search

amaybaum-local / remediate-test6

0 stars 1 forks source link

CVE-2018-11087 (Medium, reachable) detected in multiple libraries - autoclosed #108

Closed mend-local-app[bot] closed 5 months ago

mend-local-app[bot] commented 5 months ago

CVE-2018-11087 - Medium Severity Vulnerability

Vulnerable Libraries - spring-amqp-1.7.1.RELEASE.jar, amqp-client-4.0.2.jar, spring-rabbit-1.7.1.RELEASE.jar

spring-amqp-1.7.1.RELEASE.jar

Spring AMQP Core

Library home page: https://projects.spring.io/spring-amqp

Path to dependency file: /pom.xml

Path to vulnerable library: /Users/alexmaybaum/.m2/repository/org/springframework/amqp/spring-amqp/1.7.1.RELEASE/spring-amqp-1.7.1.RELEASE.jar

Dependency Hierarchy: - spring-rabbit-1.7.1.RELEASE.jar (Root Library) - :x: **spring-amqp-1.7.1.RELEASE.jar** (Vulnerable Library)

amqp-client-4.0.2.jar

The RabbitMQ Java client library allows Java applications to interface with RabbitMQ.

Library home page: http://www.rabbitmq.com

Path to dependency file: /pom.xml

Path to vulnerable library: /Users/alexmaybaum/.m2/repository/com/rabbitmq/amqp-client/4.0.2/amqp-client-4.0.2.jar

Dependency Hierarchy: - spring-rabbit-1.7.1.RELEASE.jar (Root Library) - :x: **amqp-client-4.0.2.jar** (Vulnerable Library)

spring-rabbit-1.7.1.RELEASE.jar

Spring RabbitMQ Support

Library home page: https://projects.spring.io/spring-amqp

Path to dependency file: /pom.xml

Path to vulnerable library: /Users/alexmaybaum/.m2/repository/org/springframework/amqp/spring-rabbit/1.7.1.RELEASE/spring-rabbit-1.7.1.RELEASE.jar

Dependency Hierarchy: - :x: **spring-rabbit-1.7.1.RELEASE.jar** (Vulnerable Library)

Found in HEAD commit: 9c6901108cf0138889fa46846fabfcb78828d070

Found in base branch: vp-rem

Reachability Analysis(Reachable)

This vulnerability is potentially used ``` com.visualpathit.account.service.ConsumerServiceImpl (Application) -> ❌ org.springframework.amqp.core.ExchangeTypes (Vulnerable Component) ```

Vulnerability Details

Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit.

Publish Date: 2018-09-14

URL: CVE-2018-11087

CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11087

Release Date: 2018-09-14

Fix Resolution: 1.7.10.RELEASE,2.0.6.RELEASE

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

mend-local-app[bot] commented 5 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.