Open mend-for-github-com[bot] opened 11 months ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
Vulnerable Library - legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar
Path to vulnerable library: /legend-depot-store-status/pom.xml,/legend-depot-store-notifications/pom.xml,/legend-depot-artifacts-refresh/pom.xml,/legend-depot-store-server/pom.xml,/legend-depot-server/pom.xml,/legend-depot-artifacts-purge/pom.xml,/legend-depot-core-http/pom.xml
Found in HEAD commit: 0e09140ab0afde1bcc8a1cd324ab9bbde68802df
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-25581
### Vulnerable Library - pac4j-core-3.8.3.jar

Profile & Authentication Client for Java
Library home page: https://github.com/pac4j/pac4j
Path to dependency file: /legend-depot-core-http/pom.xml
Path to vulnerable library: /legend-depot-core-http/pom.xml,/legend-depot-store-status/pom.xml,/legend-depot-server/pom.xml,/legend-depot-artifacts-refresh/pom.xml,/legend-depot-artifacts-purge/pom.xml,/legend-depot-store-server/pom.xml,/legend-depot-store-notifications/pom.xml
Dependency Hierarchy:
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
    - legend-depot-core-http-1.7.6-SNAPSHOT.jar
      - legend-shared-pac4j-0.23.3.jar
        - :x: **pac4j-core-3.8.3.jar** (Vulnerable Library)
Found in HEAD commit: 0e09140ab0afde1bcc8a1cd324ab9bbde68802df
Found in base branch: master
### Vulnerability Details

pac4j is a security framework for Java. `pac4j-core` prior to version 4.0.0 is affected by a Java deserialization vulnerability. The vulnerability affects systems that store externally controlled values in attributes of the `UserProfile` class from pac4j-core. It can be exploited by providing an attribute that contains a serialized Java object with a special prefix `{#sb64}` and Base64 encoding. This issue may lead to Remote Code Execution (RCE) in the worst case. Although a `RestrictedObjectInputStream` is in place that puts some restriction on what classes can be deserialized, it still allows a broad range of Java packages and is potentially exploitable with different gadget chains. pac4j versions 4.0.0 and greater are not affected by this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-10-10
URL: CVE-2023-25581
### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://securitylab.github.com/advisories/GHSL-2022-085_pac4j/
Release Date: 2024-10-10
Fix Resolution: org.pac4j:pac4j-core:4.0.0
CVE-2022-42889
### Vulnerable Library - commons-text-1.9.jar

Apache Commons Text is a library focused on algorithms working on strings.
Library home page: https://www.apache.org/
Path to dependency file: /legend-depot-store-notifications/pom.xml
Path to vulnerable library: /legend-depot-store-notifications/pom.xml,/legend-depot-core-http/pom.xml,/legend-depot-artifacts-refresh/pom.xml,/legend-depot-artifacts-purge/pom.xml,/legend-depot-server/pom.xml,/legend-depot-store-status/pom.xml,/legend-depot-store-server/pom.xml
Dependency Hierarchy:
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
    - legend-depot-core-http-1.7.6-SNAPSHOT.jar
      - dropwizard-core-1.3.29.jar
        - dropwizard-configuration-1.3.29.jar
          - :x: **commons-text-1.9.jar** (Vulnerable Library)
Found in HEAD commit: 0e09140ab0afde1bcc8a1cd324ab9bbde68802df
Found in base branch: master
### Vulnerability Details

