MendDemo-josh / java-sec-code

Java web common vulnerabilities and security code which is base on springboot and spring security
0 stars 0 forks source link

hutool-all-5.8.10.jar: 9 vulnerabilities (highest severity is: 9.8) reachable #20

Open mend-for-github-com[bot] opened 10 months ago

mend-for-github-com[bot] commented 10 months ago
Vulnerable Library - hutool-all-5.8.10.jar

Hutool是一个小而全的Java工具类库,通过静态方法封装,降低相关API的学习成本,提高工作效率,使Java拥有函数式语言般的优雅,让Java语言也可以“甜甜的”。

Library home page: https://github.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (hutool-all version) Remediation Possible** Reachability
CVE-2023-42277 Critical 9.8 Not Defined 0.2% hutool-all-5.8.10.jar Direct N/A

Reachable

CVE-2023-42276 Critical 9.8 Not Defined 0.2% hutool-all-5.8.10.jar Direct 5.8.22

Reachable

CVE-2023-51080 High 7.5 Not Defined 0.0% hutool-all-5.8.10.jar Direct 5.8.22

Reachable

CVE-2023-51075 High 7.5 Not Defined 0.0% hutool-all-5.8.10.jar Direct 5.8.24

Reachable

CVE-2023-33695 High 7.1 Not Defined 0.0% hutool-all-5.8.10.jar Direct 5.8.19

Reachable

CVE-2023-24163 Critical 9.8 Not Defined 0.3% hutool-all-5.8.10.jar Direct 5.8.21

Unreachable

CVE-2023-24162 Critical 9.8 Not Defined 0.2% hutool-all-5.8.10.jar Direct N/A

Unreachable

CVE-2023-42278 High 7.5 Not Defined 0.1% hutool-all-5.8.10.jar Direct N/A

Unreachable

CVE-2023-3276 Medium 5.5 Not Defined 0.1% hutool-all-5.8.10.jar Direct 5.8.20

Unreachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-42277 ### Vulnerable Library - hutool-all-5.8.10.jar

Hutool是一个小而全的Java工具类库,通过静态方法封装,降低相关API的学习成本,提高工作效率,使Java拥有函数式语言般的优雅,让Java语言也可以“甜甜的”。

Library home page: https://github.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar

Dependency Hierarchy: - :x: **hutool-all-5.8.10.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.SSRF (Application) -> cn.hutool.http.HttpUtil (Extension) -> cn.hutool.core.convert.Convert (Extension) -> cn.hutool.core.convert.impl.MapConverter (Extension) -> cn.hutool.core.bean.BeanUtil (Extension) -> ❌ cn.hutool.core.collection.ListUtil (Vulnerable Component) ```

### Vulnerability Details

hutool v5.8.21 was discovered to contain a buffer overflow via the component jsonObject.putByPath.

Publish Date: 2023-09-08

URL: CVE-2023-42277

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2023-42276 ### Vulnerable Library - hutool-all-5.8.10.jar

Hutool是一个小而全的Java工具类库,通过静态方法封装,降低相关API的学习成本,提高工作效率,使Java拥有函数式语言般的优雅,让Java语言也可以“甜甜的”。

Library home page: https://github.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar

Dependency Hierarchy: - :x: **hutool-all-5.8.10.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.SSRF (Application) -> cn.hutool.http.HttpUtil (Extension) -> cn.hutool.core.convert.Convert (Extension) -> cn.hutool.core.convert.impl.MapConverter (Extension) -> cn.hutool.core.bean.BeanUtil (Extension) -> ❌ cn.hutool.core.collection.ListUtil (Vulnerable Component) ```

### Vulnerability Details

hutool v5.8.21 was discovered to contain a buffer overflow via the component jsonArray.

Publish Date: 2023-09-08

URL: CVE-2023-42276

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-rxgf-r843-g53h

Release Date: 2023-09-08

Fix Resolution: 5.8.22

In order to enable automatic remediation, please create workflow rules

CVE-2023-51080 ### Vulnerable Library - hutool-all-5.8.10.jar

Hutool是一个小而全的Java工具类库,通过静态方法封装,降低相关API的学习成本,提高工作效率,使Java拥有函数式语言般的优雅,让Java语言也可以“甜甜的”。

Library home page: https://github.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar

Dependency Hierarchy: - :x: **hutool-all-5.8.10.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.SSRF (Application) -> cn.hutool.http.HttpUtil (Extension) -> cn.hutool.core.util.ObjectUtil (Extension) -> ❌ cn.hutool.core.util.NumberUtil (Vulnerable Component) ```

### Vulnerability Details

The NumberUtil.toBigDecimal method in hutool-core v5.8.23 was discovered to contain a stack overflow.

