Open mend-for-github-com[bot] opened 1 year ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
Vulnerable Library - grpc-spring-boot-starter-3.5.1.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.10.0/protobuf-java-3.10.0.jar
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-22965
### Vulnerable Library - spring-beans-5.2.3.RELEASE.jarSpring Beans
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.2.3.RELEASE/spring-beans-5.2.3.RELEASE.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - spring-boot-starter-2.2.4.RELEASE.jar - spring-boot-2.2.4.RELEASE.jar - spring-context-5.2.3.RELEASE.jar - :x: **spring-beans-5.2.3.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability DetailsA Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. Mend Note: Converted from WS-2022-0107, on 2022-11-07.
Publish Date: 2022-04-01
URL: CVE-2022-22965
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Release Date: 2022-04-01
Fix Resolution (org.springframework:spring-beans): 5.2.20.RELEASE
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 4.4.2
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2022-1471
### Vulnerable Library - snakeyaml-1.25.jarYAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - spring-boot-starter-2.2.4.RELEASE.jar - :x: **snakeyaml-1.25.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability DetailsSnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
Publish Date: 2022-12-01
URL: CVE-2022-1471
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374
Release Date: 2022-12-01
Fix Resolution (org.yaml:snakeyaml): 2.0
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 5.1.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2022-27772
### Vulnerable Library - spring-boot-2.2.4.RELEASE.jarSpring Boot
Library home page: https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/2.2.4.RELEASE/spring-boot-2.2.4.RELEASE.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - spring-boot-starter-2.2.4.RELEASE.jar - :x: **spring-boot-2.2.4.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability Details** UNSUPPORTED WHEN ASSIGNED ** spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.
Publish Date: 2022-03-30
URL: CVE-2022-27772
### CVSS 3 Score Details (7.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-cm59-pr5q-cw85
Release Date: 2022-03-30
Fix Resolution (org.springframework.boot:spring-boot): 2.2.11.RELEASE
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.WS-2021-0419
### Vulnerable Library - gson-2.8.6.jarGson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - grpc-netty-1.25.0.jar - grpc-core-1.25.0.jar - :x: **gson-2.8.6.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability DetailsDenial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
### CVSS 3 Score Details (7.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2021-10-11
Fix Resolution (com.google.code.gson:gson): 2.8.9
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 4.8.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2017-18640
### Vulnerable Library - snakeyaml-1.25.jarYAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - spring-boot-starter-2.2.4.RELEASE.jar - :x: **snakeyaml-1.25.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability DetailsThe Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
Publish Date: 2019-12-12
URL: CVE-2017-18640
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
Release Date: 2019-12-12
Fix Resolution (org.yaml:snakeyaml): 1.26
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 4.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2022-25857
### Vulnerable Library - snakeyaml-1.25.jarYAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - spring-boot-starter-2.2.4.RELEASE.jar - :x: **snakeyaml-1.25.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability DetailsThe package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
Publish Date: 2022-08-30
URL: CVE-2022-25857
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857
Release Date: 2022-08-30
Fix Resolution (org.yaml:snakeyaml): 1.31
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 5.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2022-3509
### Vulnerable Library - protobuf-java-3.10.0.jarCore Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.10.0/protobuf-java-3.10.0.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - grpc-services-1.25.0.jar - grpc-protobuf-1.25.0.jar - :x: **protobuf-java-3.10.0.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability DetailsA parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Publish Date: 2022-12-12
URL: CVE-2022-3509
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509
Release Date: 2022-12-12
Fix Resolution (com.google.protobuf:protobuf-java): 3.16.3
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 4.8.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2021-37136
### Vulnerable Library - netty-codec-4.1.45.Final.jarNetty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.45.Final/netty-codec-4.1.45.Final.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - grpc-netty-1.25.0.jar - netty-codec-http2-4.1.45.Final.jar - :x: **netty-codec-4.1.45.Final.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability DetailsThe Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack
Publish Date: 2021-10-19
URL: CVE-2021-37136
