hutool-core v5.8.23 was discovered to contain an infinite loop in the StrSplitter.splitByRegex function. This vulnerability allows attackers to cause a Denial of Service (DoS) via manipulation of the first two parameters.
Hutool v5.8.17 and below was discovered to contain an information disclosure vulnerability via the File.createTempFile() function at /core/io/FileUtil.java.
A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Affected by this issue is the function readBySax of the file XmlUtil.java of the component XML Parsing Module. The manipulation leads to xml external entity reference. The exploit has been disclosed to the public and may be used. VDB-231626 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Hutool是一个小而全的Java工具类库,通过静态方法封装,降低相关API的学习成本,提高工作效率,使Java拥有函数式语言般的优雅,让Java语言也可以“甜甜的”。
Library home page: https://github.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-42277
### Vulnerable Library - hutool-all-5.8.10.jarHutool是一个小而全的Java工具类库,通过静态方法封装,降低相关API的学习成本,提高工作效率,使Java拥有函数式语言般的优雅,让Java语言也可以“甜甜的”。
Library home page: https://github.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar
Dependency Hierarchy: - :x: **hutool-all-5.8.10.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.SSRF (Application) -> cn.hutool.http.HttpUtil (Extension) -> cn.hutool.core.convert.Convert (Extension) -> cn.hutool.core.convert.impl.MapConverter (Extension) -> cn.hutool.core.bean.BeanUtil (Extension) -> ❌ cn.hutool.core.collection.ListUtil (Vulnerable Component) ``` ### Vulnerability Detailshutool v5.8.21 was discovered to contain a buffer overflow via the component jsonObject.putByPath.
Publish Date: 2023-09-08
URL: CVE-2023-42277
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.2%
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-7p8c-crfr-q93p
Release Date: 2023-09-08
Fix Resolution: 5.8.22
In order to enable automatic remediation, please create workflow rules
CVE-2023-42276
### Vulnerable Library - hutool-all-5.8.10.jarHutool是一个小而全的Java工具类库,通过静态方法封装,降低相关API的学习成本,提高工作效率,使Java拥有函数式语言般的优雅,让Java语言也可以“甜甜的”。
Library home page: https://github.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar
Dependency Hierarchy: - :x: **hutool-all-5.8.10.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.SSRF (Application) -> cn.hutool.http.HttpUtil (Extension) -> cn.hutool.core.convert.Convert (Extension) -> cn.hutool.core.convert.impl.MapConverter (Extension) -> cn.hutool.core.bean.BeanUtil (Extension) -> ❌ cn.hutool.core.collection.ListUtil (Vulnerable Component) ``` ### Vulnerability Detailshutool v5.8.21 was discovered to contain a buffer overflow via the component jsonArray.
Publish Date: 2023-09-08
URL: CVE-2023-42276
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.2%
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.
CVE-2023-51080
### Vulnerable Library - hutool-all-5.8.10.jarHutool是一个小而全的Java工具类库,通过静态方法封装,降低相关API的学习成本,提高工作效率,使Java拥有函数式语言般的优雅,让Java语言也可以“甜甜的”。
Library home page: https://github.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar
Dependency Hierarchy: - :x: **hutool-all-5.8.10.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.SSRF (Application) -> cn.hutool.http.HttpUtil (Extension) -> cn.hutool.core.util.ObjectUtil (Extension) -> ❌ cn.hutool.core.util.NumberUtil (Vulnerable Component) ``` ### Vulnerability DetailsThe NumberUtil.toBigDecimal method in hutool-core v5.8.23 was discovered to contain a stack overflow.
Publish Date: 2023-12-27
URL: CVE-2023-51080
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.0%
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2023-12-27
Fix Resolution: 5.8.22
In order to enable automatic remediation, please create workflow rules
CVE-2023-51075
### Vulnerable Library - hutool-all-5.8.10.jarHutool是一个小而全的Java工具类库,通过静态方法封装,降低相关API的学习成本,提高工作效率,使Java拥有函数式语言般的优雅,让Java语言也可以“甜甜的”。
Library home page: https://github.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar
Dependency Hierarchy: - :x: **hutool-all-5.8.10.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.SSRF (Application) -> cn.hutool.http.HttpUtil (Extension) -> cn.hutool.core.util.StrUtil (Extension) -> cn.hutool.core.text.CharSequenceUtil (Extension) -> cn.hutool.core.text.StrSplitter (Extension) -> ❌ cn.hutool.core.text.finder.PatternFinder (Vulnerable Component) ``` ### Vulnerability Detailshutool-core v5.8.23 was discovered to contain an infinite loop in the StrSplitter.splitByRegex function. This vulnerability allows attackers to cause a Denial of Service (DoS) via manipulation of the first two parameters.
