opentok / accelerator-sample-apps-android Goto Github PK

Vulnerable Library - kotlin-stdlib-1.4.20.jar

Kotlin Standard Library for JVM

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.4.20/9be77b243a362b745e365f286627b8724337009c/kotlin-stdlib-1.4.20.jar,/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.4.20/9be77b243a362b745e365f286627b8724337009c/kotlin-stdlib-1.4.20.jar

CVE-2022-24329

Vulnerable Library - kotlin-stdlib-1.4.20.jar

Kotlin Standard Library for JVM

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.4.20/9be77b243a362b745e365f286627b8724337009c/kotlin-stdlib-1.4.20.jar,/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.4.20/9be77b243a362b745e365f286627b8724337009c/kotlin-stdlib-1.4.20.jar

Dependency Hierarchy:

• ❌ kotlin-stdlib-1.4.20.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.

Publish Date: 2022-02-25

URL: CVE-2022-24329

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-2qp4-g3q3-f92w

Release Date: 2022-02-25

Fix Resolution: 1.6.0-M1

⛑️ Automatic Remediation is available for this issue

Vulnerable Library - junit-4.12.jar

JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.

Library home page: http://junit.org

Path to dependency file: /app/build.gradle

Path to vulnerable library: /files-2.1/junit/junit/4.12/2973d150c0dc1fefe998f834810d68f278ea58ec/junit-4.12.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/junit/junit/4.12/2973d150c0dc1fefe998f834810d68f278ea58ec/junit-4.12.jar

CVE-2020-15250

Vulnerable Library - junit-4.12.jar

JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.

Library home page: http://junit.org

Path to dependency file: /app/build.gradle

Path to vulnerable library: /files-2.1/junit/junit/4.12/2973d150c0dc1fefe998f834810d68f278ea58ec/junit-4.12.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/junit/junit/4.12/2973d150c0dc1fefe998f834810d68f278ea58ec/junit-4.12.jar

Dependency Hierarchy:

• ❌ junit-4.12.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.

Publish Date: 2020-10-12

URL: CVE-2020-15250

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-269g-pwp5-87pp

Release Date: 2020-10-12

Fix Resolution: 4.13.1

⛑️ Automatic Remediation is available for this issue

Vulnerable Library - lint-gradle-27.1.1.jar

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.10.0/410b61dd0088aab4caa05739558d43df248958c9/protobuf-java-3.10.0.jar

CVE-2018-1000613

Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar

Dependency Hierarchy:

• lint-gradle-27.1.1.jar (Root Library)
  • builder-4.1.1.jar
    • ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.

Publish Date: 2018-07-09

URL: CVE-2018-1000613

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000613

Release Date: 2018-07-09

Fix Resolution: org.bouncycastle:bcprov-ext-debug-jdk15on:1.60,org.bouncycastle:bcprov-debug-jdk15on:1.60,org.bouncycastle:bcprov-debug-jdk14:1.60,org.bouncycastle:bcprov-ext-jdk14:1.60,org.bouncycastle:bcprov-ext-jdk15on:1.60,org.bouncycastle:bcprov-jdk14:1.60,org.bouncycastle:bcprov-jdk15on:1.60

WS-2021-0419

Vulnerable Library - gson-2.8.5.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.5/f645ed69d595b24d4cf8b3fbb64cc505bede8829/gson-2.8.5.jar

Dependency Hierarchy:

• lint-gradle-27.1.1.jar (Root Library)
  • builder-4.1.1.jar
    • sdklib-27.1.1.jar
      • ❌ gson-2.8.5.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-10-11

Fix Resolution: com.google.code.gson:gson:2.8.9

CVE-2021-36090

Vulnerable Library - commons-compress-1.12.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar

Dependency Hierarchy:

• lint-gradle-27.1.1.jar (Root Library)
  • builder-4.1.1.jar
    • sdklib-27.1.1.jar
      • ❌ commons-compress-1.12.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2021-07-13

URL: CVE-2021-36090

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

CVE-2019-17359

Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar

Dependency Hierarchy:

• lint-gradle-27.1.1.jar (Root Library)
  • builder-4.1.1.jar
    • ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.

