mixellent / fitbit-api-example-java2


WS-2009-0001 Low Severity Vulnerability detected by WhiteSource #2

Open mend-bolt-for-github[bot] opened 5 years ago

mend-bolt-for-github[bot] commented 5 years ago

WS-2009-0001 - Low Severity Vulnerability

Vulnerable Library - commons-codec-1.10.jar

path: /root/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar

Library home page: http://commons.apache.org/proper/commons-codec/

Dependency Hierarchy:

- spring-security-oauth2-2.0.10.RELEASE.jar (Root Library)
  - :x: **commons-codec-1.10.jar** (Vulnerable Library)

Found in commit: 8c153ad064e8f07a4ddade35ac13a9b485ca3dac

Vulnerability Details

Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields. Updated 2018-10-07 - an additional review by the WhiteSource research team could not indicate a clear security vulnerability.

Publish Date: 2007-10-07

URL: WS-2009-0001

CVSS 2 Score Details (0.0)

Base Score Metrics not available


aiannucci commented 5 years ago

So, is this a vulnerability or not? Your latest update says you can't indicate a clear security vulnerability, although this is labeled as a security vulnerability. What is the actual vulnerability here? Is there a PoC?