Open mend-for-github-com[bot] opened 2 years ago
github-actions[bot]
commented
2 years ago Red Shield Alert: CVE-2021-29425 - An effective vulnerability has been found in your open-source code demanding urgent remediation steps. https://saas.whitesourcesoftware.com/Wss/WSS.html#!libraryVulnerabilities;uuid=4ba40e0a-a309-48ee-954a-97bbd17fa20f;project=6635648
github-actions[bot]
commented
2 years ago Red Shield Alert: CVE-2021-29425 - An effective vulnerability has been found in your open-source code demanding urgent remediation steps. https://saas.whitesourcesoftware.com/Wss/WSS.html#!libraryVulnerabilities;uuid=4ba40e0a-a309-48ee-954a-97bbd17fa20f;project=6635648
The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP web site. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.
Library home page: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/esapi/esapi/2.1.0.1/esapi-2.1.0.1.jar
Found in HEAD commit: f43b382100bf78a7a51267a514f8ba0e99fea374
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-23457
### Vulnerable Library - esapi-2.1.0.1.jarThe Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP web site. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.
Library home page: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/esapi/esapi/2.1.0.1/esapi-2.1.0.1.jar
Dependency Hierarchy: - :x: **esapi-2.1.0.1.jar** (Vulnerable Library)
Found in HEAD commit: f43b382100bf78a7a51267a514f8ba0e99fea374
Found in base branch: main
### Vulnerability DetailsESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this.
Publish Date: 2022-04-25
URL: CVE-2022-23457
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-8m5h-hrqm-pxm2
Release Date: 2022-04-25
Fix Resolution (esapi): org.owasp.esapi:esapi:2.3.0.0
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.5.3.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-28366
### Vulnerable Library - nekohtml-1.9.16.jarAn HTML parser and tag balancer.
Library home page: http://nekohtml.sourceforge.net/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/net/sourceforge/nekohtml/nekohtml/1.9.16/nekohtml-1.9.16.jar
Dependency Hierarchy: - esapi-2.1.0.1.jar (Root Library) - antisamy-1.5.3.jar - :x: **nekohtml-1.9.16.jar** (Vulnerable Library)
Found in HEAD commit: f43b382100bf78a7a51267a514f8ba0e99fea374
Found in base branch: main
### Vulnerability DetailsCertain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
Publish Date: 2022-04-21
URL: CVE-2022-28366
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-g9hh-vvx3-v37v
Release Date: 2022-04-21
Fix Resolution (nekohtml): net.sourceforge.htmlunit:neko-htmlunit:2.27
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.5.3.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
WS-2023-0388
### Vulnerable Library - esapi-2.1.0.1.jarThe Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP web site. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.
Library home page: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/esapi/esapi/2.1.0.1/esapi-2.1.0.1.jar
Dependency Hierarchy: - :x: **esapi-2.1.0.1.jar** (Vulnerable Library)
Found in HEAD commit: f43b382100bf78a7a51267a514f8ba0e99fea374
Found in base branch: main
### Reachability AnalysisThis vulnerability is potentially used ``` org.t246osslab.easybuggy.core.servlets.AbstractServlet (Application) -> org.owasp.esapi.ESAPI (Extension) -> ❌ org.owasp.esapi.reference.DefaultHTTPUtilities (Vulnerable Component) ```
### Vulnerability DetailsESAPI 2.5.2.0 and later addressed the DoS vulnerability described in CVE-2023-24998, which Apache Commons FileUpload 1.5 attempted to remediate. But while writing up a new security bulletin regarding the impact on the affected ESAPI HTTPUtilities.getFileUploads methods (or more specifically those methods in the DefaultHTTPUtilities implementation class), I realized that a DoS vulnerability still persists in ESAPI and for that matter in Apache Commons FileUpload as well.
Publish Date: 2023-10-28
URL: WS-2023-0388
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-7c2q-5qmr-v76q
Release Date: 2023-10-28
Fix Resolution (esapi): org.owasp.esapi:esapi:2.5.2.0
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.5.3.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-34169
### Vulnerable Library - xalan-2.7.0.jarPath to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xalan/xalan/2.7.0/xalan-2.7.0.jar
Dependency Hierarchy: - esapi-2.1.0.1.jar (Root Library) - xom-1.2.5.jar - :x: **xalan-2.7.0.jar** (Vulnerable Library)
Found in HEAD commit: f43b382100bf78a7a51267a514f8ba0e99fea374
Found in base branch: main
### Vulnerability DetailsThe Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
Publish Date: 2022-07-19
URL: CVE-2022-34169
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. :rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-43643
### Vulnerable Library - antisamy-1.5.3.jarThe OWASP AntiSamy project is a collection of APIs for safely allowing users to supply their own HTML and CSS without exposing the site to XSS vulnerabilities.
