temporalio / graphql-proxy Goto Github PK

Vulnerable Library - proto-google-common-protos-1.17.0.jar

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.11.1/1752390841a56e112b01990c9b523e6978abb24f/protobuf-java-3.11.1.jar

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

CVE-2021-22569

Vulnerable Library - protobuf-java-3.11.1.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.11.1/1752390841a56e112b01990c9b523e6978abb24f/protobuf-java-3.11.1.jar

Dependency Hierarchy:

• proto-google-common-protos-1.17.0.jar (Root Library)
  • ❌ protobuf-java-3.11.1.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Publish Date: 2022-01-10

URL: CVE-2021-22569

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-wrvw-hg22-4m67

Release Date: 2022-01-10

Fix Resolution: com.google.protobuf:protobuf-java:3.16.1,3.18.2,3.19.2; com.google.protobuf:protobuf-kotlin:3.18.2,3.19.2; google-protobuf - 3.19.2

Vulnerable Library - protobuf-java-util-3.19.4.jar

Path to dependency file: /tmp/ws-scm/graphql/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.6/9180733b7df8542621dc12e21e87557e8c99b8cb/gson-2.8.6.jar

Found in HEAD commit: 2658eb632f2ad201c19c841ec5711166a4c40ed2

WS-2021-0419

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /tmp/ws-scm/graphql/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.6/9180733b7df8542621dc12e21e87557e8c99b8cb/gson-2.8.6.jar

Dependency Hierarchy:

• protobuf-java-util-3.19.4.jar (Root Library)
  • ❌ gson-2.8.6.jar (Vulnerable Library)

Found in HEAD commit: 2658eb632f2ad201c19c841ec5711166a4c40ed2

Found in base branch: main

Vulnerability Details

Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/google/gson/releases/tag/gson-parent-2.8.9

Release Date: 2021-10-11

Fix Resolution (com.google.code.gson:gson): 2.8.9

Direct dependency fix Resolution (com.google.protobuf:protobuf-java-util): 3.20.0

⛑️ Automatic Remediation is available for this issue

CVE-2022-25647

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /tmp/ws-scm/graphql/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.6/9180733b7df8542621dc12e21e87557e8c99b8cb/gson-2.8.6.jar

Dependency Hierarchy:

• protobuf-java-util-3.19.4.jar (Root Library)
  • ❌ gson-2.8.6.jar (Vulnerable Library)

Found in HEAD commit: 2658eb632f2ad201c19c841ec5711166a4c40ed2

Found in base branch: main

Vulnerability Details

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Publish Date: 2022-05-01

URL: CVE-2022-25647

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`

Release Date: 2022-05-01

Fix Resolution (com.google.code.gson:gson): 2.8.9

Direct dependency fix Resolution (com.google.protobuf:protobuf-java-util): 3.20.0

⛑️ Automatic Remediation is available for this issue

Vulnerable Library - rejoiner-grpc-0.4.0-SNAPSHOT.jar

Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.20.0/3c72ddaaab7ffafe789e4f732c1fd614eb798bf4/protobuf-java-3.20.0.jar

CVE-2022-3510

Vulnerable Library - protobuf-java-3.20.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.20.0/3c72ddaaab7ffafe789e4f732c1fd614eb798bf4/protobuf-java-3.20.0.jar

Dependency Hierarchy:

• rejoiner-grpc-0.4.0-SNAPSHOT.jar (Root Library)
  • ❌ protobuf-java-3.20.0.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-12-12

URL: CVE-2022-3510

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-4gg5-vx3j-xwc7

Release Date: 2022-12-12

Fix Resolution: com.google.protobuf:protobuf-java:3.21.7,3.20.3,3.19.6,3.16.3

CVE-2022-3509

Vulnerable Library - protobuf-java-3.20.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.20.0/3c72ddaaab7ffafe789e4f732c1fd614eb798bf4/protobuf-java-3.20.0.jar

Dependency Hierarchy:

• rejoiner-grpc-0.4.0-SNAPSHOT.jar (Root Library)
  • ❌ protobuf-java-3.20.0.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-12-12

URL: CVE-2022-3509

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509

Release Date: 2022-12-12

Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7

CVE-2022-3171

Vulnerable Library - protobuf-java-3.20.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.20.0/3c72ddaaab7ffafe789e4f732c1fd614eb798bf4/protobuf-java-3.20.0.jar

Dependency Hierarchy:

• rejoiner-grpc-0.4.0-SNAPSHOT.jar (Root Library)
  • ❌ protobuf-java-3.20.0.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-10-12

URL: CVE-2022-3171

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4h5-3hr4-j3g2

Release Date: 2022-10-12

Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-javalite:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin:3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin-lite:3.19.6,3.20.3,3.21.7;google-protobuf - 3.19.6,3.20.3,3.21.7