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve dns records
- "url" - load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
Publish Date: 2022-10-13
URL: CVE-2022-42889
### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2022/10/13/4
Release Date: 2022-10-13
Fix Resolution: org.apache.commons:commons-text:1.10.0
CVE-2022-1471
### Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /legend-depot-store-server/pom.xml
Path to vulnerable library: /legend-depot-store-server/pom.xml,/legend-depot-store-notifications/pom.xml,/legend-depot-server/pom.xml,/legend-depot-core-http/pom.xml,/legend-depot-store-status/pom.xml,/legend-depot-artifacts-refresh/pom.xml,/legend-depot-artifacts-purge/pom.xml
Dependency Hierarchy:
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
    - legend-depot-core-http-1.7.6-SNAPSHOT.jar
      - dropwizard-core-1.3.29.jar
        - dropwizard-configuration-1.3.29.jar
          - jackson-dataformat-yaml-2.10.5.jar
            - :x: **snakeyaml-1.26.jar** (Vulnerable Library)
Found in HEAD commit: 0e09140ab0afde1bcc8a1cd324ab9bbde68802df
Found in base branch: master
### Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
Publish Date: 2022-12-01
URL: CVE-2022-1471
### CVSS 3 Score Details (8.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374
Release Date: 2022-12-01
Fix Resolution: org.yaml:snakeyaml:2.0
CVE-2023-36478
### Vulnerable Library - jetty-http-9.4.35.v20201120.jar

Library home page: https://webtide.com
Path to dependency file: /legend-depot-artifacts-purge/pom.xml
Path to vulnerable library: /legend-depot-artifacts-purge/pom.xml,/legend-depot-store-notifications/pom.xml,/legend-depot-server/pom.xml,/legend-depot-artifacts-refresh/pom.xml,/legend-depot-core-http/pom.xml,/legend-depot-store-status/pom.xml,/legend-depot-store-server/pom.xml
Dependency Hierarchy:
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
    - legend-depot-core-http-1.7.6-SNAPSHOT.jar
      - dropwizard-core-1.3.29.jar
        - dropwizard-metrics-1.3.29.jar
          - dropwizard-lifecycle-1.3.29.jar
            - jetty-server-9.4.35.v20201120.jar
              - :x: **jetty-http-9.4.35.v20201120.jar** (Vulnerable Library)
Found in HEAD commit: 0e09140ab0afde1bcc8a1cd324ab9bbde68802df
Found in base branch: master
### Vulnerability Details

Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
Publish Date: 2023-10-10
URL: CVE-2023-36478
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgh7-54f2-x98r
Release Date: 2023-10-10
Fix Resolution: org.eclipse.jetty.http2:http2-hpack:9.4.53.v20231009,10.0.16,11.0.16;org.eclipse.jetty.http3:http3-qpack:10.0.16,11.0.16;org.eclipse.jetty:jetty-http:9.4.53.v20231009,10.0.16,11.0.16
CVE-2022-25857
### Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /legend-depot-store-server/pom.xml
Path to vulnerable library: /legend-depot-store-server/pom.xml,/legend-depot-store-notifications/pom.xml,/legend-depot-server/pom.xml,/legend-depot-core-http/pom.xml,/legend-depot-store-status/pom.xml,/legend-depot-artifacts-refresh/pom.xml,/legend-depot-artifacts-purge/pom.xml
Dependency Hierarchy:
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
    - legend-depot-core-http-1.7.6-SNAPSHOT.jar
      - dropwizard-core-1.3.29.jar
        - dropwizard-configuration-1.3.29.jar
          - jackson-dataformat-yaml-2.10.5.jar
            - :x: **snakeyaml-1.26.jar** (Vulnerable Library)
Found in HEAD commit: 0e09140ab0afde1bcc8a1cd324ab9bbde68802df
Found in base branch: master
### Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.
Publish Date: 2022-08-30
URL: CVE-2022-25857
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857
Release Date: 2022-08-30
Fix Resolution: org.yaml:snakeyaml:1.31
CVE-2021-28165
### Vulnerable Library - jetty-io-9.4.35.v20201120.jar

Library home page: https://webtide.com
Path to dependency file: /legend-depot-store-status/pom.xml
Path to vulnerable library: /legend-depot-store-status/pom.xml,/legend-depot-store-server/pom.xml,/legend-depot-artifacts-purge/pom.xml,/legend-depot-core-http/pom.xml,/legend-depot-server/pom.xml,/legend-depot-artifacts-refresh/pom.xml,/legend-depot-store-notifications/pom.xml
Dependency Hierarchy:
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
    - legend-depot-core-http-1.7.6-SNAPSHOT.jar
      - dropwizard-core-1.3.29.jar
        - dropwizard-metrics-1.3.29.jar
          - dropwizard-lifecycle-1.3.29.jar
            - jetty-server-9.4.35.v20201120.jar
              - jetty-http-9.4.35.v20201120.jar
                - :x: **jetty-io-9.4.35.v20201120.jar** (Vulnerable Library)
Found in HEAD commit: 0e09140ab0afde1bcc8a1cd324ab9bbde68802df
Found in base branch: master
### Vulnerability Details

