The codec package contains simple encoders and decoders for
various formats such as Base64 and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.
WS-2010-0001 - Medium Severity Vulnerability
Vulnerable Libraries - common-codec-1.3.jar, commons-codec-1.2.jar
common-codec-1.3.jar
Common codecs for Java Agent Development Framework
path: /root/.m2/repository/commons-codec/commons-codec/1.3/commons-codec-1.3.jar
Library home page: http://jakarta.apache.org/commons/codec/
Dependency Hierarchy:
- myfaces-impl-1.1.2.jar (Root Library)
  - :x: **common-codec-1.3.jar** (Vulnerable Library)

commons-codec-1.2.jar
The codec package contains simple encoders and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
path: /root/.m2/repository/commons-codec/commons-codec/1.2/commons-codec-1.2.jar
Dependency Hierarchy:
- commons-httpclient-3.1.jar (Root Library)
  - :x: **commons-codec-1.2.jar** (Vulnerable Library)
Found in HEAD commit: 1d3a9da2b49a075b9122e05e19a483fc66b5aaf4
Vulnerability Details
Base64 encode() method is no longer thread-safe in Apache Commons Codec before version 1.7, which might disclose the wrong data or allow an attacker to change non-private fields.
Publish Date: 2010-02-26
URL: WS-2010-0001
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/CODEC-96
Release Date: 2017-01-31
Fix Resolution: 1.7