Vulnerable Library - jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

CVE-2017-7657

Vulnerable Libraries - jetty-http-9.3.8.v20160314.jar, jetty-server-9.3.8.v20160314.jar

jetty-http-9.3.8.v20160314.jar

Administrative parent pom for Jetty modules

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.3.8.v20160314/127feb7407f4137ff4295b5fa2895845db56710/jetty-http-9.3.8.v20160314.jar

Dependency Hierarchy:

• jetty-server-9.3.8.v20160314.jar (Root Library)
  • ❌ jetty-http-9.3.8.v20160314.jar (Vulnerable Library)

jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar

Dependency Hierarchy:

• ❌ jetty-server-9.3.8.v20160314.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Publish Date: 2018-06-26

URL: CVE-2017-7657

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668

Release Date: 2018-06-26

Fix Resolution: org.eclipse.jetty:jetty-server:9.3.24.v20180605,9.4.11.v20180605;org.eclipse.jetty:jetty-http:9.3.24.v20180605,9.4.11.v20180605

CVE-2016-4800

Vulnerable Libraries - jetty-server-9.3.8.v20160314.jar, jetty-util-9.3.8.v20160314.jar

jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar

Dependency Hierarchy:

• ❌ jetty-server-9.3.8.v20160314.jar (Vulnerable Library)

jetty-util-9.3.8.v20160314.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.3.8.v20160314/1d53c7a7e7715e67d6f4edec6c5b328ee162e65/jetty-util-9.3.8.v20160314.jar

Dependency Hierarchy:

• jetty-server-9.3.8.v20160314.jar (Root Library)
  • jetty-io-9.3.8.v20160314.jar
    • ❌ jetty-util-9.3.8.v20160314.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.

Publish Date: 2017-04-13

URL: CVE-2016-4800

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4800

Release Date: 2017-04-13

Fix Resolution: org.eclipse.jetty:jetty-server:9.3.9.M0,org.eclipse.jetty:jetty-util:9.3.9.M0,org.eclipse.jetty:jetty-runner:9.3.9.M0

⛑️ Automatic Remediation is available for this issue

CVE-2017-7658

Vulnerable Libraries - jetty-http-9.3.8.v20160314.jar, jetty-server-9.3.8.v20160314.jar

jetty-http-9.3.8.v20160314.jar

Administrative parent pom for Jetty modules

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.3.8.v20160314/127feb7407f4137ff4295b5fa2895845db56710/jetty-http-9.3.8.v20160314.jar

Dependency Hierarchy:

• jetty-server-9.3.8.v20160314.jar (Root Library)
  • ❌ jetty-http-9.3.8.v20160314.jar (Vulnerable Library)

jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar

Dependency Hierarchy:

• ❌ jetty-server-9.3.8.v20160314.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Publish Date: 2018-06-26

URL: CVE-2017-7658

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658

Release Date: 2018-06-26

Fix Resolution: org.eclipse.jetty:jetty-server:9.4.11.v20180605,9.3.24.v20180605,9.2.25.v20180606;org.eclipse.jetty.aggregate:jetty-client:9.4.11.v20180605,9.3.24.v20180605,9.2.25.v20180606;org.eclipse.jetty:jetty-http:9.4.11.v20180605,9.3.24.v20180605,9.2.25.v20180606

CVE-2017-9735

Vulnerable Library - jetty-util-9.3.8.v20160314.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.3.8.v20160314/1d53c7a7e7715e67d6f4edec6c5b328ee162e65/jetty-util-9.3.8.v20160314.jar

Dependency Hierarchy:

• jetty-server-9.3.8.v20160314.jar (Root Library)
  • jetty-io-9.3.8.v20160314.jar
    • ❌ jetty-util-9.3.8.v20160314.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Publish Date: 2017-06-16

URL: CVE-2017-9735

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5784

Release Date: 2017-06-16

Fix Resolution: 9.4.7.RC0

CVE-2017-7656

Vulnerable Libraries - jetty-server-9.3.8.v20160314.jar, jetty-http-9.3.8.v20160314.jar

jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar

Dependency Hierarchy:

• ❌ jetty-server-9.3.8.v20160314.jar (Vulnerable Library)

jetty-http-9.3.8.v20160314.jar

Administrative parent pom for Jetty modules

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.3.8.v20160314/127feb7407f4137ff4295b5fa2895845db56710/jetty-http-9.3.8.v20160314.jar

Dependency Hierarchy:

• jetty-server-9.3.8.v20160314.jar (Root Library)
  • ❌ jetty-http-9.3.8.v20160314.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Publish Date: 2018-06-26

URL: CVE-2017-7656

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667

Release Date: 2018-06-26

Fix Resolution: org.eclipse.jetty:jetty-server:9.2.25.v20180606,9.3.24.v20180605,9.4.11.v20180605;org.eclipse.jetty:jetty-http:9.2.25.v20180606.,9.3.24.v20180605,9.4.11.v20180605