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
Publish Date: 2021-04-01
URL: CVE-2021-28165
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
Release Date: 2021-04-01
Fix Resolution: org.eclipse.jetty:jetty-io:9.4.39, org.eclipse.jetty:jetty-io:10.0.2, org.eclipse.jetty:jetty-io:11.0.2
CVE-2023-6481
### Vulnerable Library - logback-core-1.2.3.jar

logback-core module
Library home page: http://www.qos.ch
Path to dependency file: /legend-depot-store-status/pom.xml
Path to vulnerable library: /legend-depot-store-status/pom.xml,/legend-depot-server/pom.xml,/legend-depot-artifacts-purge/pom.xml,/legend-depot-core-http/pom.xml,/legend-depot-artifacts-refresh/pom.xml,/legend-depot-store-server/pom.xml,/legend-depot-store-notifications/pom.xml
Dependency Hierarchy:
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
    - legend-depot-core-http-1.7.6-SNAPSHOT.jar
      - dropwizard-core-1.3.29.jar
        - dropwizard-logging-1.3.29.jar
          - :x: **logback-core-1.2.3.jar** (Vulnerable Library)
Found in HEAD commit: 0e09140ab0afde1bcc8a1cd324ab9bbde68802df
Found in base branch: master
### Vulnerability Details

A serialization vulnerability in the logback receiver component, part of logback versions 1.4.13, 1.3.13 and 1.2.12, allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.
Publish Date: 2023-12-04
URL: CVE-2023-6481
### CVSS 3 Score Details (7.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-6481
Release Date: 2023-12-04
Fix Resolution: ch.qos.logback:logback-core:1.2.13,1.3.14,1.4.14
CVE-2023-6378
### Vulnerable Library - logback-classic-1.2.3.jar

logback-classic module
Library home page: http://www.qos.ch
Path to dependency file: /legend-depot-store-server/pom.xml
Path to vulnerable library: /legend-depot-store-server/pom.xml,/legend-depot-artifacts-purge/pom.xml,/legend-depot-store-status/pom.xml,/legend-depot-core-http/pom.xml,/legend-depot-server/pom.xml,/legend-depot-artifacts-refresh/pom.xml,/legend-depot-store-notifications/pom.xml
Dependency Hierarchy:
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
    - legend-depot-core-http-1.7.6-SNAPSHOT.jar
      - dropwizard-core-1.3.29.jar
        - dropwizard-logging-1.3.29.jar
          - :x: **logback-classic-1.2.3.jar** (Vulnerable Library)
Found in HEAD commit: 0e09140ab0afde1bcc8a1cd324ab9bbde68802df
Found in base branch: master
### Vulnerability Details

A serialization vulnerability in the logback receiver component, part of logback version 1.4.11, allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.
Publish Date: 2023-11-29
URL: CVE-2023-6378
### CVSS 3 Score Details (7.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://logback.qos.ch/news.html#1.3.12
Release Date: 2023-11-29
Fix Resolution: ch.qos.logback:logback-classic:1.3.12,1.4.12
CVE-2021-42550
### Vulnerable Libraries - logback-core-1.2.3.jar, logback-classic-1.2.3.jar

### logback-core-1.2.3.jar
logback-core module
Library home page: http://www.qos.ch
Path to dependency file: /legend-depot-store-status/pom.xml
Path to vulnerable library: /legend-depot-store-status/pom.xml,/legend-depot-server/pom.xml,/legend-depot-artifacts-purge/pom.xml,/legend-depot-core-http/pom.xml,/legend-depot-artifacts-refresh/pom.xml,/legend-depot-store-server/pom.xml,/legend-depot-store-notifications/pom.xml
Dependency Hierarchy:
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
    - legend-depot-core-http-1.7.6-SNAPSHOT.jar
      - dropwizard-core-1.3.29.jar
        - dropwizard-logging-1.3.29.jar
          - :x: **logback-core-1.2.3.jar** (Vulnerable Library)

