Vulnerable Library - kramdown-1.17.0.gem

kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.

Library home page: https://rubygems.org/gems/kramdown-1.17.0.gem

Path to dependency file: /docs/Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/kramdown-1.17.0.gem

Dependency Hierarchy:

• jekyll-3.8.6.gem (Root Library)
  • ❌ kramdown-1.17.0.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.

Publish Date: 2021-03-19

URL: CVE-2021-28834

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-03-19

Fix Resolution: 2.3.1

Vulnerable Library - ivy-2.5.0.jar

The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

Library home page: http://ant.apache.org/ivy/

Path to dependency file: /pom.xml

Path to vulnerable library: /canner/.m2/repository/org/apache/ivy/ivy/2.5.0/ivy-2.5.0.jar

Dependency Hierarchy:

• ❌ ivy-2.5.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

When Apache Ivy downloads artifacts from a repository it stores them in the local file system based on a user-supplied "pattern" that may include placeholders for artifacts coordinates like the organisation, module or version. If said coordinates contain "../" sequences - which are valid characters for Ivy coordinates in general - it is possible the artifacts are stored outside of Ivy's local cache or repository or can overwrite different artifacts inside of the local cache. In order to exploit this vulnerability an attacker needs collaboration by the remote repository as Ivy will issue http requests containing ".." sequences and a "normal" repository will not interpret them as part of the artifact coordinates. Users of Apache Ivy 2.0.0 to 2.5.1 should upgrade to Ivy 2.5.1.

Publish Date: 2022-11-07

URL: CVE-2022-37866

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/htxbr8oc464hxrgroftnz3my70whk93b

Release Date: 2022-11-07

Fix Resolution: org.apache.ivy:ivy:2.5.1

Vulnerable Library - xercesImpl-2.12.0.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.

Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page.

Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1.

Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.</p>

Library home page: https://xerces.apache.org/xerces2-j/

Path to dependency file: ant-contrib/cpptasks/pom.xml

Path to vulnerable library: canner/.m2/repository/xerces/xercesImpl/2.12.0/xercesImpl-2.12.0.jar,canner/.m2/repository/xerces/xercesImpl/2.12.0/xercesImpl-2.12.0.jar

Dependency Hierarchy:

• ❌ xercesImpl-2.12.0.jar (Vulnerable Library)

Found in HEAD commit: bbf96a9fcd08620a370c76cd1e4c769d6acad479

Found in base branch: master

Vulnerability Details

A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a similar code. This flaw affects all Xerces JBoss versions before 2.12.0.SP3.

Publish Date: 2020-09-17

URL: CVE-2020-14338

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1860054

Release Date: 2020-07-21

Fix Resolution: xerces:xercesImpl:2.12.0.SP3

Vulnerable Library - ant-1.9.15.jar

master POM

Library home page: http://ant.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/ant/ant/1.9.15/ant-1.9.15.jar,/home/wss-scanner/.m2/repository/org/apache/ant/ant/1.9.15/ant-1.9.15.jar

Dependency Hierarchy:

• ❌ ant-1.9.15.jar (Vulnerable Library)

Found in HEAD commit: bbf96a9fcd08620a370c76cd1e4c769d6acad479

Found in base branch: master

Vulnerability Details

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.

Publish Date: 2020-10-01

URL: CVE-2020-11979

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://ant.apache.org/security.html

Release Date: 2020-10-01

Fix Resolution: 1.10.9

Vulnerable Library - ant-1.9.15.jar

master POM

Library home page: http://ant.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/ant/ant/1.9.15/ant-1.9.15.jar,/home/wss-scanner/.m2/repository/org/apache/ant/ant/1.9.15/ant-1.9.15.jar

Dependency Hierarchy:

• ❌ ant-1.9.15.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

Publish Date: 2021-07-14

URL: CVE-2021-36373

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36373

Release Date: 2021-07-14

Fix Resolution: 1.9.16

Vulnerable Libraries - xercesImpl-2.12.1.jar, xercesImpl-2.12.0.jar

The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.

Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page.

Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1.

Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.</p>

The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.

Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page.

Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1.

Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.</p>

Found in base branch: master

Vulnerability Details

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

Publish Date: 2022-01-24

URL: CVE-2022-23437

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h65f-jvqw-m9fj

Release Date: 2022-01-24

Fix Resolution: xerces:xercesImpl:2.12.2

Vulnerable Library - ant-1.9.15.jar

master POM

Library home page: http://ant.apache.org/

Path to dependency file: ant-contrib/cpptasks/pom.xml

Path to vulnerable library: canner/.m2/repository/org/apache/ant/ant/1.9.15/ant-1.9.15.jar,canner/.m2/repository/org/apache/ant/ant/1.9.15/ant-1.9.15.jar

Dependency Hierarchy:

• ❌ ant-1.9.15.jar (Vulnerable Library)

Found in HEAD commit: c82c5bcfe49a445673fe3245c466395b26874986

Found in base branch: master

Vulnerability Details

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.

