scalatestplus-play_2.12-3.1.2.jar: 25 vulnerabilities (highest severity is: 9.8) #116
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Path to dependency file: /test/demo-helper/play-helper/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/net.sourceforge.htmlunit/htmlunit/2.27/aea70f853583b0eadcaa6a0429595973036cc745/htmlunit-2.27.jar
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - htmlunit-2.27.jar
A headless browser intended for use in testing web-based applications.
Library home page: http://htmlunit.sourceforge.net
Path to dependency file: /test/demo-helper/play-helper/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/net.sourceforge.htmlunit/htmlunit/2.27/aea70f853583b0eadcaa6a0429595973036cc745/htmlunit-2.27.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Versions of the package net.sourceforge.htmlunit:htmlunit from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSLT, when browsing the attacker’s webpage.
Publish Date: 2023-04-03
URL: CVE-2023-26119
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 2.2%
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26119
Release Date: 2023-04-03
Fix Resolution: net.sourceforge.htmlunit:htmlunit:3.0.0
Vulnerable Library - jetty-http-9.4.5.v20170502.jar
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /test/demo-helper/play-helper/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.4.5.v20170502/c51b8a6a67d64672889249dd958edd77bff8fc0c/jetty-http-9.4.5.v20170502.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
Publish Date: 2018-06-26
URL: CVE-2017-7658
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.2%
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658
Release Date: 2018-06-26
Fix Resolution (org.eclipse.jetty:jetty-http): 9.4.11.v20180605
Direct dependency fix Resolution (org.scalatestplus.play:scalatestplus-play_2.12): 4.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - jetty-http-9.4.5.v20170502.jar
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /test/demo-helper/play-helper/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.4.5.v20170502/c51b8a6a67d64672889249dd958edd77bff8fc0c/jetty-http-9.4.5.v20170502.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
Publish Date: 2018-06-26
URL: CVE-2017-7657
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.70000005%
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668
Release Date: 2018-06-26
Fix Resolution (org.eclipse.jetty:jetty-http): 9.4.11.v20180605
Direct dependency fix Resolution (org.scalatestplus.play:scalatestplus-play_2.12): 4.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - htmlunit-2.27.jar
A headless browser intended for use in testing web-based applications.
Library home page: http://htmlunit.sourceforge.net
Path to dependency file: /test/demo-helper/play-helper/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/net.sourceforge.htmlunit/htmlunit/2.27/aea70f853583b0eadcaa6a0429595973036cc745/htmlunit-2.27.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes the Rhino engine improperly, hence malicious JavaScript code can execute arbitrary Java code on the application. Moreover, when embedded in an Android application, the Android-specific initialization of the Rhino engine is done in an improper way, hence malicious JavaScript code can execute arbitrary Java code on the application.
Publish Date: 2020-02-11
URL: CVE-2020-5529
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-02-11
Fix Resolution: net.sourceforge.htmlunit:htmlunit:2.37.0
Vulnerable Library - gson-2.8.0.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /test/demo-helper/play-helper/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.0/c4ba5371a29ac9b2ad6129b1d39ea38750043eff/gson-2.8.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-10-11
Fix Resolution: com.google.code.gson:gson:2.8.9
Vulnerable Library - jna-platform-4.1.0.jar
Java Native Access Platform
Library home page: https://github.com/twall/jna
Path to dependency file: /test/demo-helper/play-helper/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/net.java.dev.jna/jna-platform/4.1.0/23457ad1cf75c2c16763330de5565a0e67b4bc0a/jna-platform-4.1.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
JNA prior to 5.0.0 was discovered to contain an out-of-bounds read. Advapi32Util.registryGetValues does not terminate the returned string with null terminators. When it tries to identify the string content it searches for the next null-terminator and will read out-of-bounds of the buffer.