CVE-2021-28165

Vulnerable Library - jetty-io-9.3.8.v20160314.jar

Administrative parent pom for Jetty modules

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-io/9.3.8.v20160314/371e3c2b72d9a9737579ec0fdfd6a2a3ab8b8141/jetty-io-9.3.8.v20160314.jar

Dependency Hierarchy:

• jetty-server-9.3.8.v20160314.jar (Root Library)
  • ❌ jetty-io-9.3.8.v20160314.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

Publish Date: 2021-04-01

URL: CVE-2021-28165

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-26vr-8j45-3r4w

Release Date: 2021-04-01

Fix Resolution: org.eclipse.jetty:jetty-io:9.4.39, org.eclipse.jetty:jetty-io:10.0.2, org.eclipse.jetty:jetty-io:11.0.2

CVE-2019-10241

Vulnerable Libraries - jetty-util-9.3.8.v20160314.jar, jetty-server-9.3.8.v20160314.jar

jetty-util-9.3.8.v20160314.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.3.8.v20160314/1d53c7a7e7715e67d6f4edec6c5b328ee162e65/jetty-util-9.3.8.v20160314.jar

Dependency Hierarchy:

• jetty-server-9.3.8.v20160314.jar (Root Library)
  • jetty-io-9.3.8.v20160314.jar
    • ❌ jetty-util-9.3.8.v20160314.jar (Vulnerable Library)

jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar

Dependency Hierarchy:

• ❌ jetty-server-9.3.8.v20160314.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

Publish Date: 2019-04-22

URL: CVE-2019-10241

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241

Release Date: 2019-04-22

Fix Resolution: org.eclipse.jetty:jetty-server:9.2.27,9.3.26,9.4.16,org.eclipse.jetty:jetty-servlet:9.2.27,9.3.26,9.4.16,org.eclipse.jetty:jetty-util:9.2.27,9.3.26,9.4.16

⛑️ Automatic Remediation is available for this issue

CVE-2018-12536

Vulnerable Libraries - jetty-util-9.3.8.v20160314.jar, jetty-server-9.3.8.v20160314.jar

jetty-util-9.3.8.v20160314.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.3.8.v20160314/1d53c7a7e7715e67d6f4edec6c5b328ee162e65/jetty-util-9.3.8.v20160314.jar

Dependency Hierarchy:

• jetty-server-9.3.8.v20160314.jar (Root Library)
  • jetty-io-9.3.8.v20160314.jar
    • ❌ jetty-util-9.3.8.v20160314.jar (Vulnerable Library)

jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar

Dependency Hierarchy:

• ❌ jetty-server-9.3.8.v20160314.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Publish Date: 2018-06-27

URL: CVE-2018-12536

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: jetty/jetty.project@ad4dceb

Release Date: 2018-06-27

Fix Resolution: org.eclipse.jetty:jetty-server:9.3.24.v20180605,9.4.11.v20180605,org.eclipse.jetty:jetty-util:9.3.24.v20180605,9.4.11.v20180605,org.eclipse.jetty:jetty-servlet:9.3.24.v20180605,9.4.11.v20180605

⛑️ Automatic Remediation is available for this issue

CVE-2019-10247

Vulnerable Library - jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar

Dependency Hierarchy:

• ❌ jetty-server-9.3.8.v20160314.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.

Publish Date: 2019-04-22

URL: CVE-2019-10247

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577

Release Date: 2019-04-22

Fix Resolution: 9.2.28.v20190418

⛑️ Automatic Remediation is available for this issue

CVE-2021-28169

Vulnerable Libraries - jetty-server-9.3.8.v20160314.jar, jetty-http-9.3.8.v20160314.jar

jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar

Dependency Hierarchy:

• ❌ jetty-server-9.3.8.v20160314.jar (Vulnerable Library)

jetty-http-9.3.8.v20160314.jar

Administrative parent pom for Jetty modules

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.3.8.v20160314/127feb7407f4137ff4295b5fa2895845db56710/jetty-http-9.3.8.v20160314.jar

Dependency Hierarchy:

• jetty-server-9.3.8.v20160314.jar (Root Library)
  • ❌ jetty-http-9.3.8.v20160314.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Publish Date: 2021-06-09

URL: CVE-2021-28169

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gwcr-j4wh-j3cq

Release Date: 2021-06-09

Fix Resolution: org.eclipse.jetty:jetty-runner:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-http:9.4.41.v20210516, 10.0.3, 11.0.3,org.eclipse.jetty:jetty-servlets:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-server:9.4.41.v20210516, 10.0.3, 11.0.3

⛑️ Automatic Remediation is available for this issue

CVE-2021-34428

Vulnerable Library - jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar

Dependency Hierarchy:

• ❌ jetty-server-9.3.8.v20160314.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.