Publish Date: 2019-10-08

URL: CVE-2019-17359

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17359

Release Date: 2019-10-08

Fix Resolution: org.bouncycastle:bcprov-jdk15on:1.64

CVE-2022-25647

Vulnerable Library - gson-2.8.5.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.5/f645ed69d595b24d4cf8b3fbb64cc505bede8829/gson-2.8.5.jar

Dependency Hierarchy:

• lint-gradle-27.1.1.jar (Root Library)
  • builder-4.1.1.jar
    • sdklib-27.1.1.jar
      • ❌ gson-2.8.5.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Publish Date: 2022-05-01

URL: CVE-2022-25647

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`

Release Date: 2022-05-01

Fix Resolution: com.google.code.gson:gson:gson-parent-2.8.9

CVE-2021-35517

Vulnerable Library - commons-compress-1.12.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar

Dependency Hierarchy:

• lint-gradle-27.1.1.jar (Root Library)
  • builder-4.1.1.jar
    • sdklib-27.1.1.jar
      • ❌ commons-compress-1.12.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Publish Date: 2021-07-13

URL: CVE-2021-35517

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

CVE-2018-1000180

Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar

Dependency Hierarchy:

• lint-gradle-27.1.1.jar (Root Library)
  • builder-4.1.1.jar
    • ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

Publish Date: 2018-06-05

URL: CVE-2018-1000180

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000180

Release Date: 2018-06-05

Fix Resolution: org.bouncycastle:bc-fips:1.0.2;org.bouncycastle:bcprov-jdk15on:1.60;org.bouncycastle:bcprov-jdk14:1.60;org.bouncycastle:bcprov-ext-jdk14:1.60;org.bouncycastle:bcprov-ext-jdk15on:1.60;org.bouncycastle:bcprov-debug-jdk14:1.60;org.bouncycastle:bcprov-debug-jdk15on:1.60

CVE-2021-35516

Vulnerable Library - commons-compress-1.12.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar

Dependency Hierarchy:

• lint-gradle-27.1.1.jar (Root Library)
  • builder-4.1.1.jar
    • sdklib-27.1.1.jar
      • ❌ commons-compress-1.12.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35516

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

CVE-2021-35515

Vulnerable Library - commons-compress-1.12.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar

Dependency Hierarchy:

• lint-gradle-27.1.1.jar (Root Library)
  • builder-4.1.1.jar
    • sdklib-27.1.1.jar
      • ❌ commons-compress-1.12.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35515

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

WS-2019-0379

Vulnerable Library - commons-codec-1.10.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar

Dependency Hierarchy:

• lint-gradle-27.1.1.jar (Root Library)
  • builder-4.1.1.jar
    • sdklib-27.1.1.jar
      • httpmime-4.5.6.jar
        • httpclient-4.5.6.jar
          • ❌ commons-codec-1.10.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2019-05-20

Fix Resolution: commons-codec:commons-codec:1.13

CVE-2020-15522

Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar

Dependency Hierarchy:

• lint-gradle-27.1.1.jar (Root Library)
  • builder-4.1.1.jar
    • ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.

Publish Date: 2021-05-20

URL: CVE-2020-15522

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15522

Release Date: 2021-05-20

Fix Resolution: C#- release-1.8.7, Java- 1.66

CVE-2022-3171

Vulnerable Library - protobuf-java-3.10.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.10.0/410b61dd0088aab4caa05739558d43df248958c9/protobuf-java-3.10.0.jar

Dependency Hierarchy:

• lint-gradle-27.1.1.jar (Root Library)
  • builder-4.1.1.jar
    • ddmlib-27.1.1.jar
      • ❌ protobuf-java-3.10.0.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A potential Denial of Service issue in protobuf-java core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.

