lint-gradle-26.5.3.jar: 25 vulnerabilities (highest severity is: 8.1)

Vulnerable Library - lint-gradle-26.5.3.jar

Path to dependency file: /android/app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (lint-gradle version)	Remediation Possible**
CVE-2024-25710	High	8.1	commons-compress-1.12.jar	Transitive	N/A*	❌
WS-2021-0419	High	7.7	gson-2.8.5.jar	Transitive	N/A*	❌
CVE-2022-25647	High	7.7	gson-2.8.5.jar	Transitive	N/A*	❌
CVE-2024-30172	High	7.5	bcprov-jdk15on-1.56.jar	Transitive	N/A*	❌
CVE-2024-29857	High	7.5	bcprov-jdk15on-1.56.jar	Transitive	N/A*	❌
CVE-2022-3509	High	7.5	protobuf-java-3.4.0.jar	Transitive	N/A*	❌
CVE-2021-36090	High	7.5	commons-compress-1.12.jar	Transitive	N/A*	❌
CVE-2021-35517	High	7.5	commons-compress-1.12.jar	Transitive	N/A*	❌
CVE-2021-35516	High	7.5	commons-compress-1.12.jar	Transitive	N/A*	❌
CVE-2021-35515	High	7.5	commons-compress-1.12.jar	Transitive	N/A*	❌
CVE-2021-22569	High	7.5	protobuf-java-3.4.0.jar	Transitive	N/A*	❌
CVE-2019-17359	High	7.5	bcprov-jdk15on-1.56.jar	Transitive	N/A*	❌
CVE-2018-1000180	High	7.5	bcprov-jdk15on-1.56.jar	Transitive	N/A*	❌
WS-2019-0379	Medium	6.5	commons-codec-1.10.jar	Transitive	N/A*	❌
CVE-2020-15522	Medium	5.9	bcprov-jdk15on-1.56.jar	Transitive	N/A*	❌
CVE-2023-33202	Medium	5.5	bcprov-jdk15on-1.56.jar	Transitive	N/A*	❌
CVE-2023-2976	Medium	5.5	guava-27.0.1-jre.jar	Transitive	N/A*	❌
CVE-2020-17521	Medium	5.5	groovy-all-2.4.15.jar	Transitive	N/A*	❌
CVE-2023-33201	Medium	5.3	bcprov-jdk15on-1.56.jar	Transitive	N/A*	❌
CVE-2022-24329	Medium	5.3	kotlin-stdlib-1.3.50.jar	Transitive	N/A*	❌
CVE-2020-29582	Medium	5.3	kotlin-stdlib-1.3.50.jar	Transitive	N/A*	❌
CVE-2020-26939	Medium	5.3	bcprov-jdk15on-1.56.jar	Transitive	N/A*	❌
CVE-2020-13956	Medium	5.3	httpclient-4.5.6.jar	Transitive	N/A*	❌
CVE-2022-3171	Medium	4.3	protobuf-java-3.4.0.jar	Transitive	N/A*	❌
CVE-2020-8908	Low	3.3	guava-27.0.1-jre.jar	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (22 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2024-25710

### Vulnerable Library - commons-compress-1.12.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: http://www.apache.org/

Path to dependency file: /node_modules/opentok-react-native/android/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - builder-3.5.3.jar - sdklib-26.5.3.jar - :x: **commons-compress-1.12.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.

Publish Date: 2024-02-19

URL: CVE-2024-25710

### CVSS 3 Score Details (8.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-25710

Release Date: 2024-02-19

Fix Resolution: org.apache.commons:commons-compress:1.26.0

WS-2021-0419

### Vulnerable Library - gson-2.8.5.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /node_modules/react-native-vector-icons/android/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.5/f645ed69d595b24d4cf8b3fbb64cc505bede8829/gson-2.8.5.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.5/f645ed69d595b24d4cf8b3fbb64cc505bede8829/gson-2.8.5.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.5/f645ed69d595b24d4cf8b3fbb64cc505bede8829/gson-2.8.5.jar

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - builder-3.5.3.jar - sdklib-26.5.3.jar - :x: **gson-2.8.5.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