Publish Date: 2021-06-22

URL: CVE-2021-34428

CVSS 3 Score Details (3.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Physical
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-m6cp-vxjx-65j6

Release Date: 2021-06-22

Fix Resolution: org.eclipse.jetty:jetty-server:9.4.41.v20210516,10.0.3,11.0.3

⛑️ Automatic Remediation is available for this issue

Vulnerable Library - guava-28.2-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava

Path to dependency file: /build.gradle

Path to vulnerable library: /gradle/caches/modules-2/files-2.1/com.google.guava/guava/28.2-jre/8ec9ed76528425762174f0011ce8f74ad845b756/guava-28.2-jre.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/28.2-jre/8ec9ed76528425762174f0011ce8f74ad845b756/guava-28.2-jre.jar

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

CVE-2020-8908

Vulnerable Library - guava-28.2-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava

Path to dependency file: /build.gradle

Path to vulnerable library: /gradle/caches/modules-2/files-2.1/com.google.guava/guava/28.2-jre/8ec9ed76528425762174f0011ce8f74ad845b756/guava-28.2-jre.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/28.2-jre/8ec9ed76528425762174f0011ce8f74ad845b756/guava-28.2-jre.jar

Dependency Hierarchy:

• ❌ guava-28.2-jre.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

Publish Date: 2020-12-10

URL: CVE-2020-8908

CVSS 3 Score Details (3.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908

Release Date: 2020-12-10

Fix Resolution: v30.0

⛑️ Automatic Remediation is available for this issue

Vulnerable Library - guava-29.0-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava

Path to dependency file: /pom.xml

Path to vulnerable library: /232440_LELXSW/downloadResource_TBUAXR/20220331232450/guava-29.0-jre.jar

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

CVE-2020-8908

Vulnerable Library - guava-29.0-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava

Path to dependency file: /pom.xml

Path to vulnerable library: /232440_LELXSW/downloadResource_TBUAXR/20220331232450/guava-29.0-jre.jar

Dependency Hierarchy:

• ❌ guava-29.0-jre.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

Publish Date: 2020-12-10

URL: CVE-2020-8908

CVSS 3 Score Details (3.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908

Release Date: 2020-12-10

Fix Resolution: v30.0

⛑️ Automatic Remediation is available for this issue

Vulnerable Library - grpc-netty-1.44.1.jar

Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.1.72.Final/a55bac9c3af5f59828207b551a96ac19bbfc341e/netty-common-4.1.72.Final.jar

CVE-2022-24823

Vulnerable Library - netty-common-4.1.72.Final.jar

Library home page: https://netty.io/

Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.1.72.Final/a55bac9c3af5f59828207b551a96ac19bbfc341e/netty-common-4.1.72.Final.jar

Dependency Hierarchy:

• grpc-netty-1.44.1.jar (Root Library)
  • netty-handler-proxy-4.1.72.Final.jar
    • ❌ netty-common-4.1.72.Final.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-http prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own java.io.tmpdir when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.

Publish Date: 2022-05-06

URL: CVE-2022-24823

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24823

Release Date: 2022-05-06

Fix Resolution: io.netty:netty-all;io.netty:netty-common - 4.1.77.Final

Vulnerable Library - rejoiner-grpc-0.4.0-SNAPSHOT.jar

Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.20.0/3c72ddaaab7ffafe789e4f732c1fd614eb798bf4/protobuf-java-3.20.0.jar

CVE-2022-3510

Vulnerable Library - protobuf-java-3.20.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.20.0/3c72ddaaab7ffafe789e4f732c1fd614eb798bf4/protobuf-java-3.20.0.jar

Dependency Hierarchy:

• rejoiner-grpc-0.4.0-SNAPSHOT.jar (Root Library)
  • ❌ protobuf-java-3.20.0.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-12-12

URL: CVE-2022-3510

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-4gg5-vx3j-xwc7

Release Date: 2022-12-12

Fix Resolution: com.google.protobuf:protobuf-java:3.21.7,3.20.3,3.19.6,3.16.3

CVE-2022-3509

Vulnerable Library - protobuf-java-3.20.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.20.0/3c72ddaaab7ffafe789e4f732c1fd614eb798bf4/protobuf-java-3.20.0.jar

Dependency Hierarchy:

• rejoiner-grpc-0.4.0-SNAPSHOT.jar (Root Library)
  • ❌ protobuf-java-3.20.0.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-12-12

URL: CVE-2022-3509

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509

Release Date: 2022-12-12

Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7

CVE-2022-3171

Vulnerable Library - protobuf-java-3.20.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.20.0/3c72ddaaab7ffafe789e4f732c1fd614eb798bf4/protobuf-java-3.20.0.jar

Dependency Hierarchy:

• rejoiner-grpc-0.4.0-SNAPSHOT.jar (Root Library)
  • ❌ protobuf-java-3.20.0.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-10-12

