bengmend / WebGoat

demo
Other
0 stars 0 forks source link

asciidoctorj-2.5.3.jar: 1 vulnerabilities (highest severity is: 7.5) unreachable - autoclosed #48

Closed mend-for-github-com[bot] closed 6 months ago

mend-for-github-com[bot] commented 6 months ago
Vulnerable Library - asciidoctorj-2.5.3.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/joda-time/joda-time/2.10.10/joda-time-2.10.10.jar

Found in HEAD commit: 9e6fae155f315fd0f4b7ffb352b78b28e6d061b9

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (asciidoctorj version) Remediation Possible** Reachability
CVE-2024-23080 High 7.5 Not Defined 0.0% joda-time-2.10.10.jar Transitive N/A*

Unreachable

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-23080 ### Vulnerable Library - joda-time-2.10.10.jar

Date and time library to replace JDK date handling

Library home page: https://www.joda.org/joda-time/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/joda-time/joda-time/2.10.10/joda-time-2.10.10.jar

Dependency Hierarchy: - asciidoctorj-2.5.3.jar (Root Library) - jruby-9.3.6.0.jar - jruby-base-9.3.6.0.jar - :x: **joda-time-2.10.10.jar** (Vulnerable Library)

Found in HEAD commit: 9e6fae155f315fd0f4b7ffb352b78b28e6d061b9

Found in base branch: main

### Reachability Analysis

The vulnerable code is unreachable

### Vulnerability Details

Joda Time v2.12.5 was discovered to contain a NullPointerException via the component org.joda.time.format.PeriodFormat::wordBased(Locale). NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.

Publish Date: 2024-04-10

URL: CVE-2024-23080

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

mend-for-github-com[bot] commented 6 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.