Closed Drjacky closed 1 year ago
You seem to run version 5.2.2-SNAPSHOT, do you find the same vulnerabilities in the latest 5.3.0 release?
I am also having a similar issue with 5.3.0 as well as two other High severity CVSS alerts.
com.github.docker-java:docker-java:3.2.13 -> com.fasterxml.jackson.core:jackson-databind:2.10.3 CVE-2020-36518 CVE-2020-25649
com.github.docker-java:docker-java:3.2.13 -> commons-io:commons-io:2.6 Apache Commons IO input/InfiniteCircularInputStream.java InfiniteCircularInputStream::read() Function Buffer Handling Divide-by-zero DoS
Yes, with 5.3.0:
Found vulnerabilities in 5 dependencies
[1/5] - pkg:maven/commons-io/commons-io@2.6 - 1 vulnerability found!
Vulnerability Title: [sonatype-2018-0705] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ID: sonatype-2018-0705
Description: commons-io - Path Traversal [CVE-2021-29425] The software uses external input to construct a pathname that is intended to identify a fil...
CVSS Score: (5.3/10, Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE: CVE-2021-29425
Reference: https://ossindex.sonatype.org/vulnerability/sonatype-2018-0705?component-type=maven&component-name=commons-io%2Fcommons-io&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[2/5] - pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.3 - 3 vulnerabilities found!
Vulnerability Title: [CVE-2020-25649] CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
ID: CVE-2020-25649
Description: A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability t...
CVSS Score: (7.5/10, High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE: CVE-2020-25649
Reference: https://ossindex.sonatype.org/vulnerability/CVE-2020-25649?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Vulnerability Title: [CVE-2020-36518] CWE-787: Out-of-bounds Write
ID: CVE-2020-36518
Description: jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
CVSS Score: (7.5/10, High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE: CVE-2020-36518
Reference: https://ossindex.sonatype.org/vulnerability/CVE-2020-36518?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Vulnerability Title: 1 vulnerability found
ID: sonatype-2021-4682
Description: 1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request for this i...
CVSS Score: (7.5/10, High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE: Unspecified
Reference: https://ossindex.sonatype.org/vulnerability/sonatype-2021-4682
[3/5] - pkg:maven/com.google.guava/guava@19.0 - 2 vulnerabilities found!
Vulnerability Title: 1 vulnerability found
ID: sonatype-2020-0926
Description: 1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request for this i...
CVSS Score: (6.2/10, High)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE: Unspecified
Reference: https://ossindex.sonatype.org/vulnerability/sonatype-2020-0926
Vulnerability Title: [CVE-2018-10237] CWE-770: Allocation of Resources Without Limits or Throttling
ID: CVE-2018-10237
Description: Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks ...
CVSS Score: (5.9/10, Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE: CVE-2018-10237
Reference: https://ossindex.sonatype.org/vulnerability/CVE-2018-10237?component-type=maven&component-name=com.google.guava%2Fguava&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
[4/5] - pkg:maven/org.bouncycastle/bcprov-jdk15on@1.64 - 2 vulnerabilities found!
Vulnerability Title: [CVE-2020-0187] In engineSetMode of BaseBlockCipher.java, there is a possible incorrect cryptographic algorithm chosen due to an incomplete comparison. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-148517383
ID: CVE-2020-0187
Description: In engineSetMode of BaseBlockCipher.java, there is a possible incorrect cryptographic algorithm chosen due to an incomplete comparison. T...
CVSS Score: (5.5/10, Medium)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE: CVE-2020-0187
Reference: https://ossindex.sonatype.org/vulnerability/CVE-2020-0187?component-type=maven&component-name=org.bouncycastle%2Fbcprov-jdk15on&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Vulnerability Title: 1 vulnerability found
ID: sonatype-2020-0770
Description: 1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request for this i...
CVSS Score: (5.5/10, Medium)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE: Unspecified
Reference: https://ossindex.sonatype.org/vulnerability/sonatype-2020-0770
########THIS ONE IS NOT FROM YOUR LIB########
[5/5] - pkg:maven/com.google.code.gson/gson@2.8.5 - 1 vulnerability found!
Vulnerability Title: [sonatype-2021-1694] CWE-502: Deserialization of Untrusted Data
ID: sonatype-2021-1694
Description: gson - Deserialization of Untrusted Data [CVE-2022-25647] The application deserializes untrusted data without sufficiently verifying tha...
CVSS Score: (7.5/10, High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE: CVE-2022-25647
Reference: https://ossindex.sonatype.org/vulnerability/sonatype-2021-1694?component-type=maven&component-name=com.google.code.gson%2Fgson&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
It seems these are security problems due to transitive dependencies of WebDriverManager, right? I am not sure if I can do anything to solve it.
Probably just update those dependencies and hope they have fixed it:
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind https://mvnrepository.com/artifact/com.google.guava/guava https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on
And if you don't have/use them in your code, define them explicitly like this:

Kotlin DSL:

    // force the resolved version of the transitive dependency
    implementation("org.bouncycastle:bcprov-jdk15on") {
        version {
            strictly("1.70")
        }
    }

Groovy:

    // same as above: require at least 1.70 and prefer exactly 1.70
    implementation('org.bouncycastle:bcprov-jdk15on') { version { strictly '[1.70,)'; prefer '1.70' } }
These dependencies are transitive in my project, which means that I do not explicitly define their versions, but some of my dependencies do (docker-java in all cases). Moreover, my project uses Maven, not Gradle.
I have just committed a patch (87e5f0ac8a37b479a3d5e3ff18ed59a8c30c4fa1) that excludes these dependencies. But I am not sure if this is going to break something. Let's see what CI thinks about it.
Nope, excluding is not a solution for this: https://github.com/bonigarcia/webdrivermanager/actions/runs/3089548184/jobs/4997285412
Since these dependencies are transitive in WebDriverManager, maybe this should be reported to the docker-java project.
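For the Maven case discussed above, here is an added example of how a library can override the versions that docker-java pulls in transitively without excluding them (exclusion broke CI in this thread). This is illustration written for this thread, not code from the WebDriverManager project. Maven resolves version conflicts by "nearest definition wins", and it only honours the `<dependencyManagement>` of the top-level project being built, not that of a library it depends on; so for a library whose consumers should also get the fixed versions, the overrides are declared as direct dependencies. The versions are the fixed versions named on this page (commons-io 2.7, jackson-databind 2.13.0, guava 24.1.1, bcprov 1.70 from the Gradle snippet); whether docker-java 3.2.13 works correctly with them is an assumption that the build and tests must confirm.

```xml
<!-- Added example for this thread, not the WebDriverManager project's own pom.xml.
     Coordinates of the library come from the thread; docker-java version is the one
     the scanner reported. Compatibility of docker-java with the pinned versions is
     assumed, not verified here. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>io.github.bonigarcia</groupId>
  <artifactId>webdrivermanager</artifactId>
  <version>5.2.2-SNAPSHOT</version>

  <dependencies>
    <!-- The dependency that brings the vulnerable artifacts in transitively -->
    <dependency>
      <groupId>com.github.docker-java</groupId>
      <artifactId>docker-java</artifactId>
      <version>3.2.13</version>
    </dependency>

    <!-- Direct declarations sit at depth 1 of the tree, so "nearest wins" selects
         these versions over the ones docker-java-core declares, both in this build
         and in the builds of projects that depend on this library. -->

    <!-- CVE-2021-29425 (path traversal in FileNameUtils.normalize): min fix version 2.7 -->
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.7</version>
    </dependency>

    <!-- CVE-2020-36518 (StackOverflow DoS via deeply nested objects): fixed in 2.13.0 -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.13.0</version>
    </dependency>

    <!-- CVE-2018-10237 (unbounded memory allocation): fixed in 24.1.1 -->
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>24.1.1</version>
    </dependency>

    <!-- CVE-2020-15522 (min fix 1.66) and CVE-2020-0187; 1.70 matches the Gradle
         snippet in this thread. bcpkix is pulled in next to bcprov (see the import
         path in the scanner email) and the two Bouncy Castle artifacts must be kept
         at the same version, so both are pinned. -->
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk15on</artifactId>
      <version>1.70</version>
    </dependency>
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcpkix-jdk15on</artifactId>
      <version>1.70</version>
    </dependency>
  </dependencies>
</project>
```

After changing the pom, `mvn dependency:tree` shows which version Maven actually selected for each artifact and marks the docker-java-core copies as omitted for conflict; re-running the OSS Index scan against the result confirms the findings for these four packages are gone. A consumer of the library that still sees the old versions can apply the same coordinates in its own `<dependencyManagement>`, which Maven does honour at the top level.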
After I visited this repo, I got this email (which is weird!):
The bonigarcia/webdrivermanager project has introduced a total of 3 vulnerable components. The following is some of the main information:
Full report: https://www.oscs1024.com/cd/1527731389443649536?sign=e1561308&report=1
Defective component: commons-io:commons-io@2.6 - indirect introduction
Vulnerability Title: Apache Commons IO Path Traversal Vulnerability
Impact Description: Apache Commons IO is an application of the American Apache (Apache) Foundation. Provides a function to help develop IO. A path traversal vulnerability exists in Apache Commons IO versions 2.2 through 2.6 that arises when the FileNameUtils.normalize method is called with an incorrect input string (such as "//../foo" or ".. foo"), which may provide access to files in the parent directory.
CVE Number: CVE-2021-29425
National vulnerability database information: https://www.cnvd.org.cn/flaw/show/CNVD-2021-30583
Influence range: [0, 2.7)
Min fix version: 2.7
Component import path: io.github.bonigarcia:webdrivermanager@5.2.2-SNAPSHOT->com.github.docker-java:docker-java-core@3.2.13->commons-io:commons-io@2.6
Vulnerability details: https://www.oscs1024.com/hd/MPS-2021-4531

Defective component: org.bouncycastle:bcprov-jdk15on@1.64 - indirect import
Vulnerability Title: Bouncy Castle BC Race Condition Issue Vulnerability
Impact Description: Bouncy Castle BC is a cryptographic library for C# and Java applications by the Bouncy Castle organization. A race condition issue vulnerability exists in Bouncy Castle BC Java, BC C# .NET, BC-FJA and BC-FNA that could allow attackers to bypass access restrictions on data in order to obtain sensitive information.
CVE Number: CVE-2020-15522
National Vulnerability Database Information:
Sphere of influence: (∞, 1.66)
Min fix version: 1.66
Component import path: io.github.bonigarcia:webdrivermanager@5.2.2-SNAPSHOT->com.github.docker-java:docker-java-core@3.2.13->org.bouncycastle:bcpkix-jdk15on@1.64->org.bouncycastle:bcprov-jdk15on@1.64
Vulnerability details: https://www.oscs1024.com/hd/MPS-2021-7064