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv
Release Date: 2021-10-19
Fix Resolution (io.netty:netty-codec): 4.1.68.Final
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 4.2.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2021-37137
### Vulnerable Library - netty-codec-4.1.45.Final.jarNetty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.45.Final/netty-codec-4.1.45.Final.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - grpc-netty-1.25.0.jar - netty-codec-http2-4.1.45.Final.jar - :x: **netty-codec-4.1.45.Final.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability DetailsThe Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
Publish Date: 2021-10-19
URL: CVE-2021-37137
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-9vjp-v76f-g363
Release Date: 2021-10-19
Fix Resolution (io.netty:netty-codec): 4.1.68.Final
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 4.2.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2023-32731
### Vulnerable Library - grpc-protobuf-1.25.0.jargRPC: Protobuf
Library home page: https://github.com/grpc/grpc-java
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/grpc/grpc-protobuf/1.25.0/grpc-protobuf-1.25.0.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - grpc-services-1.25.0.jar - :x: **grpc-protobuf-1.25.0.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability DetailsWhen gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005
Publish Date: 2023-06-09
URL: CVE-2023-32731
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-cfgp-2977-2fmm
Release Date: 2023-06-09
Fix Resolution: grpc- 1.53.0;grpcio- 1.53.0;io.grpc:grpc-protobuf:1.53.0
CVE-2022-25647
### Vulnerable Library - gson-2.8.6.jarGson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - grpc-netty-1.25.0.jar - grpc-core-1.25.0.jar - :x: **gson-2.8.6.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability DetailsThe package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Publish Date: 2022-05-01
URL: CVE-2022-25647
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`
Release Date: 2022-05-01
Fix Resolution (com.google.code.gson:gson): 2.8.9
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 4.8.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2023-20883
### Vulnerable Library - spring-boot-autoconfigure-2.2.4.RELEASE.jarSpring Boot AutoConfigure
Library home page: https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-autoconfigure
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot-autoconfigure/2.2.4.RELEASE/spring-boot-autoconfigure-2.2.4.RELEASE.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - spring-boot-starter-2.2.4.RELEASE.jar - :x: **spring-boot-autoconfigure-2.2.4.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability DetailsIn Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.
Publish Date: 2023-05-26
URL: CVE-2023-20883
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://spring.io/security/cve-2023-20883
Release Date: 2023-05-26
Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 2.5.15
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 4.6.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2020-11612
### Vulnerable Library - netty-codec-4.1.45.Final.jarNetty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.45.Final/netty-codec-4.1.45.Final.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - grpc-netty-1.25.0.jar - netty-codec-http2-4.1.45.Final.jar - :x: **netty-codec-4.1.45.Final.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability DetailsThe ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
Publish Date: 2020-04-07
URL: CVE-2020-11612
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://netty.io/news/2020/02/28/4-1-46-Final.html
Release Date: 2020-04-07
Fix Resolution (io.netty:netty-codec): 4.1.46.Final
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 3.5.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2022-3171
### Vulnerable Library - protobuf-java-3.10.0.jarCore Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.10.0/protobuf-java-3.10.0.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - grpc-services-1.25.0.jar - grpc-protobuf-1.25.0.jar - :x: **protobuf-java-3.10.0.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability DetailsA parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Publish Date: 2022-10-12
URL: CVE-2022-3171
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
Release Date: 2022-10-12
Fix Resolution (com.google.protobuf:protobuf-java): 3.16.3
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 4.8.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.WS-2020-0408
### Vulnerable Library - netty-handler-4.1.45.Final.jarNetty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.45.Final/netty-handler-4.1.45.Final.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - grpc-netty-1.25.0.jar - netty-codec-http2-4.1.45.Final.jar - :x: **netty-handler-4.1.45.Final.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability DetailsAn issue was found in all versions of io.netty:netty-all. Host verification in Netty is disabled by default. This can lead to MITM attack in which an attacker can forge valid SSL/TLS certificates for a different hostname in order to intercept traffic that doesn’t intend for him. This is an issue because the certificate is not matched with the host.