URL: CVE-2022-3171

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4h5-3hr4-j3g2

Release Date: 2022-10-12

Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-javalite:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin:3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin-lite:3.19.6,3.20.3,3.21.7;google-protobuf - 3.19.6,3.20.3,3.21.7

Vulnerable Library - jetty-server-11.0.8.jar

Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-io/11.0.8/c78472dd805be404e0adf2b33315c7b2bb49144c/jetty-io-11.0.8.jar

CVE-2022-2191

Vulnerable Library - jetty-io-11.0.8.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-io/11.0.8/c78472dd805be404e0adf2b33315c7b2bb49144c/jetty-io-11.0.8.jar

Dependency Hierarchy:

• jetty-server-11.0.8.jar (Root Library)
  • ❌ jetty-io-11.0.8.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths.

Publish Date: 2022-07-07

URL: CVE-2022-2191

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2191

Release Date: 2022-07-07

Fix Resolution (org.eclipse.jetty:jetty-io): 11.0.10

Direct dependency fix Resolution (org.eclipse.jetty:jetty-server): 11.0.10

⛑️ Automatic Remediation is available for this issue

CVE-2022-2047

Vulnerable Libraries - jetty-http-11.0.8.jar, jetty-server-11.0.8.jar

jetty-http-11.0.8.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/11.0.8/ae463766ab49eaa89e6d13608a47a920ed14638a/jetty-http-11.0.8.jar

Dependency Hierarchy:

• jetty-server-11.0.8.jar (Root Library)
  • ❌ jetty-http-11.0.8.jar (Vulnerable Library)

jetty-server-11.0.8.jar

The core jetty server artifact.

Library home page: https://eclipse.org/jetty

Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle

Path to vulnerable library: /e/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/11.0.8/49f0408a1ee871bf430690a33c327fc22ee1b027/jetty-server-11.0.8.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/11.0.8/49f0408a1ee871bf430690a33c327fc22ee1b027/jetty-server-11.0.8.jar

Dependency Hierarchy:

• ❌ jetty-server-11.0.8.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.

Publish Date: 2022-07-07

URL: CVE-2022-2047

CVSS 3 Score Details (2.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-cj7v-27pg-wf7q

Release Date: 2022-07-07

Fix Resolution (org.eclipse.jetty:jetty-http): 11.0.12

Direct dependency fix Resolution (org.eclipse.jetty:jetty-server): 11.0.10

⛑️ Automatic Remediation is available for this issue

Vulnerable Library - grpc-netty-1.26.0.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.42.Final/5f71267aa784d0e6c5ec09fb988339d244b205a0/netty-codec-http-4.1.42.Final.jar

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

CVE-2019-20445

Vulnerable Library - netty-codec-http-4.1.42.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.42.Final/5f71267aa784d0e6c5ec09fb988339d244b205a0/netty-codec-http-4.1.42.Final.jar

Dependency Hierarchy:

• grpc-netty-1.26.0.jar (Root Library)
  • netty-handler-proxy-4.1.42.Final.jar
    • ❌ netty-codec-http-4.1.42.Final.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.

Publish Date: 2020-01-29

URL: CVE-2019-20445

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445

Release Date: 2020-01-29

Fix Resolution: io.netty:netty-codec-http:4.1.44

CVE-2019-20444

Vulnerable Library - netty-codec-http-4.1.42.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.42.Final/5f71267aa784d0e6c5ec09fb988339d244b205a0/netty-codec-http-4.1.42.Final.jar

Dependency Hierarchy:

• grpc-netty-1.26.0.jar (Root Library)
  • netty-handler-proxy-4.1.42.Final.jar
    • ❌ netty-codec-http-4.1.42.Final.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."

Publish Date: 2020-01-29

URL: CVE-2019-20444

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444

Release Date: 2020-01-29

Fix Resolution: io.netty:netty-all:4.1.44.Final

CVE-2020-7238

Vulnerable Library - netty-codec-http-4.1.42.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.42.Final/5f71267aa784d0e6c5ec09fb988339d244b205a0/netty-codec-http-4.1.42.Final.jar

Dependency Hierarchy:

• grpc-netty-1.26.0.jar (Root Library)
  • netty-handler-proxy-4.1.42.Final.jar
    • ❌ netty-codec-http-4.1.42.Final.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.

Publish Date: 2020-01-27

URL: CVE-2020-7238

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: netty/netty#9861

Release Date: 2020-01-27

Fix Resolution: io.netty:netty-all:4.1.44.Final;io.netty:netty-codec-http:4.1.44.Final

CVE-2020-11612

Vulnerable Library - netty-codec-4.1.42.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.42.Final/b1d5ed85a558fbbadc2783f869fbd0adcd32b07b/netty-codec-4.1.42.Final.jar

Dependency Hierarchy:

• grpc-netty-1.26.0.jar (Root Library)
  • netty-handler-proxy-4.1.42.Final.jar
    • ❌ netty-codec-4.1.42.Final.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.