Library home page: http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/antisamy/antisamy/1.5.3/antisamy-1.5.3.jar
Dependency Hierarchy: - esapi-2.1.0.1.jar (Root Library) - :x: **antisamy-1.5.3.jar** (Vulnerable Library)
Found in HEAD commit: f43b382100bf78a7a51267a514f8ba0e99fea374
Found in base branch: main
### Vulnerability DetailsAntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to version 1.7.4, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the `preserveComments` directive must be enabled in your policy file and also allow for certain tags at the same time. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. This issue has been patched in AntiSamy 1.7.4 and later.
Publish Date: 2023-10-09
URL: CVE-2023-43643
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-43643
Release Date: 2023-10-09
Fix Resolution (antisamy): org.owasp.antisamy:antisamy:1.7.4
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.5.3.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
WS-2023-0429
### Vulnerable Library - esapi-2.1.0.1.jarThe Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP web site. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.
Library home page: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/esapi/esapi/2.1.0.1/esapi-2.1.0.1.jar
Dependency Hierarchy: - :x: **esapi-2.1.0.1.jar** (Vulnerable Library)
Found in HEAD commit: f43b382100bf78a7a51267a514f8ba0e99fea374
Found in base branch: main
### Vulnerability DetailsThe Validator.isValidSafeHTML method can result in false negatives where it reports some input as safe (i.e., returns true), but really isn't, and using that same input as-is can in certain circumstances result in XSS vulnerabilities. Because this method cannot be fixed, it is being deprecated and will be removed in one years time from when this advisory is published. Note that all versions of ESAPI, that have this method (which dates back to at least the ESAPI 1.3 release more than 15 years ago) have this issue and it will continue to exist until these two methods are removed in a future ESAPI release.
Publish Date: 2023-11-24
URL: WS-2023-0429
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2023-0429
Release Date: 2023-11-24
Fix Resolution: org.owasp.esapi:esapi - 2.0_rc9
In order to enable automatic remediation, please create workflow rules
CVE-2022-24891
### Vulnerable Library - esapi-2.1.0.1.jarThe Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP web site. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.
Library home page: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/esapi/esapi/2.1.0.1/esapi-2.1.0.1.jar
Dependency Hierarchy: - :x: **esapi-2.1.0.1.jar** (Vulnerable Library)
Found in HEAD commit: f43b382100bf78a7a51267a514f8ba0e99fea374
Found in base branch: main
### Reachability AnalysisThe vulnerable code is not reachable.
### Vulnerability DetailsESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the **antisamy-esapi.xml** configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.
Publish Date: 2022-04-27
URL: CVE-2022-24891
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-q77q-vx4q-xx6q
Release Date: 2022-04-27
Fix Resolution (esapi): org.owasp.esapi:esapi:2.3.0.0
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.5.3.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-14338
### Vulnerable Library - xercesImpl-2.8.0.jarXerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.0/xercesImpl-2.8.0.jar
Dependency Hierarchy: - esapi-2.1.0.1.jar (Root Library) - xom-1.2.5.jar - :x: **xercesImpl-2.8.0.jar** (Vulnerable Library)
Found in HEAD commit: f43b382100bf78a7a51267a514f8ba0e99fea374
Found in base branch: main
### Vulnerability DetailsA flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a similar code. This flaw affects all Xerces JBoss versions before 2.12.0.SP3.
Publish Date: 2020-09-17
URL: CVE-2020-14338
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2020-10-19
Fix Resolution (xercesImpl): xerces:xercesImpl:2.12.0.SP3
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.5.3.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-29425
### Vulnerable Library - commons-io-2.2.jarThe Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Library home page: http://commons.apache.org/io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.2/commons-io-2.2.jar
Dependency Hierarchy: - esapi-2.1.0.1.jar (Root Library) - commons-fileupload-1.3.1.jar - :x: **commons-io-2.2.jar** (Vulnerable Library)
Found in HEAD commit: f43b382100bf78a7a51267a514f8ba0e99fea374
Found in base branch: main
### Reachability AnalysisThis vulnerability is potentially used ``` org.t246osslab.easybuggy.vulnerabilities.UnrestrictedSizeUploadServlet (Application) -> ❌ org.apache.commons.io.FilenameUtils (Vulnerable Component) ```
### Vulnerability DetailsIn Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Publish Date: 2021-04-13
URL: CVE-2021-29425
### CVSS 3 Score Details (4.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Release Date: 2021-04-13
Fix Resolution (commons-io): commons-io:commons-io:2.7
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.5.3.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.