Publish Date: 2014-06-24
URL: WS-2014-0065
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2014-06-24
Fix Resolution (net.java.dev.jna:jna-platform): 5.0.0
Direct dependency fix Resolution (org.scalatestplus.play:scalatestplus-play_2.12): 4.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - jetty-http-9.4.5.v20170502.jar
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /test/demo-helper/play-helper/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.4.5.v20170502/c51b8a6a67d64672889249dd958edd77bff8fc0c/jetty-http-9.4.5.v20170502.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in MetaDataBuilder.checkSize allows for HTTP/2 HPACK header values to exceed their size limit. MetaDataBuilder.java determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. (_size+length) will now be negative, and the check on line 296 will not be triggered. Furthermore, MetaDataBuilder.checkSize allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
Publish Date: 2023-10-10
URL: CVE-2023-36478
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-wgh7-54f2-x98r
Release Date: 2023-10-10
Fix Resolution: org.eclipse.jetty.http2:http2-hpack:9.4.53.v20231009,10.0.16,11.0.16;org.eclipse.jetty.http3:http3-qpack:10.0.16,11.0.16;org.eclipse.jetty:jetty-http:9.4.53.v20231009,10.0.16,11.0.16
Vulnerable Library - htmlunit-2.27.jar
A headless browser intended for use in testing web-based applications.
Library home page: http://htmlunit.sourceforge.net
Path to dependency file: /test/demo-helper/play-helper/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/net.sourceforge.htmlunit/htmlunit/2.27/aea70f853583b0eadcaa6a0429595973036cc745/htmlunit-2.27.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Those using HtmlUnit to browse untrusted webpages may be vulnerable to Denial of service attacks (DoS). If HtmlUnit is running on user supplied web pages, an attacker may supply content that causes HtmlUnit to crash by a stack overflow. This effect may support a denial of service attack. This issue affects htmlunit before 2.70.0.
Publish Date: 2023-05-25
URL: CVE-2023-2798
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2023-05-25
Fix Resolution: net.sourceforge.htmlunit:htmlunit:2.70.0
Vulnerable Library - xalan-2.7.2.jar
Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other program.
Library home page: http://xml.apache.org/xalan-j/
Path to dependency file: /test/demo-helper/play-helper/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/xalan/xalan/2.7.2/d55d3f02a56ec4c25695fe67e1334ff8c2ecea23/xalan-2.7.2.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
Publish Date: 2022-07-19
URL: CVE-2022-34169
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-9339-86wc-4qgf
Release Date: 2022-07-19
Fix Resolution: xalan:xalan:2.7.3
Vulnerable Library - neko-htmlunit-2.27.jar
HtmlUnit adaptation of NekoHtml. It has the same functionality but exposing HTMLElements to be overridden.
Library home page: http://htmlunit.sourceforge.net
Path to dependency file: /test/demo-helper/play-helper/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/net.sourceforge.htmlunit/neko-htmlunit/2.27/a1afb1fd290cc6d076639d852b80943c10ace0a2/neko-htmlunit-2.27.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction (PI) data leads to heap memory consumption. This is similar to CVE-2022-28366 but affects a much later version of the product.
Publish Date: 2022-04-25
URL: CVE-2022-29546
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-04-25
Fix Resolution: net.sourceforge.htmlunit:neko-htmlunit:2.61.0
Vulnerable Library - gson-2.8.0.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /test/demo-helper/play-helper/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.0/c4ba5371a29ac9b2ad6129b1d39ea38750043eff/gson-2.8.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Publish Date: 2022-05-01
URL: CVE-2022-25647
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647
Release Date: 2022-05-01
Fix Resolution: com.google.code.gson:gson:gson-parent-2.8.9
Vulnerable Library - jetty-io-9.4.5.v20170502.jar
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /test/demo-helper/play-helper/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-io/9.4.5.v20170502/76086f955d4e943396b8f340fd5bae3ce4da19d9/jetty-io-9.4.5.v20170502.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
Publish Date: 2021-04-01
URL: CVE-2021-28165
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 80.2%
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-26vr-8j45-3r4w
Release Date: 2021-04-01
Fix Resolution: org.eclipse.jetty:jetty-io:9.4.39, org.eclipse.jetty:jetty-io:10.0.2, org.eclipse.jetty:jetty-io:11.0.2
Vulnerable Library - play-ws_2.12-2.6.5.jar
Play-WS
Path to dependency file: /test/demo-helper/play-helper/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.typesafe.play/play-ws_2.12/2.6.5/47a852ed178ef948b3a1e93c1c0bb27a4602e647/play-ws_2.12-2.6.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When configured to make requests using an authenticated HTTP proxy, play-ws may sometimes, typically under high load, when connecting to a target host using https, expose the proxy credentials to the target host.