### logback-classic-1.2.3.jar
logback-classic module
Library home page: http://www.qos.ch
Path to dependency file: /legend-depot-store-server/pom.xml
Path to vulnerable library: /legend-depot-store-server/pom.xml,/legend-depot-artifacts-purge/pom.xml,/legend-depot-store-status/pom.xml,/legend-depot-core-http/pom.xml,/legend-depot-server/pom.xml,/legend-depot-artifacts-refresh/pom.xml,/legend-depot-store-notifications/pom.xml
Dependency Hierarchy:
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
    - legend-depot-core-http-1.7.6-SNAPSHOT.jar
      - dropwizard-core-1.3.29.jar
        - dropwizard-logging-1.3.29.jar
          - :x: **logback-classic-1.2.3.jar** (Vulnerable Library)
Found in HEAD commit: 0e09140ab0afde1bcc8a1cd324ab9bbde68802df
Found in base branch: master
### Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configuration files could craft a malicious configuration allowing arbitrary code loaded from LDAP servers to be executed.

Mend Note: Converted from WS-2021-0491, on 2022-11-07.
Publish Date: 2021-12-16
URL: CVE-2021-42550
### CVSS 3 Score Details (6.6)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42550
Release Date: 2021-12-16
Fix Resolution: ch.qos.logback:logback-classic:1.2.9;ch.qos.logback:logback-core:1.2.9
CVE-2022-38752
### Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /legend-depot-store-server/pom.xml
Path to vulnerable library: /legend-depot-store-server/pom.xml,/legend-depot-store-notifications/pom.xml,/legend-depot-server/pom.xml,/legend-depot-core-http/pom.xml,/legend-depot-store-status/pom.xml,/legend-depot-artifacts-refresh/pom.xml,/legend-depot-artifacts-purge/pom.xml
Dependency Hierarchy:
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
    - legend-depot-core-http-1.7.6-SNAPSHOT.jar
      - dropwizard-core-1.3.29.jar
        - dropwizard-configuration-1.3.29.jar
          - jackson-dataformat-yaml-2.10.5.jar
            - :x: **snakeyaml-1.26.jar** (Vulnerable Library)
Found in HEAD commit: 0e09140ab0afde1bcc8a1cd324ab9bbde68802df
Found in base branch: master
### Vulnerability Details

Applications using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38752
### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/advisories/GHSA-9w3m-gqgf-c4p9
Release Date: 2022-09-05
Fix Resolution: org.yaml:snakeyaml:1.32
CVE-2022-38751
### Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /legend-depot-store-server/pom.xml
Path to vulnerable library: /legend-depot-store-server/pom.xml,/legend-depot-store-notifications/pom.xml,/legend-depot-server/pom.xml,/legend-depot-core-http/pom.xml,/legend-depot-store-status/pom.xml,/legend-depot-artifacts-refresh/pom.xml,/legend-depot-artifacts-purge/pom.xml
Dependency Hierarchy:
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
    - legend-depot-core-http-1.7.6-SNAPSHOT.jar
      - dropwizard-core-1.3.29.jar
        - dropwizard-configuration-1.3.29.jar
          - jackson-dataformat-yaml-2.10.5.jar
            - :x: **snakeyaml-1.26.jar** (Vulnerable Library)
Found in HEAD commit: 0e09140ab0afde1bcc8a1cd324ab9bbde68802df
Found in base branch: master
### Vulnerability Details

