jgeraigery / front50---Demo

Spinnaker Metadata Repository Service
Apache License 2.0

kork-sql-7.126.0.jar: 1 vulnerabilities (highest severity is: 9.8) #23

Open mend-for-github-com[bot] opened 1 year ago

mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - kork-sql-7.126.0.jar

Path to dependency file: /front50-api-tck/front50-api-tck.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.liquibase/liquibase-core/3.8.9/ba38ad9bc271fb4f5c03547f99ab22caecf70431/liquibase-core-3.8.9.jar

Found in HEAD commit: 030c85bbbd79c49a42f0cc49719b8c41bd782262

Vulnerabilities

| CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (kork-sql version) | Remediation Possible** | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-0839 | Critical | 9.8 | Not Defined | 0.70000005% | liquibase-core-3.8.9.jar | Transitive | 7.201.0 | | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-0839

### Vulnerable Library - liquibase-core-3.8.9.jar

Liquibase is a tool for managing and executing database changes.

Library home page: http://www.liquibase.org/liquibase-root/liquibase-dist

Path to dependency file: /front50-sql/front50-sql.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.liquibase/liquibase-core/3.8.9/ba38ad9bc271fb4f5c03547f99ab22caecf70431/liquibase-core-3.8.9.jar

Dependency Hierarchy:

- kork-sql-7.126.0.jar (Root Library)
  - :x: **liquibase-core-3.8.9.jar** (Vulnerable Library)

Found in HEAD commit: 030c85bbbd79c49a42f0cc49719b8c41bd782262

Found in base branch: master

### Vulnerability Details

Improper Restriction of XML External Entity Reference in GitHub repository liquibase/liquibase prior to 4.8.0.

Publish Date: 2022-03-04

URL: CVE-2022-0839

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.70000005%

### CVSS 3 Score Details (9.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0839

Release Date: 2022-03-04

Fix Resolution (org.liquibase:liquibase-core): 4.8.0

Direct dependency fix Resolution (io.spinnaker.kork:kork-sql): 7.201.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.