lint-gradle-27.2.2.jar: 23 vulnerabilities (highest severity is: 8.1)

Vulnerable Library - lint-gradle-27.2.2.jar

Path to dependency file: /in-app-messaging-kotlin/app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.10.0/410b61dd0088aab4caa05739558d43df248958c9/protobuf-java-3.10.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.10.0/410b61dd0088aab4caa05739558d43df248958c9/protobuf-java-3.10.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.10.0/410b61dd0088aab4caa05739558d43df248958c9/protobuf-java-3.10.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.10.0/410b61dd0088aab4caa05739558d43df248958c9/protobuf-java-3.10.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.10.0/410b61dd0088aab4caa05739558d43df248958c9/protobuf-java-3.10.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.10.0/410b61dd0088aab4caa05739558d43df248958c9/protobuf-java-3.10.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.10.0/410b61dd0088aab4caa05739558d43df248958c9/protobuf-java-3.10.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.10.0/410b61dd0088aab4caa05739558d43df248958c9/protobuf-java-3.10.0.jar

Found in HEAD commit: 691e25809d42cce5a487504aa376638500c5b492

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (lint-gradle version)	Remediation Possible**
CVE-2024-25710	High	8.1	commons-compress-1.12.jar	Transitive	N/A*	❌
CVE-2024-30172	High	7.5	bcprov-jdk15on-1.56.jar	Transitive	N/A*	❌
CVE-2024-29857	High	7.5	bcprov-jdk15on-1.56.jar	Transitive	N/A*	❌
CVE-2022-3509	High	7.5	protobuf-java-3.10.0.jar	Transitive	N/A*	❌
CVE-2021-36090	High	7.5	commons-compress-1.12.jar	Transitive	N/A*	❌
CVE-2021-35517	High	7.5	commons-compress-1.12.jar	Transitive	N/A*	❌
CVE-2021-35516	High	7.5	commons-compress-1.12.jar	Transitive	N/A*	❌
CVE-2021-35515	High	7.5	commons-compress-1.12.jar	Transitive	N/A*	❌
CVE-2021-22569	High	7.5	protobuf-java-3.10.0.jar	Transitive	N/A*	❌
CVE-2019-17359	High	7.5	bcprov-jdk15on-1.56.jar	Transitive	N/A*	❌
CVE-2018-1000180	High	7.5	bcprov-jdk15on-1.56.jar	Transitive	N/A*	❌
WS-2019-0379	Medium	6.5	commons-codec-1.10.jar	Transitive	N/A*	❌
CVE-2022-23437	Medium	6.5	xercesImpl-2.12.0.jar	Transitive	N/A*	❌
CVE-2020-15522	Medium	5.9	bcprov-jdk15on-1.56.jar	Transitive	N/A*	❌
CVE-2023-33202	Medium	5.5	bcprov-jdk15on-1.56.jar	Transitive	N/A*	❌
CVE-2023-2976	Medium	5.5	guava-28.1-jre.jar	Transitive	N/A*	❌
CVE-2020-17521	Medium	5.5	groovy-all-2.4.15.jar	Transitive	N/A*	❌
CVE-2023-33201	Medium	5.3	bcprov-jdk15on-1.56.jar	Transitive	N/A*	❌
CVE-2022-24329	Medium	5.3	kotlin-stdlib-1.4.31.jar	Transitive	N/A*	❌
CVE-2020-26939	Medium	5.3	bcprov-jdk15on-1.56.jar	Transitive	N/A*	❌
CVE-2020-13956	Medium	5.3	httpclient-4.5.6.jar	Transitive	N/A*	❌
CVE-2022-3171	Medium	4.3	protobuf-java-3.10.0.jar	Transitive	N/A*	❌
CVE-2020-8908	Low	3.3	guava-28.1-jre.jar	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (15 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2024-25710

### Vulnerable Library - commons-compress-1.12.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: http://www.apache.org/

Path to dependency file: /app-to-phone-java/app-to-phone/app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar

Dependency Hierarchy: - lint-gradle-27.2.2.jar (Root Library) - builder-4.2.2.jar - sdklib-27.2.2.jar - :x: **commons-compress-1.12.jar** (Vulnerable Library)

Found in HEAD commit: 691e25809d42cce5a487504aa376638500c5b492

Found in base branch: main

### Vulnerability Details

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.