Applications using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38751
### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039
Release Date: 2022-09-05
Fix Resolution: org.yaml:snakeyaml:1.31
CVE-2022-38750
### Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /legend-depot-store-server/pom.xml
Path to vulnerable library: /legend-depot-store-server/pom.xml,/legend-depot-store-notifications/pom.xml,/legend-depot-server/pom.xml,/legend-depot-core-http/pom.xml,/legend-depot-store-status/pom.xml,/legend-depot-artifacts-refresh/pom.xml,/legend-depot-artifacts-purge/pom.xml
Dependency Hierarchy:
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
    - legend-depot-core-http-1.7.6-SNAPSHOT.jar
      - dropwizard-core-1.3.29.jar
        - dropwizard-configuration-1.3.29.jar
          - jackson-dataformat-yaml-2.10.5.jar
            - :x: **snakeyaml-1.26.jar** (Vulnerable Library)
Found in HEAD commit: 0e09140ab0afde1bcc8a1cd324ab9bbde68802df
Found in base branch: master
### Vulnerability Details

Applications using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38750
### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027
Release Date: 2022-09-05
Fix Resolution: org.yaml:snakeyaml:1.31
CVE-2022-38749
### Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /legend-depot-store-server/pom.xml
Path to vulnerable library: /legend-depot-store-server/pom.xml,/legend-depot-store-notifications/pom.xml,/legend-depot-server/pom.xml,/legend-depot-core-http/pom.xml,/legend-depot-store-status/pom.xml,/legend-depot-artifacts-refresh/pom.xml,/legend-depot-artifacts-purge/pom.xml
Dependency Hierarchy:
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
    - legend-depot-core-http-1.7.6-SNAPSHOT.jar
      - dropwizard-core-1.3.29.jar
        - dropwizard-configuration-1.3.29.jar
          - jackson-dataformat-yaml-2.10.5.jar
            - :x: **snakeyaml-1.26.jar** (Vulnerable Library)
Found in HEAD commit: 0e09140ab0afde1bcc8a1cd324ab9bbde68802df
Found in base branch: master
### Vulnerability Details

Applications using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38749
### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027
Release Date: 2022-09-05
Fix Resolution: org.yaml:snakeyaml:1.31
CVE-2023-1932
### Vulnerable Library - hibernate-validator-5.4.2.Final.jar

Hibernate's Bean Validation (JSR-303) reference implementation.
Library home page: http://hibernate.org/validator
Path to dependency file: /legend-depot-artifacts-refresh/pom.xml
Path to vulnerable library: /legend-depot-artifacts-refresh/pom.xml,/legend-depot-core-http/pom.xml,/legend-depot-server/pom.xml,/legend-depot-artifacts-purge/pom.xml,/legend-depot-store-status/pom.xml,/legend-depot-store-notifications/pom.xml,/legend-depot-store-server/pom.xml
Dependency Hierarchy:
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
    - legend-depot-core-http-1.7.6-SNAPSHOT.jar
      - dropwizard-core-1.3.29.jar
        - dropwizard-validation-1.3.29.jar
          - :x: **hibernate-validator-5.4.2.Final.jar** (Vulnerable Library)
Found in HEAD commit: 0e09140ab0afde1bcc8a1cd324ab9bbde68802df
Found in base branch: master
### Vulnerability Details

A vulnerability was found in hibernate-validator version 6.1.2.Final, where the method 'isValid' in the class org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator can be bypassed by omitting the tag end (less-than sign). Browsers typically still render the invalid HTML, which leads to attacks like HTML injection and Cross-Site Scripting.
Publish Date: 2024-11-07
URL: CVE-2023-1932
### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1809444
Release Date: 2023-04-07
Fix Resolution: org.hibernate.validator:hibernate-validator:6.2.0.Final
CVE-2024-8184
### Vulnerable Library - jetty-server-9.4.35.v20201120.jar

The core jetty server artifact.
Library home page: https://webtide.com
Path to dependency file: /legend-depot-store-status/pom.xml
Path to vulnerable library: /legend-depot-store-status/pom.xml,/legend-depot-store-notifications/pom.xml,/legend-depot-artifacts-refresh/pom.xml,/legend-depot-store-server/pom.xml,/legend-depot-server/pom.xml,/legend-depot-artifacts-purge/pom.xml,/legend-depot-core-http/pom.xml
Dependency Hierarchy:
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
    - legend-depot-core-http-1.7.6-SNAPSHOT.jar
      - dropwizard-core-1.3.29.jar
        - dropwizard-metrics-1.3.29.jar
          - dropwizard-lifecycle-1.3.29.jar
            - :x: **jetty-server-9.4.35.v20201120.jar** (Vulnerable Library)
Found in HEAD commit: 0e09140ab0afde1bcc8a1cd324ab9bbde68802df
Found in base branch: master
### Vulnerability Details