This issue was fixed In the following version:

protobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3)
protobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3)
protobuf-kotlin (3.21.7, 3.20.3, 3.19.6)
protobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6)
google-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)

Publish Date: 2022-09-10

URL: CVE-2022-3171

CVSS 3 Score Details (5.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4h5-3hr4-j3g2

Release Date: 2022-09-10

Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-javalite:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin:3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin-lite:3.19.6,3.20.3,3.21.7;google-protobuf - 3.19.6,3.20.3,3.21.7

CVE-2021-22569

Vulnerable Library - protobuf-java-3.10.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.10.0/410b61dd0088aab4caa05739558d43df248958c9/protobuf-java-3.10.0.jar

Dependency Hierarchy:

• lint-gradle-27.1.1.jar (Root Library)
  • builder-4.1.1.jar
    • ddmlib-27.1.1.jar
      • ❌ protobuf-java-3.10.0.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Publish Date: 2022-01-10

URL: CVE-2021-22569

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-wrvw-hg22-4m67

Release Date: 2022-01-10

Fix Resolution: com.google.protobuf:protobuf-java:3.16.1,3.18.2,3.19.2; com.google.protobuf:protobuf-kotlin:3.18.2,3.19.2; google-protobuf - 3.19.2

CVE-2020-17521

Vulnerable Library - groovy-all-2.4.15.jar

Groovy: A powerful, dynamic language for the JVM

Library home page: http://groovy-lang.org

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.groovy/groovy-all/2.4.15/423a17aeb2f64bc6f76e8e44265a548bec80fd42/groovy-all-2.4.15.jar

Dependency Hierarchy:

• lint-gradle-27.1.1.jar (Root Library)
  • ❌ groovy-all-2.4.15.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

Publish Date: 2020-12-07

URL: CVE-2020-17521

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/GROOVY-9824

Release Date: 2020-12-07

Fix Resolution: org.codehaus.groovy:groovy-all:2.4.21,2.5.14,3.0.7

CVE-2018-11771

Vulnerable Library - commons-compress-1.12.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar

Dependency Hierarchy:

• lint-gradle-27.1.1.jar (Root Library)
  • builder-4.1.1.jar
    • sdklib-27.1.1.jar
      • ❌ commons-compress-1.12.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2018-08-16

URL: CVE-2018-11771

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771

Release Date: 2018-08-16

Fix Resolution: 1.18

CVE-2018-1324

Vulnerable Library - commons-compress-1.12.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar

Dependency Hierarchy:

• lint-gradle-27.1.1.jar (Root Library)
  • builder-4.1.1.jar
    • sdklib-27.1.1.jar
      • ❌ commons-compress-1.12.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2018-03-16

URL: CVE-2018-1324

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1324

Release Date: 2018-03-16

Fix Resolution: 1.16

CVE-2022-24329

Vulnerable Library - kotlin-stdlib-1.3.72.jar

Kotlin Standard Library for JVM

Library home page: https://kotlinlang.org/

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.72/8032138f12c0180bc4e51fe139d4c52b46db6109/kotlin-stdlib-1.3.72.jar

Dependency Hierarchy:

• lint-gradle-27.1.1.jar (Root Library)
  • kotlin-stdlib-jdk8-1.3.72.jar
    • ❌ kotlin-stdlib-1.3.72.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.

Publish Date: 2022-02-25

URL: CVE-2022-24329

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-2qp4-g3q3-f92w

Release Date: 2022-02-25

Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.6.0

CVE-2020-13956

Vulnerable Library - httpclient-4.5.6.jar

Apache HttpComponents Client

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.6/1afe5621985efe90a92d0fbc9be86271efbe796f/httpclient-4.5.6.jar

Dependency Hierarchy:

• lint-gradle-27.1.1.jar (Root Library)
  • builder-4.1.1.jar
    • sdklib-27.1.1.jar
      • httpmime-4.5.6.jar
        • ❌ httpclient-4.5.6.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Publish Date: 2020-12-02

URL: CVE-2020-13956

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-13956

Release Date: 2020-12-02

Fix Resolution: org.apache.httpcomponents:httpclient:4.5.13;org.apache.httpcomponents:httpclient-osgi:4.5.13;org.apache.httpcomponents.client5:httpclient5:5.0.3;org.apache.httpcomponents.client5:httpclient5-osgi:5.0.3

CVE-2020-26939

Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar

Dependency Hierarchy:

• lint-gradle-27.1.1.jar (Root Library)
  • builder-4.1.1.jar
    • ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.

