search

amaybaum-prod / atom-hopper

ATOM Hopper - The Java ATOMpub Server
http://atomhopper.org
0 stars 2 forks source link

xmlgraphics-commons-1.3.1.jar: 1 vulnerabilities (highest severity is: 8.2) - autoclosed #15

Closed mend-for-github-com[bot] closed 4 months ago

mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - xmlgraphics-commons-1.3.1.jar

Apache XML Graphics Commons is a library that consists of several reusable components used by Apache Batik and Apache FOP. Many of these components can easily be used separately outside the domains of SVG and XSL-FO.

Library home page: http://xmlgraphics.apache.org/commons/

Path to vulnerable library: /tests/regression/target/jmeter/lib/xmlgraphics-commons-1.3.1.jar

Found in HEAD commit: d0c49807860a8c07c922d8e19168bd6893aad298

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (xmlgraphics-commons version) Remediation Possible** Reachability
CVE-2020-11988 High 8.2 xmlgraphics-commons-1.3.1.jar Direct 2.6

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-11988 ### Vulnerable Library - xmlgraphics-commons-1.3.1.jar

Apache XML Graphics Commons is a library that consists of several reusable components used by Apache Batik and Apache FOP. Many of these components can easily be used separately outside the domains of SVG and XSL-FO.

Library home page: http://xmlgraphics.apache.org/commons/

Path to vulnerable library: /tests/regression/target/jmeter/lib/xmlgraphics-commons-1.3.1.jar

Dependency Hierarchy: - :x: **xmlgraphics-commons-1.3.1.jar** (Vulnerable Library)

Found in HEAD commit: d0c49807860a8c07c922d8e19168bd6893aad298

Found in base branch: master

### Vulnerability Details

Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later.

Publish Date: 2021-02-24

URL: CVE-2020-11988

### CVSS 3 Score Details (8.2)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://xmlgraphics.apache.org/security.html

Release Date: 2021-02-24

Fix Resolution: 2.6

mend-for-github-com[bot] commented 4 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.