Publish Date: 2023-12-27
URL: CVE-2023-51075
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.0%
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-51075
Release Date: 2023-12-27
Fix Resolution: 5.8.24
In order to enable automatic remediation, please create workflow rules
CVE-2023-33695
### Vulnerable Library - hutool-all-5.8.10.jarHutool是一个小而全的Java工具类库,通过静态方法封装,降低相关API的学习成本,提高工作效率,使Java拥有函数式语言般的优雅,让Java语言也可以“甜甜的”。
Library home page: https://github.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar
Dependency Hierarchy: - :x: **hutool-all-5.8.10.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.SSRF (Application) -> cn.hutool.http.HttpUtil (Extension) -> cn.hutool.core.io.FileUtil (Extension) -> ❌ cn.hutool.core.io.file.PathUtil (Vulnerable Component) ``` ### Vulnerability DetailsHutool v5.8.17 and below was discovered to contain an information disclosure vulnerability via the File.createTempFile() function at /core/io/FileUtil.java.
Publish Date: 2023-06-13
URL: CVE-2023-33695
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.0%
### CVSS 3 Score Details (7.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2023-06-13
Fix Resolution: 5.8.19
In order to enable automatic remediation, please create workflow rules
CVE-2023-24163
### Vulnerable Library - hutool-all-5.8.10.jarHutool是一个小而全的Java工具类库,通过静态方法封装,降低相关API的学习成本,提高工作效率,使Java拥有函数式语言般的优雅,让Java语言也可以“甜甜的”。
Library home page: https://github.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar
Dependency Hierarchy: - :x: **hutool-all-5.8.10.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsSQL Inection vulnerability in Dromara hutool before 5.8.21 allows attacker to execute arbitrary code via the aviator template engine.
Publish Date: 2023-01-31
URL: CVE-2023-24163
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.4%
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2023-01-31
Fix Resolution: 5.8.21
In order to enable automatic remediation, please create workflow rules
CVE-2023-24162
### Vulnerable Library - hutool-all-5.8.10.jarHutool是一个小而全的Java工具类库,通过静态方法封装,降低相关API的学习成本,提高工作效率,使Java拥有函数式语言般的优雅,让Java语言也可以“甜甜的”。
Library home page: https://github.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar
Dependency Hierarchy: - :x: **hutool-all-5.8.10.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsDeserialization vulnerability in Dromara Hutool v5.8.11 allows attacker to execute arbitrary code via the XmlUtil.readObjectFromXml parameter.
Publish Date: 2023-01-31
URL: CVE-2023-24162
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.2%
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2023-01-31
Fix Resolution: 5.8.12
In order to enable automatic remediation, please create workflow rules
CVE-2023-42278
### Vulnerable Library - hutool-all-5.8.10.jarHutool是一个小而全的Java工具类库,通过静态方法封装,降低相关API的学习成本,提高工作效率,使Java拥有函数式语言般的优雅,让Java语言也可以“甜甜的”。
Library home page: https://github.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar
Dependency Hierarchy: - :x: **hutool-all-5.8.10.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability Detailshutool v5.8.21 was discovered to contain a buffer overflow via the component JSONUtil.parse().
Publish Date: 2023-09-08
URL: CVE-2023-42278
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.
CVE-2023-3276
### Vulnerable Library - hutool-all-5.8.10.jarHutool是一个小而全的Java工具类库,通过静态方法封装,降低相关API的学习成本,提高工作效率,使Java拥有函数式语言般的优雅,让Java语言也可以“甜甜的”。
Library home page: https://github.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar
Dependency Hierarchy: - :x: **hutool-all-5.8.10.jar** (Vulnerable Library)
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsA vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Affected by this issue is the function readBySax of the file XmlUtil.java of the component XML Parsing Module. The manipulation leads to xml external entity reference. The exploit has been disclosed to the public and may be used. VDB-231626 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Publish Date: 2023-06-15
URL: CVE-2023-3276
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (5.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Adjacent - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2023-06-15
Fix Resolution: 5.8.20
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules