Open mend-for-github-com[bot] opened 2 years ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
Vulnerable Library - dropwizard-core-1.3.12.jar
Path to dependency file: /BaragonService/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar
Found in HEAD commit: 87f082027b5a45541e1017025780fe8a6a0e951e
Vulnerabilities
Details
CVE-2020-11002
### Vulnerable Library - dropwizard-validation-1.3.12.jarDropwizard is a Java framework for developing ops-friendly, high-performance, RESTful web applications.
Library home page: http://www.dropwizard.io/1.3.12
Path to dependency file: /BaragonService/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/dropwizard/dropwizard-validation/1.3.12/dropwizard-validation-1.3.12.jar,/home/wss-scanner/.m2/repository/io/dropwizard/dropwizard-validation/1.3.12/dropwizard-validation-1.3.12.jar,/home/wss-scanner/.m2/repository/io/dropwizard/dropwizard-validation/1.3.12/dropwizard-validation-1.3.12.jar
Dependency Hierarchy: - dropwizard-core-1.3.12.jar (Root Library) - :x: **dropwizard-validation-1.3.12.jar** (Vulnerable Library)
Found in HEAD commit: 87f082027b5a45541e1017025780fe8a6a0e951e
Found in base branch: master
### Vulnerability Detailsdropwizard-validation before versions 2.0.3 and 1.3.21 has a remote code execution vulnerability. A server-side template injection was identified in the self-validating feature enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you are using a self-validating bean an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 for CVE-2020-5245 unfortunately did not fix the underlying issue completely. The issue has been fixed in dropwizard-validation 1.3.21 and 2.0.3 or later. We strongly recommend upgrading to one of these versions.
Publish Date: 2020-04-10
URL: CVE-2020-11002
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/dropwizard/dropwizard/security/advisories/GHSA-8jpx-m2wh-2v34
Release Date: 2020-04-13
Fix Resolution (io.dropwizard:dropwizard-validation): 1.3.21
Direct dependency fix Resolution (io.dropwizard:dropwizard-core): 1.3.21
:rescue_worker_helmet: Automatic Remediation is available for this issueCVE-2020-5245
### Vulnerable Library - dropwizard-validation-1.3.12.jarDropwizard is a Java framework for developing ops-friendly, high-performance, RESTful web applications.
Library home page: http://www.dropwizard.io/1.3.12
Path to dependency file: /BaragonService/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/dropwizard/dropwizard-validation/1.3.12/dropwizard-validation-1.3.12.jar,/home/wss-scanner/.m2/repository/io/dropwizard/dropwizard-validation/1.3.12/dropwizard-validation-1.3.12.jar,/home/wss-scanner/.m2/repository/io/dropwizard/dropwizard-validation/1.3.12/dropwizard-validation-1.3.12.jar
Dependency Hierarchy: - dropwizard-core-1.3.12.jar (Root Library) - :x: **dropwizard-validation-1.3.12.jar** (Vulnerable Library)