There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory.
Publish Date: 2024-10-14
URL: CVE-2024-8184
### CVSS 3 Score Details (5.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq
Release Date: 2024-10-14
Fix Resolution: org.eclipse.jetty:jetty-server:9.4.56,10.0.24,11.0.24,12.0.9, org.eclipse.jetty.ee9:jetty-ee9-nested:9.4.56,10.0.24,11.0.24,12.0.9
CVE-2022-41854
### Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /legend-depot-store-server/pom.xml
Path to vulnerable library: /legend-depot-store-server/pom.xml,/legend-depot-store-notifications/pom.xml,/legend-depot-server/pom.xml,/legend-depot-core-http/pom.xml,/legend-depot-store-status/pom.xml,/legend-depot-artifacts-refresh/pom.xml,/legend-depot-artifacts-purge/pom.xml
Dependency Hierarchy:
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
    - legend-depot-core-http-1.7.6-SNAPSHOT.jar
      - dropwizard-core-1.3.29.jar
        - dropwizard-configuration-1.3.29.jar
          - jackson-dataformat-yaml-2.10.5.jar
            - :x: **snakeyaml-1.26.jar** (Vulnerable Library)
Found in HEAD commit: 0e09140ab0afde1bcc8a1cd324ab9bbde68802df
Found in base branch: master
### Vulnerability Details

