temporalio / edu-101-java-code Goto Github PK
View Code? Open in Web Editor NEWCode Exercises for Temporal 101 in java
License: MIT License
edu-101-java-code's People
Contributors
Stargazers
Watchers
edu-101-java-code's Issues
go.temporal.io/sdk-v1.22.1: 1 vulnerabilities (highest severity is: 7.5)
Vulnerable Library - go.temporal.io/sdk-v1.22.1
Path to dependency file: /exercises/finale-workflow/go/go.mod
Path to vulnerable library: /exercises/finale-workflow/go/go.mod
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (go.temporal.io/sdk-v1.22.1 version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-39325 |  High |
7.5 | golang.org/x/net-v0.8.0 | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-39325
Vulnerable Library - golang.org/x/net-v0.8.0
Library home page: https://proxy.golang.org/golang.org/x/net/@v/v0.8.0.zip
Path to dependency file: /exercises/finale-workflow/go/go.mod
Path to vulnerable library: /exercises/finale-workflow/go/go.mod
Dependency Hierarchy:
- go.temporal.io/sdk-v1.22.1 (Root Library)
- github.com/grpc-ecosystem/go-grpc-middleware-v1.3.0
- ❌ golang.org/x/net-v0.8.0 (Vulnerable Library)
- github.com/grpc-ecosystem/go-grpc-middleware-v1.3.0
Found in base branch: main
Vulnerability Details
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
Publish Date: 2023-10-11
URL: CVE-2023-39325
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://pkg.go.dev/vuln/GO-2023-2102
Release Date: 2023-10-11
Fix Resolution: go1.20.10, go1.21.3, golang.org/x/net - v0.17.0
rapidoid-quick-5.5.5.jar: 3 vulnerabilities (highest severity is: 8.3)
Vulnerable Library - rapidoid-quick-5.5.5.jar
Path to dependency file: /exercises/farewell-workflow/solution/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar
Found in HEAD commit: 609f532cd3d68a8e2f49228ed020168e1ac404b3
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in (rapidoid-quick version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-22102 | High |
8.3 | mysql-connector-java-5.1.41.jar | Transitive | N/A* | ❌ |
| CVE-2023-5072 | High |
7.5 | json-20140107.jar | Transitive | N/A* | ❌ |
| CVE-2023-6481 | High |
7.5 | logback-core-1.1.3.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-22102
Vulnerable Library - mysql-connector-java-5.1.41.jar
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /demos/service-workflow/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.41/mysql-connector-java-5.1.41.jar
Dependency Hierarchy:
- rapidoid-quick-5.5.5.jar (Root Library)
- ❌ mysql-connector-java-5.1.41.jar (Vulnerable Library)
Found in HEAD commit: 609f532cd3d68a8e2f49228ed020168e1ac404b3
Found in base branch: main
Vulnerability Details
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Publish Date: 2023-10-17
URL: CVE-2023-22102
CVSS 3 Score Details (8.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-22102
Release Date: 2023-10-17
Fix Resolution: com.mysql:mysql-connector-j:8.2.0
CVE-2023-5072
Vulnerable Library - json-20140107.jar
JSON is a light-weight, language independent, data interchange format. See http://www.JSON.org/
The files in this package implement JSON encoders/decoders in Java.
It also includes the capability to convert between JSON and XML, HTTP
headers, Cookies, and CDL.
This is a reference implementation. There is a large number of JSON packages
in Java. Perhaps someday the Java community will standardize on one. Until
then, choose carefully.
The license includes this restriction: "The software shall be used for good,
not evil." If your conscience cannot live with that, then choose a different
package.
The package compiles on Java 1.2 thru Java 1.4.</p>
Library home page: https://github.com/douglascrockford/JSON-java
Path to dependency file: /exercises/farewell-workflow/practice/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/json/json/20140107/json-20140107.jar,/home/wss-scanner/.m2/repository/org/json/json/20140107/json-20140107.jar,/home/wss-scanner/.m2/repository/org/json/json/20140107/json-20140107.jar
Dependency Hierarchy:
- rapidoid-quick-5.5.5.jar (Root Library)
- rapidoid-oauth-5.5.5.jar
- org.apache.oltu.oauth2.client-1.0.1.jar
- org.apache.oltu.oauth2.common-1.0.1.jar
- ❌ json-20140107.jar (Vulnerable Library)
- org.apache.oltu.oauth2.common-1.0.1.jar
- org.apache.oltu.oauth2.client-1.0.1.jar
- rapidoid-oauth-5.5.5.jar
Found in HEAD commit: 609f532cd3d68a8e2f49228ed020168e1ac404b3
Found in base branch: main
Vulnerability Details
Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
Publish Date: 2023-10-12
URL: CVE-2023-5072
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-rm7j-f5g5-27vv
Release Date: 2023-10-12
Fix Resolution: org.json:json:20231013
CVE-2023-6481
Vulnerable Library - logback-core-1.1.3.jar
logback-core module
Library home page: http://logback.qos.ch
Path to dependency file: /demos/service-workflow/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.1.3/logback-core-1.1.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.1.3/logback-core-1.1.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.1.3/logback-core-1.1.3.jar
Dependency Hierarchy:
- rapidoid-quick-5.5.5.jar (Root Library)
- logback-classic-1.1.3.jar
- ❌ logback-core-1.1.3.jar (Vulnerable Library)
- logback-classic-1.1.3.jar
Found in HEAD commit: 609f532cd3d68a8e2f49228ed020168e1ac404b3
Found in base branch: main
Vulnerability Details
A serialization vulnerability in logback receiver component part of
logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
Publish Date: 2023-12-04
URL: CVE-2023-6481
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-6481
Release Date: 2023-12-04
Fix Resolution: ch.qos.logback:logback-core:1.2.13,1.3.14,1.4.14
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.