Open mend-for-github-com[bot] opened 3 years ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
CVE-2018-11087 - Medium Severity Vulnerability
spring-amqp-2.0.5.RELEASE.jar
Spring AMQP Core
Library home page: https://projects.spring.io/spring-amqp
Path to dependency file: /commons/pac-api-commons/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/amqp/spring-amqp/2.0.5.RELEASE/spring-amqp-2.0.5.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/amqp/spring-amqp/2.0.5.RELEASE/spring-amqp-2.0.5.RELEASE.jar
Dependency Hierarchy: - spring-cloud-starter-bus-amqp-2.0.0.RELEASE.jar (Root Library) - spring-cloud-starter-stream-rabbit-2.0.0.RELEASE.jar - spring-cloud-stream-binder-rabbit-2.0.0.RELEASE.jar - spring-cloud-stream-binder-rabbit-core-2.0.0.RELEASE.jar - spring-boot-starter-amqp-2.0.4.RELEASE.jar - spring-rabbit-2.0.5.RELEASE.jar - :x: **spring-amqp-2.0.5.RELEASE.jar** (Vulnerable Library)
amqp-client-5.1.2.jar
The RabbitMQ Java client library allows Java applications to interface with RabbitMQ.
Library home page: http://www.rabbitmq.com
Path to dependency file: /api/pacman-api-admin/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/rabbitmq/amqp-client/5.1.2/amqp-client-5.1.2.jar,/home/wss-scanner/.m2/repository/com/rabbitmq/amqp-client/5.1.2/amqp-client-5.1.2.jar
Dependency Hierarchy: - spring-cloud-starter-bus-amqp-2.0.0.RELEASE.jar (Root Library) - spring-cloud-starter-stream-rabbit-2.0.0.RELEASE.jar - spring-cloud-stream-binder-rabbit-2.0.0.RELEASE.jar - spring-cloud-stream-binder-rabbit-core-2.0.0.RELEASE.jar - spring-boot-starter-amqp-2.0.4.RELEASE.jar - spring-rabbit-2.0.5.RELEASE.jar - :x: **amqp-client-5.1.2.jar** (Vulnerable Library)
spring-rabbit-2.0.5.RELEASE.jar
Spring RabbitMQ Support
Library home page: https://projects.spring.io/spring-amqp
Path to dependency file: /commons/pac-api-commons/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/amqp/spring-rabbit/2.0.5.RELEASE/spring-rabbit-2.0.5.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/amqp/spring-rabbit/2.0.5.RELEASE/spring-rabbit-2.0.5.RELEASE.jar
Dependency Hierarchy: - spring-cloud-starter-bus-amqp-2.0.0.RELEASE.jar (Root Library) - spring-cloud-starter-stream-rabbit-2.0.0.RELEASE.jar - spring-cloud-stream-binder-rabbit-2.0.0.RELEASE.jar - spring-cloud-stream-binder-rabbit-core-2.0.0.RELEASE.jar - spring-boot-starter-amqp-2.0.4.RELEASE.jar - :x: **spring-rabbit-2.0.5.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: acf9a0620c1a37cee4f2896d71e1c3731c5c7b06
Found in base branch: master
Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit.
Publish Date: 2018-09-14
URL: CVE-2018-11087
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11087
Release Date: 2018-09-11
Fix Resolution (org.springframework.amqp:spring-amqp): 2.0.6.RELEASE
Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-bus-amqp): 2.0.1.RELEASE
Fix Resolution (com.rabbitmq:amqp-client): 2.0.6.RELEASE
Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-bus-amqp): 2.0.1.RELEASE
Fix Resolution (org.springframework.amqp:spring-rabbit): 2.0.6.RELEASE
Direct dependency fix Resolution (org.springframework.cloud:spring-cloud-starter-bus-amqp): 2.0.1.RELEASE