kedacore / test-tools

Repository provides all tooling for running our tests

Home Page: https://keda.sh

License: Apache License 2.0

Languages: Makefile 1.93%, Dockerfile 15.79%, JavaScript 22.83%, Shell 6.19%, Go 44.93%, Java 4.75%, Gherkin 0.54%, C# 3.05%
Topics: autoscaling, kubernetes, testing

test-tools's People

Contributors: adborroto, ahmelsayed, ayoyu, balchua, christle, dependabot[bot], eldarrin, jerbob92, jkbmdk, jorturfer, mend-bolt-for-github[bot], nucsimple, pauldotyu, prashanth-volvocars, spiritzhou, tbickford, tomkerkhove, troydn, v-shenoy, wolfe1, zroubalik


test-tools's Issues

CVE-2022-22965 (High) detected in spring-beans-5.2.6.RELEASE.jar

CVE-2022-22965 - High Severity Vulnerability

Vulnerable Library - spring-beans-5.2.6.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /e2e/images/artemis/producer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.2.6.RELEASE/spring-beans-5.2.6.RELEASE.jar

Dependency Hierarchy:

  • spring-jms-5.2.6.RELEASE.jar (Root Library)
    • spring-beans-5.2.6.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-beans): 5.2.20.RELEASE

Direct dependency fix Resolution (org.springframework:spring-jms): 5.2.20.RELEASE



WS-2020-0408 (High) detected in netty-handler-4.1.49.Final.jar

WS-2020-0408 - High Severity Vulnerability

Vulnerable Library - netty-handler-4.1.49.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /e2e/images/artemis/consumer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.49.Final/netty-handler-4.1.49.Final.jar

Dependency Hierarchy:

  • spring-boot-starter-artemis-2.3.0.RELEASE.jar (Root Library)
    • artemis-jms-client-2.12.0.jar
      • artemis-core-client-2.12.0.jar
        • netty-handler-4.1.49.Final.jar (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

An issue was found in all versions of io.netty:netty-all. Host verification in Netty is disabled by default. This can lead to a MITM attack in which an attacker forges a valid SSL/TLS certificate for a different hostname in order to intercept traffic that is not intended for them. This is an issue because the certificate is not matched against the host.

Publish Date: 2020-06-22

URL: WS-2020-0408

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2020-0408

Release Date: 2020-06-22

Fix Resolution: io.netty:netty-all - 4.1.68.Final-redhat-00001,4.0.0.Final,4.1.67.Final-redhat-00002;io.netty:netty-handler - 4.1.68.Final-redhat-00001,4.1.67.Final-redhat-00001



CVE-2022-0235 (Medium) detected in node-fetch-2.6.1.tgz

CVE-2022-0235 - Medium Severity Vulnerability

Vulnerable Library - node-fetch-2.6.1.tgz

A light-weight module that brings window.fetch to node.js

Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz

Path to dependency file: /e2e/images/selenium-grid/package.json

Path to vulnerable library: /e2e/images/selenium-grid/node_modules/node-fetch/package.json

Dependency Hierarchy:

  • cli-7.8.0.tgz (Root Library)
    • webdriverio-7.8.0.tgz
      • puppeteer-core-10.1.0.tgz
        • node-fetch-2.6.1.tgz (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Publish Date: 2022-01-16

URL: CVE-2022-0235

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-r683-j2x4-v87g

Release Date: 2022-01-16

Fix Resolution: node-fetch - 2.6.7,3.1.1



CVE-2022-21698 (High) detected in github.com/docker/distribution-v2.8.1 - autoclosed

CVE-2022-21698 - High Severity Vulnerability

Vulnerable Library - github.com/docker/distribution-v2.8.1

The toolkit to pack, ship, store, and deliver container content

Dependency Hierarchy:

  • github.com/docker/distribution-v2.8.1 (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, the HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of the promhttp.InstrumentHandler* middleware except RequestsInFlight; not filter any specific methods (e.g. GET) before the middleware; pass a metric with the method label name to the middleware; and not have any firewall/LB/proxy that filters away requests with unknown methods. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the method label name from the counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before the promhttp handler that sanitizes the request method given by Go http.Request; and using a reverse proxy or web application firewall configured to only allow a limited set of methods.

Publish Date: 2022-02-15

URL: CVE-2022-21698

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-cg3q-j54f-5p7p

Release Date: 2022-02-15

Fix Resolution: v1.11.1



CVE-2022-38751 (Medium) detected in snakeyaml-1.26.jar

CVE-2022-38751 - Medium Severity Vulnerability

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /e2e/images/artemis/consumer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar

Dependency Hierarchy:

  • spring-boot-starter-2.3.0.RELEASE.jar (Root Library)
    • snakeyaml-1.26.jar (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38751

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31



CVE-2021-43138 (High) detected in async-3.2.0.tgz - autoclosed

CVE-2021-43138 - High Severity Vulnerability

Vulnerable Library - async-3.2.0.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-3.2.0.tgz

Path to dependency file: /e2e/images/selenium-grid/package.json

Path to vulnerable library: /e2e/images/selenium-grid/node_modules/async/package.json

Dependency Hierarchy:

  • cli-7.8.0.tgz (Root Library)
    • webdriverio-7.8.0.tgz
      • archiver-5.3.0.tgz
        • async-3.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 3.2.2

Direct dependency fix Resolution (@wdio/cli): 7.19.5



CVE-2022-22970 (Medium) detected in spring-core-5.2.6.RELEASE.jar, spring-beans-5.2.6.RELEASE.jar

CVE-2022-22970 - Medium Severity Vulnerability

Vulnerable Libraries - spring-core-5.2.6.RELEASE.jar, spring-beans-5.2.6.RELEASE.jar

spring-core-5.2.6.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /e2e/images/artemis/consumer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.2.6.RELEASE/spring-core-5.2.6.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-2.3.0.RELEASE.jar (Root Library)
    • spring-core-5.2.6.RELEASE.jar (Vulnerable Library)

spring-beans-5.2.6.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /e2e/images/artemis/producer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.2.6.RELEASE/spring-beans-5.2.6.RELEASE.jar

Dependency Hierarchy:

  • spring-jms-5.2.6.RELEASE.jar (Root Library)
    • spring-beans-5.2.6.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

In Spring Framework versions prior to 5.3.20+, 5.2.22+ and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Publish Date: 2022-05-12

URL: CVE-2022-22970

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22970

Release Date: 2022-05-12

Fix Resolution (org.springframework:spring-core): 5.2.22.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.4.0

Fix Resolution (org.springframework:spring-beans): 5.2.22.RELEASE

Direct dependency fix Resolution (org.springframework:spring-jms): 5.2.22.RELEASE



CVE-2021-43797 (Medium) detected in netty-codec-http-4.1.49.Final.jar

CVE-2021-43797 - Medium Severity Vulnerability

Vulnerable Library - netty-codec-http-4.1.49.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /e2e/images/artemis/consumer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.49.Final/netty-codec-http-4.1.49.Final.jar

Dependency Hierarchy:

  • spring-boot-starter-artemis-2.3.0.RELEASE.jar (Root Library)
    • artemis-jms-client-2.12.0.jar
      • artemis-core-client-2.12.0.jar
        • netty-codec-http-4.1.49.Final.jar (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause Netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. That remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final to receive a patch.

Publish Date: 2021-12-09

URL: CVE-2021-43797

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: CVE-2021-43797

Release Date: 2021-12-09

Fix Resolution: io.netty:netty-codec-http:4.1.71.Final,io.netty:netty-all:4.1.71.Final



CVE-2022-33987 (Medium) detected in got-11.8.2.tgz - autoclosed

CVE-2022-33987 - Medium Severity Vulnerability

Vulnerable Library - got-11.8.2.tgz

Human-friendly and powerful HTTP request library for Node.js

Library home page: https://registry.npmjs.org/got/-/got-11.8.2.tgz

Path to dependency file: /e2e/images/selenium-grid/package.json

Path to vulnerable library: /e2e/images/selenium-grid/node_modules/got/package.json

Dependency Hierarchy:

  • cli-7.8.0.tgz (Root Library)
    • webdriverio-7.8.0.tgz
      • webdriver-7.8.0.tgz
        • got-11.8.2.tgz (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

The got package before 12.1.0 for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: got - 11.8.5,12.1.0



CVE-2022-27664 (High) detected in github.com/golang/net-c89045814202410a2d67ec20ecf177ec77ceae7f

CVE-2022-27664 - High Severity Vulnerability

Vulnerable Library - github.com/golang/net-c89045814202410a2d67ec20ecf177ec77ceae7f

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • google.golang.org/grpc-v1.45.0 (Root Library)
    • github.com/golang/net-c89045814202410a2d67ec20ecf177ec77ceae7f (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

Publish Date: 2022-09-06

URL: CVE-2022-27664

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


CVE-2021-21295 (Medium) detected in netty-codec-http-4.1.49.Final.jar

CVE-2021-21295 - Medium Severity Vulnerability

Vulnerable Library - netty-codec-http-4.1.49.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /e2e/images/artemis/consumer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.49.Final/netty-codec-http-4.1.49.Final.jar

Dependency Hierarchy:

  • spring-boot-starter-artemis-2.3.0.RELEASE.jar (Root Library)
    • artemis-jms-client-2.12.0.jar
      • artemis-core-client-2.12.0.jar
        • netty-codec-http-4.1.49.Final.jar (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (HttpRequest, HttpContent, etc.) via Http2StreamFrameToHttpObjectCodec and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the Content-Length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: HTTP2MultiplexCodec or Http2FrameCodec is used, Http2StreamFrameToHttpObjectCodec is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation themselves by implementing a custom ChannelInboundHandler that is put in the ChannelPipeline behind Http2StreamFrameToHttpObjectCodec.

Publish Date: 2021-03-09

URL: CVE-2021-21295

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-wm47-8v5p-wjpj

Release Date: 2021-03-09

Fix Resolution: io.netty:netty-all:4.1.60;io.netty:netty-codec-http:4.1.60;io.netty:netty-codec-http2:4.1.60



CVE-2021-41190 (Medium) detected in github.com/docker/distribution-v2.7.1

CVE-2021-41190 - Medium Severity Vulnerability

Vulnerable Library - github.com/docker/distribution-v2.7.1

The toolkit to pack, ship, store, and deliver container content

Dependency Hierarchy:

  • github.com/docker/distribution-v2.7.1 (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields if they are unable to update to version 1.0.1 of the spec.

Publish Date: 2021-11-17

URL: CVE-2021-41190

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-77vh-xpmg-72qh

Release Date: 2021-11-17

Fix Resolution: 1.0.2



CVE-2022-25857 (High) detected in snakeyaml-1.26.jar

CVE-2022-25857 - High Severity Vulnerability

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /e2e/images/artemis/consumer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar

Dependency Hierarchy:

  • spring-boot-starter-2.3.0.RELEASE.jar (Root Library)
    • snakeyaml-1.26.jar (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

The package org.yaml:snakeyaml, versions from 0 and before 1.31, is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.

Publish Date: 2022-08-30

URL: CVE-2022-25857

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857

Release Date: 2022-08-30

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.6.9



CVE-2019-11254 (Medium) detected in github.com/docker/distribution-v2.7.1

CVE-2019-11254 - Medium Severity Vulnerability

Vulnerable Library - github.com/docker/distribution-v2.7.1

The toolkit to pack, ship, store, and deliver container content

Dependency Hierarchy:

  • github.com/docker/distribution-v2.7.1 (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.

Publish Date: 2020-04-01

URL: CVE-2019-11254

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://github.com/go-yaml/yaml/tree/v2.2.8

Release Date: 2020-04-01

Fix Resolution: v2.2.8



CVE-2021-22060 (Medium) detected in spring-core-5.2.6.RELEASE.jar

CVE-2021-22060 - Medium Severity Vulnerability

Vulnerable Library - spring-core-5.2.6.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /e2e/images/artemis/consumer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.2.6.RELEASE/spring-core-5.2.6.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-2.3.0.RELEASE.jar (Root Library)
    • spring-core-5.2.6.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.

Publish Date: 2022-01-10

URL: CVE-2021-22060

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-6gf2-pvqw-37ph

Release Date: 2022-01-10

Fix Resolution: org.springframework:spring-core:5.2.19, 5.3.14



CVE-2021-31525 (Medium) detected in github.com/golang/net-c89045814202410a2d67ec20ecf177ec77ceae7f

CVE-2021-31525 - Medium Severity Vulnerability

Vulnerable Library - github.com/golang/net-c89045814202410a2d67ec20ecf177ec77ceae7f

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • google.golang.org/grpc-v1.45.0 (Root Library)
    • github.com/golang/net-c89045814202410a2d67ec20ecf177ec77ceae7f (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows remote attackers to cause a denial of service (panic) via a large header to ReadRequest or ReadResponse. Server, Transport, and Client can each be affected in some configurations.

Publish Date: 2021-05-27

URL: CVE-2021-31525

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1958341

Release Date: 2021-05-27

Fix Resolution: golang - v1.15.12,v1.16.4,v1.17.0



CVE-2021-42550 (Medium) detected in logback-classic-1.2.3.jar

CVE-2021-42550 - Medium Severity Vulnerability

Vulnerable Library - logback-classic-1.2.3.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /e2e/images/artemis/consumer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar

Dependency Hierarchy:

  • spring-boot-starter-2.3.0.RELEASE.jar (Root Library)
    • spring-boot-starter-logging-2.3.0.RELEASE.jar
      • logback-classic-1.2.3.jar (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.

Publish Date: 2021-12-16

URL: CVE-2021-42550

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: http://logback.qos.ch/news.html

Release Date: 2021-12-16

Fix Resolution: ch.qos.logback:logback-classic:1.2.8



CVE-2022-38752 (Medium) detected in snakeyaml-1.26.jar

CVE-2022-38752 - Medium Severity Vulnerability

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /e2e/images/artemis/consumer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar

Dependency Hierarchy:

  • spring-boot-starter-2.3.0.RELEASE.jar (Root Library)
    • snakeyaml-1.26.jar (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

Using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38752

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-9w3m-gqgf-c4p9

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.32



CVE-2022-22950 (Medium) detected in spring-expression-5.2.6.RELEASE.jar

CVE-2022-22950 - Medium Severity Vulnerability

Vulnerable Library - spring-expression-5.2.6.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /e2e/images/artemis/producer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.6.RELEASE/spring-expression-5.2.6.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.6.RELEASE/spring-expression-5.2.6.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-2.3.0.RELEASE.jar (Root Library)
    • spring-boot-2.3.0.RELEASE.jar
      • spring-context-5.2.6.RELEASE.jar
        • spring-expression-5.2.6.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

Publish Date: 2022-04-01

URL: CVE-2022-22950

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22950

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-expression): 5.2.20.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.4.0



CVE-2021-43565 (High) detected in github.com/golang/crypto-8b5274cf687fd9316b4108863654cc57385531e8

CVE-2021-43565 - High Severity Vulnerability

Vulnerable Library - github.com/golang/crypto-8b5274cf687fd9316b4108863654cc57385531e8

[mirror] Go supplementary cryptography libraries

Dependency Hierarchy:

  • github.com/mongodb/mongo-go-driver-v1.8.2 (Root Library)
    • github.com/youmark/pkcs8-v1.1
      • github.com/golang/crypto-8b5274cf687fd9316b4108863654cc57385531e8 (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

There's an input validation flaw in golang.org/x/crypto's readCipherPacket() function. An unauthenticated attacker who sends an empty plaintext packet to a program linked with golang.org/x/crypto/ssh could cause a panic, potentially leading to denial of service.

Publish Date: 2021-11-10

URL: CVE-2021-43565

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


CVE-2022-22971 (Medium) detected in spring-messaging-5.2.6.RELEASE.jar

CVE-2022-22971 - Medium Severity Vulnerability

Vulnerable Library - spring-messaging-5.2.6.RELEASE.jar

Spring Messaging

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /e2e/images/artemis/producer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-messaging/5.2.6.RELEASE/spring-messaging-5.2.6.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-messaging/5.2.6.RELEASE/spring-messaging-5.2.6.RELEASE.jar

Dependency Hierarchy:

  • spring-jms-5.2.6.RELEASE.jar (Root Library)
    • spring-messaging-5.2.6.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

In Spring Framework versions prior to 5.3.20+, 5.2.22+ and older unsupported versions, an application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.

Publish Date: 2022-05-12

URL: CVE-2022-22971

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22971

Release Date: 2022-05-12

Fix Resolution (org.springframework:spring-messaging): 5.2.22.RELEASE

Direct dependency fix Resolution (org.springframework:spring-jms): 5.2.22.RELEASE



CVE-2022-29078 (High) detected in ejs-3.1.6.tgz - autoclosed

CVE-2022-29078 - High Severity Vulnerability

Vulnerable Library - ejs-3.1.6.tgz

Embedded JavaScript templates

Library home page: https://registry.npmjs.org/ejs/-/ejs-3.1.6.tgz

Path to dependency file: /e2e/images/selenium-grid/package.json

Path to vulnerable library: /e2e/images/selenium-grid/node_modules/ejs/package.json

Dependency Hierarchy:

  • cli-7.8.0.tgz (Root Library)
    • ejs-3.1.6.tgz (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

Publish Date: 2022-04-25

URL: CVE-2022-29078

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078~

Release Date: 2022-04-25

Fix Resolution (ejs): 3.1.7

Direct dependency fix Resolution (@wdio/cli): 7.19.7



CVE-2021-3807 (High) detected in ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz

CVE-2021-3807 - High Severity Vulnerability

Vulnerable Libraries - ansi-regex-3.0.0.tgz, ansi-regex-5.0.0.tgz

ansi-regex-3.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz

Path to dependency file: /e2e/images/selenium-grid/package.json

Path to vulnerable library: /e2e/images/selenium-grid/node_modules/easy-table/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • spec-reporter-7.8.0.tgz (Root Library)
    • easy-table-1.1.1.tgz
      • ansi-regex-3.0.0.tgz (Vulnerable Library)

ansi-regex-5.0.0.tgz

Regular expression for matching ANSI escape codes

Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz

Path to dependency file: /e2e/images/selenium-grid/package.json

Path to vulnerable library: /e2e/images/selenium-grid/node_modules/strip-ansi/node_modules/ansi-regex/package.json

Dependency Hierarchy:

  • cucumber-framework-7.8.0.tgz (Root Library)
    • logger-7.7.0.tgz
      • strip-ansi-6.0.0.tgz
        • ansi-regex-5.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

ansi-regex is vulnerable to Inefficient Regular Expression Complexity.

Publish Date: 2021-09-17

URL: CVE-2021-3807

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/

Release Date: 2021-09-17

Fix Resolution: ansi-regex - 5.0.1,6.0.1



CVE-2022-38750 (Medium) detected in snakeyaml-1.26.jar

CVE-2022-38750 - Medium Severity Vulnerability

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /e2e/images/artemis/consumer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar

Dependency Hierarchy:

  • spring-boot-starter-2.3.0.RELEASE.jar (Root Library)
    • snakeyaml-1.26.jar (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

Using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38750

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.6.9



WS-2021-0200 (High) detected in github.com/docker/distribution-v2.7.1

WS-2021-0200 - High Severity Vulnerability

Vulnerable Library - github.com/docker/distribution-v2.7.1

The toolkit to pack, ship, store, and deliver container content

Dependency Hierarchy:

  • github.com/docker/distribution-v2.7.1 (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

Yaml in versions v2.2.0 to v2.2.2 is vulnerable to a denial of service vector related to decode.go.

Publish Date: 2021-04-14

URL: WS-2021-0200

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2021-0061

Release Date: 2021-04-14

Fix Resolution: v2.2.3



CVE-2021-38561 (High) detected in github.com/golang/text-v0.3.5

CVE-2021-38561 - High Severity Vulnerability

Vulnerable Library - github.com/golang/text-v0.3.5

[mirror] Go text processing support

Dependency Hierarchy:

  • github.com/mongodb/mongo-go-driver-v1.8.2 (Root Library)
    • github.com/xdg-go/stringprep-v1.0.2
      • github.com/golang/text-v0.3.5 (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

Due to improper index calculation, an incorrectly formatted language tag can cause Parse to panic, due to an out-of-bounds read. If Parse is used to process untrusted user inputs, this may be used as a vector for a denial of service attack.

Publish Date: 2021-08-12

URL: CVE-2021-38561

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2021-0113

Release Date: 2021-08-12

Fix Resolution: v0.3.7



CVE-2022-27191 (High) detected in github.com/golang/crypto-86c0c3e7f9624c5d1a4ff79e1605de2d53284af5

CVE-2022-27191 - High Severity Vulnerability

Vulnerable Library - github.com/golang/crypto-86c0c3e7f9624c5d1a4ff79e1605de2d53284af5

[mirror] Go supplementary cryptography libraries

Dependency Hierarchy:

  • go.mongodb.org/mongo-driver-v1.8.2 (Root Library)
    • github.com/golang/crypto-86c0c3e7f9624c5d1a4ff79e1605de2d53284af5 (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.

Publish Date: 2022-03-18

URL: CVE-2022-27191

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-27191

Release Date: 2022-03-18

Fix Resolution: golang-golang-x-crypto-dev - 1:0.0~git20220315.3147a52-1;golang-go.crypto-dev - 1:0.0~git20220315.3147a52-1



CVE-2021-37136 (High) detected in netty-codec-4.1.49.Final.jar

CVE-2021-37136 - High Severity Vulnerability

Vulnerable Library - netty-codec-4.1.49.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /e2e/images/artemis/producer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.49.Final/netty-codec-4.1.49.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.49.Final/netty-codec-4.1.49.Final.jar

Dependency Hierarchy:

  • spring-boot-starter-artemis-2.3.0.RELEASE.jar (Root Library)
    • artemis-jms-client-2.12.0.jar
      • artemis-core-client-2.12.0.jar
        • netty-codec-4.1.49.Final.jar (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack.

Publish Date: 2021-10-19

URL: CVE-2021-37136

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-grg4-wf29-r9vv

Release Date: 2021-10-19

Fix Resolution: io.netty:netty-codec:4.1.68.Final;io.netty:netty-all:4.1.68.Final



CVE-2022-23913 (High) detected in artemis-core-client-2.12.0.jar

CVE-2022-23913 - High Severity Vulnerability

Vulnerable Library - artemis-core-client-2.12.0.jar

Library home page: http://apache.org/

Path to dependency file: /e2e/images/artemis/producer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/activemq/artemis-core-client/2.12.0/artemis-core-client-2.12.0.jar,/home/wss-scanner/.m2/repository/org/apache/activemq/artemis-core-client/2.12.0/artemis-core-client-2.12.0.jar

Dependency Hierarchy:

  • spring-boot-starter-artemis-2.3.0.RELEASE.jar (Root Library)
    • artemis-jms-client-2.12.0.jar
      • artemis-core-client-2.12.0.jar (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory.

Publish Date: 2022-02-04

URL: CVE-2022-23913

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/fjynj57rd99s814rdn5hzvmx8lz403q2

Release Date: 2022-02-04

Fix Resolution (org.apache.activemq:artemis-core-client): 2.16.0

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-artemis): 2.5.0



CVE-2021-21290 (Medium) detected in netty-codec-http-4.1.49.Final.jar, netty-handler-4.1.49.Final.jar

CVE-2021-21290 - Medium Severity Vulnerability

Vulnerable Libraries - netty-codec-http-4.1.49.Final.jar, netty-handler-4.1.49.Final.jar

netty-codec-http-4.1.49.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /e2e/images/artemis/consumer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.49.Final/netty-codec-http-4.1.49.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.49.Final/netty-codec-http-4.1.49.Final.jar

Dependency Hierarchy:

  • spring-boot-starter-artemis-2.3.0.RELEASE.jar (Root Library)
    • artemis-jms-client-2.12.0.jar
      • artemis-core-client-2.12.0.jar
        • netty-codec-http-4.1.49.Final.jar (Vulnerable Library)

netty-handler-4.1.49.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /e2e/images/artemis/consumer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.49.Final/netty-handler-4.1.49.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.49.Final/netty-handler-4.1.49.Final.jar

Dependency Hierarchy:

  • spring-boot-starter-artemis-2.3.0.RELEASE.jar (Root Library)
    • artemis-jms-client-2.12.0.jar
      • artemis-core-client-2.12.0.jar
        • netty-handler-4.1.49.Final.jar (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on Unix-like systems creates a random file, but, by default, will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.

Publish Date: 2021-02-08

URL: CVE-2021-21290

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-5mcr-gq6c-3hq2

Release Date: 2021-02-08

Fix Resolution: io.netty:netty-codec-http:4.1.59.Final



CVE-2016-9121 (High) detected in github.com/docker/distribution-v2.7.1

CVE-2016-9121 - High Severity Vulnerability

Vulnerable Library - github.com/docker/distribution-v2.7.1

The toolkit to pack, ship, store, and deliver container content

Dependency Hierarchy:

  • github.com/docker/distribution-v2.7.1 (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

go-jose before 1.0.4 suffers from an invalid curve attack for the ECDH-ES algorithm. When deriving a shared key using ECDH-ES for an encrypted message, go-jose neglected to check that the received public key on a message is on the same curve as the static private key of the receiver, thus making it vulnerable to an invalid curve attack.

Publish Date: 2017-03-28

URL: CVE-2016-9121

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-9121

Release Date: 2017-03-28

Fix Resolution: 1.0.4



CVE-2022-24823 (Medium) detected in netty-common-4.1.49.Final.jar

CVE-2022-24823 - Medium Severity Vulnerability

Vulnerable Library - netty-common-4.1.49.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /e2e/images/artemis/producer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-common/4.1.49.Final/netty-common-4.1.49.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty-common/4.1.49.Final/netty-common-4.1.49.Final.jar

Dependency Hierarchy:

  • spring-boot-starter-artemis-2.3.0.RELEASE.jar (Root Library)
    • artemis-jms-client-2.12.0.jar
      • artemis-core-client-2.12.0.jar
        • netty-common-4.1.49.Final.jar (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-http prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own java.io.tmpdir when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.

Publish Date: 2022-05-06

URL: CVE-2022-24823

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24823

Release Date: 2022-05-06

Fix Resolution: io.netty:netty-all;io.netty:netty-common - 4.1.77.Final



CVE-2016-9123 (High) detected in github.com/docker/distribution-v2.7.1

CVE-2016-9123 - High Severity Vulnerability

Vulnerable Library - github.com/docker/distribution-v2.7.1

The toolkit to pack, ship, store, and deliver container content

Dependency Hierarchy:

  • github.com/docker/distribution-v2.7.1 (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

go-jose before 1.0.5 suffers from a CBC-HMAC integer overflow on 32-bit architectures. An integer overflow could lead to authentication bypass for CBC-HMAC encrypted ciphertexts on 32-bit architectures.

Publish Date: 2017-03-28

URL: CVE-2016-9123

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0009

Release Date: 2017-03-28

Fix Resolution: v1.0.5



CVE-2021-44716 (High) detected in github.com/golang/net-c89045814202410a2d67ec20ecf177ec77ceae7f

CVE-2021-44716 - High Severity Vulnerability

Vulnerable Library - github.com/golang/net-c89045814202410a2d67ec20ecf177ec77ceae7f

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • google.golang.org/grpc-v1.45.0 (Root Library)
    • github.com/golang/net-c89045814202410a2d67ec20ecf177ec77ceae7f (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

Publish Date: 2022-01-01

URL: CVE-2021-44716

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-vc3p-29h2-gpcp

Release Date: 2022-01-01

Fix Resolution: github.com/golang/net - 491a49abca63de5e07ef554052d180a1b5fe2d70



CVE-2021-37137 (High) detected in netty-codec-4.1.49.Final.jar

CVE-2021-37137 - High Severity Vulnerability

Vulnerable Library - netty-codec-4.1.49.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /e2e/images/artemis/producer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.49.Final/netty-codec-4.1.49.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.49.Final/netty-codec-4.1.49.Final.jar

Dependency Hierarchy:

  • spring-boot-starter-artemis-2.3.0.RELEASE.jar (Root Library)
    • artemis-jms-client-2.12.0.jar
      • artemis-core-client-2.12.0.jar
        • netty-codec-4.1.49.Final.jar (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it may also buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.

Publish Date: 2021-10-19

URL: CVE-2021-37137

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-9vjp-v76f-g363

Release Date: 2021-10-19

Fix Resolution: io.netty:netty-codec:4.1.68.Final;io.netty:netty-all:4.1.68.Final


CVE-2022-38749 (Medium) detected in snakeyaml-1.26.jar

CVE-2022-38749 - Medium Severity Vulnerability

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /e2e/images/artemis/consumer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar

Dependency Hierarchy:

  • spring-boot-starter-2.3.0.RELEASE.jar (Root Library)
    • snakeyaml-1.26.jar (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

Using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38749

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.6.9


CVE-2022-22968 (Medium) detected in spring-context-5.2.6.RELEASE.jar

CVE-2022-22968 - Medium Severity Vulnerability

Vulnerable Library - spring-context-5.2.6.RELEASE.jar

Spring Context

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /e2e/images/artemis/producer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/5.2.6.RELEASE/spring-context-5.2.6.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/5.2.6.RELEASE/spring-context-5.2.6.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-2.3.0.RELEASE.jar (Root Library)
    • spring-boot-2.3.0.RELEASE.jar
      • spring-context-5.2.6.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

Publish Date: 2022-04-14

URL: CVE-2022-22968

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22968

Release Date: 2022-04-14

Fix Resolution (org.springframework:spring-context): 5.2.21.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.4.0


CVE-2021-29469 (High) detected in redis-3.0.2.tgz

CVE-2021-29469 - High Severity Vulnerability

Vulnerable Library - redis-3.0.2.tgz

A high performance Redis client.

Library home page: https://registry.npmjs.org/redis/-/redis-3.0.2.tgz

Path to dependency file: /e2e/images/redis/lists/package.json

Path to vulnerable library: /e2e/images/redis/lists/node_modules/redis/package.json

Dependency Hierarchy:

  • redis-3.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

Node-redis is a Node.js Redis client. Before version 3.1.1, when a client is in monitoring mode, the regex being used to detect monitor messages could cause exponential backtracking on some strings. This issue could lead to a denial of service. The issue is patched in version 3.1.1.

Publish Date: 2021-04-23

URL: CVE-2021-29469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-35q2-47q7-3pc3

Release Date: 2021-04-23

Fix Resolution: redis - 3.1.1


CVE-2021-22096 (Medium) detected in spring-core-5.2.6.RELEASE.jar

CVE-2021-22096 - Medium Severity Vulnerability

Vulnerable Library - spring-core-5.2.6.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /e2e/images/artemis/consumer/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.2.6.RELEASE/spring-core-5.2.6.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/5.2.6.RELEASE/spring-core-5.2.6.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-2.3.0.RELEASE.jar (Root Library)
    • spring-core-5.2.6.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: 2021-10-28

URL: CVE-2021-22096

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22096

Release Date: 2021-10-28

Fix Resolution: org.springframework:spring-core:5.2.18.RELEASE,5.3.12;org.springframework:spring-web:5.2.18.RELEASE,5.3.12;org.springframework:spring-webmvc:5.2.18.RELEASE,5.3.12;org.springframework:spring-webflux:5.2.18.RELEASE,5.3.12


CVE-2022-28948 (High) detected in gopkg.in/yaml.v3-v3.0.0-20200313102051-9f266ea9e77c

CVE-2022-28948 - High Severity Vulnerability

Vulnerable Library - gopkg.in/yaml.v3-v3.0.0-20200313102051-9f266ea9e77c

YAML support for the Go language.

Library home page: https://proxy.golang.org/gopkg.in/yaml.v3/@v/v3.0.0-20200313102051-9f266ea9e77c.zip

Dependency Hierarchy:

  • github.com/docker/distribution-v2.8.1+incompatible (Root Library)
    • github.com/sirupsen/logrus-v1.9.0
      • github.com/stretchr/testify-v1.7.0
        • gopkg.in/yaml.v3-v3.0.0-20200313102051-9f266ea9e77c (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid input.

Publish Date: 2022-05-19

URL: CVE-2022-28948

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-28948

Release Date: 2022-05-19

Fix Resolution: v3.0.0


CVE-2021-33194 (High) detected in github.com/golang/net-c89045814202410a2d67ec20ecf177ec77ceae7f

CVE-2021-33194 - High Severity Vulnerability

Vulnerable Library - github.com/golang/net-c89045814202410a2d67ec20ecf177ec77ceae7f

[mirror] Go supplementary network libraries

Dependency Hierarchy:

  • google.golang.org/grpc-v1.45.0 (Root Library)
    • github.com/golang/net-c89045814202410a2d67ec20ecf177ec77ceae7f (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.

Publish Date: 2021-05-26

URL: CVE-2021-33194

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33194

Release Date: 2021-05-26

Fix Resolution: golang.org/x/net - v0.0.0-20210520170846-37e1c6afe023


CVE-2021-3538 (High) detected in github.com/docker/distribution-v2.7.1

CVE-2021-3538 - High Severity Vulnerability

Vulnerable Library - github.com/docker/distribution-v2.7.1

The toolkit to pack, ship, store, and deliver container content

Dependency Hierarchy:

  • github.com/docker/distribution-v2.7.1 (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

A flaw was found in github.com/satori/go.uuid in versions from commit 0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c to d91630c8510268e75203009fe7daf2b8e1d60c45. Due to insecure randomness in the g.rand.Read function the generated UUIDs are predictable for an attacker.

Publish Date: 2021-06-02

URL: CVE-2021-3538

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: satori/go.uuid#75

Release Date: 2021-06-02

Fix Resolution: github.com/satori/go.uuid - 75cca531ea763666bc46e531da3b4c3b95f64557

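The go.uuid flaw above is a classic ignored-return-value bug: the result of reading from the entropy source was discarded, so a short read or a failing source left most of the 16 bytes at their zero value. The Go program below is an added example, not code from github.com/satori/go.uuid or from this repository: newV4Unchecked reproduces the pattern, newV4Checked uses io.ReadFull and reports the failure, and shortReader is a constructed stand-in for a degraded entropy source. All names here are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
)

// UUID is a 16-byte RFC 4122 identifier.
type UUID [16]byte

func (u UUID) String() string {
	return fmt.Sprintf("%x-%x-%x-%x-%x", u[0:4], u[4:6], u[6:8], u[8:10], u[10:])
}

// stampV4 sets the version (4) and variant (RFC 4122) bits. Every other bit
// is supposed to come from the entropy source.
func stampV4(u *UUID) {
	u[6] = (u[6] & 0x0f) | 0x40
	u[8] = (u[8] & 0x3f) | 0x80
}

// newV4Unchecked reproduces the vulnerable pattern: the (n, err) result of
// Read is discarded, so a short read or a failing source leaves the
// zero-initialised bytes in place and the "random" ID is mostly constant.
func newV4Unchecked(r io.Reader) UUID {
	var u UUID
	r.Read(u[:]) // the bug under discussion: return values ignored
	stampV4(&u)
	return u
}

// newV4Checked is the corrected pattern: io.ReadFull either fills all 16
// bytes or returns an error that the caller must handle.
func newV4Checked(r io.Reader) (UUID, error) {
	var u UUID
	if _, err := io.ReadFull(r, u[:]); err != nil {
		return UUID{}, fmt.Errorf("uuid: entropy read failed: %w", err)
	}
	stampV4(&u)
	return u, nil
}

// shortReader is a constructed stand-in for a degraded entropy source: it
// delivers its fixed bytes once and then reports EOF.
type shortReader struct {
	buf  []byte
	done bool
}

func (s *shortReader) Read(p []byte) (int, error) {
	if s.done {
		return 0, io.EOF
	}
	s.done = true
	return copy(p, s.buf), nil
}

// unseededBytes counts bytes of u that still look untouched by the reader:
// zero, or exactly the stamped version/variant byte. A healthy ID scores low;
// an ID built from a short read scores close to 16.
func unseededBytes(u UUID) int {
	n := 0
	for i, b := range u {
		switch {
		case i == 6 && b == 0x40, i == 8 && b == 0x80, i != 6 && i != 8 && b == 0:
			n++
		}
	}
	return n
}

func main() {
	u := newV4Unchecked(&shortReader{buf: []byte{0xde, 0xad}})
	fmt.Printf("unchecked: %s (%d of 16 bytes never came from the reader)\n", u, unseededBytes(u))

	if _, err := newV4Checked(&shortReader{buf: []byte{0xde, 0xad}}); err != nil {
		fmt.Println("checked:  ", err)
	}
	good, err := newV4Checked(rand.Reader)
	if err != nil {
		panic(err)
	}
	fmt.Printf("checked:   %s\n", good)
}
```

With only two bytes of entropy the unchecked ID has 2^16 possible values, which is the predictability the advisory describes; the checked variant refuses to mint an ID at all. An API that can fail should return the error rather than paper over it with a zero value, which is why the upstream fix changed the constructor's signature.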

CVE-2020-26160 (High) detected in github.com/docker/distribution-v2.7.1

CVE-2020-26160 - High Severity Vulnerability

Vulnerable Library - github.com/docker/distribution-v2.7.1

The toolkit to pack, ship, store, and deliver container content

Dependency Hierarchy:

  • github.com/docker/distribution-v2.7.1 (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

Publish Date: 2020-09-30

URL: CVE-2020-26160

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-26160

Release Date: 2020-09-30

Fix Resolution: v4.0.0-preview1

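The audience check the jwt-go description refers to, reconstructed as an added Go example (this is not jwt-go's code and not part of this repository). vulnerableVerifyAudience models the single type assertion to string that turned an array-valued "aud" into the empty string, and fixedVerifyAudience accepts both the string and array forms that RFC 7519 allows and fails closed on anything else. The claims JSON is constructed; signature verification, which runs before this check in a real library, is left out. Function and type names are assumptions for the example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// Constructed sample payload: a JWT claims set whose "aud" is an array, which
// the specification permits. After JSON decoding, that array arrives as
// []interface{}, not []string, so a type assertion to string fails.
const sampleClaimsJSON = `{"sub":"alice","aud":["billing-api","reports-api"]}`

type Claims map[string]interface{}

func parseClaims(raw string) (Claims, error) {
	var c Claims
	if err := json.Unmarshal([]byte(raw), &c); err != nil {
		return nil, err
	}
	return c, nil
}

// vulnerableVerifyAudience models the pre-fix logic: one type assertion to
// string. An array-valued "aud" fails the assertion, aud becomes "", and when
// the caller did not mark the claim as required the check passes for any cmp.
func vulnerableVerifyAudience(c Claims, cmp string, required bool) bool {
	aud, _ := c["aud"].(string)
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) == 1
}

// fixedVerifyAudience accepts the string and array forms, fails closed on any
// other JSON type or on a non-string array member, and treats only a
// genuinely absent claim as "no audience".
func fixedVerifyAudience(c Claims, cmp string, required bool) bool {
	var aud []string
	switch v := c["aud"].(type) {
	case nil:
		// claim absent; handled by the len(aud) check below
	case string:
		aud = []string{v}
	case []string:
		aud = v
	case []interface{}:
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return false // malformed claim: fail closed
			}
			aud = append(aud, s)
		}
	default:
		return false // unexpected JSON type: fail closed
	}
	if len(aud) == 0 {
		return !required
	}
	match := false
	for _, a := range aud { // check every entry rather than returning early
		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) == 1 {
			match = true
		}
	}
	return match
}

func main() {
	c, err := parseClaims(sampleClaimsJSON)
	if err != nil {
		panic(err)
	}
	fmt.Println("vulnerable, admin-api accepted:", vulnerableVerifyAudience(c, "admin-api", false))
	fmt.Println("fixed, admin-api accepted:     ", fixedVerifyAudience(c, "admin-api", false))
	fmt.Println("fixed, billing-api accepted:   ", fixedVerifyAudience(c, "billing-api", false))
}
```

The advisory's last sentence is the operational point: the bypass only matters when the library's check is the only audience check. A service that also compares "aud" against its own identity after parsing is unaffected, so when the library cannot be upgraded immediately, adding that service-side check is the mitigation.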

CVE-2022-29526 (Medium) detected in github.com/golang/sys-da31bd327af904dd4721b4eefa7c505bb3afd214, github.com/golang/sys-c6e801f48ba2ad620ea6c8fe8899fb80af386135

CVE-2022-29526 - Medium Severity Vulnerability

Vulnerable Libraries - github.com/golang/sys-da31bd327af904dd4721b4eefa7c505bb3afd214, github.com/golang/sys-c6e801f48ba2ad620ea6c8fe8899fb80af386135

github.com/golang/sys-da31bd327af904dd4721b4eefa7c505bb3afd214

[mirror] Go packages for low-level interaction with the operating system

Dependency Hierarchy:

  • github.com/prometheus/client_golang-v1.12.1 (Root Library)
    • github.com/prometheus/procfs-v0.7.3
    • github.com/golang/sys-da31bd327af904dd4721b4eefa7c505bb3afd214 (Vulnerable Library)

github.com/golang/sys-c6e801f48ba2ad620ea6c8fe8899fb80af386135

[mirror] Go packages for low-level interaction with the operating system

Dependency Hierarchy:

  • google.golang.org/grpc-v1.45.0 (Root Library)
    • github.com/golang/sys-c6e801f48ba2ad620ea6c8fe8899fb80af386135 (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.

Publish Date: 2022-06-23

URL: CVE-2022-29526

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-29526

Release Date: 2022-06-23

Fix Resolution: go1.17.10,go1.18.2,go1.19


CVE-2022-25878 (High) detected in protobufjs-6.11.2.tgz - autoclosed

CVE-2022-25878 - High Severity Vulnerability

Vulnerable Library - protobufjs-6.11.2.tgz

Protocol Buffers for JavaScript (& TypeScript).

Library home page: https://registry.npmjs.org/protobufjs/-/protobufjs-6.11.2.tgz

Path to dependency file: /e2e/images/selenium-grid/package.json

Path to vulnerable library: /e2e/images/selenium-grid/node_modules/protobufjs/package.json

Dependency Hierarchy:

  • cucumber-framework-7.8.0.tgz (Root Library)
    • messages-15.0.0.tgz
      • protobufjs-6.11.2.tgz (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

The package protobufjs before 6.11.3 is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of Object.prototype.

This vulnerability can occur in multiple ways:

  1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions
  2. by parsing/loading .proto files

Publish Date: 2022-05-27

URL: CVE-2022-25878

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25878

Release Date: 2022-05-27

Fix Resolution (protobufjs): 6.11.3

Direct dependency fix Resolution (@wdio/cucumber-framework): 7.19.4


CVE-2016-9122 (High) detected in github.com/docker/distribution-v2.7.1

CVE-2016-9122 - High Severity Vulnerability

Vulnerable Library - github.com/docker/distribution-v2.7.1

The toolkit to pack, ship, store, and deliver container content

Dependency Hierarchy:

  • github.com/docker/distribution-v2.7.1 (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.

Publish Date: 2017-03-28

URL: CVE-2016-9122

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0011

Release Date: 2017-03-28

Fix Resolution: v1.1.0

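The go-jose issue above is an API-shape problem rather than a cryptographic one: verification succeeded, but the caller was not told which of several signatures succeeded. The Go program below is an added example, not go-jose's code and not part of this repository. It builds a two-signature message with HMAC-SHA256 in place of JWS, where verifyAny has the old shape (payload only) and verifyMulti the corrected one (index and Signature returned), and shows a caller reading a role from the wrong header. The message, keys, header fields and function names are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Header is a per-signature protected header. Values the application acts on
// (key id, role) must come from the signature that actually verified.
type Header struct {
	KID  string `json:"kid"`
	Role string `json:"role"`
}

// Signature is one entry of a multi-signature message: its own protected
// header plus an HMAC-SHA256 tag over header and payload.
type Signature struct {
	Protected []byte
	Tag       []byte
}

type Message struct {
	Payload    []byte
	Signatures []Signature
}

func tag(key, protected, payload []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(protected)
	h.Write([]byte{'.'})
	h.Write(payload)
	return h.Sum(nil)
}

// Sign appends a signature made with key and hdr.
func (m *Message) Sign(key []byte, hdr Header) error {
	protected, err := json.Marshal(hdr)
	if err != nil {
		return err
	}
	m.Signatures = append(m.Signatures, Signature{Protected: protected, Tag: tag(key, protected, m.Payload)})
	return nil
}

// verifyAny has the pre-fix API shape: some signature verified, but the
// caller is not told which, so reading m.Signatures[0] afterwards may act on
// a header nobody trusted ever signed.
func (m *Message) verifyAny(key []byte) ([]byte, error) {
	for _, s := range m.Signatures {
		if hmac.Equal(s.Tag, tag(key, s.Protected, m.Payload)) {
			return m.Payload, nil
		}
	}
	return nil, errors.New("no signature verified")
}

// verifyMulti has the corrected shape: it returns the index and the
// Signature that verified, so header values are bound to a checked signature.
func (m *Message) verifyMulti(key []byte) (int, Signature, []byte, error) {
	for i, s := range m.Signatures {
		if hmac.Equal(s.Tag, tag(key, s.Protected, m.Payload)) {
			return i, s, m.Payload, nil
		}
	}
	return -1, Signature{}, nil, errors.New("no signature verified")
}

func parseHeader(protected []byte) (Header, error) {
	var h Header
	err := json.Unmarshal(protected, &h)
	return h, err
}

// roleNaive is the confused-caller pattern: verify, then read the first header.
func roleNaive(m *Message, key []byte) (string, error) {
	if _, err := m.verifyAny(key); err != nil {
		return "", err
	}
	h, err := parseHeader(m.Signatures[0].Protected) // unverified header
	return h.Role, err
}

// roleBound reads the header of the signature that actually verified.
func roleBound(m *Message, key []byte) (string, error) {
	_, sig, _, err := m.verifyMulti(key)
	if err != nil {
		return "", err
	}
	h, err := parseHeader(sig.Protected)
	return h.Role, err
}

// buildScenario is constructed: the attacker prepends a signature under a key
// the verifier never held, carrying a privileged header, ahead of the
// legitimate service signature.
func buildScenario() (*Message, []byte) {
	serviceKey := []byte("constructed-service-key")
	attackerKey := []byte("constructed-attacker-key")
	m := &Message{Payload: []byte(`{"action":"transfer","amount":100}`)}
	if err := m.Sign(attackerKey, Header{KID: "attacker", Role: "admin"}); err != nil {
		panic(err)
	}
	if err := m.Sign(serviceKey, Header{KID: "service", Role: "user"}); err != nil {
		panic(err)
	}
	return m, serviceKey
}

func main() {
	m, key := buildScenario()
	naive, _ := roleNaive(m, key)
	bound, _ := roleBound(m, key)
	fmt.Printf("naive caller sees role %q, bound caller sees role %q\n", naive, bound)
}
```

The attacker's tag never verifies under the service key, yet the naive caller reads "admin" from the attacker's header because nothing tied the verification result to a specific signature. The practical rule for any multi-signature format: never consult a header until the API has told you which signature it belongs to.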

CVE-2021-35065 (High) detected in glob-parent-5.1.2.tgz - autoclosed

CVE-2021-35065 - High Severity Vulnerability

Vulnerable Library - glob-parent-5.1.2.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz

Path to dependency file: /e2e/images/selenium-grid/package.json

Path to vulnerable library: /e2e/images/selenium-grid/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • cli-7.8.0.tgz (Root Library)
    • chokidar-3.5.2.tgz
      • glob-parent-5.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

The package glob-parent before 6.0.1 is vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cj88-88mr-972w

Release Date: 2021-06-22

Fix Resolution: glob-parent - 6.0.1


CVE-2020-14040 (High) detected in golang.org/x/text-v0.3.0

CVE-2020-14040 - High Severity Vulnerability

Vulnerable Library - golang.org/x/text-v0.3.0

Library home page: https://proxy.golang.org/golang.org/x/text/@v/v0.3.0.zip

Dependency Hierarchy:

  • google.golang.org/grpc-v1.45.0 (Root Library)
    • github.com/golang/net-c89045814202410a2d67ec20ecf177ec77ceae7f
      • golang.org/x/text-v0.3.0 (Vulnerable Library)

Found in HEAD commit: 2c144e12e5f278d59cbdc4f4eb3c652e0d62591e

Found in base branch: main

Vulnerability Details

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

Publish Date: 2020-06-17

URL: CVE-2020-14040

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0015

Release Date: 2020-06-17

Fix Resolution: v0.3.3