Publish Date: 2023-12-27

URL: CVE-2023-51080

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2023-12-27

Fix Resolution: 5.8.22

In order to enable automatic remediation, please create workflow rules

CVE-2023-51075 ### Vulnerable Library - hutool-all-5.8.10.jar

Hutool是一个小而全的Java工具类库,通过静态方法封装,降低相关API的学习成本,提高工作效率,使Java拥有函数式语言般的优雅,让Java语言也可以“甜甜的”。

Library home page: https://github.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar

Dependency Hierarchy: - :x: **hutool-all-5.8.10.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.SSRF (Application) -> cn.hutool.http.HttpUtil (Extension) -> cn.hutool.core.util.StrUtil (Extension) -> cn.hutool.core.text.CharSequenceUtil (Extension) -> cn.hutool.core.text.StrSplitter (Extension) -> ❌ cn.hutool.core.text.finder.PatternFinder (Vulnerable Component) ```

### Vulnerability Details

hutool-core v5.8.23 was discovered to contain an infinite loop in the StrSplitter.splitByRegex function. This vulnerability allows attackers to cause a Denial of Service (DoS) via manipulation of the first two parameters.

Publish Date: 2023-12-27

URL: CVE-2023-51075

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-51075

Release Date: 2023-12-27

Fix Resolution: 5.8.24

In order to enable automatic remediation, please create workflow rules

CVE-2023-33695 ### Vulnerable Library - hutool-all-5.8.10.jar

Hutool是一个小而全的Java工具类库,通过静态方法封装,降低相关API的学习成本,提高工作效率,使Java拥有函数式语言般的优雅,让Java语言也可以“甜甜的”。

Library home page: https://github.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar

Dependency Hierarchy: - :x: **hutool-all-5.8.10.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.SSRF (Application) -> cn.hutool.http.HttpUtil (Extension) -> ❌ cn.hutool.core.io.FileUtil (Vulnerable Component) ```

### Vulnerability Details

Hutool v5.8.17 and below was discovered to contain an information disclosure vulnerability via the File.createTempFile() function at /core/io/FileUtil.java.

Publish Date: 2023-06-13

URL: CVE-2023-33695

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

### CVSS 3 Score Details (7.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2023-06-13

Fix Resolution: 5.8.19

In order to enable automatic remediation, please create workflow rules

CVE-2023-24163 ### Vulnerable Library - hutool-all-5.8.10.jar

Hutool是一个小而全的Java工具类库,通过静态方法封装,降低相关API的学习成本,提高工作效率,使Java拥有函数式语言般的优雅,让Java语言也可以“甜甜的”。

Library home page: https://github.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar

Dependency Hierarchy: - :x: **hutool-all-5.8.10.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

SQL Inection vulnerability in Dromara hutool before 5.8.21 allows attacker to execute arbitrary code via the aviator template engine.

Publish Date: 2023-01-31

URL: CVE-2023-24163

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2023-01-31

Fix Resolution: 5.8.21

In order to enable automatic remediation, please create workflow rules

CVE-2023-24162 ### Vulnerable Library - hutool-all-5.8.10.jar

Hutool是一个小而全的Java工具类库,通过静态方法封装,降低相关API的学习成本,提高工作效率,使Java拥有函数式语言般的优雅,让Java语言也可以“甜甜的”。

Library home page: https://github.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar

Dependency Hierarchy: - :x: **hutool-all-5.8.10.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

Deserialization vulnerability in Dromara Hutool v5.8.11 allows attacker to execute arbitrary code via the XmlUtil.readObjectFromXml parameter.

Publish Date: 2023-01-31

URL: CVE-2023-24162

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2023-42278 ### Vulnerable Library - hutool-all-5.8.10.jar

Hutool是一个小而全的Java工具类库,通过静态方法封装,降低相关API的学习成本,提高工作效率,使Java拥有函数式语言般的优雅,让Java语言也可以“甜甜的”。

Library home page: https://github.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar

Dependency Hierarchy: - :x: **hutool-all-5.8.10.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

hutool v5.8.21 was discovered to contain a buffer overflow via the component JSONUtil.parse().

Publish Date: 2023-09-08

URL: CVE-2023-42278

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2023-3276 ### Vulnerable Library - hutool-all-5.8.10.jar

Hutool是一个小而全的Java工具类库,通过静态方法封装,降低相关API的学习成本,提高工作效率,使Java拥有函数式语言般的优雅,让Java语言也可以“甜甜的”。

Library home page: https://github.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar

Dependency Hierarchy: - :x: **hutool-all-5.8.10.jar** (Vulnerable Library)

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Found in base branch: master

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

A vulnerability, which was classified as problematic, has been found in Dromara HuTool up to 5.8.19. Affected by this issue is the function readBySax of the file XmlUtil.java of the component XML Parsing Module. The manipulation leads to xml external entity reference. The exploit has been disclosed to the public and may be used. VDB-231626 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Publish Date: 2023-06-15

URL: CVE-2023-3276

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Adjacent - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2023-06-15

Fix Resolution: 5.8.20

In order to enable automatic remediation, please create workflow rules


In order to enable automatic remediation for this issue, please create workflow rules