labsai / EDDI

Prompt & Conversation Management Middleware for Conversational AI APIs such as OpenAI ChatGPT, Facebook, Hugging Face, Anthropic Claude, Google Gemini and Ollama. Lean, RESTful, scalable, and cloud-native. Developed in Java, powered by Quarkus, provided with Docker, and orchestrated with Kubernetes or OpenShift.
https://eddi.labs.ai

mbknor-jackson-jsonschema_2.13-1.0.39.jar: 1 vulnerability (highest severity is: 6.5) - autoclosed #370

Status: Closed (closed by mend-bolt-for-github[bot] 4 months ago)

mend-bolt-for-github[bot] commented 4 months ago
Vulnerable Library - mbknor-jackson-jsonschema_2.13-1.0.39.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /pom.xml

Found in HEAD commit: 7664dbb2a09fe36117ac9a7e072a10600a02d0c8

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (mbknor-jackson-jsonschema_2.13 version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2021-47621 | Medium | 6.5 | classgraph-4.8.21.jar | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

Details

CVE-2021-47621

### Vulnerable Library - classgraph-4.8.21.jar

The uber-fast, ultra-lightweight classpath and module scanner for JVM languages.

Library home page: https://github.com/classgraph/classgraph

Path to dependency file: /pom.xml

Path to vulnerable library: /pom.xml

Dependency Hierarchy:

- mbknor-jackson-jsonschema_2.13-1.0.39.jar (Root Library)
  - :x: **classgraph-4.8.21.jar** (Vulnerable Library)

Found in HEAD commit: 7664dbb2a09fe36117ac9a7e072a10600a02d0c8

Found in base branch: main

### Vulnerability Details

ClassGraph before 4.8.112 was not resistant to XML eXternal Entity (XXE) attacks.

Publish Date: 2024-06-21

URL: CVE-2021-47621

### CVSS 3 Score Details (6.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2021-47621

Release Date: 2024-06-21

Fix Resolution: io.github.classgraph:classgraph:4.8.112

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
mend-bolt-for-github[bot] commented 4 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.