Publish Date: 2020-04-07

URL: CVE-2020-11612

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://netty.io/news/2020/02/28/4-1-46-Final.html

Release Date: 2020-04-07

Fix Resolution: io.netty:netty-codec:4.1.46.Final;io.netty:netty-all:4.1.46.Final

CVE-2021-37136

Vulnerable Library - netty-codec-4.1.42.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.42.Final/b1d5ed85a558fbbadc2783f869fbd0adcd32b07b/netty-codec-4.1.42.Final.jar

Dependency Hierarchy:

• grpc-netty-1.26.0.jar (Root Library)
  • netty-handler-proxy-4.1.42.Final.jar
    • ❌ netty-codec-4.1.42.Final.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack

Publish Date: 2021-10-19

URL: CVE-2021-37136

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-grg4-wf29-r9vv

Release Date: 2021-10-19

Fix Resolution: io.netty:netty-codec:4.1.68.Final;io.netty:netty-all::4.1.68.Final

CVE-2021-37137

Vulnerable Library - netty-codec-4.1.42.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.42.Final/b1d5ed85a558fbbadc2783f869fbd0adcd32b07b/netty-codec-4.1.42.Final.jar

Dependency Hierarchy:

• grpc-netty-1.26.0.jar (Root Library)
  • netty-handler-proxy-4.1.42.Final.jar
    • ❌ netty-codec-4.1.42.Final.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.

Publish Date: 2021-10-19

URL: CVE-2021-37137

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-9vjp-v76f-g363

Release Date: 2021-10-19

Fix Resolution: io.netty:netty-codec:4.1.68.Final;io.netty:netty-all:4.1.68.Final

WS-2020-0408

Vulnerable Library - netty-handler-4.1.42.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.42.Final/fc6546be5df552d9729f008d8d41a6dee28127aa/netty-handler-4.1.42.Final.jar

Dependency Hierarchy:

• grpc-netty-1.26.0.jar (Root Library)
  • netty-handler-proxy-4.1.42.Final.jar
    • netty-codec-http-4.1.42.Final.jar
      • ❌ netty-handler-4.1.42.Final.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

An issue was found in all versions of io.netty:netty-all. Host verification in Netty is disabled by default. This can lead to MITM attack in which an attacker can forge valid SSL/TLS certificates for a different hostname in order to intercept traffic that doesn’t intend for him. This is an issue because the certificate is not matched with the host.

Publish Date: 2020-06-22

URL: WS-2020-0408

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2020-0408

Release Date: 2020-06-22

Fix Resolution: io.netty:netty-all - 4.1.68.Final-redhat-00001,4.0.0.Final,4.1.67.Final-redhat-00002;io.netty:netty-handler - 4.1.68.Final-redhat-00001,4.1.67.Final-redhat-00001

CVE-2021-43797

Vulnerable Library - netty-codec-http-4.1.42.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.42.Final/5f71267aa784d0e6c5ec09fb988339d244b205a0/netty-codec-http-4.1.42.Final.jar

Dependency Hierarchy:

• grpc-netty-1.26.0.jar (Root Library)
  • netty-handler-proxy-4.1.42.Final.jar
    • ❌ netty-codec-http-4.1.42.Final.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.

Publish Date: 2021-12-09

URL: CVE-2021-43797

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: CVE-2021-43797

Release Date: 2021-12-09

Fix Resolution: io.netty:netty-codec-http:4.1.71.Final,io.netty:netty-all:4.1.71.Final

CVE-2021-21295

Vulnerable Libraries - netty-codec-http-4.1.42.Final.jar, netty-codec-http2-4.1.42.Final.jar

netty-codec-http-4.1.42.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.42.Final/5f71267aa784d0e6c5ec09fb988339d244b205a0/netty-codec-http-4.1.42.Final.jar

Dependency Hierarchy:

• grpc-netty-1.26.0.jar (Root Library)
  • netty-handler-proxy-4.1.42.Final.jar
    • ❌ netty-codec-http-4.1.42.Final.jar (Vulnerable Library)

netty-codec-http2-4.1.42.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.42.Final/819e7b5f2005770cf7558c04276fff080331c6df/netty-codec-http2-4.1.42.Final.jar

Dependency Hierarchy:

• grpc-netty-1.26.0.jar (Root Library)
  • ❌ netty-codec-http2-4.1.42.Final.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (HttpRequest, HttpContent, etc.) via Http2StreamFrameToHttpObjectCodec and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: HTTP2MultiplexCodec or Http2FrameCodec is used, Http2StreamFrameToHttpObjectCodec is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom ChannelInboundHandler that is put in the ChannelPipeline behind Http2StreamFrameToHttpObjectCodec.