Publish Date: 2024-02-19

URL: CVE-2024-25710

### CVSS 3 Score Details (8.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-25710

Release Date: 2024-02-19

Fix Resolution: org.apache.commons:commons-compress:1.26.0

CVE-2024-30172

### Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /app-to-phone-java/app-to-phone/app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar

Dependency Hierarchy: - lint-gradle-27.2.2.jar (Root Library) - builder-4.2.2.jar - :x: **bcprov-jdk15on-1.56.jar** (Vulnerable Library)

Found in HEAD commit: 691e25809d42cce5a487504aa376638500c5b492

Found in base branch: main

### Vulnerability Details

An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.

Publish Date: 2024-05-09

URL: CVE-2024-30172

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2024-05-09

Fix Resolution: org.bouncycastle:bcprov-jdk18on:1.78,org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk14:1.78, BouncyCastle.Cryptography - 2.3.1

CVE-2024-29857

### Vulnerable Library - bcprov-jdk15on-1.56.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /app-to-phone-java/app-to-phone/app/build.gradle

Dependency Hierarchy: - lint-gradle-27.2.2.jar (Root Library) - builder-4.2.2.jar - :x: **bcprov-jdk15on-1.56.jar** (Vulnerable Library)

Found in HEAD commit: 691e25809d42cce5a487504aa376638500c5b492

Found in base branch: main

### Vulnerability Details

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

Publish Date: 2024-05-14

URL: CVE-2024-29857

### CVSS 3 Score Details (7.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-8xfc-gm6g-vgpv

Release Date: 2024-05-14

Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78, BouncyCastle.Cryptography - 2.3.1

CVE-2022-3509

### Vulnerable Library - protobuf-java-3.10.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /in-app-messaging-java/app/build.gradle

Dependency Hierarchy: - lint-gradle-27.2.2.jar (Root Library) - builder-4.2.2.jar - ddmlib-27.2.2.jar - :x: **protobuf-java-3.10.0.jar** (Vulnerable Library)

Found in HEAD commit: 691e25809d42cce5a487504aa376638500c5b492

Found in base branch: main

### Vulnerability Details

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-11-01

URL: CVE-2022-3509

### CVSS 3 Score Details (7.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509

Release Date: 2022-11-01

Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7

CVE-2021-36090

### Vulnerable Library - commons-compress-1.12.jar

Library home page: http://www.apache.org/

Path to dependency file: /app-to-phone-java/app-to-phone/app/build.gradle

Dependency Hierarchy: - lint-gradle-27.2.2.jar (Root Library) - builder-4.2.2.jar - sdklib-27.2.2.jar - :x: **commons-compress-1.12.jar** (Vulnerable Library)

Found in HEAD commit: 691e25809d42cce5a487504aa376638500c5b492

Found in base branch: main

### Vulnerability Details

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2021-07-13

URL: CVE-2021-36090

### CVSS 3 Score Details (7.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

CVE-2021-35517

### Vulnerable Library - commons-compress-1.12.jar

Library home page: http://www.apache.org/

Path to dependency file: /app-to-phone-java/app-to-phone/app/build.gradle

Dependency Hierarchy: - lint-gradle-27.2.2.jar (Root Library) - builder-4.2.2.jar - sdklib-27.2.2.jar - :x: **commons-compress-1.12.jar** (Vulnerable Library)

Found in HEAD commit: 691e25809d42cce5a487504aa376638500c5b492

Found in base branch: main

### Vulnerability Details

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Publish Date: 2021-07-13

URL: CVE-2021-35517

### CVSS 3 Score Details (7.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

CVE-2021-35516

### Vulnerable Library - commons-compress-1.12.jar

Library home page: http://www.apache.org/

Path to dependency file: /app-to-phone-java/app-to-phone/app/build.gradle

Dependency Hierarchy: - lint-gradle-27.2.2.jar (Root Library) - builder-4.2.2.jar - sdklib-27.2.2.jar - :x: **commons-compress-1.12.jar** (Vulnerable Library)

