jgeraigery / Singularity-4567321

Scheduler (HTTP API and webapp) for running Mesos tasks—long running processes, one-off tasks, and scheduled jobs. #hubspot-open-source
http://getsingularity.com/
Apache License 2.0

SingularityExecutor-1.5.1-SNAPSHOT.jar: 24 vulnerabilities (highest severity is: 9.8) - autoclosed #184

Closed mend-for-github-com[bot] closed 1 year ago

mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - SingularityExecutor-1.5.1-SNAPSHOT.jar

Path to dependency file: /SingularityExecutorCleanup/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.60/bcprov-jdk15on-1.60.jar

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (SingularityExecutor version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-1471 | Critical | 9.8 | snakeyaml-1.23.jar | Transitive | N/A* | |
| CVE-2019-20444 | Critical | 9.1 | netty-3.10.6.Final.jar | Transitive | N/A* | |
| CVE-2020-11002 | High | 8.8 | dropwizard-validation-1.3.12.jar | Transitive | N/A* | |
| CVE-2020-5245 | High | 8.8 | dropwizard-validation-1.3.12.jar | Transitive | N/A* | |
| CVE-2021-36090 | High | 7.5 | commons-compress-1.18.jar | Transitive | N/A* | |
| CVE-2019-17359 | High | 7.5 | bcprov-jdk15on-1.60.jar | Transitive | N/A* | |
| CVE-2022-25857 | High | 7.5 | snakeyaml-1.23.jar | Transitive | N/A* | |
| CVE-2017-18640 | High | 7.5 | snakeyaml-1.23.jar | Transitive | N/A* | |
| CVE-2021-35517 | High | 7.5 | commons-compress-1.18.jar | Transitive | N/A* | |
| CVE-2019-12402 | High | 7.5 | commons-compress-1.18.jar | Transitive | N/A* | |
| CVE-2021-35516 | High | 7.5 | commons-compress-1.18.jar | Transitive | N/A* | |
| CVE-2021-35515 | High | 7.5 | commons-compress-1.18.jar | Transitive | N/A* | |
| CVE-2021-28165 | High | 7.5 | jetty-io-9.4.18.v20190429.jar | Transitive | N/A* | |
| CVE-2021-42550 | Medium | 6.6 | logback-core-1.2.3.jar | Transitive | N/A* | |
| CVE-2022-41854 | Medium | 6.5 | snakeyaml-1.23.jar | Transitive | N/A* | |
| CVE-2022-38752 | Medium | 6.5 | snakeyaml-1.23.jar | Transitive | N/A* | |
| CVE-2022-38751 | Medium | 6.5 | snakeyaml-1.23.jar | Transitive | N/A* | |
| CVE-2022-38749 | Medium | 6.5 | snakeyaml-1.23.jar | Transitive | N/A* | |
| CVE-2020-15522 | Medium | 5.9 | bcprov-jdk15on-1.60.jar | Transitive | N/A* | |
| CVE-2022-38750 | Medium | 5.5 | snakeyaml-1.23.jar | Transitive | N/A* | |
| CVE-2020-10693 | Medium | 5.3 | hibernate-validator-5.4.3.Final.jar | Transitive | N/A* | |
| CVE-2023-33201 | Medium | 5.3 | bcprov-jdk15on-1.60.jar | Transitive | N/A* | |
| CVE-2020-26939 | Medium | 5.3 | bcprov-jdk15on-1.60.jar | Transitive | N/A* | |
| CVE-2021-29425 | Medium | 4.8 | commons-io-2.5.jar | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (22 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

**CVE-2022-1471**

### Vulnerable Library - snakeyaml-1.23.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /SingularityS3Downloader/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - SingularityRunnerBase-1.5.1-SNAPSHOT.jar
    - jackson-dataformat-yaml-2.9.9.jar
      - :x: **snakeyaml-1.23.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: 2022-12-01

URL: CVE-2022-1471

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution: org.yaml:snakeyaml:2.0

**CVE-2019-20444**

### Vulnerable Library - netty-3.10.6.Final.jar

The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

Library home page: http://netty.io/

Path to dependency file: /SingularityExecutor/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty/3.10.6.Final/netty-3.10.6.Final.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - async-http-client-1.9.38.jar
    - :x: **netty-3.10.6.Final.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."

Publish Date: 2020-01-29

URL: CVE-2019-20444

### CVSS 3 Score Details (9.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444

Release Date: 2020-01-29

Fix Resolution: io.netty:netty-all:4.1.44.Final

**CVE-2020-11002**

### Vulnerable Library - dropwizard-validation-1.3.12.jar

Dropwizard is a Java framework for developing ops-friendly, high-performance, RESTful web applications.

