bonigarcia / webdrivermanager

Automated driver management and other helper features for Selenium WebDriver in Java
https://bonigarcia.dev/webdrivermanager/
Apache License 2.0

The open source project bonigarcia/webdrivermanager you follow is affected by 3 open source components with security flaws #896

Closed Drjacky closed 1 year ago

Drjacky commented 2 years ago

After I visited this repo, I got this email (which is weird!):

The bonigarcia/webdrivermanager project has introduced a total of 3 vulnerable components. The following is some of the main information:

Full report: https://www.oscs1024.com/cd/1527731389443649536?sign=e1561308&report=1

Defective component: commons-io:commons-io@2.6 - indirect introduction
Vulnerability Title: Apache Commons IO Path Traversal Vulnerability
Impact Description: Apache Commons IO is an application of the American Apache (Apache) Foundation. Provides a function to help develop IO. A path traversal vulnerability exists in Apache Commons IO versions 2.2 through 2.6 that arises when the FileNameUtils.normalize method is called with an incorrect input string (such as "//../foo" or ".. foo"), which may provide access to files in the parent directory.
CVE Number: CVE-2021-29425
National vulnerability database information: https://www.cnvd.org.cn/flaw/show/CNVD-2021-30583
Influence range: [0, 2.7)
Min fix version: 2.7
Component import path: io.github.bonigarcia:webdrivermanager@5.2.2-SNAPSHOT->com.github.docker-java:docker-java-core@3.2.13->commons-io:commons-io@2.6
Vulnerability details: https://www.oscs1024.com/hd/MPS-2021-4531

Defective component: org.bouncycastle:bcprov-jdk15on@1.64 - indirect import
Vulnerability Title: Bouncy Castle BC Race Condition Issue Vulnerability
Impact Description: Bouncy Castle BC is a cryptographic library for C# and Java applications by the Bouncy Castle organization. In Bouncy Castle BC Java, BC C# .NET, BC-FJA and BC-FNA, a race condition issue vulnerability exists that could allow attackers to bypass access restrictions on data in order to obtain sensitive information.
CVE Number: CVE-2020-15522
National Vulnerability Database Information:
Sphere of Influence: (∞, 1.66)
Min fix version: 1.66
Component import path: io.github.bonigarcia:webdrivermanager@5.2.2-SNAPSHOT->com.github.docker-java:docker-java-core@3.2.13->org.bouncycastle:bcpkix-jdk15on@1.64->org.bouncycastle:bcprov-jdk15on@1.64
Vulnerability details: https://www.oscs1024.com/hd/MPS-2021-7064


sander-cb commented 2 years ago

You seem to run version 5.2.2-SNAPSHOT, do you find the same vulnerabilities in the latest 5.3.0 release?

mrpeterli commented 2 years ago

I am also having a similar issue with 5.3.0 as well as two other High severity CVSS alerts.

com.github.docker-java:docker-java:3.2.13 -> com.fasterxml.jackson.core:jackson-databind:2.10.3 CVE-2020-36518 CVE-2020-25649

com.github.docker-java:docker-java:3.2.13 -> commons-io:commons-io:2.6 Apache Commons IO input/InfiniteCircularInputStream.java InfiniteCircularInputStream::read() Function Buffer Handling Divide-by-zero DoS

Drjacky commented 2 years ago

Yes, with 5.3.0:

Found vulnerabilities in 5 dependencies
[1/5] - pkg:maven/commons-io/commons-io@2.6 - 1 vulnerability found!

   Vulnerability Title:  [sonatype-2018-0705] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
   ID:  sonatype-2018-0705
   Description:  commons-io - Path Traversal [CVE-2021-29425]  The software uses external input to construct a pathname that is intended to identify a fil...
   CVSS Score:  (5.3/10, Medium)
   CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
   CVE:  CVE-2021-29425
   Reference:  https://ossindex.sonatype.org/vulnerability/sonatype-2018-0705?component-type=maven&component-name=commons-io%2Fcommons-io&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1

[2/5] - pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.10.3 - 3 vulnerabilities found!

   Vulnerability Title:  [CVE-2020-25649] CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
   ID:  CVE-2020-25649
   Description:  A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability t...
   CVSS Score:  (7.5/10, High)
   CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
   CVE:  CVE-2020-25649
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2020-25649?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1

   Vulnerability Title:  [CVE-2020-36518] CWE-787: Out-of-bounds Write
   ID:  CVE-2020-36518
   Description:  jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
   CVSS Score:  (7.5/10, High)
   CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE:  CVE-2020-36518
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2020-36518?component-type=maven&component-name=com.fasterxml.jackson.core%2Fjackson-databind&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1

   Vulnerability Title:  1 vulnerability found
   ID:  sonatype-2021-4682
   Description:  1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request for this i...
   CVSS Score:  (7.5/10, High)
   CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE:  Unspecified
   Reference:  https://ossindex.sonatype.org/vulnerability/sonatype-2021-4682

[3/5] - pkg:maven/com.google.guava/guava@19.0 - 2 vulnerabilities found!

   Vulnerability Title:  1 vulnerability found
   ID:  sonatype-2020-0926
   Description:  1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request for this i...
   CVSS Score:  (6.2/10, High)
   CVSS Vector:  CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
   CVE:  Unspecified
   Reference:  https://ossindex.sonatype.org/vulnerability/sonatype-2020-0926

   Vulnerability Title:  [CVE-2018-10237] CWE-770: Allocation of Resources Without Limits or Throttling
   ID:  CVE-2018-10237
   Description:  Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks ...
   CVSS Score:  (5.9/10, Medium)
   CVSS Vector:  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE:  CVE-2018-10237
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2018-10237?component-type=maven&component-name=com.google.guava%2Fguava&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1

[4/5] - pkg:maven/org.bouncycastle/bcprov-jdk15on@1.64 - 2 vulnerabilities found!

   Vulnerability Title:  [CVE-2020-0187] In engineSetMode of BaseBlockCipher.java, there is a possible incorrect cryptographic algorithm chosen due to an incomplete comparison. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-148517383
   ID:  CVE-2020-0187
   Description:  In engineSetMode of BaseBlockCipher.java, there is a possible incorrect cryptographic algorithm chosen due to an incomplete comparison. T...
   CVSS Score:  (5.5/10, Medium)
   CVSS Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
   CVE:  CVE-2020-0187
   Reference:  https://ossindex.sonatype.org/vulnerability/CVE-2020-0187?component-type=maven&component-name=org.bouncycastle%2Fbcprov-jdk15on&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1

   Vulnerability Title:  1 vulnerability found
   ID:  sonatype-2020-0770
   Description:  1 non-CVE vulnerability found. To see more details, please create a free account at https://ossindex.sonatype.org/ and request for this i...
   CVSS Score:  (5.5/10, Medium)
   CVSS Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
   CVE:  Unspecified
   Reference:  https://ossindex.sonatype.org/vulnerability/sonatype-2020-0770

########THIS ONE IS NOT FROM YOUR LIB########

[5/5] - pkg:maven/com.google.code.gson/gson@2.8.5 - 1 vulnerability found!

   Vulnerability Title:  [sonatype-2021-1694] CWE-502: Deserialization of Untrusted Data
   ID:  sonatype-2021-1694
   Description:  gson - Deserialization of Untrusted Data [CVE-2022-25647]  The application deserializes untrusted data without sufficiently verifying tha...
   CVSS Score:  (7.5/10, High)
   CVSS Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
   CVE:  CVE-2022-25647
   Reference:  https://ossindex.sonatype.org/vulnerability/sonatype-2021-1694?component-type=maven&component-name=com.google.code.gson%2Fgson&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1

bonigarcia commented 2 years ago

It seems these are security problems due to transitive dependencies to WebDriverManager, right? I am not sure if I can do anything to solve it.

Drjacky commented 2 years ago

Probably just update those dependencies and hope they have fixed it:

https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind
https://mvnrepository.com/artifact/com.google.guava/guava
https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on


And if you don't have/use them in your code, define them explicitly like this: Kotlin DSL:

implementation("org.bouncycastle:bcprov-jdk15on") {
    version {
        // strict constraint: this version wins over any transitive request
        strictly("1.70")
    }
}

Groovy:

implementation('org.bouncycastle:bcprov-jdk15on') {
    version {
        strictly '[1.70,)'
        prefer '1.70'
    }
}

bonigarcia commented 2 years ago

These dependencies are transitive in my project, which means that I do not explicitly define their versions, but some of my dependencies do (docker-java in all cases). Moreover, my project uses Maven, not Gradle.
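
A Maven counterpart to the Gradle pin suggested above, added here as an illustration and not a change made in the project: entries under `<dependencyManagement>` override the versions Maven resolves for transitive dependencies such as those pulled in through docker-java, while keeping the artifacts on the classpath (unlike the exclusion approach). The versions are the minimum fixed versions quoted in this thread, used as placeholders; a real fix would pick current releases and confirm the result with `mvn dependency:tree`.

```xml
<!-- Assumed pom.xml fragment for a consuming project (illustrative, not the project's own POM) -->
<project>
  <!-- dependencyManagement pins versions for transitive dependencies as well as direct ones.
       Unlike an <exclusion>, the artifact stays on the classpath, only at the chosen version. -->
  <dependencyManagement>
    <dependencies>
      <!-- CVE-2021-29425: the thread reports 2.7 as the minimum fixed version -->
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>2.7</version>
      </dependency>
      <!-- CVE-2020-36518: the scan says jackson-databind before 2.13.0 is affected -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.13.0</version>
      </dependency>
      <!-- CVE-2018-10237: affected 11.0 through 24.x before 24.1.1 -->
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>24.1.1</version>
      </dependency>
      <!-- CVE-2020-15522: minimum fixed version 1.66; 1.70 is what the Gradle snippet pins -->
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk15on</artifactId>
        <version>1.70</version>
      </dependency>
      <!-- bcpkix must stay at the same version as bcprov, so pin it too -->
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcpkix-jdk15on</artifactId>
        <version>1.70</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- the dependency that brings the transitive ones in; version taken from the thread -->
    <dependency>
      <groupId>com.github.docker-java</groupId>
      <artifactId>docker-java-core</artifactId>
      <version>3.2.13</version>
    </dependency>
  </dependencies>
</project>
```

`mvn dependency:tree -Dincludes=commons-io,org.bouncycastle` then shows which version of each managed artifact actually resolved, which is the check that the override took effect.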

bonigarcia commented 2 years ago

I have just committed a patch (87e5f0ac8a37b479a3d5e3ff18ed59a8c30c4fa1) that excludes these dependencies. But I am not sure if this is going to break something. Let's see what CI thinks about it.

bonigarcia commented 2 years ago

Nope, excluding is not a solution for this: https://github.com/bonigarcia/webdrivermanager/actions/runs/3089548184/jobs/4997285412

bonigarcia commented 1 year ago

Since these dependencies are transitive in WebDriverManager, maybe this should be reported to the docker-java project.