Publish Date: 2020-08-24
URL: CVE-2019-17598
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-442g-gcg6-mhm4
Release Date: 2020-08-24
Fix Resolution (com.typesafe.play:play-ws_2.12): 2.6.24
Direct dependency fix Resolution (org.scalatestplus.play:scalatestplus-play_2.12): 3.1.3
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - xercesImpl-2.11.0.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: https://xerces.apache.org/xerces2-j/
Path to dependency file: /test/demo-helper/play-helper/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.11.0/9bb329db1cfc4e22462c9d6b43a8432f5850e92c/xercesImpl-2.11.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Publish Date: 2017-10-30
URL: CVE-2012-0881
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.9%
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881
Release Date: 2017-10-30
Fix Resolution (xerces:xercesImpl): 2.12.0
Direct dependency fix Resolution (org.scalatestplus.play:scalatestplus-play_2.12): 4.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - xercesImpl-2.11.0.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: https://xerces.apache.org/xerces2-j/
Path to dependency file: /test/demo-helper/play-helper/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.11.0/9bb329db1cfc4e22462c9d6b43a8432f5850e92c/xercesImpl-2.11.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
Publish Date: 2022-01-24
URL: CVE-2022-23437
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.4%
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-h65f-jvqw-m9fj
Release Date: 2022-01-24
Fix Resolution: xerces:xercesImpl:2.12.2
Vulnerable Library - jetty-util-9.4.5.v20170502.jar
Utility classes for Jetty
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /test/demo-helper/play-helper/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.4.5.v20170502/5fd36dfcf39110b809bd9b20cec62706ab694711/jetty-util-9.4.5.v20170502.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.
Publish Date: 2019-04-22
URL: CVE-2019-10241
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.5%
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241
Release Date: 2019-04-22
Fix Resolution (org.eclipse.jetty:jetty-util): 9.4.16.v20190411
Direct dependency fix Resolution (org.scalatestplus.play:scalatestplus-play_2.12): 5.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - xercesImpl-2.11.0.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: https://xerces.apache.org/xerces2-j/
Path to dependency file: /test/demo-helper/play-helper/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.11.0/9bb329db1cfc4e22462c9d6b43a8432f5850e92c/xercesImpl-2.11.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.
Publish Date: 2013-07-23
URL: CVE-2013-4002
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.9%
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002
Release Date: 2013-07-23
Fix Resolution: xerces:xercesImpl:Xerces-J_2_12_0
Vulnerable Library - junit-4.12.jar
JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.
Library home page: http://junit.org
Path to dependency file: /test/demo-helper/play-helper/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/junit/junit/4.12/2973d150c0dc1fefe998f834810d68f278ea58ec/junit-4.12.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
Publish Date: 2020-10-12
URL: CVE-2020-15250
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-269g-pwp5-87pp
Release Date: 2020-10-12
Fix Resolution: junit:junit:4.13.1
Vulnerable Library - jetty-http-9.4.5.v20170502.jar
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /test/demo-helper/play-helper/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.4.5.v20170502/c51b8a6a67d64672889249dd958edd77bff8fc0c/jetty-http-9.4.5.v20170502.jar
Dependency Hierarchy:
Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190
Found in base branch: main
Vulnerability Details
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the + character preceding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
Publish Date: 2023-09-15
URL: CVE-2023-40167
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-hmr7-m48g-48f6
Release Date: 2023-09-15
Fix Resolution: org.eclipse.jetty:jetty-http:9.4.52.v20230823,10.0.16,11.0.16,12.0.1
⛑️ Automatic Remediation will be attempted for this issue.