Found in HEAD commit: 691e25809d42cce5a487504aa376638500c5b492

Found in base branch: main

### Vulnerability Details

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35516

### CVSS 3 Score Details (7.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

CVE-2021-35515

### Vulnerable Library - commons-compress-1.12.jar

Library home page: http://www.apache.org/

Path to dependency file: /app-to-phone-java/app-to-phone/app/build.gradle

Dependency Hierarchy: - lint-gradle-27.2.2.jar (Root Library) - builder-4.2.2.jar - sdklib-27.2.2.jar - :x: **commons-compress-1.12.jar** (Vulnerable Library)

Found in HEAD commit: 691e25809d42cce5a487504aa376638500c5b492

Found in base branch: main

### Vulnerability Details

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35515

### CVSS 3 Score Details (7.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

CVE-2021-22569

### Vulnerable Library - protobuf-java-3.10.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /in-app-messaging-java/app/build.gradle

Dependency Hierarchy: - lint-gradle-27.2.2.jar (Root Library) - builder-4.2.2.jar - ddmlib-27.2.2.jar - :x: **protobuf-java-3.10.0.jar** (Vulnerable Library)

Found in HEAD commit: 691e25809d42cce5a487504aa376638500c5b492

Found in base branch: main

### Vulnerability Details

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Publish Date: 2022-01-07

URL: CVE-2021-22569

### CVSS 3 Score Details (7.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-wrvw-hg22-4m67

Release Date: 2022-01-07

Fix Resolution: com.google.protobuf:protobuf-java:3.16.1,3.18.2,3.19.2; com.google.protobuf:protobuf-kotlin:3.18.2,3.19.2; google-protobuf - 3.19.2

CVE-2019-17359

### Vulnerable Library - bcprov-jdk15on-1.56.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /app-to-phone-java/app-to-phone/app/build.gradle

Dependency Hierarchy: - lint-gradle-27.2.2.jar (Root Library) - builder-4.2.2.jar - :x: **bcprov-jdk15on-1.56.jar** (Vulnerable Library)

Found in HEAD commit: 691e25809d42cce5a487504aa376638500c5b492

Found in base branch: main

### Vulnerability Details

The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.

Publish Date: 2019-10-08

URL: CVE-2019-17359

### CVSS 3 Score Details (7.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17359

Release Date: 2019-10-08

Fix Resolution: org.bouncycastle:bcprov-jdk15on:1.64

CVE-2018-1000180

### Vulnerable Library - bcprov-jdk15on-1.56.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /app-to-phone-java/app-to-phone/app/build.gradle

Dependency Hierarchy: - lint-gradle-27.2.2.jar (Root Library) - builder-4.2.2.jar - :x: **bcprov-jdk15on-1.56.jar** (Vulnerable Library)

Found in HEAD commit: 691e25809d42cce5a487504aa376638500c5b492

Found in base branch: main

### Vulnerability Details

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

Publish Date: 2018-06-05

URL: CVE-2018-1000180

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000180

Release Date: 2018-06-05

Fix Resolution: org.bouncycastle:bc-fips:1.0.2;org.bouncycastle:bcprov-jdk15on:1.60;org.bouncycastle:bcprov-jdk14:1.60;org.bouncycastle:bcprov-ext-jdk14:1.60;org.bouncycastle:bcprov-ext-jdk15on:1.60;org.bouncycastle:bcprov-debug-jdk14:1.60;org.bouncycastle:bcprov-debug-jdk15on:1.60

WS-2019-0379

### Vulnerable Library - commons-codec-1.10.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Library home page: http://www.apache.org/

Path to dependency file: /app-to-app-java/app-to-app/app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar

Dependency Hierarchy: - lint-gradle-27.2.2.jar (Root Library) - builder-4.2.2.jar - sdklib-27.2.2.jar - httpmime-4.5.6.jar - httpclient-4.5.6.jar - :x: **commons-codec-1.10.jar** (Vulnerable Library)

Found in HEAD commit: 691e25809d42cce5a487504aa376638500c5b492

Found in base branch: main

### Vulnerability Details

Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2019-05-20

Fix Resolution: commons-codec:commons-codec:1.13

CVE-2022-23437

### Vulnerable Library - xercesImpl-2.12.0.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program. The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual. Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page. Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1. Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.