Library home page: http://www.dropwizard.io/1.3.12

Path to dependency file: /SingularityS3Uploader/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/dropwizard/dropwizard-validation/1.3.12/dropwizard-validation-1.3.12.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - SingularityRunnerBase-1.5.1-SNAPSHOT.jar
    - dropwizard-configuration-1.3.12.jar
      - :x: **dropwizard-validation-1.3.12.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

dropwizard-validation before versions 2.0.3 and 1.3.21 has a remote code execution vulnerability. A server-side template injection was identified in the self-validating feature enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you are using a self-validating bean an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 for CVE-2020-5245 unfortunately did not fix the underlying issue completely. The issue has been fixed in dropwizard-validation 1.3.21 and 2.0.3 or later. We strongly recommend upgrading to one of these versions.

Publish Date: 2020-04-10

URL: CVE-2020-11002

### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/dropwizard/dropwizard/security/advisories/GHSA-8jpx-m2wh-2v34

Release Date: 2020-04-13

Fix Resolution: io.dropwizard:dropwizard-validation:2.0.3,1.3.21

**CVE-2020-5245**

### Vulnerable Library - dropwizard-validation-1.3.12.jar

Dropwizard is a Java framework for developing ops-friendly, high-performance, RESTful web applications.

Library home page: http://www.dropwizard.io/1.3.12

Path to dependency file: /SingularityS3Uploader/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/dropwizard/dropwizard-validation/1.3.12/dropwizard-validation-1.3.12.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - SingularityRunnerBase-1.5.1-SNAPSHOT.jar
    - dropwizard-configuration-1.3.12.jar
      - :x: **dropwizard-validation-1.3.12.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.

Publish Date: 2020-02-24

URL: CVE-2020-5245

### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5245

Release Date: 2020-02-24

Fix Resolution: 1.3.19,2.0.2

**CVE-2021-36090**

### Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /SingularityExecutor/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - docker-client-8.16.0.jar
    - :x: **commons-compress-1.18.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2021-07-13

URL: CVE-2021-36090

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

**CVE-2019-17359**

### Vulnerable Library - bcprov-jdk15on-1.60.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /SingularityExecutor/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.60/bcprov-jdk15on-1.60.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - docker-client-8.16.0.jar
    - bcpkix-jdk15on-1.60.jar
      - :x: **bcprov-jdk15on-1.60.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.

Publish Date: 2019-10-08

URL: CVE-2019-17359

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17359

Release Date: 2019-10-08

Fix Resolution: org.bouncycastle:bcprov-jdk15on:1.64

**CVE-2022-25857**

### Vulnerable Library - snakeyaml-1.23.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /SingularityS3Downloader/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - SingularityRunnerBase-1.5.1-SNAPSHOT.jar
    - jackson-dataformat-yaml-2.9.9.jar
      - :x: **snakeyaml-1.23.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.

Publish Date: 2022-08-30

URL: CVE-2022-25857

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857

Release Date: 2022-08-30

Fix Resolution: org.yaml:snakeyaml:1.31

**CVE-2017-18640**

### Vulnerable Library - snakeyaml-1.23.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /SingularityS3Downloader/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - SingularityRunnerBase-1.5.1-SNAPSHOT.jar
    - jackson-dataformat-yaml-2.9.9.jar
      - :x: **snakeyaml-1.23.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Publish Date: 2019-12-12

URL: CVE-2017-18640

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640

Release Date: 2019-12-12

Fix Resolution: org.yaml:snakeyaml:1.26

**CVE-2021-35517**

### Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /SingularityExecutor/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - docker-client-8.16.0.jar
    - :x: **commons-compress-1.18.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Publish Date: 2021-07-13

URL: CVE-2021-35517

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

**CVE-2019-12402**

### Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /SingularityExecutor/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - docker-client-8.16.0.jar
    - :x: **commons-compress-1.18.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.

Publish Date: 2019-08-30

URL: CVE-2019-12402

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402

Release Date: 2019-08-30

Fix Resolution: 1.19

**CVE-2021-35516**

### Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /SingularityExecutor/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - docker-client-8.16.0.jar
    - :x: **commons-compress-1.18.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35516

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

**CVE-2021-35515**

### Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /SingularityExecutor/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - docker-client-8.16.0.jar
    - :x: **commons-compress-1.18.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35515

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

**CVE-2021-28165**

### Vulnerable Library - jetty-io-9.4.18.v20190429.jar

The Eclipse Jetty Project

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /SingularityExecutor/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-io/9.4.18.v20190429/jetty-io-9.4.18.v20190429.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - jetty-client-9.4.18.v20190429.jar
    - jetty-http-9.4.18.v20190429.jar
      - :x: **jetty-io-9.4.18.v20190429.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

Publish Date: 2021-04-01

URL: CVE-2021-28165

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w

Release Date: 2021-04-01

Fix Resolution: org.eclipse.jetty:jetty-io:9.4.39, org.eclipse.jetty:jetty-io:10.0.2, org.eclipse.jetty:jetty-io:11.0.2

**CVE-2021-42550**

### Vulnerable Library - logback-core-1.2.3.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /SingularityRunnerBase/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - logback-classic-1.2.3.jar
    - :x: **logback-core-1.2.3.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers. Mend Note: Converted from WS-2021-0491, on 2022-11-07.

