jonesde
commented
3 years ago This was fixed in commit 5f1dea46de9237ee9e24668b88b03c5fbb248f20 by adding a dependency on a newer version of jcommander
Closed mend-bolt-for-github[bot] closed 3 years ago
jonesde
commented
3 years ago This was fixed in commit 5f1dea46de9237ee9e24668b88b03c5fbb248f20 by adding a dependency on a newer version of jcommander
WS-2019-0490 - High Severity Vulnerability
Command line parsing
Library home page: http://jcommander.org
Path to dependency file: moqui-framework/framework/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.beust/jcommander/1.72/6375e521c1e11d6563d4f25a07ce124ccf8cd171/jcommander-1.72.jar
Dependency Hierarchy: - totp-1.7.1.jar (Root Library) - javase-3.4.0.jar - :x: **jcommander-1.72.jar** (Vulnerable Library)
Found in base branch: master
Inclusion of Functionality from Untrusted Control Sphere vulnerability found in jcommander before 1.75. jcommander resolving dependencies over HTTP instead of HTTPS.
Publish Date: 2019-02-19
URL: WS-2019-0490
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/cbeust/jcommander/issues/465
Release Date: 2019-02-19
Fix Resolution: com.beust:jcommander:1.75
Step up your Open Source Security Game with WhiteSource here