Publish Date: 2020-11-02

URL: CVE-2020-26939

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-11-02

Fix Resolution: org.bouncycastle:bcprov-jdk14:1.61,org.bouncycastle:bcprov-ext-debug-jdk15on:1.61,org.bouncycastle:bcprov-debug-jdk15on:1.61,org.bouncycastle:bcprov-ext-jdk15on:1.61,org.bouncycastle:bcprov-jdk15on:1.61

CVE-2020-8908

Vulnerable Library - guava-28.1-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/28.1-jre/b0e91dcb6a44ffb6221b5027e12a5cb34b841145/guava-28.1-jre.jar

Dependency Hierarchy:

• lint-gradle-27.1.1.jar (Root Library)
  • builder-4.1.1.jar
    • common-27.1.1.jar
      • ❌ guava-28.1-jre.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

Publish Date: 2020-12-10

URL: CVE-2020-8908

CVSS 3 Score Details (3.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908

Release Date: 2020-12-10

Fix Resolution: v30.0

Vulnerable Library - jackson-mapper-asl-1.9.13.jar

Data Mapper package is a high-performance data binding package built on Jackson JSON processor

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-mapper-asl/1.9.13/1ee2f2bed0e5dd29d1cb155a166e6f8d50bbddb7/jackson-mapper-asl-1.9.13.jar,/files-2.1/org.codehaus.jackson/jackson-mapper-asl/1.9.13/1ee2f2bed0e5dd29d1cb155a166e6f8d50bbddb7/jackson-mapper-asl-1.9.13.jar

CVE-2019-10202

Vulnerable Library - jackson-mapper-asl-1.9.13.jar

Data Mapper package is a high-performance data binding package built on Jackson JSON processor

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-mapper-asl/1.9.13/1ee2f2bed0e5dd29d1cb155a166e6f8d50bbddb7/jackson-mapper-asl-1.9.13.jar,/files-2.1/org.codehaus.jackson/jackson-mapper-asl/1.9.13/1ee2f2bed0e5dd29d1cb155a166e6f8d50bbddb7/jackson-mapper-asl-1.9.13.jar

Dependency Hierarchy:

• ❌ jackson-mapper-asl-1.9.13.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.

Publish Date: 2019-10-01

URL: CVE-2019-10202

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://access.redhat.com/errata/RHSA-2019:2938

Release Date: 2019-10-01

Fix Resolution: org.codehaus.jackson:jackson-mapper-asl-7.2.4;com.fasterxml.jackson.core:jackson-databind-2.9.9

⛑️ Automatic Remediation is available for this issue

CVE-2019-10172

Vulnerable Library - jackson-mapper-asl-1.9.13.jar

Data Mapper package is a high-performance data binding package built on Jackson JSON processor

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-mapper-asl/1.9.13/1ee2f2bed0e5dd29d1cb155a166e6f8d50bbddb7/jackson-mapper-asl-1.9.13.jar,/files-2.1/org.codehaus.jackson/jackson-mapper-asl/1.9.13/1ee2f2bed0e5dd29d1cb155a166e6f8d50bbddb7/jackson-mapper-asl-1.9.13.jar

Dependency Hierarchy:

• ❌ jackson-mapper-asl-1.9.13.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.

Publish Date: 2019-11-18

URL: CVE-2019-10172

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10172

Release Date: 2019-11-18

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.0.0-RC1

⛑️ Automatic Remediation is available for this issue