Publish Date: 2021-03-09

URL: CVE-2021-21295

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-wm47-8v5p-wjpj

Release Date: 2021-03-09

Fix Resolution: io.netty:netty-all:4.1.60;io.netty:netty-codec-http:4.1.60;io.netty:netty-codec-http2:4.1.60

CVE-2021-21409

Vulnerable Library - netty-codec-http2-4.1.42.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.42.Final/819e7b5f2005770cf7558c04276fff080331c6df/netty-codec-http2-4.1.42.Final.jar

Dependency Hierarchy:

• grpc-netty-1.26.0.jar (Root Library)
  • ❌ netty-codec-http2-4.1.42.Final.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

Publish Date: 2021-03-30

URL: CVE-2021-21409

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-f256-j965-7f32

Release Date: 2021-03-30

Fix Resolution: io.netty:netty-codec-http2:4.1.61.Final

CVE-2021-21290

Vulnerable Libraries - netty-codec-http-4.1.42.Final.jar, netty-handler-4.1.42.Final.jar

netty-codec-http-4.1.42.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.42.Final/5f71267aa784d0e6c5ec09fb988339d244b205a0/netty-codec-http-4.1.42.Final.jar

Dependency Hierarchy:

• grpc-netty-1.26.0.jar (Root Library)
  • netty-handler-proxy-4.1.42.Final.jar
    • ❌ netty-codec-http-4.1.42.Final.jar (Vulnerable Library)

netty-handler-4.1.42.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.42.Final/fc6546be5df552d9729f008d8d41a6dee28127aa/netty-handler-4.1.42.Final.jar

Dependency Hierarchy:

• grpc-netty-1.26.0.jar (Root Library)
  • netty-handler-proxy-4.1.42.Final.jar
    • netty-codec-http-4.1.42.Final.jar
      • ❌ netty-handler-4.1.42.Final.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.

Publish Date: 2021-02-08

URL: CVE-2021-21290

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-5mcr-gq6c-3hq2

Release Date: 2021-02-08

Fix Resolution: io.netty:netty-codec-http:4.1.59.Final

Vulnerable Library - grpc-netty-1.44.1.jar

Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.72.Final/9feee089fee606c64be90c0332db9aef1f7d8e46/netty-handler-4.1.72.Final.jar

Found in HEAD commit: 2658eb632f2ad201c19c841ec5711166a4c40ed2

CVE-2023-34462

Vulnerable Library - netty-handler-4.1.72.Final.jar

Library home page: https://netty.io/

Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.72.Final/9feee089fee606c64be90c0332db9aef1f7d8e46/netty-handler-4.1.72.Final.jar

Dependency Hierarchy:

• grpc-netty-1.44.1.jar (Root Library)
  • netty-codec-http2-4.1.72.Final.jar
    • ❌ netty-handler-4.1.72.Final.jar (Vulnerable Library)

Found in HEAD commit: 2658eb632f2ad201c19c841ec5711166a4c40ed2

Found in base branch: main

Vulnerability Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler to allocate 16MB of heap. The SniHandler class is a handler that waits for the TLS handshake to configure a SslHandler according to the indicated server name by the ClientHello record. For this matter it allocates a ByteBuf using the value defined in the ClientHello record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the SslClientHelloHandler. This vulnerability has been fixed in version 4.1.94.Final.

Publish Date: 2023-06-22

URL: CVE-2023-34462

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-6mjq-h674-j845

Release Date: 2023-06-22

Fix Resolution (io.netty:netty-handler): 4.1.94.Final

Direct dependency fix Resolution (io.grpc:grpc-netty): 1.50.3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24823

Vulnerable Library - netty-common-4.1.72.Final.jar

Library home page: https://netty.io/

Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.1.72.Final/a55bac9c3af5f59828207b551a96ac19bbfc341e/netty-common-4.1.72.Final.jar

Dependency Hierarchy:

• grpc-netty-1.44.1.jar (Root Library)
  • netty-handler-proxy-4.1.72.Final.jar
    • ❌ netty-common-4.1.72.Final.jar (Vulnerable Library)

Found in HEAD commit: 2658eb632f2ad201c19c841ec5711166a4c40ed2

Found in base branch: main

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-http prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own java.io.tmpdir when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.

