Closed mend-for-github-com[bot] closed 2 years ago
Not applicable to WDK
:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
CVE-2021-36374 - Medium Severity Vulnerability
Vulnerable Library - ant-1.10.9.jar
Library home page: https://ant.apache.org/
Path to dependency file: symphony-wdk/workflow-bot-app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.ant/ant/1.10.9/a8a0c9bc4473acdac25832d0a9da2ca9fd9cd35f/ant-1.10.9.jar
Dependency Hierarchy:
- groovy-all-3.0.8-groovydoc.jar (Root Library)
  - groovy-ant-3.0.8.jar
    - ant-junit-1.10.9.jar
      - :x: **ant-1.10.9.jar** (Vulnerable Library)
Found in HEAD commit: 004d6ff32b56fa8739f47862c8544f6270c29183
Found in base branch: master
Vulnerability Details
When reading a specially crafted ZIP archive, or a derived format, an Apache Ant build can be made to allocate large amounts of memory, leading to an out-of-memory error even for small inputs. This can be used to disrupt builds that use Apache Ant. Commonly used formats derived from ZIP archives include JAR files and many office document files. Apache Ant versions prior to 1.9.16 and 1.10.11 are affected.
Publish Date: 2021-07-14
URL: CVE-2021-36374
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

Suggested Fix
Type: Upgrade version
Origin: https://ant.apache.org/security.html
Release Date: 2021-07-14
Fix Resolution: org.apache.ant:ant:1.9.16,1.10.11