Publish Date: 2021-12-16

URL: CVE-2021-42550

### CVSS 3 Score Details (6.6)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42550

Release Date: 2021-12-16

Fix Resolution: ch.qos.logback:logback-classic:1.2.9;ch.qos.logback:logback-core:1.2.9

**CVE-2022-41854**

### Vulnerable Library - snakeyaml-1.23.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /SingularityS3Downloader/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - SingularityRunnerBase-1.5.1-SNAPSHOT.jar
    - jackson-dataformat-yaml-2.9.9.jar
      - :x: **snakeyaml-1.23.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

Publish Date: 2022-11-11

URL: CVE-2022-41854

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/

Release Date: 2022-11-11

Fix Resolution: org.yaml:snakeyaml:1.32

**CVE-2022-38752**

### Vulnerable Library - snakeyaml-1.23.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /SingularityS3Downloader/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - SingularityRunnerBase-1.5.1-SNAPSHOT.jar
    - jackson-dataformat-yaml-2.9.9.jar
      - :x: **snakeyaml-1.23.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38752

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-9w3m-gqgf-c4p9

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.32

**CVE-2022-38751**

### Vulnerable Library - snakeyaml-1.23.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /SingularityS3Downloader/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - SingularityRunnerBase-1.5.1-SNAPSHOT.jar
    - jackson-dataformat-yaml-2.9.9.jar
      - :x: **snakeyaml-1.23.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38751

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

**CVE-2022-38749**

### Vulnerable Library - snakeyaml-1.23.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /SingularityS3Downloader/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - SingularityRunnerBase-1.5.1-SNAPSHOT.jar
    - jackson-dataformat-yaml-2.9.9.jar
      - :x: **snakeyaml-1.23.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38749

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

**CVE-2020-15522**

### Vulnerable Library - bcprov-jdk15on-1.60.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /SingularityExecutor/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.60/bcprov-jdk15on-1.60.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - docker-client-8.16.0.jar
    - bcpkix-jdk15on-1.60.jar
      - :x: **bcprov-jdk15on-1.60.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.

Publish Date: 2021-05-20

URL: CVE-2020-15522

### CVSS 3 Score Details (5.9)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15522

Release Date: 2021-05-20

Fix Resolution: org.bouncycastle:bc-fips:1.0.2.1;org.bouncycastle:bcprov-ext-jdk14:1.66;org.bouncycastle:bcprov-ext-jdk15on:1.66;org.bouncycastle:bcprov-jdk14:1.66;org.bouncycastle:bcprov-jdk15on:1.66;BouncyCastle - 1.8.9;Portable.BouncyCastle - 1.8.8

**CVE-2022-38750**

### Vulnerable Library - snakeyaml-1.23.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /SingularityS3Downloader/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.23/snakeyaml-1.23.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - SingularityRunnerBase-1.5.1-SNAPSHOT.jar
    - jackson-dataformat-yaml-2.9.9.jar
      - :x: **snakeyaml-1.23.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38750

### CVSS 3 Score Details (5.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

**CVE-2020-10693**

### Vulnerable Library - hibernate-validator-5.4.3.Final.jar

Hibernate's Bean Validation (JSR-303) reference implementation.

Library home page: http://hibernate.org/validator

Path to dependency file: /SingularityS3Downloader/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.4.3.Final/hibernate-validator-5.4.3.Final.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - SingularityRunnerBase-1.5.1-SNAPSHOT.jar
    - dropwizard-configuration-1.3.12.jar
      - dropwizard-validation-1.3.12.jar
        - :x: **hibernate-validator-5.4.3.Final.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.

Publish Date: 2020-05-06

URL: CVE-2020-10693

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://in.relation.to/2020/05/07/hibernate-validator-615-6020-released/

Release Date: 2020-05-06

Fix Resolution: org.hibernate:hibernate-validator:6.0.20.Final,6.1.5.Final

**CVE-2023-33201**

### Vulnerable Library - bcprov-jdk15on-1.60.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /SingularityExecutor/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.60/bcprov-jdk15on-1.60.jar

Dependency Hierarchy:
- SingularityExecutor-1.5.1-SNAPSHOT.jar (Root Library)
  - docker-client-8.16.0.jar
    - bcpkix-jdk15on-1.60.jar
      - :x: **bcprov-jdk15on-1.60.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.

Publish Date: 2023-07-05

URL: CVE-2023-33201

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2023-07-05

Fix Resolution: org.bouncycastle:bcprov-ext-jdk18on:1.74, org.bouncycastle:bcprov-jdk18on:1.74, org.bouncycastle:bcprov-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-jdk15to18:1.74, org.bouncycastle:bcprov-jdk15to18:1.74, org.bouncycastle:bcprov-debug-jdk14:1.74, org.bouncycastle:bcprov-debug-jdk15to18:1.74, org.bouncycastle:bcprov-ext-debug-jdk14:1.74, org.bouncycastle:bcprov-ext-debug-jdk15to18:1.74, org.bouncycastle:bcprov-jdk14:1.74

mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.