h3xstream / burp-retire-js

Burp/ZAP/Maven extension that integrates the Retire.js repository to find vulnerable JavaScript libraries.
Apache License 2.0

CVE-2018-10237: Vulnerable Guava 16.0.1 in retirejs-core v3.0.1 #53

Closed albuch closed 4 years ago

albuch commented 5 years ago

The currently released version v3.0.1 of retirejs-core contains the vulnerable Guava version 16.0.1 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10237) as a transitive dependency via com.github.spullara.mustache.java.compiler v0.8.18.

The current snapshot of retirejs-core already contains a version of com.github.spullara.mustache.java.compiler (v0.9.5) that doesn't contain Guava anymore. (See https://github.com/h3xstream/burp-retire-js/commit/06cacf0067e4a95f85ae97d91d7bceb8a4d94665#diff-600376dffeb79835ede4a0b285078036)

Would it be possible to get a new release soon?
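The report above hinges on a transitive dependency: Guava is not declared by retirejs-core itself but arrives through the mustache.java compiler. The usual way to confirm such a chain is `mvn dependency:tree`, whose output can be parsed to print the exact path by which an affected artifact is pulled in. The script below is an added example, not code from this project or this thread. It parses constructed `dependency:tree` output (the Maven coordinates `com.h3xstream.retirejs:retirejs-core` are an assumption; `com.google.guava:guava` and `com.github.spullara.mustache.java:compiler` are the real coordinates of those libraries) and flags Guava versions below a caller-supplied fix threshold; the 24.1.1 threshold used in the usage line is taken from the NVD entry for CVE-2018-10237 that the report links, not from this thread.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output, mirroring the chain the
# report describes (retirejs-core -> mustache.java compiler -> Guava 16.0.1).
# The retirejs-core groupId is an assumption; it is not taken from the thread.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ demo-app ---
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- com.h3xstream.retirejs:retirejs-core:jar:3.0.1:compile
[INFO] |  \- com.github.spullara.mustache.java:compiler:jar:0.8.18:compile
[INFO] |     \- com.google.guava:guava:jar:16.0.1:compile
[INFO] \- junit:junit:jar:4.12:test
"""

# A dependency node line: "[INFO] " + tree drawing made of 3-char segments
# ("+- ", "\- ", "|  ", "   ") + one coordinate with no spaces.
NODE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:[|+\\ ][- ] )*)(?P<coord>\S+)$")


def parse_tree(text: str) -> List[Tuple[int, str]]:
    """Return (depth, coordinate) for every dependency node in the tree output."""
    nodes = []
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue  # plugin banner, BUILD SUCCESS, blank lines, etc.
        depth = len(m.group("prefix")) // 3
        nodes.append((depth, m.group("coord")))
    return nodes


def coord_parts(coord: str) -> Tuple[str, str, str]:
    """Split group:artifact:type[:classifier]:version[:scope] into (group, artifact, version)."""
    parts = coord.split(":")
    version = parts[4] if len(parts) == 6 else parts[3]
    return parts[0], parts[1], version


def find_paths(text: str, group_id: str, artifact_id: str) -> List[List[str]]:
    """Return every root-to-leaf path that ends in the requested artifact."""
    stack: List[str] = []
    paths: List[List[str]] = []
    for depth, coord in parse_tree(text):
        stack = stack[:depth]  # climb back up to the node's parent level
        stack.append(coord)
        g, a, _ = coord_parts(coord)
        if g == group_id and a == artifact_id:
            paths.append(list(stack))
    return paths


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric key for comparing versions; a qualifier such as '-jre' is ignored."""
    nums = tuple(int(x) for x in re.findall(r"\d+", version.split("-")[0]))
    return nums + (0,) * (3 - len(nums))  # pad so 24.1 compares like 24.1.0


def is_affected(version: str, fixed_version: str) -> bool:
    """True when the resolved version is older than the version carrying the fix."""
    return version_key(version) < version_key(fixed_version)


def vulnerable_paths(text: str, group_id: str, artifact_id: str,
                     fixed_version: str) -> List[Tuple[str, List[str]]]:
    """(version, path) for each occurrence of the artifact below the fix version."""
    hits = []
    for path in find_paths(text, group_id, artifact_id):
        _, _, version = coord_parts(path[-1])
        if is_affected(version, fixed_version):
            hits.append((version, path))
    return hits


if __name__ == "__main__":
    # 24.1.1 is the fix version listed by NVD for CVE-2018-10237 (not from this thread).
    for version, path in vulnerable_paths(SAMPLE_TREE, "com.google.guava", "guava", "24.1.1"):
        print(f"guava {version} reached via:")
        for level, coord in enumerate(path):
            print("  " * level + coord)
```

Run against real output with `mvn dependency:tree > tree.txt` and feed the file contents to `vulnerable_paths`; the printed chain tells you which direct dependency to upgrade (here retirejs-core) or, failing a release, where a `dependencyManagement` override for Guava would take effect.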

h3xstream commented 5 years ago

Note: This is a deserialization gadget. (DoS)

h3xstream commented 4 years ago

Fixed 0f8d0b610ed424035ce31624fb3b9de43c8a5b00