Library home page: https://xerces.apache.org/xerces2-j/

Path to dependency file: /app-to-phone-java/app-to-phone/app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.12.0/f02c844149fd306601f20e0b34853a670bef7fa2/xercesImpl-2.12.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.12.0/f02c844149fd306601f20e0b34853a670bef7fa2/xercesImpl-2.12.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.12.0/f02c844149fd306601f20e0b34853a670bef7fa2/xercesImpl-2.12.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.12.0/f02c844149fd306601f20e0b34853a670bef7fa2/xercesImpl-2.12.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.12.0/f02c844149fd306601f20e0b34853a670bef7fa2/xercesImpl-2.12.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.12.0/f02c844149fd306601f20e0b34853a670bef7fa2/xercesImpl-2.12.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.12.0/f02c844149fd306601f20e0b34853a670bef7fa2/xercesImpl-2.12.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.12.0/f02c844149fd306601f20e0b34853a670bef7fa2/xercesImpl-2.12.0.jar

Dependency Hierarchy: - lint-gradle-27.2.2.jar (Root Library) - sdk-common-27.2.2.jar - :x: **xercesImpl-2.12.0.jar** (Vulnerable Library)

Found in HEAD commit: 691e25809d42cce5a487504aa376638500c5b492

Found in base branch: main

### Vulnerability Details

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

Publish Date: 2022-01-24

URL: CVE-2022-23437

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-h65f-jvqw-m9fj

Release Date: 2022-01-24

Fix Resolution: xerces:xercesImpl:2.12.2

CVE-2020-15522

### Vulnerable Library - bcprov-jdk15on-1.56.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /app-to-phone-java/app-to-phone/app/build.gradle

Dependency Hierarchy: - lint-gradle-27.2.2.jar (Root Library) - builder-4.2.2.jar - :x: **bcprov-jdk15on-1.56.jar** (Vulnerable Library)

Found in HEAD commit: 691e25809d42cce5a487504aa376638500c5b492

Found in base branch: main

### Vulnerability Details

Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.

Publish Date: 2021-05-20

URL: CVE-2020-15522

### CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15522

Release Date: 2021-05-20

Fix Resolution: org.bouncycastle:bc-fips:1.0.2.1;org.bouncycastle:bcprov-ext-jdk14:1.66;org.bouncycastle:bcprov-ext-jdk15on:1.66;org.bouncycastle:bcprov-jdk14:1.66;org.bouncycastle:bcprov-jdk15on:1.66;BouncyCastle - 1.8.9;Portable.BouncyCastle - 1.8.8

CVE-2023-33202

### Vulnerable Library - bcprov-jdk15on-1.56.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /app-to-phone-java/app-to-phone/app/build.gradle

Dependency Hierarchy: - lint-gradle-27.2.2.jar (Root Library) - builder-4.2.2.jar - :x: **bcprov-jdk15on-1.56.jar** (Vulnerable Library)

Found in HEAD commit: 691e25809d42cce5a487504aa376638500c5b492

Found in base branch: main

### Vulnerability Details

Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)

Publish Date: 2023-11-23

URL: CVE-2023-33202

### CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-wjxj-5m7g-mg7q

Release Date: 2023-11-23

Fix Resolution: org.bouncycastle:bcprov-jdk14:1.73, org.bouncycastle:bcprov-jdk15to18: 1.73, org.bouncycastle:bcprov-jdk18on:1.73

nexmo-community / client-sdk-tutorials

lint-gradle-27.2.2.jar: 23 vulnerabilities (highest severity is: 8.1) #30

Vulnerabilities

Details