nkomarn / composter Goto Github PK

Vulnerable Library - snakeyaml-1.25.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /tmp/ws-scm/Composter/pom.xml

Path to vulnerable library: 20200410162455/downloadResource_66c8d975-29a8-434e-88af-f273deebf07d/20200410165709/snakeyaml-1.25.jar

Dependency Hierarchy:

• ❌ snakeyaml-1.25.jar (Vulnerable Library)

Found in HEAD commit: ef882059f334043855e1cd2de8dcccc4ce4f5e7a

Vulnerability Details

The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Publish Date: 2019-12-12

URL: CVE-2017-18640

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37fa48110fa54ed8c

Release Date: 2020-03-08

Fix Resolution: 1.26

Vulnerable Library - log4j-core-2.12.1.jar

The Apache Log4j Implementation

Library home page: https://logging.apache.org/log4j/2.x/

Path to dependency file: /tmp/ws-scm/Composter/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/logging/log4j/log4j-core/2.12.1/log4j-core-2.12.1.jar

Dependency Hierarchy:

• log4j-slf4j-impl-2.12.1.jar (Root Library)
  • ❌ log4j-core-2.12.1.jar (Vulnerable Library)

Found in HEAD commit: fb233022a36a67562fa0f9b7d9c24a19a202c5e2

Vulnerability Details

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.

Publish Date: 2020-04-27

URL: CVE-2020-9488

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/LOG4J2-2819

Release Date: 2020-04-27

Fix Resolution: org.apache.logging.log4j:log4j-core:2.13.2

Vulnerable Library - netty-all-4.1.43.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /tmp/ws-scm/Composter/pom.xml

Path to vulnerable library: 20200410162455/downloadResource_66c8d975-29a8-434e-88af-f273deebf07d/20200410165708/netty-all-4.1.43.Final.jar

Dependency Hierarchy:

• ❌ netty-all-4.1.43.Final.jar (Vulnerable Library)

Found in HEAD commit: ef882059f334043855e1cd2de8dcccc4ce4f5e7a

Vulnerability Details

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.

Publish Date: 2020-04-07

URL: CVE-2020-11612

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://netty.io/news/2020/02/28/4-1-46-Final.html

Release Date: 2020-04-07

Fix Resolution: io.netty:netty-codec:4.1.46.Final;io.netty:netty-all:4.1.46.Final