search

opfab / operatorfabric-core

Main operatorfabric program
https://opfab.github.io
Mozilla Public License 2.0
39 stars 27 forks source link

CVE-2024-26308 (Medium) detected in commons-compress-1.22.jar - autoclosed #5980

Closed mend-bolt-for-github[bot] closed 1 month ago

mend-bolt-for-github[bot] commented 6 months ago

CVE-2024-26308 - Medium Severity Vulnerability

Vulnerable Library - commons-compress-1.22.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: /client/cards/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.22/691a8b4e6cf4248c3bc72c8b719337d5cb7359fa/commons-compress-1.22.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.22/691a8b4e6cf4248c3bc72c8b719337d5cb7359fa/commons-compress-1.22.jar

Dependency Hierarchy: - avro-1.11.3.jar (Root Library) - :x: **commons-compress-1.22.jar** (Vulnerable Library)

Found in HEAD commit: c41ef568bfcdd468f539067b28a5490847f990c8

Found in base branch: develop

Vulnerability Details

Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.

Publish Date: 2024-02-19

URL: CVE-2024-26308

CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-26308

Release Date: 2024-02-19

Fix Resolution: org.apache.commons:commons-compress:1.26.0

Step up your Open Source Security Game with Mend here

freddidierRTE commented 4 months ago

Need to wait for avro update

mend-bolt-for-github[bot] commented 1 month ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.