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
Publish Date: 2022-11-11
URL: CVE-2022-41854
### CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
### Suggested Fix
Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/
Release Date: 2022-11-11
Fix Resolution: org.yaml:snakeyaml:1.32
CVE-2024-9823
### Vulnerable Library - jetty-servlets-9.4.35.v20201120.jar
Utility Servlets from Jetty
Library home page: https://webtide.com
Path to dependency file: /legend-depot-store-server/pom.xml
Path to vulnerable library: /legend-depot-store-server/pom.xml,/legend-depot-store-status/pom.xml,/legend-depot-core-http/pom.xml,/legend-depot-artifacts-purge/pom.xml,/legend-depot-server/pom.xml,/legend-depot-artifacts-refresh/pom.xml,/legend-depot-store-notifications/pom.xml
Dependency Hierarchy:
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
    - legend-depot-core-http-1.7.6-SNAPSHOT.jar
      - dropwizard-core-1.3.29.jar
        - dropwizard-jetty-1.3.29.jar
          - :x: **jetty-servlets-9.4.35.v20201120.jar** (Vulnerable Library)
Found in HEAD commit: 0e09140ab0afde1bcc8a1cd324ab9bbde68802df
Found in base branch: master
### Vulnerability Details
There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack on a server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and eventually exhaust the server's memory.
Publish Date: 2024-10-14
URL: CVE-2024-9823
### CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/jetty/jetty.project/security/advisories/GHSA-7hcf-ppf8-5w5h
Release Date: 2024-10-14
Fix Resolution: org.eclipse.jetty:jetty-servlets:10.0.18,11.0.18,9.4.54.v20240208, org.eclipse.jetty.ee8:jetty-ee8-servlets:12.0.3, org.eclipse.jetty.ee9:jetty-ee9-servlets:12.0.3, org.eclipse.jetty.ee10:jetty-ee10-servlets:12.0.3
CVE-2023-40167
### Vulnerable Library - jetty-http-9.4.35.v20201120.jar
Library home page: https://webtide.com
Path to dependency file: /legend-depot-artifacts-purge/pom.xml
Path to vulnerable library: /legend-depot-artifacts-purge/pom.xml,/legend-depot-store-notifications/pom.xml,/legend-depot-server/pom.xml,/legend-depot-artifacts-refresh/pom.xml,/legend-depot-core-http/pom.xml,/legend-depot-store-status/pom.xml,/legend-depot-store-server/pom.xml
Dependency Hierarchy:
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
    - legend-depot-core-http-1.7.6-SNAPSHOT.jar
      - dropwizard-core-1.3.29.jar
        - dropwizard-metrics-1.3.29.jar
          - dropwizard-lifecycle-1.3.29.jar
            - jetty-server-9.4.35.v20201120.jar
              - :x: **jetty-http-9.4.35.v20201120.jar** (Vulnerable Library)
Found in HEAD commit: 0e09140ab0afde1bcc8a1cd324ab9bbde68802df
Found in base branch: master
### Vulnerability Details
Jetty is a Java-based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if Jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround, as there is no known exploit scenario.
Publish Date: 2023-09-15
URL: CVE-2023-40167
### CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6
Release Date: 2023-09-15
Fix Resolution: org.eclipse.jetty:jetty-http:9.4.52.v20230823,10.0.16,11.0.16,12.0.1
CVE-2023-26048
### Vulnerable Library - jetty-server-9.4.35.v20201120.jar
The core Jetty server artifact.
Library home page: https://webtide.com
Path to dependency file: /legend-depot-store-status/pom.xml
Path to vulnerable library: /legend-depot-store-status/pom.xml,/legend-depot-store-notifications/pom.xml,/legend-depot-artifacts-refresh/pom.xml,/legend-depot-store-server/pom.xml,/legend-depot-server/pom.xml,/legend-depot-artifacts-purge/pom.xml,/legend-depot-core-http/pom.xml
Dependency Hierarchy:
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
    - legend-depot-core-http-1.7.6-SNAPSHOT.jar
      - dropwizard-core-1.3.29.jar
        - dropwizard-metrics-1.3.29.jar
          - dropwizard-lifecycle-1.3.29.jar
            - :x: **jetty-server-9.4.35.v20201120.jar** (Vulnerable Library)
Found in HEAD commit: 0e09140ab0afde1bcc8a1cd324ab9bbde68802df
Found in base branch: master
### Vulnerability Details
Jetty is a Java-based web server and servlet engine. In affected versions, servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause an `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default setting of `fileSizeThreshold=0`, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service, although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` to a non-negative value, so that the whole multipart content is limited (although still read into memory).
Publish Date: 2023-04-18
URL: CVE-2023-26048
### CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
### Suggested Fix
Type: Upgrade version
Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
Release Date: 2023-04-18
Fix Resolution: org.eclipse.jetty:jetty-server:9.4.51.v20230217,10.0.14,11.0.14;org.eclipse.jetty:jetty-runner:9.4.51.v20230217,10.0.14,11.0.14
CVE-2021-28170
### Vulnerable Library - javax.el-3.0.0.jar
Java.net - The Source for Java Technology Collaboration
Library home page: http://glassfish.org
Path to dependency file: /legend-depot-artifacts-purge/pom.xml
Path to vulnerable library: /legend-depot-artifacts-purge/pom.xml,/legend-depot-store-notifications/pom.xml,/legend-depot-artifacts-refresh/pom.xml,/legend-depot-server/pom.xml,/legend-depot-core-http/pom.xml,/legend-depot-store-status/pom.xml,/legend-depot-store-server/pom.xml
Dependency Hierarchy:
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
    - legend-depot-core-http-1.7.6-SNAPSHOT.jar
      - dropwizard-core-1.3.29.jar
        - dropwizard-validation-1.3.29.jar
          - :x: **javax.el-3.0.0.jar** (Vulnerable Library)
Found in HEAD commit: 0e09140ab0afde1bcc8a1cd324ab9bbde68802df
Found in base branch: master
### Vulnerability Details
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.
Publish Date: 2021-05-26
URL: CVE-2021-28170
### CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None
### Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2021-28170
Release Date: 2021-05-26
Fix Resolution: org.glassfish:jakarta.el:3.0.4, com.sun.el:el-ri:3.0.4