Publish Date: 2020-10-01

URL: CVE-2020-11979

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://ant.apache.org/security.html

Release Date: 2020-07-21

Fix Resolution: org.apache.ant:ant:1.10.9

Vulnerable Library - commons-httpclient-3.1.jar

The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar

Dependency Hierarchy:

• ❌ commons-httpclient-3.1.jar (Vulnerable Library)

Found in HEAD commit: 767da76da8b0cdc9776a388a85ffc6515d48dd5c

Found in base branch: master

Vulnerability Details

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Publish Date: 2012-11-04

URL: CVE-2012-5783

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-5783

Release Date: 2012-11-04

Fix Resolution: 20020423

Vulnerable Library - ivy-2.5.1.jar

Library home page: http://ant.apache.org/ivy/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/ivy/ivy/2.5.1/ivy-2.5.1.jar

Dependency Hierarchy:

• ❌ ivy-2.5.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Improper Restriction of XML External Entity Reference, XML Injection (aka Blind XPath Injection) vulnerability in Apache Software Foundation Apache Ivy.This issue affects any version of Apache Ivy prior to 2.5.2.

When Apache Ivy prior to 2.5.2 parses XML files - either its own configuration, Ivy files or Apache Maven POMs - it will allow downloading external document type definitions and expand any entity references contained therein when used.

This can be used to exfiltrate data, access resources only the machine running Ivy has access to or disturb the execution of Ivy in different ways.

Starting with Ivy 2.5.2 DTD processing is disabled by default except when parsing Maven POMs where the default is to allow DTD processing but only to include a DTD snippet shipping with Ivy that is needed to deal with existing Maven POMs that are not valid XML files but are nevertheless accepted by Maven. Access can be be made more lenient via newly introduced system properties where needed.

Users of Ivy prior to version 2.5.2 can use Java system properties to restrict processing of external DTDs, see the section about "JAXP Properties for External Access restrictions" inside Oracle's "Java API for XML Processing (JAXP) Security Guide".

Publish Date: 2023-08-21

URL: CVE-2022-46751

CVSS 3 Score Details (8.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-2jc4-r94c-rp7h

Release Date: 2023-08-21

Fix Resolution: org.apache.ivy:ivy:2.5.2

Vulnerable Library - ant-1.9.5.jar

master POM

Path to dependency file: ant-contrib/cpptasks/pom.xml

Path to vulnerable library: canner/.m2/repository/org/apache/ant/ant/1.9.5/ant-1.9.5.jar

Dependency Hierarchy:

• ❌ ant-1.9.5.jar (Vulnerable Library)

Found in HEAD commit: 767da76da8b0cdc9776a388a85ffc6515d48dd5c

Found in base branch: master

Vulnerability Details

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.

Publish Date: 2020-05-14

URL: CVE-2020-1945

CVSS 3 Score Details (6.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://ant.apache.org/security.html

Release Date: 2020-05-14

Fix Resolution: org.apache.ant:ant-junitlauncher:1.10.8;org.apache.ant:ant:1.9.15,1.10.8

Vulnerable Library - ant-1.9.15.jar

master POM

Library home page: http://ant.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/ant/ant/1.9.15/ant-1.9.15.jar,/home/wss-scanner/.m2/repository/org/apache/ant/ant/1.9.15/ant-1.9.15.jar

Dependency Hierarchy:

• ❌ ant-1.9.15.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.

Publish Date: 2021-07-14

URL: CVE-2021-36374

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://ant.apache.org/security.html

Release Date: 2021-07-14

Fix Resolution: 1.9.16

Vulnerable Library - kramdown-1.17.0.gem

kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.

Library home page: https://rubygems.org/gems/kramdown-1.17.0.gem

Path to dependency file: /docs/Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/kramdown-1.17.0.gem

Dependency Hierarchy:

• jekyll-3.8.6.gem (Root Library)
  • ❌ kramdown-1.17.0.gem (Vulnerable Library)

Found in HEAD commit: 767da76da8b0cdc9776a388a85ffc6515d48dd5c

Found in base branch: master

Vulnerability Details

The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

Publish Date: 2020-07-17

URL: CVE-2020-14001

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001

Release Date: 2020-07-17

Fix Resolution: kramdown - 2.3.0