Found in HEAD commit: 87f082027b5a45541e1017025780fe8a6a0e951e
Found in base branch: master
### Vulnerability DetailsDropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.
Publish Date: 2020-02-24
URL: CVE-2020-5245
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5245
Release Date: 2020-02-24
Fix Resolution (io.dropwizard:dropwizard-validation): 1.3.19
Direct dependency fix Resolution (io.dropwizard:dropwizard-core): 1.3.19
:rescue_worker_helmet: Automatic Remediation is available for this issueCVE-2017-18640
### Vulnerable Library - snakeyaml-1.23.jarYAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /BaragonAgentService/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar
Dependency Hierarchy: - dropwizard-core-1.3.12.jar (Root Library) - dropwizard-configuration-1.3.12.jar - jackson-dataformat-yaml-2.9.9.jar - :x: **snakeyaml-1.23.jar** (Vulnerable Library)
Found in HEAD commit: 87f082027b5a45541e1017025780fe8a6a0e951e
Found in base branch: master
### Vulnerability DetailsThe Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
Publish Date: 2019-12-12
URL: CVE-2017-18640
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
Release Date: 2019-12-12
Fix Resolution (org.yaml:snakeyaml): 1.26
Direct dependency fix Resolution (io.dropwizard:dropwizard-core): 2.0.9
:rescue_worker_helmet: Automatic Remediation is available for this issueCVE-2022-25857
### Vulnerable Library - snakeyaml-1.23.jarYAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /BaragonAgentService/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar
Dependency Hierarchy: - dropwizard-core-1.3.12.jar (Root Library) - dropwizard-configuration-1.3.12.jar - jackson-dataformat-yaml-2.9.9.jar - :x: **snakeyaml-1.23.jar** (Vulnerable Library)
Found in HEAD commit: 87f082027b5a45541e1017025780fe8a6a0e951e
Found in base branch: master
### Vulnerability DetailsThe package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
Publish Date: 2022-08-30
URL: CVE-2022-25857
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857
Release Date: 2022-08-30
Fix Resolution (org.yaml:snakeyaml): 1.31
Direct dependency fix Resolution (io.dropwizard:dropwizard-core): 2.0.31
:rescue_worker_helmet: Automatic Remediation is available for this issueCVE-2021-42550
### Vulnerable Library - logback-core-1.2.3.jarlogback-core module
Library home page: http://logback.qos.ch
Path to dependency file: /BaragonServiceIntegrationTests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar
Dependency Hierarchy: - dropwizard-core-1.3.12.jar (Root Library) - dropwizard-logging-1.3.12.jar - :x: **logback-core-1.2.3.jar** (Vulnerable Library)
Found in HEAD commit: 87f082027b5a45541e1017025780fe8a6a0e951e
Found in base branch: master
### Vulnerability DetailsIn logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
Publish Date: 2021-12-16
URL: CVE-2021-42550
### CVSS 3 Score Details (6.6)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=VE-2021-42550
Release Date: 2021-12-16
Fix Resolution (ch.qos.logback:logback-core): 1.2.8
Direct dependency fix Resolution (io.dropwizard:dropwizard-core): 2.0.27
:rescue_worker_helmet: Automatic Remediation is available for this issueCVE-2022-38749
### Vulnerable Library - snakeyaml-1.23.jarYAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /BaragonAgentService/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar
Dependency Hierarchy: - dropwizard-core-1.3.12.jar (Root Library) - dropwizard-configuration-1.3.12.jar - jackson-dataformat-yaml-2.9.9.jar - :x: **snakeyaml-1.23.jar** (Vulnerable Library)
Found in HEAD commit: 87f082027b5a45541e1017025780fe8a6a0e951e
Found in base branch: master
### Vulnerability DetailsUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Publish Date: 2022-09-05
URL: CVE-2022-38749
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.31
Direct dependency fix Resolution (io.dropwizard:dropwizard-core): 2.0.31
:rescue_worker_helmet: Automatic Remediation is available for this issueCVE-2022-38752
### Vulnerable Library - snakeyaml-1.23.jarYAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /BaragonAgentService/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar
Dependency Hierarchy: - dropwizard-core-1.3.12.jar (Root Library) - dropwizard-configuration-1.3.12.jar - jackson-dataformat-yaml-2.9.9.jar - :x: **snakeyaml-1.23.jar** (Vulnerable Library)
Found in HEAD commit: 87f082027b5a45541e1017025780fe8a6a0e951e
Found in base branch: master
### Vulnerability DetailsUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38752
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-9w3m-gqgf-c4p9
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.32
Direct dependency fix Resolution (io.dropwizard:dropwizard-core): 2.0.31
:rescue_worker_helmet: Automatic Remediation is available for this issueCVE-2022-38751
