Open mend-for-github-com[bot] opened 1 month ago
mend-for-github-com[bot]
commented
1 month ago :heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
mend-for-github-com[bot]
commented
3 days ago :information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
Kotlin Full Reflection Library
Path to dependency file: /test/fixtures/find-files/gradle-kts/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-reflect/1.3.21/d0d5ff2ac2ebd8a42697af41e20fc225a23c5d3b/kotlin-reflect-1.3.21.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-reflect/1.3.21/d0d5ff2ac2ebd8a42697af41e20fc225a23c5d3b/kotlin-reflect-1.3.21.jar
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2019-10103
### Vulnerable Libraries - kotlin-reflect-1.3.21.jar, kotlin-stdlib-1.3.21.jar### kotlin-reflect-1.3.21.jar
Kotlin Full Reflection Library
Path to dependency file: /test/fixtures/find-files/gradle-kts/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-reflect/1.3.21/d0d5ff2ac2ebd8a42697af41e20fc225a23c5d3b/kotlin-reflect-1.3.21.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-reflect/1.3.21/d0d5ff2ac2ebd8a42697af41e20fc225a23c5d3b/kotlin-reflect-1.3.21.jar
Dependency Hierarchy: - :x: **kotlin-reflect-1.3.21.jar** (Vulnerable Library) ### kotlin-stdlib-1.3.21.jar
Kotlin Standard Library for JVM
Path to dependency file: /test/fixtures/find-files/gradle-kts/subproj/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.21/4bcc2012b84840e19e1e28074284cac908be0295/kotlin-stdlib-1.3.21.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.21/4bcc2012b84840e19e1e28074284cac908be0295/kotlin-stdlib-1.3.21.jar
Dependency Hierarchy: - kotlin-reflect-1.3.21.jar (Root Library) - :x: **kotlin-stdlib-1.3.21.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability DetailsJetBrains IntelliJ IDEA projects created using the Kotlin (JS Client/JVM Server) IDE Template were resolving Gradle artifacts using an http connection, potentially allowing an MITM attack. This issue, which was fixed in Kotlin plugin version 1.3.30, is similar to CVE-2019-10101.
Publish Date: 2019-07-03
URL: CVE-2019-10103
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.2%
### CVSS 3 Score Details (8.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10103
Release Date: 2019-07-03
Fix Resolution (org.jetbrains.kotlin:kotlin-stdlib): 1.3.30
Direct dependency fix Resolution (org.jetbrains.kotlin:kotlin-reflect): 1.3.30
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2019-10102
### Vulnerable Libraries - kotlin-stdlib-1.3.21.jar, kotlin-reflect-1.3.21.jar### kotlin-stdlib-1.3.21.jar
Kotlin Standard Library for JVM
Path to dependency file: /test/fixtures/find-files/gradle-kts/subproj/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.21/4bcc2012b84840e19e1e28074284cac908be0295/kotlin-stdlib-1.3.21.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.21/4bcc2012b84840e19e1e28074284cac908be0295/kotlin-stdlib-1.3.21.jar
Dependency Hierarchy: - kotlin-reflect-1.3.21.jar (Root Library) - :x: **kotlin-stdlib-1.3.21.jar** (Vulnerable Library) ### kotlin-reflect-1.3.21.jar
Kotlin Full Reflection Library
Path to dependency file: /test/fixtures/find-files/gradle-kts/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-reflect/1.3.21/d0d5ff2ac2ebd8a42697af41e20fc225a23c5d3b/kotlin-reflect-1.3.21.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-reflect/1.3.21/d0d5ff2ac2ebd8a42697af41e20fc225a23c5d3b/kotlin-reflect-1.3.21.jar
Dependency Hierarchy: - :x: **kotlin-reflect-1.3.21.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability DetailsJetBrains Ktor framework (created using the Kotlin IDE template) versions before 1.1.0 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack. This issue was fixed in Kotlin plugin version 1.3.30.