### CVSS 3 Score Details (7.7)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2021-10-11

Fix Resolution: com.google.code.gson:gson:2.8.9

CVE-2022-25647

### Vulnerable Library - gson-2.8.5.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /node_modules/react-native-vector-icons/android/build.gradle

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - builder-3.5.3.jar - sdklib-26.5.3.jar - :x: **gson-2.8.5.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Publish Date: 2022-05-01

URL: CVE-2022-25647

### CVSS 3 Score Details (7.7)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`

Release Date: 2022-05-01

Fix Resolution: com.google.code.gson:gson:gson-parent-2.8.9

CVE-2024-30172

### Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /node_modules/react-native-vector-icons/android/build.gradle

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - builder-3.5.3.jar - :x: **bcprov-jdk15on-1.56.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.

Publish Date: 2024-05-09

URL: CVE-2024-30172

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2024-05-09

Fix Resolution: org.bouncycastle:bcprov-jdk18on:1.78,org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk14:1.78, BouncyCastle.Cryptography - 2.3.1

CVE-2024-29857

### Vulnerable Library - bcprov-jdk15on-1.56.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /node_modules/react-native-vector-icons/android/build.gradle

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - builder-3.5.3.jar - :x: **bcprov-jdk15on-1.56.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

Publish Date: 2024-05-14

URL: CVE-2024-29857

### CVSS 3 Score Details (7.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.bouncycastle.org/latest_releases.html

Release Date: 2024-05-09

Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78

CVE-2022-3509

### Vulnerable Library - protobuf-java-3.4.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: http://www.google.com/

Path to dependency file: /android/app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.4.0/b32aba0cbe737a4ca953f71688725972e3ee927c/protobuf-java-3.4.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.4.0/b32aba0cbe737a4ca953f71688725972e3ee927c/protobuf-java-3.4.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.4.0/b32aba0cbe737a4ca953f71688725972e3ee927c/protobuf-java-3.4.0.jar

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - builder-3.5.3.jar - tracker-26.5.3.jar - :x: **protobuf-java-3.4.0.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-11-01

URL: CVE-2022-3509

### CVSS 3 Score Details (7.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509

Release Date: 2022-11-01

Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7

CVE-2021-36090

### Vulnerable Library - commons-compress-1.12.jar

Library home page: http://www.apache.org/

Path to dependency file: /node_modules/opentok-react-native/android/build.gradle

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - builder-3.5.3.jar - sdklib-26.5.3.jar - :x: **commons-compress-1.12.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2021-07-13

URL: CVE-2021-36090

### CVSS 3 Score Details (7.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

CVE-2021-35517

### Vulnerable Library - commons-compress-1.12.jar

Library home page: http://www.apache.org/

Path to dependency file: /node_modules/opentok-react-native/android/build.gradle

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - builder-3.5.3.jar - sdklib-26.5.3.jar - :x: **commons-compress-1.12.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Publish Date: 2021-07-13

URL: CVE-2021-35517

### CVSS 3 Score Details (7.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

CVE-2021-35516

### Vulnerable Library - commons-compress-1.12.jar

Library home page: http://www.apache.org/

Path to dependency file: /node_modules/opentok-react-native/android/build.gradle

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - builder-3.5.3.jar - sdklib-26.5.3.jar - :x: **commons-compress-1.12.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35516

### CVSS 3 Score Details (7.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

CVE-2021-35515

### Vulnerable Library - commons-compress-1.12.jar

Library home page: http://www.apache.org/

Path to dependency file: /node_modules/opentok-react-native/android/build.gradle

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - builder-3.5.3.jar - sdklib-26.5.3.jar - :x: **commons-compress-1.12.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35515

### CVSS 3 Score Details (7.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

CVE-2021-22569

### Vulnerable Library - protobuf-java-3.4.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: http://www.google.com/

Path to dependency file: /android/app/build.gradle

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - builder-3.5.3.jar - tracker-26.5.3.jar - :x: **protobuf-java-3.4.0.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Publish Date: 2022-01-07

URL: CVE-2021-22569

### CVSS 3 Score Details (7.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-wrvw-hg22-4m67

Release Date: 2022-01-07

Fix Resolution: com.google.protobuf:protobuf-java:3.16.1,3.18.2,3.19.2; com.google.protobuf:protobuf-kotlin:3.18.2,3.19.2; google-protobuf - 3.19.2

CVE-2019-17359

### Vulnerable Library - bcprov-jdk15on-1.56.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /node_modules/react-native-vector-icons/android/build.gradle

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - builder-3.5.3.jar - :x: **bcprov-jdk15on-1.56.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.

