Closed mend-bolt-for-github[bot] closed 1 year ago
Nice to meet you, @mend-bolt-for-github[bot]. Thank you for creating an issue. There are some tasks for you:
To close issue send comment "close", to reopen - "reopen"
Nice, one of tasks is done
Integer overflow occurs when the result of arithmetic operation is greater than the maximum value the integer data type can store. For example, if an integer data type allows integers up to two bytes or 16 bits in length (or an unsigned number up to decimal 65,535), and two integers are to be added together that will exceed the value of 65,535, the result will be integer overflow.
Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.
Thanks for issue, @mend-bolt-for-github[bot]! @AdamOswald, thank you for closing this issue, I have less work. I will look forward to our next meeting😜
If you want to reopen the issue - type "reopen"
Vulnerable Library - libxml2-2.9.9-he19cac6_0.conda
The XML C parser and toolkit of Gnome
Library home page: http://repo.continuum.io/pkgs/main/linux-64/libxml2-2.9.9-he19cac6_0.conda
Path to dependency file: /module/SwapNet-jwyang-roi-version/environment.yml
Path to vulnerable library: /home/wss-scanner/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda,/home/wss-scanner/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda,/r/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda,/r/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Vulnerabilities
Details
CVE-2022-29824
### Vulnerable Library - libxml2-2.9.9-he19cac6_0.condaThe XML C parser and toolkit of Gnome
Library home page: http://repo.continuum.io/pkgs/main/linux-64/libxml2-2.9.9-he19cac6_0.conda
Path to dependency file: /module/SwapNet-jwyang-roi-version/environment.yml
Path to vulnerable library: /home/wss-scanner/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda,/home/wss-scanner/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda,/r/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda,/r/anaconda3/pkgs/libxml2-2.9.9-he19cac6_0.conda
Dependency Hierarchy: - :x: **libxml2-2.9.9-he19cac6_0.conda** (Vulnerable Library)
Found in HEAD commit: 1def381581db59d139b24ef0a32eed6f8e3b2af8
Found in base branch: master
### Vulnerability DetailsIn libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
Publish Date: 2022-05-03
URL: CVE-2022-29824
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29824
Release Date: 2022-05-03
Fix Resolution: v2.9.14
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)