hygieia-scm-github-graphql-collector's Introduction

Due to changes in priorities, this project is currently not being supported. The project was archived as of 6/1/2023 and will remain available in a read-only state. Please note that since archival the project is not maintained or reviewed.

Hygieia Collector for Github leveraging graphql

Setup Instructions

To configure the GitHub graphql Collector, execute the following steps:

  • Step 1 - Artifact Preparation:

    Please review the two options in Step 1 to find the best fit for you.

    Option 1 - Download the artifact:

    You can download the SNAPSHOTs from the SNAPSHOT directory here or from the maven central repository here.

    Option 2 - Build locally:

    To configure the Github graphql collector, git clone the collector repo. Then, execute the following steps:

    To package the collector into an executable JAR file, run the Maven build from the hygieia-scm-github-graphql-collector directory of your source code checkout:

    mvn install

    The output file [collector name].jar is generated in the hygieia-scm-github-graphql-collector\target folder.

    Once you have chosen an option in Step 1, please proceed:

  • Step 2: Set Parameters in Application Properties File

Set the configurable parameters in the application.properties file to connect to the Dashboard MongoDB database instance, including properties required by the GitHub Collector.

For information about sourcing the application properties file, refer to the Spring Boot Documentation.

To configure parameters for the GitHub Collector, refer to the sample application.properties section.

  • Step 3: Deploy the Executable File

To deploy the [collector name].jar file, change directory to hygieia-scm-github-graphql-collector\target, and then execute the following from the command prompt:

java -jar [collector name].jar --spring.config.name=github --spring.config.location=[path to application.properties file]

Sample Application Properties

The sample application.properties lists parameter values to configure the GitHub graphql Collector. Set the parameters based on your environment setup.

	# Database Name
	dbname=dashboarddb

	# Database HostName - default is localhost
	dbhost=localhost

	# Database Port - default is 27017
	dbport=27017

	# MongoDB replicaset
	dbreplicaset=[false if you are not using MongoDB replicaset]
	dbhostport=[host1:port1,host2:port2,host3:port3]

	# Database Username - default is blank
	dbusername=dashboarduser

	# Database Password - default is blank
	dbpassword=dbpassword
	
	# Proxy URL
	github.proxy=
	
	# Proxy Port
	github.proxyPort=
	
	# Proxy user if auth is required
	github.proxyUser=
	
	# Proxy password if auth is required
	github.proxyPassword=
	
	# Logging File location
	logging.file=./logs/github.log

	# Collector schedule (required)
	github.cron=0 0/5 * * * *

	github.host=github.com
	
	github.firstRunHistoryDays=
	github.rateLimitThreshold=
	github.graphqlUrl=baseurl/api/graphql
	github.baseApiUrl=baseurl/api/v3

	# Maximum number of previous days from current date, when fetching commits
	github.commitThresholdDays=15
	
	# A filter of commits with subject containing the pattern that will be filtered
	github.notBuiltCommits[0]=
	github.notBuiltCommits[1]=

	# Optional: Error threshold count after which collector stops collecting for a collector item. Default is 2.
	github.errorThreshold=1

	# This is the key generated using the Encryption class in core
	github.key=<your-generated-key>

	# Personal access token generated from GitHub and used for making authenticated calls
	github.personalAccessToken=

	# Github repository Connect Timeout value in milliseconds, default value is 20000 (20s)
	github.connectTimeout=

	# Github repository Read Timeout value in milliseconds, default value is 20000 (20s) 
	github.readTimeout=
	
	github.commitPullSyncTime=
	github.offsetMinutes=
	github.fetchCount=
	github.searchCriteria=
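A small checker for this properties file, added here as an example and not part of the collector or of Hygieia: it parses the Java-style key=value lines and reports empty required settings, README placeholder values left in place, non-numeric timeouts and thresholds, a cron expression that does not have the six fields Spring's scheduler expects, and API URLs that are not https. The SAMPLE_PROPERTIES text, the list of required keys and the placeholder table are constructed from the sample above; nothing here is read from the collector's own code.

```python
"""Lint an application.properties file for the Hygieia GitHub graphql collector.

Added example (not part of the collector): it only knows the keys shown in
the README sample and the defaults stated there.
"""
from typing import Dict, List

# Constructed sample in the README layout; the values are deliberately half-finished.
SAMPLE_PROPERTIES = """\
# Database Name
dbname=dashboarddb
dbhost=localhost
dbport=27017
dbreplicaset=false
dbusername=dashboarduser
dbpassword=dbpassword
logging.file=./logs/github.log
# Collector schedule (required)
github.cron=0 0/5 * * * *
github.host=github.com
github.graphqlUrl=http://baseurl/api/graphql
github.baseApiUrl=https://baseurl/api/v3
github.commitThresholdDays=15
github.errorThreshold=1
github.key=<your-generated-key>
github.personalAccessToken=
github.connectTimeout=
github.readTimeout=abc
"""

# Settings the collector cannot connect or schedule without (assumption drawn from the sample).
REQUIRED = (
    "dbname", "dbhost", "dbport", "github.cron",
    "github.graphqlUrl", "github.baseApiUrl", "github.personalAccessToken",
)
# Settings that must be whole numbers when set at all; blank means "use the default".
INTEGER_KEYS = (
    "dbport", "github.firstRunHistoryDays", "github.rateLimitThreshold",
    "github.commitThresholdDays", "github.errorThreshold", "github.connectTimeout",
    "github.readTimeout", "github.offsetMinutes", "github.fetchCount",
)
# Values copied verbatim from the README sample; each has to be replaced before use.
PLACEHOLDERS = {
    "github.key": "<your-generated-key>",
    "dbpassword": "dbpassword",
    "dbreplicaset": "[false if you are not using MongoDB replicaset]",
    "dbhostport": "[host1:port1,host2:port2,host3:port3]",
}


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#'/'!' comment lines and blanks are skipped.

    Only the '=' separator is handled, which is all the README's files use.
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_properties(props: Dict[str, str]) -> List[str]:
    """Return one finding per problem; an empty list means the file passed."""
    findings: List[str] = []
    for key in REQUIRED:
        if not props.get(key):
            findings.append(f"{key}: required but missing or empty")
    for key, placeholder in PLACEHOLDERS.items():
        if props.get(key) == placeholder:
            findings.append(f"{key}: README placeholder value left in place")
    for key in INTEGER_KEYS:
        value = props.get(key, "")
        if value and not value.isdigit():
            findings.append(f"{key}: expected an integer, got {value!r}")
    cron = props.get("github.cron", "")
    if cron and len(cron.split()) != 6:
        findings.append("github.cron: Spring cron expressions take six fields (sec min hour day month weekday)")
    for key in ("github.graphqlUrl", "github.baseApiUrl"):
        value = props.get(key, "")
        if value and not value.startswith("https://"):
            findings.append(f"{key}: not an https:// URL, the access token would be sent in clear")
    if props.get("dbreplicaset", "").lower() == "true" and not props.get("dbhostport"):
        findings.append("dbhostport: required when dbreplicaset=true")
    if props.get("github.proxyUser") and not props.get("github.proxyPassword"):
        findings.append("github.proxyPassword: proxy user set without a password")
    return findings


if __name__ == "__main__":
    for finding in check_properties(parse_properties(SAMPLE_PROPERTIES)):
        print(finding)
```

Run it against your own file by swapping `SAMPLE_PROPERTIES` for `open(path).read()`; the sample as written yields five findings (empty token, placeholder key and password, a non-numeric read timeout and a plain-http GraphQL URL), and a file with those corrected yields none.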

Run collector with Docker

You can run the collector from a Docker image published on Docker Hub. This section gives detailed instructions on how to download the image and run it with Docker.

  • Step 1: Download

    Navigate to the Docker Hub location of your collector here and download the latest image (the most recent version is preferred). Tags can also be used if needed.

  • Step 2: Run with Docker

    docker run -e SKIP_PROPERTIES_BUILDER=true -v properties_location:/hygieia/config image_name

    • -e SKIP_PROPERTIES_BUILDER=true
      indicates that you want to supply your own properties file to the Java application. If false or omitted, the container's start script builds a properties file with default values.
    • -v properties_location:/hygieia/config
      if you want to use your own properties file located outside the Docker container, supply its path here.
      • Example: -v /Home/User/Document/application.properties:/hygieia/config

hygieia-scm-github-graphql-collector's People

Contributors

alzafacon, andrewalvintran, aochsner, beasknees, benj58xu, chzhanpeng, courtneyp123, cryptk, cschristine, danielyhuang, dcanar9, gonchalo620, miablo, nameisaravind, nireesht, paruff, rvema, satishc1, sbrenthughes, shriver135, subodhbattina, vidhya9lakshmi, yamunag19

hygieia-scm-github-graphql-collector's Issues

CVE-2022-23181 (High) detected in tomcat-embed-core-8.5.70.jar - autoclosed

CVE-2022-23181 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-8.5.70.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.70/tomcat-embed-core-8.5.70.jar

Dependency Hierarchy:

  • core-3.15.26.jar (Root Library)
    • spring-boot-starter-web-1.5.22.RELEASE.jar
      • spring-boot-starter-tomcat-1.5.22.RELEASE.jar
        • tomcat-embed-core-8.5.70.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

Publish Date: 2022-01-27

URL: CVE-2022-23181

CVSS 3 Score Details (7.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9

Release Date: 2022-01-27

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.5.75

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.15.27


Step up your Open Source Security Game with Mend here

CVE-2020-10693 (Medium) detected in hibernate-validator-5.4.2.Final.jar - autoclosed

CVE-2020-10693 - Medium Severity Vulnerability

Vulnerable Library - hibernate-validator-5.4.2.Final.jar

Hibernate's Bean Validation (JSR-303) reference implementation.

Library home page: http://hibernate.org/validator

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.4.2.Final/hibernate-validator-5.4.2.Final.jar

Dependency Hierarchy:

  • core-3.15.26.jar (Root Library)
    • spring-boot-starter-web-1.5.22.RELEASE.jar
      • hibernate-validator-5.4.2.Final.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.

Publish Date: 2020-05-06

URL: CVE-2020-10693

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://in.relation.to/2020/05/07/hibernate-validator-615-6020-released/

Release Date: 2020-05-06

Fix Resolution (org.hibernate:hibernate-validator): 6.0.0.Alpha1

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.15.27

CVE-2023-20860 (High) detected in spring-webmvc-5.3.18.jar

CVE-2023-20860 - High Severity Vulnerability

Vulnerable Library - spring-webmvc-5.3.18.jar

Spring Web MVC

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.3.18/spring-webmvc-5.3.18.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.5.12.jar (Root Library)
    • spring-webmvc-5.3.18.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Publish Date: 2023-03-27

URL: CVE-2023-20860

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2023/03/21/this-week-in-spring-march-21st-2023/

Release Date: 2023-03-27

Fix Resolution (org.springframework:spring-webmvc): 5.3.26

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.6.0

CVE-2021-43980 (Medium) detected in tomcat-embed-core-8.5.70.jar - autoclosed

CVE-2021-43980 - Medium Severity Vulnerability

Vulnerable Library - tomcat-embed-core-8.5.70.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.70/tomcat-embed-core-8.5.70.jar

Dependency Hierarchy:

  • core-3.15.26.jar (Root Library)
    • spring-boot-starter-web-1.5.22.RELEASE.jar
      • spring-boot-starter-tomcat-1.5.22.RELEASE.jar
        • tomcat-embed-core-8.5.70.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

Publish Date: 2022-09-28

URL: CVE-2021-43980

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3

Release Date: 2022-09-28

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.5.78

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.15.27

CVE-2023-20861 (Medium) detected in spring-expression-5.3.18.jar

CVE-2023-20861 - Medium Severity Vulnerability

Vulnerable Library - spring-expression-5.3.18.jar

Spring Expression Language (SpEL)

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.18/spring-expression-5.3.18.jar

Dependency Hierarchy:

  • spring-security-web-5.6.4.jar (Root Library)
    • spring-expression-5.3.18.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-03-23

URL: CVE-2023-20861

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://securityonline.info/cve-2023-20860-high-severity-vulnerability-in-spring-framework/

Release Date: 2023-03-23

Fix Resolution (org.springframework:spring-expression): 5.3.25

Direct dependency fix Resolution (org.springframework.security:spring-security-web): 5.7.7

CVE-2022-25647 (High) detected in gson-2.8.5.jar - autoclosed

CVE-2022-25647 - High Severity Vulnerability

Vulnerable Library - gson-2.8.5.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.5/gson-2.8.5.jar

Dependency Hierarchy:

  • core-3.15.26.jar (Root Library)
    • gson-2.8.5.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Publish Date: 2022-05-01

URL: CVE-2022-25647

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647

Release Date: 2022-05-01

Fix Resolution (com.google.code.gson:gson): 2.8.9

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.15.27

Hygieia-collector not pulling in data.

Hey @Sbrenthughes @rvema, I followed all the steps and have successfully set up the scm-graphql-collector, and it shows no errors while starting the collector either, but it reports the total repo count and all other data as 0.

2021-04-29 17:18:42,717 [main] INFO com.capitalone.dashboard.Application - Started Application in 28.966 seconds (JVM running for 30.774)
2021-04-29 17:20:00,008 [taskScheduler-1] INFO c.c.d.collector.CollectorTask - Getting Collector: GitHub
2021-04-29 17:20:00,039 [taskScheduler-1] INFO c.c.d.collector.CollectorTask - Starting Collector=GitHub
2021-04-29 17:20:00,129 [taskScheduler-1] INFO c.c.d.collector.GitHubCollectorTask - GitHubCollectorTask:collect start, total enabledRepos=0
2021-04-29 17:20:00,129 [taskScheduler-1] WARN c.c.d.collector.GitHubCollectorTask - error threshold error_threshold=1000
2021-04-29 17:20:00,130 [taskScheduler-1] INFO c.c.d.collector.GitHubCollectorTask - GitHubCollectorTask:collect stop, totalProcessSeconds=0, totalRepoCount=0, totalNewPulls=0, totalNewCommits=0 totalNewIssues=0
2021-04-29 17:20:00,141 [taskScheduler-1] INFO c.c.d.collector.CollectorTask - Finished running collector_name=GitHub collector_run_duration=0 collector_items_count=0

the application.properties file looks like:

	# Database Name
	dbname=dashboarddb

	# Database HostName - default is localhost
	dbhost=localhost

	# Database Port - default is 27017
	dbport=27017
	server.contextPath=/github
	server.port=9082

	# MongoDB replicaset
	dbreplicaset=false
	dbhostport=[host1:port1,host2:port2,host3:port3]

	# Database Username - default is blank
	dbusername=

	# Database Password - default is blank
	dbpassword=

	# Proxy URL
	#github.proxy=

	# Proxy Port
	#github.proxyPort=

	# Proxy user if auth is required
	#github.proxyUser=

	# Proxy password if auth is required
	#github.proxyPassword=

	# Logging File location
	logging.file=./logs/github.log

	# Collector schedule (required)
	github.cron=0 0/2 * * * *

	github.host=api.github.com

	github.firstRunHistoryDays=60
	github.rateLimitThreshold=100
	github.graphqlUrl=https://api.github.com/graphql
	github.baseApiUrl=https://api.github.com/

	# Maximum number of previous days from current date, when fetching commits
	github.commitThresholdDays=50

	# A filter of commits with subject containing the pattern that will be filtered
	#github.notBuiltCommits[0]=(.)(\[maven-release-plugin\])(.)
	#github.notBuiltCommits[1]=(.)(orion committed files to rewardsone-chef\/environments\/environments\/rewards_sparkearnengine\_)(.)(json)

	# Optional: Error threshold count after which collector stops collecting for a collector item. Default is 2.
	github.errorThreshold=1000

	# This is the key generated using the Encryption class in core
	github.key=

	# Personal access token generated from github and used for making authenticated calls
	github.personalAccessToken=

	# Github repository Connect Timeout value in milliseconds, default value is 20000 (20s)
	github.connectTimeout=20000

	# Github repository Read Timeout value in milliseconds, default value is 20000 (20s)
	github.readTimeout=60000

	github.commitPullSyncTime=10800000
	github.offsetMinutes=2
	github.fetchCount=25
	github.collectChangedReposOnly=false

	github.privateReposCollectionTime=7200000
	#github.searchCriteria=

Any insights would be much appreciated!
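The log excerpt in this issue has a regular shape: every scheduled run logs a `collect start` line carrying `enabledRepos`, optionally a WARN line, and a `collect stop` line carrying the totals. The following parser, added as an example and not part of Hygieia, pairs each start with its stop, attaches any warnings logged in between, and lists runs that began with no enabled repositories, which is exactly what the log above shows. SAMPLE_LOG is a constructed excerpt in the same format (the second, non-empty run is invented for contrast); the field names are the ones in the issue's log lines.

```python
"""Summarise GitHubCollectorTask runs from the collector log.

Added example, not part of Hygieia: it reads the log line format shown in the
issue above and pairs each 'collect start' with its 'collect stop'.
"""
import re
from typing import Any, Dict, List

# Constructed excerpt in the collector's format: one run with no enabled repos,
# then a run that actually collected something.
SAMPLE_LOG = """\
2021-04-29 17:20:00,129 [taskScheduler-1] INFO c.c.d.collector.GitHubCollectorTask - GitHubCollectorTask:collect start, total enabledRepos=0
2021-04-29 17:20:00,129 [taskScheduler-1] WARN c.c.d.collector.GitHubCollectorTask - error threshold error_threshold=1000
2021-04-29 17:20:00,130 [taskScheduler-1] INFO c.c.d.collector.GitHubCollectorTask - GitHubCollectorTask:collect stop, totalProcessSeconds=0, totalRepoCount=0, totalNewPulls=0, totalNewCommits=0 totalNewIssues=0
2021-04-29 17:20:00,141 [taskScheduler-1] INFO c.c.d.collector.CollectorTask - Finished running collector_name=GitHub collector_run_duration=0 collector_items_count=0
2021-04-29 17:25:00,200 [taskScheduler-1] INFO c.c.d.collector.GitHubCollectorTask - GitHubCollectorTask:collect start, total enabledRepos=3
2021-04-29 17:25:41,900 [taskScheduler-1] INFO c.c.d.collector.GitHubCollectorTask - GitHubCollectorTask:collect stop, totalProcessSeconds=41, totalRepoCount=3, totalNewPulls=2, totalNewCommits=17 totalNewIssues=0
"""

# "<timestamp> [<thread>] <LEVEL> <logger> - <message>", as in the issue's excerpt.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>\w+) (?P<logger>\S+) - (?P<msg>.*)$"
)
# name=123 pairs inside a message (enabledRepos, totalRepoCount, ...).
COUNTER_RE = re.compile(r"(\w+)=(\d+)")


def parse_collector_log(text: str) -> List[Dict[str, Any]]:
    """Return one dict per GitHubCollectorTask run with its counters and warnings."""
    runs: List[Dict[str, Any]] = []
    current: Dict[str, Any] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("logger").endswith("GitHubCollectorTask"):
            continue
        msg = m.group("msg")
        counters = {k: int(v) for k, v in COUNTER_RE.findall(msg)}
        if "collect start" in msg:
            current = {"started": m.group("ts"), "warnings": [], **counters}
            runs.append(current)
        elif "collect stop" in msg and current:
            current["stopped"] = m.group("ts")
            current.update(counters)
            current = {}
        elif current and m.group("level") == "WARN":
            current["warnings"].append(msg)
    return runs


def idle_runs(runs: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Runs that started with no enabled repositories, so nothing could be collected."""
    return [r for r in runs if r.get("enabledRepos", 0) == 0]


if __name__ == "__main__":
    parsed = parse_collector_log(SAMPLE_LOG)
    for run in parsed:
        print(run["started"], "enabledRepos=%s" % run.get("enabledRepos"),
              "newCommits=%s" % run.get("totalNewCommits"), "warnings=%d" % len(run["warnings"]))
    print("runs with nothing to collect:", [r["started"] for r in idle_runs(parsed)])
```

Feed it the real `./logs/github.log` instead of `SAMPLE_LOG` to see at a glance whether any scheduled run ever had repositories enabled; a log where every run is idle points at the dashboard side (no repositories registered for the collector) rather than at the properties file.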

CVE-2022-25857 (High) detected in snakeyaml-1.17.jar - autoclosed

CVE-2022-25857 - High Severity Vulnerability

Vulnerable Library - snakeyaml-1.17.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar

Dependency Hierarchy:

  • spring-boot-starter-data-mongodb-1.5.22.RELEASE.jar (Root Library)
    • spring-boot-starter-1.5.22.RELEASE.jar
      • snakeyaml-1.17.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.

Publish Date: 2022-08-30

URL: CVE-2022-25857

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857

Release Date: 2022-08-30

Fix Resolution: org.yaml:snakeyaml:1.31

CVE-2017-18640 (High) detected in snakeyaml-1.17.jar - autoclosed

CVE-2017-18640 - High Severity Vulnerability

Vulnerable Library - snakeyaml-1.17.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar

Dependency Hierarchy:

  • spring-boot-starter-data-mongodb-1.5.22.RELEASE.jar (Root Library)
    • spring-boot-starter-1.5.22.RELEASE.jar
      • snakeyaml-1.17.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Publish Date: 2019-12-12

URL: CVE-2017-18640

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640

Release Date: 2019-12-12

Fix Resolution (org.yaml:snakeyaml): 1.26

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-mongodb): 2.3.0.RELEASE

CVE-2022-38751 (Medium) detected in snakeyaml-1.17.jar - autoclosed

CVE-2022-38751 - Medium Severity Vulnerability

Vulnerable Library - snakeyaml-1.17.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar

Dependency Hierarchy:

  • spring-boot-starter-data-mongodb-1.5.22.RELEASE.jar (Root Library)
    • spring-boot-starter-1.5.22.RELEASE.jar
      • snakeyaml-1.17.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38751

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

CVE-2022-1471 (High) detected in snakeyaml-1.32.jar

CVE-2022-1471 - High Severity Vulnerability

Vulnerable Library - snakeyaml-1.32.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /pom.xml

Path to vulnerable library: /aml/1.32/snakeyaml-1.32.jar

Dependency Hierarchy:

  • snakeyaml-1.32.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: 2022-12-01

URL: CVE-2022-1471

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution: 2.0

CVE-2020-13956 (Medium) detected in httpclient-4.5.9.jar - autoclosed

CVE-2020-13956 - Medium Severity Vulnerability

Vulnerable Library - httpclient-4.5.9.jar

Apache HttpComponents Client

Library home page: http://hc.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/httpcomponents/httpclient/4.5.9/httpclient-4.5.9.jar

Dependency Hierarchy:

  • core-3.15.26.jar (Root Library)
    • httpclient-4.5.9.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Publish Date: 2020-12-02

URL: CVE-2020-13956

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-13956

Release Date: 2020-12-02

Fix Resolution (org.apache.httpcomponents:httpclient): 4.5.13

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.15.37

CVE-2022-38750 (Medium) detected in snakeyaml-1.17.jar - autoclosed

CVE-2022-38750 - Medium Severity Vulnerability

Vulnerable Library - snakeyaml-1.17.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar

Dependency Hierarchy:

  • spring-boot-starter-data-mongodb-1.5.22.RELEASE.jar (Root Library)
    • spring-boot-starter-1.5.22.RELEASE.jar
      • snakeyaml-1.17.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38750

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

CVE-2022-22965 (High) detected in spring-beans-4.3.25.RELEASE.jar - autoclosed

CVE-2022-22965 - High Severity Vulnerability

Vulnerable Library - spring-beans-4.3.25.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/4.3.25.RELEASE/spring-beans-4.3.25.RELEASE.jar

Dependency Hierarchy:

  • core-3.15.26.jar (Root Library)
    • spring-web-4.3.25.RELEASE.jar
      • spring-beans-4.3.25.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-beans): 5.2.20.RELEASE

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.15.37

CVE-2022-38752 (Medium) detected in snakeyaml-1.17.jar - autoclosed

CVE-2022-38752 - Medium Severity Vulnerability

Vulnerable Library - snakeyaml-1.17.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar

Dependency Hierarchy:

  • spring-boot-starter-data-mongodb-1.5.22.RELEASE.jar (Root Library)
    • spring-boot-starter-1.5.22.RELEASE.jar
      • snakeyaml-1.17.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38752

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-9w3m-gqgf-c4p9

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.32


CVE-2020-36518 (High) detected in jackson-databind-2.10.5.jar - autoclosed

CVE-2020-36518 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.10.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.5/jackson-databind-2.10.5.jar

Dependency Hierarchy:

  • core-3.15.26.jar (Root Library)
    • spring-boot-starter-web-1.5.22.RELEASE.jar
      • jackson-databind-2.10.5.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Mend Note: After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.

Publish Date: 2022-03-11

URL: CVE-2020-36518

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-11

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.6.1

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.15.27


CVE-2022-38749 (Medium) detected in snakeyaml-1.17.jar - autoclosed

CVE-2022-38749 - Medium Severity Vulnerability

Vulnerable Library - snakeyaml-1.17.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar

Dependency Hierarchy:

  • spring-boot-starter-data-mongodb-1.5.22.RELEASE.jar (Root Library)
    • spring-boot-starter-1.5.22.RELEASE.jar
      • snakeyaml-1.17.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38749

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31


WS-2020-0293 (Medium) detected in spring-security-web-4.2.18.RELEASE.jar - autoclosed

WS-2020-0293 - Medium Severity Vulnerability

Vulnerable Library - spring-security-web-4.2.18.RELEASE.jar

spring-security-web

Library home page: https://spring.io/spring-security

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.2.18.RELEASE/spring-security-web-4.2.18.RELEASE.jar

Dependency Hierarchy:

  • core-3.15.26.jar (Root Library)
    • spring-boot-starter-security-1.5.22.RELEASE.jar
      • spring-security-web-4.2.18.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

Spring Security before 5.2.9, 5.3.7, and 5.4.3 is vulnerable to side-channel attacks. Vulnerable versions of Spring Security don't use constant time comparisons for CSRF tokens.

Publish Date: 2020-12-17

URL: WS-2020-0293

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-17

Fix Resolution (org.springframework.security:spring-security-web): 5.2.9.RELEASE

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.15.27


CVE-2020-5421 (Medium) detected in spring-web-4.3.25.RELEASE.jar - autoclosed

CVE-2020-5421 - Medium Severity Vulnerability

Vulnerable Library - spring-web-4.3.25.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/4.3.25.RELEASE/spring-web-4.3.25.RELEASE.jar

Dependency Hierarchy:

  • core-3.15.26.jar (Root Library)
    • spring-web-4.3.25.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

Publish Date: 2020-09-19

URL: CVE-2020-5421

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2020-5421

Release Date: 2020-09-19

Fix Resolution (org.springframework:spring-web): 4.3.29.RELEASE

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.15.37


Collector not pulling collector items from db

Affects: \commit.


I have at least one entry in the collector items collection within mongo db, however it is not being picked up by the scm collector. This collector item was generated by using the hygieia UI to create a repo widget.

{
        "_id" : ObjectId("6037c70841b2652b4b7b6e36"),
        "_class" : "com.capitalone.dashboard.model.webhook.github.GitHubRepo",
        "enabled" : true,
        "errors" : [ ],
        "pushed" : false,
        "collectorId" : ObjectId("603523384caca502ee30cb45"),
        "lastUpdated" : NumberLong("1614269059661"),
        "options" : {
                "password" : "",
                "personalAccessToken" : "",
                "branch" : "master",
                "userID" : "",
                "url" : "https://github.com/Hygieia/hygieia-scm-github-graphql-collector"
        },
        "upsertTime" : ISODate("2021-02-25T15:49:28.263Z")
}

Here's the log showing that the collector item count is zero:

2021-02-25 17:33:03,348 [taskScheduler-1] INFO  c.c.d.collector.CollectorTask - Finished running Collector=GitHub timeTaken=63340 collectorItems=0
2021-02-25 17:34:00,001 [taskScheduler-1] INFO  c.c.d.collector.CollectorTask - Getting Collector: GitHub
2021-02-25 17:34:00,008 [taskScheduler-1] INFO  c.c.d.collector.CollectorTask - Starting Collector=GitHub
2021-02-25 17:34:00,010 [taskScheduler-1] INFO  c.c.d.collector.GitHubCollectorTask - # of collections: 1
2021-02-25 17:34:00,010 [taskScheduler-1] INFO  c.c.d.collector.DefaultGitHubClient - Executing https://api.github.com/events
2021-02-25 17:34:00,274 [taskScheduler-1] INFO  c.c.dashboard.client.RestClient - makeRestCall op=GET url=https://api.github.com/events status=200 duration=264
2021-02-25 17:34:00,275 [taskScheduler-1] INFO  c.c.d.collector.DefaultGitHubClient - Executing https://api.github.com/events?page=2
2021-02-25 17:34:00,580 [taskScheduler-1] INFO  c.c.dashboard.client.RestClient - makeRestCall op=GET url=https://api.github.com/events?page=2 status=200 duration=305
2021-02-25 17:34:00,582 [taskScheduler-1] INFO  c.c.d.collector.DefaultGitHubClient - Executing https://api.github.com/events?page=3

Is there any further guide or documentation to get this collector working beyond the readme on this repo?
Any guidance on why this is not working?

CVE-2021-22096 (Medium) detected in multiple libraries - autoclosed

CVE-2021-22096 - Medium Severity Vulnerability

Vulnerable Libraries - spring-web-4.3.25.RELEASE.jar, spring-webmvc-4.3.25.RELEASE.jar, spring-core-4.3.25.RELEASE.jar

spring-web-4.3.25.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/4.3.25.RELEASE/spring-web-4.3.25.RELEASE.jar

Dependency Hierarchy:

  • core-3.15.26.jar (Root Library)
    • spring-web-4.3.25.RELEASE.jar (Vulnerable Library)

spring-webmvc-4.3.25.RELEASE.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/4.3.25.RELEASE/spring-webmvc-4.3.25.RELEASE.jar

Dependency Hierarchy:

  • core-3.15.26.jar (Root Library)
    • spring-boot-starter-web-1.5.22.RELEASE.jar
      • spring-webmvc-4.3.25.RELEASE.jar (Vulnerable Library)

spring-core-4.3.25.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.25.RELEASE/spring-core-4.3.25.RELEASE.jar

Dependency Hierarchy:

  • core-3.15.26.jar (Root Library)
    • spring-web-4.3.25.RELEASE.jar
      • spring-core-4.3.25.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: 2021-10-28

URL: CVE-2021-22096

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22096

Release Date: 2021-10-28

Fix Resolution (org.springframework:spring-web): 5.2.18.RELEASE

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.15.37

Fix Resolution (org.springframework:spring-webmvc): 5.2.18.RELEASE

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.15.37

Fix Resolution (org.springframework:spring-core): 5.2.18.RELEASE

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.15.37


CVE-2021-22112 (High) detected in spring-security-web-4.2.18.RELEASE.jar - autoclosed

CVE-2021-22112 - High Severity Vulnerability

Vulnerable Library - spring-security-web-4.2.18.RELEASE.jar

spring-security-web

Library home page: https://spring.io/spring-security

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.2.18.RELEASE/spring-security-web-4.2.18.RELEASE.jar

Dependency Hierarchy:

  • core-3.15.26.jar (Root Library)
    • spring-boot-starter-security-1.5.22.RELEASE.jar
      • spring-security-web-4.2.18.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

Publish Date: 2021-02-23

URL: CVE-2021-22112

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22112

Release Date: 2021-02-23

Fix Resolution (org.springframework.security:spring-security-web): 5.2.9.RELEASE

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.15.27


CVE-2022-42003 (High) detected in jackson-databind-2.13.4.jar

CVE-2022-42003 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.13.4.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /ackson/core/jackson-databind/2.13.4/jackson-databind-2.13.4.jar

Dependency Hierarchy:

  • jackson-databind-2.13.4.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1

Publish Date: 2022-10-02

URL: CVE-2022-42003

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-02

Fix Resolution: 2.13.4.1


WS-2021-0419 (High) detected in gson-2.8.5.jar - autoclosed

WS-2021-0419 - High Severity Vulnerability

Vulnerable Library - gson-2.8.5.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.5/gson-2.8.5.jar

Dependency Hierarchy:

  • core-3.15.26.jar (Root Library)
    • gson-2.8.5.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-10-11

Fix Resolution (com.google.code.gson:gson): 2.8.9

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.15.27


WS-2016-7107 (Medium) detected in spring-security-web-4.2.18.RELEASE.jar - autoclosed

WS-2016-7107 - Medium Severity Vulnerability

Vulnerable Library - spring-security-web-4.2.18.RELEASE.jar

spring-security-web

Library home page: https://spring.io/spring-security

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.2.18.RELEASE/spring-security-web-4.2.18.RELEASE.jar

Dependency Hierarchy:

  • core-3.15.26.jar (Root Library)
    • spring-boot-starter-security-1.5.22.RELEASE.jar
      • spring-security-web-4.2.18.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

CSRF tokens in Spring Security are vulnerable to a BREACH attack. Spring Security always returns the same CSRF token to the browser.

Publish Date: 2016-08-02

URL: WS-2016-7107

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2016-7107

Release Date: 2016-08-02

Fix Resolution (org.springframework.security:spring-security-web): 5.2.14.RELEASE

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.15.27


CVE-2020-25649 (High) detected in jackson-databind-2.10.5.jar - autoclosed

CVE-2020-25649 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.10.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.5/jackson-databind-2.10.5.jar

Dependency Hierarchy:

  • core-3.15.26.jar (Root Library)
    • spring-boot-starter-web-1.5.22.RELEASE.jar
      • jackson-databind-2.10.5.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

Publish Date: 2020-12-03

URL: CVE-2020-25649

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-03

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.10.5.1

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.15.27


CVE-2023-20863 (Medium) detected in spring-expression-5.3.18.jar

CVE-2023-20863 - Medium Severity Vulnerability

Vulnerable Library - spring-expression-5.3.18.jar

Spring Expression Language (SpEL)

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.18/spring-expression-5.3.18.jar

Dependency Hierarchy:

  • spring-security-web-5.6.4.jar (Root Library)
    • spring-expression-5.3.18.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

In Spring Framework versions prior to 5.2.24 release+, 5.3.27+ and 6.0.8+, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-04-13

URL: CVE-2023-20863

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-20863

Release Date: 2023-04-13

Fix Resolution (org.springframework:spring-expression): 5.3.27

Direct dependency fix Resolution (org.springframework.security:spring-security-web): 5.7.8


CVE-2022-22950 (Medium) detected in spring-expression-4.3.25.RELEASE.jar - autoclosed

CVE-2022-22950 - Medium Severity Vulnerability

Vulnerable Library - spring-expression-4.3.25.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.3.25.RELEASE/spring-expression-4.3.25.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-data-mongodb-1.5.22.RELEASE.jar (Root Library)
    • spring-data-mongodb-1.10.23.RELEASE.jar
      • spring-expression-4.3.25.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

Publish Date: 2022-04-01

URL: CVE-2022-22950

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22950

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-expression): 5.2.20.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-mongodb): 2.4.0


CVE-2016-1000027 (High) detected in spring-web-5.3.18.jar

CVE-2016-1000027 - High Severity Vulnerability

Vulnerable Library - spring-web-5.3.18.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.18/spring-web-5.3.18.jar

Dependency Hierarchy:

  • core-4.0.1.jar (Root Library)
    • spring-web-5.3.18.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
Mend Note: After conducting further research, Mend has determined that all versions of spring-web up to version 6.0.0 are vulnerable to CVE-2016-1000027.

Publish Date: 2020-01-02

URL: CVE-2016-1000027

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-4wrc-f8pq-fpqp

Release Date: 2020-01-02

Fix Resolution: org.springframework:spring-web:6.0.0


CVE-2022-31692 (High) detected in spring-security-web-5.6.4.jar

CVE-2022-31692 - High Severity Vulnerability

Vulnerable Library - spring-security-web-5.6.4.jar

Spring Security

Library home page: https://spring.io/projects/spring-security

Path to dependency file: /pom.xml

Path to vulnerable library: /work/security/spring-security-web/5.6.4/spring-security-web-5.6.4.jar

Dependency Hierarchy:

  • spring-security-web-5.6.4.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true:

  • The application expects that Spring Security applies security to forward and include dispatcher types.
  • The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method.
  • The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include).
  • The application may forward or include the request to a higher privilege-secured endpoint.
  • The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true).

Publish Date: 2022-10-31

URL: CVE-2022-31692

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-31692

Release Date: 2022-10-31

Fix Resolution: 5.6.9


WS-2021-0616 (Medium) detected in jackson-databind-2.10.5.jar - autoclosed

WS-2021-0616 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.10.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.5/jackson-databind-2.10.5.jar

Dependency Hierarchy:

  • core-3.15.26.jar (Root Library)
    • spring-boot-starter-web-1.5.22.RELEASE.jar
      • jackson-databind-2.10.5.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

In FasterXML jackson-databind before 2.12.6 and 2.13.1 there is a DoS when using JDK serialization to serialize JsonNode.

Publish Date: 2021-11-20

URL: WS-2021-0616

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-11-20

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.11.0

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.15.27


CVE-2022-42252 (High) detected in tomcat-embed-core-9.0.65.jar

CVE-2022-42252 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-9.0.65.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /at/embed/tomcat-embed-core/9.0.65/tomcat-embed-core-9.0.65.jar

Dependency Hierarchy:

  • tomcat-embed-core-9.0.65.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

Publish Date: 2022-11-01

URL: CVE-2022-42252

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-p22x-g9px-3945

Release Date: 2022-11-01

Fix Resolution: org.apache.tomcat:tomcat:8.5.83,9.0.68,10.0.27,10.1.1


CVE-2021-42550 (Medium) detected in logback-core-1.2.3.jar, logback-classic-1.2.3.jar - autoclosed

CVE-2021-42550 - Medium Severity Vulnerability

Vulnerable Libraries - logback-core-1.2.3.jar, logback-classic-1.2.3.jar

logback-core-1.2.3.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar

Dependency Hierarchy:

  • spring-boot-starter-data-mongodb-1.5.22.RELEASE.jar (Root Library)
    • spring-boot-starter-1.5.22.RELEASE.jar
      • spring-boot-starter-logging-1.5.22.RELEASE.jar
        • logback-classic-1.2.3.jar
          • logback-core-1.2.3.jar (Vulnerable Library)

logback-classic-1.2.3.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar

Dependency Hierarchy:

  • spring-boot-starter-data-mongodb-1.5.22.RELEASE.jar (Root Library)
    • spring-boot-starter-1.5.22.RELEASE.jar
      • spring-boot-starter-logging-1.5.22.RELEASE.jar
        • logback-classic-1.2.3.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the privileges required to edit configuration files could craft a malicious configuration that executes arbitrary code loaded from LDAP servers.

Publish Date: 2021-12-16

URL: CVE-2021-42550

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42550

Release Date: 2021-12-16

Fix Resolution (ch.qos.logback:logback-core): 1.2.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-mongodb): 2.5.8

Fix Resolution (ch.qos.logback:logback-classic): 1.2.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-mongodb): 2.5.8



CVE-2022-27772 (High) detected in spring-boot-1.5.22.RELEASE.jar - autoclosed

CVE-2022-27772 - High Severity Vulnerability

Vulnerable Library - spring-boot-1.5.22.RELEASE.jar

Spring Boot

Library home page: https://projects.spring.io/spring-boot/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/1.5.22.RELEASE/spring-boot-1.5.22.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-data-mongodb-1.5.22.RELEASE.jar (Root Library)
    • spring-boot-starter-1.5.22.RELEASE.jar
      • spring-boot-1.5.22.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED ** spring-boot versions prior to v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability affected the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.

Publish Date: 2022-03-30

URL: CVE-2022-27772

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cm59-pr5q-cw85

Release Date: 2022-03-30

Fix Resolution (org.springframework.boot:spring-boot): 2.2.11.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-mongodb): 2.2.11.RELEASE



Not able to run hygieia-scm-github-graphql-collector jar file from local

Hi,

I'm having a problem when running https://github.com/Hygieia/hygieia-scm-github-graphql-collector (For public repo)

I'm trying to run the .jar file but it is showing me some error (see the log below). Hence I'm not able to populate the dropdown in the UI (screenshot).

Screenshot 2022-06-29 at 1 05 40 PM

2022-06-29 12:46:39,294 [main] INFO com.capitalone.dashboard.Application - Starting Application v3.3.13-SNAPSHOT on SHODHARA-M-M2UH with PID 79060 (/Users/shovandhara/Downloads/Cisco/Hygieia/hygieia-scm-github-graphql-collector/target/github-graphql-scm-collector.jar started by shovandhara in /Users/shovandhara/Downloads/Cisco/Hygieia/hygieia-scm-github-graphql-collector/target)
2022-06-29 12:46:39,302 [main] INFO com.capitalone.dashboard.Application - No active profile set, falling back to default profiles: default
2022-06-29 12:46:39,411 [main] INFO o.s.b.c.e.AnnotationConfigEmbeddedWebApplicationContext - Refreshing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@5aebe890: startup date [Wed Jun 29 12:46:39 IST 2022]; root of context hierarchy
2022-06-29 12:46:39,785 [background-preinit] INFO o.h.validator.internal.util.Version - HV000001: Hibernate Validator 5.4.2.Final
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.springframework.cglib.core.ReflectUtils$1 (jar:file:/Users/shovandhara/Downloads/Cisco/Hygieia/hygieia-scm-github-graphql-collector/target/github-graphql-scm-collector.jar!/BOOT-INF/lib/spring-core-4.3.25.RELEASE.jar!/) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of org.springframework.cglib.core.ReflectUtils$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
2022-06-29 12:46:45,051 [main] INFO c.u.j.c.EnableEncryptablePropertiesBeanFactoryPostProcessor - Post-processing PropertySource instances
2022-06-29 12:46:45,096 [main] INFO c.u.j.EncryptablePropertySourceConverter - Converting PropertySource commandLineArgs [org.springframework.core.env.SimpleCommandLinePropertySource] to EncryptableEnumerablePropertySourceWrapper
2022-06-29 12:46:45,096 [main] INFO c.u.j.EncryptablePropertySourceConverter - Converting PropertySource servletConfigInitParams [org.springframework.core.env.PropertySource$StubPropertySource] to EncryptablePropertySourceWrapper
2022-06-29 12:46:45,096 [main] INFO c.u.j.EncryptablePropertySourceConverter - Converting PropertySource servletContextInitParams [org.springframework.core.env.PropertySource$StubPropertySource] to EncryptablePropertySourceWrapper
2022-06-29 12:46:45,096 [main] INFO c.u.j.EncryptablePropertySourceConverter - Converting PropertySource systemProperties [org.springframework.core.env.MapPropertySource] to EncryptableMapPropertySourceWrapper
2022-06-29 12:46:45,096 [main] INFO c.u.j.EncryptablePropertySourceConverter - Converting PropertySource systemEnvironment [org.springframework.core.env.SystemEnvironmentPropertySource] to EncryptableMapPropertySourceWrapper
2022-06-29 12:46:45,097 [main] INFO c.u.j.EncryptablePropertySourceConverter - Converting PropertySource random [org.springframework.boot.context.config.RandomValuePropertySource] to EncryptablePropertySourceWrapper
2022-06-29 12:46:45,251 [main] INFO o.s.c.s.PostProcessorRegistrationDelegate$BeanPostProcessorChecker - Bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler@2313052e' of type [org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2022-06-29 12:46:45,267 [main] INFO o.s.c.s.PostProcessorRegistrationDelegate$BeanPostProcessorChecker - Bean 'methodSecurityMetadataSource' of type [org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2022-06-29 12:46:45,774 [main] INFO o.s.b.c.e.t.TomcatEmbeddedServletContainer - Tomcat initialized with port(s): 8080 (http)
2022-06-29 12:46:45,797 [main] INFO o.a.coyote.http11.Http11NioProtocol - Initializing ProtocolHandler ["http-nio-8080"]
2022-06-29 12:46:45,821 [main] INFO o.a.catalina.core.StandardService - Starting service [Tomcat]
2022-06-29 12:46:45,821 [main] INFO o.a.catalina.core.StandardEngine - Starting Servlet engine: [Apache Tomcat/8.5.70]
2022-06-29 12:46:45,948 [localhost-startStop-1] INFO o.a.c.c.C.[Tomcat].[localhost].[/] - Initializing Spring embedded WebApplicationContext
2022-06-29 12:46:45,949 [localhost-startStop-1] INFO o.s.web.context.ContextLoader - Root WebApplicationContext: initialization completed in 6538 ms
2022-06-29 12:46:46,401 [localhost-startStop-1] INFO c.c.dashboard.config.MongoConfig - ReplicaSetfalse
2022-06-29 12:46:46,634 [localhost-startStop-1] INFO c.c.dashboard.config.MongoConfig - Initializing Mongo Client server at: localhost:27017
2022-06-29 12:46:46,693 [localhost-startStop-1] INFO org.mongodb.driver.cluster - Cluster created with settings {hosts=[localhost:27017], mode=SINGLE, requiredClusterType=UNKNOWN, serverSelectionTimeout='30000 ms', maxWaitQueueSize=500}
2022-06-29 12:46:46,771 [localhost-startStop-1] INFO c.c.dashboard.config.MongoConfig - Connecting to Mongo: Mongo{options=MongoClientOptions{description='null', applicationName='null', compressors='[]', readPreference=primary, writeConcern=WriteConcern{w=null, wTimeout=null ms, fsync=null, journal=null, retryWrites=false, readConcern=com.mongodb.ReadConcern@0, codecRegistry=org.bson.codecs.configuration.ProvidersCodecRegistry@b2537b7b, serverSelector=null, clusterListeners=[], commandListeners=[], minConnectionsPerHost=0, maxConnectionsPerHost=100, threadsAllowedToBlockForConnectionMultiplier=5, serverSelectionTimeout=30000, maxWaitTime=120000, maxConnectionIdleTime=0, maxConnectionLifeTime=0, connectTimeout=10000, socketTimeout=0, socketKeepAlive=true, sslEnabled=false, sslInvalidHostNamesAllowed=false, sslContext=null, alwaysUseMBeans=false, heartbeatFrequency=10000, minHeartbeatFrequency=500, heartbeatConnectTimeout=20000, heartbeatSocketTimeout=20000, localThreshold=15, requiredReplicaSetName='null', dbDecoderFactory=com.mongodb.DefaultDBDecoder$1@8a48847, dbEncoderFactory=com.mongodb.DefaultDBEncoder$1@a383ae3, socketFactory=null, cursorFinalizerEnabled=true, connectionPoolSettings=ConnectionPoolSettings{maxSize=100, minSize=0, maxWaitQueueSize=500, maxWaitTimeMS=120000, maxConnectionLifeTimeMS=0, maxConnectionIdleTimeMS=0, maintenanceInitialDelayMS=0, maintenanceFrequencyMS=60000, connectionPoolListeners=[]}, socketSettings=SocketSettings{connectTimeoutMS=10000, readTimeoutMS=0, keepAlive=true, receiveBufferSize=0, sendBufferSize=0}, serverSettings=ServerSettings{heartbeatFrequencyMS=10000, minHeartbeatFrequencyMS=500, serverListeners='[]', serverMonitorListeners='[]'}, heartbeatSocketSettings=SocketSettings{connectTimeoutMS=20000, readTimeoutMS=20000, keepAlive=true, receiveBufferSize=0, sendBufferSize=0}}}
2022-06-29 12:46:46,816 [cluster-ClusterId{value='62bbfc5ef0752f34d4b53214', description='null'}-localhost:27017] INFO org.mongodb.driver.connection - Opened connection [connectionId{localValue:1, serverValue:154}] to localhost:27017
2022-06-29 12:46:46,822 [cluster-ClusterId{value='62bbfc5ef0752f34d4b53214', description='null'}-localhost:27017] INFO org.mongodb.driver.cluster - Monitor thread successfully connected to server with description ServerDescription{address=localhost:27017, type=STANDALONE, state=CONNECTED, ok=true, version=ServerVersion{versionList=[5, 0, 9]}, minWireVersion=0, maxWireVersion=13, maxDocumentSize=16777216, logicalSessionTimeoutMinutes=30, roundTripTimeNanos=4049615}
2022-06-29 12:46:47,227 [localhost-startStop-1] INFO o.s.b.w.s.FilterRegistrationBean - Mapping filter: 'characterEncodingFilter' to: [/]
2022-06-29 12:46:47,229 [localhost-startStop-1] INFO o.s.b.w.s.DelegatingFilterProxyRegistrationBean - Mapping filter: 'springSecurityFilterChain' to: [/*]
2022-06-29 12:46:47,229 [localhost-startStop-1] INFO o.s.b.w.s.FilterRegistrationBean - Mapping filter: 'apiTokenRequestFilter' to: [/*]
2022-06-29 12:46:47,229 [localhost-startStop-1] INFO o.s.b.w.s.ServletRegistrationBean - Mapping servlet: 'dispatcherServlet' to [/]
2022-06-29 12:46:47,349 [main] INFO org.mongodb.driver.connection - Opened connection [connectionId{localValue:2, serverValue:155}] to localhost:27017
2022-06-29 12:46:47,709 [main] INFO o.s.s.c.ThreadPoolTaskScheduler - Initializing ExecutorService 'taskScheduler'
2022-06-29 12:46:48,084 [main] WARN o.s.b.c.e.AnnotationConfigEmbeddedWebApplicationContext - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'gitHubCollectorTask': Invocation of init method failed; nested exception is java.lang.NullPointerException
2022-06-29 12:46:48,084 [main] INFO o.s.s.c.ThreadPoolTaskScheduler - Shutting down ExecutorService 'taskScheduler'
2022-06-29 12:46:48,086 [main] INFO o.a.catalina.core.StandardService - Stopping service [Tomcat]
2022-06-29 12:46:48,093 [localhost-startStop-1] WARN o.a.c.loader.WebappClassLoaderBase - The web application [ROOT] appears to have started a thread named [cluster-ClusterId{value='62bbfc5ef0752f34d4b53214', description='null'}-localhost:27017] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread:
[email protected]/jdk.internal.misc.Unsafe.park(Native Method)
[email protected]/java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:234)
[email protected]/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:2123)
com.mongodb.connection.DefaultServerMonitor$ServerMonitorRunnable.waitForSignalOrTimeout(DefaultServerMonitor.java:226)
com.mongodb.connection.DefaultServerMonitor$ServerMonitorRunnable.waitForNext(DefaultServerMonitor.java:207)
com.mongodb.connection.DefaultServerMonitor$ServerMonitorRunnable.run(DefaultServerMonitor.java:154)
[email protected]/java.lang.Thread.run(Thread.java:829)
2022-06-29 12:46:48,094 [localhost-startStop-1] WARN o.a.c.loader.WebappClassLoaderBase - The web application [ROOT] appears to have started a thread named [CleanCursors-1-thread-1] but has failed to stop it. This is very likely to create a memory leak. Stack trace of thread:
[email protected]/jdk.internal.misc.Unsafe.park(Native Method)
[email protected]/java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java:234)
[email protected]/java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos(AbstractQueuedSynchronizer.java:2123)
[email protected]/java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:1182)
[email protected]/java.util.concurrent.ScheduledThreadPoolExecutor$DelayedWorkQueue.take(ScheduledThreadPoolExecutor.java:899)
[email protected]/java.util.concurrent.ThreadPoolExecutor.getTask(ThreadPoolExecutor.java:1054)
[email protected]/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1114)
[email protected]/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
[email protected]/java.lang.Thread.run(Thread.java:829)
2022-06-29 12:46:48,102 [main] INFO o.s.b.a.l.AutoConfigurationReportLoggingInitializer -

Error starting ApplicationContext. To display the auto-configuration report re-run your application with 'debug' enabled.
2022-06-29 12:46:48,109 [main] ERROR o.s.boot.SpringApplication - Application startup failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'gitHubCollectorTask': Invocation of init method failed; nested exception is java.lang.NullPointerException
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:137)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyBeanPostProcessorsBeforeInitialization(AbstractAutowireCapableBeanFactory.java:407)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1622)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:553)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:481)
at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:312)
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:308)
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:756)
at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:867)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:542)
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:123)
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:666)
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:353)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:300)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1082)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1071)
at com.capitalone.dashboard.Application.main(Application.java:24)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:87)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:51)
at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:52)
Caused by: java.lang.NullPointerException: null
at org.springframework.scheduling.support.CronSequenceGenerator.parse(CronSequenceGenerator.java:271)
at org.springframework.scheduling.support.CronSequenceGenerator.(CronSequenceGenerator.java:96)
at org.springframework.scheduling.support.CronSequenceGenerator.(CronSequenceGenerator.java:83)
at org.springframework.scheduling.support.CronTrigger.(CronTrigger.java:44)
at com.capitalone.dashboard.collector.CollectorTask.onStartup(CollectorTask.java:89)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleElement.invoke(InitDestroyAnnotationBeanPostProcessor.java:366)
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor$LifecycleMetadata.invokeInitMethods(InitDestroyAnnotationBeanPostProcessor.java:311)
at org.springframework.beans.factory.annotation.InitDestroyAnnotationBeanPostProcessor.postProcessBeforeInitialization(InitDestroyAnnotationBeanPostProcessor.java:134)
... 26 common frames omitted
shovandhara@SHODHARA-M-M2UH target % clear

Here is my application.properties config -

dbname=dashboarddb
dbhost=localhost
dbport=27017
dbreplicaset=false
dbhostport=localhost:27017
dbusername=shodhara
dbpassword=Cancer2233!
logging.file=./logs/github.log
github.cron=0 0/1 * * * *

github.host=https://github.com/ShovanDhara/

github.firstRunHistoryDays=100
github.rateLimitThreshold=100

github.commitThresholdDays=15

github.errorThreshold=1

I'm using this command to run the .jar file

java -jar github-graphql-scm-collector.jar --spring.config.name=github --spring.config.location=application.properties

API, DB layer and UI are running fine.

I'm not able to understand what I'm doing wrong.

CVE-2022-22970 (Medium) detected in spring-core-4.3.25.RELEASE.jar, spring-beans-4.3.25.RELEASE.jar - autoclosed

CVE-2022-22970 - Medium Severity Vulnerability

Vulnerable Libraries - spring-core-4.3.25.RELEASE.jar, spring-beans-4.3.25.RELEASE.jar

spring-core-4.3.25.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.25.RELEASE/spring-core-4.3.25.RELEASE.jar

Dependency Hierarchy:

  • core-3.15.26.jar (Root Library)
    • spring-web-4.3.25.RELEASE.jar
      • spring-core-4.3.25.RELEASE.jar (Vulnerable Library)

spring-beans-4.3.25.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/4.3.25.RELEASE/spring-beans-4.3.25.RELEASE.jar

Dependency Hierarchy:

  • core-3.15.26.jar (Root Library)
    • spring-web-4.3.25.RELEASE.jar
      • spring-beans-4.3.25.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

In Spring Framework versions prior to 5.3.20 and 5.2.22, and in old unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Publish Date: 2022-05-12

URL: CVE-2022-22970

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22970

Release Date: 2022-05-12

Fix Resolution (org.springframework:spring-core): 5.2.22.RELEASE

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.15.37

Fix Resolution (org.springframework:spring-beans): 5.2.22.RELEASE

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.15.37



CVE-2022-42004 (Medium) detected in jackson-databind-2.10.5.jar - autoclosed

CVE-2022-42004 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.10.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.5/jackson-databind-2.10.5.jar

Dependency Hierarchy:

  • core-3.15.26.jar (Root Library)
    • spring-boot-starter-web-1.5.22.RELEASE.jar
      • jackson-databind-2.10.5.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Publish Date: 2022-10-02

URL: CVE-2022-42004

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.13.4



CVE-2020-8908 (Low) detected in guava-29.0-jre.jar - autoclosed

CVE-2020-8908 - Low Severity Vulnerability

Vulnerable Library - guava-29.0-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/guava/guava/29.0-jre/guava-29.0-jre.jar

Dependency Hierarchy:

  • core-3.15.26.jar (Root Library)
    • guava-29.0-jre.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
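Both this advisory and the CVE-2022-27772 entry above (Spring Boot's createTempDir) concern temporary directories created without owner-only permissions. The Java class below is an added example, not code from the Hygieia project, from Guava or from either advisory; it shows the replacement the Guava advisory recommends, java.nio.file.Files.createTempDirectory(), called with an explicit rwx------ (0700) attribute set, together with a check that verifies no group/other permission bit ended up on the directory. The class name PrivateTempDir and the "collector-" prefix are my own choices.

```java
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

/**
 * Added example (hypothetical helper, not part of Hygieia): create a temp
 * directory that only the owning user can read, write or traverse, which is
 * what the Guava advisory asks callers of Files.createTempDir() to migrate to.
 */
public final class PrivateTempDir {

    private PrivateTempDir() {
    }

    /** Creates a temp directory with mode 0700 on POSIX file systems. */
    public static Path create(String prefix) throws IOException {
        if (FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            // Request rwx------ explicitly; the kernel's umask can only remove
            // bits from this, never add group/other access.
            FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(
                    PosixFilePermissions.fromString("rwx------"));
            return Files.createTempDirectory(prefix, ownerOnly);
        }
        // Non-POSIX file systems (e.g. NTFS) have no mode bits; the directory
        // inherits the ACL of java.io.tmpdir, which is typically the per-user
        // %TEMP% folder on Windows.
        return Files.createTempDirectory(prefix);
    }

    /**
     * Returns true when no group or other permission bit is set, i.e. the
     * "world-readable" condition described in CVE-2020-8908 does not apply.
     * Only meaningful on POSIX file systems.
     */
    public static boolean isOwnerOnly(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        for (PosixFilePermission p : perms) {
            switch (p) {
                case GROUP_READ:
                case GROUP_WRITE:
                case GROUP_EXECUTE:
                case OTHERS_READ:
                case OTHERS_WRITE:
                case OTHERS_EXECUTE:
                    return false;
                default:
                    break;
            }
        }
        return true;
    }

    public static void main(String[] args) throws IOException {
        Path dir = create("collector-");
        try {
            boolean posix = FileSystems.getDefault()
                .supportedFileAttributeViews().contains("posix");
            System.out.println(dir + " owner-only: "
                + (posix ? isOwnerOnly(dir) : "n/a (non-POSIX file system)"));
        } finally {
            Files.deleteIfExists(dir);
        }
    }
}
```

Compile and run it with javac PrivateTempDir.java && java PrivateTempDir; on Linux or macOS the directory it reports should print owner-only: true. The same pattern replaces the Spring Boot createTempDir call flagged in CVE-2022-27772: the point in both cases is to let the creating API set 0700 atomically rather than creating a directory and tightening permissions afterwards, since the window between the two steps is what a temp-directory hijack exploits.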

Publish Date: 2020-12-10

URL: CVE-2020-8908

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908

Release Date: 2020-12-10

Fix Resolution (com.google.guava:guava): 30.0-android

Direct dependency fix Resolution (com.capitalone.dashboard:core): 3.15.37



CVE-2022-22980 (High) detected in spring-data-mongodb-1.10.23.RELEASE.jar - autoclosed

CVE-2022-22980 - High Severity Vulnerability

Vulnerable Library - spring-data-mongodb-1.10.23.RELEASE.jar

MongoDB support for Spring Data

Library home page: https://projects.spring.io/spring-data-mongodb

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/data/spring-data-mongodb/1.10.23.RELEASE/spring-data-mongodb-1.10.23.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-data-mongodb-1.5.22.RELEASE.jar (Root Library)
    • spring-data-mongodb-1.10.23.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 412dba4d9ffebf9ab94272772ab4153912ecc4a0

Found in base branch: master

Vulnerability Details

A Spring Data MongoDB application is vulnerable to SpEL injection when using @Query- or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding, if the input is not sanitized.

Publish Date: 2022-06-23

URL: CVE-2022-22980

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22980

Release Date: 2022-06-23

Fix Resolution (org.springframework.data:spring-data-mongodb): 3.2.12

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-mongodb): 2.6.0