Publish Date: 2022-05-06

URL: CVE-2022-24823

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24823

Release Date: 2022-05-06

Fix Resolution: io.netty:netty-all;io.netty:netty-common - 4.1.77.Final

Vulnerable Library - jetty-servlet-9.3.8.v20160314.jar

Jetty Servlet Container

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /pom.xml

Path to vulnerable library: /232440_LELXSW/downloadResource_TBUAXR/20220331232450/jetty-servlet-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-servlet/9.3.8.v20160314/ea5f25d3326d7745d9c21d405dcf6f878efbd5fb/jetty-servlet-9.3.8.v20160314.jar

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

CVE-2019-10241

Vulnerable Library - jetty-servlet-9.3.8.v20160314.jar

Jetty Servlet Container

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /pom.xml

Path to vulnerable library: /232440_LELXSW/downloadResource_TBUAXR/20220331232450/jetty-servlet-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-servlet/9.3.8.v20160314/ea5f25d3326d7745d9c21d405dcf6f878efbd5fb/jetty-servlet-9.3.8.v20160314.jar

Dependency Hierarchy:

• ❌ jetty-servlet-9.3.8.v20160314.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

Publish Date: 2019-04-22

URL: CVE-2019-10241

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241

Release Date: 2019-04-22

Fix Resolution: org.eclipse.jetty:jetty-server:9.2.27,9.3.26,9.4.16,org.eclipse.jetty:jetty-servlet:9.2.27,9.3.26,9.4.16,org.eclipse.jetty:jetty-util:9.2.27,9.3.26,9.4.16

⛑️ Automatic Remediation is available for this issue

CVE-2018-12536

Vulnerable Library - jetty-servlet-9.3.8.v20160314.jar

Jetty Servlet Container

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /pom.xml

Path to vulnerable library: /232440_LELXSW/downloadResource_TBUAXR/20220331232450/jetty-servlet-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-servlet/9.3.8.v20160314/ea5f25d3326d7745d9c21d405dcf6f878efbd5fb/jetty-servlet-9.3.8.v20160314.jar

Dependency Hierarchy:

• ❌ jetty-servlet-9.3.8.v20160314.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Publish Date: 2018-06-27

URL: CVE-2018-12536

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: jetty/jetty.project@ad4dceb

Release Date: 2018-06-27

Fix Resolution: org.eclipse.jetty:jetty-server:9.3.24.v20180605,9.4.11.v20180605,org.eclipse.jetty:jetty-util:9.3.24.v20180605,9.4.11.v20180605,org.eclipse.jetty:jetty-servlet:9.3.24.v20180605,9.4.11.v20180605

⛑️ Automatic Remediation is available for this issue

Vulnerable Library - protobuf-java-util-3.11.1.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.6/9180733b7df8542621dc12e21e87557e8c99b8cb/gson-2.8.6.jar

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

WS-2021-0419

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.6/9180733b7df8542621dc12e21e87557e8c99b8cb/gson-2.8.6.jar

Dependency Hierarchy:

• protobuf-java-util-3.11.1.jar (Root Library)
  • ❌ gson-2.8.6.jar (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

Vulnerability Details

Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/google/gson/releases/tag/gson-parent-2.8.9

Release Date: 2021-10-11

Fix Resolution: com.google.code.gson:gson:2.8.9

Vulnerable Library - jetty-server-11.0.8.jar

Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-io/11.0.8/c78472dd805be404e0adf2b33315c7b2bb49144c/jetty-io-11.0.8.jar

CVE-2022-2191

Vulnerable Library - jetty-io-11.0.8.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-io/11.0.8/c78472dd805be404e0adf2b33315c7b2bb49144c/jetty-io-11.0.8.jar

Dependency Hierarchy:

• jetty-server-11.0.8.jar (Root Library)
  • ❌ jetty-io-11.0.8.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths.

Publish Date: 2022-07-07

URL: CVE-2022-2191

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2191

Release Date: 2022-07-07

Fix Resolution (org.eclipse.jetty:jetty-io): 11.0.10

Direct dependency fix Resolution (org.eclipse.jetty:jetty-server): 11.0.10

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-2047

Vulnerable Libraries - jetty-http-11.0.8.jar, jetty-server-11.0.8.jar

jetty-http-11.0.8.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/11.0.8/ae463766ab49eaa89e6d13608a47a920ed14638a/jetty-http-11.0.8.jar

Dependency Hierarchy:

• jetty-server-11.0.8.jar (Root Library)
  • ❌ jetty-http-11.0.8.jar (Vulnerable Library)

jetty-server-11.0.8.jar

The core jetty server artifact.

Library home page: https://eclipse.org/jetty

Path to dependency file: /tmp/ws-scm/graphql-full/build.gradle

Path to vulnerable library: /e/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/11.0.8/49f0408a1ee871bf430690a33c327fc22ee1b027/jetty-server-11.0.8.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/11.0.8/49f0408a1ee871bf430690a33c327fc22ee1b027/jetty-server-11.0.8.jar

Dependency Hierarchy:

• ❌ jetty-server-11.0.8.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.

Publish Date: 2022-07-07

URL: CVE-2022-2047

CVSS 3 Score Details (2.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-cj7v-27pg-wf7q

Release Date: 2022-07-07

Fix Resolution (org.eclipse.jetty:jetty-http): 11.0.10

Direct dependency fix Resolution (org.eclipse.jetty:jetty-server): 11.0.10

⛑️ Automatic Remediation will be attempted for this issue.