Publish Date: 2019-10-08

URL: CVE-2019-17359

### CVSS 3 Score Details (7.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17359

Release Date: 2019-10-08

Fix Resolution: org.bouncycastle:bcprov-jdk15on:1.64

CVE-2018-1000180

### Vulnerable Library - bcprov-jdk15on-1.56.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /node_modules/react-native-vector-icons/android/build.gradle

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - builder-3.5.3.jar - :x: **bcprov-jdk15on-1.56.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

Publish Date: 2018-06-05

URL: CVE-2018-1000180

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000180

Release Date: 2018-06-05

Fix Resolution: org.bouncycastle:bc-fips:1.0.2;org.bouncycastle:bcprov-jdk15on:1.60;org.bouncycastle:bcprov-jdk14:1.60;org.bouncycastle:bcprov-ext-jdk14:1.60;org.bouncycastle:bcprov-ext-jdk15on:1.60;org.bouncycastle:bcprov-debug-jdk14:1.60;org.bouncycastle:bcprov-debug-jdk15on:1.60

WS-2019-0379

### Vulnerable Library - commons-codec-1.10.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Library home page: http://www.apache.org/

Path to dependency file: /node_modules/react-native-vector-icons/android/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - builder-3.5.3.jar - sdklib-26.5.3.jar - httpmime-4.5.6.jar - httpclient-4.5.6.jar - :x: **commons-codec-1.10.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2019-05-20

Fix Resolution: commons-codec:commons-codec:1.13

CVE-2020-15522

### Vulnerable Library - bcprov-jdk15on-1.56.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /node_modules/react-native-vector-icons/android/build.gradle

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - builder-3.5.3.jar - :x: **bcprov-jdk15on-1.56.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.

Publish Date: 2021-05-20

URL: CVE-2020-15522

### CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15522

Release Date: 2021-05-20

Fix Resolution: org.bouncycastle:bc-fips:1.0.2.1;org.bouncycastle:bcprov-ext-jdk14:1.66;org.bouncycastle:bcprov-ext-jdk15on:1.66;org.bouncycastle:bcprov-jdk14:1.66;org.bouncycastle:bcprov-jdk15on:1.66;BouncyCastle - 1.8.9;Portable.BouncyCastle - 1.8.8

CVE-2023-33202

### Vulnerable Library - bcprov-jdk15on-1.56.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /node_modules/react-native-vector-icons/android/build.gradle

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - builder-3.5.3.jar - :x: **bcprov-jdk15on-1.56.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)

Publish Date: 2023-11-23

URL: CVE-2023-33202

### CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-wjxj-5m7g-mg7q

Release Date: 2023-11-23

Fix Resolution: org.bouncycastle:bcprov-jdk14:1.73, org.bouncycastle:bcprov-jdk15to18: 1.73, org.bouncycastle:bcprov-jdk18on:1.73

CVE-2023-2976

### Vulnerable Library - guava-27.0.1-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava

Path to dependency file: /node_modules/react-native-vector-icons/android/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/27.0.1-jre/bd41a290787b5301e63929676d792c507bbc00ae/guava-27.0.1-jre.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/27.0.1-jre/bd41a290787b5301e63929676d792c507bbc00ae/guava-27.0.1-jre.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/27.0.1-jre/bd41a290787b5301e63929676d792c507bbc00ae/guava-27.0.1-jre.jar

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - builder-3.5.3.jar - apkzlib-3.5.3.jar - :x: **guava-27.0.1-jre.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows. Mend Note: Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Publish Date: 2023-06-14

