search

jgeraigery / hadoop-555665675

Apache Hadoop
https://hadoop.apache.org/
Apache License 2.0
0 stars 0 forks source link

commons-configuration2-2.1.1.jar: 2 vulnerabilities (highest severity is: 4.4) - autoclosed #105

Closed mend-for-github-com[bot] closed 2 weeks ago

mend-for-github-com[bot] commented 2 months ago
Vulnerable Library - commons-configuration2-2.1.1.jar

Tools to assist in the reading of configuration/preferences files in various formats

Library home page: http://commons.apache.org/proper/commons-configuration/

Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-api/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (commons-configuration2 version) Remediation Possible** Reachability
CVE-2024-29133 Medium 4.4 Not Defined 0.0% commons-configuration2-2.1.1.jar Direct 2.10.1
CVE-2024-29131 Medium 4.4 Not Defined 0.0% commons-configuration2-2.1.1.jar Direct 2.10.1

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-29133 ### Vulnerable Library - commons-configuration2-2.1.1.jar

Tools to assist in the reading of configuration/preferences files in various formats

Library home page: http://commons.apache.org/proper/commons-configuration/

Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-api/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar

Dependency Hierarchy: - :x: **commons-configuration2-2.1.1.jar** (Vulnerable Library)

Found in base branch: hubspot-3.3

### Vulnerability Details

Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue.

Publish Date: 2024-03-21

URL: CVE-2024-29133

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

### CVSS 3 Score Details (4.4)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/ccb9w15bscznh6tnp3wsvrrj9crbszh2

Release Date: 2024-03-21

Fix Resolution: 2.10.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-29131 ### Vulnerable Library - commons-configuration2-2.1.1.jar

Tools to assist in the reading of configuration/preferences files in various formats

Library home page: http://commons.apache.org/proper/commons-configuration/

Path to dependency file: /hadoop-yarn-project/hadoop-yarn/hadoop-yarn-applications/hadoop-yarn-services/hadoop-yarn-services-api/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar,/home/wss-scanner/.m2/repository/org/apache/commons/commons-configuration2/2.1.1/commons-configuration2-2.1.1.jar

Dependency Hierarchy: - :x: **commons-configuration2-2.1.1.jar** (Vulnerable Library)

Found in base branch: hubspot-3.3

### Vulnerability Details

Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue.

Publish Date: 2024-03-21

URL: CVE-2024-29131

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

### CVSS 3 Score Details (4.4)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/03nzzzjn4oknyw5y0871tw7ltj0t3r37

Release Date: 2024-03-21

Fix Resolution: 2.10.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

mend-for-github-com[bot] commented 2 weeks ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.