-2021-43797.

Publish Date: 2021-12-09

URL: CVE-2021-43797

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: CVE-2021-43797

Release Date: 2021-12-09

Fix Resolution (io.netty:netty-codec-http): 4.1.71.Final

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0

Step up your Open Source Security Game with Mend here

CVE-2021-21295

Vulnerable Library - netty-codec-http-4.1.58.Final.jar

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.58.Final/netty-codec-http-4.1.58.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-beta-1.jar (Root Library)
  • selenium-remote-driver-4.0.0-beta-1.jar
    • ❌ netty-codec-http-4.1.58.Final.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (HttpRequest, HttpContent, etc.) via Http2StreamFrameToHttpObjectCodec and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: HTTP2MultiplexCodec or Http2FrameCodec is used, Http2StreamFrameToHttpObjectCodec is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom ChannelInboundHandler that is put in the ChannelPipeline behind Http2StreamFrameToHttpObjectCodec.

Publish Date: 2021-03-09

URL: CVE-2021-21295

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-wm47-8v5p-wjpj

Release Date: 2021-03-09

Fix Resolution (io.netty:netty-codec-http): 4.1.60.Final

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.0.0

Step up your Open Source Security Game with Mend here

CVE-2022-24823

Vulnerable Library - netty-common-4.1.58.Final.jar

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-common/4.1.58.Final/netty-common-4.1.58.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-beta-1.jar (Root Library)
  • selenium-remote-driver-4.0.0-beta-1.jar
    • ❌ netty-common-4.1.58.Final.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-http prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own java.io.tmpdir when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.

Publish Date: 2022-05-06

URL: CVE-2022-24823

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24823

Release Date: 2022-05-06

Fix Resolution: io.netty:netty-all;io.netty:netty-common - 4.1.77.Final

Step up your Open Source Security Game with Mend here

CVE-2021-21290

Vulnerable Libraries - netty-handler-4.1.58.Final.jar, netty-codec-http-4.1.58.Final.jar

netty-handler-4.1.58.Final.jar

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.58.Final/netty-handler-4.1.58.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-beta-1.jar (Root Library)
  • selenium-remote-driver-4.0.0-beta-1.jar
    • netty-codec-http-4.1.58.Final.jar
      • ❌ netty-handler-4.1.58.Final.jar (Vulnerable Library)

netty-codec-http-4.1.58.Final.jar

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.58.Final/netty-codec-http-4.1.58.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-beta-1.jar (Root Library)
  • selenium-remote-driver-4.0.0-beta-1.jar
    • ❌ netty-codec-http-4.1.58.Final.jar (Vulnerable Library)

Found in HEAD commit: b2982b351b53ccd6c39470b8a0164090a3c0b640

Found in base branch: master

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.

Publish Date: 2021-02-08

URL: CVE-2021-21290

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-5mcr-gq6c-3hq2

Release Date: 2021-02-08

Fix Resolution (io.netty:netty-handler): 4.1.59.Final

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0

Fix Resolution (io.netty:netty-codec-http): 4.1.59.Final

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.0.0

Step up your Open Source Security Game with Mend here