joshnewton31080 / kafka

Mirror of Apache Kafka
Apache License 2.0

zinc_2.12-1.3.5.jar: 5 vulnerabilities (highest severity is: 7.5) #9

Open mend-for-github-com[bot] opened 2 years ago

mend-for-github-com[bot] commented 2 years ago
Vulnerable Library - zinc_2.12-1.3.5.jar

Path to dependency file: /core/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.7.0/dbb5e9230a91f2a6d011096c2b9c10a5a6e5f7f2/protobuf-java-3.7.0.jar

Found in HEAD commit: 9b4b1490ec6d070b17879bdd976a474544628950

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (zinc_2.12 version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| WS-2014-0065 | High | 7.5 | jna-platform-4.5.0.jar | Transitive | 1.4.0 | |
| CVE-2022-3509 | High | 7.5 | protobuf-java-3.7.0.jar | Transitive | 1.4.0 | |
| CVE-2022-3171 | High | 7.5 | protobuf-java-3.7.0.jar | Transitive | 1.4.0 | |
| CVE-2023-46122 | High | 7.1 | io_2.12-1.3.0.jar | Transitive | 1.9.6 | |
| CVE-2021-22569 | Medium | 5.5 | protobuf-java-3.7.0.jar | Transitive | 1.4.0 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
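All five findings share one remediation: bump the direct dependency `org.scala-sbt:zinc_2.12` far enough that every transitive fix version is reached. The Python below is an added example, not code from the Mend report or the Kafka build: it computes that minimum from the table, parses a `gradle dependencies` tree (the tree text is constructed here, and the post-upgrade transitive versions are assumed, since the report does not say what zinc 1.9.6 pulls in) and lists which findings a resolved graph still leaves open. Versions are compared numerically because string comparison ranks `3.9.0` above `3.16.3`.

```python
"""Version-aware checks for the findings table above.

Added example (not part of the Mend report or the Kafka build). FINDINGS is
transcribed from the table; BEFORE/AFTER are constructed to look like
`gradle dependencies` output, and the versions in AFTER are assumed.
"""
import re

# (id, artifact, vulnerable version, fixed-in artifact version, fixed-in zinc_2.12 version)
FINDINGS = [
    ("WS-2014-0065",   "net.java.dev.jna:jna-platform",     "4.5.0", "5.0.0",  "1.4.0"),
    ("CVE-2022-3509",  "com.google.protobuf:protobuf-java", "3.7.0", "3.16.3", "1.4.0"),
    ("CVE-2022-3171",  "com.google.protobuf:protobuf-java", "3.7.0", "3.16.3", "1.4.0"),
    ("CVE-2023-46122", "org.scala-sbt:io_2.12",             "1.3.0", "1.9.7",  "1.9.6"),
    ("CVE-2021-22569", "com.google.protobuf:protobuf-java", "3.7.0", "3.16.1", "1.4.0"),
]


def parse_version(v):
    """'3.16.3' -> (3, 16, 3). Compare numerically: as strings, '3.9.0' > '3.16.3'."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def is_fixed(resolved, fixed_in):
    return parse_version(resolved) >= parse_version(fixed_in)


def minimal_direct_upgrade(findings=FINDINGS):
    """Smallest zinc_2.12 version clearing every finding: the max of the per-finding minimums."""
    return max((f[4] for f in findings), key=parse_version)


# One line of `gradle dependencies` tree output, e.g.
#   |    +--- com.google.protobuf:protobuf-java:3.7.0 -> 3.16.3 (*)
# group 1 = group:name, group 2 = requested version, group 3 = version Gradle substituted (if any)
_TREE_LINE = re.compile(r"[+\\]---\s+([\w.-]+:[\w.-]+):([^\s]+)(?:\s+->\s+([^\s]+))?")


def parse_gradle_tree(text):
    """{artifact: resolved version}. On conflict-resolved lines ('1.3.0 -> 1.9.7')
    the version to the right of the arrow is what actually ends up on the classpath."""
    resolved = {}
    for line in text.splitlines():
        m = _TREE_LINE.search(line)
        if m:
            resolved[m.group(1)] = m.group(3) or m.group(2)
    return resolved


def open_findings(resolved, findings=FINDINGS):
    """IDs still open: artifact present in the resolved graph and below its fix version."""
    return [fid for fid, artifact, _, fixed_in, _ in findings
            if artifact in resolved and not is_fixed(resolved[artifact], fixed_in)]


# Constructed tree matching the dependency hierarchies in this report.
BEFORE = """\
zinc - The Zinc incremental compiler to be used for this Scala project.
\\--- org.scala-sbt:zinc_2.12:1.3.5
     +--- com.google.protobuf:protobuf-java:3.7.0
     \\--- org.scala-sbt:zinc-compile-core_2.12:1.3.5
          \\--- org.scala-sbt:io_2.12:1.3.0
               \\--- net.java.dev.jna:jna-platform:4.5.0
"""

# Constructed tree after forcing zinc_2.12 to 1.9.6; the transitive versions are assumed
# (set to the fix versions from the table), not taken from a real resolution.
AFTER = """\
zinc - The Zinc incremental compiler to be used for this Scala project.
\\--- org.scala-sbt:zinc_2.12:1.3.5 -> 1.9.6
     +--- com.google.protobuf:protobuf-java:3.16.3
     \\--- org.scala-sbt:zinc-compile-core_2.12:1.9.6
          \\--- org.scala-sbt:io_2.12:1.9.7
               \\--- net.java.dev.jna:jna-platform:5.0.0
"""

if __name__ == "__main__":
    print("upgrade zinc_2.12 to at least", minimal_direct_upgrade())
    print("open before:", open_findings(parse_gradle_tree(BEFORE)))
    print("open after: ", open_findings(parse_gradle_tree(AFTER)))
```

The scanner reports the build-time graph: in Gradle the zinc compiler sits in the Scala plugin's `zinc` configuration rather than on an artifact's runtime classpath, so the tree to feed this comes from `./gradlew :core:dependencies --configuration zinc` (configuration name assumed for this build), and `./gradlew :core:dependencyInsight --dependency protobuf-java --configuration zinc` shows why a given version was selected. Which configuration resolved each artifact is what decides whether a finding reaches anything Kafka ships.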

Details

## WS-2014-0065

### Vulnerable Library - jna-platform-4.5.0.jar

Java Native Access Platform

Library home page: https://github.com/java-native-access/jna

Path to dependency file: /core/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/net.java.dev.jna/jna-platform/4.5.0/ab163522ed76eb01c8c9a750dedacb134fc8c0/jna-platform-4.5.0.jar

Dependency Hierarchy:

- zinc_2.12-1.3.5.jar (Root Library)
  - zinc-compile-core_2.12-1.3.5.jar
    - io_2.12-1.3.0.jar
      - :x: **jna-platform-4.5.0.jar** (Vulnerable Library)

Found in HEAD commit: 9b4b1490ec6d070b17879bdd976a474544628950

Found in base branch: trunk

### Vulnerability Details

JNA prior to 5.0.0 was discovered to contain an out-of-bounds read. Advapi32Util.registryGetValues does not terminate the returned string with null terminators. When it tries to identify the string content it searches for the next null-terminator and will read out-of-bounds of the buffer.

Publish Date: 2014-06-24

URL: WS-2014-0065

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Release Date: 2014-06-24

Fix Resolution (net.java.dev.jna:jna-platform): 5.0.0

Direct dependency fix Resolution (org.scala-sbt:zinc_2.12): 1.4.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2022-3509

### Vulnerable Library - protobuf-java-3.7.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /streams/streams-scala/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.7.0/dbb5e9230a91f2a6d011096c2b9c10a5a6e5f7f2/protobuf-java-3.7.0.jar

Dependency Hierarchy:

- zinc_2.12-1.3.5.jar (Root Library)
  - :x: **protobuf-java-3.7.0.jar** (Vulnerable Library)

Found in HEAD commit: 9b4b1490ec6d070b17879bdd976a474544628950

Found in base branch: trunk

### Vulnerability Details

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-12-12

URL: CVE-2022-3509

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509

Release Date: 2022-12-12

Fix Resolution (com.google.protobuf:protobuf-java): 3.16.3

Direct dependency fix Resolution (org.scala-sbt:zinc_2.12): 1.4.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2022-3171

### Vulnerable Library - protobuf-java-3.7.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /streams/streams-scala/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.7.0/dbb5e9230a91f2a6d011096c2b9c10a5a6e5f7f2/protobuf-java-3.7.0.jar

Dependency Hierarchy:

- zinc_2.12-1.3.5.jar (Root Library)
  - :x: **protobuf-java-3.7.0.jar** (Vulnerable Library)

Found in HEAD commit: 9b4b1490ec6d070b17879bdd976a474544628950

Found in base branch: trunk

### Vulnerability Details

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-10-12

URL: CVE-2022-3171

### CVSS 3 Score Details (7.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-h4h5-3hr4-j3g2

Release Date: 2022-10-12

Fix Resolution (com.google.protobuf:protobuf-java): 3.16.3

Direct dependency fix Resolution (org.scala-sbt:zinc_2.12): 1.4.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2023-46122

### Vulnerable Library - io_2.12-1.3.0.jar

IO module for sbt

Library home page: https://github.com/sbt/io

Path to dependency file: /core/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.scala-sbt/io_2.12/1.3.0/ac02eaca49f66b3a2c548ca0cf12b07a9e4d93da/io_2.12-1.3.0.jar

Dependency Hierarchy:

- zinc_2.12-1.3.5.jar (Root Library)
  - zinc-compile-core_2.12-1.3.5.jar
    - :x: **io_2.12-1.3.0.jar** (Vulnerable Library)

Found in HEAD commit: 9b4b1490ec6d070b17879bdd976a474544628950

Found in base branch: trunk

### Vulnerability Details

sbt is a build tool for Scala, Java, and others. Given a specially crafted zip or JAR file, `IO.unzip` allows writing of arbitrary file. This would have potential to overwrite `/root/.ssh/authorized_keys`. Within sbt's main code, `IO.unzip` is used in `pullRemoteCache` task and `Resolvers.remote`; however many projects use `IO.unzip(...)` directly to implement custom tasks. This vulnerability has been patched in version 1.9.7.
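The flaw described above is the classic zip-slip pattern: an entry name such as `../../.ssh/authorized_keys` (or an absolute path) is joined onto the destination directory and written wherever it resolves. The Python below is an added example, not code from sbt/io, zinc, Kafka or this report; sbt's `IO.unzip` is Scala, so this reimplements the hazard and the canonical-path check that closes it. The archive is constructed in memory, the `/srv/unpack` destination is a placeholder, and POSIX paths are assumed.

```python
"""Zip-slip check of the kind that closes the IO.unzip flaw above.

Added example; not code from sbt/io, zinc, Kafka or the Mend report.
The archive is constructed in memory and POSIX paths are assumed.
"""
import io
import os
import tempfile
import zipfile


def build_archive(malicious):
    """Constructed zip: a benign entry plus, if `malicious`, two escaping entries.
    ZipFile.writestr stores the name verbatim, so the traversal really is in the archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "benign\n")
        if malicious:
            zf.writestr("../../.ssh/authorized_keys", "ssh-ed25519 AAAA... attacker\n")
            # absolute name: os.path.join(dest, name) simply discards dest
            zf.writestr("/etc/cron.d/evil", "* * * * * root id\n")
    return buf.getvalue()


def is_within(dest, target):
    """True only if the canonical target stays under the canonical destination."""
    dest = os.path.realpath(dest)
    target = os.path.realpath(target)
    return os.path.commonpath([dest, target]) == dest


def classify_entries(data, dest):
    """{entry name: escapes?}: where a naive join(dest, name) would have written."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: not is_within(dest, os.path.join(dest, name)) for name in zf.namelist()}


def safe_unzip(data, dest):
    """Extract only after every entry has been checked, so a bad entry late in the
    archive cannot leave a half-written tree behind. Returns the relative paths written."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        escaping = [n for n in zf.namelist() if not is_within(dest, os.path.join(dest, n))]
        if escaping:
            raise ValueError(f"zip slip: entries escape {dest}: {escaping}")
        written = []
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, dest))
    return written


def demo():
    """Run both archives against a fresh temp dir; returns what a test can assert on."""
    dest = tempfile.mkdtemp(prefix="unzip-demo-")
    try:
        safe_unzip(build_archive(malicious=True), dest)
        rejected = False
    except ValueError:
        rejected = True
    after_reject = os.listdir(dest)  # nothing should have been written
    benign = safe_unzip(build_archive(malicious=False), dest)
    return {"rejected": rejected, "after_reject": after_reject, "benign": benign}


if __name__ == "__main__":
    print(classify_entries(build_archive(True), "/srv/unpack"))
    print(demo())
```

Two details carry over to the Java/Scala side: compare canonical paths (`File.getCanonicalPath`), not the string prefix, because `dest` followed by `dest-evil` passes a `startsWith` test; and validate every entry before writing any, otherwise an archive that puts the traversal entry last still gets its earlier entries on disk.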

Publish Date: 2023-10-23

URL: CVE-2023-46122

### CVSS 3 Score Details (7.1)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-46122

Release Date: 2023-10-23

Fix Resolution (org.scala-sbt:io_2.12): 1.9.7

Direct dependency fix Resolution (org.scala-sbt:zinc_2.12): 1.9.6

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2021-22569

### Vulnerable Library - protobuf-java-3.7.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /streams/streams-scala/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.7.0/dbb5e9230a91f2a6d011096c2b9c10a5a6e5f7f2/protobuf-java-3.7.0.jar

Dependency Hierarchy:

- zinc_2.12-1.3.5.jar (Root Library)
  - :x: **protobuf-java-3.7.0.jar** (Vulnerable Library)

Found in HEAD commit: 9b4b1490ec6d070b17879bdd976a474544628950

Found in base branch: trunk

### Vulnerability Details

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
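The three protobuf-java findings in this report (CVE-2022-3171, CVE-2022-3509 and CVE-2021-22569) describe the same input shape: many instances of a field the schema declares as a single embedded message, each carrying unknown or repeated fields, which the parser has to merge one after another. The Python below is an added example, not code from protobuf-java, zinc, Kafka or this report: it walks the protobuf binary wire format far enough to count how often each field number occurs at the top level of a message and rejects input in which a declared-singular message field appears more than a limit, before the real parser is asked to merge anything. The schema knowledge (which field numbers are singular messages) is an assumption passed in by the caller, and the payloads are constructed here.

```python
"""Wire-format pre-scan for the duplicate singular-message pattern behind
CVE-2022-3171 / CVE-2022-3509 / CVE-2021-22569.

Added example; not code from protobuf-java, zinc, Kafka or the Mend report.
The set of singular message field numbers is assumed (it comes from the
schema), and the sample payloads are constructed.
"""
from collections import Counter

MAX_GROUP_DEPTH = 64  # nested start-group tags are another cheap way to exhaust a recursive parser


def encode_varint(n):
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def read_varint(buf, pos):
    """Return (value, new_pos); rejects truncated and over-long varints."""
    result = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def skip_field(buf, pos, wire_type, depth=0):
    """Advance past one field value without decoding it."""
    if wire_type == 0:    # varint
        _, pos = read_varint(buf, pos)
    elif wire_type == 1:  # fixed64
        pos += 8
    elif wire_type == 5:  # fixed32
        pos += 4
    elif wire_type == 2:  # length-delimited: bytes, string, embedded message, packed repeated
        length, pos = read_varint(buf, pos)
        pos += length
    elif wire_type == 3:  # start group (proto2 legacy): skip to the matching end group
        if depth >= MAX_GROUP_DEPTH:
            raise ValueError("group nesting too deep")
        while True:
            tag, pos = read_varint(buf, pos)
            inner_type = tag & 7
            if inner_type == 4:
                break
            pos = skip_field(buf, pos, inner_type, depth + 1)
    else:
        raise ValueError(f"invalid wire type {wire_type}")
    if pos > len(buf):
        raise ValueError("field runs past end of buffer")
    return pos


def count_top_level_fields(buf):
    """Counter of field number -> occurrences at the top level of the message."""
    counts = Counter()
    pos = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 7
        if field_no == 0 or wire_type == 4:  # field 0 is reserved; a stray end-group is malformed
            raise ValueError("invalid tag")
        counts[field_no] += 1
        pos = skip_field(buf, pos, wire_type)
    return counts


def is_well_formed(buf):
    try:
        count_top_level_fields(buf)
        return True
    except ValueError:
        return False


def check_singular_message_fields(buf, singular_message_fields, limit=1):
    """{field_no: count} for declared-singular message fields seen more than `limit`
    times; an empty dict means the pre-scan found nothing to reject."""
    counts = count_top_level_fields(buf)
    return {f: counts[f] for f in singular_message_fields if counts[f] > limit}


def build_dos_payload(field_no, copies):
    """Constructed input in the shape the advisories describe: `copies` instances of the
    same non-repeated embedded message field, each carrying an unknown varint field
    (number 999) that a merging parser would have to stash and re-merge every time."""
    unknown_field = encode_varint((999 << 3) | 0) + encode_varint(1)
    one = encode_varint((field_no << 3) | 2) + encode_varint(len(unknown_field)) + unknown_field
    return one * copies


if __name__ == "__main__":
    payload = build_dos_payload(1, 5000)  # field 1 assumed to be a singular embedded message
    print(len(payload), "bytes;", check_singular_message_fields(payload, {1}))
```

Duplicate occurrences of a singular field are legal on the wire (the parser merges them), which is exactly why the real fix is the library upgrade; a pre-scan like this is a belt-and-braces input limit for untrusted sources, and it has to be fed the schema's list of singular message fields, since a genuinely repeated field looks identical at this layer.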

Publish Date: 2022-01-10

URL: CVE-2021-22569

### CVSS 3 Score Details (5.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-wrvw-hg22-4m67

Release Date: 2022-01-10

Fix Resolution (com.google.protobuf:protobuf-java): 3.16.1

Direct dependency fix Resolution (org.scala-sbt:zinc_2.12): 1.4.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