### Vulnerable Library - snakeyaml-1.23.jarYAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /BaragonAgentService/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar
Dependency Hierarchy: - dropwizard-core-1.3.12.jar (Root Library) - dropwizard-configuration-1.3.12.jar - jackson-dataformat-yaml-2.9.9.jar - :x: **snakeyaml-1.23.jar** (Vulnerable Library)
Found in HEAD commit: 87f082027b5a45541e1017025780fe8a6a0e951e
Found in base branch: master
### Vulnerability DetailsUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Publish Date: 2022-09-05
URL: CVE-2022-38751
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.32
Direct dependency fix Resolution (io.dropwizard:dropwizard-core): 2.0.31
:rescue_worker_helmet: Automatic Remediation is available for this issueCVE-2022-38750
### Vulnerable Library - snakeyaml-1.23.jarYAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /BaragonAgentService/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar
Dependency Hierarchy: - dropwizard-core-1.3.12.jar (Root Library) - dropwizard-configuration-1.3.12.jar - jackson-dataformat-yaml-2.9.9.jar - :x: **snakeyaml-1.23.jar** (Vulnerable Library)
Found in HEAD commit: 87f082027b5a45541e1017025780fe8a6a0e951e
Found in base branch: master
### Vulnerability DetailsUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Publish Date: 2022-09-05
URL: CVE-2022-38750
### CVSS 3 Score Details (5.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.31
Direct dependency fix Resolution (io.dropwizard:dropwizard-core): 2.0.31
:rescue_worker_helmet: Automatic Remediation is available for this issueCVE-2020-27223
### Vulnerable Library - jetty-http-9.4.18.v20190429.jarThe Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /BaragonData/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.18.v20190429/jetty-http-9.4.18.v20190429.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.18.v20190429/jetty-http-9.4.18.v20190429.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.18.v20190429/jetty-http-9.4.18.v20190429.jar
Dependency Hierarchy: - dropwizard-core-1.3.12.jar (Root Library) - dropwizard-jetty-1.3.12.jar - :x: **jetty-http-9.4.18.v20190429.jar** (Vulnerable Library)
Found in HEAD commit: 87f082027b5a45541e1017025780fe8a6a0e951e
Found in base branch: master
### Vulnerability DetailsIn Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
Publish Date: 2021-02-26
URL: CVE-2020-27223
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7
Release Date: 2021-02-26
Fix Resolution (org.eclipse.jetty:jetty-http): 9.4.37.v20210219
Direct dependency fix Resolution (io.dropwizard:dropwizard-core): 2.0.0-rc0+test8
:rescue_worker_helmet: Automatic Remediation is available for this issueCVE-2021-28169
### Vulnerable Library - jetty-http-9.4.18.v20190429.jarThe Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /BaragonData/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.18.v20190429/jetty-http-9.4.18.v20190429.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.18.v20190429/jetty-http-9.4.18.v20190429.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.18.v20190429/jetty-http-9.4.18.v20190429.jar
Dependency Hierarchy: - dropwizard-core-1.3.12.jar (Root Library) - dropwizard-jetty-1.3.12.jar - :x: **jetty-http-9.4.18.v20190429.jar** (Vulnerable Library)
Found in HEAD commit: 87f082027b5a45541e1017025780fe8a6a0e951e
Found in base branch: master
### Vulnerability DetailsFor Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Publish Date: 2021-06-09
URL: CVE-2021-28169
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq
Release Date: 2021-06-09
Fix Resolution (org.eclipse.jetty:jetty-http): 9.4.41.v20210516
Direct dependency fix Resolution (io.dropwizard:dropwizard-core): 2.0.0-rc0+test8
:rescue_worker_helmet: Automatic Remediation is available for this issueCVE-2022-2047
### Vulnerable Library - jetty-http-9.4.18.v20190429.jarThe Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /BaragonData/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.18.v20190429/jetty-http-9.4.18.v20190429.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.18.v20190429/jetty-http-9.4.18.v20190429.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.18.v20190429/jetty-http-9.4.18.v20190429.jar
Dependency Hierarchy: - dropwizard-core-1.3.12.jar (Root Library) - dropwizard-jetty-1.3.12.jar - :x: **jetty-http-9.4.18.v20190429.jar** (Vulnerable Library)
Found in HEAD commit: 87f082027b5a45541e1017025780fe8a6a0e951e
Found in base branch: master
### Vulnerability DetailsIn Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
Publish Date: 2022-07-07
URL: CVE-2022-2047
### CVSS 3 Score Details (2.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q
Release Date: 2022-07-07
Fix Resolution (org.eclipse.jetty:jetty-http): 9.4.47.v20220610
Direct dependency fix Resolution (io.dropwizard:dropwizard-core): 2.0.0-rc0+test8
:rescue_worker_helmet: Automatic Remediation is available for this issue:rescue_worker_helmet: Automatic Remediation is available for this issue.