Vulnerable Library - org.eclipse.jgit-4.0.1.201506240215-r.jar
Path to dependency file: /builder/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.jcraft/jsch/0.1.51/6ceee2696b07cc320d0e1aaea82c7b40768aca0f/jsch-0.1.51.jar
Found in HEAD commit: f9ab46dc02eb9f288341bd45c13b4a231f876515
Vulnerabilities
| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-13956 | Medium | 5.3 | httpclient-4.1.3.jar | Transitive | 5.1.0.201809111528-r | ✅ |
| CVE-2014-3577 | Medium | 4.8 | httpclient-4.1.3.jar | Transitive | 4.0.2.201509141540-r | ✅ |
| CVE-2016-5725 | Low | 3.7 | jsch-0.1.51.jar | Transitive | 4.7.0.201704051617-r | ✅ |
| CVE-2012-6153 | Low | 3.7 | httpclient-4.1.3.jar | Transitive | 4.0.2.201509141540-r | ✅ |
Details
CVE-2020-13956
Vulnerable Library - httpclient-4.1.3.jar
HttpComponents Client (base module)
Path to dependency file: /builder/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.1.3/16cf5a6b78951f50713d29bfae3230a611dc01f0/httpclient-4.1.3.jar
Dependency Hierarchy:
- org.eclipse.jgit-4.0.1.201506240215-r.jar (Root Library)
  - ❌ httpclient-4.1.3.jar (Vulnerable Library)
Found in HEAD commit: f9ab46dc02eb9f288341bd45c13b4a231f876515
Found in base branch: main
Vulnerability Details
Apache HttpClient versions prior to 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.
Publish Date: 2020-12-02
URL: CVE-2020-13956
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-13956
Release Date: 2020-12-02
Fix Resolution (org.apache.httpcomponents:httpclient): 4.5.13
Direct dependency fix Resolution (org.eclipse.jgit:org.eclipse.jgit): 5.1.0.201809111528-r
⛑️ Automatic Remediation is available for this issue
CVE-2014-3577
Vulnerable Library - httpclient-4.1.3.jar
HttpComponents Client (base module)
Path to dependency file: /builder/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.1.3/16cf5a6b78951f50713d29bfae3230a611dc01f0/httpclient-4.1.3.jar
Dependency Hierarchy:
- org.eclipse.jgit-4.0.1.201506240215-r.jar (Root Library)
  - ❌ httpclient-4.1.3.jar (Vulnerable Library)
Found in HEAD commit: f9ab46dc02eb9f288341bd45c13b4a231f876515
Found in base branch: main
Vulnerability Details
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
Publish Date: 2014-08-21
URL: CVE-2014-3577
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2014-08-21
Fix Resolution (org.apache.httpcomponents:httpclient): 4.3.5
Direct dependency fix Resolution (org.eclipse.jgit:org.eclipse.jgit): 4.0.2.201509141540-r
⛑️ Automatic Remediation is available for this issue
CVE-2016-5725
Vulnerable Library - jsch-0.1.51.jar
JSch is a pure Java implementation of SSH2
Library home page: http://www.jcraft.com/jsch/
Path to dependency file: /builder/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.jcraft/jsch/0.1.51/6ceee2696b07cc320d0e1aaea82c7b40768aca0f/jsch-0.1.51.jar
Dependency Hierarchy:
- org.eclipse.jgit-4.0.1.201506240215-r.jar (Root Library)
  - ❌ jsch-0.1.51.jar (Vulnerable Library)
Found in HEAD commit: f9ab46dc02eb9f288341bd45c13b4a231f876515
Found in base branch: main
Vulnerability Details
Directory traversal vulnerability in JCraft JSch before 0.1.54 on Windows, when the mode is ChannelSftp.OVERWRITE, allows remote SFTP servers to write to arbitrary files via a ..\ (dot dot backslash) in a response to a recursive GET command.
Publish Date: 2017-01-19
URL: CVE-2016-5725
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5725
Release Date: 2017-01-19
Fix Resolution (com.jcraft:jsch): 0.1.54
Direct dependency fix Resolution (org.eclipse.jgit:org.eclipse.jgit): 4.7.0.201704051617-r
⛑️ Automatic Remediation is available for this issue
CVE-2012-6153
Vulnerable Library - httpclient-4.1.3.jar
HttpComponents Client (base module)
Path to dependency file: /builder/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.1.3/16cf5a6b78951f50713d29bfae3230a611dc01f0/httpclient-4.1.3.jar
Dependency Hierarchy:
- org.eclipse.jgit-4.0.1.201506240215-r.jar (Root Library)
  - ❌ httpclient-4.1.3.jar (Vulnerable Library)
Found in HEAD commit: f9ab46dc02eb9f288341bd45c13b4a231f876515
Found in base branch: main
Vulnerability Details
http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.
Publish Date: 2014-09-04
URL: CVE-2012-6153
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6153
Release Date: 2014-09-04
Fix Resolution (org.apache.httpcomponents:httpclient): 4.2.3
Direct dependency fix Resolution (org.eclipse.jgit:org.eclipse.jgit): 4.0.2.201509141540-r
⛑️ Automatic Remediation is available for this issue