Publish Date: 2019-07-03
URL: CVE-2019-10102
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.2%
### CVSS 3 Score Details (8.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10102
Release Date: 2019-07-03
Fix Resolution (org.jetbrains.kotlin:kotlin-stdlib): 1.3.30
Direct dependency fix Resolution (org.jetbrains.kotlin:kotlin-reflect): 1.3.30
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2019-10101
### Vulnerable Libraries - kotlin-reflect-1.3.21.jar, kotlin-stdlib-1.3.21.jar### kotlin-reflect-1.3.21.jar
Kotlin Full Reflection Library
Path to dependency file: /test/fixtures/find-files/gradle-kts/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-reflect/1.3.21/d0d5ff2ac2ebd8a42697af41e20fc225a23c5d3b/kotlin-reflect-1.3.21.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-reflect/1.3.21/d0d5ff2ac2ebd8a42697af41e20fc225a23c5d3b/kotlin-reflect-1.3.21.jar
Dependency Hierarchy: - :x: **kotlin-reflect-1.3.21.jar** (Vulnerable Library) ### kotlin-stdlib-1.3.21.jar
Kotlin Standard Library for JVM
Path to dependency file: /test/fixtures/find-files/gradle-kts/subproj/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.21/4bcc2012b84840e19e1e28074284cac908be0295/kotlin-stdlib-1.3.21.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.21/4bcc2012b84840e19e1e28074284cac908be0295/kotlin-stdlib-1.3.21.jar
Dependency Hierarchy: - kotlin-reflect-1.3.21.jar (Root Library) - :x: **kotlin-stdlib-1.3.21.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability DetailsJetBrains Kotlin versions before 1.3.30 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack.
Publish Date: 2019-07-03
URL: CVE-2019-10101
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.3%
### CVSS 3 Score Details (8.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10101
Release Date: 2019-07-03
Fix Resolution (org.jetbrains.kotlin:kotlin-stdlib): 1.3.30
Direct dependency fix Resolution (org.jetbrains.kotlin:kotlin-reflect): 1.3.30
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-24329
### Vulnerable Library - kotlin-stdlib-1.3.21.jarKotlin Standard Library for JVM
Path to dependency file: /test/fixtures/find-files/gradle-kts/subproj/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.21/4bcc2012b84840e19e1e28074284cac908be0295/kotlin-stdlib-1.3.21.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.21/4bcc2012b84840e19e1e28074284cac908be0295/kotlin-stdlib-1.3.21.jar
Dependency Hierarchy: - kotlin-reflect-1.3.21.jar (Root Library) - :x: **kotlin-stdlib-1.3.21.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability DetailsIn JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
Publish Date: 2022-02-25
URL: CVE-2022-24329
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-2qp4-g3q3-f92w
Release Date: 2022-02-25
Fix Resolution (org.jetbrains.kotlin:kotlin-stdlib): 1.6.0-M1
Direct dependency fix Resolution (org.jetbrains.kotlin:kotlin-reflect): 1.6.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-29582
### Vulnerable Library - kotlin-stdlib-1.3.21.jarKotlin Standard Library for JVM
Path to dependency file: /test/fixtures/find-files/gradle-kts/subproj/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.21/4bcc2012b84840e19e1e28074284cac908be0295/kotlin-stdlib-1.3.21.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.21/4bcc2012b84840e19e1e28074284cac908be0295/kotlin-stdlib-1.3.21.jar
Dependency Hierarchy: - kotlin-reflect-1.3.21.jar (Root Library) - :x: **kotlin-stdlib-1.3.21.jar** (Vulnerable Library)
Found in HEAD commit: 7e83e87477e0886cad26f767efdb9ffd90d9fbfe
Found in base branch: main
### Vulnerability DetailsIn JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
Publish Date: 2021-02-03
URL: CVE-2020-29582
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-cqj8-47ch-rvvq
Release Date: 2021-02-03
Fix Resolution (org.jetbrains.kotlin:kotlin-stdlib): 1.4.21
Direct dependency fix Resolution (org.jetbrains.kotlin:kotlin-reflect): 1.4.21
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.