amaybaum-prod / atom-hopper

ATOM Hopper - The Java ATOMpub Server
http://atomhopper.org
0 stars 2 forks source link

c3p0-0.9.1.jar: 2 vulnerabilities (highest severity is: 9.8) non-reachable - autoclosed #34

Closed mend-for-github-com[bot] closed 1 year ago

mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - c3p0-0.9.1.jar

c3p0 is an easy-to-use library for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension.

Library home page: http://c3p0.sourceforge.net

Path to dependency file: /atomhopper/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/c3p0/c3p0/0.9.1/c3p0-0.9.1.jar,/atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/c3p0-0.9.1.jar

Found in HEAD commit: d0c49807860a8c07c922d8e19168bd6893aad298

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (c3p0 version) Remediation Available Reachability
CVE-2018-20433 Critical 9.8 c3p0-0.9.1.jar Direct 0.9.5.3

CVE-2019-5427 High 7.5 c3p0-0.9.1.jar Direct com.mchange:c3p0:0.9.5.4

Details

CVE-2018-20433 ### Vulnerable Library - c3p0-0.9.1.jar

c3p0 is an easy-to-use library for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension.

Library home page: http://c3p0.sourceforge.net

Path to dependency file: /atomhopper/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/c3p0/c3p0/0.9.1/c3p0-0.9.1.jar,/atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/c3p0-0.9.1.jar

Dependency Hierarchy: - :x: **c3p0-0.9.1.jar** (Vulnerable Library)

Found in HEAD commit: d0c49807860a8c07c922d8e19168bd6893aad298

Found in base branch: master

### Reachability Analysis

The vulnerable code is not reachable.

### Vulnerability Details

c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.

Publish Date: 2018-12-24

URL: CVE-2018-20433

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20433

Release Date: 2018-12-24

Fix Resolution: 0.9.5.3

:rescue_worker_helmet: Automatic Remediation is available for this issue
CVE-2019-5427 ### Vulnerable Library - c3p0-0.9.1.jar

c3p0 is an easy-to-use library for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension.

Library home page: http://c3p0.sourceforge.net

Path to dependency file: /atomhopper/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/c3p0/c3p0/0.9.1/c3p0-0.9.1.jar,/atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/c3p0-0.9.1.jar

Dependency Hierarchy: - :x: **c3p0-0.9.1.jar** (Vulnerable Library)

Found in HEAD commit: d0c49807860a8c07c922d8e19168bd6893aad298

Found in base branch: master

### Reachability Analysis

The vulnerable code is not reachable.

### Vulnerability Details

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

Publish Date: 2019-04-22

URL: CVE-2019-5427

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5427

Release Date: 2019-04-22

Fix Resolution: com.mchange:c3p0:0.9.5.4

:rescue_worker_helmet: Automatic Remediation is available for this issue

:rescue_worker_helmet: Automatic Remediation is available for this issue.

mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.