Publish Date: 2020-06-22
URL: WS-2020-0408
### CVSS 3 Score Details (7.4)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2020-0408
Release Date: 2020-06-22
Fix Resolution (io.netty:netty-handler): 4.1.69.Final
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 4.2.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2021-42550
### Vulnerable Libraries - logback-classic-1.2.3.jar, logback-core-1.2.3.jar### logback-classic-1.2.3.jar
logback-classic module
Library home page: http://logback.qos.ch
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - spring-boot-starter-2.2.4.RELEASE.jar - spring-boot-starter-logging-2.2.4.RELEASE.jar - :x: **logback-classic-1.2.3.jar** (Vulnerable Library) ### logback-core-1.2.3.jar
logback-core module
Library home page: http://logback.qos.ch
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - spring-boot-starter-2.2.4.RELEASE.jar - spring-boot-starter-logging-2.2.4.RELEASE.jar - logback-classic-1.2.3.jar - :x: **logback-core-1.2.3.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability DetailsIn logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers. Mend Note: Converted from WS-2021-0491, on 2022-11-07.
Publish Date: 2021-12-16
URL: CVE-2021-42550
### CVSS 3 Score Details (6.6)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=VE-2021-42550
Release Date: 2021-12-16
Fix Resolution (ch.qos.logback:logback-classic): 1.2.8
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 4.6.0
Fix Resolution (ch.qos.logback:logback-core): 1.2.8
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 4.6.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2023-34462
### Vulnerable Library - netty-handler-4.1.45.Final.jarNetty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.45.Final/netty-handler-4.1.45.Final.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - grpc-netty-1.25.0.jar - netty-codec-http2-4.1.45.Final.jar - :x: **netty-handler-4.1.45.Final.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability DetailsNetty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
Publish Date: 2023-06-22
URL: CVE-2023-34462
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-6mjq-h674-j845
Release Date: 2023-06-22
Fix Resolution (io.netty:netty-handler): 4.1.94.Final
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 4.2.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2022-38752
### Vulnerable Library - snakeyaml-1.25.jarYAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - spring-boot-starter-2.2.4.RELEASE.jar - :x: **snakeyaml-1.25.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability DetailsUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38752
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-9w3m-gqgf-c4p9
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.32
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 5.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2022-38751
### Vulnerable Library - snakeyaml-1.25.jarYAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - spring-boot-starter-2.2.4.RELEASE.jar - :x: **snakeyaml-1.25.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability DetailsUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Publish Date: 2022-09-05
URL: CVE-2022-38751
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.31
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 5.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2022-38749
### Vulnerable Library - snakeyaml-1.25.jarYAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - spring-boot-starter-2.2.4.RELEASE.jar - :x: **snakeyaml-1.25.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability DetailsUsing snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Publish Date: 2022-09-05
URL: CVE-2022-38749
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.31
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 5.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2022-41854
### Vulnerable Library - snakeyaml-1.25.jarYAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - spring-boot-starter-2.2.4.RELEASE.jar - :x: **snakeyaml-1.25.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability DetailsThose using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
Publish Date: 2022-11-11
URL: CVE-2022-41854
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/
Release Date: 2022-11-11
Fix Resolution (org.yaml:snakeyaml): 1.32
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 5.0.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.CVE-2022-22950
### Vulnerable Library - spring-expression-5.2.3.RELEASE.jarSpring Expression Language (SpEL)
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.3.RELEASE/spring-expression-5.2.3.RELEASE.jar
Dependency Hierarchy: - grpc-spring-boot-starter-3.5.1.jar (Root Library) - spring-boot-starter-2.2.4.RELEASE.jar - spring-boot-2.2.4.RELEASE.jar - spring-context-5.2.3.RELEASE.jar - :x: **spring-expression-5.2.3.RELEASE.jar** (Vulnerable Library)
Found in HEAD commit: ed3f721097f8dd5a9245e42ec9e122c9dd3a74dc
Found in base branch: master
### Vulnerability Detailsn Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
Publish Date: 2022-04-01
URL: CVE-2022-22950
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2022-22950
Release Date: 2022-04-01
Fix Resolution (org.springframework:spring-expression): 5.2.20.RELEASE
Direct dependency fix Resolution (io.github.lognet:grpc-spring-boot-starter): 4.4.2
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.