URL: CVE-2023-2976

### CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-7g45-4rm6-3mm3

Release Date: 2023-06-14

Fix Resolution: com.google.guava:guava:32.0.1-android,32.0.1-jre

CVE-2020-17521

### Vulnerable Library - groovy-all-2.4.15.jar

Groovy: A powerful, dynamic language for the JVM

Library home page: http://groovy-lang.org

Path to dependency file: /node_modules/opentok-react-native/android/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.groovy/groovy-all/2.4.15/423a17aeb2f64bc6f76e8e44265a548bec80fd42/groovy-all-2.4.15.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.groovy/groovy-all/2.4.15/423a17aeb2f64bc6f76e8e44265a548bec80fd42/groovy-all-2.4.15.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.groovy/groovy-all/2.4.15/423a17aeb2f64bc6f76e8e44265a548bec80fd42/groovy-all-2.4.15.jar

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - :x: **groovy-all-2.4.15.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

Publish Date: 2020-12-07

URL: CVE-2020-17521

### CVSS 3 Score Details (5.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/GROOVY-9824

Release Date: 2020-12-07

Fix Resolution: org.codehaus.groovy:groovy-all:2.4.21,2.5.14,3.0.7

CVE-2023-33201

### Vulnerable Library - bcprov-jdk15on-1.56.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /node_modules/react-native-vector-icons/android/build.gradle

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - builder-3.5.3.jar - :x: **bcprov-jdk15on-1.56.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.

Publish Date: 2023-07-05

URL: CVE-2023-33201

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2023-07-05

Fix Resolution: org.bouncycastle:bcprov-ext-jdk18on:1.74, org.bouncycastle:bcprov-jdk18on:1.74, org.bouncycastle:bcprov-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-jdk15to18:1.74, org.bouncycastle:bcprov-jdk15to18:1.74, org.bouncycastle:bcprov-debug-jdk14:1.74, org.bouncycastle:bcprov-debug-jdk15to18:1.74, org.bouncycastle:bcprov-ext-debug-jdk14:1.74, org.bouncycastle:bcprov-ext-debug-jdk15to18:1.74, org.bouncycastle:bcprov-jdk14:1.74

CVE-2022-24329

### Vulnerable Library - kotlin-stdlib-1.3.50.jar

Kotlin Standard Library for JVM

Library home page: https://kotlinlang.org/

Path to dependency file: /node_modules/react-native-vector-icons/android/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.50/b529d1738c7e98bbfa36a4134039528f2ce78ebf/kotlin-stdlib-1.3.50.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.50/b529d1738c7e98bbfa36a4134039528f2ce78ebf/kotlin-stdlib-1.3.50.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.50/b529d1738c7e98bbfa36a4134039528f2ce78ebf/kotlin-stdlib-1.3.50.jar

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - kotlin-stdlib-jdk8-1.3.50.jar - :x: **kotlin-stdlib-1.3.50.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.

Publish Date: 2022-02-25

URL: CVE-2022-24329

### CVSS 3 Score Details (5.3)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-2qp4-g3q3-f92w

Release Date: 2022-02-25

Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.6.0

CVE-2020-29582

### Vulnerable Library - kotlin-stdlib-1.3.50.jar

Kotlin Standard Library for JVM

Library home page: https://kotlinlang.org/

Path to dependency file: /node_modules/react-native-vector-icons/android/build.gradle

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - kotlin-stdlib-jdk8-1.3.50.jar - :x: **kotlin-stdlib-1.3.50.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.

Publish Date: 2021-02-03

URL: CVE-2020-29582

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-cqj8-47ch-rvvq

Release Date: 2021-02-03

Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.4.21

CVE-2020-26939

### Vulnerable Library - bcprov-jdk15on-1.56.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /node_modules/react-native-vector-icons/android/build.gradle

Dependency Hierarchy: - lint-gradle-26.5.3.jar (Root Library) - builder-3.5.3.jar - :x: **bcprov-jdk15on-1.56.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.

Publish Date: 2020-11-02

URL: CVE-2020-26939

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-11-02

Fix Resolution: org.bouncycastle:bcprov-jdk14:1.61,org.bouncycastle:bcprov-ext-debug-jdk15on:1.61,org.bouncycastle:bcprov-debug-jdk15on:1.61,org.bouncycastle:bcprov-ext-jdk15on:1.61,org.bouncycastle:bcprov-jdk15on:1.61

nexmo-community / multiparty-video-react-native

lint-gradle-26.5.3.jar: 25 vulnerabilities (highest severity is: 8.1) #7

Vulnerabilities

Details