ChoeMinji / tensorflow-2.2.3

Apache License 2.0
0 stars 0 forks source link

CVE-2014-3643 (High) detected in jersey-server-1.9.jar, jersey-core-1.9.jar #12

Open mend-bolt-for-github[bot] opened 2 years ago

mend-bolt-for-github[bot] commented 2 years ago

CVE-2014-3643 - High Severity Vulnerability

Vulnerable Libraries - jersey-server-1.9.jar, jersey-core-1.9.jar

jersey-server-1.9.jar

Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.

Library home page: https://jersey.java.net/

Path to dependency file: /tensorflow/java/maven/spark-tensorflow-connector/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/sun/jersey/jersey-server/1.9/jersey-server-1.9.jar,/home/wss-scanner/.m2/repository/com/sun/jersey/jersey-server/1.9/jersey-server-1.9.jar

Dependency Hierarchy: - hadoop-common-2.6.0.jar (Root Library) - :x: **jersey-server-1.9.jar** (Vulnerable Library)

jersey-core-1.9.jar

Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.

Library home page: http://www.oracle.com/

Path to dependency file: /tensorflow/java/maven/spark-tensorflow-connector/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/sun/jersey/jersey-core/1.9/jersey-core-1.9.jar,/home/wss-scanner/.m2/repository/com/sun/jersey/jersey-core/1.9/jersey-core-1.9.jar

Dependency Hierarchy: - hadoop-common-2.6.0.jar (Root Library) - :x: **jersey-core-1.9.jar** (Vulnerable Library)

Found in HEAD commit: 1f65fd168afc52c040a47230bb3cb902f7223124

Found in base branch: master

Vulnerability Details

jersey: XXE via parameter entities not disabled by the jersey SAX parser

Publish Date: 2019-12-15

URL: CVE-2014-3643

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3643

Release Date: 2019-12-15

Fix Resolution: com.sun.jersey:jersey-core:1.13;com.sun.jersey:jersey-server:1.13


Step up your Open Source Security Game with Mend here