opensearch-project / alerting

📟 Get notified when your data meets certain conditions by setting up monitors, alerts, and notifications
https://opensearch.org/docs/latest/monitoring-plugins/alerting/index/
Apache License 2.0
58 stars, 99 forks

CVE-2024-23080 (Medium) detected in joda-time-2.12.2.jar #1513

Closed mend-for-github-com[bot] closed 2 months ago

mend-for-github-com[bot] commented 2 months ago

CVE-2024-23080 - Medium Severity Vulnerability

Vulnerable Library - joda-time-2.12.2.jar

Date and time library to replace JDK date handling

Library home page: https://www.joda.org/joda-time/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/joda-time/joda-time/2.12.2/78e18a7b4180e911dafba0a412adfa82c1e3d14b/joda-time-2.12.2.jar

Dependency Hierarchy:
- opensearch-3.0.0-SNAPSHOT.jar (Root Library)
  - joda-time-2.12.2.jar (Vulnerable Library)

Found in HEAD commit: 71d03648b8d39f15f64922cb3b3ff9e18d16ed35

Found in base branch: main

Vulnerability Details

Joda Time v2.12.5 was discovered to contain a NullPointerException via the component org.joda.time.format.PeriodFormat::wordBased(Locale).

Publish Date: 2024-04-10

URL: CVE-2024-23080

CVSS 3 Score Details (5.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

jowg-amazon commented 2 months ago

Other plugins are experiencing the same vulnerability; they seem to be getting this dependency from Core.

- https://github.com/opensearch-project/security/issues/4249
- https://github.com/opensearch-project/spring-data-opensearch/issues/262

peternied commented 2 months ago

Fixed in https://github.com/opensearch-project/OpenSearch/pull/13193